CodeSonar : Pvm : Use After Free

Pvm : Pvm analysis 1 : Use After Free at lpvm.c:1039

Categories:	LANG.ALLOC.UAF CWE:416
Warning ID:	2759.2814
Procedure:	check_routeadd
Trace:	View
Modified:	Wed Sep 2 12:45:12 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/u1/paul/SATE/2010/c/pvm/pvm3/src/lpvm.c

			Enter mxfer

1789

mxfer(txup, tmout)

1790

struct pmsg *txup; /* outgoing message or null */

1791

struct timeval *tmout; /* time limit to get at least one message */

1792

{

1793

struct ttpcb *txpcbp = 0; /* route for ogm */

1794

struct frag *txfp = 0; /* cur ogm frag or null */

struct timeval tin;

struct timeval tnow;

struct timeval *tvp;

#ifdef FDSETNOTSTRUCT

1799

fd_set rfds, wfds;

1800

#else

1801

struct fd_set rfds, wfds;

1802

#endif

1803

int wantmore = 1; /* nothing rxd yet and not timed out */

1804

int gotem = 0; /* count of received msgs downloaded */

int ff;

int n;

#ifdef SOCKLENISUINT

#if defined(IMA_AIX4SP2) || defined(IMA_AIX5SP2)

unsigned int oslen;

#else

size_t oslen;

#endif

#else

int oslen;

#endif

char *txcp = 0; /* point to remainder of txfp */

1817

int txtogo = 0; /* len of remainder of txfp */

1818

struct sockaddr_in sad;

1819

int s;

1820

struct ttpcb *pcbp;

1821

char *inPlaceHeader = (char *) NULL; /* for inplace data */

1822

int inPlaceBodyLen = 0; /* len of inplace body */

1823

int bypassRead = FALSE; /* bypass reading packets before send?*/

1824

int waitForOgmToComplete = FALSE;

1825

int probedForIncomingPkts = FALSE; /* need to probe for incoming pkts */

1826

struct msgid *sendmsg = (struct msgid *) NULL;

1827

char errtxt[64];

1828

1829

int nfr = 0, totfr = 0; /* number frags read my mxinput */

1830

int probe = 0; /* called at a probe (nrecv) */

if (tmout)

{

pvmgetclock(&tin );

probe = ( tmout -> tv_sec == 0 && tmout -> tv_usec == 0);

1836

}

1837

1838

if (txup) { /* transmitting a umsg */

1839

txfp = txup->m_frag->fr_link;

1840

if (!txfp->fr_buf) {

1841

if (!(txfp = fr_new (MAXHDR )))

1842

return PvmNoMem;

1843

txfp->fr_dat += MAXHDR;

1844

LISTPUTBEFORE(txup->m_frag, txfp, fr_link, fr_rlink);

1845

}

1846

/* Get connection info for this dest. If none, go to pvmd */

1847

if (!(txpcbp = ttpcb_find (txup->m_dst )) || txpcbp->tt_state != TTOPEN)

1848

txpcbp = topvmd;

1849

txup->m_ref++;

1850

bypassRead = TRUE; /* bypass reading the first time through */

1851

}

1852

1853

if (pvmdebmask & PDMMESSAGE) {

1854

pvmlogprintf("mxfer() mid %d", (txup ? txup->m_mid : 0));

1855

if (txup)

1856

pvmlogprintf(" ctx %d tag %s dst t%x route t%x",

1857

txup->m_ctx,

1858

pvmnametag (txup->m_tag, (int *)0),

1859

txup->m_dst, txpcbp->tt_tid );

1860

if (tmout)

1861

pvmlogprintf(" tmout %d.%06d\n",

1862

tmout->tv_sec, tmout->tv_usec );

1863

else

1864

pvmlogprintf(" tmout inf\n");

1865

}

1866

1867

/* XXX we go an extra time through select because wantmore gets set

1868

XXX inside loop. no big deal. also, could avoid calling gettimeofday

1869

XXX if tmout is 0.0 */

/* Do this loop if

* 1) Sending a frag

* OR 2) Received *part* of an incoming frag from the daemon

1874

* OR 3) Wantmore is true

1875

* OR 4) Need the current OGM to complete its asynch send

1876

* OR 5) We haven't probed at least once for incoming packets

1877

1878

* wantmore is initialized to TRUE -> loop exec'ed at least once

while (txfp || topvmd->tt_rxf || wantmore || waitForOgmToComplete

1883

|| !probedForIncomingPkts

)

{

totfr = 0;

/* Either we are sending something, or have a partial recv'd frag */

1890

if (txfp || topvmd->tt_rxf) /* gotta block */

1891

{

1892

/* must block if sending any message, or receiving from pvmd */

1893

tvp = (struct timeval *) NULL;

}

else

{

if (wantmore)

{

/* Calculate how long to wait inside the "select"

1901

* tval = NULL means wait forever

1902

* tval = (0,0) means probe

1903

* tval = (x,y) means wait at most x sec + y usec

1904

1905

1906

if (tmout) /* finite time to block */

1907

{

1908

pvmgetclock(&tnow );

1909

TVXSUBY(&tnow, &tnow, &tin);

1910

if (TVXLTY(tmout, &tnow)) /* time's up */

{

TVCLEAR(&tnow);

wantmore = 0;

}

else

{

TVXSUBY(&tnow, tmout, &tnow);

}

tvp = &tnow;

}

else

{ /* forever to block */

1923

tvp = (struct timeval *) NULL;

}

}

else

{ /* return asap */

TVCLEAR(&tnow);

tvp = &tnow;

}

}

/* Here we are setting the read and write file descriptors for

1935

* the following select statement.

#if !defined(IMA_MPP)

rfds = pvmrfds;

FD_ZERO(&wfds);

if (txfp)

FD_SET(txpcbp->tt_fd, &wfds);

1944

#endif

1945

1946

if (pvmdebmask & PDMSELECT) {

1947

if (tvp)

1948

pvmlogprintf("mxfer() select timeout %d.%06d\n",

1949

tvp->tv_sec, tvp->tv_usec );

1950

else

1951

pvmlogprintf("mxfer() select timeout inf\n");

1952

#if !defined(IMA_MPP)

1953

print_fdset("mxfer() rfds=", pvmnfds, &rfds );

1954

print_fdset("mxfer() wfds=", pvmnfds, &wfds );

#endif

}

#if !defined(IMA_MPP)

1959

probedForIncomingPkts = TRUE;

1960

if ((n = select(pvmnfds,

1961

#ifdef FDSETISINT

1962

(int *)&rfds, (int *)&wfds, (int *)0,

1963

#else

1964

(fd_set *)&rfds, (fd_set *)&wfds, (fd_set*)0,

#endif

tvp)) == -1

&& errno != EINTR

#ifdef IMA_LINUX

&& errno != EAGAIN

#endif

) {

pvmlogperror("mxfer() select");

1973

return PvmSysErr;

1974

}

1975

if (pvmdebmask & PDMSELECT) {

1976

pvmlogprintf("mxfer() select returns %d\n", n );

}

if (n == -1)

continue;

* if pvmd conn has data ready, read packets

1982

1983

1984

if (FD_ISSET(topvmd->tt_fd, &rfds)

1985

&& !(mxfersingle && gotem))

1986

{

1987

if ((n = mxinput(topvmd, &nfr )) < 0) {

1988

if (n != -1)

1989

pvmlogerror("mxfer() mxinput bad return on pvmd sock\n");

1990

else if (pvmdebmask & (PDMSELECT|PDMMESSAGE|PDMPACKET))

1991

pvmlogerror("mxfer() EOF on pvmd sock\n");

return PvmSysErr;

}

totfr += nfr;

if (gotem += n)

wantmore = 0;

}

* if task conn has data ready, read packets

2002

2003

2004

/* This goes through *all* of the pcbs that have been defined to

2005

* check for messages. This is too much overhead for IMA_MPP

2006

* machines. Instead all local routes must be probed at one time.

2007

2008

2009

for (pcbp = ttlist->tt_link; pcbp != ttlist; pcbp = pcbp->tt_link) {

2010

if (pcbp->tt_state == TTOPEN && FD_ISSET(pcbp->tt_fd, &rfds)) {

2011

if ((n = mxinput(pcbp, &nfr )) < 0)

ttpcb_dead(pcbp );

else {

totfr += nfr;

if (gotem += n)

wantmore = 0;

}

} else /* Try and complete a direct (socket) Connection rqst */

2021

if (pcbp->tt_state == TTGRNWAIT

2022

&& FD_ISSET(pcbp->tt_fd, &rfds)) {

2023

oslen = sizeof(sad);

2024

s = accept(pcbp->tt_fd, (struct sockaddr*)&sad, &oslen);

2025

if (s == -1) {

2026

pvmlogperror("mxfer() accept");

ttpcb_dead(pcbp );

} else {

#ifndef NOSOCKOPT

#ifndef NOUNIXDOM

if (!pcbp->tt_spath) { /* not unix sock */

2033

#endif

2034

n = 1;

2035

if (setsockopt(s, IPPROTO_TCP, TCP_NODELAY,

2036

(char*)&n, sizeof(int)) == -1)

2037

pvmlogperror("mxfer() setsockopt");

2038

#if (!defined(IMA_RS6K)) \

2039

&& (!defined(IMA_AIX46K)) && (!defined(IMA_AIX46K64)) \

2040

&& (!defined(IMA_AIX56K)) && (!defined(IMA_AIX56K64))

2041

n = TTSOCKBUF;

2042

if (setsockopt(s, SOL_SOCKET, SO_SNDBUF,

2043

(char*)&n, sizeof(int)) == -1

2044

|| setsockopt(s, SOL_SOCKET, SO_RCVBUF,

2045

(char*)&n, sizeof(n)) == -1)

2046

pvmlogperror(

2047

"mxfer() setsockopt SO_SNDBUF");

#endif

#ifndef NOUNIXDOM

}

#endif

#endif /*NOSOCKOPT*/

if (pvmdebmask & PDMROUTE) {

2054

pvmlogprintf("mxfer() accept from t%x = %d\n",

2055

pcbp->tt_tid, s );

2056

}

2057

(void)close(pcbp->tt_fd);

2058

2059

(void)dup2(s, pcbp->tt_fd);

2060

(void)close(s);

2061

2062

pvm_fd_delete(pcbp->tt_fd, 1);

2063

2064

/* notify route socket closed */

2065

true

2066

check_routedelete(pcbp );

2067

pcbp->tt_fd = s;

2068

pcbp->tt_state = TTOPEN;

#ifndef WIN32

{

int i;

if ((i = fcntl(pcbp->tt_fd, F_GETFL, 0))

2075

== -1)

2076

pvmlogperror("mxfer() fcntl");

else {

#ifdef O_NDELAY

i |= O_NDELAY;

#else

i |= FNDELAY;

#endif

(void)fcntl(pcbp->tt_fd, F_SETFL, i);

}

}

#endif

pvm_fd_add(s, 1);

/* new route socket created for communication */

2091

*waitlist->wa_link is freed

2092

check_routeadd(pcbp );

					Enter mxfer / check_routeadd

check_routeadd(pcbp)

struct ttpcb *pcbp;

{

struct waitc *wp, *wp2;

1034

struct pmsg *up;

1035

int sbf;

1036

*waitlist->wa_link is freed

1037

wp = waitlist->wa_link;

1038

while (wp != waitlist) {

*wp is freed

1039

wp2 = wp->wa_link; /* Use After Free */

					Exit mxfer / check_routeadd

}

}

}

bypassRead = bypassRead; /* sgi compiler */

#else /* !IMA_MPP */

/* For Native Messaging mxinput is used to probe pvmd AND tasks when

2102

* given a NULL ttpcb pointer

if (!bypassRead)

{

...

