(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-mail/message-part-serialize.c) |
| |
| 119 | | | message_part_deserialize_part(struct deserialize_context *ctx, |
| 120 | | | struct message_part *parent, |
| 121 | | | unsigned int siblings, |
| 122 | | | struct message_part **part_r) |
| 123 | | | { |
| 124 | | | struct message_part *part, *first_part, **next_part; |
| 125 | | | unsigned int children_count; |
| 126 | | | uoff_t pos; |
| 127 | | | bool root = parent == NULL; |
Event 1:
parent == (void *)0 evaluates to true.
hide
|
|
| 128 | | | |
| 129 | | | first_part = NULL; |
| 130 | | | next_part = NULL; |
| 131 | | | while (siblings > 0) { |
Event 3:
During loop iterations, next_part is dereferenced.
hide
Event 4:
Continuing from loop body. Entering loop body. siblings > 0 evaluates to true.
hide
|
|
| 132 | | | siblings--; |
| 133 | | | |
| 134 | | | part = p_new(ctx->pool, struct message_part, 1);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/mempool.h |
| |
84 | #define p_new(pool, type, count) \ |
85 | ((type *) p_malloc(pool, sizeof(type) * (count))) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/mempool.h |
| |
87 | #define p_malloc(pool, size) (pool)->v->malloc(pool, size) |
| |
|
| 135 | | | part->parent = parent; |
| 136 | | | |
| 137 | | | if (!read_next(ctx, &part->flags, sizeof(part->flags))) |
Event 5:
Skipping " if". read_next(...) evaluates to true.
hide
|
|
| 138 | | | return FALSE; |
| 139 | | | |
| 140 | | | if (root) |
Event 6:
Taking true branch. root evaluates to true.
hide
|
|
| 141 | | | root = FALSE; |
| 142 | | | else { |
| 143 | | | if (!read_next(ctx, &part->physical_pos, |
| 144 | | | sizeof(part->physical_pos))) |
| 145 | | | return FALSE; |
| 146 | | | } |
| 147 | | | |
| 148 | | | if (part->physical_pos < ctx->pos) { |
Event 7:
Skipping " if". part->physical_pos < ctx->pos evaluates to false.
hide
|
|
| 149 | | | ctx->error = "physical_pos less than expected"; |
| 150 | | | return FALSE; |
| 151 | | | } |
| 152 | | | |
| 153 | | | if (!read_next(ctx, &part->.physical_size, |
| 154 | | | sizeof(part->.physical_size))) |
Event 8:
Skipping " if". read_next(...) evaluates to true.
hide
|
|
| 155 | | | return FALSE; |
| 156 | | | |
| 157 | | | if (!read_next(ctx, &part->.virtual_size, |
| 158 | | | sizeof(part->.virtual_size))) |
Event 9:
Skipping " if". read_next(...) evaluates to true.
hide
|
|
| 159 | | | return FALSE; |
| 160 | | | |
| 161 | | | if (part->.virtual_size < |
| 162 | | | part->.physical_size) { |
Event 10:
Skipping " if". part->.virtual_size < part->.physical_size evaluates to false.
hide
|
|
| 163 | | | ctx->error = ".virtual_size too small"; |
| 164 | | | return FALSE; |
| 165 | | | } |
| 166 | | | |
| 167 | | | if (!read_next(ctx, &part->body_size.physical_size, |
| 168 | | | sizeof(part->body_size.physical_size))) |
Event 11:
Skipping " if". read_next(...) evaluates to true.
hide
|
|
| 169 | | | return FALSE; |
| 170 | | | |
| 171 | | | if (!read_next(ctx, &part->body_size.virtual_size, |
| 172 | | | sizeof(part->body_size.virtual_size))) |
Event 12:
Skipping " if". read_next(...) evaluates to true.
