CodeSonar : pvm3.4.6 : Null Pointer Dereference

pvm3.4.6 : pvm3.4.6 analysis 2 : Null Pointer Dereference at pvmd.c:2391

Categories:	LANG.MEM.NPD CWE:476
Warning ID:	22035.28693
Procedure:	netoutput
Trace:	view
Modified:	Thu Nov 26 11:27:25 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/pvm3/src/pvmd.c

			Enter work

1696

work()

1697

{

1698

static int lastpinged = 0; /* host that got last keepalive msg */

1699

#ifdef FDSETNOTSTRUCT

1700

fd_set rfds, wfds; /* result of select */

1701

/* fd_set efds; */

1702

#else

1703

struct fd_set rfds, wfds; /* result of select */

1704

/* struct fd_set efds; */

1705

#endif

1706

int nrdy; /* number of fds ready after select */

...

1718

double tbpl; /* time at beginning of probe loop */

1719

double toutpl; /* timeout in the probe loop */

1720

int timed_out;

1721

extern double dclock();

#endif

#endif

#ifdef SHMEM

int someclosed;

#endif

gettimeofday(&tnow, (struct timezone*)0);

1729

if (pvmdebmask || myhostpart) {

1730

PVM_TIMET time_temp;

1731

pvmlogprintf("%s (%s) %s %s\n",

1732

hosts->ht_hosts[hosts->ht_local]->hd_name,

1733

inadport_decimal (&hosts->ht_hosts[hosts->ht_local]->hd_sad ), /* Buffer Overrun (ID: 22089.28936) */ /* Buffer Underrun (ID: 22088.28935) */

1734

myarchname,

1735

PVM_VER );

1736

pvmlogprintf("ready ");

1737

time_temp = (PVM_TIMET) tnow.tv_sec;

1738

pvmlogprintf(ctime(&time_temp)); /* Format String (ID: 22201.29376) */

}

* check for default plug-in modules (& start them)

1743

* (only if pvmd, not for pvmd'...)

if ( myhostpart ) {

char *av[5];

char *buf;

char *cmd;

int ac;

int i;

for ( i=0 ; modulenames[i] ; i++ ) {

1754

cmd = getenv( modulenames[i] );

1755

if ( cmd != NULL )

1756

{

...

1765

}

1766

if (buf) PVM_FREE( buf );

}

}

}

* remind myself to start those pesky slave pvmds

if (addmesg) {

struct pmsg *mp = addmesg;

addmesg = 0;

sendmessage(mp );

}

* init bail (for PVMDSTARTUP) and ping times

pvmgetclock(&tnow );

tout.tv_sec = DDBAILTIME;

1788

tout.tv_usec = 0;

1789

TVXADDY(&tbail, &tnow, &tout);

1790

1791

tout.tv_sec = DDPINGTIME;

1792

tout.tv_usec = 0;

1793

TVXADDY(&tping, &tnow, &tout);

1794

1795

/* init select fd sets */

wrk_fds_init();

if (loclsock >= 0)

wrk_fds_add(loclsock, 1);

1801

wrk_fds_add(netsock, 1);

for (; ; ) {

* clean up after any tasks that we got SIGCHLDs for

#ifdef IMA_BEOSCYLD

reap(SIGCLD);

#endif

while (rdead != wdead) {

1812

if (deads[rdead].dd_pid == pprime) {

1813

int cc;

1814

#ifdef SOCKLENISUINT

1815

#if defined(IMA_AIX4SP2) || defined(IMA_AIX5SP2) \

1816

|| defined(IMA_AIX56K64) || defined(IMA_LINUXALPHA)

unsigned int oslen;

#else

size_t oslen;

#endif

#else

int oslen;

#endif

struct sockaddr_in osad;

struct timeval t;

char buf[DDFRAGHDR];

hostfailentry(hosts->ht_hosts[0]);

true

1829

clear_opq_of((int)(TIDPVMD | hosts->ht_hosts[0]->hd_hostpart));

pprime = 0;

while (1) {

FD_ZERO(&rfds);

FD_SET(ppnetsock, &rfds);

1835

t.tv_sec = 0;

1836

t.tv_usec = 0;

1837

cc = select(ppnetsock + 1,

1838

#ifdef FDSETISINT

1839

(int *)&rfds, (int *)0, (int *)0,

1840

#else

1841

(fd_set *)&rfds, (fd_set *)0, (fd_set *)0,

#endif

&t);

if (cc == 1) {

oslen = sizeof(osad);

1846

recvfrom(ppnetsock, buf, sizeof(buf),

1847

0, (struct sockaddr*)&osad, &oslen);

1848

1849

} else if (cc != -1 || errno != EINTR)

break;

}

} else {

if (tp = task_findpid (deads[rdead].dd_pid )) {

1855

1856

/* check for output one last time

1857

XXX this could be cleaner by going through main select again

1858

XXX before flushing the task */

1859

1860

tp->t_status = deads[rdead].dd_es;

1861

tp->t_utime = deads[rdead].dd_ut;

1862

tp->t_stime = deads[rdead].dd_st;

1863

while (tp->t_out >= 0) {

1864

1865

#ifdef FDSETNOTSTRUCT

fd_set rfds;

#else

struct fd_set rfds;

#endif

FD_ZERO(&rfds);

FD_SET(tp->t_out, &rfds);

1873

TVCLEAR(&tout);

1874

if (select(tp->t_out + 1,

1875

#ifdef FDSETISINT

1876

(int *)&rfds, (int *)0, (int *)0,

1877

#else

1878

(fd_set *)&rfds, (fd_set *)0, (fd_set *)0,

#endif

&tout) == 1)

loclstout(tp );

else

break;

}

#if defined(IMA_PGON) || defined(IMA_SP2MPI) || defined(IMA_AIX4SP2) \

1887

|| defined(IMA_AIX5SP2) || defined(IMA_BEOLIN)

mpp_free(tp);

#endif

task_cleanup(tp );

task_free(tp );

}

}

if (++rdead >= ndead)

1895

rdead = 0;

1896

}

1897

opq->pk_tlink->pk_tlink <= 4095

1898

netoutput();

					Enter work / netoutput

{

struct timeval tnow, tx;

2228

struct pkt *pp, *pp2;

struct hostd *hp;

char *cp;

int len;

int cc;

char dummy[DDFRAGHDR];

len = 0;

for (pp = opq->pk_tlink; pp != opq; pp = pp->pk_tlink)

2238

len++;

2239

pvmlogprintf("netoutput() %d in opq\n", len);

2240

2241

if (opq->pk_tlink == opq)

return 0;

* send any pkts whose time has come

pvmgetclock(&tnow );

opq->pk_tlink->pk_tlink <= 4095

2250

while ((pp = opq->pk_tlink) != opq && TVXLTY(&pp->pk_rtv, &tnow)) { /* Use After Free (ID: 22034.28692) */

2251

2252

2253

* fail if we've tried too hard

2254

2255

hp = pp->pk_hostd;

2256

if (pp->pk_nrt >= DDMINRETRIES

2257

&& pp->pk_rto.tv_sec >= DDMINTIMEOUT) { /* host is toast */

2258

pvmlogprintf(

2259

"netoutput() timed out sending to %s after %d, %d.%06d\n",

2260

hp->hd_name, pp->pk_nrt,

2261

pp->pk_rto.tv_sec, pp->pk_rto.tv_usec );

2262

hd_dump(hp );

2263

hostfailentry(hp );

2264

clear_opq_of((int)(TIDPVMD | hp->hd_hostpart));

2265

ht_delete(hosts, hp );

2266

if (newhosts)

2267

ht_delete(newhosts, hp );

continue;

}

cp = pp->pk_dat;

len = pp->pk_len;

if (pp->pk_flag & FFSOM) {

2274

cp -= MSGHDRLEN;

2275

len += MSGHDRLEN;

2276

if (cp < pp->pk_buf) {

2277

pvmlogerror("netoutput() no headroom for message header\n");

2278

return 0;

2279

}

2280

pvmput32(cp, pp->pk_enc );

2281

pvmput32(cp + 4, pp->pk_tag );

2282

pvmput32(cp + 8, pp->pk_ctx );

2283

pvmput32(cp + 16, pp->pk_wid );

2284

pvmput32(cp + 20, pp->pk_crc );

}

cp -= DDFRAGHDR;

len += DDFRAGHDR;

* save under packet header, because databuf may be shared.

2291

* we don't worry about message header, because it's only at the head.

2292

2293

BCOPY(cp, dummy, sizeof(dummy));

2294

if (cp < pp->pk_buf) {

2295

pvmlogerror("netoutput() no headroom for packet header\n");

return 0;

}

if (pvmdebmask & PDMPACKET) {

2300

pvmlogprintf(

2301

"netoutput() pkt to %s src t%x dst t%x f %s len %d seq %d ack %d retry %d\n",

2302

hp->hd_name, pp->pk_src, pp->pk_dst, pkt_flags (pp->pk_flag ),

2303

pp->pk_len, pp->pk_seq, pp->pk_ack, pp->pk_nrt );

2304

}

2305

pvmput32(cp, pp->pk_dst );

2306

pvmput32(cp + 4, pp->pk_src );

2307

pvmput16(cp + 8, pp->pk_seq );

2308

pvmput16(cp + 10, pp->pk_ack );

2309

pvmput32(cp + 12, 0); /* to keep purify happy */

2310

pvmput8(cp + 12, pp->pk_flag );

2311

#if 0

2312

/* drop (don't send) random packets */

2313

if (!(random() & 3)) {

2314

pvmlogerror("netoutput() darn, dropped one\n");

cc = -1;

} else

#endif

if ((cc = sendto(netsock, cp, len, 0,

2319

(struct sockaddr*)&hp->hd_sad, sizeof(hp->hd_sad))) == -1

&& errno != EINTR

#ifndef WIN32

&& errno != ENOBUFS

#endif

#ifdef IMA_LINUX

/* some Linux systems report this intermittent error */

2326

/* && errno != ECONNREFUSED */

2327

#endif

2328

/* hope this works for all archs, not just linux */

2329

&& errno != ENOMEM

...

2331

pvmlogperror("netoutput() sendto");

2332

#if defined(IMA_SUN4SOL2) || defined(IMA_X86SOL2) || defined(IMA_SUNMP) || defined(IMA_UXPM) || defined(IMA_UXPV)

2333

/* life, don't talk to me about life... */

2334

if (errno == ECHILD)

2335

pvmlogerror("this message brought to you by solaris\n");

else

#endif

pvmbailout(0);

}

#ifdef STATISTICS

if (cc == -1)

stats.sdneg++;

else

stats.sdok++;

#endif

BCOPY(dummy, cp, sizeof(dummy)); /* restore under header */

2348

2349

2350

* set timer for next retry

2351

2352

if (cc != -1) {

2353

if ((pp->pk_flag & (FFFIN|FFACK)) == (FFFIN|FFACK)) {

2354

pk_free(pp );

2355

if (hp != hosts->ht_hosts[0]) {

2356

hostfailentry(hp );

2357

clear_opq_of((int)(TIDPVMD | hp->hd_hostpart));

2358

ht_delete(hosts, hp );

2359

if (newhosts)

2360

ht_delete(newhosts, hp );

}

continue;

}

if (!((pp->pk_flag & FFDAT)

2365

|| (pp->pk_flag & (FFFIN|FFACK)) == FFFIN)) {

pk_free(pp );

continue;

}

if (!TVISSET(&pp->pk_at))

2370

pp->pk_at = tnow;

2371

TVXADDY(&pp->pk_rtv, &tnow, &pp->pk_rta);

2372

TVXADDY(&pp->pk_rto, &pp->pk_rto, &pp->pk_rta);

#ifdef STATISTICS

if (pp->pk_nrt)

stats.netret++;

#endif

++pp->pk_nrt;

if (pp->pk_rta.tv_sec < DDMAXRTT) {

2379

TVXADDY(&pp->pk_rta, &pp->pk_rta, &pp->pk_rta);

}

} else {

tx.tv_sec = DDERRRETRY/1000000;

2384

tx.tv_usec = DDERRRETRY%1000000;

2385

TVXADDY(&pp->pk_rtv, &tnow, &tx);

2386

TVXADDY(&pp->pk_rto, &pp->pk_rto, &tx);

2387

}

2388

2389

/* reinsert packet into opq */

2390

pp->pk_tlink <= 4095

2391

LISTDELETE(pp, pk_tlink, pk_trlink); /* Null Pointer Dereference */

					Exit work / netoutput

Preconditions

&$unknown_238061 >= 1000000
&$unknown_238062 >= 1000000
&$unknown_238063 = 2 * opq->pk_tlink->pk_rta.tv_usec
&$unknown_238063 >= 1000000
opq->pk_tlink->pk_buf <= opq->pk_tlink->pk_dat - 16
opq->pk_tlink->pk_len >= -16
opq->pk_tlink->pk_nrt = 0
opq->pk_tlink->pk_rta.tv_sec <= 8
opq->pk_tlink->pk_rta.tv_usec >= 500000
opq->pk_tlink->pk_at.tv_sec != 0
(*hosts->ht_hosts)->hd_txq >= 0
(*hosts->ht_hosts)->hd_vmid = 0
(*hosts->ht_hosts)->hd_arch != 0
opq->pk_tlink != opq
opq->pk_tlink->pk_link = 0
loclsock >= 0
myhostpart = 0
pvmdebmask = 0
rdead != 0
$input_12 <= opq->pk_tlink->pk_len + 16
$input_12 >= 0
tnow.tv_usec >= 1000000
wdead = 0

Postconditions

opq->pk_tlink->pk_dat[-13]' = opq->pk_tlink->pk_dst
opq->pk_tlink->pk_dat[-4]' = opq->pk_tlink->pk_flag
opq->pk_tlink->pk_dat[-5]' = opq->pk_tlink->pk_ack
opq->pk_tlink->pk_dat[-7]' = opq->pk_tlink->pk_seq
opq->pk_tlink->pk_dat[-9]' = opq->pk_tlink->pk_src
opq->pk_tlink->pk_dat[-1]' = 0
opq->pk_tlink->pk_nrt' = opq->pk_tlink->pk_nrt + 1
opq->pk_tlink->pk_tlink' = 0
opq->pk_tlink->pk_rtv.tv_usec' = &$unknown_238061 - 1000000
opq->pk_tlink->pk_rta.tv_sec' = 2 * opq->pk_tlink->pk_rta.tv_sec + 1
opq->pk_tlink->pk_rta.tv_usec' = &$unknown_238063 - 1000000
opq->pk_tlink->pk_rto.tv_usec' = &$unknown_238062 - 1000000
opq->pk_tlink->pk_trlink' = 0
*opq->pk_tlink' is freed
addmesg' = 0
strlen(&buf[0])' = 59
buf[59]' = 0
cc' = 0
cc' = $input_12
cp' = opq->pk_tlink->pk_dat - 16
dummy[0]' = opq->pk_tlink->pk_dat[-16]
errno' != 0
hp' = opq->pk_tlink->pk_hostd
len' = opq->pk_tlink->pk_len + 16
mp' = addmesg
pp' = opq->pk_tlink
pprime' = 0
rdead' = 0
stats.sdok' = stats.sdok + 1
t.tv_sec' = 0
t.tv_usec' = 0
tbail.tv_sec' = &$unknown_238052 + 301
tbail.tv_usec' = tnow.tv_usec - 1000000
tnow.tv_sec' = &$unknown_238052
tnow.tv_sec' >= opq->pk_tlink->pk_rtv.tv_sec + 1
tping.tv_sec' = &$unknown_238052 + 61
tping.tv_usec' = tnow.tv_usec - 1000000

Change Warning 22035.28693 : Null Pointer Dereference

Priority:
State:
Finding:
Owner:
Note: