Bug Summary

File:programs/pluto/ikev2_cp.c
Warning:line 67, column 38
Dereference of null pointer (loaded from variable 'ip')

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-redhat-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name ikev2_cp.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fmath-errno -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/home/build/quick-libreswan-2/programs/pluto -resource-dir /usr/lib64/clang/13.0.0 -D TimeZoneOffset=timezone -D PIE -D NSS_IPSEC_PROFILE -D XFRM_LIFETIME_DEFAULT=30 -D USE_IKEv1 -D XFRM_SUPPORT -D USE_XFRM_INTERFACE -D USE_DNSSEC -D DEFAULT_DNSSEC_ROOTKEY_FILE="/var/lib/unbound/root.key" -D HAVE_LABELED_IPSEC -D HAVE_SECCOMP -D LIBCURL -D USE_LINUX_AUDIT -D HAVE_NM -D USE_PAM_AUTH -D USE_3DES -D USE_AES -D USE_CAMELLIA -D USE_CHACHA -D USE_DH31 -D USE_MD5 -D USE_SHA1 -D USE_SHA2 -D USE_PRF_AES_XCBC -D USE_NSS_KDF -D DEFAULT_RUNDIR="/run/pluto" -D IPSEC_CONF="/etc/ipsec.conf" -D IPSEC_CONFDDIR="/etc/ipsec.d" -D IPSEC_NSSDIR="/var/lib/ipsec/nss" -D IPSEC_CONFDIR="/etc" -D IPSEC_EXECDIR="/usr/local/libexec/ipsec" -D IPSEC_SBINDIR="/usr/local/sbin" -D IPSEC_VARDIR="/var" -D POLICYGROUPSDIR="/etc/ipsec.d/policies" -D IPSEC_SECRETS_FILE="/etc/ipsec.secrets" -D FORCE_PR_ASSERT -D USE_FORK=1 -D USE_VFORK=0 -D USE_DAEMON=0 -D USE_PTHREAD_SETSCHEDPRIO=1 -D GCC_LINT -D HAVE_LIBCAP_NG -I . -I ../../OBJ.linux.x86_64/programs/pluto -I ../../include -I /usr/include/nss3 -I /usr/include/nspr4 -I /home/build/quick-libreswan-2/programs/pluto/linux-copy -D HERE_FILENAME="programs/pluto/ikev2_cp.c" -internal-isystem /usr/lib64/clang/13.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/bin/../lib/gcc/x86_64-redhat-linux/11/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -std=gnu99 -fdebug-compilation-dir=/home/build/quick-libreswan-2/programs/pluto -ferror-limit 19 -stack-protector 3 -fgnuc-version=4.2.1 -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2022-01-01-205714-1273399-1 -x c /home/build/quick-libreswan-2/programs/pluto/ikev2_cp.c
1/* IKEv2 Configuration Payload, for Libreswan
2 *
3 * Copyright (C) 2007-2008 Michael Richardson <mcr@xelerance.com>
4 * Copyright (C) 2008-2011 Paul Wouters <paul@xelerance.com>
5 * Copyright (C) 2008 Antony Antony <antony@xelerance.com>
6 * Copyright (C) 2008-2009 David McCullough <david_mccullough@securecomputing.com>
7 * Copyright (C) 2010,2012 Avesh Agarwal <avagarwa@redhat.com>
8 * Copyright (C) 2010-2019 Tuomo Soini <tis@foobar.fi
9 * Copyright (C) 2012-2019 Paul Wouters <pwouters@redhat.com>
10 * Copyright (C) 2012-2018 Antony Antony <antony@phenome.org>
11 * Copyright (C) 2013-2019 D. Hugh Redelmeier <hugh@mimosa.com>
12 * Copyright (C) 2013 David McCullough <ucdevel@gmail.com>
13 * Copyright (C) 2013 Matt Rogers <mrogers@redhat.com>
14 * Copyright (C) 2015-2019 Andrew Cagney <cagney@gnu.org>
15 * Copyright (C) 2017-2018 Sahana Prasad <sahana.prasad07@gmail.com>
16 * Copyright (C) 2017-2018 Vukasin Karadzic <vukasin.karadzic@gmail.com>
17 * Copyright (C) 2017 Mayank Totale <mtotale@gmail.com>
18 * Copyright (C) 2020 Yulia Kuzovkova <ukuzovkova@gmail.com>
19 *
20 * This program is free software; you can redistribute it and/or modify it
21 * under the terms of the GNU General Public License as published by the
22 * Free Software Foundation; either version 2 of the License, or (at your
23 * option) any later version. See <https://www.gnu.org/licenses/gpl2.txt>.
24 *
25 * This program is distributed in the hope that it will be useful, but
26 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
27 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
28 * for more details.
29 */
30
31#include "ip_info.h"
32
33#include "defs.h"
34#include "demux.h"
35#include "connections.h"
36#include "state.h"
37#include "log.h"
38
39#include "ikev2_cp.h"
40
41/* Misleading name, also used for NULL sized type's */
42static stf_status ikev2_ship_cp_attr_ip(uint16_t type, ip_address *ip,
43 const char *story, struct pbs_outpacket_byte_stream *outpbs)
44{
45 struct pbs_outpacket_byte_stream a_pbs;
46
47 struct ikev2_cp_attribute attr = {
48 .type = type,
49 };
50
51 /* could be NULL */
52 const struct ip_info *afi = address_type(ip);
53
54 if (afi == NULL((void*)0)) {
10
Assuming 'afi' is not equal to NULL
11
Taking false branch
55 attr.len = 0;
56 } else if (afi == &ipv6_info) {
12
Assuming the condition is true
13
Taking true branch
57 attr.len = INTERNAL_IP6_ADDRESS_SIZE17; /* RFC hack to append IPv6 prefix len */
58 } else {
59 attr.len = address_type(ip)->ip_size;
60 }
61
62 if (!out_struct(&attr, &ikev2_cp_attribute_desc, outpbs,
14
Assuming the condition is false
15
Taking false branch
63 &a_pbs))
64 return STF_INTERNAL_ERROR;
65
66 if (attr.len
15.1
Field 'len' is > 0
 > 0) {
16
Taking true branch
67 diag_t d = pbs_out_address(&a_pbs, *ip, story);
17
Dereference of null pointer (loaded from variable 'ip')
68 if (d != NULL((void*)0)) {
69 llog_diag(RC_LOG_SERIOUS, a_pbs.outs_logger, &d, "%s", "");
70 return STF_INTERNAL_ERROR;
71 }
72 }
73
74 if (attr.len == INTERNAL_IP6_ADDRESS_SIZE17) { /* IPv6 address add prefix */
75 uint8_t ipv6_prefix_len = INTERNL_IP6_PREFIX_LEN128;
76 diag_t d = pbs_out_raw(&a_pbs, &ipv6_prefix_len, sizeof(uint8_t), "INTERNL_IP6_PREFIX_LEN");
77 if (d != NULL((void*)0)) {
78 llog_diag(RC_LOG_SERIOUS, outpbs->outs_logger, &d, "%s", "");
79 return STF_INTERNAL_ERROR;
80 }
81 }
82
83 close_output_pbs(&a_pbs);
84 return STF_OK;
85}
86
87static stf_status ikev2_ship_cp_attr_str(uint16_t type, char *str,
88 const char *story, pb_stream *outpbs)
89{
90 pb_stream a_pbs;
91 struct ikev2_cp_attribute attr = {
92 .type = type,
93 .len = (str == NULL((void*)0)) ? 0 : strlen(str),
94 };
95
96 if (!out_struct(&attr, &ikev2_cp_attribute_desc, outpbs,
97 &a_pbs))
98 return STF_INTERNAL_ERROR;
99
100 if (attr.len > 0) {
101 diag_t d = pbs_out_raw(&a_pbs, str, attr.len, story);
102 if (d != NULL((void*)0)) {
103 llog_diag(RC_LOG_SERIOUS, outpbs->outs_logger, &d, "%s", "");
104 return STF_INTERNAL_ERROR;
105 }
106 }
107
108 close_output_pbs(&a_pbs);
109 return STF_OK;
110}
111
112/*
113 * CHILD is asking for configuration; hence log against child.
114 */
115
116bool_Bool emit_v2_child_configuration_payload(const struct child_sa *child, struct pbs_outpacket_byte_stream *outpbs)
117{
118 struct connection *c = child->sa.st_connection;
119 pb_stream cp_pbs;
120 bool_Bool cfg_reply = c->spd.that.has_lease;
121 struct ikev2_cp cp = {
122 .isacp_critical = ISAKMP_PAYLOAD_NONCRITICAL0x00,
123 .isacp_type = cfg_reply ? IKEv2_CP_CFG_REPLY : IKEv2_CP_CFG_REQUEST,
1
Assuming 'cfg_reply' is false
2
'?' condition is false
124 };
125
126 dbg("Send Configuration Payload %s ",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("Send Configuration Payload %s ", cfg_reply ? "reply"
: "request"); } }
3
Assuming the condition is false
4
Taking false branch
127 cfg_reply ? "reply" : "request"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("Send Configuration Payload %s ", cfg_reply ? "reply"
: "request"); } };
128
129 if (!out_struct(&cp, &ikev2_cp_desc, outpbs, &cp_pbs))
5
Assuming the condition is false
6
Taking false branch
130 return false0;
131
132 if (cfg_reply
6.1
'cfg_reply' is false
) {
7
Taking false branch
133 ip_address that_client_address = selector_prefix(c->spd.that.client);
134 ikev2_ship_cp_attr_ip(selector_type(&c->spd.that.client) == &ipv4_info ?
135 IKEv2_INTERNAL_IP4_ADDRESS : IKEv2_INTERNAL_IP6_ADDRESS,
136 &that_client_address, "Internal IP Address", &cp_pbs);
137
138 if (c->modecfg_dns != NULL((void*)0)) {
139 char *ipstr;
140
141 ipstr = strtok(c->modecfg_dns, ", ");
142 while (ipstr != NULL((void*)0)) {
143 if (strchr(ipstr, '.') != NULL((void*)0)) {
144 ip_address ip;
145 err_t e = ttoaddress_num(shunk1(ipstr), &ipv4_info, &ip);
146 if (e != NULL((void*)0)) {
147 log_state(RC_LOG_SERIOUS, &child->sa,
148 "Ignored bogus DNS IP address '%s'", ipstr);
149 } else {
150 if (ikev2_ship_cp_attr_ip(IKEv2_INTERNAL_IP4_DNS, &ip,
151 "IP4_DNS", &cp_pbs) != STF_OK)
152 return false0;
153 }
154 } else if (strchr(ipstr, ':') != NULL((void*)0)) {
155 ip_address ip;
156 err_t e = ttoaddress_num(shunk1(ipstr), &ipv6_info, &ip);
157 if (e != NULL((void*)0)) {
158 log_state(RC_LOG_SERIOUS, &child->sa,
159 "Ignored bogus DNS IP address '%s'", ipstr);
160 } else {
161 if (ikev2_ship_cp_attr_ip(IKEv2_INTERNAL_IP6_DNS, &ip,
162 "IP6_DNS", &cp_pbs) != STF_OK)
163 return false0;
164 }
165 } else {
166 log_state(RC_LOG_SERIOUS, &child->sa,
167 "Ignored bogus DNS IP address '%s'", ipstr);
168 }
169 ipstr = strtok(NULL((void*)0), ", ");
170 }
171 }
172
173 if (c->modecfg_domains != NULL((void*)0)) {
174 char *domain;
175
176 domain = strtok(c->modecfg_domains, ", ");
177 while (domain != NULL((void*)0)) {
178 if (ikev2_ship_cp_attr_str(IKEv2_INTERNAL_DNS_DOMAIN, domain,
179 "IKEv2_INTERNAL_DNS_DOMAIN", &cp_pbs) != STF_OK)
180 return false0;
181 domain = strtok(NULL((void*)0), ", ");
182 }
183 }
184 } else { /* cfg request */
185 ikev2_ship_cp_attr_ip(IKEv2_INTERNAL_IP4_ADDRESS, NULL((void*)0), "IPV4 Address", &cp_pbs);
8
Passing null pointer value via 2nd parameter 'ip'
9
Calling 'ikev2_ship_cp_attr_ip'
186 ikev2_ship_cp_attr_ip(IKEv2_INTERNAL_IP4_DNS, NULL((void*)0), "DNSv4", &cp_pbs);
187 ikev2_ship_cp_attr_ip(IKEv2_INTERNAL_IP6_ADDRESS, NULL((void*)0), "IPV6 Address", &cp_pbs);
188 ikev2_ship_cp_attr_ip(IKEv2_INTERNAL_IP6_DNS, NULL((void*)0), "DNSv6", &cp_pbs);
189 ikev2_ship_cp_attr_ip(IKEv2_INTERNAL_DNS_DOMAIN, NULL((void*)0), "Domain", &cp_pbs);
190 }
191
192 close_output_pbs(&cp_pbs);
193 return true1;
194}