/usr/src/sbin/pflogd/privsep.c

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name privsep.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/sbin/pflogd/obj -resource-dir /usr/local/llvm16/lib/clang/16 -I /usr/src/sbin/pflogd/../../lib/libpcap -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/sbin/pflogd/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/sbin/pflogd/privsep.c

File:	src/sbin/pflogd/privsep.c
Warning:	line 198, column 5 Value stored to 'bpfd' is never read

Bug Summary

Annotated Source Code

1	/* $OpenBSD: privsep.c,v 1.35 2021/07/12 15:09:19 beck Exp $ */
2
3	/*
4	* Copyright (c) 2003 Can Erkin Acar
5	* Copyright (c) 2003 Anil Madhavapeddy <anil@recoil.org>
6	*
7	* Permission to use, copy, modify, and distribute this software for any
8	* purpose with or without fee is hereby granted, provided that the above
9	* copyright notice and this permission notice appear in all copies.
10	*
11	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18	*/
19	#include <sys/types.h>
20	#include <sys/time.h>
21	#include <sys/socket.h>
22	#include <sys/ioctl.h>
23
24	#include <net/if.h>
25	#include <net/bpf.h>
26
27	#include <err.h>
28	#include <errno(*__errno()).h>
29	#include <fcntl.h>
30	#include <limits.h>
31	#include <pcap.h>
32	#include <pcap-int.h>
33	#include <pwd.h>
34	#include <signal.h>
35	#include <stdio.h>
36	#include <stdlib.h>
37	#include <string.h>
38	#include <syslog.h>
39	#include <unistd.h>
40	#include <netdb.h>
41	#include <resolv.h>
42	#include "pflogd.h"
43
44	enum cmd_types {
45	PRIV_INIT_PCAP, /* init pcap fdpass bpf */
46	PRIV_SET_SNAPLEN, /* set the snaplength */
47	PRIV_OPEN_LOG, /* open logfile for appending */
48	};
49
50	static int priv_fd = -1;
51	static volatile pid_t child_pid = -1;
52
53	static void sig_pass_to_chld(int);
54	static int may_read(int, void *, size_t);
55	static void must_read(int, void *, size_t);
56	static void must_write(int, void *, size_t);
57	static int set_snaplen(int snap);
58
59	extern char *filename;
60	extern char *interface;
61	extern char errbuf[PCAP_ERRBUF_SIZE256];
62	extern pcap_t *hpcap;
63
64	/* based on syslogd privsep */
65	void
66	priv_init(int Pflag, int argc, char *argv[])
67	{
68	int i, fd = -1, bpfd = -1, nargc, socks[2], cmd;
69	int snaplen, ret, olderrno;
70	struct passwd *pw;
71	char **nargv;
72	unsigned int buflen;
73
74	pw = getpwnam("_pflogd");
75	if (pw == NULL((void *)0))
76	errx(1, "unknown user _pflogd");
77	endpwent();
78
79	if (Pflag) {
80	gid_t gidset[1];
81
82	/* Child - drop privileges and return */
83	if (chroot(pw->pw_dir) != 0)
84	err(1, "unable to chroot");
85	if (chdir("/") != 0)
86	err(1, "unable to chdir");
87
88	gidset[0] = pw->pw_gid;
89	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1)
90	err(1, "setresgid() failed");
91	if (setgroups(1, gidset) == -1)
92	err(1, "setgroups() failed");
93	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
94	err(1, "setresuid() failed");
95	priv_fd = 3;
96	return;
97	}
98
99	/* Create sockets */
100	if (socketpair(AF_LOCAL1, SOCK_STREAM1, PF_UNSPEC0, socks) == -1)
101	err(1, "socketpair() failed");
102
103	child_pid = fork();
104	if (child_pid == -1)
105	err(1, "fork() failed");
106
107	if (!child_pid) {
108	close(socks[0]);
109	if (dup2(socks[1], 3) == -1)
110	err(1, "dup2 unpriv sock failed");
111	close(socks[1]);
112	if ((nargv = reallocarray(NULL((void *)0), argc + 2,
113	sizeof(char ))) == NULL((void )0))
114	err(1, "alloc unpriv argv failed");
115	nargc = 0;
116	nargv[nargc++] = argv[0];
117	nargv[nargc++] = "-P";
118	for (i = 1; i < argc; i++)
119	nargv[nargc++] = argv[i];
120	nargv[nargc] = NULL((void *)0);
121	execvp(nargv[0], nargv);
122	err(1, "exec unpriv '%s' failed", nargv[0]);
123	}
124	close(socks[1]);
125
126	/* Father */
127	/* Pass ALRM/TERM/HUP/INT/QUIT through to child */
128	signal(SIGALRM14, sig_pass_to_chld);
129	signal(SIGTERM15, sig_pass_to_chld);
130	signal(SIGHUP1, sig_pass_to_chld);
131	signal(SIGINT2, sig_pass_to_chld);
132	signal(SIGQUIT3, sig_pass_to_chld);
133
134	setproctitle("[priv]");
135
136	if (unveil(_PATH_RESCONF"/etc/resolv.conf", "r") == -1)
137	err(1, "unveil %s", _PATH_RESCONF"/etc/resolv.conf");
138	if (unveil(_PATH_HOSTS"/etc/hosts", "r") == -1)
139	err(1, "unveil %s", _PATH_HOSTS"/etc/hosts");
140	if (unveil(_PATH_SERVICES"/etc/services", "r") == -1)
141	err(1, "unveil %s", _PATH_SERVICES"/etc/services");
142	if (unveil("/dev/bpf", "r") == -1)
143	err(1, "unveil /dev/bpf");
144	if (unveil(filename, "rwc") == -1)
145	err(1, "unveil %s", filename);
146	if (unveil(NULL((void )0), NULL((void )0)) == -1)
147	err(1, "unveil");
148
149	#if 0
150	/* This needs to do bpf ioctl */
151	BROKEN if (pledge("stdio rpath wpath cpath sendfd proc bpf", NULL((void *)0)) == -1)
152	err(1, "pledge");
153	#endif
154
155	while (1) {
156	if (may_read(socks[0], &cmd, sizeof(int)))
157	break;
158	switch (cmd) {
159	case PRIV_INIT_PCAP:
160	logmsg(LOG_DEBUG7,
161	"[priv]: msg PRIV_INIT_PCAP received");
162	/* initialize pcap */
163	if (hpcap != NULL((void *)0) \|\| init_pcap()) {
164	logmsg(LOG_ERR3, "[priv]: Exiting, init failed");
165	_exit(1);
166	}
167	buflen = hpcap->bufsize; /* BIOCGBLEN for unpriv proc */
168	must_write(socks[0], &buflen, sizeof(unsigned int));
169	fd = pcap_fileno(hpcap);
170	send_fd(socks[0], fd);
171	if (fd < 0) {
172	logmsg(LOG_ERR3, "[priv]: Exiting, init failed");
173	_exit(1);
174	}
175	break;
176
177	case PRIV_SET_SNAPLEN:
178	logmsg(LOG_DEBUG7,
179	"[priv]: msg PRIV_SET_SNAPLENGTH received");
180	must_read(socks[0], &snaplen, sizeof(int));
181
182	ret = set_snaplen(snaplen);
183	if (ret) {
184	logmsg(LOG_NOTICE5,
185	"[priv]: set_snaplen failed for snaplen %d",
186	snaplen);
187	}
188
189	must_write(socks[0], &ret, sizeof(int));
190	break;
191
192	case PRIV_OPEN_LOG:
193	logmsg(LOG_DEBUG7,
194	"[priv]: msg PRIV_OPEN_LOG received");
195	/* create or append logs but do not follow symlinks */
196	if (bpfd != -1) {
197	close(bpfd);
198	bpfd = -1;
	Value stored to 'bpfd' is never read
199	}
200	bpfd = open(filename,
201	O_RDWR0x0002\|O_CREAT0x0200\|O_APPEND0x0008\|O_NONBLOCK0x0004\|O_NOFOLLOW0x0100,
202	0600);
203	olderrno = errno(*__errno());
204	send_fd(socks[0], bpfd);
205	if (bpfd == -1)
206	logmsg(LOG_NOTICE5,
207	"[priv]: failed to open %s: %s",
208	filename, strerror(olderrno));
209	break;
210
211	default:
212	logmsg(LOG_ERR3, "[priv]: unknown command %d", cmd);
213	_exit(1);
214	/* NOTREACHED */
215	}
216	}
217
218	exit(1);
219	}
220
221	/* this is called from parent */
222	static int
223	set_snaplen(int snap)
224	{
225	if (hpcap == NULL((void *)0))
226	return (1);
227
228	hpcap->snapshot = snap;
229	set_pcap_filter();
230
231	return 0;
232	}
233
234	/* receive bpf fd from privileged process using fdpass and init pcap */
235	int
236	priv_init_pcap(int snaplen)
237	{
238	int cmd, fd;
239	unsigned int buflen;
240
241	if (priv_fd < 0)
242	errx(1, "%s: called from privileged portion", __func__);
243
244	cmd = PRIV_INIT_PCAP;
245
246	must_write(priv_fd, &cmd, sizeof(int));
247	must_read(priv_fd, &buflen, sizeof(unsigned int));
248	fd = receive_fd(priv_fd);
249	if (fd < 0)
250	return (-1);
251
252	/* XXX temporary until pcap_open_live_fd API */
253	hpcap = pcap_create(interface, errbuf);
254	if (hpcap == NULL((void *)0))
255	return (-1);
256
257	/* XXX copies from pcap_open_live/pcap_activate */
258	hpcap->fd = fd;
259	pcap_set_snaplen(hpcap, snaplen);
260	pcap_set_promisc(hpcap, 1);
261	pcap_set_timeout(hpcap, PCAP_TO_MS500);
262	hpcap->oldstyle = 1;
263	hpcap->linktype = DLT_PFLOG117;
264	hpcap->bufsize = buflen; /* XXX bpf BIOCGBLEN */
265	hpcap->buffer = malloc(hpcap->bufsize);
266	if (hpcap->buffer == NULL((void *)0))
267	return (-1);
268	hpcap->activated = 1;
269
270	return (0);
271	}
272
273	/*
274	* send the snaplength to privileged process
275	*/
276	int
277	priv_set_snaplen(int snaplen)
278	{
279	int cmd, ret;
280
281	if (priv_fd < 0)
282	errx(1, "%s: called from privileged portion", __func__);
283
284	cmd = PRIV_SET_SNAPLEN;
285
286	must_write(priv_fd, &cmd, sizeof(int));
287	must_write(priv_fd, &snaplen, sizeof(int));
288
289	must_read(priv_fd, &ret, sizeof(int));
290
291	/* also set hpcap->snapshot in child */
292	if (ret == 0)
293	hpcap->snapshot = snaplen;
294
295	return (ret);
296	}
297
298	/* Open log-file */
299	int
300	priv_open_log(void)
301	{
302	int cmd, fd;
303
304	if (priv_fd < 0)
305	errx(1, "%s: called from privileged portion", __func__);
306
307	cmd = PRIV_OPEN_LOG;
308	must_write(priv_fd, &cmd, sizeof(int));
309	fd = receive_fd(priv_fd);
310
311	return (fd);
312	}
313
314	/* If priv parent gets a TERM or HUP, pass it through to child instead */
315	static void
316	sig_pass_to_chld(int sig)
317	{
318	int oerrno = errno(*__errno());
319
320	if (child_pid != -1)
321	kill(child_pid, sig);
322	errno(*__errno()) = oerrno;
323	}
324
325	/* Read all data or return 1 for error. */
326	static int
327	may_read(int fd, void *buf, size_t n)
328	{
329	char *s = buf;
330	ssize_t res, pos = 0;
331
332	while (n > pos) {
333	res = read(fd, s + pos, n - pos);
334	switch (res) {
335	case -1:
336	if (errno(__errno()) == EINTR4 \|\| errno(__errno()) == EAGAIN35)
337	continue;
338	case 0:
339	return (1);
340	default:
341	pos += res;
342	}
343	}
344	return (0);
345	}
346
347	/* Read data with the assertion that it all must come through, or
348	* else abort the process. Based on atomicio() from openssh. */
349	static void
350	must_read(int fd, void *buf, size_t n)
351	{
352	char *s = buf;
353	ssize_t res, pos = 0;
354
355	while (n > pos) {
356	res = read(fd, s + pos, n - pos);
357	switch (res) {
358	case -1:
359	if (errno(__errno()) == EINTR4 \|\| errno(__errno()) == EAGAIN35)
360	continue;
361	case 0:
362	_exit(0);
363	default:
364	pos += res;
365	}
366	}
367	}
368
369	/* Write data with the assertion that it all has to be written, or
370	* else abort the process. Based on atomicio() from openssh. */
371	static void
372	must_write(int fd, void *buf, size_t n)
373	{
374	char *s = buf;
375	ssize_t res, pos = 0;
376
377	while (n > pos) {
378	res = write(fd, s + pos, n - pos);
379	switch (res) {
380	case -1:
381	if (errno(__errno()) == EINTR4 \|\| errno(__errno()) == EAGAIN35)
382	continue;
383	case 0:
384	_exit(0);
385	default:
386	pos += res;
387	}
388	}
389	}