#endif /* !IMA_MPP */

2121

2122

* if sending and socket ready to write, send packets

2123

2124

2125

#if !defined(IMA_MPP)

2126

/* XXX Native message direct routes are alway open, if they exist */

2127

2128

if (txfp && txpcbp->tt_state != TTOPEN)

2129

{

2130

/* make sure our route hasn't just been closed */

txpcbp = topvmd;

txcp = 0;

txtogo = 0;

txfp = txup->m_frag->fr_link;

}

else

#endif

{

if (txfp

&& !waitForOgmToComplete

2142

#if !defined(IMA_MPP)

2143

&& FD_ISSET(txpcbp->tt_fd, &wfds)

2144

#endif

2145

){

2146

inPlaceHeader = (char *) NULL; /*sending inplace header ?*/

2147

inPlaceBodyLen = 0; /* length of inplace body, if inplace*/

2148

2149

if (!txtogo) /* We haven't sent anything, yet, Build Header */

2150

{

2151

if (txfp->fr_u.dab) /* packed data */

{

txcp = txfp->fr_dat;

}

else /* inplace data */

2156

{

2157

txcp = inPlaceHeader = inPlaceHdrPool +

2158

hdrPoolStk*(HEADER_SIZE+SHORT_PAYLOAD) + HEADER_SIZE;

2159

2160

if (pvmdebmask & PDMPACKET)

2161

{

2162

sprintf(errtxt,"mxfer() hdrPoolStk is %d\n", hdrPoolStk);

2163

pvmlogerror(errtxt );

2164

}

2165

2166

if (hdrPoolStk++ >= NINPLACE_HDRS)

2167

{

2168

sprintf(errtxt, "mxfer(): > %d inplace frags \n",

2169

NINPLACE_HDRS);

2170

pvmlogerror(errtxt );

return PvmSysErr;

}

}

txtogo = txfp->fr_len;

2177

2178

2179

* if this is first frag, prepend message header

2180

2181

ff = 0;

2182

if (txfp->fr_rlink == txup->m_frag)

{

txcp -= MSGHDRLEN;

txtogo += MSGHDRLEN;

pvmput32(txcp,

(txup->m_enc == 0x20000000 ? pvmmydsig : txup->m_enc));

2188

pvmput32(txcp + 4, txup->m_tag );

2189

pvmput32(txcp + 8, txup->m_ctx );

2190

pvmput32(txcp + 16, txup->m_wid );

2191

#ifdef MCHECKSUM

2192

pvmput32(txcp + 20, umbuf_crc(txup));

2193

#else

2194

pvmput32(txcp + 20, 0);

#endif

ff = FFSOM;

}

if (txfp->fr_link == txup->m_frag)

2199

ff |= FFEOM;

2200

2201

* prepend frag header

2202

2203

txcp -= TDFRAGHDR;

2204

pvmput32(txcp, txup->m_dst );

2205

pvmput32(txcp + 4, pvmmytid );

2206

pvmput32(txcp + 8, txtogo );

2207

pvmput32(txcp + 12, 0); /* to keep putrify happy */

2208

pvmput8(txcp + 12, ff );

2209

txtogo += TDFRAGHDR;

2210

if (!txfp->fr_u.dab) /* inplace data */

2211

{

2212

txtogo -= txfp->fr_len;

2213

inPlaceBodyLen = txfp->fr_len;

}

}

if (pvmdebmask & PDMPACKET)

2218

{

2219

pvmlogprintf("mxfer() dst t%x n=%d\n", txup->m_dst, txtogo );

}

#if defined(IMA_MPP)

/* node_send will do an async send. Feed it a midlist struct.

2225

* when we get to the end of a message we call ogm_done

2226

* to make sure message is really gone, and we can free

* memory

n = pvm_node_send(txcp, txtogo, txpcbp, &sendmsg,

2231

inPlaceHeader, inPlaceBodyLen);

2232

#else

2233

inPlaceBodyLen = inPlaceBodyLen; /* sgi compiler */

2234

2235

#if defined(IMA_RS6K) || defined(IMA_SP2MPI) || defined(IMA_AIX4SP2) \

2236

|| defined(IMA_AIX5SP2)

2237

n = write(txpcbp->tt_fd, txcp, min(txtogo, 4096));

2238

#else

2239

#ifndef WIN32

2240

n = write(txpcbp->tt_fd, txcp, txtogo);

2241

#else

2242

n = win32_write_socket(txpcbp->tt_fd,txcp,txtogo);

#endif

#endif

#endif

if (pvmdebmask & PDMPACKET) {

2248

pvmlogprintf("mxfer() wrote %d\n", n );

}

if (n == -1 &&

#ifndef WIN32

errno != EWOULDBLOCK &&

#endif

errno != EINTR)

{

if (txpcbp == topvmd)

2257

{

2258

pvmlogperror("mxfer() write pvmd sock");

return PvmSysErr;

}

else

{

pvmlogperror("mxfer() write tt sock");

2264

/* reset message and route to pvmd */

ttpcb_dead(txpcbp );

txpcbp = topvmd;

txcp = 0;

txtogo = 0;

txfp = txup->m_frag->fr_link;

}

}

if (n > 0)

{

txcp += n;

if ((txtogo -= n) <= 0)

2277

{

2278

if (txcp == inPlaceHeader && txfp->fr_len )

2279

/* inplace, body length > 0 */

2280

{

2281

txcp = txfp->fr_dat;

2282

txtogo = txfp->fr_len;

2283

bypassRead = TRUE; /* try to send body without

2284

doing another read */

}

else /* packed */

{

txcp = 0;

txfp = txfp->fr_link;

2290

if (!txfp->fr_buf) {

2291

txfp = 0;

2292

waitForOgmToComplete = TRUE;

bypassRead = FALSE;

}

}

}

}

else /* we couldn't send, might be a head-head send so ... */

2299

{

2300

bypassRead = FALSE; /* enable reading if couldn't send */

}

}

}

/* We are waiting for an outgoing message to complete. We

2307

can't send the next message until it does complete */

2308

2309

if (waitForOgmToComplete)

2310

{

2311

if (ogm_complete(&sendmsg ))

2312

{

2313

pmsg_unref(txup ); /* unref the message */

2314

txup = 0;

2315

waitForOgmToComplete = FALSE;

2316

hdrPoolStk = 0; /* recover all the inplace headers */

}

}

/* if not sending, and not waiting for ogm to complete,

2321

flush anything waiting in the reentered-send queue */

2322

2323

if (!txfp && txrp != txwp && !waitForOgmToComplete) {

2324

txup = txlist[txrp];

2325

if (++txrp >= sizeof(txlist)/sizeof(txlist[0]))

2326

txrp = 0;

2327

2328

txfp = txup->m_frag->fr_link;

2329

txfp = txfp->fr_buf ? txfp : 0;

2330

if (!(txpcbp = ttpcb_find (txup->m_dst ))

2331

|| txpcbp->tt_state != TTOPEN)

txpcbp = topvmd;

}

if (pvmdebmask & PDMMESSAGE) {

2336

pvmlogprintf("mxfer() txfp %d gotem %d tt_rxf %d\n",

2337

(txfp ? 1 : 0), gotem, (topvmd->tt_rxf ? 1 : 0));

2338

}

2339

2340

if (probe && !gotem && totfr) /* got frags, keep reading */

2341

wantmore = 1;

Preconditions

$param_1 = 0
((char*)$param_2)[8] = 0
waitlist->wa_link->wa_kind = 16
((char*)$unknown_1262104)[16] = waitlist->wa_link->wa_on
((char*)$unknown_1262104)[80] != 0
*$param_2 = 0
ttlist->tt_link != ttlist
waitlist->wa_link != waitlist
$unknown_1262104 != ttlist
mxfersingle = 0

Postconditions

waitlist->wa_link->wa_mesg' = 0
((char*)$unknown_1262104)[20]' = 3
((char*)$unknown_1262104)[24]' = &$heap_164760 - 4096
*waitlist->wa_link' is freed
*stderr' is allocated by fopen
bytes_before(stderr)' = 0
__arr' = &wfds.__fds_bits[0]
__i' = 16
errno' != 0
$heap_164760' is allocated by open
$heap_164760' is allocated
((char*)&$heap_164760)[-4096]' is open
newline' = 0
pcbp' = $unknown_1262104
pcbp' = $unknown_1262104
probe' = 1
probedForIncomingPkts' = 1
s' = &$heap_164760 - 4096
sendmsg' = 0
tin.tv_sec' = &$unknown_1262079
tmout' = $param_2
tnow.tv_sec' = 0
tnow.tv_usec' = 0
tvp' = &tnow.tv_sec
txfp' = 0
wfds.__fds_bits[15]' = 0
wp' = waitlist->wa_link

Change Warning 2759.2814 : Use After Free

Priority:
State:
Finding:
Owner:
Note: