Bug Summary

File:src/bin/ksh/c_test.c
Warning:line 118, column 6
Null pointer passed as 1st argument to string comparison function

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name c_test.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/bin/ksh/obj -resource-dir /usr/local/lib/clang/13.0.0 -D EMACS -D VI -I . -I /usr/src/bin/ksh -I /usr/src/bin/ksh/../../lib/libc/gen -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/bin/ksh/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/bin/ksh/c_test.c
1/* $OpenBSD: c_test.c,v 1.27 2019/06/28 13:34:59 deraadt Exp $ */
2
3/*
4 * test(1); version 7-like -- author Erik Baalbergen
5 * modified by Eric Gisin to be used as built-in.
6 * modified by Arnold Robbins to add SVR3 compatibility
7 * (-x -c -b -p -u -g -k) plus Korn's -L -nt -ot -ef and new -S (socket).
8 * modified by Michael Rendell to add Korn's [[ .. ]] expressions.
9 * modified by J.T. Conklin to add POSIX compatibility.
10 */
11
12#include <sys/stat.h>
13
14#include <string.h>
15#include <unistd.h>
16
17#include "sh.h"
18#include "c_test.h"
19
20/* test(1) accepts the following grammar:
21 oexpr ::= aexpr | aexpr "-o" oexpr ;
22 aexpr ::= nexpr | nexpr "-a" aexpr ;
23 nexpr ::= primary | "!" nexpr ;
24 primary ::= unary-operator operand
25 | operand binary-operator operand
26 | operand
27 | "(" oexpr ")"
28 ;
29
30 unary-operator ::= "-a"|"-r"|"-w"|"-x"|"-e"|"-f"|"-d"|"-c"|"-b"|"-p"|
31 "-u"|"-g"|"-k"|"-s"|"-t"|"-z"|"-n"|"-o"|"-O"|"-G"|
32 "-L"|"-h"|"-S"|"-H";
33
34 binary-operator ::= "="|"=="|"!="|"-eq"|"-ne"|"-ge"|"-gt"|"-le"|"-lt"|
35 "-nt"|"-ot"|"-ef"|"<"|">"
36 ;
37 operand ::= <any thing>
38*/
39
40#define T_ERR_EXIT2 2 /* POSIX says > 1 for errors */
41
42struct t_op {
43 char op_text[4];
44 Test_op op_num;
45};
46static const struct t_op u_ops [] = {
47 {"-a", TO_FILAXST },
48 {"-b", TO_FILBDEV },
49 {"-c", TO_FILCDEV },
50 {"-d", TO_FILID },
51 {"-e", TO_FILEXST },
52 {"-f", TO_FILREG },
53 {"-G", TO_FILGID },
54 {"-g", TO_FILSETG },
55 {"-h", TO_FILSYM },
56 {"-H", TO_FILCDF },
57 {"-k", TO_FILSTCK },
58 {"-L", TO_FILSYM },
59 {"-n", TO_STNZE },
60 {"-O", TO_FILUID },
61 {"-o", TO_OPTION },
62 {"-p", TO_FILFIFO },
63 {"-r", TO_FILRD },
64 {"-s", TO_FILGZ },
65 {"-S", TO_FILSOCK },
66 {"-t", TO_FILTT },
67 {"-u", TO_FILSETU },
68 {"-w", TO_FILWR },
69 {"-x", TO_FILEX },
70 {"-z", TO_STZER },
71 {"", TO_NONOP }
72};
73static const struct t_op b_ops [] = {
74 {"=", TO_STEQL },
75 {"==", TO_STEQL },
76 {"!=", TO_STNEQ },
77 {"<", TO_STLT },
78 {">", TO_STGT },
79 {"-eq", TO_INTEQ },
80 {"-ne", TO_INTNE },
81 {"-gt", TO_INTGT },
82 {"-ge", TO_INTGE },
83 {"-lt", TO_INTLT },
84 {"-le", TO_INTLE },
85 {"-ef", TO_FILEQ },
86 {"-nt", TO_FILNT },
87 {"-ot", TO_FILOT },
88 {"", TO_NONOP }
89};
90
91static int test_eaccess(const char *, int);
92static int test_oexpr(Test_env *, int);
93static int test_aexpr(Test_env *, int);
94static int test_nexpr(Test_env *, int);
95static int test_primary(Test_env *, int);
96static int ptest_isa(Test_env *, Test_meta);
97static const char *ptest_getopnd(Test_env *, Test_op, int);
98static int ptest_eval(Test_env *, Test_op, const char *,
99 const char *, int);
100static void ptest_error(Test_env *, int, const char *);
101
102int
103c_test(char **wp)
104{
105 int argc;
106 int res;
107 Test_env te;
108
109 te.flags = 0;
110 te.isa = ptest_isa;
111 te.getopnd = ptest_getopnd;
112 te.eval = ptest_eval;
113 te.error = ptest_error;
114
115 for (argc = 0; wp[argc]; argc++)
1
Assuming pointer value is null
2
Loop condition is false. Execution continues on line 118
116 ;
117
118 if (strcmp(wp[0], "[") == 0) {
3
Null pointer passed as 1st argument to string comparison function
119 if (strcmp(wp[--argc], "]") != 0) {
120 bi_errorf("missing ]");
121 return T_ERR_EXIT2;
122 }
123 }
124
125 te.pos.wp = wp + 1;
126 te.wp_end = wp + argc;
127
128 /*
129 * Handle the special cases from POSIX.2, section 4.62.4.
130 * Implementation of all the rules isn't necessary since
131 * our parser does the right thing for the omitted steps.
132 */
133 if (argc <= 5) {
134 char **owp = wp;
135 int invert = 0;
136 Test_op op;
137 const char *opnd1, *opnd2;
138
139 while (--argc >= 0) {
140 if ((*te.isa)(&te, TM_END))
141 return !0;
142 if (argc == 3) {
143 opnd1 = (*te.getopnd)(&te, TO_NONOP, 1);
144 if ((op = (Test_op) (*te.isa)(&te, TM_BINOP))) {
145 opnd2 = (*te.getopnd)(&te, op, 1);
146 res = (*te.eval)(&te, op, opnd1,
147 opnd2, 1);
148 if (te.flags & TEF_ERROR(1<<(0)))
149 return T_ERR_EXIT2;
150 if (invert & 1)
151 res = !res;
152 return !res;
153 }
154 /* back up to opnd1 */
155 te.pos.wp--;
156 }
157 if (argc == 1) {
158 opnd1 = (*te.getopnd)(&te, TO_NONOP, 1);
159 /* Historically, -t by itself test if fd 1
160 * is a file descriptor, but POSIX says its
161 * a string test...
162 */
163 if (!Flag(FPOSIX)(shell_flags[(int) (FPOSIX)]) && strcmp(opnd1, "-t") == 0)
164 break;
165 res = (*te.eval)(&te, TO_STNZE, opnd1,
166 NULL((void*)0), 1);
167 if (invert & 1)
168 res = !res;
169 return !res;
170 }
171 if ((*te.isa)(&te, TM_NOT)) {
172 invert++;
173 } else
174 break;
175 }
176 te.pos.wp = owp + 1;
177 }
178
179 return test_parse(&te);
180}
181
182/*
183 * Generic test routines.
184 */
185
186Test_op
187test_isop(Test_env *te, Test_meta meta, const char *s)
188{
189 char sc1;
190 const struct t_op *otab;
191
192 otab = meta == TM_UNOP ? u_ops : b_ops;
193 if (*s) {
194 sc1 = s[1];
195 for (; otab->op_text[0]; otab++)
196 if (sc1 == otab->op_text[1] &&
197 strcmp(s, otab->op_text) == 0)
198 return otab->op_num;
199 }
200 return TO_NONOP;
201}
202
203int
204test_eval(Test_env *te, Test_op op, const char *opnd1, const char *opnd2,
205 int do_eval)
206{
207 int res;
208 int not;
209 struct stat b1, b2;
210
211 if (!do_eval)
212 return 0;
213
214 switch ((int) op) {
215 /*
216 * Unary Operators
217 */
218 case TO_STNZE: /* -n */
219 return *opnd1 != '\0';
220 case TO_STZER: /* -z */
221 return *opnd1 == '\0';
222 case TO_OPTION: /* -o */
223 if ((not = *opnd1 == '!'))
224 opnd1++;
225 if ((res = option(opnd1)) < 0)
226 res = 0;
227 else {
228 res = Flag(res)(shell_flags[(int) (res)]);
229 if (not)
230 res = !res;
231 }
232 return res;
233 case TO_FILRD: /* -r */
234 return test_eaccess(opnd1, R_OK0x04) == 0;
235 case TO_FILWR: /* -w */
236 return test_eaccess(opnd1, W_OK0x02) == 0;
237 case TO_FILEX: /* -x */
238 return test_eaccess(opnd1, X_OK0x01) == 0;
239 case TO_FILAXST: /* -a */
240 return stat(opnd1, &b1) == 0;
241 case TO_FILEXST: /* -e */
242 /* at&t ksh does not appear to do the /dev/fd/ thing for
243 * this (unless the os itself handles it)
244 */
245 return stat(opnd1, &b1) == 0;
246 case TO_FILREG: /* -r */
247 return stat(opnd1, &b1) == 0 && S_ISREG(b1.st_mode)((b1.st_mode & 0170000) == 0100000);
248 case TO_FILID: /* -d */
249 return stat(opnd1, &b1) == 0 && S_ISDIR(b1.st_mode)((b1.st_mode & 0170000) == 0040000);
250 case TO_FILCDEV: /* -c */
251 return stat(opnd1, &b1) == 0 && S_ISCHR(b1.st_mode)((b1.st_mode & 0170000) == 0020000);
252 case TO_FILBDEV: /* -b */
253 return stat(opnd1, &b1) == 0 && S_ISBLK(b1.st_mode)((b1.st_mode & 0170000) == 0060000);
254 case TO_FILFIFO: /* -p */
255 return stat(opnd1, &b1) == 0 && S_ISFIFO(b1.st_mode)((b1.st_mode & 0170000) == 0010000);
256 case TO_FILSYM: /* -h -L */
257 return lstat(opnd1, &b1) == 0 && S_ISLNK(b1.st_mode)((b1.st_mode & 0170000) == 0120000);
258 case TO_FILSOCK: /* -S */
259 return stat(opnd1, &b1) == 0 && S_ISSOCK(b1.st_mode)((b1.st_mode & 0170000) == 0140000);
260 case TO_FILCDF:/* -H HP context dependent files (directories) */
261 return 0;
262 case TO_FILSETU: /* -u */
263 return stat(opnd1, &b1) == 0 &&
264 (b1.st_mode & S_ISUID0004000) == S_ISUID0004000;
265 case TO_FILSETG: /* -g */
266 return stat(opnd1, &b1) == 0 &&
267 (b1.st_mode & S_ISGID0002000) == S_ISGID0002000;
268 case TO_FILSTCK: /* -k */
269 return stat(opnd1, &b1) == 0 &&
270 (b1.st_mode & S_ISVTX0001000) == S_ISVTX0001000;
271 case TO_FILGZ: /* -s */
272 return stat(opnd1, &b1) == 0 && b1.st_size > 0L;
273 case TO_FILTT: /* -t */
274 if (opnd1 && !bi_getn(opnd1, &res)) {
275 te->flags |= TEF_ERROR(1<<(0));
276 res = 0;
277 } else {
278 /* generate error if in FPOSIX mode? */
279 res = isatty(opnd1 ? res : 0);
280 }
281 return res;
282 case TO_FILUID: /* -O */
283 return stat(opnd1, &b1) == 0 && b1.st_uid == ksheuid;
284 case TO_FILGID: /* -G */
285 return stat(opnd1, &b1) == 0 && b1.st_gid == getegid();
286 /*
287 * Binary Operators
288 */
289 case TO_STEQL: /* = */
290 if (te->flags & TEF_DBRACKET(1<<(1)))
291 return gmatch(opnd1, opnd2, false0);
292 return strcmp(opnd1, opnd2) == 0;
293 case TO_STNEQ: /* != */
294 if (te->flags & TEF_DBRACKET(1<<(1)))
295 return !gmatch(opnd1, opnd2, false0);
296 return strcmp(opnd1, opnd2) != 0;
297 case TO_STLT: /* < */
298 return strcmp(opnd1, opnd2) < 0;
299 case TO_STGT: /* > */
300 return strcmp(opnd1, opnd2) > 0;
301 case TO_INTEQ: /* -eq */
302 case TO_INTNE: /* -ne */
303 case TO_INTGE: /* -ge */
304 case TO_INTGT: /* -gt */
305 case TO_INTLE: /* -le */
306 case TO_INTLT: /* -lt */
307 {
308 int64_t v1, v2;
309
310 if (!evaluate(opnd1, &v1, KSH_RETURN_ERROR0x1, false0) ||
311 !evaluate(opnd2, &v2, KSH_RETURN_ERROR0x1, false0)) {
312 /* error already printed.. */
313 te->flags |= TEF_ERROR(1<<(0));
314 return 1;
315 }
316 switch ((int) op) {
317 case TO_INTEQ:
318 return v1 == v2;
319 case TO_INTNE:
320 return v1 != v2;
321 case TO_INTGE:
322 return v1 >= v2;
323 case TO_INTGT:
324 return v1 > v2;
325 case TO_INTLE:
326 return v1 <= v2;
327 case TO_INTLT:
328 return v1 < v2;
329 }
330 }
331 case TO_FILNT: /* -nt */
332 {
333 int s2;
334 /* ksh88/ksh93 succeed if file2 can't be stated
335 * (subtly different from `does not exist').
