/usr/src/usr.bin/usbhidaction/usbhidaction.c

Bug Summary

File:	src/usr.bin/usbhidaction/usbhidaction.c
Warning:	line 390, column 4 4th function call argument is an uninitialized value

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name usbhidaction.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/usbhidaction/obj -resource-dir /usr/local/lib/clang/13.0.0 -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.bin/usbhidaction/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.bin/usbhidaction/usbhidaction.c

1/*	$OpenBSD: usbhidaction.c,v 1.24 2021/12/15 11:23:09 mestre Exp $ */
2/*      $NetBSD: usbhidaction.c,v 1.7 2002/01/18 14:38:59 augustss Exp $ */
3 
4/*
5 * Copyright (c) 2000, 2002 The NetBSD Foundation, Inc.
6 * All rights reserved.
7 *
8 * This code is derived from software contributed to The NetBSD Foundation
9 * by Lennart Augustsson <lennart@augustsson.net>.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 *    notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 *    notice, this list of conditions and the following disclaimer in the
18 *    documentation and/or other materials provided with the distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
21 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
22 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
23 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
24 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 */
32 
33#include <stdio.h>
34#include <stdlib.h>
35#include <string.h>
36#include <ctype.h>
37#include <err.h>
38#include <fcntl.h>
39#include <limits.h>
40#include <unistd.h>
41#include <sys/types.h>
42#include <sys/ioctl.h>
43#include <dev/usb/usb.h>
44#include <dev/usb/usbhid.h>
45#include <usbhid.h>
46#include <syslog.h>
47#include <signal.h>
48#include <paths.h>
49 
50int verbose = 0;
51int isdemon = 0;
52 
53volatile sig_atomic_t reparse = 0;
54 
55struct command {
56	struct command *next;
57	int line;
58 
59	struct hid_item item;
60	int value;
61	char anyvalue;
62	char *name;
63	char *action;
64};
65struct command *commands;
66 
67#define SIZE4000 4000
68 
69void usage(void);
70struct command *parse_conf(const char *, report_desc_t, int, int);
71void docmd(struct command *, int, const char *, int, char **);
72void freecommands(struct command *);
73 
74/* ARGSUSED */
75static void
76sighup(int signo)
77{
78	reparse = 1;
79}
80 
81int
82main(int argc, char **argv)
83{
84	const char *conf = NULL((void *)0);
85	const char *dev = NULL((void *)0);
86	int fd, ch, sz, n, val, i;
87	int demon, ignore;
88	report_desc_t repd;
89	char buf[100];
90	char devnamebuf[PATH_MAX1024];
91	struct command *cmd;
92	int reportid;
93 
94	demon = 1;
95	ignore = 0;
96	while ((ch = getopt(argc, argv, "c:df:iv")) != -1) {
1
Assuming the condition is true→
2
←
Loop condition is true.  Entering loop body→
5
←
Assuming the condition is true→
6
←
Loop condition is true.  Entering loop body→
9
←
Assuming the condition is false→
10
←
Loop condition is false. Execution continues on line 119→
97		switch(ch) {
3
←
Control jumps to 'case 102:'  at line 107→
7
←
Control jumps to 'case 99:'  at line 98→
98		case 'c':
99			conf = optarg;
100			break;
8
←
 Execution continues on line 96→
101		case 'd':
102			demon ^= 1;
103			break;
104		case 'i':
105			ignore++;
106			break;
107		case 'f':
108			dev = optarg;
109			break;
4
←
 Execution continues on line 96→
110		case 'v':
111			demon = 0;
112			verbose++;
113			break;
114		case '?':
115		default:
116			usage();
117		}
118	}
119	argc -= optind;
120	argv += optind;
121 
122	if (conf == NULL((void *)0) || dev11.1
'dev' is not equal to NULL
 == NULL((void *)0))
11
←
Assuming 'conf' is not equal to NULL→
12
←
Taking false branch→
123		usage();
124 
125	if (hid_start(NULL((void *)0)) == -1)
13
←
Assuming the condition is false→
14
←
Taking false branch→
126		errx(1, "hid_init");
127 
128	if (dev[0] != '/') {
15
←
Assuming the condition is false→
16
←
Taking false branch→
129		snprintf(devnamebuf, sizeof(devnamebuf), "/dev/%s%s",
130		    isdigit((unsigned char)dev[0]) ? "uhid" : "", dev);
131		dev = devnamebuf;
132	}
133 
134	if (demon16.1
'demon' is 1
 && conf[0] != '/')
17
←
Taking false branch→
135		errx(1, "config file must have an absolute path, %s", conf);
136 
137	fd = open(dev, O_RDWR0x0002 | O_CLOEXEC0x10000);
138	if (fd == -1)
18
←
Assuming the condition is false→
19
←
Taking false branch→
139		err(1, "%s", dev);
140 
141	if (ioctl(fd, USB_GET_REPORT_ID((unsigned long)0x40000000 | ((sizeof(int) & 0x1fff) <<
 16) | ((('U')) << 8) | ((25))), &reportid) == -1)
20
←
Assuming the condition is false→
21
←
Taking false branch→
142		reportid = -1;
143	repd = hid_get_report_desc(fd);
144	if (repd == NULL((void *)0))
22
←
Assuming 'repd' is not equal to NULL→
23
←
Taking false branch→
145		err(1, "hid_get_report_desc() failed");
146 
147	commands = parse_conf(conf, repd, reportid, ignore);
24
←
Calling 'parse_conf'→
148 
149	sz = hid_report_size(repd, hid_input, reportid);
150 
151	if (verbose)
152		printf("report size %d\n", sz);
153	if (sz > sizeof buf)
154		errx(1, "report too large");
155 
156	(void)signal(SIGHUP1, sighup);
157 
158	/* we do not care about the children, so ignore them */
159	(void)signal(SIGCHLD20, SIG_IGN(void (*)(int))1);
160 
161	if (demon) {
162		if (daemon(0, 0) == -1)
163			err(1, "daemon()");
164		isdemon = 1;
165	}
166 
167	if (unveil(conf, "r") == -1)
168		err(1, "unveil %s", conf);
169	if (unveil(NULL((void *)0), NULL((void *)0)) == -1)
170		err(1, "unveil");
171 
172	for(;;) {
173		n = read(fd, buf, sz);
174		if (verbose > 2) {
175			printf("read %d bytes:", n);
176			for (i = 0; i < n; i++)
177				printf(" %02x", buf[i]);
178			printf("\n");
179		}
180		if (n == -1) {
181			if (verbose)
182				err(1, "read");
183			else
184				exit(1);
185		}
186		if (n != sz) {
187			err(2, "read size");
188		}
189		for (cmd = commands; cmd; cmd = cmd->next) {
190			val = hid_get_data(buf, &cmd->item);
191			if (cmd->value == val || cmd->anyvalue)
192				docmd(cmd, val, dev, argc, argv);
193		}
194		if (reparse) {
195			struct command *cmds =
196			    parse_conf(conf, repd, reportid, ignore);
197			if (cmds) {
198				freecommands(commands);
199				commands = cmds;
200			}
201			reparse = 0;
202		}
203	}
204 
205	exit(0);
206}
207 
208void
209usage(void)
210{
211	extern char *__progname;
212 
213	fprintf(stderr(&__sF[2]), "usage: %s [-div] -c config-file -f device arg ...\n",
214	    __progname);
215	exit(1);
216}
217 
218static int
219peek(FILE *f)
220{
221	int c;
222 
223	c = getc(f)(!__isthreaded ? (--(f)->_r < 0 ? __srget(f) : (int)(*(
f)->_p++)) : (getc)(f));
224	if (c != EOF(-1))
225		ungetc(c, f);
226	return c;
227}
228 
229struct command *
230parse_conf(const char *conf, report_desc_t repd, int reportid, int ignore)
231{
232	FILE *f;
233	char *p;
234	int line;
235	char buf[SIZE4000], name[SIZE4000], value[SIZE4000], action[SIZE4000];
236	char usage[SIZE4000], coll[SIZE4000];
237	struct command *cmd, *cmds;
238	struct hid_data *d;
239	struct hid_item h;
240	int u, lo, hi, range;
241 
242	f = fopen(conf, "r");
243	if (f == NULL((void *)0))
25
←
Assuming 'f' is not equal to NULL→
26
←
Taking false branch→
244		err(1, "%s", conf);
245 
246	cmds = NULL((void *)0);
247	for (line = 1; ; line++) {
27
←
Loop condition is true.  Entering loop body→
248		if (fgets(buf, sizeof buf, f) == NULL((void *)0))
28
←
Assuming the condition is false→
29
←
Taking false branch→
249			break;
250		if (buf[0] == '#' || buf[0] == '\n')
30
←
Assuming the condition is false→
31
←
Assuming the condition is false→
32
←
Taking false branch→
251			continue;
252		p = strchr(buf, '\n');
253		while (p && isspace(peek(f))) {
33
←
Assuming 'p' is null→
254			if (fgets(p, sizeof buf - strlen(buf), f) == NULL((void *)0))
255				break;
256			p = strchr(buf, '\n');
257		}
258		if (p33.1
'p' is null
)
34
←
Taking false branch→
259			*p = 0;
260		if (sscanf(buf, "%s %s %[^\n]", name, value, action) != 3) {
35
←
Assuming the condition is false→
36
←
Taking false branch→
261			if (isdemon) {
262				syslog(LOG_WARNING4, "config file `%s', line %d"
263				    ", syntax error: %s", conf, line, buf);
264				freecommands(cmds);
265				fclose(f);
266				return (NULL((void *)0));
267			} else {
268				errx(1, "config file `%s', line %d"
269				    ", syntax error: %s", conf, line, buf);
270			}
271		}
272 
273		cmd = malloc(sizeof *cmd);
37
←
Uninitialized value stored to field 'value'→
274		if (cmd == NULL((void *)0))
38
←
Assuming 'cmd' is not equal to NULL→
39
←
Taking false branch→
275			err(1, "malloc failed");
276		cmd->next = cmds;
277		cmds = cmd;
278		cmd->line = line;
279 
280		if (strcmp(value, "*") == 0) {
40
←
Assuming the condition is true→
41
←
Taking true branch→
281			cmd->anyvalue = 1;
282		} else {
283			cmd->anyvalue = 0;
284			if (sscanf(value, "%d", &cmd->value) != 1) {
285				if (isdemon) {
286					syslog(LOG_WARNING4,
287					    "config file `%s', line %d, "
288					    "bad value: %s",
289					    conf, line, value);
290					freecommands(cmds);
291					fclose(f);
292					return (NULL((void *)0));
293				} else {
294					errx(1, "config file `%s', line %d, "
295					    "bad value: %s",
296					    conf, line, value);
297				}
298			}
299		}
300 
301		coll[0] = 0;
302		d = hid_start_parse(repd, 1 << hid_input, reportid);
303		if (d == NULL((void *)0))
42
←
Assuming 'd' is not equal to NULL→
43
←
Taking false branch→
304			err(1, "hid_start_parse failed");
305		while (hid_get_item(d, &h)) {
44
←
Loop condition is true.  Entering loop body→
306			if (verbose > 2)
45
←
Assuming 'verbose' is <= 2→
46
←
Taking false branch→
307				printf("kind=%d usage=%x\n", h.kind, h.usage);
308			if (h.flags & HIO_CONST0x001)
47
←
Assuming the condition is false→
48
←
Taking false branch→
309				continue;
310			switch (h.kind) {
49
←
Control jumps to 'case hid_input:'  at line 311→
311			case hid_input:
312				if (h.usage_minimum != 0 ||
50
←
Assuming field 'usage_minimum' is equal to 0→
52
←
Taking false branch→
313				    h.usage_maximum != 0) {
51
←
Assuming field 'usage_maximum' is equal to 0→
314					lo = h.usage_minimum;
315					hi = h.usage_maximum;
316					range = 1;
317				} else {
318					lo = h.usage;
319					hi = h.usage;
320					range = 0;
321				}
322				for (u = lo; u <= hi; u++) {
53
←
Loop condition is true.  Entering loop body→
323					snprintf(usage, sizeof usage,  "%s:%s",
324						 hid_usage_page(HID_PAGE(u)(((u) >> 16) & 0xffff)),
325						 hid_usage_in_page(u));
326					if (verbose53.1
'verbose' is <= 2
 > 2)
54
←
Taking false branch→
327						printf("usage %s\n", usage);
328					if (!strcasecmp(usage, name))
55
←
Assuming the condition is true→
56
←
Taking true branch→
329						goto foundhid;
57
←
Control jumps to line 378→
330					if (coll[0]) {
331						snprintf(usage, sizeof usage,
332						  "%s.%s:%s", coll+1,
333						  hid_usage_page(HID_PAGE(u)(((u) >> 16) & 0xffff)),
334						  hid_usage_in_page(u));
335						if (verbose > 2)
336							printf("usage %s\n",
337							    usage);
338						if (!strcasecmp(usage, name))
339							goto foundhid;
340					}
341				}
342				break;
343			case hid_collection:
344				snprintf(coll + strlen(coll),
345				    sizeof coll - strlen(coll),  ".%s:%s",
346				    hid_usage_page(HID_PAGE(h.usage)(((h.usage) >> 16) & 0xffff)),
347				    hid_usage_in_page(h.usage));
348				break;
349			case hid_endcollection:
350				if (coll[0])
351					*strrchr(coll, '.') = 0;
352				break;
353			default:
354				break;
355			}
356		}
357		hid_end_parse(d);
358		if (ignore) {
359			if (verbose)
360				warnx("ignore item '%s'", name);
361			/* pop and free this ignored item */
362			cmds = cmd->next;
363			free(cmd);
364			continue;
365		}
366		if (isdemon) {
367			syslog(LOG_WARNING4, "config file `%s', line %d, HID "
368			    "item not found: `%s'", conf, line, name);
369			freecommands(cmds);
370			fclose(f);
371			return (NULL((void *)0));
372		} else {
373			errx(1, "config file `%s', line %d, HID item "
374			    "not found: `%s'", conf, line, name);
375		}
376 
377	foundhid:
378		hid_end_parse(d);
379		cmd->item = h;
380		cmd->name = strdup(name);
381		cmd->action = strdup(action);
382		if (range57.1
'range' is 0
) {
58
←
Taking false branch→
383			if (cmd->value == 1)
384				cmd->value = u - lo;
385			else
386				cmd->value = -1;
387		}
388 
389		if (verbose)
59
←
Assuming 'verbose' is not equal to 0→
60
←
Taking true branch→
390			printf("PARSE:%d %s, %d, '%s'\n", cmd->line, name,
61
←
4th function call argument is an uninitialized value
391			    cmd->value, cmd->action);
392	}
393	fclose(f);
394	return (cmds);
395}
396 
397void
398docmd(struct command *cmd, int value, const char *hid, int argc, char **argv)
399{
400	char cmdbuf[SIZE4000], *p, *q;
401	size_t len;
402	int n, r;
403	pid_t pid;
404 
405	if (cmd->action == NULL((void *)0)) {
406		if (verbose)
407			printf("no action for device %s value %d\n",
408			    hid, value);
409		return;
410	}
411	for (p = cmd->action, q = cmdbuf; *p && q < &cmdbuf[SIZE4000-1]; ) {
412		if (*p == '$') {
413			p++;
414			len = &cmdbuf[SIZE4000-1] - q;
415			if (isdigit((unsigned char)*p)) {
416				n = strtol(p, &p, 10) - 1;
417				if (n >= 0 && n < argc) {
418					strncpy(q, argv[n], len);
419					q += strlen(q);
420				}
421			} else if (*p == 'V') {
422				p++;
423				snprintf(q, len, "%d", value);
424				q += strlen(q);
425			} else if (*p == 'N') {
426				p++;
427				strncpy(q, cmd->name, len);
428				q += strlen(q);
429			} else if (*p == 'H') {
430				p++;
431				strncpy(q, hid, len);
432				q += strlen(q);
433			} else if (*p) {
434				*q++ = *p++;
435			}
436		} else {
437			*q++ = *p++;
438		}
439	}
440	*q = 0;
441 
442	pid = fork();
443	if (pid == -1)
444		warn("fork failed");
445	else if (pid == 0) {
446		setpgid(0, 0);
447		if (verbose)
448			printf("executing '%s'\n", cmdbuf);
449		r = execl(_PATH_BSHELL"/bin/sh", "sh", "-c", cmdbuf, (char *)NULL((void *)0));
450		err(1, "execl");
451	}
452}
453 
454void
455freecommands(struct command *cmd)
456{
457	struct command *next;
458 
459	while (cmd) {
460		next = cmd->next;
461		free(cmd);
462		cmd = next;
463	}
464}