(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/deliver/auth-client.c) |
| |
| 58 | | | static int set_env(struct auth_user_reply *reply, |
| 59 | | | const char *user, uid_t euid) |
| 60 | | | { |
| 61 | | | const char *; |
| 62 | | | unsigned int len; |
| 63 | | | |
| 64 | | | if (reply->uid == 0) { |
Event 1:
Taking false branch. reply->uid == 0 evaluates to false.
hide
|
|
| 65 | | | i_error("userdb(%s) returned 0 as uid", user); |
| 66 | | | return -1; |
| 67 | | | } else if (reply->uid == (uid_t)-1) { |
Event 2:
Taking true branch. reply->uid == (uid_t)-1 evaluates to true.
hide
|
|
| 68 | | | if (getenv("MAIL_UID") != NULL) { |
Event 3:
Taking true branch. getenv(...) != (void *)0 evaluates to true.
hide
|
|
| 69 | [+] | | if (!parse_uid(getenv("MAIL_UID"), &reply->uid) || |
Event 4:
getenv() returns NULL. - Dereferenced later, causing the null pointer dereference.
hide
Event 5:
getenv("MAIL_UID"), which evaluates to NULL, is passed to parse_uid() as the first argument. See related event 4.
hide
|
|
 |
| |