CodeSonar : pvm3.4.6 : Buffer Overrun

pvm3.4.6 : pvm3.4.6 analysis 2 : Buffer Overrun at lpvm.c:2897

Categories:	LANG.MEM.BO CWE:120 CWE:121 CWE:122 CWE:126
Warning ID:	329.29009
Procedure:	mksocs
Trace:	view
Modified:	Thu Nov 26 11:29:30 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/pvm3/src/lpvm.c

			Enter mksocs

{

char buf[128];

#ifndef WIN32

int d;

#else

HANDLE d;

#endif

#ifdef SOCKLENISUINT

#if defined(IMA_AIX4SP2) || defined(IMA_AIX5SP2)

...

#else

int oslen;

#endif

int n;

int try;

char *p;

#ifndef NOUNIXDOM

struct sockaddr_un uns;

#endif

if (topvmd)

return 0;

* get addr of pvmd, make socket to talk.

2822

* first try envar PVMSOCK, then try sockaddr file.

2823

2824

2825

if (!(p = getenv("PVMSOCK"))) {

2826

if (!(p = pvmdsockfile ())) { /* Redundant Condition (ID: 327.29006) */

2827

pvmlogerror("mksocs() pvmdsockfile() failed\n"); /* Unreachable Call (ID: 328.29007) */

goto bail;

}

#ifndef WIN32

if ((d = open(p, O_RDONLY, 0)) == -1) {

2832

#else

2833

d = win32_open_file(p);

2834

if (d == (HANDLE) -2) {

2835

system_loser_win=TRUE;

...

goto bail;

}

if (n == 0) {

pvmlogerror("mksocs() read addr file: wrong length read\n");

2862

goto bail;

2863

}

2864

buf[n] = 0; /* Buffer Overrun (ID: 331.29010) */

p = buf;

}

FD_ZERO(&pvmrfds);

FD_ZERO(&pvmwfds);

pvmnfds = 0;

topvmd = ttpcb_new ();

2875

topvmd->tt_tid = TIDPVMD; /* Null Pointer Dereference (ID: 330.29008) */

if (p[0] == '/') {

#ifdef NOUNIXDOM

pvmlogerror("mksocs() no support for Unix domain socket\n");

goto bail;

#else /*NOUNIXDOM*/

if ((topvmd->tt_fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {

2884

pvmlogperror("mksocs() socket");

goto bail;

}

* XXX these 2 loops are a hack -

2890

* XXX it keeps too many tasks from overflowing the pvmd listen q.

2891

* XXX maybe the pvmd should make a socket pair for the task instead.

try = 5;

while (1) {

BZERO((char*)&uns, sizeof(uns));

2896

uns.sun_family = AF_UNIX;

strlen(p) > 107

2897

strcpy(uns.sun_path, p); /* Buffer Overrun */

2898

n = sizeof(uns);

2899

if (connect(topvmd->tt_fd, (struct sockaddr*)&uns, n) == -1) {

2900

if (--try <= 0) {

2901

pvmlogperror("mksocs() connect");

2902

pvmlogprintf("\tsocket address tried: %s\n",p );

2903

goto bail;

2904

}

2905

pvmsleep(1); /* XXX hmm again */

Preconditions

numpmsgs = 0
$input_12 >= 1
topvmd = 0

Postconditions

((char*)$unknown_1151062)[4]' = &$unknown_1151063
_ALARM_CLOCK' = 1
$unknown_1151063' = &freepmsgs.m_link
((char*)&$unknown_1151063)[4]' = ((char*)&$unknown_1151062)[4]
errno' != 0
freepmsgs.m_link' = &$unknown_1151063 - 92
freepmsgs.m_rlink' = &$unknown_1151063
$heap_335113' = 47
bytes_after(&$heap_335113)' = $input_12 + 1
$heap_335113' is allocated by malloc
$heap_335113' is a non-heap object
bytes_before(&$heap_335113)' = 0
strlen(&$heap_335113)' = $input_12
$heap_335114' = 0
bytes_after(&$heap_335114)' = 64
$heap_335114' is allocated by malloc
$heap_335114' is allocated
bytes_before(&$heap_335114)' = 0
((char*)&$heap_335114)[16]' = &$heap_335115 - 4096
$heap_335115' is allocated by open
$heap_335115' is allocated
n' = 110
numpmsgs' = 49
p' = &$heap_335113
pvmnfds' = 0
topvmd' = &$heap_335114
uns.sun_family' = 1
uns.sun_path[0]' = 47

Change Warning 329.29009 : Buffer Overrun

Priority:
State:
Finding:
Owner:
Note: