Null deference pointer in dovecot-2.2.18

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Wed Jul 15 06:51:49 UTC 2015


On Wed, 15 Jul 2015, 吴迪 wrote:

>     use our static analysis tools, I find some bugs (Null dereference
> pointer) for dovecot-2.2.18. Null dereference pointer bugs often make
> programs crash. Please confirm them, Thanks!

Say, did you check the code manually yourself, too? Automated checks are
hints, if at all.

>      1. dovecot-2.2.18/src/config/config-request.c   332
>
>      'setting_export_section_name(ctx->prefix, def, children[i], i);', pointer 'children' in line 202 is assigned NULL, and if branch 'case SET_DEFLIST_UNIQUE' is not executed, so pointer 'children' is always NULL. It leads to a null dereference pointer bug in line 332.

e.g.:

line 332 is passed only if count > 0. count appears just a very few times
in this function, so it is easily spotted and judged that count == 0 always,
except in cases:

 		case SET_DEFLIST:
 		case SET_DEFLIST_UNIQUE:

here your tool also missed the 2nd case.

>      The same bugs also appeared in:
>
>      1. dovecot-2.2.18/src/lib-index/mail-index-fsck.c   line 170 or 174, pointer 'kw_rec' may be NULL.
>
>      2. dovecot-2.2.18/src/lib-storage/mail-search-args-simplify line 349, pointer 'prev_arg' may be NULL.
>
> best wishes~
>
> Amy

--
Steffen Kaiser
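
The triage argument in the reply above, reduced to a small C model. This is an added example, not code from the post or from Dovecot: only `children`, `count`, `SET_DEFLIST` and `SET_DEFLIST_UNIQUE` appear in the mail, while `model_export`, `MODEL_SET_OTHER` and `sample_children` are hypothetical names and the input is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* MODEL_SET_OTHER stands in for every type that is not a list (hypothetical). */
enum model_type { MODEL_SET_OTHER, SET_DEFLIST, SET_DEFLIST_UNIQUE };

/* Constructed sample input. */
const char *const sample_children[] = { "a", "b" };

/* Returns the number of children visited, or -1 if the loop would have
 * dereferenced a NULL 'children' pointer. */
int model_export(enum model_type type, const char *const *list, size_t n)
{
	const char *const *children = NULL; /* the "assigned NULL" in the report */
	size_t i, count = 0;
	int visited = 0;

	switch (type) {
	case SET_DEFLIST:
	case SET_DEFLIST_UNIQUE: /* both labels share one body */
		children = list;
		count = n;
		break;
	default: /* children stays NULL, but count stays 0 as well */
		break;
	}

	/* The invariant a path-sensitive analysis has to track:
	 * count > 0 implies children != NULL. Checking it explicitly
	 * also covers a caller that passes a NULL list with n > 0. */
	if (count > 0 && children == NULL)
		return -1;

	for (i = 0; i < count; i++) { /* models the flagged dereference */
		if (children[i] != NULL)
			visited++;
	}
	return visited;
}

int main(void)
{
	printf("other:  %d\n", model_export(MODEL_SET_OTHER, sample_children, 2));
	printf("list:   %d\n", model_export(SET_DEFLIST, sample_children, 2));
	printf("unique: %d\n", model_export(SET_DEFLIST_UNIQUE, sample_children, 2));
	printf("null:   %d\n", model_export(SET_DEFLIST, NULL, 2));
	return 0;
}
```

On every path where `children` is still NULL, `count` is still 0, so the loop body never runs; a checker that tracks the two variables independently reports the dereference anyway.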

