Text  |   XML   |   Visible Warnings:

pvm3.4.6 : pvm3.4.6 analysis 2 : Buffer Overrun  at pvmd.c:5238

Categories: LANG.MEM.BO CWE:120 CWE:121 CWE:122 CWE:126
Warning ID: 22067.28896
Procedure: varsub
Trace: view
Modified: Thu Nov 26 11:28:24 2009   show details
 
Priority: None
State: None
Finding: None
Owner: None
  edit properties

Legend [ X ]
Warning Location
Contributes
Parse Error
Other Warning
Two or More Loop Iterations
On Execution Path
Comment
Macro
Preprocessor
Include
Keyword
Preprocessed Away
Legend
Warning Location Contributes Parse Error
Other Warning Two or More Loop Iterations On Execution Path
Comment Macro Preprocessor
Include Keyword Preprocessed Away

Source  |  Language: C Hide Legend     
ProblemLineSource
   /kat0/fletcher/SATE/2010/pvm3/src/pvmd.c
   Enter slave_config
 5449 slave_config(hn, argc, argv) 
 5450         char *hn;
 5451         int argc;
 5452         char **argv;
 5453 {
 5454         int lh;                 /* local host index */ 
 5455         int mh;                 /* master host index */ 
 5456         struct hostd *hp;
 5457         int i, j;
 5458         int ac;
 5459         int ms = 0;             /* manual (humanoid) startup */ 
 5460 #ifndef WIN32 
 5461         int dof = 1;            /* fork, exit parent (default) */ 
 5462 #else 
 5463         int dof = 0; 
 5464 #endif 
 5465         int bad = 0;
 5466         char *p;
 5467         char *s;
 5468  
 5469         for (i = j = ac = 1; i < argc; i++) {
 5470                 if (argv[i][0] == '-') {
 5471                         switch (argv[i][1]) {
 5472  
 5473                         case 'S': 
 5474                                 ms = 1;
 5475                                 break;
 5476  
 5477                         case 'f': 
 5478                                 dof = 0;
 5479                                 break;
 5480  
 5481                         default: 
 5482                                 pvmlogprintf("slave_config() unknown switch: %s\n", argv[i]);
 5483                                 bad++;
 5484                         }
 5485  
 5486                 } else {
 5487                         argv[j++] = argv[i];
 5488                         ac++;
 5489                 }
 5490         }
 5491         argc = ac;
 5492  
 5493         if (bad || argc != 6) {
 5494                 pvmlogerror("slave_config: bad args\n");
 5495                 pvmbailout(0);
 5496         }
 5497  
 5498         mh = atoi(argv[1]);
 5499         lh = atoi(argv[4]);
 5500         hosts = ht_new(1);
 5501         hosts->ht_serial = 1;
 5502         hosts->ht_master = mh;
 5503         hosts->ht_cons = mh;
 5504         hosts->ht_local = lh;
 5505  
 5506         hp = hd_new(mh);
 5507         hp->hd_name = STRALLOC("?");   /* Null Pointer Dereference (ID: 262.28915) */
 5508         hex_inadport(argv[2], &hp->hd_sad);
 5509         hp->hd_mtu = atoi(argv[3]);
 5510         ht_insert(hosts, hp);
 5511         hd_unref(hp);
 5512  
 5513         hp = hd_new(0);
 5514         hp->hd_name = STRALLOC("pvmd'");   /* Null Pointer Dereference (ID: 261.28913) */
 5515         hp->hd_arch = STRALLOC(myarchname);   /* Null Pointer Dereference (ID: 260.28911) */
 5516         hp->hd_mtu = pvmudpmtu;
 5517         hp->hd_dsig = pvmmydsig;
 5518         hex_inadport(argv[5], &hp->hd_sad);
 5519         ht_insert(hosts, hp);
 5520         hd_unref(hp);
 5521  
 5522         hp = hd_new(lh);
 5523         hp->hd_name = STRALLOC(hn);   /* Null Pointer Dereference (ID: 259.28909) */
 5524         hp->hd_arch = STRALLOC(myarchname);   /* Null Pointer Dereference (ID: 260.28908) */
 5525         hp->hd_mtu = pvmudpmtu;
 5526         hp->hd_dsig = pvmmydsig;
 5527         hex_inadport(argv[5], &hp->hd_sad);
 5528         ht_insert(hosts, hp);
 5529         hd_unref(hp);
 5530  
 5531         if (i = mksocs()) {
 5532                 if (i == 2) {
 5533                         printf("PvmDupHost\n");
 5534                         fflush(stdout);
 5535                 }
 5536                 pvmbailout(0);
 5537         }
 5538  
 5539         printf("ddpro<%d> arch<%s> ip<%s> mtu<%d> dsig<%d>\n",
 5540                 DDPROTOCOL,
 5541                 myarchname,
 5542                 inadport_hex(&hp->hd_sad),
 5543                 pvmudpmtu,
 5544                 pvmmydsig);
 5545         fflush(stdout);
 5546  
 5547 #ifndef WIN32 
 5548  
 5549 #if !defined(IMA_OS2) && !defined(CYGWIN)
 5550         if (!ms)
 5551                 (void)read(0, (char*)&i, 1);
 5552 #endif 
 5553  
 5554         if (dof) {
 5555                 if (i = fork()) {
 5556                         if (i == -1)
 5557                                 pvmlogperror("slave_config() fork");
 5558                         exit(0);
 5559                 }
 5560  
 5561         /* close everything but our sockets */ 
 5562  
 5563                 for (i = getdtablesize(); --i >= 0; )
 5564 /* XXX don't like this - hard to maintain */ 
 5565                         if (i != netsock && i != loclsock && i != log_fd)
 5566                                 (void)close(i);
 5567         }
 5568  
 5569         /* reopen 0, 1, 2*/ 
 5570  
 5571         (void)open("/dev/null", O_RDONLY, 0);
 5572         (void)open("/dev/null", O_WRONLY, 0);   /* File System Race Condition (ID: 22074.28903) */
 5573         (void)dup2(1, 2);
 5574  
 5575 #endif 
 5576  
 5577         pvmsetlog(2);
 5578  
 5579         if ((p = getenv("PVM_PATH")))
 5580                 s = STRALLOC(p);   /* Null Pointer Dereference (ID: 22072.28901) */
 5581         else 
 5582                 s = STRALLOC(DEFBINDIR);   /* Null Pointer Dereference (ID: 22073.28902) */
 5583         epaths = colonsep(varsub(s));
 5584         PVM_FREE(s);
 5585  
 5586         s = STRALLOC(DEFDEBUGGER);   /* Null Pointer Dereference (ID: 22071.28900) */
 5587         debugger = varsub(s);
 5588         PVM_FREE(s);
 5589  
 5590         if ((s = getenv("PVM_WD")))
 5591                 p = STRALLOC(s);   /* Null Pointer Dereference (ID: 22070.28899) */
 5592         else 
true5593                 p = STRALLOC(pvmgethome());   /* Null Pointer Dereference (ID: 22069.28898) */
bytes_after(p) < 35594         s = varsub(p);
     Enter slave_config / varsub
 5205   char * 
 5206   varsub(s) 
 5207           char *s;
 5208   {
 5209           int rm = 8;             /* length of result string space */ 
 5210           char *r;                /* result string */ 
 5211           int rl = 0;
 5212           char *p;
 5213           char *vn, *vv;
 5214           char c;
 5215           int l;
 5216    
 5217           r = TALLOC(rm, char, "var");
 5218           while (*s) {   /* Null Pointer Dereference (ID: 143.28764) */
bytes_after(s) < 35219                   for (p = s; *p && *p != '$'; p++) ;
 5220                   if (l = p - s) {
 5221                           if (rl + l >= rm) {
 5222                                   rm = rl + l + 1;
 5223                                   r = TREALLOC(r, rm, char);
 5224                           }
 5225                           strncpy(r + rl, s, l);   /* Null Pointer Dereference (ID: 138.28759) */
 5226                           rl += l;
 5227                   }
bytes_after(p) < 35228                   s = p++;
 5229                   if (*s == '$') {
 5230                           if (*p == '{')
bytes_after(p) < 25231                                   p++;
bytes_after(p) < 15232                           vn = p;
 5233                           while (isalnum(*p) || *p == '_')   /* Buffer Overrun (ID: 22085.28922) */  /* 2 more... */
 5234                                   p++;
 5235                           c = *p;
 5236                           *p = 0;
 5237    
bytes_after(vn) < 15238                           vv = getenv(vn);     /* Buffer Overrun */  /* Buffer Overrun (ID: 22084.28921) */
     Exit slave_config / varsub
Preconditions 
$param_2 >= 3
&$unknown_716601 != 0
&$heap_90768 <= &$unknown_716607 - 2
((char*)*$param_3)[20] != 58
((char*)*$param_3)[8] != 58
$unknown_716603 != 58
strlen(&$unknown_716605) != 1
strlen(&$unknown_716605) > 0
((char*)&$unknown_716607)[1] != 95
((char*)&$heap_90752)[20] != 0
((char*)&$heap_90752)[96] >= 0
$heap_90768 = 36
((char*)&$heap_90768)[1] = 123
Postconditions 
((char*)$heap_90752)[20]' is freed
*stdout' is allocated by fopen
bytes_before(stdout)' = 0
ac' = 6
strlen(&$unknown_716607)' = 1
((char*)&$unknown_716607)[1]' = 0
argc' = 6
atnewline' = 1
bad' = 0
strlen(&buf[0])' = 17
buf[17]' = 0
c' = ((char*)&$unknown_716607)[1]
debugger' = &$unknown_716604
dof' = &$unknown_716601
epaths' = &$heap_90766
errno' != 0
hd' = &#string17[0]
$heap_90744' = 1
bytes_after(&$heap_90744)' = 32
$heap_90744' is allocated by malloc
$heap_90744' is allocated
bytes_before(&$heap_90744)' = 0
((char*)&$heap_90744)[16]' = $input_12
((char*)&$heap_90744)[20]' = $input_67364
((char*)&$heap_90744)[12]' = $input_12
$heap_90746' = &$heap_90746
bytes_after(&$heap_90746)' = 120
$heap_90746' is allocated by malloc
$heap_90746' is allocated
bytes_before(&$heap_90746)' = 0
((char*)&$heap_90746)[16]' = 0
((char*)&$heap_90746)[20]' = 0
((char*)&$heap_90746)[4]' = &$heap_90746
((char*)&$heap_90746)[8]' = 0
((char*)&$heap_90746)[116]' = 0
((char*)&$heap_90746)[12]' = 0
bytes_after(&$heap_90747)' = 120
$heap_90747' is allocated by malloc
$heap_90747' is allocated
bytes_before(&$heap_90747)' = 0
((char*)&$heap_90747)[16]' = 0
((char*)&$heap_90747)[20]' = 0
((char*)&$heap_90747)[8]' = 0
((char*)&$heap_90747)[116]' = 0
((char*)&$heap_90747)[12]' = 0
$heap_90748' = 1
bytes_after(&$heap_90748)' = 124
$heap_90748' is allocated by malloc
bytes_before(&$heap_90748)' = 0
((char*)&$heap_90748)[52]' = $input_67372
((char*)&$heap_90748)[56]' = 2
((char*)&$heap_90748)[72]' = 1
((char*)&$heap_90748)[76]' = 1
((char*)&$heap_90748)[80]' = &$heap_90746
((char*)&$heap_90748)[8]' = &$heap_90750
((char*)&$heap_90748)[84]' = &$heap_90749
((char*)&$heap_90748)[92]' = &$heap_90747
((char*)&$heap_90748)[100]' = 1
((char*)&$heap_90748)[108]' = 1000
((char*)&$heap_90748)[112]' = 0
$heap_90749' = &$heap_90749
bytes_after(&$heap_90749)' = 120
$heap_90749' is allocated by malloc
$heap_90749' is allocated
bytes_before(&$heap_90749)' = 0
((char*)&$heap_90749)[16]' = 0
((char*)&$heap_90749)[20]' = 0
((char*)&$heap_90749)[4]' = &$heap_90749
((char*)&$heap_90749)[8]' = 0
((char*)&$heap_90749)[116]' = 0
((char*)&$heap_90749)[12]' = 0
$heap_90750' = 63
bytes_after(&$heap_90750)' = 2
$heap_90750' is allocated by malloc
$heap_90750' is allocated
bytes_before(&$heap_90750)' = 0
strlen(&$heap_90750)' = 1
tocttou($heap_90750)' = tocttou(#string176)
bytes_after(&$heap_90751)' = 120
$heap_90751' is allocated by malloc
bytes_before(&$heap_90751)' = 0
$heap_90752' = 0
bytes_after(&$heap_90752)' = 124
$heap_90752' is allocated by malloc
$heap_90752' is freed
bytes_before(&$heap_90752)' = 0
((char*)&$heap_90752)[44]' = pvmmydsig
((char*)&$heap_90752)[52]' = pvmudpmtu
((char*)&$heap_90752)[56]' = 2
((char*)&$heap_90752)[72]' = 1
((char*)&$heap_90752)[76]' = 1
((char*)&$heap_90752)[80]' = &$heap_90751
((char*)&$heap_90752)[8]' = &$heap_90755
((char*)&$heap_90752)[84]' = &$heap_90753
((char*)&$heap_90752)[92]' = &$heap_90754
((char*)&$heap_90752)[100]' = 1
((char*)&$heap_90752)[108]' = 1000
((char*)&$heap_90752)[112]' = 0
((char*)&$heap_90752)[12]' = &$heap_90756
$heap_90753' = &$heap_90753
bytes_after(&$heap_90753)' = 120
$heap_90753' is allocated by malloc
bytes_before(&$heap_90753)' = 0
((char*)&$heap_90753)[16]' = 0
((char*)&$heap_90753)[20]' = 0
((char*)&$heap_90753)[4]' = &$heap_90753
((char*)&$heap_90753)[116]' = 0
bytes_after(&$heap_90754)' = 120
$heap_90754' is allocated by malloc
bytes_before(&$heap_90754)' = 0
((char*)&$heap_90754)[16]' = 0
((char*)&$heap_90754)[20]' = 0
((char*)&$heap_90754)[116]' = 0
$heap_90755' = 112
bytes_after(&$heap_90755)' = 6
$heap_90755' is allocated by malloc
bytes_before(&$heap_90755)' = 0
strlen(&$heap_90755)' = 5
tocttou($heap_90755)' = tocttou(#string167)
$heap_90756' = *myarchname
bytes_after(&$heap_90756)' = strlen(myarchname) + 1
$heap_90756' is allocated by malloc
bytes_before(&$heap_90756)' = 0
strlen(&$heap_90756)' = strlen(myarchname)
tocttou($heap_90756)' = tocttou(*myarchname)
bytes_after(&$heap_90757)' = 120
$heap_90757' is allocated by malloc
$heap_90757' is allocated
bytes_before(&$heap_90757)' = 0
((char*)&$heap_90757)[16]' = 0
((char*)&$heap_90757)[20]' = 0
((char*)&$heap_90757)[8]' = 0
((char*)&$heap_90757)[116]' = 0
((char*)&$heap_90757)[12]' = 0
$heap_90758' = &$heap_90758
bytes_after(&$heap_90758)' = 120
$heap_90758' is allocated by malloc
$heap_90758' is allocated
bytes_before(&$heap_90758)' = 0
((char*)&$heap_90758)[16]' = 0
((char*)&$heap_90758)[20]' = 0
((char*)&$heap_90758)[4]' = &$heap_90758
((char*)&$heap_90758)[8]' = 0
((char*)&$heap_90758)[116]' = 0
((char*)&$heap_90758)[12]' = 0
$heap_90759' = &$heap_90759
bytes_after(&$heap_90759)' = 120
$heap_90759' is allocated by malloc
$heap_90759' is allocated
bytes_before(&$heap_90759)' = 0
((char*)&$heap_90759)[16]' = 0
((char*)&$heap_90759)[20]' = 0
((char*)&$heap_90759)[4]' = &$heap_90759
((char*)&$heap_90759)[8]' = 0
((char*)&$heap_90759)[116]' = 0
((char*)&$heap_90759)[12]' = 0
$heap_90760' = 1
bytes_after(&$heap_90760)' = 124
$heap_90760' is allocated by malloc
bytes_before(&$heap_90760)' = 0
((char*)&$heap_90760)[44]' = pvmmydsig
((char*)&$heap_90760)[52]' = pvmudpmtu
((char*)&$heap_90760)[56]' = 2
((char*)&$heap_90760)[72]' = 1
((char*)&$heap_90760)[76]' = 1
((char*)&$heap_90760)[80]' = &$heap_90758
((char*)&$heap_90760)[8]' = &$heap_90762
((char*)&$heap_90760)[84]' = &$heap_90759
((char*)&$heap_90760)[92]' = &$heap_90757
((char*)&$heap_90760)[100]' = 1
((char*)&$heap_90760)[108]' = 1000
((char*)&$heap_90760)[112]' = &$heap_90761
((char*)&$heap_90760)[12]' = &$heap_90763
bytes_after(&$heap_90761)' = 20
$heap_90761' is allocated by malloc
$heap_90761' is allocated
bytes_before(&$heap_90761)' = 0
((char*)&$heap_90761)[16]' = 0
((char*)&$heap_90761)[8]' = 0
((char*)&$heap_90761)[12]' = 0
$heap_90762' = *hn
bytes_after(&$heap_90762)' = strlen(hn) + 1
$heap_90762' is allocated by malloc
$heap_90762' is allocated
bytes_before(&$heap_90762)' = 0
strlen(&$heap_90762)' = strlen(hn)
tocttou($heap_90762)' = tocttou(*hn)
$heap_90763' = *myarchname
bytes_after(&$heap_90763)' = strlen(myarchname) + 1
$heap_90763' is allocated by malloc
$heap_90763' is allocated
bytes_before(&$heap_90763)' = 0
strlen(&$heap_90763)' = strlen(myarchname)
tocttou($heap_90763)' = tocttou(*myarchname)
$heap_90764' is allocated by open
$heap_90764' is allocated
$heap_90765' = 36
bytes_after(&$heap_90765)' = 49
$heap_90765' is allocated by malloc
$heap_90765' is freed
bytes_before(&$heap_90765)' = 0
tocttou($heap_90765)' = tocttou(#string168)
$heap_90766' = &$unknown_716603
$heap_90766' is allocated by malloc
$heap_90766' is allocated
bytes_before(&$heap_90766)' = 0
((char*)&$heap_90766)[4]' = 0
$heap_90767' = 36
bytes_after(&$heap_90767)' = 23
$heap_90767' is allocated by malloc
$heap_90767' is freed
bytes_before(&$heap_90767)' = 0
tocttou($heap_90767)' = tocttou(#string170)
bytes_after(&$heap_90768)' = 2
$heap_90768' is allocated by malloc
$heap_90768' is allocated
bytes_before(&$heap_90768)' = 0
strlen(&$heap_90768)' = strlen(&$unknown_716605)
hosts' = &$heap_90744
hp' = &$heap_90760
i' = -1
lh' = $input_67364
log_ff' = 0
log_how' = 2
mh' = $input_12
ms' = 1
p' = &$unknown_716607 + 1
p' = &$heap_90768
r' = 0
rl' = l'
rm' = 8
s' = 0
s' = &$heap_90768
vn' = &$heap_90768 + 2



Change Warning 22067.28896 : Buffer Overrun

Priority:
State:
Finding:
Owner:
Note: