/usr/src/usr.bin/ftp/complete.c

Bug Summary

File:	src/usr.bin/ftp/complete.c
Warning:	line 266, column 18 Access to field 'sl_cur' results in a dereference of a null pointer (loaded from variable 'dirlist')

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name complete.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/ftp/obj -resource-dir /usr/local/lib/clang/13.0.0 -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.bin/ftp/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.bin/ftp/complete.c

1/*	$OpenBSD: complete.c,v 1.33 2019/05/16 12:44:17 florian Exp $	*/
2/*	$NetBSD: complete.c,v 1.10 1997/08/18 10:20:18 lukem Exp $	*/

4/*-
* Copyright (c) 1997 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Luke Mewburn.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
*    notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
*    notice, this list of conditions and the following disclaimer in the
*    documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/

33#ifndef SMALL

35/*
* FTP user program - command and file completion routines
*/

39#include <ctype.h>
40#include <err.h>
41#include <dirent.h>
42#include <stdio.h>
43#include <stdlib.h>
44#include <string.h>

46#include "ftp_var.h"

48static int	     comparstr(const void *, const void *);
49static unsigned char complete_ambiguous(char *, int, StringList *);
50static unsigned char complete_command(char *, int);
51static unsigned char complete_local(char *, int);
52static unsigned char complete_remote(char *, int);
53static void          ftpvis(char *, size_t, const char *, size_t);

55static int
56comparstr(const void *a, const void *b)
57{
return (strcmp(*(char **)a, *(char **)b));
59}

61/*
* Determine if complete is ambiguous. If unique, insert.
* If no choices, error. If unambiguous prefix, insert that.
* Otherwise, list choices. words is assumed to be filtered
* to only contain possible choices.
* Args:
*	word	word which started the match
*	list	list by default
*	words	stringlist containing possible matches
*/
71static unsigned char
72complete_ambiguous(char *word, int list, StringList *words)
73{
char insertstr[PATH_MAX1024 * 2];
char *lastmatch;
int i, j;
size_t matchlen, wordlen;

wordlen = strlen(word);
if (words->sl_cur == 0)
return (CC_ERROR6);	/* no choices available */

if (words->sl_cur == 1) {	/* only once choice available */
char *p = words->sl_str[0] + wordlen;
ftpvis(insertstr, sizeof(insertstr), p, strlen(p));
if (el_insertstr(el, insertstr) == -1)
	return (CC_ERROR6);
else
	return (CC_REFRESH4);
}

if (!list) {
lastmatch = words->sl_str[0];
matchlen = strlen(lastmatch);
for (i = 1 ; i < words->sl_cur ; i++) {
	for (j = wordlen ; j < strlen(words->sl_str[i]); j++)
		if (lastmatch[j] != words->sl_str[i][j])
			break;
	if (j < matchlen)
		matchlen = j;
}
if (matchlen > wordlen) {
	ftpvis(insertstr, sizeof(insertstr),
	    lastmatch + wordlen, matchlen - wordlen);
	if (el_insertstr(el, insertstr) == -1)
		return (CC_ERROR6);
	else
			/*
			 * XXX: really want CC_REFRESH_BEEP
			 */
		return (CC_REFRESH4);
}
}

putc('\n', ttyout)(!__isthreaded ? __sputc('\n', ttyout) : (putc)('\n', ttyout)
);
qsort(words->sl_str, words->sl_cur, sizeof(char *), comparstr);
list_vertical(words);
return (CC_REDISPLAY8);
119}

121/*
* Complete a command
*/
124static unsigned char
125complete_command(char *word, int list)
126{
struct cmd *c;
StringList *words;
size_t wordlen;
unsigned char rv;

words = sl_init();
wordlen = strlen(word);

for (c = cmdtab; c->c_name != NULL((void*)0); c++) {
if (wordlen > strlen(c->c_name))
	continue;
if (strncmp(word, c->c_name, wordlen) == 0)
	sl_add(words, c->c_name);
}

rv = complete_ambiguous(word, list, words);
sl_free(words, 0);
return (rv);
145}

147/*
* Complete a local file
*/
150static unsigned char
151complete_local(char *word, int list)
152{
StringList *words;
char dir[PATH_MAX1024];
char *file;
DIR *dd;
struct dirent *dp;
unsigned char rv;

if ((file = strrchr(word, '/')) == NULL((void*)0)) {
dir[0] = '.';
dir[1] = '\0';
file = word;
} else {
if (file == word) {
	dir[0] = '/';
	dir[1] = '\0';
} else {
	(void)strlcpy(dir, word, (size_t)(file - word) + 1);
}
file++;
}

if ((dd = opendir(dir)) == NULL((void*)0))
return (CC_ERROR6);

words = sl_init();

for (dp = readdir(dd); dp != NULL((void*)0); dp = readdir(dd)) {
if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
	continue;
if (strlen(file) > dp->d_namlen)
	continue;
if (strncmp(file, dp->d_name, strlen(file)) == 0) {
	char *tcp;

	tcp = strdup(dp->d_name);
	if (tcp == NULL((void*)0))
		errx(1, "Can't allocate memory for local dir");
	sl_add(words, tcp);
}
}
closedir(dd);

rv = complete_ambiguous(file, list, words);
sl_free(words, 1);
return (rv);
198}

200/*
* Complete a remote file
*/
203static unsigned char
204complete_remote(char *word, int list)
205{
static StringList *dirlist;
19
←
'dirlist' initialized to a null pointer value→
static char	 lastdir[PATH_MAX1024];
StringList	*words;
char		 dir[PATH_MAX1024];
char		*file, *cp;
int		 i;
unsigned char	 rv;

char *dummyargv[] = { "complete", dir, NULL((void*)0) };

if ((file = strrchr(word, '/')) == NULL((void*)0)) {
20
←
Assuming the condition is true→
21
←
Taking true branch→
dir[0] = '.';
dir[1] = '\0';
file = word;
} else {
cp = file;
while (*cp == '/' && cp > word)
	cp--;
(void)strlcpy(dir, word, (size_t)(cp - word + 2));
file++;
}

if (dirchange || strcmp(dir, lastdir) != 0) {	/* dir not cached */
22
←
Assuming 'dirchange' is 0→
23
←
Assuming the condition is false→
24
←
Taking false branch→
char *emesg;

sl_free(dirlist, 1);
dirlist = sl_init();

mflag = 1;
emesg = NULL((void*)0);
if (debug)
	(void)putc('\n', ttyout)(!__isthreaded ? __sputc('\n', ttyout) : (putc)('\n', ttyout)
);
while ((cp = remglob(dummyargv, 0, &emesg)) != NULL((void*)0)) {
	char *tcp;

	if (!mflag)
		continue;
	if (*cp == '\0') {
		mflag = 0;
		continue;
	}
	tcp = strrchr(cp, '/');
	if (tcp)
		tcp++;
	else
		tcp = cp;
	tcp = strdup(tcp);
	if (tcp == NULL((void*)0))
		errx(1, "Can't allocate memory for remote dir");
	sl_add(dirlist, tcp);
}
if (emesg != NULL((void*)0)) {
	fprintf(ttyout, "\n%s\n", emesg);
	return (CC_REDISPLAY8);
}
(void)strlcpy(lastdir, dir, sizeof lastdir);
dirchange = 0;
}

words = sl_init();
for (i = 0; i < dirlist->sl_cur; i++) {
25
←
Access to field 'sl_cur' results in a dereference of a null pointer (loaded from variable 'dirlist')
cp = dirlist->sl_str[i];
if (strlen(file) > strlen(cp))
	continue;
if (strncmp(file, cp, strlen(file)) == 0)
	sl_add(words, cp);
}
rv = complete_ambiguous(file, list, words);
sl_free(words, 0);
return (rv);
276}

278/*
* Generic complete routine
*/
281unsigned char
282complete(EditLine *el, int ch)
283{
static char word[FTPBUFLEN1024 + 200];
static int lastc_argc, lastc_argo;
struct cmd *c;
const LineInfo *lf;
int celems, dolist;
size_t len;

lf = el_line(el);
len = lf->lastchar - lf->buffer;
if (len >= sizeof(line))
1
Assuming the condition is false→
2
←
Taking false branch→
return (CC_ERROR6);
(void)memcpy(line, lf->buffer, len);
line[len] = '\0';
cursor_pos = line + (lf->cursor - lf->buffer);
lastc_argc = cursor_argc;	/* remember last cursor pos */
lastc_argo = cursor_argo;
makeargv();			/* build argc/argv of current line */

if (cursor_argo >= sizeof(word))
3
←
Assuming the condition is false→
4
←
Taking false branch→
return (CC_ERROR6);

dolist = 0;
	/* if cursor and word is same, list alternatives */
if (lastc_argc == cursor_argc && lastc_argo == cursor_argo
5
←
Assuming 'lastc_argc' is not equal to 'cursor_argc'→
   && strncmp(word, margv(marg_sl->sl_str)[cursor_argc], cursor_argo) == 0)
dolist = 1;
else if (cursor_argo)
6
←
Assuming 'cursor_argo' is 0→
7
←
Taking false branch→
memcpy(word, margv(marg_sl->sl_str)[cursor_argc], cursor_argo);
word[cursor_argo] = '\0';

if (cursor_argc == 0)
8
←
Assuming 'cursor_argc' is not equal to 0→
9
←
Taking false branch→
return (complete_command(word, dolist));

c = getcmd(margv(marg_sl->sl_str)[0]);
if (c == (struct cmd *)-1 || c == 0)
10
←
Assuming the condition is false→
11
←
Assuming 'c' is not equal to null→
12
←
Taking false branch→
return (CC_ERROR6);
celems = strlen(c->c_complete);

/* check for 'continuation' completes (which are uppercase) */
if ((cursor_argc > celems) && (celems > 0)
13
←
Assuming 'cursor_argc' is <= 'celems'→
   && isupper((unsigned char)c->c_complete[celems - 1]))
cursor_argc = celems;

if (cursor_argc13.1
'cursor_argc' is <= 'celems'
 > celems)
14
←
Taking false branch→
return (CC_ERROR6);

switch (c->c_complete[cursor_argc - 1]) {
15
←
Control jumps to 'case 82:'  at line 335→
case 'l':			/* local complete */
case 'L':
return (complete_local(word, dolist));
case 'r':			/* remote complete */
case 'R':
if (connected != -1) {
16
←
Assuming the condition is false→
17
←
Taking false branch→
	fputs("\nMust be logged in to complete.\n", ttyout);
	return (CC_REDISPLAY8);
}
return (complete_remote(word, dolist));
18
←
Calling 'complete_remote'→
case 'c':			/* command complete */
case 'C':
return (complete_command(word, dolist));
case 'n':			/* no complete */
return (CC_ERROR6);
}

return (CC_ERROR6);
349}

351/*
* Copy characters from src into dst, \ quoting characters that require it.
*/
354static void
355ftpvis(char *dst, size_t dstlen, const char *src, size_t srclen)
356{
size_t	di, si;

di = si = 0;
while (di + 1 < dstlen && si < srclen && src[si] != '\0') {
switch (src[si]) {
case '\\':
case ' ':
case '\t':
case '\r':
case '\n':
case '"':
	/* Need room for two characters and NUL, avoiding
	 * incomplete escape sequences at end of dst. */
	if (di + 3 >= dstlen)
		break;
	dst[di++] = '\\';
	/* FALLTHROUGH */
default:
	dst[di++] = src[si++];
}
}
if (dstlen != 0)
dst[di] = '\0';
380}
381#endif /* !SMALL */