Re: Null pointer dereference in dovecot-2.2.18
Dear,
Using our static analysis tools, I found some bugs (null pointer dereference) in dovecot-2.2.18. Null pointer dereference bugs often make programs crash. Please confirm them, thanks!
1. dovecot-2.2.18/src/config/config-request.c line 332
'setting_export_section_name(ctx->prefix, def, children[i], i);': pointer 'children' is assigned NULL at line 202, and if the branch 'case SET_DEFLIST_UNIQUE' is not executed, pointer 'children' is always NULL. This leads to a null pointer dereference bug at line 332.
The same bugs also appeared in :
1. dovecot-2.2.18/src/lib-index/mail-index-fsck.c line 170 or 174, pointer 'kw_rec' may be NULL.
2. dovecot-2.2.18/src/lib-storage/mail-search-args-simplify line 349, pointer 'prev_arg' may be NULL.
best wishes~
Amy
On Wed, 15 Jul 2015, 吴迪 wrote:
> Using our static analysis tools, I found some bugs (null pointer dereference) in dovecot-2.2.18. Null pointer dereference bugs often make programs crash. Please confirm them, thanks!
Say, did you check the code manually yourself, too? Automated checks are hints, if at all.
> 1. dovecot-2.2.18/src/config/config-request.c line 332 'setting_export_section_name(ctx->prefix, def, children[i], i);': pointer 'children' is assigned NULL at line 202, and if the branch 'case SET_DEFLIST_UNIQUE' is not executed, pointer 'children' is always NULL. This leads to a null pointer dereference bug at line 332.
e.g.:
Line 332 is passed only if count > 0. count appears just a very few times in this function, so it is easy to spot and judge that count == 0 always, except in the cases:
case SET_DEFLIST:
case SET_DEFLIST_UNIQUE:
Here your tool also missed the 2nd case.
> The same bugs also appeared in:
> 1. dovecot-2.2.18/src/lib-index/mail-index-fsck.c line 170 or 174, pointer 'kw_rec' may be NULL.
> 2. dovecot-2.2.18/src/lib-storage/mail-search-args-simplify line 349, pointer 'prev_arg' may be NULL.
> best wishes~
> Amy
Steffen Kaiser
These are all false positives. I added some asserts that hopefully get rid of two of the warnings. I couldn't really think of a way to nicely avoid the mail-index-fsck.c warning.
http://hg.dovecot.org/dovecot-2.2/rev/06b884831f25
On 07/15/2015 06:07 AM, 吴迪 wrote:
> Dear,
> Using our static analysis tools, I found some bugs (null pointer dereference) in dovecot-2.2.18. Null pointer dereference bugs often make programs crash. Please confirm them, thanks!
> 1. dovecot-2.2.18/src/config/config-request.c line 332 'setting_export_section_name(ctx->prefix, def, children[i], i);': pointer 'children' is assigned NULL at line 202, and if the branch 'case SET_DEFLIST_UNIQUE' is not executed, pointer 'children' is always NULL. This leads to a null pointer dereference bug at line 332.
> The same bugs also appeared in:
> 1. dovecot-2.2.18/src/lib-index/mail-index-fsck.c line 170 or 174, pointer 'kw_rec' may be NULL.
> 2. dovecot-2.2.18/src/lib-storage/mail-search-args-simplify line 349, pointer 'prev_arg' may be NULL.
> best wishes~
> Amy
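The shape of the config-request.c false positive that Steffen describes (pointer starts NULL, loop bound starts 0, both set together in the two list cases) and the assert-style fix Timo mentions, as an added example that is not Dovecot's code: the names setting_def, export_setting and the demo functions are made up for illustration, and their inputs are constructed.

```c
#include <assert.h>
#include <string.h>

/* Constructed example (not Dovecot's code): 'children' starts NULL and
 * 'count' starts 0; both are set together in the list cases, so the loop
 * body that dereferences 'children' cannot run while it is still NULL. */
enum setting_type { SET_STR, SET_DEFLIST, SET_DEFLIST_UNIQUE };

struct setting_def {
    enum setting_type type;
    const char **list_values;   /* only meaningful for the list types */
    unsigned int list_count;
};

/* Returns how many non-empty section names the setting carries. */
unsigned int export_setting(const struct setting_def *def)
{
    const char **children = NULL;   /* what the analyzer flags */
    unsigned int count = 0, i, exported = 0;
    switch (def->type) {
    case SET_DEFLIST:
    case SET_DEFLIST_UNIQUE:        /* both cases set the pair */
        children = def->list_values;
        count = def->list_count;
        break;
    default:
        break;
    }
    /* States the invariant the tool cannot infer across the switch:
     * the loop runs only after 'children' was assigned. */
    assert(count == 0 || children != NULL);
    for (i = 0; i < count; i++) {
        if (children[i] != NULL && strlen(children[i]) > 0)
            exported++;
    }
    return exported;
}

/* Constructed inputs: one list setting, one plain string setting. */
unsigned int demo_list_setting(void)
{
    static const char *names[] = { "imap", "", "pop3" };
    struct setting_def def = { SET_DEFLIST_UNIQUE, names, 3 };
    return export_setting(&def);   /* 2 */
}
unsigned int demo_scalar_setting(void)
{
    struct setting_def def = { SET_STR, NULL, 0 };
    return export_setting(&def);   /* 0: loop never entered */
}
```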
participants (3)
- Steffen Kaiser
- Timo Sirainen
- 吴迪