CodeSonar : Pvm : Null Pointer Dereference

Pvm : Pvm analysis 1 : Null Pointer Dereference at cmds.c:2335

Categories:	LANG.MEM.NPD CWE:476
Warning ID:	2932.3014
Procedure:	spawn_cmd
Trace:	View
Modified:	Wed Sep 2 12:52:57 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/u1/paul/SATE/2010/c/pvm/pvm3/console/cmds.c

			Enter spawn_cmd

spawn_cmd(ac, av)

int ac;

char **av;

{

int *tids = 0;

char *where = 0;

int flags = PvmNoSpawnParent;

int count = 1;

int i;

int oflg = 0;

int tflg = 0;

int app;

char *ofn = 0;

char *tfn = 0;

struct job *jp, *jp2;

2202

void status_msg();

2203

void event_dump_hdr();

2204

void output_dump_hdr();

2205

int fd;

2206

2207

while (av[1][0] == '-') {

2208

if (ac < 3) {

2209

fputs("incorrect arg count\n", stdout);

2210

return 1;

2211

}

2212

if (av[1][1] == '~') {

2213

flags |= PvmHostCompl;

2214

av[1]++;

2215

}

2216

if (av[1][1] == '.' || islower(av[1][1])) { /* Negative Character Value (ID: 2426.2451) */

2217

where = av[1] + 1;

2218

flags |= PvmTaskHost;

}

if (av[1][1] == ':')

where = av[1] + 1;

if (isupper(av[1][1])) { /* Negative Character Value (ID: 2427.2452) */

2223

where = av[1] + 1;

2224

flags |= PvmTaskArch;

2225

}

2226

if (av[1][1] == '?')

2227

flags |= PvmTaskDebug;

2228

if (isdigit(av[1][1])) /* Negative Character Value (ID: 2428.2453) */

2229

count = atoi(av[1] + 1);

2230

if (av[1][1] == '>') {

oflg = 1;

app = 0;

ofn = av[1] + 2;

if (av[1][2] == '>') {

app = 1;

ofn++;

}

if (!*ofn)

ofn = 0;

printf("%s to %s\n", (app ? "Append" : "Write"),

2242

(ofn ? ofn : "(console)"));

2243

2244

}

2245

if (av[1][1] == '@') {

tflg = 1;

tfn = av[1] + 2;

if (!*tfn)

tfn = "";

}

/* gnu-like host (where) arg, allows IP's to be used... */

2252

if (av[1][1] == '-') {

2253

if ( !strncmp( &(av[1][2]), "host=", 5 ) ) {

2254

where = av[1] + 7;

2255

flags |= PvmTaskHost;

}

}

av++;

ac--;

}

if (tflg) {

jp2 = job_new (nextjob );

2263

jp2->j_flag |= JOB_TRACE;

2264

jp2->j_trcid = trc_get_tracer_id();

2265

jp2->j_trcid->status_msg = status_msg;

2266

if (tfn && !strcmp(tfn,""))

2267

jp2->j_trcid->event_dump_hdr = event_dump_hdr;

2268

if (oflg && !ofn) ofn = "";

2269

if (ofn)

2270

jp2->j_trcid->output_dump_hdr = output_dump_hdr;

2271

jp2->j_trcid->event_ctx = pvm_getcontext();

...

2283

trc_save_host_status_events( jp2->j_trcid );

2284

if (ofn) {

2285

trc_set_output_file( jp2->j_trcid, ofn );

2286

if (!trc_open_output_file( jp2->j_trcid )) {

job_free(jp2 );

return 1;

}

}

oflg = 0;

}

else {

pvm_setopt(PvmTraceTid, 0);

2295

2296

if (oflg) {

2297

pvm_setopt(PvmOutputTid, mytid );

2298

pvm_setopt(PvmOutputContext, pvm_getcontext());

2299

pvm_setopt(PvmOutputCode, nextjob );

2300

jp = job_new (nextjob );

2301

printf("[%d]\n", nextjob - joboffset);

nextjob++;

if (ofn) {

if ( app ) {

fd = open( ofn,

O_RDWR|O_APPEND|O_CREAT|O_EXCL|O_TRUNC, 0600 ); /* Leak (ID: 2929.3011) */

2307

}

2308

else {

2309

fd = open( ofn, O_RDWR|O_CREAT|O_EXCL|O_TRUNC, 0600 ); /* Leak (ID: 2930.3012) */

}

if (fd < 0) {

perror(ofn);

job_free(jp );

return 1;

}

jp->j_ff = fdopen( fd, (app ? "a" : "w") );

if (!jp->j_ff) {

perror(ofn);

job_free(jp );

return 1;

}

}

} else

pvm_setopt(PvmOutputTid, 0);

}

tids = TALLOC(count > 1 ? count : 1, int, "int");

2328

if ((i = pvm_spawn(av[1], &av[2], flags, where, count, tids )) >= 0) {

if (oflg & !i)

job_free(jp );

if (tflg & !i)

job_free(jp2 );

printf("%d successful\n", i);

2334

for (i = 0; i < count; i++)

tids <= 4095

2335

if (tids[i] < 0) /* Null Pointer Dereference */

Preconditions

$param_1 >= 3
&$unknown_3318194 != 0
&$unknown_3318195 != 0
&$unknown_3318225 = 0
&$unknown_3318226 = 1
((char*)&((char*)*$param_2)[8])[2] = 62
((char*)&((char*)*$param_2)[8])[3] != 0
((char*)&((char*)*$param_2)[8])[1] = 62
((char*)*$unknown_3318220)[32] = 0
joblist->j_link->j_jid <= nextjob - 1
((char*)$unknown_3318220)[16] <= nextjob - 1
((char*)*$param_2)[16] != 45
((char*)*$param_2)[8] = 45
strlen(((char*)$param_2)[8]) != 0
strlen(((char*)$param_2)[8]) != 2
strlen(((char*)$param_2)[8]) != 3
strlen(((char*)$param_2)[8]) != 1
*$unknown_3318220 = joblist
joblist->j_link != joblist
$input_12 = 1

Postconditions

((char*)**$unknown_3318220)[8]' = ((char*)*$unknown_3318220)[8]
((char*)*$unknown_3318220)[40]' = &$heap_241303
((char*)*$unknown_3318220)[8]' = 0
((char*)**$unknown_3318220)[8]' = **$unknown_3318220
**$unknown_3318220' = 0
**$unknown_3318220' is freed
ac' = $param_1 - 1
app' = 1
av' = $param_2 + 8
count' = &$unknown_3318226
fd' = &$heap_241302 - 4096
flags' = 66
$heap_241302' is allocated by open
$heap_241302' is freed
((char*)&$heap_241302)[-4096]' is closed
$heap_241303' = &$heap_241302 - 4096
bytes_after(&$heap_241303)' = 1028
$heap_241303' is allocated by fopen
$heap_241303' is freed
$heap_241303' is closed
bytes_before(&$heap_241303)' = 0
i' = 0
jp' = *$unknown_3318220
nextjob' = nextjob + 1
oflg' = 1
ofn' = ((char*)$param_2)[8] + 3
tflg' = 0
tfn' = 0
tids' = 0
where' = ((char*)$param_2)[8] + 1

Change Warning 2932.3014 : Null Pointer Dereference

Priority:
State:
Finding:
Owner:
Note: