(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/auth/mech-plain.c) |
| |
| 10 | | | mech_plain_auth_continue(struct auth_request *request, |
| 11 | | | const unsigned char *data, size_t data_size) |
| 12 | | | { |
| 13 | | | const char *authid, *authenid, *error; |
| 14 | | | char *pass; |
| 15 | | | size_t i, len; |
| 16 | | | int count; |
| 17 | | | |
| 18 | | | |
| 19 | | | |
| 20 | | | authid = (const char *) data; |
| 21 | | | authenid = NULL; pass = NULL; |
| 22 | | | |
| 23 | | | count = 0; |
| 24 | | | for (i = 0; i < data_size; i++) { |
Event 1:
The loop is executed one or more times.
Event 2:
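During loop iterations, authenid is set to an unknown value (the analysis lost precision when tracking this value, so this warning may be a false positive). It is dereferenced later, causing the reported null pointer dereference. Note for triage: in the listing, count is incremented only at line 26, and the first increment assigns authenid = data + i + 1 at line 27, so the path on which count == 2 while authenid is still NULL appears infeasible as long as data itself is non-NULL.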
| 25 | | | if (data[i] == '\0') { |
| 26 | | | if (++count == 1) |
| 27 | | | authenid = (const char *) data + i+1; |
| 28 | | | else { |
| 29 | | | i++; |
| 30 | | | len = data_size - i; |
| 31 | | | pass = p_strndup(unsafe_data_stack_pool, |
| 32 | | | data+i, len); |
| 33 | | | break; |
| 34 | | | } |
| 35 | | | } |
| 36 | | | } |
| 37 | | | |
| 38 | | | if (authenid != NULL && strcmp(authid, authenid) == 0) { |
Event 3:
Skipping the "if" body: authenid != (void *)0 evaluates to false.
Event 4:
Considering the case where authenid is equal to 0. See related event 2.
| 39 | | | |
| 40 | | | authid = ""; |
| 41 | | | } |
| 42 | | | |
| 43 | | | if (count != 2) { |
Event 5:
Taking false branch. count != 2 evaluates to false.
| 44 | | | |
| 45 | | | auth_request_log_info(request, "plain", "invalid input"); |
| 46 | | | auth_request_fail(request); |
| 47 | [+] | | } else if (!auth_request_set_username(request, authenid, &error)) { |
Event 6:
authenid, which evaluates to NULL, is passed to auth_request_set_username() as the second argument. See related event 4.