Bug Summary

File: src/bin/mt/mtrmt.c
Warning: line 122, column 11
Access to field 'pw_name' results in a dereference of a null pointer (loaded from variable 'pwd')

Annotated Source Code


clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name mtrmt.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/bin/mt/obj -resource-dir /usr/local/lib/clang/13.0.0 -D RMT -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/bin/mt/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/bin/mt/mtrmt.c
1/* $OpenBSD: mtrmt.c,v 1.24 2019/07/03 03:24:01 deraadt Exp $ */
2/* $NetBSD: mtrmt.c,v 1.2 1996/03/06 06:22:07 scottr Exp $ */
3
4/*-
5 * Copyright (c) 1980, 1993
6 * The Regents of the University of California. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the University nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33#include <sys/types.h>
34#include <sys/mtio.h>
35#include <sys/ioctl.h>
36#include <sys/socket.h>
37#include <sys/time.h>
38#include <ufs/ufs/dinode.h>
39
40#include <netinet/in.h>
41#include <netinet/tcp.h>
42
43#include <protocols/dumprestore.h>
44
45#include <ctype.h>
46#include <err.h>
47#include <netdb.h>
48#include <pwd.h>
49#include <signal.h>
50#include <stdio.h>
51#include <stdlib.h>
52#include <string.h>
53#include <unistd.h>
54#include <limits.h>
55
56#include "pathnames.h"
57#include "mt.h"
58
/* Values held in rmtstate. */
#define TS_CLOSED	0
#define TS_OPEN		1

/* File-scope session state shared by every rmt*() routine below. */
static int	 rmtstate = TS_CLOSED;	/* TS_OPEN once rmtopen() has run */
static int	 rmtape;		/* descriptor returned by rcmdsh() */
static char	*rmtpeer;		/* copy of the host string given to rmthost() */

/* Connection setup and teardown. */
static void	rmtgetconn(void);
static void	rmtconnaborted(void);
static void	sigrmtconnaborted(int);
static int	okname(char *);

/* Request/reply plumbing. */
static int	rmtcall(char *, char *);
static int	rmtreply(char *);
static int	rmtgetb(void);
static void	rmtgets(char *, int);
74
/*
 * Remember the remote peer and open the connection to it.
 *
 * host is duplicated into rmtpeer (rmtgetconn() edits that copy in place
 * when it contains '@'). A SIGPIPE handler is installed before connecting.
 * Returns 1 when rmtape is non-negative afterwards, 0 otherwise; exits if
 * the copy cannot be allocated.
 */
int
rmthost(char *host)
{
	rmtpeer = strdup(host);
	/* Analyzer path, steps 1-2: strdup() is assumed to succeed. */
	if (rmtpeer == NULL)
		err(1, "strdup");

	signal(SIGPIPE, sigrmtconnaborted);

	/* Analyzer path, step 3: the reported dereference is inside this call. */
	rmtgetconn();

	return (rmtape < 0 ? 0 : 1);
}
86
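/*
 * SIGPIPE handler installed by rmthost(): report the lost connection and
 * terminate immediately with status 1.
 *
 * Only write(2) and _exit(2) are called here. warnx() formats through
 * stdio, which is not async-signal-safe, so calling it from a handler can
 * deadlock or corrupt state if the signal interrupts another stdio call.
 * The message text is unchanged, but it no longer carries the program-name
 * prefix that warnx() added.
 */
/* ARGSUSED */
static void
sigrmtconnaborted(int signo)
{
	static const char msg[] = "Lost connection to remote host.\n";

	(void)signo;
	/* Best effort: nothing useful can be done if stderr is gone. */
	(void)write(STDERR_FILENO, msg, sizeof(msg) - 1);
	_exit(1);
}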
95
/*
 * Report a lost connection through errx() and exit with status 1.
 * Does not return. Used from normal (non-signal) context.
 */
static void
rmtconnaborted(void)
{
	static const char lost[] = "Lost connection to remote host.";

	errx(1, "%s", lost);
}
102
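/*
 * Open the connection to rmtpeer with rcmdsh() and tune its socket buffers.
 *
 * rmtpeer may have the form "user@host": the user part is checked with
 * okname() and used as the remote user, and rmtpeer is advanced to the host
 * part. Without '@' the local user's name is used on both sides.
 * Exits with status 1 on any failure. On return rmtape holds the descriptor
 * and the process has been restricted with pledge("stdio").
 */
void
rmtgetconn(void)
{
	char *cp;
	static struct passwd *pwd = NULL;
#ifdef notdef
	static int on = 1;
#endif
	char *tuser;
	int size;
	int maxseg;

	/*
	 * pwd was never assigned before use. The analyzer report for line 122
	 * traced it: pwd initialised to NULL (step 4), no '@' in rmtpeer
	 * (steps 5-6), then pwd->pw_name dereferenced (step 7). The same NULL
	 * also reached the rcmdsh() call on the '@' path. Look the local user
	 * up once and fail cleanly when there is no passwd entry.
	 *
	 * NOTE(review): on OpenBSD getpwuid() needs the "getpw" promise if the
	 * caller has already pledged before rmthost() -- confirm against mt.c.
	 */
	if (pwd == NULL) {
		pwd = getpwuid(getuid());
		if (pwd == NULL)
			errx(1, "cannot determine local user name");
	}

	if ((cp = strchr(rmtpeer, '@')) != NULL) {
		/* Split "user@host" in place; tuser aliases the rmtpeer buffer. */
		tuser = rmtpeer;
		*cp = '\0';
		if (!okname(tuser))
			exit(1);
		rmtpeer = ++cp;
	} else
		tuser = pwd->pw_name;

	rmtape = rcmdsh(&rmtpeer, -1, pwd->pw_name, tuser,
	    _PATH_RMT, NULL);
	if (rmtape == -1)
		exit(1);		/* rcmd already printed error message */

	size = TP_BSIZE;
	if (size > 60 * 1024)		/* XXX */
		size = 60 * 1024;
	/* Leave some space for rmt request/response protocol */
	size += 2 * 1024;

	/* Shrink the request one block at a time until the kernel accepts it. */
	while (size > TP_BSIZE &&
	    setsockopt(rmtape, SOL_SOCKET, SO_SNDBUF, &size, sizeof (size)) == -1)
		size -= TP_BSIZE;
	/* The remaining socket options are best effort; failures are ignored. */
	(void)setsockopt(rmtape, SOL_SOCKET, SO_RCVBUF, &size, sizeof (size));

	maxseg = 1024;
	(void)setsockopt(rmtape, IPPROTO_TCP, TCP_MAXSEG, &maxseg,
	    sizeof (maxseg));

#ifdef notdef
	if (setsockopt(rmtape, IPPROTO_TCP, TCP_NODELAY, &on, sizeof (on)) == -1)
		perror("TCP_NODELAY setsockopt");
#endif
	/* Nothing past this point needs more than I/O on open descriptors. */
	if (pledge("stdio", NULL) == -1)
		err(1, "pledge");
}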
151
/*
 * Validate a remote user name.
 *
 * Every byte must be an ASCII letter or digit, '_' or '-'. Returns 1 when
 * the whole string passes (an empty string passes too); on the first other
 * byte it warns, quoting the full string, and returns 0.
 */
static int
okname(char *cp0)
{
	const char *p = cp0;

	while (*p != '\0') {
		/* Go through unsigned char so <ctype.h> never sees a negative value. */
		int ch = (unsigned char)*p++;
		int allowed = isascii(ch) &&
		    (isalnum(ch) || ch == '_' || ch == '-');

		if (!allowed) {
			warnx("invalid user name: %s", cp0);
			return (0);
		}
	}
	return (1);
}
167
/*
 * Send the open request "O<tape>\n<mode>\n" and return what rmtcall()
 * returns for it. Exits with status 1 if the request does not fit in the
 * local buffer.
 *
 * rmtstate is set to TS_OPEN before the reply is read, so it stays TS_OPEN
 * when the server answers with an 'E' reply and rmtcall() returns -1.
 */
int
rmtopen(char *tape, int mode)
{
	char request[1 + PATH_MAX+1 + 10+1 +1];
	int n;

	n = snprintf(request, sizeof(request), "O%s\n%d\n", tape, mode);
	/* n is known to be non-negative by the time it is cast. */
	if (n < 0 || (size_t)n >= sizeof(request))
		errx(1, "tape name too long");

	rmtstate = TS_OPEN;
	return (rmtcall(tape, request));
}
180
/*
 * Send the close request "C\n" if a tape is open and mark the session
 * closed. Does nothing when rmtstate is not TS_OPEN. The reply value from
 * rmtcall() is not examined.
 */
void
rmtclose(void)
{
	if (rmtstate == TS_OPEN) {
		rmtcall("close", "C\n");
		rmtstate = TS_CLOSED;
	}
}
190
/* Status block filled in by rmtstatus(). */
struct mtget mts;

/*
 * Send the status request "S\n", read sizeof(mts) bytes from the peer into
 * the file-scope mts, and return its address. Returns NULL when no tape is
 * open.
 *
 * NOTE(review): the value returned by rmtcall() is not examined, so the
 * byte loop runs even after an error reply -- confirm that is intended.
 * The bytes are stored raw, so the peer's struct mtget layout is trusted to
 * match the local one.
 */
struct mtget *
rmtstatus(void)
{
	char *dst = (char *)&mts;
	size_t left;

	if (rmtstate != TS_OPEN)
		return (NULL);

	rmtcall("status", "S\n");
	for (left = sizeof(mts); left > 0; left--)
		*dst++ = rmtgetb();
	return (&mts);
}
206
/*
 * Send the ioctl request "I<cmd>\n<count>\n" and return what rmtcall()
 * returns for it. A negative count is rejected locally with -1 and nothing
 * is sent. Exits with status 1 if the request cannot be formatted.
 */
int
rmtioctl(int cmd, int count)
{
	char request[1 + 10+1 + 10+1 +1];
	int n;

	if (count < 0)
		return (-1);

	n = snprintf(request, sizeof(request), "I%d\n%d\n", cmd, count);
	/* n is known to be non-negative by the time it is cast. */
	if (n < 0 || (size_t)n >= sizeof(request))
		errx(1, "string error during ioctl");

	return (rmtcall("ioctl", request));
}
220
/*
 * Write the request string buf to the remote server and return the parsed
 * reply from rmtreply(). cmd is only used to label error messages.
 * A failed or short write is treated as a lost connection.
 */
static int
rmtcall(char *cmd, char *buf)
{
	size_t want = strlen(buf);
	ssize_t sent = write(rmtape, buf, want);

	if (sent < 0 || (size_t)sent != want)
		rmtconnaborted();
	return (rmtreply(cmd));
}
229
/*
 * Read one reply line from the server and interpret its first byte.
 *
 *   'A'         success: returns atoi() of the text after the 'A'.
 *   'E' / 'F'   error: a second line is read and printed with cmd as the
 *               label, and -1 is returned; 'F' also marks the session
 *               closed.
 *   other       protocol error: the line is printed and the program exits
 *               through rmtconnaborted().
 *
 * Both lines come from the remote peer and are passed to warnx() as read.
 */
static int
rmtreply(char *cmd)
{
	char code[30], emsg[BUFSIZ];
	size_t n;

	rmtgets(code, sizeof(code));

	switch (code[0]) {
	case 'E':
	case 'F':
		rmtgets(emsg, sizeof(emsg));
		warnx("%s: %s", cmd, emsg);
		if (code[0] == 'F')
			rmtstate = TS_CLOSED;
		return (-1);
	case 'A':
		break;
	default:
		/* Kill trailing newline */
		n = strlen(code);
		if (n > 0 && code[n - 1] == '\n')
			code[n - 1] = '\0';

		warnx("Protocol to remote tape server botched (code \"%s\").",
		    code);
		rmtconnaborted();
		break;
	}
	return (atoi(code + 1));
}
258
/*
 * Read exactly one byte from the remote connection and return it.
 * Anything other than a 1-byte read is treated as a lost connection.
 * The byte is held in a plain char, so the int returned may be negative
 * for values above 0x7f where char is signed.
 */
int
rmtgetb(void)
{
	char byte;
	ssize_t got = read(rmtape, &byte, 1);

	if (got != 1)
		rmtconnaborted();
	return (byte);
}
268
/*
 * Read one newline-terminated line from the server into line[0..len-1].
 *
 * Returns only when a '\n' arrived within the first len - 1 bytes; the
 * newline is kept and the string is NUL-terminated. If the buffer fills
 * first, the partial text is printed and the program exits through
 * rmtconnaborted().
 */
void
rmtgets(char *line, int len)
{
	int used;

	/* Stop one short of len so the terminator always fits. */
	for (used = 0; len - used > 1; used++) {
		char ch = rmtgetb();

		line[used] = ch;
		if (ch == '\n') {
			line[used + 1] = '\0';
			return;
		}
	}
	line[used] = '\0';
	warnx("Protocol to remote tape server botched.");
	warnx("(rmtgets got \"%s\").", line);
	rmtconnaborted();
}