CodeSonar : pvm3.4.6 : Use After Free

pvm3.4.6 : pvm3.4.6 analysis 2 : Use After Free at pvmd.c:1680

Categories:	ALLOC.UAF CWE:416
Warning ID:	22029.28668
Procedure:	clear_opq_of
Trace:	view
Modified:	Thu Nov 26 11:27:19 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/pvm3/src/pvmd.c

			Enter netoutput

{

struct timeval tnow, tx;

2228

struct pkt *pp, *pp2;

struct hostd *hp;

char *cp;

int len;

int cc;

char dummy[DDFRAGHDR];

len = 0;

for (pp = opq->pk_tlink; pp != opq; pp = pp->pk_tlink)

2238

len++;

2239

pvmlogprintf("netoutput() %d in opq\n", len);

2240

2241

if (opq->pk_tlink == opq)

return 0;

* send any pkts whose time has come

pvmgetclock(&tnow );

while ((pp = opq->pk_tlink) != opq && TVXLTY(&pp->pk_rtv, &tnow)) { /* Use After Free (ID: 22034.28692) */

2251

2252

2253

* fail if we've tried too hard

2254

2255

hp = pp->pk_hostd;

2256

if (pp->pk_nrt >= DDMINRETRIES

2257

&& pp->pk_rto.tv_sec >= DDMINTIMEOUT) { /* host is toast */

2258

pvmlogprintf(

2259

"netoutput() timed out sending to %s after %d, %d.%06d\n",

2260

hp->hd_name, pp->pk_nrt,

2261

pp->pk_rto.tv_sec, pp->pk_rto.tv_usec );

2262

hd_dump(hp );

2263

hostfailentry(hp );

2264

clear_opq_of((int)(TIDPVMD | hp->hd_hostpart));

2265

ht_delete(hosts, hp );

2266

if (newhosts)

2267

ht_delete(newhosts, hp );

continue;

}

cp = pp->pk_dat;

len = pp->pk_len;

if (pp->pk_flag & FFSOM) {

2274

cp -= MSGHDRLEN;

2275

len += MSGHDRLEN;

2276

if (cp < pp->pk_buf) {

2277

pvmlogerror("netoutput() no headroom for message header\n");

2278

return 0;

2279

}

2280

pvmput32(cp, pp->pk_enc );

2281

pvmput32(cp + 4, pp->pk_tag );

2282

pvmput32(cp + 8, pp->pk_ctx );

2283

pvmput32(cp + 16, pp->pk_wid );

2284

pvmput32(cp + 20, pp->pk_crc );

}

cp -= DDFRAGHDR;

len += DDFRAGHDR;

* save under packet header, because databuf may be shared.

2291

* we don't worry about message header, because it's only at the head.

2292

2293

BCOPY(cp, dummy, sizeof(dummy));

2294

if (cp < pp->pk_buf) {

2295

pvmlogerror("netoutput() no headroom for packet header\n");

return 0;

}

if (pvmdebmask & PDMPACKET) {

2300

pvmlogprintf(

2301

"netoutput() pkt to %s src t%x dst t%x f %s len %d seq %d ack %d retry %d\n",

2302

hp->hd_name, pp->pk_src, pp->pk_dst, pkt_flags (pp->pk_flag ),

2303

pp->pk_len, pp->pk_seq, pp->pk_ack, pp->pk_nrt );

2304

}

2305

pvmput32(cp, pp->pk_dst );

2306

pvmput32(cp + 4, pp->pk_src );

2307

pvmput16(cp + 8, pp->pk_seq );

2308

pvmput16(cp + 10, pp->pk_ack );

2309

pvmput32(cp + 12, 0); /* to keep purify happy */

2310

pvmput8(cp + 12, pp->pk_flag );

2311

#if 0

2312

/* drop (don't send) random packets */

2313

if (!(random() & 3)) {

2314

pvmlogerror("netoutput() darn, dropped one\n");

cc = -1;

} else

#endif

if ((cc = sendto(netsock, cp, len, 0,

2319

(struct sockaddr*)&hp->hd_sad, sizeof(hp->hd_sad))) == -1

&& errno != EINTR

#ifndef WIN32

&& errno != ENOBUFS

#endif

#ifdef IMA_LINUX

/* some Linux systems report this intermittent error */

2326

/* && errno != ECONNREFUSED */

2327

#endif

2328

/* hope this works for all archs, not just linux */

2329

&& errno != ENOMEM

2330

) {

2331

pvmlogperror("netoutput() sendto");

2332

#if defined(IMA_SUN4SOL2) || defined(IMA_X86SOL2) || defined(IMA_SUNMP) || defined(IMA_UXPM) || defined(IMA_UXPV)

2333

/* life, don't talk to me about life... */

2334

if (errno == ECHILD)

2335

pvmlogerror("this message brought to you by solaris\n");

else

#endif

pvmbailout(0);

}

#ifdef STATISTICS

if (cc == -1)

stats.sdneg++;

else

stats.sdok++;

#endif

BCOPY(dummy, cp, sizeof(dummy)); /* restore under header */

2348

2349

2350

* set timer for next retry

2351

2352

if (cc != -1) {

2353

if ((pp->pk_flag & (FFFIN|FFACK)) == (FFFIN|FFACK)) {

2354

pk_free(pp );

2355

if (hp != hosts->ht_hosts[0]) {

2356

hostfailentry(hp );

*opq->pk_tlink is freed

2357

clear_opq_of((int)(TIDPVMD | hp->hd_hostpart));

					Enter netoutput / clear_opq_of

clear_opq_of(tid)

int tid; /* host */

{

struct pkt *pp, *pp2;

1678

*opq->pk_tlink is freed

1679

for (pp = opq->pk_tlink; pp != opq; pp = pp->pk_tlink) {

*pp is freed

1680

if (pp->pk_dst == tid && !pp->pk_link) { /* Use After Free */

					Exit netoutput / clear_opq_of

2358

ht_delete(hosts, hp );

2359

if (newhosts)

2360

ht_delete(newhosts, hp );

}

continue;

}

if (!((pp->pk_flag & FFDAT)

2365

|| (pp->pk_flag & (FFFIN|FFACK)) == FFFIN)) {

pk_free(pp );

continue;

}

if (!TVISSET(&pp->pk_at))

2370

pp->pk_at = tnow;

2371

TVXADDY(&pp->pk_rtv, &tnow, &pp->pk_rta);

2372

TVXADDY(&pp->pk_rto, &pp->pk_rto, &pp->pk_rta);

#ifdef STATISTICS

if (pp->pk_nrt)

stats.netret++;

#endif

++pp->pk_nrt;

if (pp->pk_rta.tv_sec < DDMAXRTT) {

2379

TVXADDY(&pp->pk_rta, &pp->pk_rta, &pp->pk_rta);

}

} else {

tx.tv_sec = DDERRRETRY/1000000;

2384

tx.tv_usec = DDERRRETRY%1000000;

2385

TVXADDY(&pp->pk_rtv, &tnow, &tx);

2386

TVXADDY(&pp->pk_rto, &pp->pk_rto, &tx);

2387

}

2388

2389

/* reinsert packet into opq */

2390

2391

LISTDELETE(pp, pk_tlink, pk_trlink); /* Null Pointer Dereference (ID: 22035.28693) */

2392

for (pp2 = opq->pk_trlink; pp2 != opq; pp2 = pp2->pk_trlink)

2393

if (TVXLTY(&pp2->pk_rtv, &pp->pk_rtv))

2394

break;

2395

LISTPUTAFTER(pp2, pp, pk_tlink, pk_trlink);

Preconditions

opq->pk_tlink->pk_buf <= opq->pk_tlink->pk_dat - 32
opq->pk_tlink->pk_buf <= opq->pk_tlink->pk_dat - 48
opq->pk_tlink->pk_len >= -48
opq->pk_tlink->pk_hostd != *hosts->ht_hosts
opq->pk_tlink != opq
waitlist->wa_link != waitlist
$input_12 <= opq->pk_tlink->pk_len + 48
$input_12 >= 0

Postconditions

opq->pk_tlink->pk_dat[-13]' = opq->pk_tlink->pk_wid
opq->pk_tlink->pk_dat[-21]' = opq->pk_tlink->pk_ctx
opq->pk_tlink->pk_dat[-25]' = opq->pk_tlink->pk_tag
opq->pk_tlink->pk_dat[-29]' = opq->pk_tlink->pk_enc
opq->pk_tlink->pk_dat[-33]' = 0
opq->pk_tlink->pk_dat[-36]' = opq->pk_tlink->pk_flag
opq->pk_tlink->pk_dat[-37]' = opq->pk_tlink->pk_ack
opq->pk_tlink->pk_dat[-39]' = opq->pk_tlink->pk_seq
opq->pk_tlink->pk_dat[-41]' = opq->pk_tlink->pk_src
opq->pk_tlink->pk_dat[-45]' = opq->pk_tlink->pk_dst
opq->pk_tlink->pk_dat[-9]' = opq->pk_tlink->pk_crc
opq->pk_tlink->pk_nrt' <= 9
opq->pk_tlink->pk_tlink' = 0
opq->pk_tlink->pk_rtv.tv_sec' = &$unknown_82940
opq->pk_tlink->pk_rtv.tv_usec' <= tnow.tv_usec - 1
opq->pk_tlink->pk_trlink' = 0
*opq->pk_tlink' is freed
((char*)&$unknown_82942)[12]' = &$unknown_82943
((char*)&$unknown_82943)[8]' = &$unknown_82942
buf[0]' = 48
strlen(&buf[0])' = 1
tocttou(buf)' = tocttou(#string19)
cc' = $input_12
cp' = opq->pk_tlink->pk_dat - 48
dummy[0]' = opq->pk_tlink->pk_dat[-48]
hp' = opq->pk_tlink->pk_hostd
len' = opq->pk_tlink->pk_len + 48
pp' = opq->pk_tlink
pp' = opq->pk_tlink
tnow.tv_sec' = &$unknown_82940

Change Warning 22029.28668 : Use After Free

Priority:
State:
Finding:
Owner:
Note: