clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name allowedhost.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.sbin/lpr/lpd/obj -resource-dir /usr/local/llvm16/lib/clang/16 -I /usr/src/usr.sbin/lpr/lpd/../common_source -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.sbin/lpr/lpd/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/usr.sbin/lpr/lpd/allowedhost.c
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 | |
11 | |
12 | |
13 | |
14 | |
15 | |
16 | |
17 | |
18 | |
19 | |
20 | |
21 | |
22 | |
23 | |
24 | |
25 | |
26 | |
27 | |
28 | |
29 | |
30 | |
31 | #include <sys/socket.h> |
32 | #include <sys/types.h> |
33 | |
34 | #include <netinet/in.h> |
35 | #include <arpa/inet.h> |
36 | |
37 | #include <ctype.h> |
38 | #include <limits.h> |
39 | #include <netdb.h> |
40 | #include <netgroup.h> |
41 | #include <signal.h> |
42 | #include <stdio.h> |
43 | #include <stdlib.h> |
44 | #include <string.h> |
45 | #include <syslog.h> |
46 | #include <unistd.h> |
47 | |
48 | static int checkhost(struct sockaddr *, socklen_t, const char *); |
49 | static char *gethostloop(struct sockaddr *, socklen_t); |
50 | |
51 | |
52 | |
53 | |
54 | |
55 | int |
56 | allowedhost(FILE *hostf, struct sockaddr *raddr, socklen_t salen) |
57 | { |
58 | char *cp, *ep, *line = NULL; |
59 | char *ahost, *rhost = (char *)-1; |
60 | char domain[HOST_NAME_MAX+1]; |
61 | size_t linesize = 0; |
62 | ssize_t linelen; |
63 | int hostok = 0; |
64 | |
65 | getdomainname(domain, sizeof(domain)); |
66 | |
67 | while ((linelen = getline(&line, &linesize, hostf)) != -1) { |
| 1 | Assuming the condition is true | |
|
| 2 | | Loop condition is true. Entering loop body | |
|
68 | cp = line; |
69 | ep = line + linelen; |
70 | if (*cp == '#') |
| 3 | | Assuming the condition is false | |
|
71 | continue; |
72 | while (cp < ep && !isspace((unsigned char)*cp)) { |
| |
| 5 | | Assuming the character is not a whitespace character | |
|
| 6 | | Loop condition is true. Entering loop body | |
|
| 11 | | Assuming 'cp' is < 'ep' | |
|
| 12 | | Assuming the character is not a whitespace character | |
|
| 13 | | Loop condition is true. Entering loop body | |
|
| 18 | | Assuming 'cp' is >= 'ep' | |
|
73 | if (!isprint((unsigned char)*cp)) |
| 7 | | Assuming the character is printable | |
|
| 14 | | Assuming the character is printable | |
|
74 | goto bail; |
75 | *cp = isupper((unsigned char)*cp) ? |
| |
| 9 | | Assuming the character is not an uppercase letter | |
|
| |
| |
| 16 | | Assuming the character is an uppercase letter | |
|
| |
76 | tolower((unsigned char)*cp) : *cp; |
77 | cp++; |
78 | } |
79 | if (cp == line) |
| |
80 | continue; |
81 | *cp = '\0'; |
82 | |
83 | ahost = line; |
84 | if (strlen(ahost) > HOST_NAME_MAX) |
| 20 | | Assuming the condition is false | |
|
| |
85 | continue; |
86 | |
87 | |
88 | |
89 | |
90 | |
91 | |
92 | switch (ahost[0]) { |
| 22 | | Control jumps to 'case 45:' at line 94 | |
|
93 | case '+': |
94 | case '-': |
95 | switch (ahost[1]) { |
| 23 | | Control jumps to 'case 64:' at line 99 | |
|
96 | case '\0': |
97 | hostok = 1; |
98 | break; |
99 | case '@': |
100 | if (rhost == (char *)-1) |
| |
101 | rhost = gethostloop(raddr, salen); |
| |
102 | hostok = 0; |
103 | if (rhost) |
104 | hostok = innetgr(&ahost[2], rhost, |
105 | NULL, domain); |
106 | break; |
107 | default: |
108 | hostok = checkhost(raddr, salen, &ahost[1]); |
109 | break; |
110 | } |
111 | if (ahost[0] == '-') |
112 | hostok = -hostok; |
113 | break; |
114 | default: |
115 | hostok = checkhost(raddr, salen, ahost); |
116 | break; |
117 | } |
118 | |
119 | |
120 | if (hostok != 0) |
121 | break; |
122 | } |
123 | bail: |
124 | free(line); |
