(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/deliver/smtp-client.c) |
| |
| 28 | | | smtp_client_run_sendmail(const char *destination, |
| 29 | | | const char *return_path, int fd) |
| 30 | | | { |
| 31 | | | const char *argv[7], *sendmail_path; |
| 32 | | | |
| 33 | | | |
| 34 | | | |
| 35 | [+] | | sendmail_path = t_strdup(deliver_set->sendmail_path); |
 |
| 36 | | | |
| 37 | | | argv[0] = sendmail_path; |
| 38 | | | argv[1] = "-i"; |
| 39 | | | argv[2] = "-f"; |
| 40 | | | argv[3] = return_path != NULL && *return_path != '\0' ? |
Event 5:
return_path != (void *)0 evaluates to false.
hide
|
|
| 41 | | | return_path : "<>"; |
| 42 | | | argv[4] = "--"; |
| 43 | | | argv[5] = destination; |
| 44 | | | argv[6] = NULL; |
| 45 | | | |
| 46 | | | if (dup2(fd, STDIN_FILENO) < 0)
x /usr/include/unistd.h |
| |
211 | #define STDIN_FILENO 0 /* Standard input. */ |
| |
|
Event 6:
Skipping " if". dup2(fd, 0) < 0 evaluates to false.
hide
|
|
| 47 | | | i_fatal("dup2() failed: %m"); |
| 48 | | | |
| 49 | | | deliver_env_clean(TRUE); |
Event 7:
!0 evaluates to true.
hide
|
|
| 50 | | | |
| 51 | | | (void)execv(sendmail_path, (void *)argv); |
Event 8:
sendmail_path, which evaluates to NULL, is passed to execv() as the first argument. See related event 4.
hide
Null Pointer Dereference
The body of execv() dereferences sendmail_path, but it is NULL. The issue can occur if the highlighted code executes. See related event 8. Show: All events | Only primary events |
|
| |