/usr/src/usr.sbin/ldpd/pfkey.c

Bug Summary

File:	src/usr.sbin/ldpd/pfkey.c
Warning:	line 296, column 25 The left operand of '!=' is a garbage value

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name pfkey.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.sbin/ldpd/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/usr.sbin/ldpd -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.sbin/ldpd/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.sbin/ldpd/pfkey.c

1/*	$OpenBSD: pfkey.c,v 1.12 2019/01/23 02:02:04 dlg Exp $ */

3/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
* Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/

20#include <sys/types.h>
21#include <errno(*__errno()).h>
22#include <stdlib.h>
23#include <string.h>
24#include <unistd.h>

26#include "ldpd.h"
27#include "ldpe.h"
28#include "log.h"

30static int	 pfkey_send(int, uint8_t, uint8_t, uint8_t,
    int, union ldpd_addr *, union ldpd_addr *,
    uint32_t, uint8_t, int, char *, uint8_t, int, char *,
    uint16_t, uint16_t);
34static int	 pfkey_reply(int, uint32_t *);
35static int	 pfkey_sa_add(int, union ldpd_addr *, union ldpd_addr *,
    uint8_t, char *, uint32_t *);
37static int	 pfkey_sa_remove(int, union ldpd_addr *, union ldpd_addr *,
    uint32_t *);
39static int	 pfkey_md5sig_establish(struct nbr *, struct ldp_auth *);
40static int	 pfkey_md5sig_remove(struct nbr *);

42#define	PFKEY2_CHUNKsizeof(uint64_t) sizeof(uint64_t)
43#define	ROUNDUP(x)(((x) + (sizeof(uint64_t) - 1)) & ~(sizeof(uint64_t) - 1)
) (((x) + (PFKEY2_CHUNKsizeof(uint64_t) - 1)) & ~(PFKEY2_CHUNKsizeof(uint64_t) - 1))
44#define	IOV_CNT20	20

46static uint32_t	 sadb_msg_seq;
47static uint32_t	 pid; /* should pid_t but pfkey needs uint32_t */
48static int	 fd;

50static int
51pfkey_send(int sd, uint8_t satype, uint8_t mtype, uint8_t dir,
  int af, union ldpd_addr *src, union ldpd_addr *dst, uint32_t spi,
  uint8_t aalg, int alen, char *akey, uint8_t ealg, int elen, char *ekey,
  uint16_t sport, uint16_t dport)
55{
struct sadb_msg		smsg;
struct sadb_sa		sa;
struct sadb_address	sa_src, sa_dst;
struct sadb_key		sa_akey, sa_ekey;
struct sadb_spirange	sa_spirange;
struct iovec		iov[IOV_CNT20];
ssize_t			n;
int			len = 0;
int			iov_cnt;
struct sockaddr_storage	ssrc, sdst, smask, dmask;
struct sockaddr		*saptr;

if (!pid)
pid = getpid();

/* we need clean sockaddr... no ports set */
memset(&ssrc, 0, sizeof(ssrc));
memset(&smask, 0, sizeof(smask));
if ((saptr = addr2sa(af, src, 0)))
memcpy(&ssrc, saptr, sizeof(ssrc));
switch (af) {
case AF_INET2:
memset(&((struct sockaddr_in *)&smask)->sin_addr, 0xff, 32/8);
break;
case AF_INET624:
memset(&((struct sockaddr_in6 *)&smask)->sin6_addr, 0xff,
    128/8);
break;
default:
return (-1);
}
smask.ss_family = ssrc.ss_family;
smask.ss_len = ssrc.ss_len;

memset(&sdst, 0, sizeof(sdst));
memset(&dmask, 0, sizeof(dmask));
if ((saptr = addr2sa(af, dst, 0)))
memcpy(&sdst, saptr, sizeof(sdst));
switch (af) {
case AF_INET2:
memset(&((struct sockaddr_in *)&dmask)->sin_addr, 0xff, 32/8);
break;
case AF_INET624:
memset(&((struct sockaddr_in6 *)&dmask)->sin6_addr, 0xff,
    128/8);
break;
default:
return (-1);
}
dmask.ss_family = sdst.ss_family;
dmask.ss_len = sdst.ss_len;

memset(&smsg, 0, sizeof(smsg));
smsg.sadb_msg_version = PF_KEY_V22;
smsg.sadb_msg_seq = ++sadb_msg_seq;
smsg.sadb_msg_pid = pid;
smsg.sadb_msg_len = sizeof(smsg) / 8;
smsg.sadb_msg_type = mtype;
smsg.sadb_msg_satype = satype;

switch (mtype) {
case SADB_GETSPI1:
memset(&sa_spirange, 0, sizeof(sa_spirange));
sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE16;
sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8;
sa_spirange.sadb_spirange_min = 0x100;
sa_spirange.sadb_spirange_max = 0xffffffff;
sa_spirange.sadb_spirange_reserved = 0;
break;
case SADB_ADD3:
case SADB_UPDATE2:
case SADB_DELETE4:
memset(&sa, 0, sizeof(sa));
sa.sadb_sa_exttype = SADB_EXT_SA1;
sa.sadb_sa_len = sizeof(sa) / 8;
sa.sadb_sa_replay = 0;
sa.sadb_sa_spi = spi;
sa.sadb_sa_state = SADB_SASTATE_MATURE1;
break;
}

memset(&sa_src, 0, sizeof(sa_src));
sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC5;
sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)(((ssrc.ss_len) + (sizeof(uint64_t) - 1)) & ~(sizeof(uint64_t
) - 1))) / 8;

memset(&sa_dst, 0, sizeof(sa_dst));
sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST6;
sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)(((sdst.ss_len) + (sizeof(uint64_t) - 1)) & ~(sizeof(uint64_t
) - 1))) / 8;

sa.sadb_sa_auth = aalg;
sa.sadb_sa_encrypt = SADB_X_EALG_AES12; /* XXX */

switch (mtype) {
case SADB_ADD3:
case SADB_UPDATE2:
memset(&sa_akey, 0, sizeof(sa_akey));
sa_akey.sadb_key_exttype = SADB_EXT_KEY_AUTH8;
sa_akey.sadb_key_len = (sizeof(sa_akey) +
    ((alen + 7) / 8) * 8) / 8;
sa_akey.sadb_key_bits = 8 * alen;

memset(&sa_ekey, 0, sizeof(sa_ekey));
sa_ekey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT9;
sa_ekey.sadb_key_len = (sizeof(sa_ekey) +
    ((elen + 7) / 8) * 8) / 8;
sa_ekey.sadb_key_bits = 8 * elen;

break;
}

iov_cnt = 0;

/* msghdr */
iov[iov_cnt].iov_base = &smsg;
iov[iov_cnt].iov_len = sizeof(smsg);
iov_cnt++;

switch (mtype) {
case SADB_ADD3:
case SADB_UPDATE2:
case SADB_DELETE4:
/* SA hdr */
iov[iov_cnt].iov_base = &sa;
iov[iov_cnt].iov_len = sizeof(sa);
smsg.sadb_msg_len += sa.sadb_sa_len;
iov_cnt++;
break;
case SADB_GETSPI1:
/* SPI range */
iov[iov_cnt].iov_base = &sa_spirange;
iov[iov_cnt].iov_len = sizeof(sa_spirange);
smsg.sadb_msg_len += sa_spirange.sadb_spirange_len;
iov_cnt++;
break;
}

/* dest addr */
iov[iov_cnt].iov_base = &sa_dst;
iov[iov_cnt].iov_len = sizeof(sa_dst);
iov_cnt++;
iov[iov_cnt].iov_base = &sdst;
iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len)(((sdst.ss_len) + (sizeof(uint64_t) - 1)) & ~(sizeof(uint64_t
) - 1));
smsg.sadb_msg_len += sa_dst.sadb_address_len;
iov_cnt++;

/* src addr */
iov[iov_cnt].iov_base = &sa_src;
iov[iov_cnt].iov_len = sizeof(sa_src);
iov_cnt++;
iov[iov_cnt].iov_base = &ssrc;
iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len)(((ssrc.ss_len) + (sizeof(uint64_t) - 1)) & ~(sizeof(uint64_t
) - 1));
smsg.sadb_msg_len += sa_src.sadb_address_len;
iov_cnt++;

switch (mtype) {
case SADB_ADD3:
case SADB_UPDATE2:
if (alen) {
	/* auth key */
	iov[iov_cnt].iov_base = &sa_akey;
	iov[iov_cnt].iov_len = sizeof(sa_akey);
	iov_cnt++;
	iov[iov_cnt].iov_base = akey;
	iov[iov_cnt].iov_len = ((alen + 7) / 8) * 8;
	smsg.sadb_msg_len += sa_akey.sadb_key_len;
	iov_cnt++;
}
if (elen) {
	/* encryption key */
	iov[iov_cnt].iov_base = &sa_ekey;
	iov[iov_cnt].iov_len = sizeof(sa_ekey);
	iov_cnt++;
	iov[iov_cnt].iov_base = ekey;
	iov[iov_cnt].iov_len = ((elen + 7) / 8) * 8;
	smsg.sadb_msg_len += sa_ekey.sadb_key_len;
	iov_cnt++;
}
break;
}

len = smsg.sadb_msg_len * 8;
do {
n = writev(sd, iov, iov_cnt);
} while (n == -1 && (errno(*__errno()) == EAGAIN35 || errno(*__errno()) == EINTR4));

if (n == -1) {
log_warn("writev (%d/%d)", iov_cnt, len);
return (-1);
}

return (0);
247}

249int
250pfkey_read(int sd, struct sadb_msg *h)
251{
struct sadb_msg hdr;

if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK0x2) != sizeof(hdr)) {
8
←
Assuming the condition is true→
9
←
Taking true branch→
if (errno(*__errno()) == EAGAIN35 || errno(*__errno()) == EINTR4)
10
←
Assuming the condition is true→
	return (0);
11
←
Returning without writing to 'h->sadb_msg_errno'→
12
←
Returning zero, which participates in a condition later→
log_warn("pfkey peek");
return (-1);
}

/* XXX: Only one message can be outstanding. */
if (hdr.sadb_msg_seq == sadb_msg_seq &&
   hdr.sadb_msg_pid == pid) {
if (h)
	*h = hdr;
return (0);
}

/* not ours, discard */
if (read(sd, &hdr, sizeof(hdr)) == -1) {
if (errno(*__errno()) == EAGAIN35 || errno(*__errno()) == EINTR4)
	return (0);
log_warn("pfkey read");
return (-1);
}

return (1);
278}

280static int
281pfkey_reply(int sd, uint32_t *spip)
282{
struct sadb_msg hdr, *msg;
struct sadb_ext *ext;
struct sadb_sa *sa;
uint8_t *data;
ssize_t len;
int rv;

do {
15
←
Loop condition is false.  Exiting loop→
rv = pfkey_read(sd, &hdr);
7
←
Calling 'pfkey_read'→
13
←
Returning from 'pfkey_read'→
if (rv == -1)
14
←
Taking false branch→
	return (-1);
} while (rv);

if (hdr.sadb_msg_errno != 0) {
16
←
The left operand of '!=' is a garbage value
errno(*__errno()) = hdr.sadb_msg_errno;
if (errno(*__errno()) == ESRCH3)
	return (0);
else {
	log_warn("pfkey");
	return (-1);
}
}
if ((data = reallocarray(NULL((void *)0), hdr.sadb_msg_len, PFKEY2_CHUNKsizeof(uint64_t))) == NULL((void *)0)) {
log_warn("pfkey malloc");
return (-1);
}
len = hdr.sadb_msg_len * PFKEY2_CHUNKsizeof(uint64_t);
if (read(sd, data, len) != len) {
log_warn("pfkey read");
freezero(data, len);
return (-1);
}

if (hdr.sadb_msg_type == SADB_GETSPI1) {
if (spip == NULL((void *)0)) {
	freezero(data, len);
	return (0);
}

msg = (struct sadb_msg *)data;
for (ext = (struct sadb_ext *)(msg + 1);
    (size_t)((uint8_t *)ext - (uint8_t *)msg) <
    msg->sadb_msg_len * PFKEY2_CHUNKsizeof(uint64_t);
    ext = (struct sadb_ext *)((uint8_t *)ext +
    ext->sadb_ext_len * PFKEY2_CHUNKsizeof(uint64_t))) {
	if (ext->sadb_ext_type == SADB_EXT_SA1) {
		sa = (struct sadb_sa *) ext;
		*spip = sa->sadb_sa_spi;
		break;
	}
}
}
freezero(data, len);
return (0);
337}

339static int
340pfkey_sa_add(int af, union ldpd_addr *src, union ldpd_addr *dst, uint8_t keylen,
  char *key, uint32_t *spi)
342{
if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE8, SADB_GETSPI1, 0,
   af, src, dst, 0, 0, 0, NULL((void *)0), 0, 0, NULL((void *)0), 0, 0) < 0)
return (-1);
if (pfkey_reply(fd, spi) < 0)
return (-1);
if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE8, SADB_UPDATE2, 0,
   af, src, dst, *spi, 0, keylen, key, 0, 0, NULL((void *)0), 0, 0) < 0)
return (-1);
if (pfkey_reply(fd, NULL((void *)0)) < 0)
return (-1);
return (0);
354}

356static int
357pfkey_sa_remove(int af, union ldpd_addr *src, union ldpd_addr *dst,
  uint32_t *spi)
359{
if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE8, SADB_DELETE4, 0,
5
←
Taking false branch→
   af, src, dst, *spi, 0, 0, NULL((void *)0), 0, 0, NULL((void *)0), 0, 0) < 0)
return (-1);
if (pfkey_reply(fd, NULL((void *)0)) < 0)
6
←
Calling 'pfkey_reply'→
return (-1);
*spi = 0;
return (0);
367}

369static int
370pfkey_md5sig_establish(struct nbr *nbr, struct ldp_auth *auth)
371{
sleep(1);

pfkey_md5sig_remove(nbr);

if (pfkey_sa_add(nbr->af, &nbr->laddr, &nbr->raddr,
   auth->md5key_len, auth->md5key, &nbr->auth_spi_out) == -1)
return (-1);

if (pfkey_sa_add(nbr->af, &nbr->raddr, &nbr->laddr,
   auth->md5key_len, auth->md5key, &nbr->auth_spi_in) == -1)
return (-1);

nbr->auth_established = 1;

return (0);
387}

389static int
390pfkey_md5sig_remove(struct nbr *nbr)
391{
if (nbr->auth_spi_out) {
2
←
Assuming field 'auth_spi_out' is not equal to 0→
3
←
Taking true branch→
if (pfkey_sa_remove(nbr->af, &nbr->laddr, &nbr->raddr,
4
←
Calling 'pfkey_sa_remove'→
    &nbr->auth_spi_out) == -1)
	return (-1);
}
if (nbr->auth_spi_in) {
if (pfkey_sa_remove(nbr->af, &nbr->raddr, &nbr->laddr,
    &nbr->auth_spi_in) == -1)
	return (-1);
}

nbr->auth_established = 0;
nbr->auth_spi_in = 0;
nbr->auth_spi_out = 0;

return (0);
408}

410static struct ldp_auth *
411pfkey_find_auth(struct ldpd_conf *conf, struct nbr *nbr)
412{
struct ldp_auth *auth, *match = NULL((void *)0);

LIST_FOREACH(auth, &conf->auth_list, entry)for((auth) = ((&conf->auth_list)->lh_first); (auth)
!= ((void *)0); (auth) = ((auth)->entry.le_next)) {
in_addr_t mask = prefixlen2mask(auth->idlen);
if ((auth->id.s_addr & mask) != (nbr->id.s_addr & mask))
	continue;

if (match == NULL((void *)0) ||
    match->idlen < auth->idlen)
	match = auth;
}

return (match);
426}

428int
429pfkey_establish(struct ldpd_conf *conf, struct nbr *nbr)
430{
struct ldp_auth *auth = NULL((void *)0);

auth = pfkey_find_auth(conf, nbr);
if (auth == NULL((void *)0) || /* no policy */
   auth->md5key_len == 0) /* "no tcpmd5 sig" */
return (0);

return (pfkey_md5sig_establish(nbr, auth));
439}

441int
442pfkey_remove(struct nbr *nbr)
443{
return (pfkey_md5sig_remove(nbr));
1
Calling 'pfkey_md5sig_remove'→
445}

447int
448pfkey_init(void)
449{
if ((fd = socket(PF_KEY30, SOCK_RAW3 | SOCK_CLOEXEC0x8000 | SOCK_NONBLOCK0x4000,
   PF_KEY_V22)) == -1) {
if (errno(*__errno()) == EPROTONOSUPPORT43) {
	log_warnx("PF_KEY not available");
	sysdep.no_pfkey = 1;
	return (-1);
} else
	fatal("pfkey setup failed");
}
return (fd);
460}