/usr/src/lib/libutil/login_fbtab.c

Bug Summary

File:	src/lib/libutil/login_fbtab.c
Warning:	line 101, column 4 Potential leak of memory pointed to by 'buf'

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name login_fbtab.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libutil/obj -resource-dir /usr/local/llvm16/lib/clang/16 -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libutil/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/lib/libutil/login_fbtab.c

1/*	$OpenBSD: login_fbtab.c,v 1.18 2022/12/27 17:10:08 jmc Exp $	*/
2 
3/************************************************************************
4* Copyright 1995 by Wietse Venema.  All rights reserved.  Some individual
5* files may be covered by other copyrights.
6*
7* This material was originally written and compiled by Wietse Venema at
8* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
9* 1992, 1993, 1994 and 1995.
10*
11* Redistribution and use in source and binary forms, with or without
12* modification, are permitted provided that this entire copyright notice
13* is duplicated in all such copies.
14*
15* This software is provided "as is" and without any expressed or implied
16* warranties, including, without limitation, the implied warranties of
17* merchantibility and fitness for any particular purpose.
18************************************************************************/
19/*
20    SYNOPSIS
21	void login_fbtab(tty, uid, gid)
22	char *tty;
23	uid_t uid;
24	gid_t gid;
25 
26    DESCRIPTION
27	This module implements device security as described in the
28	SunOS 4.1.x fbtab(5) and SunOS 5.x logindevperm(4) manual
29	pages. The program first looks for /etc/fbtab. If that file
30	cannot be opened it attempts to process /etc/logindevperm.
31	We expect entries with the following format:
32 
33	    Comments start with a # and extend to the end of the line.
34 
35	    Blank lines or lines with only a comment are ignored.
36 
37	    All other lines consist of three fields delimited by
38	    whitespace: a login device (/dev/console), an octal
39	    permission number (0600), and a ":"-delimited list of
40	    devices (/dev/kbd:/dev/mouse). All device names are
41	    absolute paths. A path that ends in "*" refers to all
42	    directory entries except "." and "..".
43 
44	    If the tty argument (relative path) matches a login device
45	    name (absolute path), the permissions of the devices in the
46	    ":"-delimited list are set as specified in the second
47	    field, and their ownership is changed to that of the uid
48	    and gid arguments.
49 
50    DIAGNOSTICS
51	Problems are reported via the syslog daemon with severity
52	LOG_ERR.
53 
54    AUTHOR
55	Wietse Venema (wietse@wzv.win.tue.nl)
56	Eindhoven University of Technology
57	The Netherlands
58 */
59 
60#include <sys/types.h>
61#include <sys/stat.h>
62 
63#include <errno(*__errno()).h>
64#include <limits.h>
65#include <glob.h>
66#include <paths.h>
67#include <stdio.h>
68#include <stdlib.h>
69#include <string.h>
70#include <syslog.h>
71#include <unistd.h>
72#include <util.h>
73 
74#define _PATH_FBTAB"/etc/fbtab"	"/etc/fbtab"
75 
76static void login_protect(const char *, mode_t, uid_t, gid_t);
77 
78#define	WSPACE" \t\n"		" \t\n"
79 
80/*
81 * login_fbtab - apply protections specified in /etc/fbtab or logindevperm
82 */
83void
84login_fbtab(const char *tty, uid_t uid, gid_t gid)
85{
86	FILE	*fp;
87	char	*buf, *toklast, *tbuf, *devnam, *cp;
88	mode_t	prot;
89	size_t	len;
90 
91	if ((fp = fopen(_PATH_FBTAB"/etc/fbtab", "r")) == NULL((void *)0))
1
Assuming the condition is false→
2
←
Taking false branch→
92		return;
93 
94	tbuf = NULL((void *)0);
95	while ((buf = fgetln(fp, &len)) != NULL((void *)0)) {
3
←
Assuming the condition is true→
4
←
Loop condition is true.  Entering loop body→
12
←
 Execution continues on line 95→
13
←
Assuming the condition is true→
14
←
Loop condition is true.  Entering loop body→
96		if (buf[len - 1] == '\n')
5
←
Assuming the condition is false→
6
←
Taking false branch→
15
←
Assuming the condition is false→
16
←
Taking false branch→
97			buf[len - 1] = '\0';
98		else {
99			if ((tbuf = malloc(len + 1)) == NULL((void *)0))
7
←
Memory is allocated→
8
←
Assuming the condition is false→
9
←
Taking false branch→
17
←
Assuming the condition is false→
18
←
Taking false branch→
100				break;
101			memcpy(tbuf, buf, len);
19
←
Potential leak of memory pointed to by 'buf'
102			tbuf[len] = '\0';
103			buf = tbuf;
104		}
105		if ((cp = strchr(buf, '#')))
10
←
Assuming 'cp' is null→
106			*cp = '\0';	/* strip comment */
107		if (buf[0] == '\0' ||
11
←
Assuming the condition is true→
108		    (cp = devnam = strtok_r(buf, WSPACE" \t\n", &toklast)) == NULL((void *)0))
109			continue;	/* empty or comment */
110		if (strncmp(devnam, _PATH_DEV"/dev/", sizeof(_PATH_DEV"/dev/") - 1) != 0 ||
111		    (cp = strtok_r(NULL((void *)0), WSPACE" \t\n", &toklast)) == NULL((void *)0) ||
112		    *cp != '0' ||
113		    sscanf(cp, "%o", &prot) == 0 ||
114		    prot == 0 ||
115		    (prot & 0777) != prot ||
116		    (cp = strtok_r(NULL((void *)0), WSPACE" \t\n", &toklast)) == NULL((void *)0)) {
117			syslog(LOG_ERR3, "%s: bad entry: %s", _PATH_FBTAB"/etc/fbtab",
118			    cp ? cp : "(null)");
119			continue;
120		}
121		if (strcmp(devnam + sizeof(_PATH_DEV"/dev/") - 1, tty) == 0) {
122			for (cp = strtok_r(cp, ":", &toklast); cp != NULL((void *)0);
123			    cp = strtok_r(NULL((void *)0), ":", &toklast))
124				login_protect(cp, prot, uid, gid);
125		}
126	}
127	free(tbuf);
128	fclose(fp);
129}
130 
131/*
132 * login_protect - protect one device entry
133 */
134static void
135login_protect(const char *path, mode_t mask, uid_t uid, gid_t gid)
136{
137	glob_t	g;
138	size_t	n;
139	char	*gpath;
140 
141	if (strlen(path) >= PATH_MAX1024) {
142		errno(*__errno()) = ENAMETOOLONG63;
143		syslog(LOG_ERR3, "%s: %s: %m", _PATH_FBTAB"/etc/fbtab", path);
144		return;
145	}
146 
147	if (glob(path, GLOB_NOSORT0x0020, NULL((void *)0), &g) != 0) {
148		if (errno(*__errno()) != ENOENT2)
149			syslog(LOG_ERR3, "%s: glob(%s): %m", _PATH_FBTAB"/etc/fbtab", path);
150		globfree(&g);
151		return;
152	}
153 
154	for (n = 0; n < g.gl_matchc; n++) {
155		gpath = g.gl_pathv[n];
156 
157		if (chmod(gpath, mask) && errno(*__errno()) != ENOENT2)
158			syslog(LOG_ERR3, "%s: chmod(%s): %m", _PATH_FBTAB"/etc/fbtab", gpath);
159		if (chown(gpath, uid, gid) && errno(*__errno()) != ENOENT2)
160			syslog(LOG_ERR3, "%s: chown(%s): %m", _PATH_FBTAB"/etc/fbtab", gpath);
161	}
162 
163	globfree(&g);
164}