(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/deliver/deliver.c) |
| |
| 678 | | | static struct istream * |
| 679 | | | create_raw_stream(struct mail_user *user, int fd, time_t *mtime_r) |
| 680 | | | { |
| 681 | | | struct istream *input, *input2, *input_list[2]; |
| 682 | | | const unsigned char *data; |
| 683 | | | char *sender = NULL; |
Event 1:
sender is set to NULL. - Determines the freed value in the Free Null Pointer warning later.
hide
|
|
| 684 | | | size_t i, size; |
| 685 | | | int ret, tz; |
| 686 | | | |
| 687 | | | *mtime_r = (time_t)-1; |
| 688 | | | fd_set_nonblock(fd, FALSE); |
| 689 | | | |
| 690 | | | input = i_stream_create_fd(fd, 4096, FALSE); |
| 691 | | | input->blocking = TRUE; |
Event 2:
!0 evaluates to true.
hide
|
|
| 692 | | | |
| 693 | | | ret = i_stream_read_data(input, &data, &size, 5); |
| 694 | | | if (ret > 0 && size >= 5 && memcmp(data, "From ", 5) == 0) { |
Event 3:
Skipping " if". - ret > 0 evaluates to true.
- size >= 5 evaluates to true.
- memcmp(data, "From ", 5) == 0 evaluates to false.
hide
|
|
| 695 | | | |
| 696 | | | i_stream_skip(input, 5); |
| 697 | | | while ((ret = i_stream_read_data(input, &data, &size, 0)) > 0) { |
| 698 | | | for (i = 0; i < size; i++) { |
| 699 | | | if (data[i] == '\n') |
| 700 | | | break; |
| 701 | | | } |
| 702 | | | if (i != size) { |
| 703 | | | (void)mbox_from_parse(data, i, mtime_r, &tz, |
| 704 | | | &sender); |
| 705 | | | i_stream_skip(input, i + 1); |
| 706 | | | break; |
| 707 | | | } |
| 708 | | | i_stream_skip(input, size); |
| 709 | | | } |
| 710 | | | } |
| 711 | | | |
| 712 | | | if (sender != NULL && explicit_envelope_sender == NULL) { |
Event 4:
Skipping " if". sender != (void *)0 evaluates to false.
hide
|
|
| 713 | | | |
| 714 | | | |
| 715 | | | explicit_envelope_sender = i_strdup(sender); |
| 716 | | | } |
| 717 | | | i_free(sender);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/imem.h |
| |
14 | #define i_free(mem) \ |
15 | STMT_START { \ |
16 | free(mem); \ |
17 | (mem) = NULL; \ |
18 | } STMT_END |
| |
|
Event 5:
sender, which evaluates to NULL, is passed to free(). See related event 1.
hide
Free Null Pointer
sender is not a valid address. - sender evaluates to NULL.
- Some older implementations of free() have unsafe behavior on NULL pointers.
The issue can occur if the highlighted code executes. See related event 5. Show: All events | Only primary events |
|
| |