Bug Summary

File:src/usr.sbin/authpf/authpf.c
Warning:line 822, column 3
Potential memory leak

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name authpf.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.sbin/authpf/obj -resource-dir /usr/local/lib/clang/13.0.0 -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.sbin/authpf/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.sbin/authpf/authpf.c
1/* $OpenBSD: authpf.c,v 1.128 2019/06/28 13:32:47 deraadt Exp $ */
2
3/*
4 * Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org).
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#include <sys/types.h>
20#include <sys/ioctl.h>
21#include <sys/socket.h>
22#include <sys/stat.h>
23#include <sys/wait.h>
24
25#include <netinet/in.h>
26#include <arpa/inet.h>
27#include <net/if.h>
28#include <net/pfvar.h>
29
30#include <err.h>
31#include <errno(*__errno()).h>
32#include <fcntl.h>
33#include <login_cap.h>
34#include <pwd.h>
35#include <grp.h>
36#include <signal.h>
37#include <stdio.h>
38#include <stdlib.h>
39#include <string.h>
40#include <syslog.h>
41#include <time.h>
42#include <unistd.h>
43
44#include "pathnames.h"
45
46static int read_config(FILE *);
47static void print_message(char *);
48static int allowed_luser(struct passwd *);
49static int check_luser(char *, char *);
50static int remove_stale_rulesets(void);
51static int recursive_ruleset_purge(char *, char *);
52static int change_filter(int, const char *, const char *);
53static int change_table(int, const char *);
54static void authpf_kill_states(void);
55
56int dev; /* pf device */
57char anchorname[PF_ANCHOR_NAME_SIZE64] = "authpf";
58char rulesetname[PATH_MAX1024 - PF_ANCHOR_NAME_SIZE64 - 2];
59char tablename[PF_TABLE_NAME_SIZE32] = "authpf_users";
60int user_ip = 1; /* controls whether $user_ip is set */
61
62FILE *pidfp;
63int pidfd = -1;
64char luser[LOGIN_NAME_MAX32]; /* username */
65char ipsrc[256]; /* ip as a string */
66char pidfile[PATH_MAX1024]; /* we save pid in this file. */
67
68struct timespec Tstart, Tend; /* start and end times of session */
69
70volatile sig_atomic_t want_death;
71static void need_death(int signo);
72static __dead__attribute__((__noreturn__)) void do_death(int);
73extern char *__progname; /* program name */
74
75/*
76 * User shell for authenticating gateways. Sole purpose is to allow
77 * a user to ssh to a gateway, and have the gateway modify packet
78 * filters to allow access, then remove access when the user finishes
79 * up. Meant to be used only from ssh(1) connections.
80 */
81int
82main(int argc, char *argv[])
83{
84 int lockcnt = 0, n;
85 FILE *config;
86 struct in6_addr ina;
87 struct passwd *pw;
88 char *cp;
89 gid_t gid;
90 uid_t uid;
91 char *shell;
92 login_cap_t *lc;
93
94 if (strcmp(__progname, "-authpf-noip") == 0)
1
Assuming the condition is false
2
Taking false branch
95 user_ip = 0;
96
97 config = fopen(PATH_CONFFILE"/etc/authpf/authpf.conf", "r");
98 if (config == NULL((void *)0)) {
3
Assuming 'config' is not equal to NULL
4
Taking false branch
99 syslog(LOG_ERR3, "cannot open %s (%m)", PATH_CONFFILE"/etc/authpf/authpf.conf");
100 exit(1);
101 }
102
103 if ((cp = getenv("SSH_TTY")) == NULL((void *)0)) {
5
Assuming the condition is false
6
Taking false branch
104 syslog(LOG_ERR3, "non-interactive session connection for authpf");
105 exit(1);
106 }
107
108 if ((cp = getenv("SSH_CLIENT")) == NULL((void *)0)) {
7
Assuming the condition is false
8
Taking false branch
109 syslog(LOG_ERR3, "cannot determine connection source");
110 exit(1);
111 }
112
113 if (strlcpy(ipsrc, cp, sizeof(ipsrc)) >= sizeof(ipsrc)) {
9
Assuming the condition is false
10
Taking false branch
114 syslog(LOG_ERR3, "SSH_CLIENT variable too long");
115 exit(1);
116 }
117 cp = strchr(ipsrc, ' ');
118 if (!cp) {
11
Assuming 'cp' is non-null
12
Taking false branch
119 syslog(LOG_ERR3, "corrupt SSH_CLIENT variable %s", ipsrc);
120 exit(1);
121 }
122 *cp = '\0';
123 if (inet_pton(AF_INET2, ipsrc, &ina) != 1 &&
13
Assuming the condition is false
124 inet_pton(AF_INET624, ipsrc, &ina) != 1) {
125 syslog(LOG_ERR3,
126 "cannot determine IP from SSH_CLIENT %s", ipsrc);
127 exit(1);
128 }
129 /* open the pf device */
130 dev = open(PATH_DEVFILE"/dev/pf", O_RDWR0x0002);
131 if (dev == -1) {
14
Assuming the condition is false
15
Taking false branch
132 syslog(LOG_ERR3, "cannot open packet filter device (%m)");
133 goto die;
134 }
135
136 uid = getuid();
137 pw = getpwuid(uid);
138 if (pw == NULL((void *)0)) {
16
Assuming 'pw' is not equal to NULL
17
Taking false branch
139 syslog(LOG_ERR3, "cannot find user for uid %u", uid);
140 goto die;
141 }
142
143 if ((lc = login_getclass(pw->pw_class)) != NULL((void *)0))
18
Assuming the condition is false
19
Taking false branch
144 shell = login_getcapstr(lc, "shell", pw->pw_shell,
145 pw->pw_shell);
146 else
147 shell = pw->pw_shell;
148
149 login_close(lc);
150
151 if (strcmp(shell, PATH_AUTHPF_SHELL"/usr/sbin/authpf") &&
20
Assuming the condition is false
152 strcmp(shell, PATH_AUTHPF_SHELL_NOIP"/usr/sbin/authpf-noip")) {
153 syslog(LOG_ERR3, "wrong shell for user %s, uid %u",
154 pw->pw_name, pw->pw_uid);
155 if (shell != pw->pw_shell)
156 free(shell);
157 goto die;
158 }
159
160 if (shell
20.1
'shell' is equal to field 'pw_shell'
 != pw->pw_shell)
21
Taking false branch
161 free(shell);
162
163 /*
164 * Paranoia, but this data _does_ come from outside authpf, and
165 * truncation would be bad.
166 */
167 if (strlcpy(luser, pw->pw_name, sizeof(luser)) >= sizeof(luser)) {
22
Assuming the condition is false
23
Taking false branch
168 syslog(LOG_ERR3, "username too long: %s", pw->pw_name);
169 goto die;
170 }
171
172 if ((n = snprintf(rulesetname, sizeof(rulesetname), "%s(%ld)",
24
Assuming the condition is false
26
Taking false branch
173 luser, (long)getpid())) < 0 || (u_int)n >= sizeof(rulesetname)) {
25
Assuming the condition is false
174 syslog(LOG_INFO6, "%s(%ld) too large, ruleset name will be %ld",
175 luser, (long)getpid(), (long)getpid());
176 if ((n = snprintf(rulesetname, sizeof(rulesetname), "%ld",
177 (long)getpid())) < 0 || (u_int)n >= sizeof(rulesetname)) {
178 syslog(LOG_ERR3, "pid too large for ruleset name");
179 goto die;
180 }
181 }
182
183
184 /* Make our entry in /var/authpf as ipaddr or username */
185 n = snprintf(pidfile, sizeof(pidfile), "%s/%s",
186 PATH_PIDFILE"/var/authpf", user_ip
26.1
'user_ip' is 1
 ? ipsrc : luser);
27
'?' condition is true
187 if (n < 0 || (u_int)n >= sizeof(pidfile)) {
28
Assuming 'n' is >= 0
29
Assuming the condition is false
30
Taking false branch
188 syslog(LOG_ERR3, "path to pidfile too long");
189 goto die;
190 }
191
192 signal(SIGTERM15, need_death);
193 signal(SIGINT2, need_death);
194 signal(SIGALRM14, need_death);
195 signal(SIGPIPE13, need_death);
196 signal(SIGHUP1, need_death);
197 signal(SIGQUIT3, need_death);
198 signal(SIGTSTP18, need_death);
199
200 /*
201 * If someone else is already using this ip, then this person
202 * wants to switch users - so kill the old process and exit
203 * as well.
204 *
205 * Note, we could print a message and tell them to log out, but the
206 * usual case of this is that someone has left themselves logged in,
207 * with the authenticated connection iconized and someone else walks
208 * up to use and automatically logs in before using. If this just
209 * gets rid of the old one silently, the new user never knows they
210 * could have used someone else's old authentication. If we
211 * tell them to log out before switching users it is an invitation
212 * for abuse.
