clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name mtrmt.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/bin/mt/obj -resource-dir /usr/local/llvm16/lib/clang/16 -D RMT -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/bin/mt/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/bin/mt/mtrmt.c
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 | |
11 | |
12 | |
13 | |
14 | |
15 | |
16 | |
17 | |
18 | |
19 | |
20 | |
21 | |
22 | |
23 | |
24 | |
25 | |
26 | |
27 | |
28 | |
29 | |
30 | |
31 | |
32 | |
33 | #include <sys/types.h> |
34 | #include <sys/mtio.h> |
35 | #include <sys/ioctl.h> |
36 | #include <sys/socket.h> |
37 | #include <sys/time.h> |
38 | #include <ufs/ufs/dinode.h> |
39 | |
40 | #include <netinet/in.h> |
41 | #include <netinet/tcp.h> |
42 | |
43 | #include <protocols/dumprestore.h> |
44 | |
45 | #include <ctype.h> |
46 | #include <err.h> |
47 | #include <netdb.h> |
48 | #include <pwd.h> |
49 | #include <signal.h> |
50 | #include <stdio.h> |
51 | #include <stdlib.h> |
52 | #include <string.h> |
53 | #include <unistd.h> |
54 | #include <limits.h> |
55 | |
56 | #include "pathnames.h" |
57 | #include "mt.h" |
58 | |
59 | #define TS_CLOSED 0 |
60 | #define TS_OPEN 1 |
61 | |
62 | static int rmtstate = TS_CLOSED; |
63 | static int rmtape; |
64 | static char *rmtpeer; |
65 | |
66 | static int okname(char *); |
67 | static int rmtcall(char *, char *); |
68 | static void rmtconnaborted(void); |
69 | static void sigrmtconnaborted(int); |
70 | static int rmtgetb(void); |
71 | static void rmtgetconn(void); |
72 | static void rmtgets(char *, int); |
73 | static int rmtreply(char *); |
74 | |
75 | int |
76 | rmthost(char *host) |
77 | { |
78 | if ((rmtpeer = strdup(host)) == NULL) |
| 1 | Assuming the condition is false | |
|
| |
79 | err(1, "strdup"); |
80 | signal(SIGPIPE, sigrmtconnaborted); |
81 | rmtgetconn(); |
| |
82 | if (rmtape < 0) |
83 | return (0); |
84 | return (1); |
85 | } |
86 | |
87 | static void |
88 | sigrmtconnaborted(int signo) |
89 | { |
90 | |
91 | warnx("Lost connection to remote host."); |
92 | _exit(1); |
93 | } |
94 | |
95 | static void |
96 | rmtconnaborted(void) |
97 | { |
98 | |
99 | errx(1, "Lost connection to remote host."); |
100 | } |
101 | |
102 | void |
103 | rmtgetconn(void) |
104 | { |
105 | char *cp; |
106 | static struct passwd *pwd = NULL; |
| 4 | | 'pwd' initialized to a null pointer value | |
|
107 | #ifdef notdef |
108 | static int on = 1; |
109 | #endif |
110 | char *tuser; |
111 | int size; |
112 | int maxseg; |
113 | |
114 | if ((cp = strchr(rmtpeer, '@')) != NULL) { |
| 5 | | Assuming the condition is false | |
|
| |
115 | tuser = rmtpeer; |
116 | *cp = '\0'; |
117 | if (!okname(tuser)) |
118 | exit(1); |
119 | rmtpeer = ++cp; |
120 | } else |
121 | tuser = pwd->pw_name; |
| 7 | | Access to field 'pw_name' results in a dereference of a null pointer (loaded from variable 'pwd') |
|
122 | |
123 | rmtape = rcmdsh(&rmtpeer, -1, pwd->pw_name, tuser, |
124 | _PATH_RMT, NULL); |
125 | if (rmtape == -1) |
126 | exit(1); |
127 | |
128 | size = TP_BSIZE; |
129 | if (size > 60 * 1024) |
130 | size = 60 * 1024; |
131 | |
132 | size += 2 * 1024; |
133 | |
134 | while (size > TP_BSIZE && |
135 | setsockopt(rmtape, SOL_SOCKET, SO_SNDBUF, &size, sizeof (size)) == -1) |
136 | size -= TP_BSIZE; |
137 | (void)setsockopt(rmtape, SOL_SOCKET, SO_RCVBUF, &size, sizeof (size)); |
138 | |
139 | maxseg = 1024; |
140 | (void)setsockopt(rmtape, IPPROTO_TCP, TCP_MAXSEG, &maxseg, |
