clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name login_lchpass.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/libexec/login_lchpass/obj -resource-dir /usr/local/llvm16/lib/clang/16 -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -Wno-unused -fdebug-compilation-dir=/usr/src/libexec/login_lchpass/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/libexec/login_lchpass/login_lchpass.c
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 | |
11 | |
12 | |
13 | |
14 | |
15 | |
16 | |
17 | |
18 | |
19 | |
20 | |
21 | |
22 | |
23 | |
24 | |
25 | |
26 | |
27 | |
28 | |
29 | |
30 | |
31 | |
32 | |
33 | |
34 | |
35 | |
36 | |
37 | #include <sys/resource.h> |
38 | #include <sys/uio.h> |
39 | |
40 | #include <pwd.h> |
41 | #include <stdio.h> |
42 | #include <stdlib.h> |
43 | #include <string.h> |
44 | #include <syslog.h> |
45 | #include <unistd.h> |
46 | #include <login_cap.h> |
47 | #include <readpassphrase.h> |
48 | |
49 | #define BACK_CHANNEL 3 |
50 | |
51 | int local_passwd(char *, int); |
52 | |
53 | int |
54 | main(int argc, char *argv[]) |
55 | { |
56 | struct iovec iov[2]; |
57 | struct passwd *pwd; |
58 | char *username = NULL, *hash = NULL; |
59 | char oldpass[1024]; |
60 | struct rlimit rl; |
61 | int c; |
62 | |
63 | iov[0].iov_base = BI_SILENT; |
64 | iov[0].iov_len = sizeof(BI_SILENT) - 1; |
65 | iov[1].iov_base = "\n"; |
66 | iov[1].iov_len = 1; |
67 | |
68 | rl.rlim_cur = 0; |
69 | rl.rlim_max = 0; |
70 | (void)setrlimit(RLIMIT_CORE, &rl); |
71 | |
72 | (void)setpriority(PRIO_PROCESS, 0, 0); |
73 | |
74 | openlog("login", LOG_ODELAY, LOG_AUTH); |
75 | |
76 | while ((c = getopt(argc, argv, "v:s:")) != -1) |
| 1 | Assuming the condition is false | |
|
| 2 | | Loop condition is false. Execution continues on line 91 | |
|
77 | switch (c) { |
78 | case 'v': |
79 | break; |
80 | case 's': |
81 | if (strcmp(optarg, "login") != 0) { |
82 | syslog(LOG_ERR, "%s: invalid service", optarg); |
83 | exit(1); |
84 | } |
85 | break; |
86 | default: |
87 | syslog(LOG_ERR, "usage error"); |
88 | exit(1); |
89 | } |
90 | |
91 | switch (argc - optind) { |
| 3 | | Control jumps to 'case 1:' at line 94 | |
|
92 | case 2: |
93 | |
94 | case 1: |
95 | username = argv[optind]; |
96 | break; |
97 | default: |
98 | syslog(LOG_ERR, "usage error"); |
99 | exit(1); |
100 | } |
101 | |
102 | pwd = getpwnam_shadow(username); |
| 4 | | Execution continues on line 102 | |
|
| |
103 | if (pwd) { |
| |
| |
104 | if (pwd->pw_uid == 0) { |
105 | syslog(LOG_ERR, "attempted root password change"); |
106 | pwd = NULL; |
107 | } else if (*pwd->pw_passwd == '\0') { |
108 | syslog(LOG_ERR, "%s attempting to add password", |
109 | username); |
110 | pwd = NULL; |
111 | } |
112 | } |
113 | |
114 | if (pwd) |
| |
115 | hash = pwd->pw_passwd; |
116 | |
117 | (void)setpriority(PRIO_PROCESS, 0, -4); |
118 | |
119 | (void)printf("Changing local password for %s.\n", username); |
120 | if ((readpassphrase("Old Password:", oldpass, sizeof(oldpass), |
| 9 | | Assuming the condition is false | |
|
| |
121 | RPP_ECHO_OFF)) == NULL) |
122 | exit(1); |
123 | |
124 | if (crypt_checkpass(oldpass, hash) != 0) { |
| 11 | | Assuming the condition is false | |
|
| |
125 | explicit_bzero(oldpass, strlen(oldpass)); |
126 | exit(1); |
127 | } |
128 | explicit_bzero(oldpass, strlen(oldpass)); |
129 | |
130 | |
131 | |
132 | |
133 | |
134 | local_passwd(pwd->pw_name, 1); |
| 13 | | Access to field 'pw_name' results in a dereference of a null pointer (loaded from variable 'pwd') |
|
135 | (void)writev(BACK_CHANNEL, iov, 2); |
136 | exit(0); |
137 | } |