CodeSonar : pvm3.4.6 : Null Pointer Dereference

pvm3.4.6 : pvm3.4.6 analysis 2 : Null Pointer Dereference at tdpro.c:1150

Categories:	LANG.MEM.NPD CWE:476
Warning ID:	22096.28959
Procedure:	tm_spawn
Trace:	view
Modified:	Thu Nov 26 11:29:14 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/pvm3/src/tdpro.c

			Enter tm_spawn

tm_spawn(tp, mp)

struct task *tp;

struct pmsg *mp;

{

char *where = 0; /* location from req */

1088

struct waitc *wp; /* 'seed' waitc */

1089

struct waitc_spawn *wxp = 0; /* new task parameters */

1090

struct htab *htp; /* set of usable hosts */

struct hostd *hp;

int hh;

int i;

char *wd = 0;

char *wdenv = 0;

char *ptr;

int sz;

* unpack spawn command from task

1101

1102

1103

wxp = TALLOC(1, struct waitc_spawn, "waix");

1104

BZERO((char*)wxp, sizeof(struct waitc_spawn)); /* Null Pointer Dereference (ID: 288.28963) */

1105

1106

if (upkstralloc(mp, &wxp->w_file )

1107

|| upkint(mp, &wxp->w_flags )

1108

|| upkstralloc(mp, &where )

1109

|| upkint(mp, &wxp->w_veclen )

1110

|| upkint(mp, &wxp->w_argc ))

1111

goto bad;

1112

1113

if (wxp->w_veclen < 1)

1114

goto bad;

1115

1116

wxp->w_argv = TALLOC(wxp->w_argc + 1, char*, "argv"); /* Integer Overflow of Allocation Size (ID: 287.28962) */

1117

BZERO((char*)wxp->w_argv, (wxp->w_argc + 1) * sizeof(char*)); /* Null Pointer Dereference (ID: 286.28961) */

1118

for (i = 0; i < wxp->w_argc; i++)

1119

if (upkstralloc(mp, &wxp->w_argv[i]))

1120

goto bad;

1121

1122

if (upkuint(mp, &wxp->w_outtid )

1123

|| upkuint(mp, &wxp->w_outctx )

1124

|| upkuint(mp, &wxp->w_outtag )

1125

|| upkuint(mp, &wxp->w_trctid )

1126

|| upkuint(mp, &wxp->w_trcctx )

1127

|| upkuint(mp, &wxp->w_trctag ))

goto bad;

* extract any working directory string from "where"

ptr = where;

while ( *ptr != ':' && *ptr != '\0' )

1136

ptr++;

1137

if ( *ptr == ':' ) {

1138

*ptr++ = '\0'; /* close off actual "where" string */

1139

wd = ptr; /* save ptr to working directory */

}

* unpack environment from task

1144

1145

1146

if (upkuint(mp, &wxp->w_nenv ))

1147

goto bad;

1148

sz = wxp->w_nenv + 1 + (wd ? 1 : 0);

true

1149

wxp->w_env = TALLOC(sz, char*, "env"); /* Integer Overflow of Allocation Size (ID: 22097.28960) */

wxp->w_env <= 4095

1150

BZERO((char*)wxp->w_env, sz * sizeof(char*)); /* Null Pointer Dereference */

Preconditions

&$unknown_930083 >= 1
&$unknown_930098 != 0
((char*)&$heap_332074)[24] >= 1
$heap_332075 != 0
$heap_332075 != 58

Postconditions

errno' != 0
$heap_332074' = 0
bytes_after(&$heap_332074)' = 84
$heap_332074' is allocated by malloc
bytes_before(&$heap_332074)' = 0
((char*)&$heap_332074)[60]' = 0
((char*)&$heap_332074)[12]' = &$heap_332076
bytes_after(&$heap_332075)' = &$unknown_930083
$heap_332075' is allocated by malloc
bytes_before(&$heap_332075)' = 0
strlen(&$heap_332075)' = 1
((char*)&$heap_332075)[1]' = 0
$heap_332076' = 0
$heap_332076' is allocated by malloc
bytes_before(&$heap_332076)' = 0
ptr' = &$heap_332075 + 2
sz' = &$unknown_930098 / 4
wd' = &$heap_332075 + 2
wdenv' = 0
where' = &$heap_332075
wxp' = &$heap_332074

Change Warning 22096.28959 : Null Pointer Dereference

Priority:
State:
Finding:
Owner:
Note: