(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/login-common/ssl-proxy-openssl.c) |
| |
| 429 | | | static void ssl_read(struct ssl_proxy *proxy) |
| 430 | | | { |
| 431 | | | int ret; |
| 432 | | | |
| 433 | | | while (proxy->plainout_size < sizeof(proxy->plainout_buf) && |
Event 1:
Entering loop body. - proxy->plainout_size < sizeof( proxy->plainout_buf ) evaluates to true.
- proxy->destroyed evaluates to false.
hide
Use After Free
The memory pointed to by proxy was freed at ssl-proxy-openssl.c:649 and is read from here. The issue can occur if the highlighted code executes. See related event 17. Show: All events | Only primary events |
|
| 434 | | | !proxy->destroyed) { |
| 435 | | | ret = SSL_read(proxy->ssl, |
| 436 | | | proxy->plainout_buf + proxy->plainout_size, |
| 437 | | | sizeof(proxy->plainout_buf) - |
| 438 | | | proxy->plainout_size); |
| 439 | | | if (ret <= 0) { |
Event 3:
Taking false branch. ret <= 0 evaluates to false.
hide
|
|
| 440 | | | ssl_handle_error(proxy, ret, "SSL_read()"); |
| 441 | | | break; |
| 442 | | | } else { |
| 443 | | | i_free_and_null(proxy->last_error);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/imem.h |
| |
14 | #define i_free(mem) \ |
15 | STMT_START { \ |
16 | free(mem); \ |
17 | (mem) = NULL; \ |
18 | } STMT_END |
| |
|
| 444 | | | proxy->plainout_size += ret; |
| 445 | [+] | | plain_write(proxy); |
Event 4:
proxy is passed to plain_write().
hide
|
|
 |
| |