213 */
214
215 do {
216 int save_errno, otherpid = -1;
217 char otherluser[LOGIN_NAME_MAX32];
218
219 if ((pidfd = open(pidfile, O_RDWR0x0002|O_CREAT0x0200, 0644)) == -1 ||
31
Assuming the condition is false
33
Taking false branch
220 (pidfp = fdopen(pidfd, "r+")) == NULL((void *)0)) {
32
Assuming the condition is false
221 if (pidfd != -1)
222 close(pidfd);
223 syslog(LOG_ERR3, "cannot open or create %s: %s", pidfile,
224 strerror(errno(*__errno())));
225 goto die;
226 }
227
228 if (flock(fileno(pidfp)(!__isthreaded ? ((pidfp)->_file) : (fileno)(pidfp)), LOCK_EX0x02|LOCK_NB0x04) == 0)
34
Assuming '__isthreaded' is 0
35
'?' condition is true
36
Assuming the condition is true
37
Taking true branch
229 break;
38
 Execution continues on line 278
230 save_errno = errno(*__errno());
231
232 /* Mark our pid, and username to our file. */
233
234 rewind(pidfp);
235 /* 31 == MAXLOGNAME - 1 */
236 if (fscanf(pidfp, "%d\n%31s\n", &otherpid, otherluser) != 2)
237 otherpid = -1;
238 syslog(LOG_DEBUG7, "tried to lock %s, in use by pid %d: %s",
239 pidfile, otherpid, strerror(save_errno));
240
241 if (otherpid > 0) {
242 syslog(LOG_INFO6,
243 "killing prior auth (pid %d) of %s by user %s",
244 otherpid, ipsrc, otherluser);
245 if (kill((pid_t) otherpid, SIGTERM15) == -1) {
246 syslog(LOG_INFO6,
247 "could not kill process %d: (%m)",
248 otherpid);
249 }
250 }
251
252 /*
253 * We try to kill the previous process and acquire the lock
254 * for 10 seconds, trying once a second. if we can't after
255 * 10 attempts we log an error and give up.
256 */
257 if (want_death || ++lockcnt > 10) {
258 if (!want_death)
259 syslog(LOG_ERR3, "cannot kill previous authpf (pid %d)",
260 otherpid);
261 fclose(pidfp);
262 pidfp = NULL((void *)0);
263 pidfd = -1;
264 goto dogdeath;
265 }
266 sleep(1);
267
268 /* re-open, and try again. The previous authpf process
269 * we killed above should unlink the file and release
270 * it's lock, giving us a chance to get it now
271 */
272 fclose(pidfp);
273 pidfp = NULL((void *)0);
274 pidfd = -1;
275 } while (1);
276
277 /* whack the group list */
278 gid = getegid();
279 if (setgroups(1, &gid) == -1) {
39
Assuming the condition is false
40
Taking false branch
280 syslog(LOG_INFO6, "setgroups: %s", strerror(errno(*__errno())));
281 do_death(0);
282 }
283
284 /* revoke privs */
285 uid = getuid();
286 if (setresuid(uid, uid, uid) == -1) {
41
Assuming the condition is false
42
Taking false branch
287 syslog(LOG_INFO6, "setresuid: %s", strerror(errno(*__errno())));
288 do_death(0);
289 }
290 openlog("authpf", LOG_PID0x01 | LOG_NDELAY0x08, LOG_DAEMON(3<<3));
291
292 if (!check_luser(PATH_BAN_DIR"/etc/authpf/banned", luser) || !allowed_luser(pw)) {
43
Taking false branch
293 syslog(LOG_INFO6, "user %s prohibited", luser);
294 do_death(0);
295 }
296
297 if (read_config(config)) {
44
Taking false branch
298 syslog(LOG_ERR3, "invalid config file %s", PATH_CONFFILE"/etc/authpf/authpf.conf");
299 do_death(0);
300 }
301
302 if (remove_stale_rulesets()) {
45
Taking false branch
303 syslog(LOG_INFO6, "error removing stale rulesets");
304 do_death(0);
305 }
306
307 /* We appear to be making headway, so actually mark our pid */
308 rewind(pidfp);
309 fprintf(pidfp, "%ld\n%s\n", (long)getpid(), luser);
310 fflush(pidfp);
311 (void) ftruncate(fileno(pidfp)(!__isthreaded ? ((pidfp)->_file) : (fileno)(pidfp)), ftello(pidfp));
46
'?' condition is true
312
313 if (change_filter(1, luser, ipsrc) == -1) {
47
Calling 'change_filter'
314 printf("Unable to modify filters\r\n");
315 do_death(0);
316 }
317 if (user_ip && change_table(1, ipsrc) == -1) {
318 printf("Unable to modify table\r\n");
319 change_filter(0, luser, ipsrc);
320 do_death(0);
321 }
322
323 while (1) {
324 struct stat sb;
325 char *path_message;
326 printf("\r\nHello %s. ", luser);
327 printf("You are authenticated from host \"%s\"\r\n", ipsrc);
328 setproctitle("%s@%s", luser, ipsrc);
329 if (asprintf(&path_message, "%s/%s/authpf.message",
330 PATH_USER_DIR"/etc/authpf/users", luser) == -1)
331 do_death(1);
332 if (stat(path_message, &sb) == -1 || ! S_ISREG(sb.st_mode)((sb.st_mode & 0170000) == 0100000)) {
333 free(path_message);
334 if ((path_message = strdup(PATH_MESSAGE"/etc/authpf/authpf.message")) == NULL((void *)0))
335 do_death(1);
336 }
337 print_message(path_message);
338 while (1) {
339 sleep(10);
340 if (want_death)
341 do_death(1);
342 }
343 }
344
345dogdeath:
346 printf("\r\n\r\nSorry, this service is currently unavailable due to ");
347 printf("technical difficulties\r\n\r\n");
348 print_message(PATH_PROBLEM"/etc/authpf/authpf.problem");
349 printf("\r\nYour authentication process (pid %ld) was unable to run\n",
350 (long)getpid());
351 sleep(180); /* them lusers read reaaaaal slow */
352die:
353 do_death(0);
354}
355
356/*
357 * reads config file in PATH_CONFFILE to set optional behaviours up
358 */
359static int
360read_config(FILE *f)
361{
362 char buf[1024];
363 int i = 0;
364
365 do {
366 char **ap;
367 char *pair[4], *cp, *tp;
368 int len;
369
370 if (fgets(buf, sizeof(buf), f) == NULL((void *)0)) {
371 fclose(f);
372 return (0);
373 }
374 i++;
375 len = strlen(buf);
376 if (len == 0)
377 continue;
378 if (buf[len - 1] != '\n' && !feof(f)(!__isthreaded ? (((f)->_flags & 0x0020) != 0) : (feof
)(f))) {
379 syslog(LOG_ERR3, "line %d too long in %s", i,
380 PATH_CONFFILE"/etc/authpf/authpf.conf");
381 return (1);
382 }
383 buf[len - 1] = '\0';
384
385 for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
386 ; /* nothing */
387
388 if (!*cp || *cp == '#' || *cp == '\n')
389 continue;
390
391 for (ap = pair; ap < &pair[3] &&
392 (*ap = strsep(&cp, "=")) != NULL((void *)0); ) {
393 if (**ap != '\0')
394 ap++;
395 }
396 if (ap != &pair[2])
397 goto parse_error;
398
399 tp = pair[1] + strlen(pair[1]);
400 while ((*tp == ' ' || *tp == '\t') && tp >= pair[1])
401 *tp-- = '\0';
402
403 if (strcasecmp(pair[0], "anchor") == 0) {
404 if (!pair[1][0] || strlcpy(anchorname, pair[1],
405 sizeof(anchorname)) >= sizeof(anchorname))
406 goto parse_error;
407 }
408 if (strcasecmp(pair[0], "table") == 0) {
409 if (!pair[1][0] || strlcpy(tablename, pair[1],
410 sizeof(tablename)) >= sizeof(tablename))
411 goto parse_error;
412 }
413 } while (!feof(f)(!__isthreaded ? (((f)->_flags & 0x0020) != 0) : (feof
)(f)) && !ferror(f)(!__isthreaded ? (((f)->_flags & 0x0040) != 0) : (ferror
)(f)));
414 fclose(f);
415 return (0);
416
417parse_error:
418 fclose(f);
419 syslog(LOG_ERR3, "parse error, line %d of %s", i, PATH_CONFFILE"/etc/authpf/authpf.conf");
420 return (1);
421}
422
423
424/*
425 * splatter a file to stdout - max line length of 1024,
426 * used for spitting message files at users to tell them
427 * they've been bad or we're unavailable.
428 */
429static void
430print_message(char *filename)
431{
432 char buf[1024];
433 FILE *f;
434
435 if ((f = fopen(filename, "r")) == NULL((void *)0))
436 return; /* fail silently, we don't care if it isn't there */
437
438 do {
439 if (fgets(buf, sizeof(buf), f) == NULL((void *)0)) {
440 fflush(stdout(&__sF[1]));
441 fclose(f);
442 return;
443 }
444 } while (fputs(buf, stdout(&__sF[1])) != EOF(-1) && !feof(f)(!__isthreaded ? (((f)->_flags & 0x0020) != 0) : (feof
)(f)));
445 fflush(stdout(&__sF[1]));
446 fclose(f);
447}
448
449/*
450 * allowed_luser checks to see if user "luser" is allowed to
451 * use this gateway by virtue of being listed in an allowed
452 * users file, namely /etc/authpf/authpf.allow .
453 * Users may be listed by <username>, %<group>, or @<login_class>.
454 *
455 * If /etc/authpf/authpf.allow does not exist, then we assume that
456 * all users who are allowed in by sshd(8) are permitted to
457 * use this gateway. If /etc/authpf/authpf.allow does exist, then a
458 * user must be listed if the connection is to continue, else
459 * the session terminates in the same manner as being banned.
460 */
461static int
462allowed_luser(struct passwd *pw)
463{
464 char *buf, *lbuf;
465 int matched;
466 size_t len;
467 FILE *f;
468
469 if ((f = fopen(PATH_ALLOWFILE"/etc/authpf/authpf.allow", "r")) == NULL((void *)0)) {
470 if (errno(*__errno()) == ENOENT2) {
471 /*
472 * allowfile doesn't exist, thus this gateway
473 * isn't restricted to certain users...
474 */
475 return (1);
476 }
477
478 /*
479 * luser may in fact be allowed, but we can't open
480 * the file even though it's there. probably a config
481 * problem.
482 */
483 syslog(LOG_ERR3, "cannot open allowed users file %s (%s)",
484 PATH_ALLOWFILE"/etc/authpf/authpf.allow", strerror(errno(*__errno())));
485 return (0);
486 } else {
487 /*
488 * /etc/authpf/authpf.allow exists, thus we do a linear
489 * search to see if they are allowed.
490 * also, if username "*" exists, then this is a
491 * "public" gateway, such as it is, so let
492 * everyone use it.
493 */
494 int gl_init = 0, ngroups = NGROUPS_MAX16 + 1;
495 gid_t groups[NGROUPS_MAX16 + 1];
496
497 lbuf = NULL((void *)0);
498 matched = 0;
499
500 while ((buf = fgetln(f, &len))) {
501
502 if (buf[len - 1] == '\n')
503 buf[len - 1] = '\0';
504 else {
505 if ((lbuf = malloc(len + 1)) == NULL((void *)0))
506 err(1, NULL((void *)0));
507 memcpy(lbuf, buf, len);
508 lbuf[len] = '\0';
509 buf = lbuf;
510 }
511
512 if (buf[0] == '@') {
513 /* check login class */
514 if (strcmp(pw->pw_class, buf + 1) == 0)
515 matched++;
516 } else if (buf[0] == '%') {
517 /* check group membership */
518 int cnt;
519 struct group *group;
520
521 if ((group = getgrnam(buf + 1)) == NULL((void *)0)) {
522 syslog(LOG_ERR3,
523 "invalid group '%s' in %s (%s)",
524 buf + 1, PATH_ALLOWFILE"/etc/authpf/authpf.allow",
525 strerror(errno(*__errno())));
526 fclose(f);
527 return (0);
528 }
529
530 if (!gl_init) {
531 (void) getgrouplist(pw->pw_name,
532 pw->pw_gid, groups, &ngroups);
533 gl_init++;
534 }
535
536 for ( cnt = 0; cnt < ngroups; cnt++) {
537 if (group->gr_gid == groups[cnt]) {
538 matched++;
539 break;
540 }
541 }
542 } else {
543 /* check username and wildcard */
544 matched = strcmp(pw->pw_name, buf) == 0 ||
545 strcmp("*", buf) == 0;
546 }
547
548 free(lbuf);
549 lbuf = NULL((void *)0);
550
551 if (matched) {
552 fclose(f);
553 return (1); /* matched an allowed user/group */
554 }
555 }
556 syslog(LOG_INFO6, "denied access to %s: not listed in %s",
557 pw->pw_name, PATH_ALLOWFILE"/etc/authpf/authpf.allow");
558
559 /* reuse buf */
560 buf = "\n\nSorry, you are not allowed to use this facility!\n";
561 fputs(buf, stdout(&__sF[1]));
562 }
563 fflush(stdout(&__sF[1]));
564 fclose(f);
565 return (0);
566}
567
568/*
569 * check_luser checks to see if user "luser" has been banned
570 * from using us by virtue of having an file of the same name
571 * in the "luserdir" directory.
572 *
573 * If the user has been banned, we copy the contents of the file
574 * to the user's screen. (useful for telling the user what to
575 * do to get un-banned, or just to tell them they aren't
576 * going to be un-banned.)
577 */
578static int
579check_luser(char *luserdir, char *luser)
580{
581 FILE *f;
582 int n;
583 char tmp[PATH_MAX1024];
584
585 n = snprintf(tmp, sizeof(tmp), "%s/%s", luserdir, luser);
586 if (n < 0 || (u_int)n >= sizeof(tmp)) {
587 syslog(LOG_ERR3, "provided banned directory line too long (%s)",
588 luserdir);
589 return (0);
590 }
591 if ((f = fopen(tmp, "r")) == NULL((void *)0)) {
592 if (errno(*__errno()) == ENOENT2) {
593 /*
594 * file or dir doesn't exist, so therefore
595 * this luser isn't banned.. all is well
596 */
597 return (1);
598 } else {
599 /*
600 * luser may in fact be banned, but we can't open the
601 * file even though it's there. probably a config
602 * problem.
603 */
604 syslog(LOG_ERR3, "cannot open banned file %s (%s)",
605 tmp, strerror(errno(*__errno())));
606 return (0);
607 }
608 } else {
609 /*
610 * luser is banned - spit the file at them to
611 * tell what they can do and where they can go.
