Bug Summary

File: src/lib/libutil/imsg.c
Warning: line 278, column 7
Use of memory after it is freed

Annotated Source Code


clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name imsg.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libutil/obj -resource-dir /usr/local/lib/clang/13.0.0 -D PIC -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libutil/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/lib/libutil/imsg.c
1/* $OpenBSD: imsg.c,v 1.16 2017/12/14 09:27:44 kettenis Exp $ */
2
3/*
4 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#include <sys/types.h>
20#include <sys/queue.h>
21#include <sys/socket.h>
22#include <sys/uio.h>
23
24#include <errno(*__errno()).h>
25#include <stdlib.h>
26#include <string.h>
27#include <unistd.h>
28
29#include "imsg.h"
30
/*
 * Added to getdtablecount() by imsg_read() before every recvmsg(); when the
 * sum (plus the descriptors one SCM_RIGHTS message can carry) reaches
 * getdtablesize(), imsg_read() fails with EAGAIN instead of receiving.
 * Applications presumably raise it to keep table slots for their own use.
 */
int imsg_fd_overhead = 0;

/* Dequeues the oldest descriptor received by imsg_read(); -1 when none. */
static int imsg_get_fd(struct imsgbuf *);
34
/*
 * imsg_init: prepare an imsgbuf for use on the socket descriptor fd.
 * The read buffer starts empty, the write side is handed to the msgbuf
 * layer, the descriptor is recorded on both sides, the local pid is
 * stored for use as the default sender pid, and the queue of received
 * descriptors is emptied.
 */
void
imsg_init(struct imsgbuf *ibuf, int fd)
{
	memset(&ibuf->r, 0, sizeof(ibuf->r));
	msgbuf_init(&ibuf->w);
	ibuf->w.fd = ibuf->fd = fd;
	ibuf->pid = getpid();
	TAILQ_INIT(&ibuf->fds);
}
45
/*
 * imsg_read: receive whatever the socket has into the unused tail of the
 * read buffer, accepting at most one passed file descriptor.
 *
 * The queue entry that will hold a passed descriptor is allocated before
 * recvmsg() is attempted, so an allocation failure can never strand a
 * descriptor that has already arrived.  Before each attempt the open
 * descriptor count, plus imsg_fd_overhead and the number of descriptors an
 * SCM_RIGHTS message of this size carries, is compared with the table size;
 * if it does not fit the call fails with EAGAIN (presumably so that a passed
 * descriptor is never lost to a recvmsg() that cannot install it — confirm).
 *
 * The control buffer has room for exactly one descriptor, but cmsg_len is
 * chosen by the peer and alignment padding may make it describe more than
 * one; only the first is queued and every further one is closed, so a peer
 * cannot make this process accumulate descriptors.  Control data other than
 * SOL_SOCKET/SCM_RIGHTS is ignored.
 *
 * Returns the byte count from recvmsg() (0 at EOF), or -1 with errno set.
 */
ssize_t
imsg_read(struct imsgbuf *ibuf)
{
	struct msghdr		 msg;
	struct cmsghdr		*cmsg;
	union {
		struct cmsghdr	hdr;
		char		buf[CMSG_SPACE(sizeof(int) * 1)];
	} cmsgbuf;
	struct iovec		 iov;
	struct imsg_fd		*slot;
	ssize_t			 n = -1;
	int			 fd, idx, nfds;

	memset(&msg, 0, sizeof(msg));
	memset(&cmsgbuf, 0, sizeof(cmsgbuf));

	iov.iov_base = ibuf->r.buf + ibuf->r.wpos;
	iov.iov_len = sizeof(ibuf->r.buf) - ibuf->r.wpos;
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = &cmsgbuf.buf;
	msg.msg_controllen = sizeof(cmsgbuf.buf);

	/* Allocate the descriptor slot up front; see the header comment. */
	if ((slot = calloc(1, sizeof(*slot))) == NULL)
		return (-1);

	for (;;) {
		if (getdtablecount() + imsg_fd_overhead +
		    (int)((CMSG_SPACE(sizeof(int)) - CMSG_SPACE(0)) /
		    sizeof(int)) >= getdtablesize()) {
			errno = EAGAIN;
			free(slot);
			return (-1);
		}
		n = recvmsg(ibuf->fd, &msg, 0);
		if (n != -1)
			break;
		if (errno != EINTR)
			goto out;	/* n is -1, errno left from recvmsg */
		/* interrupted: re-check the table and try again */
	}

	ibuf->r.wpos += n;

	for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL;
	    cmsg = CMSG_NXTHDR(&msg, cmsg)) {
		if (cmsg->cmsg_level != SOL_SOCKET ||
		    cmsg->cmsg_type != SCM_RIGHTS)
			continue;	/* we do not handle other ctl data level */

		/*
		 * We only accept one file descriptor.  Due to C padding
		 * rules, our control buffer might contain more than one
		 * fd, and we must close them.
		 */
		nfds = ((char *)cmsg + cmsg->cmsg_len -
		    (char *)CMSG_DATA(cmsg)) / sizeof(int);
		for (idx = 0; idx < nfds; idx++) {
			fd = ((int *)CMSG_DATA(cmsg))[idx];
			if (slot == NULL) {
				close(fd);
				continue;
			}
			slot->fd = fd;
			TAILQ_INSERT_TAIL(&ibuf->fds, slot, entry);
			slot = NULL;	/* ownership moved to the queue */
		}
	}

out:
	free(slot);	/* NULL if it was queued; free(NULL) is a no-op */
	return (n);
}
122
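/*
 * imsg_get: extract the next complete message from the read buffer.
 *
 * The header is copied out first and its length field — which comes from
 * the peer and is therefore untrusted — is checked against the header size
 * and MAX_IMSGSIZE before it is used for any arithmetic or allocation.  The
 * payload is copied into a fresh allocation owned by the caller (NULL when
 * the message carries no payload; release with imsg_free()).  When the
 * header announces a passed descriptor the oldest queued one is dequeued
 * into imsg->fd, otherwise imsg->fd is -1.  Any bytes following the message
 * are shifted to the front of the buffer.
 *
 * Returns the total message length consumed, 0 when no complete message is
 * buffered yet, or -1 with errno set (ERANGE for a bad length, or the
 * malloc() error).
 */
ssize_t
imsg_get(struct imsgbuf *ibuf, struct imsg *imsg)
{
	size_t av, left, datalen;

	av = ibuf->r.wpos;

	if (IMSG_HEADER_SIZE > av)
		return (0);

	memcpy(&imsg->hdr, ibuf->r.buf, sizeof(imsg->hdr));
	if (imsg->hdr.len < IMSG_HEADER_SIZE ||
	    imsg->hdr.len > MAX_IMSGSIZE) {
		errno = ERANGE;
		return (-1);
	}
	if (imsg->hdr.len > av)
		return (0);
	datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
	ibuf->r.rptr = ibuf->r.buf + IMSG_HEADER_SIZE;
	if (datalen == 0)
		imsg->data = NULL;
	else if ((imsg->data = malloc(datalen)) == NULL)
		return (-1);

	if (imsg->hdr.flags & IMSGF_HASFD)
		imsg->fd = imsg_get_fd(ibuf);
	else
		imsg->fd = -1;

	/*
	 * Skip the copy for an empty payload: memcpy() with a NULL
	 * destination is undefined even when the length is zero.
	 */
	if (datalen > 0)
		memcpy(imsg->data, ibuf->r.rptr, datalen);

	if (imsg->hdr.len < av) {
		/* keep whatever follows this message for the next call */
		left = av - imsg->hdr.len;
		memmove(&ibuf->r.buf, ibuf->r.buf + imsg->hdr.len, left);
		ibuf->r.wpos = left;
	} else
		ibuf->r.wpos = 0;

	return (datalen + IMSG_HEADER_SIZE);
}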
164
/*
 * imsg_compose: build a message from one contiguous buffer and queue it
 * for transmission on ibuf, passing fd along with it (-1 for none).
 * Returns 1 on success or -1 on failure (errno from imsg_create() or the
 * buffer layer); on failure no message is queued.
 */
int
imsg_compose(struct imsgbuf *ibuf, uint32_t type, uint32_t peerid, pid_t pid,
    int fd, const void *data, uint16_t datalen)
{
	struct ibuf *wbuf;

	wbuf = imsg_create(ibuf, type, peerid, pid, datalen);
	if (wbuf == NULL)
		return (-1);

	/* imsg_add() releases wbuf itself when it fails. */
	if (imsg_add(wbuf, data, datalen) == -1)
		return (-1);

	wbuf->fd = fd;
	imsg_close(ibuf, wbuf);
	return (1);
}
183
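/*
 * imsg_composev: build a message from an iovec array and queue it for
 * transmission on ibuf, passing fd along with it (-1 for none).
 *
 * The total payload length is accumulated in a size_t and rejected with
 * ERANGE when it exceeds MAX_IMSGSIZE.  Previously the sum was kept in an
 * int and passed to imsg_create()'s uint16_t parameter, so a large iovec
 * was silently reduced to its low 16 bits (and each iov_len likewise when
 * handed to imsg_add()); the early check guarantees every length that
 * reaches the uint16_t interfaces is exact.  Such requests presumably
 * already failed later inside the buffer layer, so callers should only see
 * the failure earlier — verify against ibuf_add()'s limit handling.
 *
 * Returns 1 on success or -1 on failure; on failure no message is queued.
 */
int
imsg_composev(struct imsgbuf *ibuf, uint32_t type, uint32_t peerid, pid_t pid,
    int fd, const struct iovec *iov, int iovcnt)
{
	struct ibuf	*wbuf;
	size_t		 datalen = 0;
	int		 i;

	for (i = 0; i < iovcnt; i++)
		datalen += iov[i].iov_len;

	/* MAX_IMSGSIZE bounds header plus payload, so this can never fit. */
	if (datalen > MAX_IMSGSIZE) {
		errno = ERANGE;
		return (-1);
	}

	wbuf = imsg_create(ibuf, type, peerid, pid, (uint16_t)datalen);
	if (wbuf == NULL)
		return (-1);

	/* imsg_add() releases wbuf itself when it fails. */
	for (i = 0; i < iovcnt; i++)
		if (imsg_add(wbuf, iov[i].iov_base, iov[i].iov_len) == -1)
			return (-1);

	wbuf->fd = fd;
	imsg_close(ibuf, wbuf);
	return (1);
}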
207
208/* ARGSUSED */
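/*
 * imsg_create: allocate a write buffer for a message with a datalen-byte
 * payload and prepend its header.  A pid of 0 is replaced with the local
 * pid recorded by imsg_init().  The header's flags and len fields are
 * finalised later by imsg_close().
 *
 * The total length is computed in a size_t: the previous
 * "datalen += IMSG_HEADER_SIZE" on the uint16_t parameter wrapped for
 * datalen within a header's size of UINT16_MAX, letting an oversized
 * request past the MAX_IMSGSIZE check with a tiny buffer instead of
 * failing here.
 *
 * Returns the buffer, or NULL with errno set (ERANGE when header plus
 * payload exceed MAX_IMSGSIZE, otherwise the buffer layer's error).
 */
struct ibuf *
imsg_create(struct imsgbuf *ibuf, uint32_t type, uint32_t peerid, pid_t pid,
    uint16_t datalen)
{
	struct ibuf	*wbuf;
	struct imsg_hdr	 hdr;
	size_t		 len;

	len = (size_t)datalen + IMSG_HEADER_SIZE;
	if (len > MAX_IMSGSIZE) {
		errno = ERANGE;
		return (NULL);
	}

	hdr.type = type;
	hdr.flags = 0;
	hdr.peerid = peerid;
	if ((hdr.pid = pid) == 0)
		hdr.pid = ibuf->pid;
	if ((wbuf = ibuf_dynamic(len, MAX_IMSGSIZE)) == NULL)
		return (NULL);
	/* imsg_add() releases wbuf itself when it fails. */
	if (imsg_add(wbuf, &hdr, sizeof(hdr)) == -1)
		return (NULL);

	return (wbuf);
}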
235
/*
 * imsg_add: append datalen bytes of data to the message buffer msg.
 * Returns datalen (0 is a no-op), or -1 when the buffer layer refuses the
 * data — in which case msg has been freed and the caller must not use it.
 */
int
imsg_add(struct ibuf *msg, const void *data, uint16_t datalen)
{
	if (datalen == 0)
		return (0);

	if (ibuf_add(msg, data, datalen) == -1) {
		/* consume msg on error so callers have a single failure path */
		ibuf_free(msg);
		return (-1);
	}
	return (datalen);
}
246
/*
 * imsg_close: finalise the header at the start of msg and hand the buffer
 * to the write queue of ibuf.  IMSGF_HASFD tells the receiver that a
 * descriptor accompanies this message; len is the number of bytes written
 * so far, i.e. header plus payload.
 */
void
imsg_close(struct imsgbuf *ibuf, struct ibuf *msg)
{
	struct imsg_hdr *hdr = (struct imsg_hdr *)msg->buf;

	if (msg->fd != -1)
		hdr->flags |= IMSGF_HASFD;
	else
		hdr->flags &= ~IMSGF_HASFD;

	hdr->len = (uint16_t)msg->wpos;

	ibuf_close(&ibuf->w, msg);
}
262
/*
 * imsg_free: release the payload of a message filled in by imsg_get().
 * freezero() clears the bytes before freeing them, so message contents do
 * not linger in freed heap memory; imsg->data is NULL for a message without
 * payload, which freezero() treats like free(NULL).  The header and the
 * descriptor in imsg->fd are left to the caller.
 */
void
imsg_free(struct imsg *imsg)
{
	freezero(imsg->data, imsg->hdr.len - IMSG_HEADER_SIZE);
}
268
/*
 * imsg_get_fd: dequeue the oldest descriptor received by imsg_read().
 * Returns the descriptor, which the caller now owns, or -1 when the queue
 * is empty.  The queue entry is freed here.
 *
 * NOTE(review): the clang static analyzer (core checkers, see the command
 * line at the top of this report) flags "Use of memory after it is freed"
 * at the read of the queued entry's fd below (original line 278, column 7).
 * Its path: imsg_clear() calls this function, TAILQ_REMOVE() runs with
 * tqe_next == NULL, the entry is freed, the loop calls again, and
 * TAILQ_FIRST() is assumed to still yield the freed entry.  For that to
 * happen the head pointer would have to survive the removal, but
 * TAILQ_REMOVE() stores `*(elm)->entry.tqe_prev = (elm)->entry.tqe_next`,
 * and for the head element tqe_prev points at tqh_first (TAILQ_INIT sets
 * tqh_last = &tqh_first and TAILQ_INSERT_TAIL copies tqh_last into
 * tqe_prev), so tqh_first is rewritten before free().  The analyzer does
 * not appear to follow that alias, which makes this look like a false
 * positive; confirm before suppressing the report.
 */
static int
imsg_get_fd(struct imsgbuf *ibuf)
{
	struct imsg_fd	*head;
	int		 fd;

	head = TAILQ_FIRST(&ibuf->fds);
	if (head == NULL)
		return (-1);

	fd = head->fd;		/* analyzer warning site: line 278, col 7 */
	TAILQ_REMOVE(&ibuf->fds, head, entry);
	free(head);

	return (fd);
}
284
/*
 * imsg_flush: write queued messages until the write queue is empty.
 * Returns 0 once nothing is queued, or -1 as soon as msgbuf_write()
 * returns 0 or a negative value.
 */
int
imsg_flush(struct imsgbuf *ibuf)
{
	for (;;) {
		if (!ibuf->w.queued)
			return (0);
		if (msgbuf_write(&ibuf->w) <= 0)
			return (-1);
	}
}
293
/*
 * imsg_clear: drop all pending output and close every descriptor that was
 * received but never handed to a caller.  Each imsg_get_fd() call frees
 * its own queue entry, so the loop only has to close the descriptors.
 *
 * This loop is where the analyzer report's path begins (step 1, "Calling
 * 'imsg_get_fd'"); the use-after-free it reports is in imsg_get_fd().
 */
void
imsg_clear(struct imsgbuf *ibuf)
{
	int fd;

	msgbuf_clear(&ibuf->w);
	for (;;) {
		fd = imsg_get_fd(ibuf);
		if (fd == -1)
			break;
		close(fd);
	}
}