(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/master/login-process.c) |
| |
| 630 | | | static pid_t create_login_process(struct login_group *group) |
| 631 | | | { |
| 632 | | | struct log_io *log; |
| 633 | | | const struct listener *listens; |
| 634 | | | unsigned int max_log_lines_per_sec; |
| 635 | | | const char *prefix; |
| 636 | | | pid_t pid; |
| 637 | | | ARRAY_TYPE(dup2) dups; |
| 638 | | | unsigned int i, listen_count = 0, ssl_listen_count = 0; |
| 639 | | | int fd[2], log_fd, cur_fd, tmp_fd; |
| 640 | | | |
| 641 | | | if (group->set->login_uid == 0) |
Event 1:
Skipping " if". group->set->login_uid == 0 evaluates to false.
hide
|
|
| 642 | | | i_fatal("Login process must not run as root"); |
| 643 | | | |
| 644 | | | |
| 645 | | | if (socketpair(AF_UNIX, SOCK_STREAM, 0, fd) < 0) {
x /usr/include/bits/socket.h |
| |
76 | #define PF_UNIX PF_LOCAL /* POSIX name for PF_LOCAL. */ |
| |
x /usr/include/bits/socket.h |
| |
75 | #define PF_LOCAL 1 /* Local to host (pipes and file-domain). */ |
| |
x /usr/include/bits/socket.h |
| |
75 | #define PF_LOCAL 1 /* Local to host (pipes and file-domain). */ |
| |
x /usr/include/bits/socket.h |
| |
44 | #define SOCK_STREAM SOCK_STREAM |
| |
|
Event 2:
Skipping " if". socketpair(...) < 0 evaluates to false.
hide
|
|
| 646 | | | i_error("socketpair() failed: %m"); |
| 647 | | | return -1; |
| 648 | | | } |
| 649 | | | |
| 650 | | | max_log_lines_per_sec = |
| 651 | | | group->set->login_process_per_connection ? 10 : 0; |
Event 3:
group->set->login_process_per_connection evaluates to false.
hide
|
|
| 652 | [+] | | log_fd = log_create_pipe(&log, max_log_lines_per_sec); |
 |
| 653 | | | if (log_fd < 0) |
Event 7:
Taking true branch. log_fd < 0 evaluates to true.
hide
|
|
| 654 | | | pid = -1; |
| 655 | | | else { |
| 656 | | | pid = fork(); |
| 657 | | | if (pid < 0) |
| 658 | | | i_error("fork() failed: %m"); |
| 659 | | | } |
| 660 | | | |
| 661 | | | if (pid < 0) { |
Event 8:
Taking true branch. pid < 0 evaluates to true.
hide
|
|
| 662 | | | (void)close(fd[0]); |
| 663 | | | (void)close(fd[1]); |
| 664 | | | (void)close(log_fd); |
Event 9:
log_fd, which evaluates to -1, is passed to close(). See related event 6.
hide
Negative file descriptor
File descriptor argument log_fd has value -1. - close() will fail when called with a negative file descriptor.
The issue can occur if the highlighted code executes. See related event 9. Show: All events | Only primary events |
|
| |