Bug Summary

File:src/lib/libc/rpc/pmap_prot2.c
Warning:line 95, column 28
Dereference of null pointer (loaded from variable 'rp')

Annotated Source Code


clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name pmap_prot2.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libc/obj -resource-dir /usr/local/lib/clang/13.0.0 -include namespace.h -I /usr/src/lib/libc/include -I /usr/src/lib/libc/hidden -D __LIBC__ -D APIWARN -D YP -I /usr/src/lib/libc/yp -I /usr/src/lib/libc -I /usr/src/lib/libc/gdtoa -I /usr/src/lib/libc/arch/amd64/gdtoa -D INFNAN_CHECK -D MULTIPLE_THREADS -D NO_FENV_H -D USE_LOCALE -I /usr/src/lib/libc -I /usr/src/lib/libc/citrus -D RESOLVSORT -D FLOATING_POINT -D PRINTF_WIDE_CHAR -D SCANF_WIDE_CHAR -D FUTEX -D PIC -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libc/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig 
-D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/lib/libc/rpc/pmap_prot2.c
1/* $OpenBSD: pmap_prot2.c,v 1.8 2015/09/13 15:36:56 guenther Exp $ */
2
3/*
4 * Copyright (c) 2010, Oracle America, Inc.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are
8 * met:
9 *
10 * * Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * * Redistributions in binary form must reproduce the above
13 * copyright notice, this list of conditions and the following
14 * disclaimer in the documentation and/or other materials
15 * provided with the distribution.
16 * * Neither the name of the "Oracle America, Inc." nor the names of its
17 * contributors may be used to endorse or promote products derived
18 * from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
27 * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
28 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
29 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
30 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
31 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 */
33
34/*
35 * pmap_prot2.c
36 * Protocol for the local binder service, or pmap.
37 */
38
39#include <rpc/types.h>
40#include <rpc/xdr.h>
41#include <rpc/pmap_prot.h>
42
43
44/*
45 * What is going on with linked lists? (!)
46 * First recall the link list declaration from pmap_prot.h:
47 *
48 * struct pmaplist {
49 * struct pmap pml_map;
50 * struct pmaplist *pml_next;
51 * };
52 *
53 * Compare that declaration with a corresponding xdr declaration that
54 * is (a) pointer-less, and (b) recursive:
55 *
56 * typedef union switch (bool_t) {
57 *
58 * case TRUE: struct {
59 * struct pmap;
60 * pmaplist_t foo;
61 * };
62 *
63 * case FALSE: struct {};
64 * } pmaplist_t;
65 *
66 * Notice that the xdr declaration has no nxt pointer while
67 * the C declaration has no bool_t variable. The bool_t can be
68 * interpreted as ``more data follows me''; if FALSE then nothing
69 * follows this bool_t; if TRUE then the bool_t is followed by
70 * an actual struct pmap, and then (recursively) by the
71 * xdr union, pmaplist_t.
72 *
73 * This could be implemented via the xdr_union primitive, though this
74 * would cause one recursive call per element in the list. Rather than do
75 * that we can ``unwind'' the recursion
76 * into a while loop and do the union arms in-place.
77 *
78 * The head of the list is what the C programmer wishes to pass around
79 * the net, yet it is the data that the pointer points to which is interesting;
80 * this sounds like a job for xdr_reference!
81 */
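/*
 * xdr_pmaplist -- encode, decode or free a linked list of struct pmaplist.
 *
 * xdrs: XDR stream; xdrs->x_op selects the direction.
 * rp:   address of the list head pointer.
 *
 * Returns TRUE when the whole list was processed, FALSE as soon as
 * xdr_bool() or xdr_reference() fails.
 *
 * Static-analysis finding addressed here (clang scan-build, checker
 * "core", reported at the first statement of the loop):
 *   "Dereference of null pointer (loaded from variable 'rp')".
 * Reported path: x_op == XDR_FREE; *rp is NULL on the first pass;
 * xdr_bool() succeeds and more_elements is assumed non-zero afterwards;
 * `next = &((*rp)->pml_next)` is then derived from a NULL node, assigned
 * to rp at the bottom of the loop, and *rp is read on the second pass.
 *
 * Whether xdr_bool() can really leave more_elements non-zero in the
 * XDR_FREE direction is not visible from this file, so that path may be
 * a false positive.  The same two statements have a second problem that
 * does not depend on it: when freeing, the old code kept the *address*
 * of the pml_next member inside the node that xdr_reference() is about
 * to release (see "before we free the current object" below) and read
 * through that address on the next pass.  Both are avoided by saving
 * the *value* of pml_next before the node is released.
 */
bool_t
xdr_pmaplist(XDR *xdrs, struct pmaplist **rp)
{
	/*
	 * more_elements is pre-computed in case the direction is
	 * XDR_ENCODE or XDR_FREE.  more_elements is overwritten by
	 * xdr_bool when the direction is XDR_DECODE.
	 */
	bool_t more_elements;
	int freeing = (xdrs->x_op == XDR_FREE);
	struct pmaplist *next = NULL;	/* successor saved before release */
	struct pmaplist *next_copy;	/* scratch head for the next pass */

	while (TRUE) {
		more_elements = (bool_t)(*rp != NULL);
		if (!xdr_bool(xdrs, &more_elements))
			return (FALSE);
		if (!more_elements)
			return (TRUE);	/* we are done */
		/*
		 * the unfortunate side effect of non-recursion is that in
		 * the case of freeing we must remember the next object
		 * before we free the current object ...
		 */
		if (freeing) {
			/*
			 * Nothing to release and no successor to follow;
			 * this is the state the analyzer's path assumes.
			 */
			if (*rp == NULL)
				return (TRUE);
			next = (*rp)->pml_next;
		}
		if (!xdr_reference(xdrs, (caddr_t *)rp,
		    (u_int)sizeof(struct pmaplist), xdr_pmap))
			return (FALSE);
		if (freeing) {
			/*
			 * Continue from a local copy of the saved pointer
			 * so nothing is read from, or written into, the
			 * node that was just handed to xdr_reference().
			 * The caller's head pointer is only touched by the
			 * first xdr_reference() call, as before.
			 */
			next_copy = next;
			rp = &next_copy;
		} else {
			/*
			 * Defensive: xdr_reference() reported success, so
			 * *rp is expected to be non-NULL here; refuse to
			 * form &((*rp)->pml_next) from a NULL node.
			 */
			if (*rp == NULL)
				return (FALSE);
			rp = &((*rp)->pml_next);
		}
	}
}
DEF_WEAK(xdr_pmaplist);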