CodeSonar : pvm3.4.6 : Integer Overflow of Allocation Size

pvm3.4.6 : pvm3.4.6 analysis 2 : Integer Overflow of Allocation Size at pvm_gstat.c:88

Categories:	ALLOC.IOAS BSI:MALLOC-OVERFLOW CWE:680
Warning ID:	22183.29340
Procedure:	main
Trace:	view
Modified:	Thu Nov 26 11:38:24 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/pvm3/pvmgs/pvm_gstat.c

			Enter main

main(argc, argv)

int argc;

char *argv[];

{

int gstid;

int i, j, ng;

GROUP_STRUCT group;

group.len = 0; group.name = (char *) NULL;

group.tids = (int *) NULL; group.btids = (int *) NULL;

pvm_mytid();

if((gstid = gs_getgstid()) < 0)

{

fprintf(stderr, "%s: no groups server\n", argv[0]);

return(-1);

}

pvm_setcontext( SYSCTX_DG );

pvm_initsend(PvmDataDefault );

pvm_send(gstid, GSLS );

if ( pvm_trecv(gstid, GSLS, pvmgs_tmout ) <= 0)

{

fprintf(stderr, "Error receiving message from group server\n");

exit (-1);

}

/* Unpack the information for each group */

pvm_upkint(&ng, 1, 1);

if (ng == 0) /* Uninitialized Variable (ID: 548.29341) */

fprintf(stdout, "no groups exist\n");

for (i = 0; i < ng; i++)

{

pvm_upkint(&(group.len),1,1);

NEWMEM(group.name, group.len+1,char);

pvm_upkstr(group.name );

pvm_upkint(&(group.ntids), 1, 1);

pvm_upkint(&(group.maxntids), 1,1);

pvm_upkint(&(group.barrier_count), 1, 1);

pvm_upkint(&(group.barrier_reached),1,1);

true

NEWMEM(group.tids, group.maxntids, int); /* Integer Overflow of Allocation Size */

NEWMEM(group.btids, group.barrier_reached, int); /* Integer Overflow of Allocation Size (ID: 22182.29339) */

pvm_upkint(group.tids, group.maxntids, 1);

if (group.barrier_reached > 0)

pvm_upkint(group.btids, group.barrier_reached, 1);

fprintf(stdout,

"group: %s, size: %d, barrier_count %d, barrier_reached %d\n",

group.name, group.ntids, group.barrier_count,

group.barrier_reached);

fputs("tids:\n", stdout);

for (j = 0; j < group.maxntids; j++)

if (group.tids[j] > 0) /* Uninitialized Variable (ID: 546.29337) */ /* Null Pointer Dereference (ID: 547.29338) */

100

fprintf(stdout, "%d 0x%x\t", j, group.tids[j]);

101

fputs("\n", stdout);

102

if (group.barrier_reached > 0)

103

{

104

fputs("tids waiting on barrier:\n", stdout);

105

for (j = 0; j < group.barrier_reached; j++)

106

fprintf(stdout, "0x%x\t", group.btids[j]); /* Null Pointer Dereference (ID: 545.29335) */

107

fputs("\n", stdout);

Preconditions

&$unknown_13432602 >= 1
&$unknown_13432603 != 0
&$unknown_13432604 >= 3
&$unknown_13432606 >= 1
&$unknown_13432609 != 0
gstid >= 0
pvmautoerr != 2
pvmautoerr != 3
pvmmytid >= -1
pvmtoplvl != 0
pvmtrc.trctid >= 1
$input_12 = 0

Postconditions

*stdout' is allocated by fopen
bytes_before(stdout)' = 0
$unknown_13432609' is freed
errno' != 0
group.name' = 0
group.tids' = &$unknown_13432609
gstid' = gstid
i' = &$unknown_13432604 - 2
ng' = &$unknown_13432604
pvmmytid' != &$unknown_13432606
pvmrbuf' = &$unknown_13432603
pvmtrc.trctid' = &$unknown_13432606
pvmtrccodef' = &$unknown_13432605

Change Warning 22183.29340 : Integer Overflow of Allocation Size

Priority:
State:
Finding:
Owner:
Note: