CodeSonar : pvm3.4.6 : Use After Free

pvm3.4.6 : pvm3.4.6 analysis 2 : Use After Free at waitc.c:249

Categories:	ALLOC.UAF CWE:416
Warning ID:	22062.28796
Procedure:	wait_new
Trace:	view
Modified:	Thu Nov 26 11:28:03 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/pvm3/src/ddpro.c

			Enter dm_db

dm_db(hp, mp)

struct hostd *hp;

struct pmsg *mp;

{

int opcode; /* op requested */

2948

int tid;

2949

int req; /* index requested */

2950

int flags;

2951

char *name = 0; /* class name */

2952

struct pmsg *mp2 = 0; /* reply */

2953

struct pmsg *mp3 = 0; /* data message */

2954

2955

struct waitc *wp, *wp2; /* wait ctx ptrs (notify, recvinfo */

2956

struct pmsg *mp4 = 0; /* notify forward message */

2957

struct hostd *hp2; /* remote notify host */

2958

2959

struct pvmmclass *np, *np2; /* reset pointers */

2960

struct pvmmentry *ep, *ep2; /* reset pointers */

2961

int *noresets; /* noreset tids */

2962

int nnr; /* # of noreset tasks */

int found;

int cc;

int i;

int notified;

hp = hp;

if (upkint(mp, &opcode ) || upkint(mp, &tid )

2971

|| upkstralloc(mp, &name ) || upkint(mp, &req ) || upkint(mp, &flags ))

goto badformat;

mp2 = mesg_new (0);

mp2->m_dst = mp->m_src; /* Null Pointer Dereference (ID: 183.28808) */

2976

mp2->m_tag = DM_DBACK;

2977

mp2->m_wid = mp->m_wid;

switch (opcode) {

case TMDB_PUT:

mp3 = mesg_new (0);

if (pmsg_unpack(mp, mp3 ))

2984

goto badformat;

2985

if ((req = mb_insert(tid, name, req, flags, mp3 )) < 0)

pmsg_unref(mp3 );

else {

/* check for any pending requests for this mbox entry */

2990

notified = 0;

true

2991

for (wp = waitlist->wa_link; wp != waitlist; wp = wp2) {

2992

wp2 = wp->wa_link;

2993

if (wp->wa_kind == WT_RECVINFO) {

2994

ep = (struct pvmmentry *) wp->wa_spec;

2995

if ( !strcmp( (char *) ep->me_msg, name ) ) {

2996

cc = mb_lookup(ep->me_tid, (char *) ep->me_msg,

2997

ep->me_ind, ep->me_flags, &mp3 );

2998

if ( cc != PvmNotFound ) {

2999

pkint(wp->wa_mesg, cc );

3000

if (mp3) {

3001

pmsg_pack(wp->wa_mesg, mp3 );

3002

pmsg_unref(mp3 );

3003

}

3004

sendmessage(wp->wa_mesg );

3005

wp->wa_mesg = 0;

3006

PVM_FREE(ep->me_msg);

PVM_FREE(ep);

wait_delete(wp );

}

}

}

/* check if task needs mbox notify for mb_tidy()... */

3013

else if (wp->wa_kind == WT_TASKX) {

3014

if ( wp->wa_on == tid && wp->wa_tid == pvmmytid )

notified++;

}

}

/* create mbox notify for mb_tidy() cleanup... */

3020

if ( !notified ) {

3021

/* dummy notify for clean up */

*waitlist->wa_link is freed

3022

wp = wait_new (WT_TASKX );

					/kat0/fletcher/SATE/2010/pvm3/src/waitc.c

					Enter dm_db / wait_new

struct waitc *

wait_new(kind)

int kind;

{

static int lastwid = 0; /* last wid assigned */

232

233

int startwid; /* to detect when we've tried all */

234

int wid;

235

struct waitc *wp, *wp2;

236

237

238

* find a unique wid by incrementing lastwid and stepping through

239

* waitlist until we find a vacant slot.

240

241

242

if (++lastwid > widrange)

243

lastwid = 1;

244

startwid = lastwid;

*waitlist->wa_link is freed

wp = waitlist;

while (1) {

wid = widbase + lastwid;

249

while (wp->wa_wid < wid) /* Use After Free */

*wp->wa_link is freed

250

if ((wp = wp->wa_link) == waitlist)

					Exit dm_db / wait_new

Preconditions

&$unknown_668069 >= 1
((char*)&((char*)*$unknown_668077)[24])[20] <= 0
((char*)&((char*)*$unknown_668077)[24])[12] = 0
pvmmboxclasses->mc_link->mc_ent->me_link->me_ind <= ((char*)waitlist->wa_link->wa_spec)[8] - 1
waitlist->wa_link->wa_peer >= 0
waitlist->wa_link->wa_kind = 18
waitlist->wa_wid <= widbase
((char*)*waitlist->wa_link->wa_spec)[24] = *pvmmboxclasses->mc_link->mc_name
strlen(pvmmboxclasses->mc_link->mc_name) = strlen(((char*)waitlist->wa_link->wa_spec)[24])
pvmmboxclasses->mc_link->mc_ent->me_link != pvmmboxclasses->mc_link->mc_ent
((char*)*$unknown_668077)[24] = ((char*)$unknown_668077)[24]
waitlist->wa_link->wa_link = waitlist
pvmmboxclasses->mc_link != pvmmboxclasses
waitlist->wa_link != waitlist
numfrags != 0
numfrags != 1
numpmsgs != 0
numpmsgs != 1
widrange <= lastwid

Postconditions

((char*)&((char*)*$unknown_668077)[24])[4]' = &freepmsgs.m_link
freefrags.fr_link->fr_link->fr_rlink' = freefrags.fr_link->fr_rlink
freepmsgs.m_link->m_link->m_rlink' = freepmsgs.m_link->m_rlink
waitlist->wa_link->wa_mesg' = 0
freefrags.fr_link->fr_max' = 0
freefrags.fr_link->fr_len' = 0
freefrags.fr_link->fr_u.ref' = 1
freefrags.fr_link->fr_u.dab' = 1
freefrags.fr_link->fr_u.spr' = 0
freefrags.fr_link->fr_rlink' = freefrags.fr_link
freefrags.fr_link->fr_rip' = 0
freefrags.fr_link->fr_buf' = 0
freefrags.fr_link->fr_dat' = 0
((char*)*waitlist->wa_link->wa_spec)[24]' is freed
waitlist->wa_link->wa_mesg->m_link' = &freepmsgs.m_link
*waitlist->wa_link->wa_spec' is freed
freefrags.fr_link->fr_rlink->fr_link' = freefrags.fr_link->fr_link
freepmsgs.m_link->m_rlink->m_link' = freepmsgs.m_link->m_link
*waitlist->wa_link' is freed
freefrags.fr_link->fr_link' = freefrags.fr_link
cc' != -32
cc' >= ((char*)waitlist->wa_link->wa_spec)[8]
ep' = waitlist->wa_link->wa_spec
freepmsgs.m_rlink' = waitlist->wa_link->wa_mesg
bytes_after(&$heap_70880)' = &$unknown_668069
$heap_70880' is allocated by malloc
bytes_before(&$heap_70880)' = 0
kind' = 8
lastwid' = 1
mp2' = freepmsgs.m_link
mp3' = ((char*)$unknown_668077)[24]
mp4' = 0
name' = &$heap_70880
notified' = 0
opcode' = 1
req' >= 0
startwid' = 1
wid' = widbase + 1
wp' = waitlist->wa_link
wp' = waitlist->wa_link->wa_link
wp2' = waitlist->wa_link->wa_link

Change Warning 22062.28796 : Use After Free

Priority:
State:
Finding:
Owner:
Note: