/usr/src/libexec/ftpd/monitor.c

Bug Summary

File:	src/libexec/ftpd/monitor.c
Warning:	line 178, column 14 Access to field 'pw_dir' results in a dereference of a null pointer (loaded from variable 'pw')

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name monitor.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/libexec/ftpd/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/libexec/ftpd -I /usr/src/libexec/ftpd/../../bin/ls -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/libexec/ftpd/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/libexec/ftpd/monitor.c

1/*	$OpenBSD: monitor.c,v 1.30 2021/10/24 21:24:20 deraadt Exp $	*/

3/*
* Copyright (c) 2004 Moritz Jodeit <moritz@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/

19#include <sys/types.h>
20#include <sys/socket.h>
21#include <sys/wait.h>
22#include <netinet/in.h>

24#include <errno(*__errno()).h>
25#include <fcntl.h>
26#include <paths.h>
27#include <pwd.h>
28#include <signal.h>
29#include <stdarg.h>
30#include <stdint.h>
31#include <stdio.h>
32#include <stdlib.h>
33#include <string.h>
34#include <syslog.h>
35#include <unistd.h>

37#include "monitor.h"
38#include "extern.h"

40enum monitor_command {
CMD_USER,
CMD_PASS,
CMD_SOCKET,
CMD_BIND
45};

47enum monitor_state {
PREAUTH,
POSTAUTH
50};

52extern char	remotehost[];
53extern char	ttyline[20];
54extern int	debug;

56extern void	set_slave_signals(void);

58int	fd_monitor = -1;
59int	fd_slave = -1;
60int	nullfd;
61pid_t	slave_pid = -1;
62enum monitor_state	state = PREAUTH;

64void	send_data(int, void *, size_t);
65void	recv_data(int, void *, size_t);
66void	handle_cmds(void);
67void	set_monitor_signals(void);
68void	sig_pass_to_slave(int);
69void	sig_chld(int);
70void	fatalx(char *, ...);
71void	debugmsg(char *, ...);

73/*
* Send data over a socket and exit if something fails.
*/
76void
77send_data(int sock, void *buf, size_t len)
78{
ssize_t n;
size_t pos = 0;
char *ptr = buf;

while (len > pos) {
switch (n = write(sock, ptr + pos, len - pos)) {
case 0:
	kill_slave("write failure");
	_exit(0);
	/* NOTREACHED */
case -1:
	if (errno(*__errno()) != EINTR4 && errno(*__errno()) != EAGAIN35)
		fatalx("send_data: %m");
	break;
default:
	pos += n;
}
}
97}

99/*
* Receive data from socket and exit if something fails.
*/
102void
103recv_data(int sock, void *buf, size_t len)
104{
ssize_t n;
size_t pos = 0;
char *ptr = buf;

while (len > pos) {
switch (n = read(sock, ptr + pos, len - pos)) {
case 0:
	kill_slave(NULL((void *)0));
	_exit(0);
	/* NOTREACHED */
case -1:
	if (errno(*__errno()) != EINTR4 && errno(*__errno()) != EAGAIN35)
		fatalx("recv_data: %m");
	break;
default:
	pos += n;
}
}
123}

125void
126set_monitor_signals(void)
127{
struct sigaction act;
int i;

sigfillset(&act.sa_mask);
act.sa_flags = SA_RESTART0x0002;

act.sa_handler__sigaction_u.__sa_handler = SIG_DFL(void (*)(int))0;
for (i = 1; i < _NSIG33; i++)
sigaction(i, &act, NULL((void *)0));

act.sa_handler__sigaction_u.__sa_handler = sig_chld;
sigaction(SIGCHLD20, &act, NULL((void *)0));

act.sa_handler__sigaction_u.__sa_handler = sig_pass_to_slave;
sigaction(SIGHUP1, &act, NULL((void *)0));
sigaction(SIGINT2, &act, NULL((void *)0));
sigaction(SIGQUIT3, &act, NULL((void *)0));
sigaction(SIGTERM15, &act, NULL((void *)0));
146}

148/*
* Creates the privileged monitor process. It returns twice.
* It returns 1 for the unprivileged slave process and 0 for the
* user-privileged slave process after successful authentication.
*/
153int
154monitor_init(void)
155{
struct passwd *pw;
int pair[2];

if (socketpair(AF_LOCAL1, SOCK_STREAM1, PF_UNSPEC0, pair) == -1)
1
Assuming the condition is false→
2
←
Taking false branch→
fatalx("socketpair failed");

fd_monitor = pair[0];
fd_slave = pair[1];

set_monitor_signals();

slave_pid = fork();
if (slave_pid == -1)
3
←
Assuming the condition is false→
4
←
Taking false branch→
fatalx("fork of unprivileged slave failed");
if (slave_pid == 0) {
5
←
Assuming 'slave_pid' is equal to 0→
6
←
Taking true branch→
/* Unprivileged slave */
set_slave_signals();

if ((pw = getpwnam(FTPD_PRIVSEP_USER"_ftp")) == NULL((void *)0))
7
←
Value assigned to 'pw'→
8
←
Assuming pointer value is null→
9
←
Taking true branch→
	fatalx("privilege separation user %s not found",
	    FTPD_PRIVSEP_USER"_ftp");

if (chroot(pw->pw_dir) == -1)
10
←
Access to field 'pw_dir' results in a dereference of a null pointer (loaded from variable 'pw')
	fatalx("chroot %s: %m", pw->pw_dir);
if (chdir("/") == -1)
	fatalx("chdir /: %m");

if (setgroups(1, &pw->pw_gid) == -1)
	fatalx("setgroups: %m");
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1)
	fatalx("setresgid failed");
if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
	fatalx("setresuid failed");

endpwent();
close(fd_slave);
return (1);
}

setproctitle("%s: [priv pre-auth]", remotehost);

handle_cmds();

/* User-privileged slave */
return (0);
201}

203/*
* Creates the user-privileged slave process. It is called
* from the privileged monitor process and returns twice. It returns 0
* for the user-privileged slave process and 1 for the monitor process.
*/
208int
209monitor_post_auth(void)
210{
slave_pid = fork();
if (slave_pid == -1)
fatalx("fork of user-privileged slave failed");

snprintf(ttyline, sizeof(ttyline), "ftp%ld",
   slave_pid == 0 ? (long)getpid() : (long)slave_pid);

if (slave_pid == 0) {
/* User privileged slave */
close(fd_slave);
set_slave_signals();
return (0);
}

/* We have to keep stdout open, because reply() needs it. */
if ((nullfd = open(_PATH_DEVNULL"/dev/null", O_RDWR0x0002)) == -1)
fatalx("cannot open %s: %m", _PATH_DEVNULL"/dev/null");
dup2(nullfd, STDIN_FILENO0);
dup2(nullfd, STDERR_FILENO2);
close(nullfd);
close(fd_monitor);

return (1);
234}

236/*
* Handles commands received from the slave process. It will not return
* except in one situation: After successful authentication it will
* return as the user-privileged slave process.
*/
241void
242handle_cmds(void)
243{
enum monitor_command cmd;
enum auth_ret auth;
int err, s, slavequit, serrno, domain;
pid_t preauth_slave_pid;
size_t len;
union sockunion sa;
socklen_t salen;
char *name, *pw;

for (;;) {
recv_data(fd_slave, &cmd, sizeof(cmd));

switch (cmd) {
case CMD_USER:
	debugmsg("CMD_USER received");

	recv_data(fd_slave, &len, sizeof(len));
	if (len == SIZE_MAX0xffffffffffffffffUL)
		fatalx("monitor received invalid user length");
	if ((name = malloc(len + 1)) == NULL((void *)0))
		fatalx("malloc: %m");
	if (len > 0)
		recv_data(fd_slave, name, len);
	name[len] = '\0';

	user(name);
	free(name);
	break;
case CMD_PASS:
	debugmsg("CMD_PASS received");

	recv_data(fd_slave, &len, sizeof(len));
	if (len == SIZE_MAX0xffffffffffffffffUL)
		fatalx("monitor received invalid pass length");
	if ((pw = malloc(len + 1)) == NULL((void *)0))
		fatalx("malloc: %m");
	if (len > 0)
		recv_data(fd_slave, pw, len);
	pw[len] = '\0';

	preauth_slave_pid = slave_pid;

	auth = pass(pw);
	freezero(pw, len);

	switch (auth) {
	case AUTH_FAILED:
		/* Authentication failure */
		debugmsg("authentication failed");
		slavequit = 0;
		send_data(fd_slave, &slavequit,
		    sizeof(slavequit));
		break;
	case AUTH_SLAVE:
		if (pledge("stdio rpath wpath cpath inet recvfd"
		    " sendfd proc tty getpw", NULL((void *)0)) == -1)
			fatalx("pledge");
		/* User-privileged slave */
		debugmsg("user-privileged slave started");
		return;
		/* NOTREACHED */
	case AUTH_MONITOR:
		if (pledge("stdio inet sendfd recvfd proc",
		    NULL((void *)0)) == -1)
			fatalx("pledge");
		/* Post-auth monitor */
		debugmsg("monitor went into post-auth phase");
		state = POSTAUTH;
		setproctitle("%s: [priv post-auth]",
		    remotehost);
		slavequit = 1;

		send_data(fd_slave, &slavequit,
		    sizeof(slavequit));

		while (waitpid(preauth_slave_pid, NULL((void *)0), 0) == -1 &&
		    errno(*__errno()) == EINTR4)
			;
		break;
	default:
		fatalx("bad return value from pass()");
		/* NOTREACHED */
	}
	break;
case CMD_SOCKET:
	debugmsg("CMD_SOCKET received");

	if (state != POSTAUTH)
		fatalx("CMD_SOCKET received in invalid state");

	recv_data(fd_slave, &domain, sizeof(domain));
	if (domain != AF_INET2 && domain != AF_INET624)
		fatalx("monitor received invalid addr family");

	s = socket(domain, SOCK_STREAM1, 0);
	serrno = errno(*__errno());

	send_fd(fd_slave, s);
	if (s == -1)
		send_data(fd_slave, &serrno, sizeof(serrno));
	else
		close(s);
	break;
case CMD_BIND:
	debugmsg("CMD_BIND received");

	if (state != POSTAUTH)
		fatalx("CMD_BIND received in invalid state");

	s = recv_fd(fd_slave);

	recv_data(fd_slave, &salen, sizeof(salen));
	if (salen == 0 || salen > sizeof(sa))
		fatalx("monitor received invalid sockaddr len");

	bzero(&sa, sizeof(sa));
	recv_data(fd_slave, &sa, salen);

	if (sa.su_si.si_len != salen)
		fatalx("monitor received invalid sockaddr len");

	if (sa.su_si.si_family != AF_INET2 &&
	    sa.su_si.si_family != AF_INET624)
		fatalx("monitor received invalid addr family");

	err = bind(s, (struct sockaddr *)&sa, salen);
	serrno = errno(*__errno());

	if (s >= 0)
		close(s);

	send_data(fd_slave, &err, sizeof(err));
	if (err == -1)
		send_data(fd_slave, &serrno, sizeof(serrno));
	break;
default:
	fatalx("monitor received unknown command %d", cmd);
	/* NOTREACHED */
}
}
384}

386void
387sig_pass_to_slave(int signo)
388{
int olderrno = errno(*__errno());

if (slave_pid > 0)
kill(slave_pid, signo);

errno(*__errno()) = olderrno;
395}

397/* ARGSUSED */
398void
399sig_chld(int signo)
400{
pid_t pid;
int stat, olderrno = errno(*__errno());

do {
pid = waitpid(slave_pid, &stat, WNOHANG1);
if (pid > 0)
	_exit(0);
} while (pid == -1 && errno(*__errno()) == EINTR4);

errno(*__errno()) = olderrno;
411}

413void
414kill_slave(char *reason)
415{
if (slave_pid > 0) {
if (reason)
	syslog(LOG_NOTICE5, "kill slave %d: %s",
	    slave_pid, reason);
kill(slave_pid, SIGQUIT3);
}
422}

424void
425fatalx(char *fmt, ...)
426{
va_list ap;

va_start(ap, fmt)__builtin_va_start(ap, fmt);
vsyslog(LOG_ERR3, fmt, ap);
va_end(ap)__builtin_va_end(ap);

kill_slave("fatal error");

_exit(0);
436}

438void
439debugmsg(char *fmt, ...)
440{
va_list ap;

if (debug) {
va_start(ap, fmt)__builtin_va_start(ap, fmt);
vsyslog(LOG_DEBUG7, fmt, ap);
va_end(ap)__builtin_va_end(ap);
}
448}

450void
451monitor_user(char *name)
452{
enum monitor_command cmd;
size_t len;

cmd = CMD_USER;
send_data(fd_monitor, &cmd, sizeof(cmd));

len = strlen(name);
send_data(fd_monitor, &len, sizeof(len));
if (len > 0)
send_data(fd_monitor, name, len);
463}

465int
466monitor_pass(char *pass)
467{
enum monitor_command cmd;
int quitnow;
size_t len;

cmd = CMD_PASS;
send_data(fd_monitor, &cmd, sizeof(cmd));

len = strlen(pass);
send_data(fd_monitor, &len, sizeof(len));
if (len > 0)
send_data(fd_monitor, pass, len);

recv_data(fd_monitor, &quitnow, sizeof(quitnow));

return (quitnow);
483}

485int
486monitor_socket(int domain)
487{
enum monitor_command cmd;
int s, serrno;

cmd = CMD_SOCKET;
send_data(fd_monitor, &cmd, sizeof(cmd));
send_data(fd_monitor, &domain, sizeof(domain));

s = recv_fd(fd_monitor);
if (s == -1) {
recv_data(fd_monitor, &serrno, sizeof(serrno));
errno(*__errno()) = serrno;
}

return (s);
502}

504int
505monitor_bind(int s, struct sockaddr *name, socklen_t namelen)
506{
enum monitor_command cmd;
int ret, serrno;

cmd = CMD_BIND;
send_data(fd_monitor, &cmd, sizeof(cmd));

send_fd(fd_monitor, s);
send_data(fd_monitor, &namelen, sizeof(namelen));
send_data(fd_monitor, name, namelen);

recv_data(fd_monitor, &ret, sizeof(ret));
if (ret == -1) {
recv_data(fd_monitor, &serrno, sizeof(serrno));
errno(*__errno()) = serrno;
}

return (ret);
524}