(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/imap-login/client.c) |
| |
| 678 | | | void clients_notify_auth_connected(void) |
| 679 | | | { |
| 680 | | | struct client *client; |
| 681 | | | |
| 682 | | | for (client = clients; client != NULL; client = client->next) { |
Event 1:
client is set to clients.
Event 2:
Entering loop body. client != (void *)0 evaluates to true.
Use After Free
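The memory pointed to by client was freed at client.c:648 and is read from here. The only dereference of client on this line is client->next in the loop's step expression, so the read happens after the loop body has already run for that client. The issue can occur if the highlighted code executes. See related events 1 and 50. The path shown hands the client to client_input() (event 7). The events between 7 and 50 are not visible on this part of the page, but if that call chain releases the client, the usual remedy is to copy client->next into a local before the body runs and advance the loop from that saved pointer.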
|
| 683 | | | struct imap_client *imap_client = (struct imap_client *)client; |
Event 3:
imap_client is set to client, which evaluates to clients. See related event 1.
|
|
| 684 | | | |
| 685 | | | if (imap_client->to_auth_waiting != NULL) |
Event 4:
Skipping "if". imap_client->to_auth_waiting != (void *)0 evaluates to false.
|
|
| 686 | | | timeout_remove(&imap_client->to_auth_waiting); |
| 687 | | | if (!imap_client->greeting_sent) |
Event 5:
Skipping "if". imap_client->greeting_sent evaluates to true.
|
|
| 688 | | | client_send_greeting(imap_client); |
| 689 | | | if (imap_client->input_blocked) { |
Event 6:
Taking true branch. imap_client->input_blocked evaluates to true.
|
|
| 690 | | | imap_client->input_blocked = FALSE; |
| 691 | [+] | | client_input(imap_client); |
Event 7:
imap_client, which evaluates to clients, is passed to client_input(). See related event 3.
|
|
 |
| |