Bug Summary

File:src/usr.bin/ssh/ssh-keysign/../sshbuf.c
Warning:line 126, column 3
Potential leak of memory pointed to by 'ret'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name sshbuf.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/ssh/ssh-keysign/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/usr.bin/ssh/ssh-keysign/.. -D WITH_OPENSSL -D WITH_ZLIB -D ENABLE_PKCS11 -D HAVE_DLOPEN -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -Wno-unused-parameter -fdebug-compilation-dir=/usr/src/usr.bin/ssh/ssh-keysign/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.bin/ssh/ssh-keysign/../sshbuf.c
1/* $OpenBSD: sshbuf.c,v 1.15 2020/02/26 13:40:09 jsg Exp $ */
2/*
3 * Copyright (c) 2011 Damien Miller
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <sys/types.h>
19#include <signal.h>
20#include <stdlib.h>
21#include <stdio.h>
22#include <string.h>
23
24#include "ssherr.h"
25#define SSHBUF_INTERNAL
26#include "sshbuf.h"
27#include "misc.h"
28
29static inline int
30sshbuf_check_sanity(const struct sshbuf *buf)
31{
32 SSHBUF_TELL("sanity");
33 if (__predict_false(buf == NULL ||__builtin_expect(((buf == ((void *)0) || (!buf->readonly &&
buf->d != buf->cd) || buf->refcount < 1 || buf->
refcount > 0x100000 || buf->cd == ((void *)0) || buf->
max_size > 0x8000000 || buf->alloc > buf->max_size
|| buf->size > buf->alloc || buf->off > buf->
size) != 0), 0)
34 (!buf->readonly && buf->d != buf->cd) ||__builtin_expect(((buf == ((void *)0) || (!buf->readonly &&
buf->d != buf->cd) || buf->refcount < 1 || buf->
refcount > 0x100000 || buf->cd == ((void *)0) || buf->
max_size > 0x8000000 || buf->alloc > buf->max_size
|| buf->size > buf->alloc || buf->off > buf->
size) != 0), 0)
35 buf->refcount < 1 || buf->refcount > SSHBUF_REFS_MAX ||__builtin_expect(((buf == ((void *)0) || (!buf->readonly &&
buf->d != buf->cd) || buf->refcount < 1 || buf->
refcount > 0x100000 || buf->cd == ((void *)0) || buf->
max_size > 0x8000000 || buf->alloc > buf->max_size
|| buf->size > buf->alloc || buf->off > buf->
size) != 0), 0)
36 buf->cd == NULL ||__builtin_expect(((buf == ((void *)0) || (!buf->readonly &&
buf->d != buf->cd) || buf->refcount < 1 || buf->
refcount > 0x100000 || buf->cd == ((void *)0) || buf->
max_size > 0x8000000 || buf->alloc > buf->max_size
|| buf->size > buf->alloc || buf->off > buf->
size) != 0), 0)
37 buf->max_size > SSHBUF_SIZE_MAX ||__builtin_expect(((buf == ((void *)0) || (!buf->readonly &&
buf->d != buf->cd) || buf->refcount < 1 || buf->
refcount > 0x100000 || buf->cd == ((void *)0) || buf->
max_size > 0x8000000 || buf->alloc > buf->max_size
|| buf->size > buf->alloc || buf->off > buf->
size) != 0), 0)
38 buf->alloc > buf->max_size ||__builtin_expect(((buf == ((void *)0) || (!buf->readonly &&
buf->d != buf->cd) || buf->refcount < 1 || buf->
refcount > 0x100000 || buf->cd == ((void *)0) || buf->
max_size > 0x8000000 || buf->alloc > buf->max_size
|| buf->size > buf->alloc || buf->off > buf->
size) != 0), 0)
39 buf->size > buf->alloc ||__builtin_expect(((buf == ((void *)0) || (!buf->readonly &&
buf->d != buf->cd) || buf->refcount < 1 || buf->
refcount > 0x100000 || buf->cd == ((void *)0) || buf->
max_size > 0x8000000 || buf->alloc > buf->max_size
|| buf->size > buf->alloc || buf->off > buf->
size) != 0), 0)
40 buf->off > buf->size)__builtin_expect(((buf == ((void *)0) || (!buf->readonly &&
