Bug Summary

File:got/../lib/buf.c
Warning:line 113, column 12
Access to field 'cb_buf' results in a dereference of a null pointer

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd6.9 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name buf.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -fno-split-dwarf-inlining -debugger-tuning=gdb -resource-dir /usr/local/lib/clang/11.1.0 -I /home/ben/Projects/got/got/../include -I /home/ben/Projects/got/got/../lib -D GOT_LIBEXECDIR=/home/ben/bin -D GOT_VERSION=0.53-current -internal-isystem /usr/local/lib/clang/11.1.0/include -internal-externc-isystem /usr/include -O0 -fdebug-compilation-dir /home/ben/Projects/got/got/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -o /home/ben/Projects/got/scan/2021-05-28-230913-68537-1 -x c /home/ben/Projects/got/got/../lib/buf.c
1/* $OpenBSD: buf.c,v 1.27 2016/10/16 13:35:51 okan Exp $ */
2/*
3 * Copyright (c) 2003 Jean-Francois Brousseau <jfb@openbsd.org>
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. The name of the author may not be used to endorse or promote products
13 * derived from this software without specific prior written permission.
14 *
15 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
16 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
17 * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
18 * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
19 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
20 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
21 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
22 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
23 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
24 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include <sys/queue.h>
28#include <sys/stat.h>
29
30#include <errno(*__errno()).h>
31#include <fcntl.h>
32#include <stdint.h>
33#include <stdio.h>
34#include <stdlib.h>
35#include <string.h>
36#include <unistd.h>
37
38#include "buf.h"
39
40#include "got_error.h"
41
42#define BUF_INCR128 128
43
44#define SIZE_LEFT(b)((b)->cb_size - (b)->cb_len) ((b)->cb_size - (b)->cb_len)
45
46static const struct got_error *buf_grow(BUF *, size_t);
47
48/*
49 * Create a new buffer structure and return a pointer to it. This structure
50 * uses dynamically-allocated memory and must be freed with buf_free(), once
51 * the buffer is no longer needed.
52 */
53const struct got_error *
54buf_alloc(BUF **b, size_t len)
55{
56 const struct got_error *err = NULL((void *)0);
57
58 *b = malloc(sizeof(**b));
7
Assigning value
59 if (*b == NULL((void *)0))
8
Assuming the condition is true
9
Taking true branch
60 return NULL((void *)0);
10
Returning null pointer, which participates in a condition later
61 /* Postpone creation of zero-sized buffers */
62 if (len > 0) {
63 (*b)->cb_buf = calloc(1, len);
64 if ((*b)->cb_buf == NULL((void *)0)) {
65 err = got_error_from_errno("calloc");
66 free(*b);
67 *b = NULL((void *)0);
68 return err;
69 }
70 } else
71 (*b)->cb_buf = NULL((void *)0);
72
73 (*b)->cb_size = len;
74 (*b)->cb_len = 0;
75
76 return NULL((void *)0);
77}
78
79/*
80 * Open the file specified by <path> and load all of its contents into a
81 * buffer.
82 * Returns the loaded buffer on success or NULL on failure.
83 * Sets errno on error.
84 */
85const struct got_error *
86buf_load(BUF **buf, const char *path)
87{
88 const struct got_error *err = NULL((void *)0);
89 int fd;
90 ssize_t ret;
91 size_t len;
92 u_char *bp;
93 struct stat st;
94
95 *buf = NULL((void *)0);
96
97 fd = open(path, O_RDONLY0x0000, 0600);
98 if (fd == -1)
1
Assuming the condition is false
2
Taking false branch
99 return got_error_from_errno2("open", path);
100
101 if (fstat(fd, &st) == -1) {
3
Assuming the condition is false
4
Taking false branch
102 err = got_error_from_errno2("fstat", path);
103 goto out;
104 }
105
106 if ((uintmax_t)st.st_size
4.1
Field 'st_size' is <= SIZE_MAX
> SIZE_MAX0xffffffffffffffffUL) {
5
Taking false branch
107 err = got_error_set_errno(EFBIG27, path);
108 goto out;
109 }
110 err = buf_alloc(buf, st.st_size);
6
Calling 'buf_alloc'
11
Returning from 'buf_alloc'
111 if (err
11.1
'err' is null
)
12
Taking false branch
112 goto out;
113 for (bp = (*buf)->cb_buf; ; bp += (size_t)ret) {
13
Access to field 'cb_buf' results in a dereference of a null pointer
114 len = SIZE_LEFT(*buf)((*buf)->cb_size - (*buf)->cb_len);
115 ret = read(fd, bp, len);
116 if (ret == -1) {
117 err = got_error_from_errno2("read", path);
118 goto out;
119 } else if (ret == 0)
120 break;
121
122 (*buf)->cb_len += (size_t)ret;
123 }
124
125out:
126 if (close(fd) == -1 && err == NULL((void *)0))
127 err = got_error_from_errno2("close", path);
128 if (err) {
129 buf_free(*buf);
130 *buf = NULL((void *)0);
131 }
132 return err;
133}
134
135void
136buf_free(BUF *b)
137{
138 if (b == NULL((void *)0))
139 return;
140 free(b->cb_buf);
141 free(b);
142}
143
144/*
145 * Free the buffer <b>'s structural information but do not free the contents
146 * of the buffer. Instead, they are returned and should be freed later using
147 * free().
