/usr/src/libexec/login_lchpass/login_lchpass.c

Bug Summary

File:	src/libexec/login_lchpass/login_lchpass.c
Warning:	line 134, column 15 Access to field 'pw_name' results in a dereference of a null pointer (loaded from variable 'pwd')

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name login_lchpass.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/libexec/login_lchpass/obj -resource-dir /usr/local/lib/clang/13.0.0 -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -Wno-unused -fdebug-compilation-dir=/usr/src/libexec/login_lchpass/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/libexec/login_lchpass/login_lchpass.c

1/*	$OpenBSD: login_lchpass.c,v 1.21 2018/04/26 12:42:51 guenther Exp $	*/
2 
3/*-
4 * Copyright (c) 1995,1996 Berkeley Software Design, Inc. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 * 3. All advertising materials mentioning features or use of this software
15 *    must display the following acknowledgement:
16 *      This product includes software developed by Berkeley Software Design,
17 *      Inc.
18 * 4. The name of Berkeley Software Design, Inc.  may not be used to endorse
19 *    or promote products derived from this software without specific prior
20 *    written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED.  IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 *	BSDI $From: login_lchpass.c,v 1.4 1997/08/08 18:58:23 prb Exp $
35 */
36 
37#include <sys/resource.h>
38#include <sys/uio.h>
39 
40#include <pwd.h>
41#include <stdio.h>
42#include <stdlib.h>
43#include <string.h>
44#include <syslog.h>
45#include <unistd.h>
46#include <login_cap.h>
47#include <readpassphrase.h>
48 
49#define BACK_CHANNEL3	3
50 
51int local_passwd(char *, int);
52 
53int
54main(int argc, char *argv[])
55{
56	struct iovec iov[2];
57	struct passwd *pwd;
58	char *username = NULL((void *)0), *hash = NULL((void *)0);
59	char oldpass[1024];
60	struct rlimit rl;
61	int c;
62 
63	iov[0].iov_base = BI_SILENT"reject silent";
64	iov[0].iov_len = sizeof(BI_SILENT"reject silent") - 1;
65	iov[1].iov_base = "\n";
66	iov[1].iov_len = 1;
67 
68	rl.rlim_cur = 0;
69	rl.rlim_max = 0;
70	(void)setrlimit(RLIMIT_CORE4, &rl);
71 
72	(void)setpriority(PRIO_PROCESS0, 0, 0);
73 
74	openlog("login", LOG_ODELAY0x04, LOG_AUTH(4<<3));
75 
76	while ((c = getopt(argc, argv, "v:s:")) != -1)
1
Assuming the condition is false→
2
←
Loop condition is false. Execution continues on line 91→
77		switch (c) {
78		case 'v':
79			break;
80		case 's':	/* service */
81			if (strcmp(optarg, "login") != 0) {
82				syslog(LOG_ERR3, "%s: invalid service", optarg);
83				exit(1);
84			}
85			break;
86		default:
87			syslog(LOG_ERR3, "usage error");
88			exit(1);
89		}
90 
91	switch (argc - optind) {
3
←
Control jumps to 'case 1:'  at line 94→
92	case 2:
93		/* class is not used */
94	case 1:
95		username = argv[optind];
96		break;
4
←
 Execution continues on line 102→
97	default:
98		syslog(LOG_ERR3, "usage error");
99		exit(1);
100	}
101 
102	pwd = getpwnam_shadow(username);
5
←
Value assigned to 'pwd'→
103	if (pwd) {
6
←
Assuming 'pwd' is null→
7
←
Taking false branch→
104		if (pwd->pw_uid == 0) {
105			syslog(LOG_ERR3, "attempted root password change");
106			pwd = NULL((void *)0);
107		} else if (*pwd->pw_passwd == '\0') {
108			syslog(LOG_ERR3, "%s attempting to add password",
109			    username);
110			pwd = NULL((void *)0);
111		}
112	}
113 
114	if (pwd7.1
'pwd' is null
)
8
←
Taking false branch→
115		hash = pwd->pw_passwd;
116 
117	(void)setpriority(PRIO_PROCESS0, 0, -4);
118 
119	(void)printf("Changing local password for %s.\n", username);
120	if ((readpassphrase("Old Password:", oldpass, sizeof(oldpass),
9
←
Assuming the condition is false→
10
←
Taking false branch→
121		    RPP_ECHO_OFF0x00)) == NULL((void *)0))
122		exit(1);
123 
124	if (crypt_checkpass(oldpass, hash) != 0) {
11
←
Assuming the condition is false→
12
←
Taking false branch→
125		explicit_bzero(oldpass, strlen(oldpass));
126		exit(1);
127	}
128	explicit_bzero(oldpass, strlen(oldpass));
129 
130	/*
131	 * We rely on local_passwd() to block signals during the
132	 * critical section.
133	 */
134	local_passwd(pwd->pw_name, 1);
13
←
Access to field 'pw_name' results in a dereference of a null pointer (loaded from variable 'pwd')
135	(void)writev(BACK_CHANNEL3, iov, 2);
136	exit(0);
137}