/usr/src/bin/test/test.c

Bug Summary

File:	src/bin/test/test.c
Warning:	line 373, column 10 Access to field 'op_num' results in a dereference of a null pointer (loaded from variable 'op')

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name test.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/bin/test/obj -resource-dir /usr/local/lib/clang/13.0.0 -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/bin/test/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/bin/test/test.c

1/*	$OpenBSD: test.c,v 1.19 2018/04/02 06:47:43 tobias Exp $	*/
2/*	$NetBSD: test.c,v 1.15 1995/03/21 07:04:06 cgd Exp $	*/

4/*
* test(1); version 7-like  --  author Erik Baalbergen
* modified by Eric Gisin to be used as built-in.
* modified by Arnold Robbins to add SVR3 compatibility
* (-x -c -b -p -u -g -k) plus Korn's -L -nt -ot -ef and new -S (socket).
* modified by J.T. Conklin for NetBSD.
*
* This program is in the Public Domain.
*/

14#include <sys/types.h>
15#include <sys/stat.h>
16#include <unistd.h>
17#include <ctype.h>
18#include <errno(*__errno()).h>
19#include <limits.h>
20#include <stdio.h>
21#include <stdlib.h>
22#include <string.h>
23#include <err.h>

25/* test(1) accepts the following grammar:
oexpr	::= aexpr | aexpr "-o" oexpr ;
aexpr	::= nexpr | nexpr "-a" aexpr ;
nexpr	::= primary | "!" primary
primary	::= unary-operator operand
| operand binary-operator operand
| operand
| "(" oexpr ")"
;
unary-operator ::= "-r"|"-w"|"-x"|"-f"|"-d"|"-c"|"-b"|"-p"|
"-u"|"-g"|"-k"|"-s"|"-t"|"-z"|"-n"|"-o"|"-O"|"-G"|"-L"|"-S";

binary-operator ::= "="|"!="|"<"|">"|"-eq"|"-ne"|"-ge"|"-gt"|
	"-le"|"-lt"|"-nt"|"-ot"|"-ef";
operand ::= <any legal UNIX file name>
40*/

42enum token {
EOI,
FILRD,
FILWR,
FILEX,
FILEXIST,
FILREG,
FILDIR,
FILCDEV,
FILBDEV,
FILFIFO,
FILSOCK,
FILSYM,
FILGZ,
FILTT,
FILSUID,
FILSGID,
FILSTCK,
FILNT,
FILOT,
FILEQ,
FILUID,
FILGID,
STREZ,
STRNZ,
STREQ,
STRNE,
STRLT,
STRGT,
INTEQ,
INTNE,
INTGE,
INTGT,
INTLE,
INTLT,
UNOT,
BAND,
BOR,
LPAREN,
RPAREN,
OPERAND
83};

85enum token_types {
UNOP,
BINOP,
BUNOP,
BBINOP,
PAREN
91};

93struct t_op {
const char *op_text;
short op_num, op_type;
96} const ops [] = {
{"-r",	FILRD,	UNOP},
{"-w",	FILWR,	UNOP},
{"-x",	FILEX,	UNOP},
{"-e",	FILEXIST,UNOP},
{"-f",	FILREG,	UNOP},
{"-d",	FILDIR,	UNOP},
{"-c",	FILCDEV,UNOP},
{"-b",	FILBDEV,UNOP},
{"-p",	FILFIFO,UNOP},
{"-u",	FILSUID,UNOP},
{"-g",	FILSGID,UNOP},
{"-k",	FILSTCK,UNOP},
{"-s",	FILGZ,	UNOP},
{"-t",	FILTT,	UNOP},
{"-z",	STREZ,	UNOP},
{"-n",	STRNZ,	UNOP},
{"-h",	FILSYM,	UNOP},		/* for backwards compat */
{"-O",	FILUID,	UNOP},
{"-G",	FILGID,	UNOP},
{"-L",	FILSYM,	UNOP},
{"-S",	FILSOCK,UNOP},
{"=",	STREQ,	BINOP},
{"!=",	STRNE,	BINOP},
{"<",	STRLT,	BINOP},
{">",	STRGT,	BINOP},
{"-eq",	INTEQ,	BINOP},
{"-ne",	INTNE,	BINOP},
{"-ge",	INTGE,	BINOP},
{"-gt",	INTGT,	BINOP},
{"-le",	INTLE,	BINOP},
{"-lt",	INTLT,	BINOP},
{"-nt",	FILNT,	BINOP},
{"-ot",	FILOT,	BINOP},
{"-ef",	FILEQ,	BINOP},
{"!",	UNOT,	BUNOP},
{"-a",	BAND,	BBINOP},
{"-o",	BOR,	BBINOP},
{"(",	LPAREN,	PAREN},
{")",	RPAREN,	PAREN},
{0,	0,	0}
137};

139char **t_wp;
140struct t_op const *t_wp_op;

142static enum token t_lex(char *);
143static enum token t_lex_type(char *);
144static int oexpr(enum token n);
145static int aexpr(enum token n);
146static int nexpr(enum token n);
147static int binop(void);
148static int primary(enum token n);
149static const char *getnstr(const char *, int *, size_t *);
150static int intcmp(const char *, const char *);
151static int filstat(char *nm, enum token mode);
152static int getn(const char *s);
153static int newerf(const char *, const char *);
154static int olderf(const char *, const char *);
155static int equalf(const char *, const char *);
156static __dead__attribute__((__noreturn__)) void syntax(const char *op, char *msg);

158int
159main(int argc, char *argv[])
160{
extern char *__progname;
int	res;

if (pledge("stdio rpath", NULL((void *)0)) == -1)
1
Assuming the condition is false→
2
←
Taking false branch→
err(2, "pledge");

if (strcmp(__progname, "[") == 0) {
3
←
Assuming the condition is false→
4
←
Taking false branch→
if (strcmp(argv[--argc], "]"))
	errx(2, "missing ]");
argv[argc] = NULL((void *)0);
}

/* Implement special cases from POSIX.2, section 4.62.4 */
switch (argc) {
5
←
Control jumps to 'case 5:'  at line 193→
case 1:
return 1;
case 2:
return (*argv[1] == '\0');
case 3:
if (argv[1][0] == '!' && argv[1][1] == '\0') {
	return !(*argv[2] == '\0');
}
break;
case 4:
if (argv[1][0] != '!' || argv[1][1] != '\0') {
	if (t_lex(argv[2]),
	    t_wp_op && t_wp_op->op_type == BINOP) {
		t_wp = &argv[1];
		return (binop() == 0);
	}
}
break;
case 5:
if (argv[1][0] == '!' && argv[1][1] == '\0') {
6
←
Assuming the condition is true→
7
←
Assuming the condition is true→
8
←
Taking true branch→
	if (t_lex(argv[3]),
10
←
Taking true branch→
	    t_wp_op8.1
't_wp_op' is non-null
 && t_wp_op->op_type == BINOP) {
9
←
Assuming field 'op_type' is equal to BINOP→
		t_wp = &argv[2];
		return !(binop() == 0);
11
←
Calling 'binop'→
	}
}
break;
}

t_wp = &argv[1];
res = !oexpr(t_lex(*t_wp));

if (*t_wp != NULL((void *)0) && *++t_wp != NULL((void *)0))
syntax(*t_wp, "unknown operand");

return res;
211}

213static __dead__attribute__((__noreturn__)) void
214syntax(const char *op, char *msg)
215{
if (op && *op)
errx(2, "%s: %s", op, msg);
else
errx(2, "%s", msg);
220}

222static int
223oexpr(enum token n)
224{
int res;

res = aexpr(n);
if (t_lex(*++t_wp) == BOR)
return oexpr(t_lex(*++t_wp)) || res;
t_wp--;
return res;
232}

234static int
235aexpr(enum token n)
236{
int res;

res = nexpr(n);
if (t_lex(*++t_wp) == BAND)
return aexpr(t_lex(*++t_wp)) && res;
t_wp--;
return res;
244}

246static int
247nexpr(enum token n)
248{
if (n == UNOT)
return !nexpr(t_lex(*++t_wp));
return primary(n);
252}

254static int
255primary(enum token n)
256{
int res;

if (n == EOI)
syntax(NULL((void *)0), "argument expected");
if (n == LPAREN) {
res = oexpr(t_lex(*++t_wp));
if (t_lex(*++t_wp) != RPAREN)
	syntax(NULL((void *)0), "closing paren expected");
return res;
}
/*
* We need this, if not binary operations with more than 4
* arguments will always fall into unary.
*/
if(t_lex_type(t_wp[1]) == BINOP) {
t_lex(t_wp[1]);
if (t_wp_op && t_wp_op->op_type == BINOP)
	return binop();
}

if (t_wp_op && t_wp_op->op_type == UNOP) {
/* unary expression */
if (*++t_wp == NULL((void *)0))
	syntax(t_wp_op->op_text, "argument expected");
switch (n) {
case STREZ:
	return strlen(*t_wp) == 0;
case STRNZ:
	return strlen(*t_wp) != 0;
case FILTT:
	return isatty(getn(*t_wp));
default:
	return filstat(*t_wp, n);
}
}

return strlen(*t_wp) > 0;
294}

296static const char *
297getnstr(const char *s, int *signum, size_t *len)
298{
const char *p, *start;

/* skip leading whitespaces */
p = s;
while (isspace((unsigned char)*p))
p++;

/* accept optional sign */
if (*p == '-') {
*signum = -1;
p++;
} else {
*signum = 1;
if (*p == '+')
	p++;
}

/* skip leading zeros */
while (*p == '0' && isdigit((unsigned char)p[1]))
p++;

/* turn 0 always positive */
if (*p == '0')
*signum = 1;

start = p;
while (isdigit((unsigned char)*p))
p++;
*len = p - start;

/* allow trailing whitespaces */
while (isspace((unsigned char)*p))
p++;

/* validate number */
if (*p != '\0' || *start == '\0')
errx(2, "%s: invalid", s);

return start;
338}

340static int
341intcmp(const char *opnd1, const char *opnd2)
342{
const char *p1, *p2;
size_t len1, len2;
int c, sig1, sig2;

p1 = getnstr(opnd1, &sig1, &len1);
p2 = getnstr(opnd2, &sig2, &len2);

if (sig1 != sig2)
c = sig1;
else if (len1 != len2)
c = (len1 < len2) ? -sig1 : sig1;
else
c = strncmp(p1, p2, len1) * sig1;

return c;
358}

360static int
361binop(void)
362{
const char *opnd1, *opnd2;
struct t_op const *op;

opnd1 = *t_wp;
(void) t_lex(*++t_wp);
12
←
Calling 't_lex'→
19
←
Returning from 't_lex'→
op = t_wp_op;
20
←
Null pointer value stored to 'op'→

if ((opnd2 = *++t_wp) == NULL((void *)0))
21
←
Assuming the condition is false→
22
←
Taking false branch→
syntax(op->op_text, "argument expected");

switch (op->op_num) {
23
←
Access to field 'op_num' results in a dereference of a null pointer (loaded from variable 'op')
case STREQ:
return strcmp(opnd1, opnd2) == 0;
case STRNE:
return strcmp(opnd1, opnd2) != 0;
case STRLT:
return strcmp(opnd1, opnd2) < 0;
case STRGT:
return strcmp(opnd1, opnd2) > 0;
case INTEQ:
return intcmp(opnd1, opnd2) == 0;
case INTNE:
return intcmp(opnd1, opnd2) != 0;
case INTGE:
return intcmp(opnd1, opnd2) >= 0;
case INTGT:
return intcmp(opnd1, opnd2) > 0;
case INTLE:
return intcmp(opnd1, opnd2) <= 0;
case INTLT:
return intcmp(opnd1, opnd2) < 0;
case FILNT:
return newerf(opnd1, opnd2);
case FILOT:
return olderf(opnd1, opnd2);
case FILEQ:
return equalf(opnd1, opnd2);
}

syntax(op->op_text, "not a binary operator");
403}

405static enum token
406t_lex_type(char *s)
407{
struct t_op const *op = ops;

if (s == NULL((void *)0))
return -1;

while (op->op_text) {
if (strcmp(s, op->op_text) == 0)
	return op->op_type;
op++;
}
return -1;
419}

421static int
422filstat(char *nm, enum token mode)
423{
struct stat s;
mode_t i;

if (mode == FILSYM) {
428#ifdef S_IFLNK0120000
if (lstat(nm, &s) == 0) {
	i = S_IFLNK0120000;
	goto filetype;
}
433#endif
return 0;
}

if (stat(nm, &s) != 0)
return 0;

switch (mode) {
case FILRD:
return access(nm, R_OK0x04) == 0;
case FILWR:
return access(nm, W_OK0x02) == 0;
case FILEX:
return access(nm, X_OK0x01) == 0;
case FILEXIST:
return access(nm, F_OK0) == 0;
case FILREG:
i = S_IFREG0100000;
goto filetype;
case FILDIR:
i = S_IFDIR0040000;
goto filetype;
case FILCDEV:
i = S_IFCHR0020000;
goto filetype;
case FILBDEV:
i = S_IFBLK0060000;
goto filetype;
case FILFIFO:
462#ifdef S_IFIFO0010000
i = S_IFIFO0010000;
goto filetype;
465#else
return 0;
467#endif
case FILSOCK:
469#ifdef S_IFSOCK0140000
i = S_IFSOCK0140000;
goto filetype;
472#else
return 0;
474#endif
case FILSUID:
i = S_ISUID0004000;
goto filebit;
case FILSGID:
i = S_ISGID0002000;
goto filebit;
case FILSTCK:
i = S_ISVTX0001000;
goto filebit;
case FILGZ:
return s.st_size > 0L;
case FILUID:
return s.st_uid == geteuid();
case FILGID:
return s.st_gid == getegid();
default:
return 1;
}

494filetype:
return ((s.st_mode & S_IFMT0170000) == i);

497filebit:
return ((s.st_mode & i) != 0);
499}

501static enum token
502t_lex(char *s)
503{
struct t_op const *op = ops;

if (s12.1
's' is not equal to null
 == 0) {
13
←
Taking false branch→
t_wp_op = NULL((void *)0);
return EOI;
}
while (op->op_text) {
14
←
Loop condition is true.  Entering loop body→
17
←
Loop condition is false. Execution continues on line 517→
if (strcmp(s, op->op_text) == 0) {
15
←
Assuming the condition is false→
16
←
Taking false branch→
	t_wp_op = op;
	return op->op_num;
}
op++;
}
t_wp_op = NULL((void *)0);
18
←
Null pointer value stored to 't_wp_op'→
return OPERAND;
519}

521/* atoi with error detection */
522static int
523getn(const char *s)
524{
char buf[32];
const char *errstr, *p;
size_t len;
int r, sig;

p = getnstr(s, &sig, &len);
if (sig != 1)
errstr = "too small";
else if (len >= sizeof(buf))
errstr = "too large";
else {
strlcpy(buf, p, sizeof(buf));
buf[len] = '\0';
r = strtonum(buf, 0, INT_MAX2147483647, &errstr);
}

if (errstr != NULL((void *)0))
errx(2, "%s: %s", s, errstr);

return r;
545}

547static int
548newerf(const char *f1, const char *f2)
549{
struct stat b1, b2;

return (stat(f1, &b1) == 0 &&
   stat(f2, &b2) == 0 &&
   b1.st_mtimest_mtim.tv_sec > b2.st_mtimest_mtim.tv_sec);
555}

557static int
558olderf(const char *f1, const char *f2)
559{
struct stat b1, b2;

return (stat(f1, &b1) == 0 &&
   stat(f2, &b2) == 0 &&
   b1.st_mtimest_mtim.tv_sec < b2.st_mtimest_mtim.tv_sec);
565}

567static int
568equalf(const char *f1, const char *f2)
569{
struct stat b1, b2;

return (stat(f1, &b1) == 0 &&
   stat(f2, &b2) == 0 &&
   b1.st_dev == b2.st_dev &&
   b1.st_ino == b2.st_ino);
576}