612 */
613 syslog(LOG_INFO6, "denied access to %s: %s exists",
614 luser, tmp);
615
616 /* reuse tmp */
617 strlcpy(tmp, "\n\n-**- Sorry, you have been banned! -**-\n\n",
618 sizeof(tmp));
619 while (fputs(tmp, stdout(&__sF[1])) != EOF(-1) && !feof(f)(!__isthreaded ? (((f)->_flags & 0x0020) != 0) : (feof
)(f))) {
620 if (fgets(tmp, sizeof(tmp), f) == NULL((void *)0)) {
621 fflush(stdout(&__sF[1]));
622 fclose(f);
623 return (0);
624 }
625 }
626 fclose(f);
627 }
628 fflush(stdout(&__sF[1]));
629 return (0);
630}
631
632/*
633 * Search for rulesets left by other authpf processes (either because they
634 * died ungracefully or were terminated) and remove them.
635 */
636static int
637remove_stale_rulesets(void)
638{
639 struct pfioc_ruleset prs;
640 u_int32_t nr;
641
642 memset(&prs, 0, sizeof(prs));
643 strlcpy(prs.path, anchorname, sizeof(prs.path));
644 if (ioctl(dev, DIOCGETRULESETS(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct pfioc_ruleset) & 0x1fff) << 16) | ((('D')) <<
8) | ((58))), &prs) == -1) {
645 if (errno(*__errno()) == EINVAL22)
646 return (0);
647 else
648 return (1);
649 }
650
651 nr = prs.nr;
652 while (nr) {
653 char *s, *t;
654 pid_t pid;
655
656 prs.nr = nr - 1;
657 if (ioctl(dev, DIOCGETRULESET(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct pfioc_ruleset) & 0x1fff) << 16) | ((('D')) <<
8) | ((59))), &prs) == -1)
658 return (1);
659 errno(*__errno()) = 0;
660 if ((t = strchr(prs.name, '(')) == NULL((void *)0))
661 t = prs.name;
662 else
663 t++;
664 pid = strtoul(t, &s, 10);
665 if (!prs.name[0] || errno(*__errno()) ||
666 (*s && (t == prs.name || *s != ')')))
667 return (1);
668 if ((kill(pid, 0) && errno(*__errno()) != EPERM1) || pid == getpid()) {
669 if (recursive_ruleset_purge(anchorname, prs.name))
670 return (1);
671 }
672 nr--;
673 }
674 return (0);
675}
676
677static int
678recursive_ruleset_purge(char *an, char *rs)
679{
680 struct pfioc_trans_e *t_e = NULL((void *)0);
681 struct pfioc_trans *t = NULL((void *)0);
682 struct pfioc_ruleset *prs = NULL((void *)0);
683
684 /* purge rules */
685 errno(*__errno()) = 0;
686 if ((t = calloc(1, sizeof(struct pfioc_trans))) == NULL((void *)0))
687 goto no_mem;
688 if ((t_e = calloc(2, sizeof(struct pfioc_trans_e))) == NULL((void *)0))
689 goto no_mem;
690 t->size = 2;
691 t->esize = sizeof(struct pfioc_trans_e);
692 t->array = t_e;
693 t_e[0].type = PF_TRANS_RULESET;
694 snprintf(t_e[0].anchor, sizeof(t_e[0].anchor), "%s/%s", an, rs);
695 t_e[1].type = PF_TRANS_TABLE;
696
697 if ((ioctl(dev, DIOCXBEGIN(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct pfioc_trans) & 0x1fff) << 16) | ((('D')) <<
8) | ((81))), t) == -1||
698 ioctl(dev, DIOCXCOMMIT(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct pfioc_trans) & 0x1fff) << 16) | ((('D')) <<
8) | ((82))), t) == -1) &&
699 errno(*__errno()) != EINVAL22)
700 goto cleanup;
701
702 /* purge any children */
703 if ((prs = calloc(1, sizeof(struct pfioc_ruleset))) == NULL((void *)0))
704 goto no_mem;
705 snprintf(prs->path, sizeof(prs->path), "%s/%s", an, rs);
706 if (ioctl(dev, DIOCGETRULESETS(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct pfioc_ruleset) & 0x1fff) << 16) | ((('D')) <<
8) | ((58))), prs) == -1) {
707 if (errno(*__errno()) != EINVAL22)
708 goto cleanup;
709 errno(*__errno()) = 0;
710 } else {
711 int nr = prs->nr;
712
713 while (nr) {
714 prs->nr = 0;
715 if (ioctl(dev, DIOCGETRULESET(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct pfioc_ruleset) & 0x1fff) << 16) | ((('D')) <<
8) | ((59))), prs) == -1)
716 goto cleanup;
717
718 if (recursive_ruleset_purge(prs->path, prs->name))
719 goto cleanup;
720 nr--;
721 }
722 }
723
724no_mem:
725 if (errno(*__errno()) == ENOMEM12)
726 syslog(LOG_ERR3, "calloc failed");
727
728cleanup:
729 free(t);
730 free(t_e);
731 free(prs);
732 return (errno(*__errno()));
733}
734
735/*
736 * Add/remove filter entries for user "luser" from ip "ipsrc"
737 */
738static int
739change_filter(int add, const char *luser, const char *ipsrc)
740{
741 char *fdpath = NULL((void *)0), *userstr = NULL((void *)0), *ipstr = NULL((void *)0);
742 char *rsn = NULL((void *)0), *fn = NULL((void *)0);
743 pid_t pid;
744 gid_t gid;
745 int s;
746
747 if (add
47.1
'add' is 1
) {
48
Taking true branch
748 struct stat sb;
749 struct group *grent;
750 char *pargv[13] = {
751 "pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
752 "-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL((void *)0)
753 };
754
755 if((grent = getgrgid(getgid())) == NULL((void *)0)) {
49
Assuming the condition is false
50
Taking false branch
756 syslog(LOG_ERR3, "Group not found user %s, gid %d",
757 luser, getgid());
758 goto error;
759 }
760
761 if (luser
50.1
'luser' is not equal to NULL
 == NULL((void *)0) || !luser[0] || ipsrc
51.1
'ipsrc' is not equal to NULL
 == NULL((void *)0) || !ipsrc[0]) {
51
Assuming the condition is false
52
Assuming the condition is false
53
Taking false branch
762 syslog(LOG_ERR3, "invalid luser/ipsrc");
763 goto error;
764 }
765
766 if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1)
54
Assuming the condition is false
55
Taking false branch
767 goto no_mem;
768 if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1)
56
Assuming the condition is false
57
Taking false branch
769 goto no_mem;
770 if (asprintf(&ipstr, "user_ip=%s", ipsrc) == -1)
58
Assuming the condition is false
59
Taking false branch
771 goto no_mem;
772 if (asprintf(&userstr, "user_id=%s", luser) == -1)
60
Assuming the condition is false
61
Taking false branch
773 goto no_mem;
774 if (asprintf(&fn, "%s/%s/authpf.rules",
62
Assuming the condition is false
63
Taking false branch
775 PATH_USER_DIR"/etc/authpf/users", luser) == -1)
776 goto no_mem;
777 if (stat(fn, &sb) == -1) {
64
Assuming the condition is true
65
Taking true branch
778 free(fn);
779 if(asprintf(&fn, "%s/%s/authpf.rules", PATH_GROUP_DIR"/etc/authpf/groups",
66
Assuming the condition is false
67
Taking false branch
780 grent->gr_name) == -1)
781 goto no_mem;
782 if(stat(fn, &sb) == -1) {
68
Assuming the condition is true
69
Taking true branch
783 free(fn);
784 if ((fn = strdup(PATH_PFRULES"/etc/authpf/authpf.rules")) == NULL((void *)0))
70
Memory is allocated
71
Assuming the condition is false
72
Taking false branch
785 goto no_mem;
786 }
787 }
788 pargv[2] = fdpath;
789 pargv[5] = rsn;
790 pargv[7] = userstr;
791 if (user_ip) {
73
Assuming 'user_ip' is not equal to 0
74
Taking true branch
792 pargv[9] = ipstr;
793 pargv[11] = fn;
794 } else {
795 pargv[8] = "-f";
796 pargv[9] = fn;
797 pargv[10] = NULL((void *)0);
798 }
799
800 switch (pid = fork()) {
75
'Default' branch taken. Execution continues on line 816
801 case -1:
802 syslog(LOG_ERR3, "fork failed");
803 goto error;
804 case 0:
805 /* revoke group privs before exec */
806 gid = getgid();
807 if (setresgid(gid, gid, gid) == -1) {
808 err(1, "setregid");
809 }
810 execvp(PATH_PFCTL"/sbin/pfctl", pargv);
811 warn("exec of %s failed", PATH_PFCTL"/sbin/pfctl");
812 _exit(1);
813 }
814
815 /* parent */
816 waitpid(pid, &s, 0);
817 if (s != 0) {
76
Assuming 's' is equal to 0
77
Taking false branch
818 syslog(LOG_ERR3, "pfctl exited abnormally");
819 goto error;
820 }
821
822 clock_gettime(CLOCK_MONOTONIC3, &Tstart);
78
Potential memory leak
823 syslog(LOG_INFO6, "allowing %s, user %s", ipsrc, luser);
824 } else {
825 remove_stale_rulesets();
826
827 clock_gettime(CLOCK_MONOTONIC3, &Tend);
828 syslog(LOG_INFO6, "removed %s, user %s - duration %d seconds",
829 ipsrc, luser, (int)(Tend.tv_sec - Tstart.tv_sec));
830 }
831 return (0);
832no_mem:
833 syslog(LOG_ERR3, "malloc failed");
834error:
835 free(fdpath);
836 free(rsn);
837 free(userstr);
838 free(ipstr);
839 free(fn);
840 return (-1);
841}
842
843/*
844 * Add/remove this IP from the "authpf_users" table.
845 */
846static int
847change_table(int add, const char *ipsrc)
848{
849 struct pfioc_table io;
850 struct pfr_addr addr;
851
852 bzero(&io, sizeof(io));
853 strlcpy(io.pfrio_table.pfrt_name, tablename,
854 sizeof(io.pfrio_table.pfrt_name));
855 io.pfrio_buffer = &addr;
856 io.pfrio_esize = sizeof(addr);
857 io.pfrio_size = 1;
858
859 bzero(&addr, sizeof(addr));
860 if (ipsrc == NULL((void *)0) || !ipsrc[0])
861 return (-1);
862 if (inet_pton(AF_INET2, ipsrc, &addr.pfra_ip4addrpfra_u._pfra_ip4addr) == 1) {
863 addr.pfra_af = AF_INET2;
864 addr.pfra_net = 32;
865 } else if (inet_pton(AF_INET624, ipsrc, &addr.pfra_ip6addrpfra_u._pfra_ip6addr) == 1) {
866 addr.pfra_af = AF_INET624;
867 addr.pfra_net = 128;
868 } else {
869 syslog(LOG_ERR3, "invalid ipsrc");
870 return (-1);
871 }
872
873 if (ioctl(dev, add ? DIOCRADDADDRS(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct pfioc_table) & 0x1fff) << 16) | ((('D')) <<
8) | ((67))) : DIOCRDELADDRS(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct pfioc_table) & 0x1fff) << 16) | ((('D')) <<
8) | ((68))), &io) == -1 &&
874 errno(*__errno()) != ESRCH3) {
875 syslog(LOG_ERR3, "cannot %s %s from table %s: %s",
876 add ? "add" : "remove", ipsrc, tablename,
877 strerror(errno(*__errno())));
878 return (-1);
879 }
880 return (0);
881}
882
883/*
884 * This is to kill off states that would otherwise be left behind stateful
885 * rules. This means we don't need to allow in more traffic than we really
886 * want to, since we don't have to worry about any luser sessions lasting
887 * longer than their ssh session. This function is based on
888 * pfctl_kill_states from pfctl.
889 */
890static void
891authpf_kill_states(void)
892{
893 struct pfioc_state_kill psk;
894 struct pf_addr target;
895
896 memset(&psk, 0, sizeof(psk));
897 memset(&target, 0, sizeof(target));
898
899 if (inet_pton(AF_INET2, ipsrc, &target.v4pfa.v4) == 1)
900 psk.psk_af = AF_INET2;
901 else if (inet_pton(AF_INET624, ipsrc, &target.v6pfa.v6) == 1)
902 psk.psk_af = AF_INET624;
903 else {
904 syslog(LOG_ERR3, "inet_pton(%s) failed", ipsrc);
905 return;
906 }
907
908 /* Kill all states from ipsrc */
909 memcpy(&psk.psk_src.addr.v.a.addr, &target,
910 sizeof(psk.psk_src.addr.v.a.addr));
911 memset(&psk.psk_src.addr.v.a.mask, 0xff,
912 sizeof(psk.psk_src.addr.v.a.mask));
913 if (ioctl(dev, DIOCKILLSTATES(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct pfioc_state_kill) & 0x1fff) << 16) | ((('D'
)) << 8) | ((41))), &psk) == -1)
914 syslog(LOG_ERR3, "DIOCKILLSTATES failed (%m)");
915
916 /* Kill all states to ipsrc */
917 memset(&psk.psk_src, 0, sizeof(psk.psk_src));
918 memcpy(&psk.psk_dst.addr.v.a.addr, &target,
919 sizeof(psk.psk_dst.addr.v.a.addr));
920 memset(&psk.psk_dst.addr.v.a.mask, 0xff,
921 sizeof(psk.psk_dst.addr.v.a.mask));
922 if (ioctl(dev, DIOCKILLSTATES(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct pfioc_state_kill) & 0x1fff) << 16) | ((('D'
)) << 8) | ((41))), &psk) == -1)
923 syslog(LOG_ERR3, "DIOCKILLSTATES failed (%m)");
924}
925
926/* signal handler that makes us go away properly */
927static void
928need_death(int signo)
929{
930 want_death = 1;
931}
932
933/*
934 * function that removes our stuff when we go away.
935 */
936static __dead__attribute__((__noreturn__)) void
937do_death(int active)
938{
939 int ret = 0;
940
941 if (active) {
942 change_filter(0, luser, ipsrc);
943 if (user_ip) {
944 change_table(0, ipsrc);
945 authpf_kill_states();
946 }
947 }
948 if (pidfile[0] && pidfd != -1)
949 if (unlink(pidfile) == -1)
950 syslog(LOG_ERR3, "cannot unlink %s (%m)", pidfile);
951 exit(ret);
952}