(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/auth/auth.c) |
| |
| 206 | | | void auth_init(struct auth *auth) |
| 207 | | | { |
| 208 | | | struct auth_passdb *passdb; |
| 209 | | | struct auth_userdb *userdb; |
| 210 | | | const struct mech_module *mech; |
| 211 | | | const char *const *mechanisms; |
| 212 | | | const char *env; |
| 213 | | | |
| 214 | | | for (passdb = auth->masterdbs; passdb != NULL; passdb = passdb->next) |
Event 1:
Leaving loop. passdb != (void *)0 evaluates to false.
hide
|
|
| 215 | | | passdb_init(passdb); |
| 216 | | | for (passdb = auth->passdbs; passdb != NULL; passdb = passdb->next) |
Event 2:
Leaving loop. passdb != (void *)0 evaluates to false.
hide
|
|
| 217 | | | passdb_init(passdb); |
| 218 | | | for (userdb = auth->userdbs; userdb != NULL; userdb = userdb->next) |
| 219 | | | userdb_init(userdb); |
| 220 | | | |
| 221 | | | if (!worker) |
Event 4:
Taking true branch. worker evaluates to false.
hide
|
|
| 222 | | | passdb_cache_init(); |
| 223 | | | |
| 224 | | | auth->mech_handshake = str_new(auth->pool, 512); |
| 225 | | | |
| 226 | | | auth->anonymous_username = getenv("ANONYMOUS_USERNAME"); |
| 227 | | | if (auth->anonymous_username != NULL && |
| 228 | | | *auth->anonymous_username == '\0') |
| 229 | | | auth->anonymous_username = NULL; |
| 230 | | | |
| 231 | | | |
| 232 | | | env = getenv("MECHANISMS"); |
| 233 | | | if (env == NULL) |
Event 6:
Skipping " if". env == (void *)0 evaluates to false.
hide
|
|
| 234 | | | i_fatal("MECHANISMS environment is unset"); |
| 235 | | | |
| 236 | | | mechanisms = t_strsplit_spaces(env, " "); |
| 237 | | | while (*mechanisms != NULL) { |
Event 7:
Leaving loop. *mechanisms != (void *)0 evaluates to false.
hide
|
|
| 238 | | | if (strcasecmp(*mechanisms, "ANONYMOUS") == 0) { |
| 239 | | | if (auth->anonymous_username == NULL) { |
| 240 | | | i_fatal("ANONYMOUS listed in mechanisms, " |
| 241 | | | "but anonymous_username not given"); |
| 242 | | | } |
| 243 | | | } |
| 244 | | | mech = mech_module_find(*mechanisms); |
| 245 | | | if (mech == NULL) { |
| 246 | | | i_fatal("Unknown authentication mechanism '%s'", |
| 247 | | | *mechanisms); |
| 248 | | | } |
| 249 | | | auth_mech_register(auth, mech); |
| 250 | | | |
| 251 | | | mechanisms++; |
| 252 | | | } |
| 253 | | | |
| 254 | | | if (auth->mech_modules == NULL) |
Event 8:
Skipping " if". auth->mech_modules == (void *)0 evaluates to false.
hide
|
|
| 255 | | | i_fatal("No authentication mechanisms configured"); |
| 256 | | | auth_mech_list_verify_passdb(auth); |
| 257 | | | |
| 258 | | | env = getenv("REALMS"); |
| 259 | | | if (env == NULL) |
Event 9:
Taking true branch. env == (void *)0 evaluates to true.
hide
|
|
| 260 | | | env = ""; |
| 261 | | | auth->auth_realms = p_strsplit_spaces(auth->pool, env, " "); |
| 262 | | | |
| 263 | | | env = getenv("DEFAULT_REALM"); |
| 264 | | | if (env != NULL && *env != '\0') |
| 265 | | | auth->default_realm = env; |
| 266 | | | |
| 267 | | | env = getenv("USERNAME_CHARS"); |
Event 12:
Inside getenv(), *getenv("USERNAME_CHARS") is set to a potentially dangerous value [ ?potentially dangerous: the value cannot be determined and may come from program input]. - Determines the array index accessed during the type underrun later.
hide
Event 13:
env is set to getenv("USERNAME_CHARS"). See related event 11.
hide
|
|
| 268 | | | if (env == NULL || *env == '\0') { |
| 269 | | | |
| 270 | | | memset(auth->username_chars, 1, sizeof(auth->username_chars)); |
| 271 | | | } else { |
| 272 | | | for (; *env != '\0'; env++) |
Event 15:
Entering loop body. *env != 0 evaluates to true.
hide
|
|
| 273 | | | auth->username_chars[(int)(uint8_t)*env] = 1; |
Type Underrun
The code could write outside auth->username_chars (but inside *auth). - The type of auth->username_chars is char[256].
- The index is *env. See related events 12 and 13.
- *env evaluates to *getenv("USERNAME_CHARS") at auth.c:267.
- If *env is negative, an underrun will occur. The analysis cannot rule out the possibility of *env taking on one or more of these dangerous values, so has issued this warning.
The issue can occur if the highlighted code executes. See related events 12 and 13. Show: All events | Only primary events |
|
| |