CodeSonar : pvm3.4.6 : Buffer Overrun

pvm3.4.6 : pvm3.4.6 analysis 2 : Buffer Overrun at trcutil.c:602

Categories:	LANG.MEM.BO CWE:120 CWE:121 CWE:122 CWE:126
Warning ID:	466.29229
Procedure:	trc_add_to_trie
Trace:	view
Modified:	Thu Nov 26 11:36:21 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/pvm3/tracer/trcfile.c

			Enter trc_read_trace_event

2421

trc_read_trace_event( ID, eof )

TRC_ID ID;

int *eof;

{

TRC_TEVDESC TD;

char tmp[4096];

char c;

int entry_exit;

int dummy;

int index;

int code;

int flag;

int eid;

int ee;

int i;

*eof = TRC_FALSE;

if ( ID->trace_in == NULL )

return( TRC_FALSE );

while ( TRC_TRUE )

{

c = getc( ID->trace_in );

2447

2448

if ( c != (char) EOF )

{

switch ( c )

{

/* Record Descriptor Packet */

case '#':

{

/* Get event ID */

flag = fscanf( ID->trace_in, "%d", &code );

if ( flag != 1 )

{

printf( "Error Reading Event ID\n" );

return( TRC_FALSE );

}

/* Get event name */

if ( !trc_find_event_str( ID, "\"" ) )

return( TRC_FALSE );

i = 0;

while ( (c = getc( ID->trace_in )) != (char) EOF

2475

&& c != '"' && c != '(' )

2476

{

2477

tmp[i++] = c; /* Buffer Overrun (ID: 471.29235) */

2478

}

2479

2480

TRC_CKEOF( c, "EOF Reading Event Descriptor Name\n",

2481

return( TRC_FALSE ) );

2482

i > 4096

2483

tmp[i] = '\0'; /* Buffer Overrun (ID: 472.29236) */

/* PVM 3.4 Trace */

if ( c == '(' )

{

/* Decode event ID */

2490

2491

index = ( code / 1000 ) - 1;

2492

2493

eid = ( code - ((index + 1) * 1000) ) / 2;

2494

2495

ee = code - ((index + 1) * 1000) - (2 * eid);

2496

2497

/* Read in entry/exit or index value */

2498

2499

flag = fscanf( ID->trace_in, "%d", &dummy );

if ( flag != 1 )

{

printf( "Error Reading Event Index\n" );

return( TRC_FALSE );

}

/* Read in next char for parsing context */

2509

2510

c = getc( ID->trace_in );

2511

2512

TRC_CKEOF( c, "EOF Reading Event Descriptor\n",

2513

return( TRC_FALSE ) );

if ( c == '.' )

{

if ( ee != dummy )

{

printf( "Warning: " );

2520

printf( "Entry/Exit Mismatch " );

2521

printf( "%d != %d\n", ee, dummy );

2522

}

2523

2524

entry_exit = TRC_IGNORE_TEV;

2525

2526

if ( dummy == 0 )

2527

entry_exit = TRC_ENTRY_TEV;

2528

2529

else if ( dummy == 1 )

2530

entry_exit = TRC_EXIT_TEV;

2531

2532

flag = fscanf( ID->trace_in, "%d", &dummy );

if ( flag != 1 )

{

printf( "Error Reading Event Index\n" );

return( TRC_FALSE );

}

if ( index != dummy )

2542

{

2543

printf( "Warning: " );

2544

printf( "Descriptor Index Mismatch " );

2545

printf( "%d != %d\n", index, dummy );

index = dummy;

}

if ( !trc_find_event_str( ID, ")" ) )

return( TRC_FALSE );

}

else

{

entry_exit = TRC_IGNORE_TEV;

if ( ee == 1 )

{

printf( "Warning: " );

2561

printf( "Entry/Exit Mismatch " );

2562

printf( "%d != %d\n", ee, entry_exit );

2563

}

2564

2565

if ( index != dummy )

2566

{

2567

printf( "Warning: " );

2568

printf( "Descriptor Index Mismatch " );

2569

printf( "%d != %d\n", index, dummy );

index = dummy;

}

}

strlen(&tmp[0]) > 4096

2575

if ( !trc_find_event_str( ID, "\"" ) )

2576

return( TRC_FALSE );

2577

strlen($param_3) > bytes_after($param_3)

2578

if ( !(TD = trc_read_descriptor(

strlen(&tmp[0]) > 4096

2579

ID, eid, tmp, entry_exit, index )) )

					Enter trc_read_trace_event / trc_read_descriptor

2766

trc_read_descriptor( ID, eid, name, entry_exit, index )

TRC_ID ID;

int eid;

char *name;

int entry_exit;

int index;

{

TRC_DATADESC DD;

TRC_TEVDESC TD;

TRC_TEVDESC tdptr;

...

char last;

char c;

long tmp;

int done;

int i;

/* Find first bracket */

2791

2792

if ( !trc_find_event_str( ID, "{" ) )

2793

return( (TRC_TEVDESC) NULL );

/* matching } */

/* Create Descriptor Structure */

2798

2799

TD = trc_create_tevdesc(); /* Leak (ID: 458.29219) */

TD->refcount = 1;

TD->name = trc_copy_str ( name ); /* Leak (ID: 459.29220) */

TD->eid = eid;

TD->entry_exit = entry_exit;

TD->index = index;

/* Read in Data Descriptor Statements */

done = 0;

{

/* matching { */

while ( (c = getc( ID->trace_in )) != (char) EOF

2820

&& c != '/' && c != '}' );

2821

2822

TRC_CKEOF( c, "EOF Reading Event Descriptor\n",

2823

return( (TRC_TEVDESC) NULL ) );

2824

2825

/* Another Descriptor Statement */

if ( c == '/' )

{

if ( TD->ddesc == NULL )

2830

DD = TD->ddesc = trc_create_datadesc(); /* Leak (ID: 457.29218) */

2831

2832

else

2833

DD = DD->next = trc_create_datadesc();

/* Get Second '/' */

c = getc( ID->trace_in );

...

3008

else

3009

DD->array = TEV_DATA_ARRAY;

}

else

DD->array = TEV_DATA_SCALAR;

3014

}

3015

3016

/* End of Descriptor */

else

{

if ( !trc_find_event_end( ID ) )

3021

return( (TRC_TEVDESC) NULL );

done++;

}

}

while ( !done );

tdptr = (TRC_TEVDESC) trc_lookup_trie ( TRC_EVENT_TRIE, name );

3029

3030

if ( tdptr == NULL )

strlen(name) > bytes_after(name)

3031

trc_add_to_trie( TRC_EVENT_TRIE, name, (void *) TD );

							/kat0/fletcher/SATE/2010/pvm3/tracer/trcutil.c

							Enter trc_read_trace_event / trc_read_descriptor / trc_add_to_trie

521

trc_add_to_trie( T, str, value )

TRC_TRIE T;

char *str;

void *value;

{

TRC_TRIE tptr;

char *bump;

int bumpindex;

int marked;

int index;

int len;

int i;

if ( T == NULL )

{

printf( "\nError in trc_add_to_trie(): Null Trie\n\n" );

return( TRC_FALSE );

}

if ( str == NULL || !strcmp( str, "" ) )

544

{

545

printf( "\nError in trc_add_to_trie(): Empty String\n\n" );

return( TRC_FALSE );

}

strlen(str) > bytes_after(str)

550

len = strlen( str ) - 1;

marked = 0;

for ( i=0 ; i < len && !marked ; i++ )

555

{

556

index = trc_trie_index( str[i] );

tptr = &(T[index]);

if ( tptr->next != NULL )

T = tptr->next;

else

{

if ( !tptr->valid )

{

tptr->valid = TRC_TRUE;

568

569

tptr->str = trc_copy_str ( str );

tptr->value = value;

marked++;

}

else

{

tptr->next = trc_create_triestack();

T = tptr->next;

bump = tptr->str;

if ( strlen( bump ) > i + 1 )

585

{

586

bumpindex = trc_trie_index( bump[ i + 1 ] );

587

588

T[bumpindex].valid = TRC_TRUE;

589

T[bumpindex].str = bump;

590

T[bumpindex].value = tptr->value;

591

592

tptr->valid = TRC_FALSE;

593

tptr->str = (char *) NULL;

594

tptr->value = (void *) NULL;

}

}

}

}

if ( !marked )

{

len > bytes_after(str) - 1

602

index = trc_trie_index( str[len] ); /* Buffer Overrun */ /* Buffer Underrun (ID: 22174.29230) */

							Exit trc_read_trace_event / trc_read_descriptor / trc_add_to_trie

					Exit trc_read_trace_event / trc_read_descriptor

{

return( TRC_FALSE );

