(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/auth/userdb-passwd-file.c) |
| |
| 22 | | | static void passwd_file_lookup(struct auth_request *auth_request, |
| 23 | | | userdb_callback_t *callback) |
| 24 | | | { |
| 25 | | | struct userdb_module *_module = auth_request->userdb->userdb; |
| 26 | | | struct passwd_file_userdb_module *module = |
| 27 | | | (struct passwd_file_userdb_module *)_module; |
| 28 | | | struct passwd_user *pu; |
| 29 | | | const struct var_expand_table *table; |
| 30 | | | string_t *str; |
| 31 | | | const char *key, *value; |
| 32 | | | char **p; |
| 33 | | | |
| 34 | [+] | | pu = db_passwd_file_lookup(module->pwf, auth_request); |
 |
| 35 | | | if (pu == NULL) { |
Event 7:
Skipping " if". pu == (void *)0 evaluates to false.
hide
|
|
| 36 | | | callback(USERDB_RESULT_USER_UNKNOWN, auth_request); |
| 37 | | | return; |
| 38 | | | } |
| 39 | | | |
| 40 | | | auth_request_init_userdb_reply(auth_request); |
| 41 | | | if (pu->uid != (uid_t)-1) { |
Event 8:
Taking true branch. pu->uid != (uid_t)-1 evaluates to true.
hide
|
|
| 42 | | | auth_request_set_userdb_field(auth_request, "uid", |
| 43 | | | dec2str(pu->uid)); |
| 44 | | | } |
| 45 | | | if (pu->gid != (gid_t)-1) { |
Event 9:
Skipping " if". pu->gid != (gid_t)-1 evaluates to false.
hide
|
|
| 46 | | | auth_request_set_userdb_field(auth_request, "gid", |
| 47 | | | dec2str(pu->gid)); |
| 48 | | | } |
| 49 | | | |
| 50 | | | if (pu->home != NULL) |
Event 10:
Taking true branch. pu->home != (void *)0 evaluates to true.
hide
|
|
| 51 | | | auth_request_set_userdb_field(auth_request, "home", pu->home); |
| 52 | | | |
| 53 | | | if (pu-> != NULL) { |
Event 11:
Taking true branch. pu-> != (void *)0 evaluates to true.
hide
|
|
| 54 | | | str = t_str_new(512); |
| 55 | | | table = auth_request_get_var_expand_table(auth_request, NULL); |
| 56 | | | |
| 57 | | | for (p = pu->; *p != NULL; p++) { |
Event 12:
Entering loop body. *p != (void *)0 evaluates to true.
hide
|
|
| 58 | | | if (strncmp(*p, "userdb_", 7) != 0) |
Event 13:
Skipping " if". strncmp(*p, "userdb_", 7) != 0 evaluates to false.
hide
|
|
| 59 | | | continue; |
| 60 | | | |
| 61 | | | key = *p + 7; |
| 62 | | | value = strchr(key, '='); |
Event 14:
strchr() returns an unknown [ ?unknown: the analysis lost precision when tracking this value, so this warning may be a false positive] value . - Dereferenced later, causing the null pointer dereference.
hide
Event 15:
value is set to strchr(key, 61). See related event 14.
hide
|
|
| 63 | | | if (value != NULL) { |
Event 16:
Skipping " if". value != (void *)0 evaluates to false.
hide
Event 17:
Considering the case where value is equal to 0. See related event 15.
hide
|
|
| 64 | | | key = t_strdup_until(key, value); |
| 65 | | | str_truncate(str, 0); |
| 66 | | | var_expand(str, value + 1, table); |
| 67 | | | value = str_c(str); |
| 68 | | | } |
| 69 | [+] | | auth_request_set_userdb_field(auth_request, key, value); |
Event 18:
value, which evaluates to NULL, is passed to auth_request_set_userdb_field() as the third argument. See related event 17.
hide
|
|
 |
| |