336 */
337 return stat(opnd1, &b1) == 0 &&
338 (((s2 = stat(opnd2, &b2)) == 0 &&
339 b1.st_mtimest_mtim.tv_sec > b2.st_mtimest_mtim.tv_sec) || s2 < 0);
340 }
341 case TO_FILOT: /* -ot */
342 {
343 int s1;
344 /* ksh88/ksh93 succeed if file1 can't be stated
345 * (subtly different from `does not exist').
346 */
347 return stat(opnd2, &b2) == 0 &&
348 (((s1 = stat(opnd1, &b1)) == 0 &&
349 b1.st_mtimest_mtim.tv_sec < b2.st_mtimest_mtim.tv_sec) || s1 < 0);
350 }
351 case TO_FILEQ: /* -ef */
352 return stat (opnd1, &b1) == 0 && stat (opnd2, &b2) == 0 &&
353 b1.st_dev == b2.st_dev && b1.st_ino == b2.st_ino;
354 }
355 (*te->error)(te, 0, "internal error: unknown op");
356 return 1;
357}
358
359/* Routine to deal with X_OK on non-directories when running as root.
360 */
361static int
362test_eaccess(const char *path, int amode)
363{
364 int res;
365
366 res = access(path, amode);
367 /*
368 * On most (all?) unixes, access() says everything is executable for
369 * root - avoid this on files by using stat().
370 */
371 if (res == 0 && ksheuid == 0 && (amode & X_OK0x01)) {
372 struct stat statb;
373
374 if (stat(path, &statb) == -1)
375 res = -1;
376 else if (S_ISDIR(statb.st_mode)((statb.st_mode & 0170000) == 0040000))
377 res = 0;
378 else
379 res = (statb.st_mode & (S_IXUSR0000100|S_IXGRP0000010|S_IXOTH0000001)) ?
380 0 : -1;
381 }
382
383 return res;
384}
385
386int
387test_parse(Test_env *te)
388{
389 int res;
390
391 res = test_oexpr(te, 1);
392
393 if (!(te->flags & TEF_ERROR(1<<(0))) && !(*te->isa)(te, TM_END))
394 (*te->error)(te, 0, "unexpected operator/operand");
395
396 return (te->flags & TEF_ERROR(1<<(0))) ? T_ERR_EXIT2 : !res;
397}
398
399static int
400test_oexpr(Test_env *te, int do_eval)
401{
402 int res;
403
404 res = test_aexpr(te, do_eval);
405 if (res)
406 do_eval = 0;
407 if (!(te->flags & TEF_ERROR(1<<(0))) && (*te->isa)(te, TM_OR))
408 return test_oexpr(te, do_eval) || res;
409 return res;
410}
411
412static int
413test_aexpr(Test_env *te, int do_eval)
414{
415 int res;
416
417 res = test_nexpr(te, do_eval);
418 if (!res)
419 do_eval = 0;
420 if (!(te->flags & TEF_ERROR(1<<(0))) && (*te->isa)(te, TM_AND))
421 return test_aexpr(te, do_eval) && res;
422 return res;
423}
424
425static int
426test_nexpr(Test_env *te, int do_eval)
427{
428 if (!(te->flags & TEF_ERROR(1<<(0))) && (*te->isa)(te, TM_NOT))
429 return !test_nexpr(te, do_eval);
430 return test_primary(te, do_eval);
431}
432
433static int
434test_primary(Test_env *te, int do_eval)
435{
436 const char *opnd1, *opnd2;
437 int res;
438 Test_op op;
439
440 if (te->flags & TEF_ERROR(1<<(0)))
441 return 0;
442 if ((*te->isa)(te, TM_OPAREN)) {
443 res = test_oexpr(te, do_eval);
444 if (te->flags & TEF_ERROR(1<<(0)))
445 return 0;
446 if (!(*te->isa)(te, TM_CPAREN)) {
447 (*te->error)(te, 0, "missing closing paren");
448 return 0;
449 }
450 return res;
451 }
452 /*
453 * Binary should have precedence over unary in this case
454 * so that something like test \( -f = -f \) is accepted
455 */
456 if ((te->flags & TEF_DBRACKET(1<<(1))) || (&te->pos.wp[1] < te->wp_end &&
457 !test_isop(te, TM_BINOP, te->pos.wp[1]))) {
458 if ((op = (Test_op) (*te->isa)(te, TM_UNOP))) {
459 /* unary expression */
460 opnd1 = (*te->getopnd)(te, op, do_eval);
461 if (!opnd1) {
462 (*te->error)(te, -1, "missing argument");
463 return 0;
464 }
465
466 return (*te->eval)(te, op, opnd1, NULL((void*)0),
467 do_eval);
468 }
469 }
470 opnd1 = (*te->getopnd)(te, TO_NONOP, do_eval);
471 if (!opnd1) {
472 (*te->error)(te, 0, "expression expected");
473 return 0;
474 }
475 if ((op = (Test_op) (*te->isa)(te, TM_BINOP))) {
476 /* binary expression */
477 opnd2 = (*te->getopnd)(te, op, do_eval);
478 if (!opnd2) {
479 (*te->error)(te, -1, "missing second argument");
480 return 0;
481 }
482
483 return (*te->eval)(te, op, opnd1, opnd2, do_eval);
484 }
485 if (te->flags & TEF_DBRACKET(1<<(1))) {
486 (*te->error)(te, -1, "missing expression operator");
487 return 0;
488 }
489 return (*te->eval)(te, TO_STNZE, opnd1, NULL((void*)0), do_eval);
490}
491
492/*
493 * Plain test (test and [ .. ]) specific routines.
494 */
495
496/* Test if the current token is a whatever. Accepts the current token if
497 * it is. Returns 0 if it is not, non-zero if it is (in the case of
498 * TM_UNOP and TM_BINOP, the returned value is a Test_op).
499 */
500static int
501ptest_isa(Test_env *te, Test_meta meta)
502{
503 /* Order important - indexed by Test_meta values */
504 static const char *const tokens[] = {
505 "-o", "-a", "!", "(", ")"
506 };
507 int ret;
508
509 if (te->pos.wp >= te->wp_end)
510 return meta == TM_END;
511
512 if (meta == TM_UNOP || meta == TM_BINOP)
513 ret = (int) test_isop(te, meta, *te->pos.wp);
514 else if (meta == TM_END)
515 ret = 0;
516 else
517 ret = strcmp(*te->pos.wp, tokens[(int) meta]) == 0;
518
519 /* Accept the token? */
520 if (ret)
521 te->pos.wp++;
522
523 return ret;
524}
525
526static const char *
527ptest_getopnd(Test_env *te, Test_op op, int do_eval)
528{
529 if (te->pos.wp >= te->wp_end)
530 return op == TO_FILTT ? "1" : NULL((void*)0);
531 return *te->pos.wp++;
532}
533
534static int
535ptest_eval(Test_env *te, Test_op op, const char *opnd1, const char *opnd2,
536 int do_eval)
537{
538 return test_eval(te, op, opnd1, opnd2, do_eval);
539}
540
541static void
542ptest_error(Test_env *te, int offset, const char *msg)
543{
544 const char *op = te->pos.wp + offset >= te->wp_end ?
545 NULL((void*)0) : te->pos.wp[offset];
546
547 te->flags |= TEF_ERROR(1<<(0));
548 if (op)
549 bi_errorf("%s: %s", op, msg);
550 else
551 bi_errorf("%s", msg);
552}