/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/lib-signals.c
102    static void signal_read(void *context ATTR_UNUSED)
103    {
104        siginfo_t signal_buf[10];
105        siginfo_t signals[MAX_SIGNAL_VALUE+1];
106        ssize_t i, ret;
107        int signo;
108
109        ret = read(sig_pipe_fd[0], signal_buf, sizeof(signal_buf));
Event 1:
&signal_buf[0].si_signo is passed to read() as the second argument.
Event 2:
Inside read(), *signal_buf is set to a potentially dangerous value (potentially dangerous: the value cannot be determined and may come from program input), where signal_buf is &signal_buf[0].si_signo. This determines the potentially dangerous position that will be accessed later.
See related event 1.
110        if (ret > 0) {
Event 3:
Taking true branch. ret > 0 evaluates to true.
111            if (ret % sizeof(siginfo_t) != 0)
Event 4:
Skipping "if". ret % sizeof(siginfo_t) != 0 evaluates to false.
112                i_fatal("read(sigpipe) returned partial data");
113            ret /= sizeof(siginfo_t);
114
115
116            memset(signals, 0, sizeof(signals));
117            for (i = 0; i < ret; i++) {
Event 5:
i is set to 0.
Event 6:
Entering loop body. i < ret evaluates to true.
118                signo = signal_buf[i].si_signo;
Event 7:
signo is set to signal_buf[0].si_signo, which evaluates to the value assigned to *signal_buf at lib-signals.c:109. See related events 2 and 5.
119                if (signo > MAX_SIGNAL_VALUE) {
Event 8:
Skipping "if". signo > 31 evaluates to false.
120                    i_panic("sigpipe contains signal %d > %d",
121                            signo, MAX_SIGNAL_VALUE);
122                }
123                signals[signo] = signal_buf[i];
Buffer Underrun
This code could write before the beginning of the buffer signals.
- The first potentially underrun byte is at offset 128 * signo from the beginning of the object. See related event 7.
- 128 * signo evaluates to the value assigned to *signal_buf at lib-signals.c:109, times 128, which is bounded above by 3968.
- If 128 * signo is negative, an underrun will occur. The analysis cannot rule out the possibility of 128 * signo taking on one or more of these dangerous values, so it has issued this warning.
- The underrun occurs in stack memory.
The issue can occur if the highlighted code executes. See related event 7.