(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/auth/auth.c) |
| |
| 206 | | | void auth_init(struct auth *auth) |
| 207 | | | { |
| 208 | | | struct auth_passdb *passdb; |
| 209 | | | struct auth_userdb *userdb; |
| 210 | | | const struct mech_module *mech; |
| 211 | | | const char *const *mechanisms; |
| 212 | | | const char *env; |
| 213 | | | |
| 214 | | | for (passdb = auth->masterdbs; passdb != NULL; passdb = passdb->next) |
Event 1:
Leaving loop. passdb != (void *)0 evaluates to false.
|
|
| 215 | | | passdb_init(passdb); |
| 216 | | | for (passdb = auth->passdbs; passdb != NULL; passdb = passdb->next) |
Event 2:
Leaving loop. passdb != (void *)0 evaluates to false.
|
|
| 217 | | | passdb_init(passdb); |
| 218 | | | for (userdb = auth->userdbs; userdb != NULL; userdb = userdb->next) |
| 219 | | | userdb_init(userdb); |
| 220 | | | |
| 221 | | | if (!worker) |
Event 4:
Taking true branch. worker evaluates to false.
|
|
| 222 | | | passdb_cache_init(); |
| 223 | | | |
| 224 | | | auth->mech_handshake = str_new(auth->pool, 512); |
| 225 | | | |
| 226 | | | auth->anonymous_username = getenv("ANONYMOUS_USERNAME"); |
| 227 | | | if (auth->anonymous_username != NULL && |
| 228 | | | *auth->anonymous_username == '\0') |
| 229 | | | auth->anonymous_username = NULL; |
| 230 | | | |
| 231 | | | |
| 232 | | | env = getenv("MECHANISMS"); |
| 233 | | | if (env == NULL) |
Event 6:
Skipping "if". env == (void *)0 evaluates to false.
|
|
| 234 | | | i_fatal("MECHANISMS environment is unset"); |
| 235 | | | |
| 236 | | | mechanisms = t_strsplit_spaces(env, " "); |
| 237 | | | while (*mechanisms != NULL) { |
Event 7:
Leaving loop. *mechanisms != (void *)0 evaluates to false.
|
|
| 238 | | | if (strcasecmp(*mechanisms, "ANONYMOUS") == 0) { |
| 239 | | | if (auth->anonymous_username == NULL) { |
| 240 | | | i_fatal("ANONYMOUS listed in mechanisms, " |
| 241 | | | "but anonymous_username not given"); |
| 242 | | | } |
| 243 | | | } |
| 244 | | | mech = mech_module_find(*mechanisms); |
| 245 | | | if (mech == NULL) { |
| 246 | | | i_fatal("Unknown authentication mechanism '%s'", |
| 247 | | | *mechanisms); |
| 248 | | | } |
| 249 | | | auth_mech_register(auth, mech); |
| 250 | | | |
| 251 | | | mechanisms++; |
| 252 | | | } |
| 253 | | | |
| 254 | | | if (auth->mech_modules == NULL) |
Event 8:
Skipping "if". auth->mech_modules == (void *)0 evaluates to false.
|
|
| 255 | | | i_fatal("No authentication mechanisms configured"); |
| 256 | | | auth_mech_list_verify_passdb(auth); |
| 257 | | | |
| 258 | | | env = getenv("REALMS"); |
| 259 | | | if (env == NULL) |
Event 9:
Taking true branch. env == (void *)0 evaluates to true.
|
|
| 260 | | | env = ""; |
| 261 | | | auth->auth_realms = p_strsplit_spaces(auth->pool, env, " "); |
| 262 | | | |
| 263 | | | env = getenv("DEFAULT_REALM"); |
| 264 | | | if (env != NULL && *env != '\0') |
| 265 | | | auth->default_realm = env; |
| 266 | | | |
| 267 | | | env = getenv("USERNAME_CHARS"); |
Event 12:
Inside getenv(), *getenv("USERNAME_CHARS") is set to a potentially dangerous value [potentially dangerous: the value cannot be determined and may come from program input]. This determines the potentially dangerous position that will be accessed later.
Event 13:
env is set to getenv("USERNAME_CHARS"). See related event 11.
|
|
| 268 | | | if (env == NULL || *env == '\0') { |
| 269 | | | |
| 270 | | | memset(auth->username_chars, 1, sizeof(auth->username_chars)); |
| 271 | | | } else { |
| 272 | | | for (; *env != '\0'; env++) |
Event 15:
Entering loop body. *env != 0 evaluates to true.
hide
|
|
| 273 | | | auth->username_chars[(int)(uint8_t)*env] = 1; |
Buffer Underrun
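This code could write before the beginning of the buffer pointed to by auth.
- auth is at an offset from the beginning of the allocated memory. The byte offset value is the number of allocated bytes preceding auth.
- The first potentially underrun byte is at offset *env + 44 from the beginning of the object. See related events 12 and 13.
- *env + 44 evaluates to *getenv("USERNAME_CHARS") at auth.c:267, plus 44.
- If *env + 44 is less than the number of allocated bytes preceding auth, an underrun will occur. The analysis cannot rule out the possibility of *env + 44 taking on one or more of these dangerous values, so has issued this warning.
Note for triage: the index on line 273 is written as (int)(uint8_t)*env, so the byte read from the environment string is converted to an unsigned 8-bit value (0–255) before it is used as an index and cannot be negative; the offset expression in this warning, *env + 44, does not reflect that cast. Whether the write stays inside the object therefore depends on the declared size of auth->username_chars, which this listing does not show (line 270 applies sizeof to it, which suggests an array member). Confirm that declaration before treating the warning as a true positive.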
The issue can occur if the highlighted code executes. See related events 12 and 13.
|
| |