148 */
149void *
150buf_release(BUF *b)
151{
152 void *tmp;
153
154 tmp = b->cb_buf;
155 free(b);
156 return (tmp);
157}
158
159u_char *
160buf_get(BUF *b)
161{
162 return (b->cb_buf);
163}
164
165/*
166 * Empty the contents of the buffer <b> and reset pointers.
167 */
168void
169buf_empty(BUF *b)
170{
171 memset(b->cb_buf, 0, b->cb_size);
172 b->cb_len = 0;
173}
174
175/*
176 * Append a single character <c> to the end of the buffer <b>.
177 */
178const struct got_error *
179buf_putc(BUF *b, int c)
180{
181 const struct got_error *err = NULL((void *)0);
182 u_char *bp;
183
184 if (SIZE_LEFT(b)((b)->cb_size - (b)->cb_len) == 0) {
185 err = buf_grow(b, BUF_INCR128);
186 if (err)
187 return err;
188 }
189 bp = b->cb_buf + b->cb_len;
190 *bp = (u_char)c;
191 b->cb_len++;
192 return NULL((void *)0);
193}
194
195/*
196 * Append a string <s> to the end of buffer <b>.
197 */
198const struct got_error *
199buf_puts(size_t *newlen, BUF *b, const char *str)
200{
201 return buf_append(newlen, b, str, strlen(str));
202}
203
204/*
205 * Return u_char at buffer position <pos>.
206 */
207u_char
208buf_getc(BUF *b, size_t pos)
209{
210 return (b->cb_buf[pos]);
211}
212
213/*
214 * Append <len> bytes of data pointed to by <data> to the buffer <b>. If the
215 * buffer is too small to accept all data, it will get resized to an
216 * appropriate size to accept all data.
217 * Returns the number of bytes successfully appended to the buffer.
218 */
219const struct got_error *
220buf_append(size_t *newlen, BUF *b, const void *data, size_t len)
221{
222 const struct got_error *err = NULL((void *)0);
223 size_t left, rlen;
224 u_char *bp;
225
226 left = SIZE_LEFT(b)((b)->cb_size - (b)->cb_len);
227 rlen = len;
228
229 if (left < len) {
230 err = buf_grow(b, len - left);
231 if (err)
232 return err;
233 }
234 bp = b->cb_buf + b->cb_len;
235 memcpy(bp, data, rlen);
236 b->cb_len += rlen;
237
238 *newlen = rlen;
239 return NULL((void *)0);
240}
241
242/*
243 * Returns the size of the buffer that is being used.
244 */
245size_t
246buf_len(BUF *b)
247{
248 return (b->cb_len);
249}
250
251/*
252 * Write the contents of the buffer <b> to the specified <fd>
253 */
254int
255buf_write_fd(BUF *b, int fd)
256{
257 u_char *bp;
258 size_t len;
259 ssize_t ret;
260
261 len = b->cb_len;
262 bp = b->cb_buf;
263
264 do {
265 ret = write(fd, bp, len);
266 if (ret == -1) {
267 if (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)
268 continue;
269 return (-1);
270 }
271
272 len -= (size_t)ret;
273 bp += (size_t)ret;
274 } while (len > 0);
275
276 return (0);
277}
278
279/*
280 * Write the contents of the buffer <b> to the file whose path is given in
281 * <path>. If the file does not exist, it is created with mode <mode>.
282 */
283const struct got_error *
284buf_write(BUF *b, const char *path, mode_t mode)
285{
286 const struct got_error *err = NULL((void *)0);
287 int fd;
288 open:
289 if ((fd = open(path, O_WRONLY0x0001|O_CREAT0x0200|O_TRUNC0x0400, mode)) == -1) {
290 err = got_error_from_errno2("open", path);
291 if (errno(*__errno()) == EACCES13 && unlink(path) != -1)
292 goto open;
293 else
294 return err;
295 }
296
297 if (buf_write_fd(b, fd) == -1) {
298 err = got_error_from_errno("buf_write_fd");
299 (void)unlink(path);
300 return err;
301 }
302
303 if (fchmod(fd, mode) < 0)
304 err = got_error_from_errno2("fchmod", path);
305
306 if (close(fd) == -1 && err == NULL((void *)0))
307 err = got_error_from_errno2("close", path);
308
309 return err;
310}
311
312/*
313 * Write the contents of the buffer <b> to a temporary file whose path is
314 * specified using <template> (see mkstemp.3).
315 * NB. This function will modify <template>, as per mkstemp
316 */
317const struct got_error *
318buf_write_stmp(BUF *b, char *template)
319{
320 const struct got_error *err = NULL((void *)0);
321 int fd;
322
323 if ((fd = mkstemp(template)) == -1)
324 return got_error_from_errno("mkstemp");
325
326 if (buf_write_fd(b, fd) == -1) {
327 err = got_error_from_errno("buf_write_fd");
328 (void)unlink(template);
329 }
330
331 if (close(fd) == -1 && err == NULL((void *)0))
332 err = got_error_from_errno("close");
333
334 return err;
335}
336
337/*
338 * Grow the buffer <b> by <len> bytes. The contents are unchanged by this
339 * operation regardless of the result.
340 */
341static const struct got_error *
342buf_grow(BUF *b, size_t len)
343{
344 u_char *buf;
345 buf = reallocarray(b->cb_buf, 1, b->cb_size + len);
346 if (buf == NULL((void *)0))
347 return got_error_from_errno("reallocarray");
348 b->cb_buf = buf;
349 b->cb_size += len;
350 return NULL((void *)0);
351}