CodeSonar : pvm3.4.6 : Buffer Overrun

pvm3.4.6 : pvm3.4.6 analysis 2 : Buffer Overrun at cmds.c:1189

Categories:	LANG.MEM.BO CWE:120 CWE:121 CWE:122 CWE:126
Warning ID:	502.29294
Procedure:	do_rsh_cmd
Trace:	view
Modified:	Thu Nov 26 11:36:50 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/pvm3/console/cmds.c

			Enter diagnose_cant_start_pvm

678

diagnose_cant_start_pvm( hostline )

char *hostline;

{

FILE *fp;

#ifndef WIN32

struct passwd *pw;

#endif

struct hostd hp;

...

char lhost[1024];

char pvmarch[1024];

char pvmroot[1024];

char pvmtmp[1024];

char result[1024];

char result2[1024];

char tcmd[1024];

char tmp[255];

char user[1024];

int remote_os = -1;

int len;

int i;

/* Extract Raw Host Name from Add Command */

706

707

if ( parsehost(hostline, &hp ) < 0 ) {

708

printf( "Error Parsing Host String!\n" );

709

printf( "Cannot Auto-Diagnose!\n" );

return( 0 );

}

/* Get Local Hostname */

714

715

gethostname( lhost, 1024 );

/* Get Local User */

#ifndef WIN32

if ( (pw = getpwuid( getuid() )) != NULL )

721

strcpy( user, pw->pw_name );

722

else

723

strcpy( user, "<your_user_name>" );

724

#else

725

strcpy( user, MyGetUserName() );

726

#endif

727

728

/* Ping / Timeout Test */

729

730

731

* Maybe later - for now rsh returns "Connection timed out"

732

733

printf( "Pinging Host \"%s\"...\n", hp.hd_name );

...

fclose( fp );

}

else

printf( "Ping Command Failed - Test Skipped...\n" );

unlink( tfile );

/* Verify Rsh Path */

754

755

printf( "Verifying Local Path to \"rsh\"...\n" );

756

757

strcpy( tcmd, pvmgetrsh () ); /* Buffer Overrun (ID: 503.29295) */

758

759

if ( stat( tcmd, &statck ) < 0 ) {

760

printf( "\nError - File %s Not Found!\n", tcmd );

761

#ifndef WIN32

762

printf( "Use \"whereis rsh\" or \"which rsh\" to determine\n" );

763

printf( "where \"rsh\" is on your system and modify the\n" );

764

printf( "$PVM_ROOT/conf/$PVM_ARCH.def configuration file\n" );

765

#else

766

printf( "Determine the path to the \"rsh\" command on your\n" );

767

printf( "system, and edit %PVM_ROOT%\\conf\\WIN32.def\n" );

768

#endif

769

printf( "to adjust the path for the -DRSHCOMMAND=\\\"\\\"\n" );

770

printf( "flag. Then recompile PVM and your applications.\n" );

return( 0 );

}

else

printf( "Rsh found in %s - O.K.\n", tcmd );

/* Rsh Test */

if ( do_rsh_cmd( &hp, "Testing Rsh/Rhosts Access to",

780

"echo YES", result, 1024 ) ) {

781

782

/* check result */

783

if ( !strncmp( result, "YES", 3 ) )

784

printf( "Rsh/Rhosts Access is O.K.\n" );

785

else {

786

printf( "\nRsh/Rhosts Access FAILED - \"%s\"\n", result );

787

printf( "Make sure host %s is up and connected to\n",

788

hp.hd_name );

789

printf( "a network and check its DNS / IP address.\n" );

790

printf( "Also verify that %s is allowed\n", lhost );

791

printf( "rsh access on %s\n", hp.hd_name );

792

printf( "Add this line to the $HOME/.rhosts on %s:\n",

793

hp.hd_name );

794

printf( "%s %s\n", lhost, user );

return( 0 );

}

}

else

return( 0 );

/* Is Remote Host O.S. Windows or Unix? */

803

804

if ( do_rsh_cmd( &hp, "Checking O.S. Type (Unix test) on",

805

"pwd", result, 1024 ) ) {

/* Unix-land */

if ( result[0] == '/' ) {

809

printf( "Host %s is Unix-based.\n", hp.hd_name );

810

remote_os = 0;

811

}

812

else if ( do_rsh_cmd( &hp, "Checking O.S. Type (Win test) on",

	813		"chdir", result2, 1024 ) ) {

					Enter diagnose_cant_start_pvm / do_rsh_cmd

1168

do_rsh_cmd( hp, label, cmd, result, rsize )

struct hostd *hp;

char *label;

char *cmd;

char *result;

int rsize;

{

FILE *fp;

char tcmd[1024];

char tmp[255];

int ret = 1;

int len;

/* Dump Test Label */

1184

$input_12 > 1022

1185

printf( "%s Host \"%s\"...\n", label, hp->hd_name );

1186

1187

/* Construct Rsh Command */

1188

	1189				sprintf( tcmd, "%s ", pvmgetrsh () ); /* Buffer Overrun / / Buffer Overrun (ID: 501.29293) */

1190

1191

if ( hp->hd_login != NULL ) {

1192

sprintf( tmp, "-l %s ", hp->hd_login );

strcat( tcmd, tmp );

}

sprintf( tmp, "%s '%s' ", hp->hd_name, cmd );

strcat( tcmd, tmp );

#ifndef WIN32

sprintf( tmp, "2>&1" );

strcat( tcmd, tmp );

#endif

/* Collect Rsh Command Results */

1205

1206

fp = popen( tcmd, "r" );

1207

1208

if ( fp != NULL ) {

1209

if ( fgets( result, rsize, fp ) != NULL ) {

1210

/* strip off '\n' */

1211

len = strlen( result );

1212

if ( len > 0 && result[ len - 1 ] == '\n' )

1213

result[ len - 1 ] = '\0';

1214

/* strip off any '\r' */

1215

len = strlen( result );

1216

if ( len > 0 && result[ len - 1 ] == '\r' )

1217

result[ len - 1 ] = '\0';

1218

}

1219

else {

1220

printf( "Error Parsing Output - Can't Auto-Diagnose.\n" );

ret = 0;

}

pclose( fp );

}

else {

printf( "Rsh Command Failed - Check Your Execution Path!\n" );

ret = 0;

}

return( ret );

}

					Exit diagnose_cant_start_pvm / do_rsh_cmd

	814
	815		/* Windows-land */
	816		len = strlen( result2 );
	817		if ( len >= 3 && result2[0] >= 'A' && result2[0] <= 'Z'
	818		&& result2[1] == ':' && result2[2] == '\\' ) {
	819		printf( "Host %s is Windows-based.\n", hp.hd_name );
	820		remote_os = 1;
	821		}
	822		/* Hmmm... Go Figure. */
	823		else {
			...
	866		return( 0 );
	867		}
	868		}
	869		}
	870		}
	871		else
	872		return( 0 );
	873
	874		/* PVM_ROOT Test */
	875
	876		if ( do_rsh_cmd( &hp,
	877		( remote_os == 0 ) ?
	878		"Checking $PVM_ROOT on" : "Checking %PVM_ROOT% on",
	879		( remote_os == 0 ) ?
	880		"echo $PVM_ROOT" : "echo %PVM_ROOT%",

strlen(rd) > 1022

881

result, 1024 ) ) {

					Enter diagnose_cant_start_pvm / do_rsh_cmd

	1168				do_rsh_cmd( hp, label, cmd, result, rsize )
	1169				struct hostd *hp;
	1170				char *label;
	1171				char *cmd;
	1172				char *result;
	1173				int rsize;
	1174				{
	1175				FILE *fp;
	1176
	1177				char tcmd[1024];
	1178				char tmp[255];
	1179
	1180				int ret = 1;
	1181				int len;
	1182
	1183				/* Dump Test Label */
	1184
	1185				printf( "%s Host \"%s\"...\n", label, hp->hd_name );
	1186
	1187				/* Construct Rsh Command */
	1188

strlen(rd) > 1022

1189

sprintf( tcmd, "%s ", pvmgetrsh () ); /* Buffer Overrun */ /* Buffer Overrun (ID: 501.29293) */

					Exit diagnose_cant_start_pvm / do_rsh_cmd

Preconditions

hp->hd_ref != 0
strlen(hp) != 0
$input_12 >= 0
$input_702324 != 47

Postconditions

cmd' = &#string67[0]
codesonar_distance_tweak' = 3
$heap_443918' = $input_444
bytes_after(&$heap_443918)' = $input_12 + 1
$heap_443918' is allocated by malloc
$heap_443918' is a non-heap object
bytes_before(&$heap_443918)' = 0
strlen(&$heap_443918)' = $input_12
hp' = &hp.hd_ref
hp.hd_login' = 0
hp.hd_arch' = 0
label' = &#string69[0]
pw' = 0
rd' = &$heap_443918
remote_os' = -1
result' = &result[0]
result[0]' = $input_702324
strlen(&result[0])' = 0
ret' = 1
rsize' = 1024
statck.st_dev' = $input_40964
tcmd[0]' = *rd
strlen(&tcmd[0])' = strlen(rd)
tcmd[0]' is accessed by path name
user[0]' = 60
strlen(&user[0])' = 16
tocttou(user)' = tocttou(#string15)

Change Warning 502.29294 : Buffer Overrun

Priority:
State:
Finding:
Owner:
Note: