(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/index/dbox/dbox-transaction.c) |
| |
| 57 | | | static void dbox_transaction_created(struct mail_index_transaction *t) |
| 58 | | | { |
| 59 | | | struct mailbox *box = MAIL_STORAGE_CONTEXT(t->view);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/mail-storage-private.h |
| |
380 | #define MAIL_STORAGE_CONTEXT(obj) \ |
381 | MODULE_CONTEXT(obj, mail_storage_mail_index_module) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/module-context.h |
| |
46 | #define MODULE_CONTEXT(obj, id_ctx) \ |
47 | (*((void **)array_idx_modifiable(&(obj)->module_contexts, \ |
48 | (id_ctx).id.module_id) + \ |
49 | OBJ_REGISTER_COMPATIBLE(obj, id_ctx))) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
179 | #define array_idx_modifiable(array, idx) \ |
180 | ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
181 | array_idx_modifiable_i(&(array)->arr, idx) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
45 | # define ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
46 | (typeof(*(array)->v_modifiable)) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/module-context.h |
| |
43 | #define OBJ_REGISTER_COMPATIBLE(obj, id_ctx) \ |
44 | COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(OBJ_REGISTER(obj), (id_ctx).reg) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
158 | # define COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(_a, _b) \ |
159 | COMPILE_ERROR_IF_TRUE( \ |
160 | !__builtin_types_compatible_p(typeof(_a), typeof(_b))) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
156 | # define COMPILE_ERROR_IF_TRUE(condition) \ |
157 | (sizeof(char[1 - 2 * !!(condition)]) - 1) |
| |
|
| 60 | | | |
| 61 | | | |
| 62 | | | if (box != NULL && |
Event 1:
Taking true branch.
- box != (void *)0 evaluates to true.
- strcmp(...) == 0 evaluates to true.
|
|
| 63 | | | strcmp(box->storage->name, DBOX_STORAGE_NAME) == 0) { |
| 64 | | | struct dbox_mailbox *dbox = (struct dbox_mailbox *)box; |
| 65 | | | struct dbox_transaction_context *mt; |
| 66 | | | |
| 67 | | | mt = i_new(struct dbox_transaction_context, 1);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/imem.h |
| |
8 | #define i_new(type, count) ((type *) i_malloc(sizeof(type) * (count))) |
| |
|
Event 3:
mt is set to i_malloc(...). See related event 2.
|
|
| 68 | | | mt->ictx.trans = t; |
| 69 | | | mt->ictx.super = t->v; |
| 70 | | | |
| 71 | | | t->v.commit = dbox_transaction_commit; |
| 72 | | | t->v.rollback = dbox_transaction_rollback; |
| 73 | [+] | | MODULE_CONTEXT_SET(t, mail_storage_mail_index_module, mt);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/module-context.h |
| |
96 | #define MODULE_CONTEXT_SET(obj, id_ctx, context) \ |
97 | MODULE_CONTEXT_SET_FULL(obj, id_ctx, context, &(context)->module_ctx) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/module-context.h |
| |
87 | #define MODULE_CONTEXT_SET_FULL(obj, id_ctx, ctx, module_ctx) STMT_START { \ |
88 | void *_module_tmp = ctx + \ |
89 | COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(module_ctx, \ |
90 | (**(obj)->module_contexts.v)) + \ |
91 | OBJ_REGISTER_COMPATIBLE(obj, id_ctx); \ |
92 | array_idx_set_i(&(obj)->module_contexts.arr, \ |
93 | module_get_context_id(&(id_ctx).id), &_module_tmp); \ |
94 | } STMT_END |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
158 | # define COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(_a, _b) \ |
159 | COMPILE_ERROR_IF_TRUE( \ |
160 | !__builtin_types_compatible_p(typeof(_a), typeof(_b))) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
156 | # define COMPILE_ERROR_IF_TRUE(condition) \ |
157 | (sizeof(char[1 - 2 * !!(condition)]) - 1) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/module-context.h |
| |
43 | #define OBJ_REGISTER_COMPATIBLE(obj, id_ctx) \ |
44 | COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(OBJ_REGISTER(obj), (id_ctx).reg) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
158 | # define COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(_a, _b) \ |
159 | COMPILE_ERROR_IF_TRUE( \ |
160 | !__builtin_types_compatible_p(typeof(_a), typeof(_b))) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
156 | # define COMPILE_ERROR_IF_TRUE(condition) \ |
157 | (sizeof(char[1 - 2 * !!(condition)]) - 1) |
| |
|
| 74 | | | |
| 75 | [+] | | index_transaction_init(&mt->ictx, &dbox->ibox); |
Event 5:
mt, which evaluates to i_malloc(...) from dbox-transaction.c:67, is passed to index_transaction_init() as the first argument. See related event 3.
Event 6:
The resource of interest is allocated inside index_transaction_init().
|
|
| 76 | | | } |
| 77 | | | |
| 78 | | | if (next_hook_mail_index_transaction_created != NULL) |
Event 43:
Skipping "if". next_hook_mail_index_transaction_created != (void *)0 evaluates to false.
|
|
| 79 | | | next_hook_mail_index_transaction_created(t); |
| 80 | | | } |
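Leak
There are no remaining references to the resource malloc(size) from imem.c:9. The issue can occur if the highlighted code executes. See related events 6, 8, 10, 11, 12, 14, 15, 16, 17, 18, 19, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 40, 41, 44, and 45.
Triage note: per Event 6 the tracked resource is the allocation made inside index_transaction_init() (dbox-transaction.c:75), not mt itself, whose pointer line 73 stores into t's module_contexts array through MODULE_CONTEXT_SET. Most of the related events listed above are not expanded on this page, so whether that inner allocation is released on a later path (for example by the commit or rollback handlers installed on lines 71-72) cannot be confirmed from this view and should be checked before the warning is accepted as a true leak.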
|
| |