Uninitialized Variable : dovecot-1.2.0 : CodeSonar

Uninitialized Variable at commands.c:106

No properties have been set. | edit properties

Jump to warning location ↓

warning details...

Categories:

LANG.MEM.UVAR CWE:457

Warning ID:

7894.24759

Procedure:

cmd_dele

Path:

view trace

Last Modified:

Fri Oct 28 11:30:17 2011 show details hide details

Analysis:

dovecot-1.2.0 analysis 4

Started:

Fri Oct 28 11:01:23 2011 show details hide details

by user:	sate
on host:	ubuntu
at address:	10.233.219.208

Finished:

Fri Oct 28 11:46:16 2011 show logs hide logs

build:	[Full] [Streamed Full] [Tail] [Streamed Tail]
codesonar parse:	[Full] [Streamed Full] [Tail] [Streamed Tail]
codesonar analysis:	[Full] [Streamed Full] [Tail] [Streamed Tail]

Analysis State:

Analysis finished.

Detected:

Fri Oct 28 11:30:17 2011

First Detected:

Wed Aug 10 23:58:52 2011

Show Events | Change View | Options

All events

Only primary events

Side-by-side

List

	Jump to warning location by default
	Show control flow events by default
	Show other warnings
✓	Show line numbers
✓	Wrap lines

cmd_dele

(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/pop3/commands.c) expand/collapse

static int cmd_dele(struct client *client, const char *args)

{

unsigned int msgnum;

[+]

if (get_msgnum(client, args, &msgnum) == NULL)

x /usr/lib/i386-linux-gnu/gcc/i686-linux-gnu/4.5/include/stddef.h

400	#define NULL ((void *)0)

get_msgnum

(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/pop3/commands.c) expand/collapse

static const char *get_msgnum(struct client *client, const char *args,

unsigned int *msgnum)

{

unsigned int num, last_num;

num = 0;

while (*args != '\0' && *args != ' ') {

Event 1: The loop is executed one or more times.

hide

if (*args < '0' || *args > '9') {

client_send_line(client,

"-ERR Invalid message number: %s", args);

return NULL;

x /usr/lib/i386-linux-gnu/gcc/i686-linux-gnu/4.5/include/stddef.h

400	#define NULL ((void *)0)

}

last_num = num;

num = num*10 + (*args - '0');

if (num < last_num) {

client_send_line(client,

"-ERR Message number too large: %s", args);

return NULL;

x /usr/lib/i386-linux-gnu/gcc/i686-linux-gnu/4.5/include/stddef.h

400	#define NULL ((void *)0)

}

args++;

}

if (num == 0 || num > client->messages_count) {

Event 2: Skipping "if".

num == 0 evaluates to false.
num > client->messages_count evaluates to false.

hide

client_send_line(client,

"-ERR There's no message %u.", num);

return NULL;

x /usr/lib/i386-linux-gnu/gcc/i686-linux-gnu/4.5/include/stddef.h

400	#define NULL ((void *)0)

}

num--;

if (client->deleted) {

Event 3: Skipping "if". client->deleted evaluates to false.

hide

if (client->deleted_bitmask[num / CHAR_BIT] &

x /usr/lib/i386-linux-gnu/gcc/i686-linux-gnu/4.5/include-fixed/limits.h

65	#define CHAR_BIT __CHAR_BIT__

(1 << (num % CHAR_BIT))) {

x /usr/lib/i386-linux-gnu/gcc/i686-linux-gnu/4.5/include-fixed/limits.h

65	#define CHAR_BIT __CHAR_BIT__

client_send_line(client, "-ERR Message is deleted.");

return NULL;

x /usr/lib/i386-linux-gnu/gcc/i686-linux-gnu/4.5/include/stddef.h

400	#define NULL ((void *)0)

}

while (*args == ' ') args++;

Event 4: Entering loop body. *args == 32 evaluates to true.

hide

Event 5: Continuing from loop body. Leaving loop. *args == 32 evaluates to false.

hide

*msgnum = num;

return args;

Event 6: Skipping "if". get_msgnum(...) == (void *)0 evaluates to false.

hide

return -1;

100

101

if (!client->deleted) {

Event 7: Taking true branch. client->deleted evaluates to false.

hide

102

[+]

client->deleted_bitmask = i_malloc(MSGS_BITMASK_SIZE(client));

x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/pop3/client.h

9	#define MSGS_BITMASK_SIZE(client) \
10	(((client)->messages_count + (CHAR_BIT-1)) / CHAR_BIT)

x /usr/lib/i386-linux-gnu/gcc/i686-linux-gnu/4.5/include-fixed/limits.h

65	#define CHAR_BIT __CHAR_BIT__

x /usr/lib/i386-linux-gnu/gcc/i686-linux-gnu/4.5/include-fixed/limits.h

65	#define CHAR_BIT __CHAR_BIT__

i_malloc

(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/imem.c) expand/collapse

void *i_malloc(size_t size)

{

void *rv = malloc(size);

Event 8: malloc() returns the address of a new object.

hide

Event 9: *malloc(size) is allocated here, but is not initialized.

hide

Event 10: rv is set to malloc(size). See related event 8.

hide

if( !rv )

Event 11: Skipping "if". rv evaluates to true.

hide

abort();

return rv;

Event 12: i_malloc() returns rv, which evaluates to malloc(size) from imem.c:9. See related event 10.

hide

Event 13: client->deleted_bitmask is set to i_malloc(...), which evaluates to malloc(size) from imem.c:9. See related event 12.

hide

103

client->deleted = TRUE;

x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h

15	# define TRUE (!FALSE)

x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h

11	# define FALSE (0)

Event 14: !0 evaluates to true.

hide

104

}

105

106

client->deleted_bitmask[msgnum / CHAR_BIT] |= 1 << (msgnum % CHAR_BIT);

x /usr/lib/i386-linux-gnu/gcc/i686-linux-gnu/4.5/include-fixed/limits.h

65	#define CHAR_BIT __CHAR_BIT__

x /usr/lib/i386-linux-gnu/gcc/i686-linux-gnu/4.5/include-fixed/limits.h

65	#define CHAR_BIT __CHAR_BIT__

Uninitialized Variable

*client->deleted_bitmask was not initialized.

The issue can occur if the highlighted code executes.

See related events 9 and 13.
Show: All events | Only primary events

	Expand macro definition
	Stay highlighted
	Jump to next occurrence
	Jump to previous occurrence
	Go to definition
	Get Information
	Lock in window

Change Warning 7894.24759 : Uninitialized Variable

Priority:
State:
Finding:
Owner:
Note: