
pvm3.4.6 : pvm3.4.6 analysis 2 : Use After Free  at pvmcruft.c:735

Categories: ALLOC.UAF CWE:416
Warning ID: 22075.28904
Procedure: inadport_hex
Modified: Thu Nov 26 11:28:27 2009
 
Priority: None
State: None
Finding: None
Owner: None


   /kat0/fletcher/SATE/2010/pvm3/src/pvmd.c
   Enter slave_config
 5449 slave_config(hn, argc, argv) 
 5450         char *hn;
 5451         int argc;
 5452         char **argv;
 5453 {
 5454         int lh;                 /* local host index */ 
 5455         int mh;                 /* master host index */ 
 5456         struct hostd *hp;
 5457         int i, j;
 5458         int ac;
 5459         int ms = 0;             /* manual (humanoid) startup */ 
 5460 #ifndef WIN32 
 5461         int dof = 1;            /* fork, exit parent (default) */ 
 5462 #else 
 5463         int dof = 0; 
 5464 #endif 
 5465         int bad = 0;
 5466         char *p;
 5467         char *s;
 5468  
 5469         for (i = j = ac = 1; i < argc; i++) {
 5470                 if (argv[i][0] == '-') {
 5471                         switch (argv[i][1]) {
 5472  
 5473                         case 'S': 
 5474                                 ms = 1;
 5475                                 break;
 5476  
 5477                         case 'f': 
 5478                                 dof = 0;
 5479                                 break;
 5480  
 5481                         default: 
 5482                                 pvmlogprintf("slave_config() unknown switch: %s\n", argv[i]);
 5483                                 bad++;
 5484                         }
 5485  
 5486                 } else {
 5487                         argv[j++] = argv[i];
 5488                         ac++;
 5489                 }
 5490         }
 5491         argc = ac;
 5492  
 5493         if (bad || argc != 6) {
 5494                 pvmlogerror("slave_config: bad args\n");
 5495                 pvmbailout(0);
 5496         }
 5497  
 5498         mh = atoi(argv[1]);
 5499         lh = atoi(argv[4]);
 5500         hosts = ht_new(1);
 5501         hosts->ht_serial = 1;
 5502         hosts->ht_master = mh;
 5503         hosts->ht_cons = mh;
 5504         hosts->ht_local = lh;
 5505  
 5506         hp = hd_new(mh);
 5507         hp->hd_name = STRALLOC("?");   /* Null Pointer Dereference (ID: 262.28915) */
 5508         hex_inadport(argv[2], &hp->hd_sad);
 5509         hp->hd_mtu = atoi(argv[3]);
 5510         ht_insert(hosts, hp);
 5511         hd_unref(hp);
 5512  
 5513         hp = hd_new(0);
 5514         hp->hd_name = STRALLOC("pvmd'");   /* Null Pointer Dereference (ID: 261.28913) */
 5515         hp->hd_arch = STRALLOC(myarchname);   /* Null Pointer Dereference (ID: 260.28911) */
 5516         hp->hd_mtu = pvmudpmtu;
 5517         hp->hd_dsig = pvmmydsig;
 5518         hex_inadport(argv[5], &hp->hd_sad);
 5519         ht_insert(hosts, hp);
 5520         hd_unref(hp);
 5521  
 5522         hp = hd_new(lh);
 5523         hp->hd_name = STRALLOC(hn);   /* Null Pointer Dereference (ID: 259.28909) */
 5524         hp->hd_arch = STRALLOC(myarchname);   /* Null Pointer Dereference (ID: 260.28908) */
 5525         hp->hd_mtu = pvmudpmtu;
 5526         hp->hd_dsig = pvmmydsig;
 5527         hex_inadport(argv[5], &hp->hd_sad);
 5528         ht_insert(hosts, hp);
true5529         hd_unref(hp);
 5530  
 5531         if (i = mksocs()) {
 5532                 if (i == 2) {
 5533                         printf("PvmDupHost\n");
 5534                         fflush(stdout);
 5535                 }
 5536                 pvmbailout(0);
 5537         }
 5538  
 5539         printf("ddpro<%d> arch<%s> ip<%s> mtu<%d> dsig<%d>\n",
 5540                 DDPROTOCOL,
 5541                 myarchname,
 5542                 inadport_hex(&hp->hd_sad),
     /kat0/fletcher/SATE/2010/pvm3/src/pvmcruft.c
     Enter slave_config / inadport_hex
 728   char * 
 729   inadport_hex(sad) 
 730           struct sockaddr_in *sad;
 731   {
 732           static char buf[16];
 733           int a;
 734    
*sad is freed735           a = ntohl(0xffffffff & sad->sin_addr.s_addr);     /* Use After Free */
     Exit slave_config / inadport_hex
 5543                 pvmudpmtu,
*hp is freed5544                 pvmmydsig);
Preconditions
$param_2 >= 3
((char*)*$param_3)[20] != 58
((char*)&$heap_139026)[96] >= 0
((char*)&$heap_139026)[12] >= 0
((char*)&$heap_139035)[20] != 0
((char*)&$heap_139035)[96] >= 0
Postconditions
((char*)$heap_139035)[20]' is freed
ac' = 6
argc' = 6
bad' = 0
$heap_139021' = 1
bytes_after(&$heap_139021)' = 32
$heap_139021' is allocated by malloc
$heap_139021' is allocated
bytes_before(&$heap_139021)' = 0
((char*)&$heap_139021)[16]' = $input_12
((char*)&$heap_139021)[20]' = $input_89812
((char*)&$heap_139021)[8]' = ((char*)&$heap_139021)[8] + 1
((char*)&$heap_139021)[12]' = $input_12
bytes_after(&$heap_139023)' = 120
$heap_139023' is allocated by malloc
bytes_before(&$heap_139023)' = 0
((char*)&$heap_139023)[16]' = 0
((char*)&$heap_139023)[20]' = 0
((char*)&$heap_139023)[116]' = 0
bytes_after(&$heap_139024)' = 120
$heap_139024' is allocated by malloc
bytes_before(&$heap_139024)' = 0
((char*)&$heap_139024)[8]' = 0
((char*)&$heap_139024)[116]' = 0
bytes_after(&$heap_139025)' = 20
$heap_139025' is allocated by malloc
bytes_before(&$heap_139025)' = 0
((char*)&$heap_139025)[16]' = 0
((char*)&$heap_139025)[8]' = 0
((char*)&$heap_139025)[12]' = 0
$heap_139026' = 0
bytes_after(&$heap_139026)' = 124
$heap_139026' is allocated by malloc
$heap_139026' is freed
bytes_before(&$heap_139026)' = 0
((char*)&$heap_139026)[52]' = $input_89820
((char*)&$heap_139026)[56]' = 2
((char*)&$heap_139026)[72]' = 1
((char*)&$heap_139026)[76]' = 1
((char*)&$heap_139026)[80]' = &$heap_139024
((char*)&$heap_139026)[8]' = &$heap_139028
((char*)&$heap_139026)[84]' = &$heap_139027
((char*)&$heap_139026)[92]' = &$heap_139023
((char*)&$heap_139026)[100]' = 1
((char*)&$heap_139026)[108]' = 1000
((char*)&$heap_139026)[112]' = &$heap_139025
bytes_after(&$heap_139027)' = 120
$heap_139027' is allocated by malloc
bytes_before(&$heap_139027)' = 0
((char*)&$heap_139027)[16]' = 0
((char*)&$heap_139027)[4]' = &$heap_139027
$heap_139028' = 63
bytes_after(&$heap_139028)' = 2
$heap_139028' is allocated by malloc
bytes_before(&$heap_139028)' = 0
strlen(&$heap_139028)' = 1
tocttou($heap_139028)' = tocttou(#string176)
$heap_139029' = &$heap_139029
bytes_after(&$heap_139029)' = 120
$heap_139029' is allocated by malloc
$heap_139029' is allocated
bytes_before(&$heap_139029)' = 0
((char*)&$heap_139029)[16]' = 0
((char*)&$heap_139029)[20]' = 0
((char*)&$heap_139029)[4]' = &$heap_139029
((char*)&$heap_139029)[8]' = 0
((char*)&$heap_139029)[116]' = 0
((char*)&$heap_139029)[12]' = 0
$heap_139030' = 1
bytes_after(&$heap_139030)' = 124
$heap_139030' is allocated by malloc
bytes_before(&$heap_139030)' = 0
((char*)&$heap_139030)[44]' = pvmmydsig
((char*)&$heap_139030)[52]' = pvmudpmtu
((char*)&$heap_139030)[56]' = 2
((char*)&$heap_139030)[72]' = 1
((char*)&$heap_139030)[76]' = 1
((char*)&$heap_139030)[80]' = &$heap_139029
((char*)&$heap_139030)[8]' = &$heap_139033
((char*)&$heap_139030)[84]' = &$heap_139031
((char*)&$heap_139030)[92]' = &$heap_139032
((char*)&$heap_139030)[100]' = 1
((char*)&$heap_139030)[108]' = 1000
((char*)&$heap_139030)[112]' = 0
((char*)&$heap_139030)[12]' = &$heap_139034
$heap_139031' = &$heap_139031
bytes_after(&$heap_139031)' = 120
$heap_139031' is allocated by malloc
$heap_139031' is allocated
bytes_before(&$heap_139031)' = 0
((char*)&$heap_139031)[16]' = 0
((char*)&$heap_139031)[20]' = 0
((char*)&$heap_139031)[4]' = &$heap_139031
((char*)&$heap_139031)[8]' = 0
((char*)&$heap_139031)[116]' = 0
((char*)&$heap_139031)[12]' = 0
bytes_after(&$heap_139032)' = 120
$heap_139032' is allocated by malloc
$heap_139032' is allocated
bytes_before(&$heap_139032)' = 0
((char*)&$heap_139032)[16]' = 0
((char*)&$heap_139032)[20]' = 0
((char*)&$heap_139032)[8]' = 0
((char*)&$heap_139032)[116]' = 0
((char*)&$heap_139032)[12]' = 0
$heap_139033' = 112
bytes_after(&$heap_139033)' = 6
$heap_139033' is allocated by malloc
$heap_139033' is allocated
bytes_before(&$heap_139033)' = 0
strlen(&$heap_139033)' = 5
tocttou($heap_139033)' = tocttou(#string167)
$heap_139034' = *myarchname
bytes_after(&$heap_139034)' = strlen(myarchname) + 1
$heap_139034' is allocated by malloc
$heap_139034' is allocated
bytes_before(&$heap_139034)' = 0
strlen(&$heap_139034)' = strlen(myarchname)
tocttou($heap_139034)' = tocttou(*myarchname)
$heap_139035' = 0
bytes_after(&$heap_139035)' = 124
$heap_139035' is allocated by malloc
$heap_139035' is freed
bytes_before(&$heap_139035)' = 0
((char*)&$heap_139035)[44]' = pvmmydsig
((char*)&$heap_139035)[52]' = pvmudpmtu
((char*)&$heap_139035)[56]' = 2
((char*)&$heap_139035)[72]' = 1
((char*)&$heap_139035)[76]' = 1
((char*)&$heap_139035)[80]' = &$heap_139036
((char*)&$heap_139035)[8]' = &$heap_139039
((char*)&$heap_139035)[84]' = &$heap_139037
((char*)&$heap_139035)[92]' = &$heap_139038
((char*)&$heap_139035)[100]' = 1
((char*)&$heap_139035)[108]' = 1000
((char*)&$heap_139035)[112]' = 0
((char*)&$heap_139035)[12]' = &$heap_139040
bytes_after(&$heap_139036)' = 120
$heap_139036' is allocated by malloc
bytes_before(&$heap_139036)' = 0
$heap_139037' = &$heap_139037
bytes_after(&$heap_139037)' = 120
$heap_139037' is allocated by malloc
bytes_before(&$heap_139037)' = 0
((char*)&$heap_139037)[16]' = 0
((char*)&$heap_139037)[20]' = 0
((char*)&$heap_139037)[4]' = &$heap_139037
((char*)&$heap_139037)[116]' = 0
bytes_after(&$heap_139038)' = 120
$heap_139038' is allocated by malloc
bytes_before(&$heap_139038)' = 0
((char*)&$heap_139038)[16]' = 0
((char*)&$heap_139038)[20]' = 0
((char*)&$heap_139038)[116]' = 0
$heap_139039' = *hn
bytes_after(&$heap_139039)' = strlen(hn) + 1
$heap_139039' is allocated by malloc
bytes_before(&$heap_139039)' = 0
strlen(&$heap_139039)' = strlen(hn)
tocttou($heap_139039)' = tocttou(*hn)
$heap_139040' = *myarchname
bytes_after(&$heap_139040)' = strlen(myarchname) + 1
$heap_139040' is allocated by malloc
bytes_before(&$heap_139040)' = 0
strlen(&$heap_139040)' = strlen(myarchname)
tocttou($heap_139040)' = tocttou(*myarchname)
hosts' = &$heap_139021
hp' = &$heap_139035
i' = 0
lh' = $input_89812
mh' = $input_12
sad' = &$heap_139035 + 56



