(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/master/master-settings.c) |
| 1034 | | | static void pid_file_check_running(const char *path) |
| 1035 | | | { |
| 1036 | | | char buf[32]; |
| 1037 | | | int fd; |
| 1038 | | | ssize_t ret; |
| 1039 | | | |
| 1040 | | | fd = open(path, O_RDONLY); |
| 1041 | | | if (fd == -1) { |
Event 2:
Skipping " if". fd == -1 evaluates to false.
| 1042 | | | if (errno == ENOENT)
/usr/include/asm-generic/errno-base.h:5: #define ENOENT 2 /* No such file or directory */ |
| 1043 | | | return; |
| 1044 | | | i_fatal("open(%s) failed: %m", path); |
| 1045 | | | } |
| 1046 | | | |
| 1047 | | | ret = read(fd, buf, sizeof(buf)); |
Event 3:
32 is passed to read() as the third argument.
Event 4:
read() returns a potentially dangerous value (potentially dangerous: the value cannot be determined and may come from program input). This determines the position accessed in the buffer during the buffer overrun later.
Event 5:
Considering the case where read(fd, buf, sizeof( buf )) is at least 1.
Event 6:
Considering the case where read(fd, buf, sizeof( buf )) is no more than 32. See related event 3.
Event 7:
ret is set to read(fd, buf, sizeof( buf )). See related event 4.
| 1048 | | | if (ret <= 0) { |
Event 8:
Taking false branch. ret <= 0 evaluates to false.
| 1049 | | | if (ret == 0) |
| 1050 | | | i_error("Empty PID file in %s, overriding", path); |
| 1051 | | | else |
| 1052 | | | i_fatal("read(%s) failed: %m", path); |
| 1053 | | | } else { |
| 1054 | | | pid_t pid; |
| 1055 | | | |
| 1056 | | | if (buf[ret-1] == '\n') |
Event 9:
Skipping " if". buf[ret - 1] == 10 evaluates to false.
| 1057 | | | ret--; |
| 1058 | | | buf[ret] = '\0'; |
Buffer Overrun
This code could write past the end of buf.
- The code writes 1 byte starting at offset ret from the beginning of buf, whose capacity is 32 bytes.
- The number of bytes written could exceed the number of allocated bytes beyond that offset.
- ret evaluates to read(fd, buf, sizeof( buf )) from master-settings.c:1047, which is bounded above by 32 and the length of the string pointed to by buf and below by 1. See related event 7.
- If ret is higher than 31, an overrun will occur. The analysis cannot rule out this possibility, so has issued this warning.
- The overrun occurs in stack memory.
The issue can occur if the highlighted code executes. See related events 5, 6, and 7.