(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-index/mail-index-sync-keywords.c) |
| |
| 113 | | | (struct mail_index_sync_map_ctx *ctx, |
| 114 | | | const char *keyword_name, unsigned int *keyword_idx_r) |
| 115 | | | { |
| 116 | | | struct mail_index_map *map; |
| 117 | | | const struct mail_index_ext *ext = NULL; |
| 118 | | | struct *kw_hdr; |
| 119 | | | struct kw_rec; |
| 120 | | | uint32_t ext_map_idx; |
| 121 | | | buffer_t *buf = NULL; |
| 122 | | | size_t keyword_len, rec_offset, name_offset, name_offset_root; |
| 123 | | | unsigned int keywords_count; |
| 124 | | | |
| 125 | | | |
| 126 | | | |
| 127 | | | |
| 128 | | | map = mail_index_sync_get_atomic_map(ctx); |
| 129 | | | |
| 130 | | | if (!mail_index_map_lookup_ext(map, MAIL_INDEX_EXT_KEYWORDS, |
| 131 | | | &ext_map_idx)) |
Event 1:
Taking the false branch of `if (!mail_index_map_lookup_ext(...))`: mail_index_map_lookup_ext(...) evaluates to true, so the else branch at line 133 runs.
|
|
| 132 | | | ext_map_idx = (uint32_t)-1; |
| 133 | | | else { |
| 134 | | | |
| 135 | | | ext = array_idx(&map->extensions, ext_map_idx);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
165 | #define array_idx(array, idx) \ |
166 | ARRAY_TYPE_CAST_CONST(array)array_idx_i(&(array)->arr, idx) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
43 | # define ARRAY_TYPE_CAST_CONST(array) \ |
44 | (typeof(*(array)->v)) |
| |
|
| 136 | | | buf = (map, ext, 1, &keywords_count, |
| 137 | | | &rec_offset, &name_offset_root, |
| 138 | | | &name_offset); |
| 139 | | | } |
| 140 | | | |
| 141 | | | if (buf == NULL) { |
Event 2:
Skipping the `if` body: buf == (void *)0 evaluates to false.
|
|
| 142 | | | |
| 143 | | | buf = buffer_create_dynamic(pool_datastack_create(), 512); |
| 144 | | | kw_hdr = buffer_append_space_unsafe(buf, sizeof(*kw_hdr)); |
| 145 | | | kw_hdr->keywords_count = 1; |
| 146 | | | |
| 147 | | | keywords_count = kw_hdr->keywords_count; |
| 148 | | | rec_offset = buf->used; |
| 149 | | | name_offset_root = rec_offset + |
| 150 | | | kw_hdr->keywords_count * sizeof(kw_rec); |
| 151 | | | name_offset = 0; |
| 152 | | | } |
| 153 | | | |
| 154 | | | |
| 155 | | | memset(&kw_rec, 0, sizeof(kw_rec)); |
| 156 | | | kw_rec.name_offset = name_offset; |
| 157 | | | |
| 158 | | | keyword_len = strlen(keyword_name) + 1; |
| 159 | | | buffer_write(buf, rec_offset, &kw_rec, sizeof(kw_rec)); |
| 160 | | | buffer_write(buf, name_offset_root, keyword_name, keyword_len); |
| 161 | | | |
| 162 | | | rec_offset += sizeof(kw_rec); |
| 163 | | | kw_rec.name_offset += keyword_len; |
| 164 | | | name_offset_root += keyword_len; |
| 165 | | | |
| 166 | | | if ((buf->used % 4) != 0) |
Event 3:
Skipping the `if` body: buf->used % 4 != 0 evaluates to false.
|
|
| 167 | | | buffer_append_zero(buf, 4 - (buf->used % 4)); |
| 168 | | | |
| 169 | | | if (ext == NULL || buf->used > ext->hdr_size || |
| 170 | | | (uint32_t)ext->record_size * CHAR_BIT < keywords_count) { |
| 171 | | | |
| 172 | | | buffer_append_zero(buf, 128); |
| 173 | | | keywords_ext_register(ctx, ext_map_idx, |
| 174 | | | ext == NULL ? 0 : ext->reset_id, |
Null Test After Dereference
This code tests whether ext is null after ext has already been dereferenced. If ext were null, a null pointer dereference would already have occurred at mail-index-sync-keywords.c:169, and potentially at other locations as well.
Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test. Note, however, that the condition at line 169 begins with `ext == NULL ||`, so under short-circuit evaluation the reads of ext->hdr_size and ext->record_size on lines 169–170 only execute when ext is non-null, and the `ext == NULL ? 0 : ext->reset_id` test on line 174 is reached exactly in the ext-is-null case; this finding therefore looks like a false positive that should be confirmed rather than a missing guard.
The issue can occur if the highlighted code executes. See related event 5.
|
| 175 | | | buf->used, keywords_count); |
| 176 | | | |
| 177 | | | |
| 178 | | | map = ctx->view->map; |
| 179 | | | |
| 180 | | | if (!mail_index_map_lookup_ext(map, MAIL_INDEX_EXT_KEYWORDS, |
| 181 | | | &ext_map_idx)) |
| 182 | | | i_unreached();
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
208 | #define i_unreached() \ |
209 | i_panic("file %s: line %d: unreached", __FILE__, __LINE__) |
| |
|
| 183 | | | ext = array_idx(&map->extensions, ext_map_idx);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
165 | #define array_idx(array, idx) \ |
166 | ARRAY_TYPE_CAST_CONST(array)array_idx_i(&(array)->arr, idx) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
43 | # define ARRAY_TYPE_CAST_CONST(array) \ |
44 | (typeof(*(array)->v)) |
| |
|
| 184 | | | |
| 185 | | | i_assert(ext->hdr_size == buf->used);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
| 186 | | | } |
| 187 | | | |
| 188 | | | buffer_copy(map->hdr_copy_buf, ext->hdr_offset, buf, 0, buf->used); |
| 189 | | | map->hdr_base = map->hdr_copy_buf->data; |
| 190 | | | |
| 191 | | | if (mail_index_map_parse_keywords(map) < 0) |
| 192 | | | i_panic("Keyword update corrupted keywords "); |
| 193 | | | |
| 194 | | | *keyword_idx_r = keywords_count - 1; |
| 195 | | | i_assert(*keyword_idx_r / CHAR_BIT < ext->record_size);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
| 196 | | | } |
| |