Bug Summary

File: auth.c
Location: line 112, column 12
Description: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'lav')

Annotated Source Code

1/* $Xorg: auth.c,v 1.4 2000/08/17 19:54:01 cpqbld Exp $ */
2
3/************************************************************************/
4/* Copyright (c) 1993 Quarterdeck Office Systems */
5/* */
6/* Permission to use, copy, modify, distribute, and sell this software */
7/* and software and its documentation for any purpose is hereby granted */
8/* without fee, provided that the above copyright notice appear in all */
9/* copies and that both that copyright notice and this permission */
10/* notice appear in supporting documentation, and that the name */
11/* Quarterdeck Office Systems, Inc. not be used in advertising or */
12/* publicity pertaining to distribution of this software without */
13/* specific, written prior permission. */
14/* */
15/* THIS SOFTWARE IS PROVIDED `AS-IS'. QUARTERDECK OFFICE SYSTEMS, */
16/* INC., DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, */
17/* INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF */
18/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR */
19/* NONINFRINGEMENT. IN NO EVENT SHALL QUARTERDECK OFFICE SYSTEMS, */
20/* INC., BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING SPECIAL, */
21/* INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF USE, DATA, OR */
22/* PROFITS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF, AND REGARDLESS */
23/* OF WHETHER IN AN ACTION IN CONTRACT, TORT OR NEGLIGENCE, ARISING OUT */
24/* OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
25/************************************************************************/
26/* $XFree86: xc/programs/rstart/auth.c,v 1.4 2001/01/17 23:45:03 dawes Exp $ */
27
28#include <stdio.h>
29#include <X11/Xos.h>
30#include <errno(*__error()).h>
31#include <stdlib.h>
32#include <ctype.h>
33#include <sys/types.h>
34#include <sys/wait.h>
35
36#include "server.h"
37
/* One AUTH line's arguments, kept on a per-scheme singly linked list. */
struct list_of_argv {
    struct list_of_argv *next;  /* next entry for the same scheme, or NULL */
    int argc;                   /* number of arguments in argv */
    char **argv;                /* argument vector; key_auth() stores a pointer into its caller's av */
};

/* Everything recorded about one authorization scheme. */
struct auth_info {
    struct auth_info *next;     /* next scheme on the auth_schemes list, or NULL */
    char *name;                 /* scheme name as stored by find_or_create_auth() */
    struct list_of_argv *data;  /* AUTH lines recorded for this scheme; NULL if none */
    char **program;             /* set by key_internal_auth_program(); NULL until then */
    char **input;               /* set by key_internal_auth_input(); NULL until then */
};

/* File-local helpers defined further down. */
static char *Strupr(char *s0);
static struct auth_info *find_or_create_auth(char *s);
static char *expand(char *s, int ac, char **av);

/* Head of the list of known schemes; new schemes are pushed at the front. */
struct auth_info *auth_schemes = NULL;
57
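/*
 * Strupr - upper-case a NUL-terminated string in place and return it.
 *
 * Every byte is converted to unsigned char before it reaches the <ctype.h>
 * functions: handing them a negative plain char (any byte >= 0x80 where char
 * is signed) is undefined behavior.
 */
static char *
Strupr(char *s0)
{
    char *s;

    for (s = s0; *s; s++) {
        unsigned char c = (unsigned char)*s;

        if (islower(c))
            *s = (char)toupper(c);
    }
    return s0;
}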
68
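/*
 * find_or_create_auth - look up an authorization scheme by name, creating an
 * empty entry at the head of auth_schemes when none exists yet.
 *
 * The name is upper-cased in place before it is compared.  Argument "s" is
 * overwritten and, when a new entry is created, stored in that entry, so it
 * must not be deallocated or subsequently used by the caller.
 *
 * Returns the existing or newly created entry; never returns NULL.
 */
struct auth_info *
find_or_create_auth(char *s)
{
    struct auth_info *auth;

    Strupr(s);

    for (auth = auth_schemes; auth; auth = auth->next) {
        if (!strcmp(s, auth->name))
            return auth;
    }

    auth = malloc(sizeof(*auth));
    if (!auth) {
        nomem();
        /*
         * nomem() is defined outside this file.  Should it ever return, stop
         * here instead of writing through a NULL pointer below.
         */
        exit(255);
    }

    auth->next = auth_schemes;
    auth->name = s;
    auth->data = NULL;
    auth->program = NULL;
    auth->input = NULL;
    auth_schemes = auth;

    return auth;
}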
94
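/*
 * key_auth - record one AUTH line against its authorization scheme.
 *
 * av[1] names the scheme (find_or_create_auth() upper-cases it in place and
 * may keep the pointer); av + 2 with ac - 2 entries is stored as the line's
 * arguments.  Only pointers into av are stored, and do_auth() reads them
 * later, so the caller must keep av alive until then.
 *
 * Static analyzer finding for this function (auth.c line 112, column 12):
 * "Access to field 'next' results in a dereference of a null pointer (loaded
 * from variable 'lav')".  Reported path:
 *   1. Assuming 'ac' is >= 2
 *   2. Taking false branch (the "Malformed AUTH" check)
 *   3. Value assigned to 'lav' (the malloc() result)
 *   4. Assuming 'lav' is null
 *   5. Taking true branch (nomem() is called)
 *   6. 'lav->next' is written through the null pointer
 * The path is only reachable if nomem() can return.  nomem() is defined
 * outside this file, so that cannot be confirmed from here; the allocation
 * failure branch below therefore terminates explicitly.  If nomem() in fact
 * never returns, marking its declaration as non-returning (for example with
 * C11 _Noreturn) would also let the analyzer prune the path.
 */
void
key_auth(int ac, char **av)
{
    struct list_of_argv *lav;
    struct auth_info *auth;

    if (ac < 2) {
        printf("%s: Failure: Malformed AUTH\n", myname);
        exit(255);
    }

    auth = find_or_create_auth(av[1]);

    lav = malloc(sizeof(*lav));
    if (!lav) {
        nomem();
        exit(255);  /* never fall through to the dereference with lav == NULL */
    }

    /* Push the new entry at the front of the scheme's list. */
    lav->next = auth->data;
    lav->argc = ac - 2;
    lav->argv = av + 2;
    auth->data = lav;
}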
117
/*
 * key_internal_auth_program - handle an INTERNAL-AUTH-PROGRAM line.
 *
 * av[1] is the scheme name; av + 2 is stored as the scheme's program vector.
 * do_auth() passes program[0] to execvp() as the file and program + 1 as the
 * argument vector; with ac >= 4 both program[0] and program[1] exist.
 * Fewer than four words is reported as malformed and ends the process with
 * status 255.
 * NOTE(review): execvp() needs the vector to end in a NULL pointer; that is
 * presumably guaranteed by whoever builds av -- confirm against the caller.
 */
void
key_internal_auth_program(int ac, char **av)
{
    struct auth_info *scheme;

    if (ac >= 4) {
        scheme = find_or_create_auth(av[1]);
        scheme->program = av + 2;
        return;
    }

    printf("%s: Failure: Malformed INTERNAL-AUTH-PROGRAM\n", myname);
    exit(255);
}
132
/*
 * key_internal_auth_input - handle an INTERNAL-AUTH-INPUT line.
 *
 * av[1] is the scheme name; av + 2 is stored as the scheme's list of input
 * templates, which do_auth() walks until it meets a NULL pointer.  Fewer than
 * two words is reported as malformed and ends the process with status 255.
 * NOTE(review): with ac == 2 the stored pointer addresses av[2]; this
 * presumably holds the terminating NULL of the vector -- confirm against the
 * caller.
 */
void
key_internal_auth_input(int ac, char **av)
{
    struct auth_info *scheme;

    if (ac >= 2) {
        scheme = find_or_create_auth(av[1]);
        scheme->input = av + 2;
        return;
    }

    printf("%s: Failure: Malformed INTERNAL-AUTH-INPUT\n", myname);
    exit(255);
}
147
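/*
 * auth_write_all - write len bytes to fd, retrying short writes and EINTR.
 * Returns 0 on success and -1 on any other write failure.
 */
static int
auth_write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);

        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * do_auth - run the authorization program of every scheme that has recorded
 * AUTH data, feeding it the expanded input templates on its standard input.
 *
 * For each scheme with data and a program: a pipe is created, the child makes
 * the read end its stdin and executes program[0] with program + 1 as argv,
 * and the parent writes one line per (AUTH entry, input template) pair, closes
 * the pipe and waits for the child.  A scheme with data but no program, and a
 * child that reports a non-zero status, only produce a warning.
 *
 * Review notes:
 *  - The arguments recorded by key_auth() are substituted into the lines
 *    verbatim and each line is terminated with '\n'.  An argument that itself
 *    contains a newline reaches the program as additional input lines;
 *    whether that can happen depends on how the AUTH line is parsed, which is
 *    not visible here.
 *  - execvp() searches PATH when program[0] contains no '/', so the program
 *    that actually runs depends on the environment of this process.
 *  - A scheme may have data and a program but no input templates (input is
 *    NULL until key_internal_auth_input() runs); the loop below treats that
 *    as "nothing to send" instead of dereferencing NULL.
 *  - If the child exits before reading everything, write() fails with EPIPE
 *    only when SIGPIPE is not left at its default action; the signal setup is
 *    outside this file.
 */
void
do_auth(void)
{
    struct auth_info *auth;
    struct list_of_argv *lav;
    char **pp;
    char *s;
    int p[2];
    int pid;
    int reaped;
    int status;
    int feed_failed;

    for (auth = auth_schemes; auth; auth = auth->next) {
        if (!auth->data)
            continue;
        if (!auth->program) {
            printf("%s: Warning: no %s authorization program specified in this context\n",
                   myname, auth->name);
            continue;
        }

        if (pipe(p)) {
            printf("%s: Error: pipe - %s\n", myname, strerror(errno));
            exit(255);
        }

        fflush(stdout);  /* so buffered output is not emitted again by the child */

        switch (pid = fork()) {
        case -1:
            printf("%s: Error: fork - %s\n", myname, strerror(errno));
            exit(255);
        case 0:  /* kid */
            /* Make the read end stdin; skip the dup when it already is fd 0. */
            if (p[0] != 0) {
                if (dup2(p[0], 0) < 0) {
                    printf("%s: Error: dup2 - %s\n", myname, strerror(errno));
                    exit(255);
                }
                close(p[0]);
            }
            close(p[1]);
            execvp(auth->program[0], auth->program + 1);
            /* Only reached when execvp() failed. */
            printf("%s: Error: %s - %s\n", myname, auth->program[0],
                   strerror(errno));
            exit(255);
            break;
        default:  /* parent */
            close(p[0]);
            feed_failed = 0;
            for (lav = auth->data; lav && !feed_failed; lav = lav->next) {
                for (pp = auth->input; pp && *pp; pp++) {
                    s = expand(*pp, lav->argc, lav->argv);
                    if (auth_write_all(p[1], s, strlen(s)) ||
                        auth_write_all(p[1], "\n", 1)) {
                        feed_failed = 1;
                        break;
                    }
                }
            }
            close(p[1]);  /* EOF tells the program its input is complete */

            /*
             * Wait for this child.  A wait() error other than EINTR ends the
             * loop (it would otherwise spin forever) and counts as failure.
             */
            status = -1;
            for (;;) {
                reaped = wait(&status);
                if (reaped == pid)
                    break;
                if (reaped < 0 && errno != EINTR) {
                    status = -1;
                    break;
                }
            }
            if (status || feed_failed) {
                printf("%s: Warning: %s authorization setup failed\n",
                       myname, auth->name);
            }
            break;
        }
    }
}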
208
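/*
 * expand - substitute AUTH arguments into one input template.
 *
 * In the template s, "$$" produces a literal '$' and "$N" (N a decimal
 * number, counted from 1) produces av[N-1]; every other character is copied
 * unchanged.  ac is the number of entries in av.
 *
 * Returns a pointer to a static buffer of BUFSIZ bytes that the next call
 * overwrites, so the result must be consumed before expand() is called again.
 *
 * Any malformed template or out-of-range reference prints a failure message
 * and ends the process with status 255.  That includes two cases that would
 * otherwise touch memory outside the intended objects:
 *  - "$0" (it would read av[-1]);
 *  - an expansion that does not fit in the buffer.  Template and arguments
 *    are not length-limited by this function, so every write is bounded
 *    against the end of buf.
 */
char *
expand(char *s, int ac, char **av)
{
    static char buf[BUFSIZ];
    char *const end = buf + sizeof(buf) - 1;  /* last byte is kept for the NUL */
    char *p = buf;
    size_t len;
    long n;

    while (*s) {
        if (*s != '$') {
            if (p >= end)
                goto too_long;
            *p++ = *s++;
            continue;
        }

        s++;
        if (*s == '$') {
            if (p >= end)
                goto too_long;
            *p++ = *s++;
            continue;
        }
        /* Cast first: a negative plain char is undefined for <ctype.h>. */
        if (!isdigit((unsigned char)*s)) {
            printf("%s: Failure: bad $ in configuration: non-digit after $\n",
                   myname);
            exit(255);
        }

        /* Compare as long so an overflowing number cannot wrap into range. */
        n = strtol(s, &s, 10);
        if (n > ac) {
            printf("%s: Failure: not enough arguments to AUTH\n", myname);
            exit(255);
        }
        if (n < 1) {
            printf("%s: Failure: bad $ in configuration: argument numbers start at 1\n",
                   myname);
            exit(255);
        }

        len = strlen(av[n - 1]);
        if (len > (size_t)(end - p))
            goto too_long;
        memcpy(p, av[n - 1], len);
        p += len;
    }
    *p = '\0';

    return buf;

too_long:
    printf("%s: Failure: expanded authorization input exceeds %d bytes\n",
           myname, (int)sizeof(buf) - 1);
    exit(255);
}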