}

if ( ID->handle_descriptor )

2585

(ID->handle_descriptor)( ID, TD );

2586

}

2587

2588

/* PVM 3.3 Trace - Ignore Descriptor */

else

{

eid = code;

if ( tmp[ i - 1 ] == '0' ) /* Buffer Underrun (ID: 470.29234) */ /* Buffer Overrun (ID: 469.29233) */

2595

entry_exit = TRC_ENTRY_TEV;

2596

2597

else if ( tmp[ i - 1 ] == '1' ) /* Buffer Overrun (ID: 467.29231) */ /* Buffer Underrun (ID: 468.29232) */

2598

entry_exit = TRC_EXIT_TEV;

2599

2600

else

2601

entry_exit = TRC_IGNORE_TEV;

2602

2603

if ( !(TD = trc_read_descriptor(

2604

ID, eid, tmp, entry_exit, -1 )) )

{

return( TRC_FALSE );

}

if ( ID->handle_old_descriptor )

2610

(ID->handle_old_descriptor)( ID, TD );

}

break;

}

/* Record Data Packet */

case '"':

{

i = 0;

while ( (c = getc( ID->trace_in )) != (char) EOF

2623

&& c != '"' && c != '(' )

...

2695

{

2696

return(

2697

trc_process_old_trace_event( ID, tmp ) );

2698

}

2699

2700

/* break; unreachable */

}

/* Command Packet */

case '%':

{

tmp[0] = '%';

if ( !trc_find_event_end_ret( ID, tmp + 1, 4095 ) )

2710

return( TRC_FALSE );

2711

2712

if ( ID->handle_command )

2713

(ID->handle_command)( ID, tmp );

break;

}

/* Stream Attribute Packet */

case '/':

{

c = getc( ID->trace_in );

2723

2724

TRC_CKEOF( c, "EOF Reading Trace Comment\n",

2725

return( TRC_FALSE ) );

if ( c != '*' )

{

printf( "\nError Reading Trace File\n" );

2730

printf( "\t- '*' expected (/* */)\n\n" );

}

strcpy( tmp, "/*" );

if ( !trc_find_event_end_ret( ID, tmp + 2, 4094 ) )

2736

return( TRC_FALSE );

2737

2738

if ( ID->handle_comment )

2739

(ID->handle_comment)( ID, tmp );

break;

}

/* White Space */

case ' ':

case '\t':

case '\n':

{

break;

Preconditions

TRC_EVENT_TRIE != 0
((char*)&$unknown_12090437)[12] != 0
$input_12 = 1
$input_630780 >= 3
$input_646204 = 35
$input_646220 = 1
$input_646228 = 40
$input_646244 = 46
$input_646260 = 1
$input_646268 = 125

Postconditions

ID' = ID
T' = ((char*)&$unknown_12090437)[12]
TD' = &$heap_435934
$unknown_12090426' is allocated by fopen
bytes_before(&$unknown_12090426)' = 0
c' = $input_646268
c' = $input_646244
code' = $input_646212
done' = 1
dummy' = $input_646252
ee' != 1
eid' = eid'
entry_exit' = 1
entry_exit' = 1
flag' = $input_646260
$heap_435934' = &$heap_435935
bytes_after(&$heap_435934)' = 36
$heap_435934' is allocated by malloc
$heap_435934' is allocated
bytes_before(&$heap_435934)' = 0
((char*)&$heap_435934)[16]' = -1
((char*)&$heap_435934)[20]' = -1
((char*)&$heap_435934)[24]' = 0
((char*)&$heap_435934)[28]' = 1
((char*)&$heap_435934)[32]' = 0
((char*)&$heap_435934)[8]' = 1
((char*)&$heap_435934)[12]' = $input_646252
bytes_after(&$heap_435935)' = $input_630780 + 1
$heap_435935' is allocated by malloc
$heap_435935' is allocated
bytes_before(&$heap_435935)' = 0
strlen(&$heap_435935)' = $input_630780
i' = $input_630780
i' = $input_630780 - 1
index' = $input_646252
index' = $input_646252
len' = $input_630780 - 1
marked' = 0
name' = &tmp[0]
str' = &tmp[0]
tdptr' = 0
tmp[0]' = $heap_435935'
strlen(&tmp[0])' = $input_630780
tptr' = &$unknown_12090437
value' = &$heap_435934

Change Warning 466.29229 : Buffer Overrun

Priority:
State:
Finding:
Owner:
Note: