(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/master/login-process.c) |
| |
| 247 | | | static bool login_process_read_group(struct login_process *p) |
| 248 | | | { |
| 249 | | | struct login_group *group; |
| 250 | | | const char *name, *proto; |
| 251 | | | unsigned char buf[256]; |
| 252 | | | enum mail_protocol protocol; |
| 253 | | | unsigned int len; |
| 254 | | | ssize_t ret; |
| 255 | | | |
| 256 | | | |
| 257 | | | ret = read(p->fd, buf, 1); |
Event 1:
buf is passed to read() as the second argument.
Event 2:
Inside read(), *buf is set to a potentially dangerous value [potentially dangerous: the value cannot be determined and may come from program input]. This value determines the size in the Unreasonable Size Argument warning later.
See related event 1.
|
|
| 258 | | | if (ret != 1) |
Event 3:
Taking false branch. ret != 1 evaluates to false.
|
|
| 259 | | | len = 0; |
| 260 | | | else { |
| 261 | | | len = buf[0]; |
Event 4:
len is set to buf[0], which evaluates to the value assigned to *buf at login-process.c:257. See related event 2.
|
|
| 262 | | | if (len >= sizeof(buf)) { |
Event 5:
Skipping "if". len >= sizeof(buf) evaluates to false.
|
|
| 263 | | | i_error("login: Server name length too large"); |
| 264 | | | return FALSE; |
| 265 | | | } |
| 266 | | | |
| 267 | | | ret = read(p->fd, buf, len); |
Event 6:
len, which evaluates to the value assigned to *buf at login-process.c:257, is passed to read() as the third argument. See related event 4.
Unreasonable Size Argument
The size argument to read() could have an unreasonable value.
- The size argument is len, which evaluates to the value assigned to *buf at login-process.c:257.
- One or more of the possible values of len are unreasonable.
- A size argument is considered unreasonable if it is negative or very large.
The issue can occur if the highlighted code executes. See related event 6.
|
| |