pvm3.4.6 : pvm3.4.6 analysis 2 : Use After Free at cmds.c:499

Categories: ALLOC.UAF CWE:416
Warning ID: 508.29299
Procedure: newalias
Modified: Thu Nov 26 11:36:51 2009   show details
 
Priority: None
State: None
Finding: None
Owner: None

   /kat0/fletcher/SATE/2010/pvm3/console/cmds.c
   Enter alias_cmd
 1385 alias_cmd(ac, av) 
 1386         int ac;
 1387         char **av;
 1388 {
 1389         struct alias *ap;
 1390         char *p;
 1391         int i;
 1392  
 1393         if (ac < 3) {
 1394                 for (ap = aliases->a_link; ap != aliases; ap = ap->a_link) {
 1395                         fputs(ap->a_name, stdout);
 1396                         p = "\t";
 1397                         for (i = 0; i < ap->a_num; i++) {
 1398                                 printf("%s%s", p, ap->a_args[i]);
 1399                                 p = " ";
 1400                         }
 1401                         fputs("\n", stdout);
 1402                 }
 1403  
 1404         } else {
true1405                 if (ap = findalias(av[1]))
 1406                         freealias(ap);
*aliases->a_link is freed1407                 newalias(av[1], ac - 2, av + 2);
     Enter alias_cmd / newalias
 484   struct alias * 
 485   newalias(name, num, args) 
 486           char *name;
 487           int num;
 488           char **args;
 489   {
 490           struct alias *ap, *ap2;
 491    
 492           ap = TALLOC(1, struct alias, "alias");
 493           ap->a_name = STRALLOC(name);   /* Null Pointer Dereference (ID: 500.29282) */
 494           ap->a_args = TALLOC(num + 1, char *, "aargs");   /* Integer Overflow of Allocation Size (ID: 499.29281) */
 495           ap->a_num = num;
 496           while (num-- > 0)
 497                   ap->a_args[num] = STRALLOC(args[num]);   /* Null Pointer Dereference (ID: 498.29279) */
*aliases->a_link is freed498           for (ap2 = aliases->a_link; ap2 != aliases; ap2 = ap2->a_link)
*ap2 is freed499                   if (strcmp(ap2->a_name, name) > 0)     /* Use After Free */
     Exit alias_cmd / newalias
Preconditions
name >= 3
aliases->a_link->a_num >= 1
*aliases->a_link->a_name = ((char*)*num)[4]
strlen(aliases->a_link->a_name) = strlen(((char*)num)[4])
aliases->a_link != aliases
Postconditions
aliases->a_link->a_link->a_rlink' = aliases->a_link->a_rlink
aliases->a_link->a_rlink' = 0
aliases->a_link->a_num' = -1
*aliases->a_link->a_args' is freed
aliases->a_link->a_rlink->a_link' = aliases->a_link->a_link
*aliases->a_link->a_name' is freed
aliases->a_link->a_link' = 0
*aliases->a_link' is freed
ap' = aliases->a_link
ap' = &$heap_444339
ap2' = aliases->a_link
args' = av + 8
bytes_after(&$heap_444339)' = 24
$heap_444339' is allocated by malloc
$heap_444339' is allocated
bytes_before(&$heap_444339)' = 0
((char*)&$heap_444339)[16]' = &$heap_444341
((char*)&$heap_444339)[8]' = &$heap_444340
((char*)&$heap_444339)[12]' = ac - 2
$heap_444340' = *av[1]
bytes_after(&$heap_444340)' = strlen(av[1]) + 1
$heap_444340' is allocated by malloc
$heap_444340' is allocated
bytes_before(&$heap_444340)' = 0
strlen(&$heap_444340)' = strlen(av[1])
tocttou($heap_444340)' = tocttou(*av[1])
bytes_after(&$heap_444341)' = 4 * ac - 4
$heap_444341' is allocated by malloc
$heap_444341' is allocated
bytes_before(&$heap_444341)' = 0
name' = av[1]
num' = -1