buf->d != buf->cd) || buf->refcount < 1 || buf->
refcount > 0x100000 || buf->cd == ((void *)0) || buf->
max_size > 0x8000000 || buf->alloc > buf->max_size
|| buf->size > buf->alloc || buf->off > buf->
size) != 0), 0)) {
41 /* Do not try to recover from corrupted buffer internals */
42 SSHBUF_DBG(("SSH_ERR_INTERNAL_ERROR"));
43 ssh_signal(SIGSEGV11, SIG_DFL(void (*)(int))0);
44 raise(SIGSEGV11);
45 return SSH_ERR_INTERNAL_ERROR-1;
46 }
47 return 0;
48}
49
50static void
51sshbuf_maybe_pack(struct sshbuf *buf, int force)
52{
53 SSHBUF_DBG(("force %d", force));
54 SSHBUF_TELL("pre-pack");
55 if (buf->off == 0 || buf->readonly || buf->refcount > 1)
56 return;
57 if (force ||
58 (buf->off >= SSHBUF_PACK_MIN8192 && buf->off >= buf->size / 2)) {
59 memmove(buf->d, buf->d + buf->off, buf->size - buf->off);
60 buf->size -= buf->off;
61 buf->off = 0;
62 SSHBUF_TELL("packed");
63 }
64}
65
66struct sshbuf *
67sshbuf_new(void)
68{
69 struct sshbuf *ret;
70
71 if ((ret = calloc(sizeof(*ret), 1)) == NULL((void *)0))
72 return NULL((void *)0);
73 ret->alloc = SSHBUF_SIZE_INIT256;
74 ret->max_size = SSHBUF_SIZE_MAX0x8000000;
75 ret->readonly = 0;
76 ret->refcount = 1;
77 ret->parent = NULL((void *)0);
78 if ((ret->cd = ret->d = calloc(1, ret->alloc)) == NULL((void *)0)) {
79 free(ret);
80 return NULL((void *)0);
81 }
82 return ret;
83}
84
85struct sshbuf *
86sshbuf_from(const void *blob, size_t len)
87{
88 struct sshbuf *ret;
89
90 if (blob == NULL((void *)0) || len
4.1
'len' is <= SSHBUF_SIZE_MAX
 > SSHBUF_SIZE_MAX0x8000000 ||
4
Assuming 'blob' is not equal to NULL
7
Taking false branch
91 (ret = calloc(sizeof(*ret), 1)) == NULL((void *)0))
5
Memory is allocated
6
Assuming the condition is false
92 return NULL((void *)0);
93 ret->alloc = ret->size = ret->max_size = len;
94 ret->readonly = 1;
95 ret->refcount = 1;
96 ret->parent = NULL((void *)0);
97 ret->cd = blob;
98 ret->d = NULL((void *)0);
99 return ret;
100}
101
102int
103sshbuf_set_parent(struct sshbuf *child, struct sshbuf *parent)
104{
105 int r;
106
107 if ((r = sshbuf_check_sanity(child)) != 0 ||
108 (r = sshbuf_check_sanity(parent)) != 0)
109 return r;
110 child->parent = parent;
111 child->parent->refcount++;
112 return 0;
113}
114
115struct sshbuf *
116sshbuf_fromb(struct sshbuf *buf)
117{
118 struct sshbuf *ret;
119
120 if (sshbuf_check_sanity(buf) != 0)
1
Assuming the condition is false
2
Taking false branch
121 return NULL((void *)0);
122 if ((ret = sshbuf_from(sshbuf_ptr(buf), sshbuf_len(buf))) == NULL((void *)0))
3
Calling 'sshbuf_from'
8
Returned allocated memory
9
Taking false branch
123 return NULL((void *)0);
124 if (sshbuf_set_parent(ret, buf) != 0) {
10
Taking true branch
125 sshbuf_free(ret);
126 return NULL((void *)0);
11
Potential leak of memory pointed to by 'ret'
127 }
128 return ret;
129}
130
131void
132sshbuf_free(struct sshbuf *buf)
133{
134 if (buf == NULL((void *)0))
135 return;
136 /*
137 * The following will leak on insane buffers, but this is the safest
138 * course of action - an invalid pointer or already-freed pointer may
139 * have been passed to us and continuing to scribble over memory would
140 * be bad.
141 */
142 if (sshbuf_check_sanity(buf) != 0)
143 return;
144
145 /*
146 * If we are a parent with still-extant children, then don't free just
147 * yet. The last child's call to sshbuf_free should decrement our
148 * refcount to 0 and trigger the actual free.