141 | sizeof (maxseg)); |
142 | |
143 | #ifdef notdef |
144 | if (setsockopt(rmtape, IPPROTO_TCP, TCP_NODELAY, &on, sizeof (on)) == -1) |
145 | perror("TCP_NODELAY setsockopt"); |
146 | #endif |
147 | if (pledge("stdio", NULL) == -1) |
148 | err(1, "pledge"); |
149 | } |
150 | |
151 | static int |
152 | okname(char *cp0) |
153 | { |
154 | unsigned char *cp; |
155 | int c; |
156 | |
157 | for (cp = cp0; *cp; cp++) { |
158 | c = (unsigned char)*cp; |
159 | if (!isascii(c) || !(isalnum(c) || c == '_' || c == '-')) { |
160 | warnx("invalid user name: %s", cp0); |
161 | return (0); |
162 | } |
163 | } |
164 | return (1); |
165 | } |
166 | |
167 | int |
168 | rmtopen(char *tape, int mode) |
169 | { |
170 | char buf[1 + PATH_MAX+1 + 10+1 +1]; |
171 | int r; |
172 | |
173 | r = snprintf(buf, sizeof (buf), "O%s\n%d\n", tape, mode); |
174 | if (r < 0 || r >= sizeof buf) |
175 | errx(1, "tape name too long"); |
176 | rmtstate = TS_OPEN; |
177 | return (rmtcall(tape, buf)); |
178 | } |
179 | |
180 | void |
181 | rmtclose(void) |
182 | { |
183 | |
184 | if (rmtstate != TS_OPEN) |
185 | return; |
186 | rmtcall("close", "C\n"); |
187 | rmtstate = TS_CLOSED; |
188 | } |
189 | |
190 | struct mtget mts; |
191 | |
192 | struct mtget * |
193 | rmtstatus(void) |
194 | { |
195 | int i; |
196 | char *cp; |
197 | |
198 | if (rmtstate != TS_OPEN) |
199 | return (NULL); |
200 | rmtcall("status", "S\n"); |
201 | for (i = 0, cp = (char *)&mts; i < sizeof(mts); i++) |
202 | *cp++ = rmtgetb(); |
203 | return (&mts); |
204 | } |
205 | |
206 | int |
207 | rmtioctl(int cmd, int count) |
208 | { |
209 | char buf[1 + 10+1 + 10+1 +1]; |
210 | int r; |
211 | |
212 | if (count < 0) |
213 | return (-1); |
214 | r = snprintf(buf, sizeof (buf), "I%d\n%d\n", cmd, count); |
215 | if (r < 0 || r >= sizeof buf) |
216 | errx(1, "string error during ioctl"); |
217 | return (rmtcall("ioctl", buf)); |
218 | } |
219 | |
220 | static int |
221 | rmtcall(char *cmd, char *buf) |
222 | { |
223 | |
224 | if (write(rmtape, buf, strlen(buf)) != strlen(buf)) |
225 | rmtconnaborted(); |
226 | return (rmtreply(cmd)); |
227 | } |
228 | |
229 | static int |
230 | rmtreply(char *cmd) |
231 | { |
232 | char *cp; |
233 | char code[30], emsg[BUFSIZ]; |
234 | |
235 | rmtgets(code, sizeof (code)); |
236 | if (*code == 'E' || *code == 'F') { |
237 | rmtgets(emsg, sizeof (emsg)); |
238 | warnx("%s: %s", cmd, emsg); |
239 | if (*code == 'F') { |
240 | rmtstate = TS_CLOSED; |
241 | return (-1); |
242 | } |
243 | return (-1); |
244 | } |
245 | if (*code != 'A') { |
246 | |
247 | cp = code + strlen(code); |
248 | if (cp > code && *--cp == '\n') |
249 | *cp = '\0'; |
250 | |
251 | warnx("Protocol to remote tape server botched (code \"%s\").", |
252 | code); |
253 | rmtconnaborted(); |
254 | } |
255 | return (atoi(code + 1)); |
256 | } |
257 | |
258 | int |
259 | rmtgetb(void) |
260 | { |
261 | char c; |
262 | |
263 | if (read(rmtape, &c, 1) != 1) |
264 | rmtconnaborted(); |
265 | return (c); |
266 | } |
267 | |
268 | |
269 | void |
270 | rmtgets(char *line, int len) |
271 | { |
272 | char *cp = line; |
273 | |
274 | while (len > 1) { |
275 | *cp = rmtgetb(); |
276 | if (*cp == '\n') { |
277 | cp[1] = '\0'; |
278 | return; |
279 | } |
280 | cp++; |
281 | len--; |
282 | } |
283 | *cp = '\0'; |
284 | warnx("Protocol to remote tape server botched."); |
285 | warnx("(rmtgets got \"%s\").", line); |
286 | rmtconnaborted(); |
287 | } |