hide
|
|
| 173 | | | return FALSE; |
| 174 | | | |
| 175 | | | if ((part->flags & (MESSAGE_PART_FLAG_TEXT | |
| 176 | | | MESSAGE_PART_FLAG_MESSAGE_RFC822)) != 0) { |
Event 13:
Skipping " if". (part->flags & (MESSAGE_PART_FLAG_TEXT | MESSAGE_PART_FLAG_MESSAGE_RFC822)) != 0 evaluates to false.
hide
|
|
| 177 | | | if (!read_next(ctx, &part->body_size.lines, |
| 178 | | | sizeof(part->body_size.lines))) |
| 179 | | | return FALSE; |
| 180 | | | } |
| 181 | | | |
| 182 | | | if (part->body_size.virtual_size < |
| 183 | | | part->body_size.physical_size) { |
Event 14:
Skipping " if". part->body_size.virtual_size < part->body_size.physical_size evaluates to false.
hide
|
|
| 184 | | | ctx->error = "body_size.virtual_size too small"; |
| 185 | | | return FALSE; |
| 186 | | | } |
| 187 | | | |
| 188 | | | if ((part->flags & (MESSAGE_PART_FLAG_MULTIPART | |
| 189 | | | MESSAGE_PART_FLAG_MESSAGE_RFC822)) != 0) { |
Event 15:
Taking false branch. (part->flags & (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_MESSAGE_RFC822)) != 0 evaluates to false.
hide
|
|
| 190 | | | if (!read_next(ctx, &children_count, |
| 191 | | | sizeof(children_count))) |
| 192 | | | return FALSE; |
| 193 | | | } else { |
| 194 | | | children_count = 0; |
| 195 | | | } |
| 196 | | | |
| 197 | | | if (part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822) { |
Event 16:
Skipping " if". part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822 evaluates to false.
hide
|
|
| 198 | | | |
| 199 | | | if (children_count == 0) { |
| 200 | | | ctx->error = |
| 201 | | | "message/rfc822 part has no children"; |
| 202 | | | return FALSE; |
| 203 | | | } |
| 204 | | | if (children_count != 1) { |
| 205 | | | ctx->error = "message/rfc822 part " |
| 206 | | | "has multiple children"; |
| 207 | | | return FALSE; |
| 208 | | | } |
| 209 | | | } |
| 210 | | | |
| 211 | | | if (children_count > 0) { |
Event 17:
Skipping " if". children_count > 0 evaluates to false.
hide
|
|
| 212 | | | |
| 213 | | | |
| 214 | | | ctx->pos = part->physical_pos + |
| 215 | | | part->.physical_size; |
| 216 | | | pos = ctx->pos + part->body_size.physical_size; |
| 217 | | | |
| 218 | | | if (!message_part_deserialize_part(ctx, part, |
| 219 | | | children_count, |
| 220 | | | &part->children)) |
| 221 | | | return FALSE; |
| 222 | | | |
| 223 | | | if (ctx->pos > pos) { |
| 224 | | | ctx->error = |
| 225 | | | "child part location exceeds our size"; |
| 226 | | | return FALSE; |
| 227 | | | } |
| 228 | | | ctx->pos = pos; |
| 229 | | | } |
| 230 | | | |
| 231 | | | if (first_part == NULL) |
Event 18:
Skipping " if". first_part == (void *)0 evaluates to false.
hide
|
|
| 232 | | | first_part = part; |
| 233 | | | if (next_part != NULL) |
Null Test After Dereference
This code tests the nullness of next_part, which has already been dereferenced. - If next_part were null, there would have been a prior null pointer dereference at message-part-serialize.c:131, and potentially at other locations as well.
- Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test.
The issue can occur if the highlighted code executes. See related event 3. Show: All events | Only primary events |
|
| 234 | | | *next_part = part; |
| 235 | | | next_part = &part->next; |
| 236 | | | } |
| 237 | | | |
| 238 | | | *part_r = first_part; |
| 239 | | | return TRUE; |
| 240 | | | } |
| |