(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/auth/auth.c) |
| |
| 206 | | | void auth_init(struct auth *auth) |
| 207 | | | { |
| 208 | | | struct auth_passdb *passdb; |
| 209 | | | struct auth_userdb *userdb; |
| 210 | | | const struct mech_module *mech; |
| 211 | | | const char *const *mechanisms; |
| 212 | | | const char *env; |
| 213 | | | |
| 214 | | | for (passdb = auth->masterdbs; passdb != NULL; passdb = passdb->next) |
Event 1:
Entering loop body. passdb != (void *)0 evaluates to true.
Event 2:
Continuing from loop body. Leaving loop. passdb != (void *)0 evaluates to false.
|
|
| 215 | | | passdb_init(passdb); |
| 216 | | | for (passdb = auth->passdbs; passdb != NULL; passdb = passdb->next) |
Event 3:
Leaving loop. passdb != (void *)0 evaluates to false.
|
|
| 217 | | | passdb_init(passdb); |
| 218 | | | for (userdb = auth->userdbs; userdb != NULL; userdb = userdb->next) |
Event 4:
Leaving loop. userdb != (void *)0 evaluates to false.
|
|
| 219 | | | userdb_init(userdb); |
| 220 | | | |
| 221 | | | if (!worker) |
Event 5:
Taking true branch. worker evaluates to false.
|
|
| 222 | | | passdb_cache_init(); |
| 223 | | | |
| 224 | | | auth->mech_handshake = str_new(auth->pool, 512); |
| 225 | | | |
| 226 | | | auth->anonymous_username = getenv("ANONYMOUS_USERNAME"); |
| 227 | | | if (auth->anonymous_username != NULL && |
Event 6:
Skipping " if". auth->anonymous_username != (void *)0 evaluates to false.
|
|
| 228 | | | *auth->anonymous_username == '\0') |
| 229 | | | auth->anonymous_username = NULL; |
| 230 | | | |
| 231 | | | |
| 232 | | | env = getenv("MECHANISMS"); |
| 233 | | | if (env == NULL) |
Event 7:
Skipping " if". env == (void *)0 evaluates to false.
|
|
| 234 | | | i_fatal("MECHANISMS environment is unset"); |
| 235 | | | |
| 236 | | | mechanisms = t_strsplit_spaces(env, " "); |
| 237 | | | while (*mechanisms != NULL) { |
Event 8:
Leaving loop. *mechanisms != (void *)0 evaluates to false.
|
|
| 238 | | | if (strcasecmp(*mechanisms, "ANONYMOUS") == 0) { |
| 239 | | | if (auth->anonymous_username == NULL) { |
| 240 | | | i_fatal("ANONYMOUS listed in mechanisms, " |
| 241 | | | "but anonymous_username not given"); |
| 242 | | | } |
| 243 | | | } |
| 244 | | | mech = mech_module_find(*mechanisms); |
| 245 | | | if (mech == NULL) { |
| 246 | | | i_fatal("Unknown authentication mechanism '%s'", |
| 247 | | | *mechanisms); |
| 248 | | | } |
| 249 | | | auth_mech_register(auth, mech); |
| 250 | | | |
| 251 | | | mechanisms++; |
| 252 | | | } |
| 253 | | | |
| 254 | | | if (auth->mech_modules == NULL) |
Event 9:
Skipping " if". auth->mech_modules == (void *)0 evaluates to false.
|
|
| 255 | | | i_fatal("No authentication mechanisms configured"); |
| 256 | | | auth_mech_list_verify_passdb(auth); |
| 257 | | | |
| 258 | | | env = getenv("REALMS"); |
| 259 | | | if (env == NULL) |
Event 10:
Skipping " if". env == (void *)0 evaluates to false.
|
|
| 260 | | | env = ""; |
| 261 | | | auth->auth_realms = p_strsplit_spaces(auth->pool, env, " "); |
| 262 | | | |
| 263 | | | env = getenv("DEFAULT_REALM"); |
| 264 | | | if (env != NULL && *env != '\0') |
Event 11:
Skipping " if". env != (void *)0 evaluates to false.
|
|
| 265 | | | auth->default_realm = env; |
| 266 | | | |
| 267 | | | env = getenv("USERNAME_CHARS"); |
| 268 | | | if (env == NULL || *env == '\0') { |
Event 12:
Taking true branch. env == (void *)0 evaluates to true.
|
|
| 269 | | | |
| 270 | | | memset(auth->username_chars, 1, sizeof(auth->username_chars)); |
| 271 | | | } else { |
| 272 | | | for (; *env != '\0'; env++) |
| 273 | | | auth->username_chars[(int)(uint8_t)*env] = 1; |
| 274 | | | } |
| 275 | | | |
| 276 | | | env = getenv("USERNAME_TRANSLATION"); |
Event 14:
Inside getenv(), *getenv("USERNAME_TRANSLATION") is set to a potentially dangerous value (potentially dangerous: the value cannot be determined and may come from program input). This value determines the potentially dangerous position that will be accessed later.
Event 15:
env is set to getenv("USERNAME_TRANSLATION"). See related event 13.
|
|
| 277 | | | if (env != NULL) { |
Event 16:
Taking true branch. env != (void *)0 evaluates to true.
|
|
| 278 | | | for (; *env != '\0' && env[1] != '\0'; env += 2) |
| 279 | | | auth->username_translation[(int)(uint8_t)*env] = env[1]; |
Buffer Underrun
This code could write before the beginning of the buffer pointed to by auth.
- auth is at an offset from the beginning of the allocated memory. The byte offset value is the number of allocated bytes preceding auth.
- The first potentially underrun byte is at offset *env + 300 from the beginning of the object. See related events 14 and 15.
- *env + 300 evaluates to *getenv("USERNAME_TRANSLATION") at auth.c:276, plus 300.
- If *env + 300 is less than the number of allocated bytes preceding auth, an underrun will occur. The analysis cannot rule out the possibility of *env + 300 taking on one or more of these dangerous values, so has issued this warning.
When triaging this warning, note that line 279 indexes with (int)(uint8_t)*env, so the index actually used lies in the range 0–255 and cannot be negative; whether the write can leave auth->username_translation therefore depends on that array's declared size, which is not shown in this listing.
The issue can occur if the highlighted code executes. See related events 14 and 15.
|
| |