125 | return (hostok > 0 ? 0 : -1); |
126 | } |
127 | |
128 | |
129 | |
130 | |
131 | |
132 | static int |
133 | checkhost(struct sockaddr *raddr, socklen_t salen, const char *lhost) |
134 | { |
135 | struct addrinfo hints, *res, *r; |
136 | char h1[NI_MAXHOST], h2[NI_MAXHOST]; |
137 | int error; |
138 | const int niflags = NI_NUMERICHOST; |
139 | |
140 | h1[0] = '\0'; |
141 | if (getnameinfo(raddr, salen, h1, sizeof(h1), NULL, 0, niflags) != 0) |
142 | return (0); |
143 | |
144 | |
145 | memset(&hints, 0, sizeof(hints)); |
146 | hints.ai_family = raddr->sa_family; |
147 | hints.ai_socktype = SOCK_DGRAM; |
148 | res = NULL; |
149 | error = getaddrinfo(lhost, "0", &hints, &res); |
150 | if (error) |
151 | return (0); |
152 | |
153 | |
154 | |
155 | |
156 | for (r = res; r; r = r->ai_next) { |
157 | h2[0] = '\0'; |
158 | if (getnameinfo(r->ai_addr, r->ai_addrlen, h2, sizeof(h2), |
159 | NULL, 0, niflags) != 0) |
160 | continue; |
161 | if (strcasecmp(h1, h2) == 0) { |
162 | freeaddrinfo(res); |
163 | return (1); |
164 | } |
165 | } |
166 | |
167 | |
168 | freeaddrinfo(res); |
169 | return (0); |
170 | } |
171 | |
172 | |
173 | |
174 | |
175 | |
176 | |
177 | static char * |
178 | gethostloop(struct sockaddr *raddr, socklen_t salen) |
179 | { |
180 | static char remotehost[NI_MAXHOST]; |
181 | char h1[NI_MAXHOST], h2[NI_MAXHOST]; |
182 | struct addrinfo hints, *res, *r; |
183 | int error; |
184 | const int niflags = NI_NUMERICHOST; |
185 | |
186 | h1[0] = remotehost[0] = '\0'; |
187 | if (getnameinfo(raddr, salen, remotehost, sizeof(remotehost), |
| 26 | | Assuming the condition is false | |
|
| |
188 | NULL, 0, NI_NAMEREQD) != 0) |
189 | return (NULL); |
190 | if (getnameinfo(raddr, salen, h1, sizeof(h1), NULL, 0, niflags) != 0) |
| 28 | | Assuming the condition is false | |
|
| |
191 | return (NULL); |
192 | |
193 | |
194 | |
195 | |
196 | |
197 | memset(&hints, 0, sizeof(hints)); |
198 | hints.ai_family = raddr->sa_family; |
199 | hints.ai_socktype = SOCK_DGRAM; |
200 | hints.ai_flags = AI_CANONNAME; |
201 | res = NULL; |
202 | error = getaddrinfo(remotehost, "0", &hints, &res); |
| 30 | | Value assigned to 'res' | |
|
203 | if (error) |
| |
| |
204 | return (NULL); |
205 | |
206 | for (r = res; r; r = r->ai_next) { |
| 33 | | Assuming pointer value is null | |
|
| 34 | | Loop condition is false. Execution continues on line 221 | |
|
207 | h2[0] = '\0'; |
208 | if (getnameinfo(r->ai_addr, r->ai_addrlen, h2, sizeof(h2), |
209 | NULL, 0, niflags) != 0) |
210 | continue; |
211 | if (strcasecmp(h1, h2) == 0) { |
212 | freeaddrinfo(res); |
213 | return (remotehost); |
214 | } |
215 | } |
216 | |
217 | |
218 | |
219 | |
220 | |
221 | syslog(LOG_NOTICE, "lpd: address %s not listed for host %s", |
222 | h1, res->ai_canonname ? res->ai_canonname : remotehost); |
| 35 | | Access to field 'ai_canonname' results in a dereference of a null pointer (loaded from variable 'res') |
|
223 | freeaddrinfo(res); |
224 | return (NULL); |
225 | } |
226 | |
227 | #ifdef DEBUG |
228 | int |
229 | main(int argc, char *argv[]) |
230 | { |
231 | struct addrinfo hints; |
232 | int i; |
233 | |
234 | memset(&hints, 0, sizeof(hints)); |
235 | hints.ai_family = PF_UNSPEC; |
236 | hints.ai_socktype = SOCK_STREAM; |
237 | |
238 | for (i = 1; i < argc; i++) { |
239 | struct addrinfo *res0; |
240 | int error = getaddrinfo(argv[i], NULL, &hints, &res0); |
241 | if (error) { |
242 | printf("%s: %s\n", argv[i], gai_strerror(error)); |
243 | continue; |
244 | } |
245 | error = allowedhost(stdin, res0->ai_addr, res0->ai_addrlen); |
246 | printf("%s: %s\n", argv[i], error ? "denied" : "allowed"); |
247 | } |
248 | exit(0); |
249 | } |
250 | #endif /* DEBUG */ |