(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/deliver/deliver.c) |
| |
| 815 | | | static void expand_envs(const char *user) |
| 816 | | | { |
| 817 | | | const struct var_expand_table *table; |
| 818 | | | const char *value, *const *envs, *home, *env_name; |
| 819 | | | unsigned int i, count; |
| 820 | | | string_t *str; |
| 821 | | | |
| 822 | | | home = getenv("HOME"); |
| 823 | | | |
| 824 | | | str = t_str_new(256); |
| 825 | | | table = get_var_expand_table(user, home); |
| 826 | [+] | | envs = array_get(&plugin_envs, &count);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
156 | #define array_get(array, count) \ |
157 | ARRAY_TYPE_CAST_CONST(array)array_get_i(&(array)->arr, count) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
43 | # define ARRAY_TYPE_CAST_CONST(array) \ |
44 | (typeof(*(array)->v)) |
| |
|
 |
| 827 | | | for (i = 0; i < count; i++) { |
Event 1:
Leaving loop. i < count evaluates to false.
|
|
| 828 | | | str_truncate(str, 0); |
| 829 | | | var_expand(str, envs[i], table); |
| 830 | | | env_put(str_c(str)); |
| 831 | | | } |
| 832 | | | |
| 833 | [+] | | envs = array_get(&lda_envs, &count);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
156 | #define array_get(array, count) \ |
157 | ARRAY_TYPE_CAST_CONST(array)array_get_i(&(array)->arr, count) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
43 | # define ARRAY_TYPE_CAST_CONST(array) \ |
44 | (typeof(*(array)->v)) |
| |
|
 |
| 834 | | | for (i = 0; i < count; i++) |
| 835 | | | env_put(envs[i]); |
| 836 | | | |
| 837 | | | |
| 838 | | | |
| 839 | | | if (home == NULL) |
Event 3:
Skipping the body of the "if": home == (void *)0 evaluates to false.
|
|
| 840 | | | home = getenv("HOME"); |
| 841 | | | table = get_var_expand_table(user, home); |
| 842 | | | |
| 843 | | | value = getenv("MAIL_LOCATION"); |
Event 5:
Inside getenv(), the capacity of the buffer pointed to by getenv("MAIL_LOCATION") is set to a potentially dangerous value (potentially dangerous: the value cannot be determined and may come from program input). This is the capacity of the buffer that will be overrun later.
Event 6:
Inside getenv(), the length of the string pointed to by getenv("MAIL_LOCATION") is set to a potentially dangerous value (potentially dangerous: the value cannot be determined and may come from program input).
Event 7:
Considering the case where the capacity of the buffer pointed to by getenv("MAIL_LOCATION") is at least 1.
Event 8:
value is set to getenv("MAIL_LOCATION"). See related event 4.
|
|
| 844 | | | if (value != NULL) |
Event 9:
Taking true branch. value != (void *)0 evaluates to true.
|
|
| 845 | [+] | | value = expand_mail_env(value, table); |
Event 10:
value, which evaluates to getenv("MAIL_LOCATION") from deliver.c:843, is passed to expand_mail_env() as the first argument. See related event 8.
|
|
 |
| |