149 */
150 buf->refcount--;
151 if (buf->refcount > 0)
152 return;
153
154 /*
155 * If we are a child, the free our parent to decrement its reference
156 * count and possibly free it.
157 */
158 sshbuf_free(buf->parent);
159 buf->parent = NULL((void *)0);
160
161 if (!buf->readonly) {
162 explicit_bzero(buf->d, buf->alloc);
163 free(buf->d);
164 }
165 freezero(buf, sizeof(*buf));
166}
167
168void
169sshbuf_reset(struct sshbuf *buf)
170{
171 u_char *d;
172
173 if (buf->readonly || buf->refcount > 1) {
174 /* Nonsensical. Just make buffer appear empty */
175 buf->off = buf->size;
176 return;
177 }
178 (void) sshbuf_check_sanity(buf);
179 buf->off = buf->size = 0;
180 if (buf->alloc != SSHBUF_SIZE_INIT256) {
181 if ((d = recallocarray(buf->d, buf->alloc, SSHBUF_SIZE_INIT256,
182 1)) != NULL((void *)0)) {
183 buf->cd = buf->d = d;
184 buf->alloc = SSHBUF_SIZE_INIT256;
185 }
186 }
187 explicit_bzero(buf->d, SSHBUF_SIZE_INIT256);
188}
189
190size_t
191sshbuf_max_size(const struct sshbuf *buf)
192{
193 return buf->max_size;
194}
195
196size_t
197sshbuf_alloc(const struct sshbuf *buf)
198{
199 return buf->alloc;
200}
201
202const struct sshbuf *
203sshbuf_parent(const struct sshbuf *buf)
204{
205 return buf->parent;
206}
207
208u_int
209sshbuf_refcount(const struct sshbuf *buf)
210{
211 return buf->refcount;
212}
213
214int
215sshbuf_set_max_size(struct sshbuf *buf, size_t max_size)
216{
217 size_t rlen;
218 u_char *dp;
219 int r;
220
221 SSHBUF_DBG(("set max buf = %p len = %zu", buf, max_size));
222 if ((r = sshbuf_check_sanity(buf)) != 0)
223 return r;
224 if (max_size == buf->max_size)
225 return 0;
226 if (buf->readonly || buf->refcount > 1)
227 return SSH_ERR_BUFFER_READ_ONLY-49;
228 if (max_size > SSHBUF_SIZE_MAX0x8000000)
229 return SSH_ERR_NO_BUFFER_SPACE-9;
230 /* pack and realloc if necessary */
231 sshbuf_maybe_pack(buf, max_size < buf->size);
232 if (max_size < buf->alloc && max_size > buf->size) {
233 if (buf->size < SSHBUF_SIZE_INIT256)
234 rlen = SSHBUF_SIZE_INIT256;
235 else
236 rlen = ROUNDUP(buf->size, SSHBUF_SIZE_INC)((((buf->size)+((256)-1))/(256))*(256));
237 if (rlen > max_size)
238 rlen = max_size;
239 SSHBUF_DBG(("new alloc = %zu", rlen));
240 if ((dp = recallocarray(buf->d, buf->alloc, rlen, 1)) == NULL((void *)0))
241 return SSH_ERR_ALLOC_FAIL-2;
242 buf->cd = buf->d = dp;
243 buf->alloc = rlen;
244 }
245 SSHBUF_TELL("new-max");
246 if (max_size < buf->alloc)
247 return SSH_ERR_NO_BUFFER_SPACE-9;
248 buf->max_size = max_size;
249 return 0;
250}
251
252size_t
253sshbuf_len(const struct sshbuf *buf)
254{
255 if (sshbuf_check_sanity(buf) != 0)
256 return 0;
257 return buf->size - buf->off;
258}
259
260size_t
261sshbuf_avail(const struct sshbuf *buf)
262{
263 if (sshbuf_check_sanity(buf) != 0 || buf->readonly || buf->refcount > 1)
264 return 0;
265 return buf->max_size - (buf->size - buf->off);
266}
267
268const u_char *
269sshbuf_ptr(const struct sshbuf *buf)
270{
271 if (sshbuf_check_sanity(buf) != 0)
272 return NULL((void *)0);
273 return buf->cd + buf->off;
274}
275
276u_char *
277sshbuf_mutable_ptr(const struct sshbuf *buf)
278{
279 if (sshbuf_check_sanity(buf) != 0 || buf->readonly || buf->refcount > 1)
280 return NULL((void *)0);
281 return buf->d + buf->off;
282}
283
284int
285sshbuf_check_reserve(const struct sshbuf *buf, size_t len)
286{
287 int r;
288
289 if ((r = sshbuf_check_sanity(buf)) != 0)
290 return r;
291 if (buf->readonly || buf->refcount > 1)
292 return SSH_ERR_BUFFER_READ_ONLY-49;
293 SSHBUF_TELL("check");
294 /* Check that len is reasonable and that max_size + available < len */
295 if (len > buf->max_size || buf->max_size - len < buf->size - buf->off)
296 return SSH_ERR_NO_BUFFER_SPACE-9;
297 return 0;
298}
299
300int
301sshbuf_allocate(struct sshbuf *buf, size_t len)
302{
303 size_t rlen, need;
304 u_char *dp;
305 int r;
306
307 SSHBUF_DBG(("allocate buf = %p len = %zu", buf, len));
308 if ((r = sshbuf_check_reserve(buf, len)) != 0)
309 return r;
310 /*
311 * If the requested allocation appended would push us past max_size
312 * then pack the buffer, zeroing buf->off.
313 */
314 sshbuf_maybe_pack(buf, buf->size + len > buf->max_size);
315 SSHBUF_TELL("allocate");
316 if (len + buf->size <= buf->alloc)
317 return 0; /* already have it. */
318
319 /*
320 * Prefer to alloc in SSHBUF_SIZE_INC units, but
321 * allocate less if doing so would overflow max_size.
322 */
323 need = len + buf->size - buf->alloc;
324 rlen = ROUNDUP(buf->alloc + need, SSHBUF_SIZE_INC)((((buf->alloc + need)+((256)-1))/(256))*(256));
325 SSHBUF_DBG(("need %zu initial rlen %zu", need, rlen));
326 if (rlen > buf->max_size)
327 rlen = buf->alloc + need;
328 SSHBUF_DBG(("adjusted rlen %zu", rlen));
329 if ((dp = recallocarray(buf->d, buf->alloc, rlen, 1)) == NULL((void *)0)) {
330 SSHBUF_DBG(("realloc fail"));
331 return SSH_ERR_ALLOC_FAIL-2;
332 }
333 buf->alloc = rlen;
334 buf->cd = buf->d = dp;
335 if ((r = sshbuf_check_reserve(buf, len)) < 0) {
336 /* shouldn't fail */
337 return r;
338 }
339 SSHBUF_TELL("done");
340 return 0;
341}
342
343int
344sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp)
345{
346 u_char *dp;
347 int r;
348
349 if (dpp != NULL((void *)0))
350 *dpp = NULL((void *)0);
351
352 SSHBUF_DBG(("reserve buf = %p len = %zu", buf, len));
353 if ((r = sshbuf_allocate(buf, len)) != 0)
354 return r;
355
356 dp = buf->d + buf->size;
357 buf->size += len;
358 if (dpp != NULL((void *)0))
359 *dpp = dp;
360 return 0;
361}
362
363int
364sshbuf_consume(struct sshbuf *buf, size_t len)
365{
366 int r;
367
368 SSHBUF_DBG(("len = %zu", len));
369 if ((r = sshbuf_check_sanity(buf)) != 0)
370 return r;
371 if (len == 0)
372 return 0;
373 if (len > sshbuf_len(buf))
374 return SSH_ERR_MESSAGE_INCOMPLETE-3;
375 buf->off += len;
376 /* deal with empty buffer */
377 if (buf->off == buf->size)
378 buf->off = buf->size = 0;
379 SSHBUF_TELL("done");
380 return 0;
381}
382
383int
384sshbuf_consume_end(struct sshbuf *buf, size_t len)
385{
386 int r;
387
388 SSHBUF_DBG(("len = %zu", len));
389 if ((r = sshbuf_check_sanity(buf)) != 0)
390 return r;
391 if (len == 0)
392 return 0;
393 if (len > sshbuf_len(buf))
394 return SSH_ERR_MESSAGE_INCOMPLETE-3;
395 buf->size -= len;
396 SSHBUF_TELL("done");
397 return 0;
398}
399