src/network/res

Bug Summary

File:	network/res_msend.c
Location:	line 186, column 9
Description:	Branch condition evaluates to a garbage value

Annotated Source Code

#include <sys/socket.h>

#include <netinet/in.h>

#include <netdb.h>

#include <arpa/inet.h>

#include <stdint.h>

#include <string.h>

#include <poll.h>

#include <time.h>

#include <ctype.h>

#include <unistd.h>

#include <errno(*__errno_location()).h>

#include <pthread.h>

#include "stdio_impl.h"

#include "syscall.h"

#include "lookup.h"

static void cleanup(void *p)

{

__syscall(SYS_close, (intptr_t)p)__syscall1(3,((long) ((intptr_t)p)));

}

static unsigned long mtime()

{

struct timespec ts;

clock_gettime(CLOCK_REALTIME0, &ts);

return (unsigned long)ts.tv_sec * 1000

+ ts.tv_nsec / 1000000;

}

int __res_msend(int nqueries, const unsigned char *const *queries,

const int *qlens, unsigned char *const *answers, int *alens, int asize)

{

int fd;

FILE *f, _f;

unsigned char _buf[256];

char line[64], *s, *z;

int timeout = 5000, attempts = 2, retry_interval, servfail_retry;

'servfail_retry' declared without an initial value

→

union {

struct sockaddr_in sin;

struct sockaddr_in6 sin6;

} sa = {0}, ns[3] = {{0}};

socklen_t sl = sizeof sa.sin;

int nns = 0;

int family = AF_INET2;

int rlen;

int next;

int i, j;

int cs;

struct pollfd pfd;

unsigned long t0, t1, t2;

struct address iplit;

pthread_setcancelstate(PTHREAD_CANCEL_DISABLE1, &cs);

/* Get nameservers from resolv.conf, fallback to localhost */

f = __fopen_rb_ca("/etc/resolv.conf", &_f, _buf, sizeof _buf);

if (f) for (nns=0; nns<3 && fgets(line, sizeof line, f); ) {

Assuming 'f' is null

Taking false branch

if (!strncmp(line, "options", 7) && isspace(line[7])__isspace(line[7])) {

unsigned long x;

char *p, *z;

p = strstr(line, "timeout:");

if (p && isdigit(p[8])(0 ? isdigit(p[8]) : ((unsigned)(p[8])-'0') < 10)) {

p += 8;

x = strtoul(p, &z, 10);

if (z != p) timeout = x < 30 ? x*1000 : 30000;

}

p = strstr(line, "attempts:");

if (p && isdigit(p[9])(0 ? isdigit(p[9]) : ((unsigned)(p[9])-'0') < 10)) {

p += 9;

x = strtoul(p, &z, 10);

if (z != p) attempts = x < 10 ? x : 10;

if (!attempts) attempts = 1;

}

if (strncmp(line, "nameserver", 10) || !isspace(line[10])__isspace(line[10]))

continue;

for (s=line+11; isspace(*s)__isspace(*s); s++);

for (z=s; *z && !isspace(*z)__isspace(*z); z++);

*z=0;

if (__lookup_ipliteral(&iplit, s, AF_UNSPEC0)>0) {

if (iplit.family == AF_INET2) {

memcpy(&ns[nns].sin.sin_addr, iplit.addr, 4);

ns[nns].sin.sin_port = htons(53);

ns[nns++].sin.sin_family = AF_INET2;

} else {

sl = sizeof sa.sin6;

memcpy(&ns[nns].sin6.sin6_addr, iplit.addr, 16);

ns[nns].sin6.sin6_port = htons(53);

ns[nns].sin6.sin6_scope_id = iplit.scopeid;

ns[nns++].sin6.sin6_family = family = AF_INET610;

}

if (f) __fclose_ca(f);

Taking false branch

if (!nns) {

Taking true branch

ns[0].sin.sin_family = AF_INET2;

ns[0].sin.sin_port = htons(53);

ns[0].sin.sin_addr.s_addr = htonl(0x7f000001);

100

nns=1;

101

}

102

103

/* Get local address and open/bind a socket */

104

sa.sin.sin_family = family;

105

fd = socket(family, SOCK_DGRAM2|SOCK_CLOEXEC02000000|SOCK_NONBLOCK04000, 0);

106

107

/* Handle case where system lacks IPv6 support */

108

if (fd < 0 && family == AF_INET610 && errno(*__errno_location()) == EAFNOSUPPORT97) {

←

Assuming 'fd' is >= 0

→

109

fd = socket(AF_INET2, SOCK_DGRAM2|SOCK_CLOEXEC02000000|SOCK_NONBLOCK04000, 0);

110

family = AF_INET2;

111

}

112

if (fd < 0 || bind(fd, (void *)&sa, sl) < 0) return -1;

←

Taking false branch

→

113

114

/* Past this point, there are no errors. Each individual query will

115

* yield either no reply (indicated by zero length) or an answer

116

* packet which is up to the caller to interpret. */

117

118

pthread_cleanup_push(cleanup, (void *)(intptr_t)fd)do { struct __ptcb __cb; _pthread_cleanup_push(&__cb, cleanup
, (void *)(intptr_t)fd);;

119

pthread_setcancelstate(cs, 0);

120

121

/* Convert any IPv4 addresses in a mixed environment to v4-mapped */

122

if (family == AF_INET610) {

←

Taking false branch

→

123

setsockopt(fd, IPPROTO_IPV641, IPV6_V6ONLY26, &(int){0}, sizeof 0);

124

for (i=0; i<nns; i++) {

125

if (ns[i].sin.sin_family != AF_INET2) continue;

126

memcpy(ns[i].sin6.sin6_addr.s6_addr__in6_union.__s6_addr+12,

127

&ns[i].sin.sin_addr, 4);

128

memcpy(ns[i].sin6.sin6_addr.s6_addr__in6_union.__s6_addr,

129

"\0\0\0\0\0\0\0\0\0\0\xff\xff", 12);

130

ns[i].sin6.sin6_family = AF_INET610;

131

ns[i].sin6.sin6_flowinfo = 0;

132

ns[i].sin6.sin6_scope_id = 0;

133

}

134

}

135

136

memset(alens, 0, sizeof *alens * nqueries);

137

138

pfd.fd = fd;

139

pfd.events = POLLIN0x001;

140

retry_interval = timeout / attempts;

141

next = 0;

142

t0 = t2 = mtime();

143

t1 = t2 - retry_interval;

144

145

for (; t2-t0 < timeout; t2=mtime()) {

←

Loop condition is true. Entering loop body

→

←

Loop condition is true. Entering loop body

→

←

Loop condition is true. Entering loop body

→

146

if (t2-t1 >= retry_interval) {

Taking false branch

Taking false branch

Taking false branch

147

/* Query all configured namservers in parallel */

148

for (i=0; i<nqueries; i++)

149

if (!alens[i])

150

for (j=0; j<nns; j++)

151

sendto(fd, queries[i],

152

qlens[i], MSG_NOSIGNAL0x4000,

153

(void *)&ns[j], sl);

154

t1 = t2;

155

servfail_retry = 2 * nqueries;

156

}

157

158

/* Wait for a response, or until time to retry */

159

if (poll(&pfd, 1, t1+retry_interval-t2) <= 0) continue;

Taking false branch

Taking false branch

Taking false branch

160

161

while ((rlen = recvfrom(fd, answers[next], asize, 0,

←

Loop condition is false. Execution continues on line 145

→

←

Loop condition is false. Execution continues on line 145

→

←

Loop condition is true. Entering loop body

→

162

(void *)&sa, (socklen_t[1]){sl})) >= 0) {

163

164

/* Ignore non-identifiable packets */

165

if (rlen < 4) continue;

←

Assuming 'rlen' is >= 4

→

←

Taking false branch

→

166

167

/* Ignore replies from addresses we didn't send to */

168

for (j=0; j<nns && memcmp(ns+j, &sa, sl); j++);

←

Loop condition is false. Execution continues on line 169

→

169

if (j==nns) continue;

←

Taking false branch

→

170

171

/* Find which query this answer goes with, if any */

172

for (i=next; i<nqueries && (

←

Assuming 'i' is >= 'nqueries'

→

173

answers[next][0] != queries[i][0] ||

174

answers[next][1] != queries[i][1] ); i++);

175

if (i==nqueries) continue;

←

Assuming 'i' is not equal to 'nqueries'

→

←

Taking false branch

→

176

if (alens[i]) continue;

←

Taking false branch

→

177

178

/* Only accept positive or negative responses;

179

* retry immediately on server failure, and ignore

180

* all other codes such as refusal. */

181

switch (answers[next][3] & 15) {

←

Control jumps to 'case 2:' at line 185

→

182

case 0:

183

case 3:

184

break;

185

case 2:

186

if (servfail_retry && servfail_retry--)

←

Branch condition evaluates to a garbage value

187

sendto(fd, queries[i],

188

qlens[i], MSG_NOSIGNAL0x4000,

189

(void *)&ns[j], sl);

190

default:

191

continue;

192

}

193

194

/* Store answer in the right slot, or update next

195

* available temp slot if it's already in place. */

196

alens[i] = rlen;

197

if (i == next)

198

for (; next<nqueries && alens[next]; next++);

199

else

200

memcpy(answers[i], answers[next], rlen);

201

202

if (next == nqueries) goto out;

203

}

204

}

205

out:

206

pthread_cleanup_pop(1)_pthread_cleanup_pop(&__cb, (1)); } while(0);

207

208

return 0;

209

}