../src/fd-net-device/helper/creator-utils.cc

Bug Summary

File:	/tmp/asd-nat/home/nat/Work/ns-3-dev-git/build/../src/fd-net-device/helper/creator-utils.cc
Location:	line 152, column 20
Description:	Access to field 'cmsg_level' results in a dereference of a null pointer (loaded from variable 'cmsg')

Annotated Source Code

/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */

* Copyright (c) University of Washington

* This program is free software; you can redistribute it and/or modify

* it under the terms of the GNU General Public License version 2 as

* published by the Free Software Foundation;

* This program is distributed in the hope that it will be useful,

* but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

* GNU General Public License for more details.

* You should have received a copy of the GNU General Public License

* along with this program; if not, write to the Free Software

* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

#include <unistd.h>

#include <string>

#include <cstring>

#include <iostream>

#include <iomanip>

#include <sstream>

#include <stdlib.h>

#include <errno(*__errno_location ()).h>

#include <sys/socket.h>

#include <sys/un.h>

#include <sys/ioctl.h>

#include <net/ethernet.h>

#include <net/if.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include "creator-utils.h"

#include "encode-decode.h"

namespace ns3 {

/// Flag to enable / disable verbose log mode

int gVerbose = 0;

/**

* \brief Send the file descriptor back to the code that invoked the creation.

* \param path The socket address information from the Unix socket we use

* to send the created socket back to.

* \param fd The file descriptor we're going to send.

* \param magic_number A verification number to verify the caller is talking to the

* right process.

void

SendSocket (const char *path, int fd, const int magic_number)

{

// Open a Unix (local interprocess) socket to call back to the emu net

// device.

LOG ("Create Unix socket")if (gVerbose) { std::cout << __FUNCTION__ << "(): "
<< "Create Unix socket" << std::endl; };

int sock = socket (PF_UNIX1, SOCK_DGRAMSOCK_DGRAM, 0);

ABORT_IF (sock == -1, "Unable to open socket", 1)if (sock == -1) { std::cout << "../src/fd-net-device/helper/creator-utils.cc"
<< ": fatal error at line " << 62 << ": " <<
__FUNCTION__ << "(): " << "Unable to open socket"
<< std::endl; if (1) { std::cout << " errno = "
<< (*__errno_location ()) << " (" << strerror
((*__errno_location ())) << ")" << std::endl; } exit
(-1);; };

// We have this string called path, which is really a hex representation

// of the endpoint that the net device created. It used a forward encoding

// method (BufferToString) to take the sockaddr_un it made and passed

// the resulting string to us. So we need to take the inverse method

// (StringToBuffer) and build the same sockaddr_un over here.

socklen_t clientAddrLen;

struct sockaddr_un clientAddr;

LOG ("Decode address " << path)if (gVerbose) { std::cout << __FUNCTION__ << "(): "
<< "Decode address " << path << std::endl;
};

bool rc = ns3::StringToBuffer (path, (uint8_t *)&clientAddr, &clientAddrLen);

ABORT_IF (rc == false, "Unable to decode path", 0)if (rc == false) { std::cout << "../src/fd-net-device/helper/creator-utils.cc"
<< ": fatal error at line " << 76 << ": " <<
__FUNCTION__ << "(): " << "Unable to decode path"
<< std::endl; if (0) { std::cout << " errno = "
<< (*__errno_location ()) << " (" << strerror
((*__errno_location ())) << ")" << std::endl; } exit
(-1);; };

LOG ("Connect")if (gVerbose) { std::cout << __FUNCTION__ << "(): "
<< "Connect" << std::endl; };

int status = connect (sock, (struct sockaddr*)&clientAddr, clientAddrLen);

ABORT_IF (status == -1, "Unable to connect to emu device", 1)if (status == -1) { std::cout << "../src/fd-net-device/helper/creator-utils.cc"
<< ": fatal error at line " << 80 << ": " <<
__FUNCTION__ << "(): " << "Unable to connect to emu device"
<< std::endl; if (1) { std::cout << " errno = "
<< (*__errno_location ()) << " (" << strerror
((*__errno_location ())) << ")" << std::endl; } exit
(-1);; };

LOG ("Connected")if (gVerbose) { std::cout << __FUNCTION__ << "(): "
<< "Connected" << std::endl; };

// This is arcane enough that a few words are worthwhile to explain what's

// going on here.

// The interesting information (the socket FD) is going to go back to the

// fd net device as an integer of ancillary data. Ancillary data is bits

// that are not a part a socket payload (out-of-band data). We're also

// going to send one integer back. It's just initialized to a magic number

// we use to make sure that the fd device is talking to the emu socket

// creator and not some other creator process.

// The struct iovec below is part of a scatter-gather list. It describes a

// buffer. In this case, it describes a buffer (an integer) containing the

// data that we're going to send back to the emu net device (that magic

// number).

100

struct iovec iov;

101

uint32_t magic = magic_number;

102

iov.iov_base = &magic;

103

iov.iov_len = sizeof(magic);

104

105

106

// The CMSG macros you'll see below are used to create and access control

107

// messages (which is another name for ancillary data). The ancillary

108

// data is made up of pairs of struct cmsghdr structures and associated

109

// data arrays.

110

111

// First, we're going to allocate a buffer on the stack to contain our

112

// data array (that contains the socket). Sometimes you'll see this called

113

// an "ancillary element" but the msghdr uses the control message termimology

114

// so we call it "control."

115

116

size_t msg_size = sizeof(int);

117

char control[CMSG_SPACE (msg_size)((((msg_size) + sizeof (size_t) - 1) & (size_t) ~(sizeof (
size_t) - 1)) + (((sizeof (struct cmsghdr)) + sizeof (size_t)
- 1) & (size_t) ~(sizeof (size_t) - 1)))];

118

119

120

// There is a msghdr that is used to minimize the number of parameters

121

// passed to sendmsg (which we will use to send our ancillary data). This

122

// structure uses terminology corresponding to control messages, so you'll

123

// see msg_control, which is the pointer to the ancillary data and controllen

124

// which is the size of the ancillary data array.

125

126

// So, initialize the message header that describes our ancillary/control data

127

// and point it to the control message/ancillary data we just allocated space

128

// for.

129

130

struct msghdr msg;

131

msg.msg_name = 0;

132

msg.msg_namelen = 0;

133

msg.msg_iov = &iov;

134

msg.msg_iovlen = 1;

135

msg.msg_control = control;

136

msg.msg_controllen = sizeof (control);

137

msg.msg_flags = 0;

138

139

140

// A cmsghdr contains a length field that is the length of the header and

141

// the data. It has a cmsg_level field corresponding to the originating

142

// protocol. This takes values which are legal levels for getsockopt and

143

// setsockopt (here SOL_SOCKET). We're going to use the SCM_RIGHTS type of

144

// cmsg, that indicates that the ancillary data array contains access rights

145

// that we are sending back to the emu net device.

146

147

// We have to put together the first (and only) cmsghdr that will describe

148

// the whole package we're sending.

149

150

struct cmsghdr *cmsg;

151

cmsg = CMSG_FIRSTHDR (&msg)((size_t) (&msg)->msg_controllen >= sizeof (struct cmsghdr
) ? (struct cmsghdr *) (&msg)->msg_control : (struct cmsghdr
*) 0);

Null pointer value stored to 'cmsg'

→

152

cmsg->cmsg_level = SOL_SOCKET1;

←

Access to field 'cmsg_level' results in a dereference of a null pointer (loaded from variable 'cmsg')

153

cmsg->cmsg_type = SCM_RIGHTSSCM_RIGHTS;

154

cmsg->cmsg_len = CMSG_LEN (msg_size)((((sizeof (struct cmsghdr)) + sizeof (size_t) - 1) & (size_t
) ~(sizeof (size_t) - 1)) + (msg_size));

155

156

// We also have to update the controllen in case other stuff is actually

157

// in there we may not be aware of (due to macros).

158

159

msg.msg_controllen = cmsg->cmsg_len;

160

161

162

// Finally, we get a pointer to the start of the ancillary data array and

163

// put our file descriptor in.

164

165

int *fdptr = (int*)(CMSG_DATA (cmsg)((unsigned char *) ((struct cmsghdr *) (cmsg) + 1)));

166

*fdptr = fd; //

167

168

169

// Actually send the file descriptor back to the emulated net device.

170

171

ssize_t len = sendmsg (sock, &msg, 0);

172

ABORT_IF (len == -1, "Could not send socket back to emu net device", 1)if (len == -1) { std::cout << "../src/fd-net-device/helper/creator-utils.cc"
<< ": fatal error at line " << 172 << ": "
<< __FUNCTION__ << "(): " << "Could not send socket back to emu net device"
<< std::endl; if (1) { std::cout << " errno = "
<< (*__errno_location ()) << " (" << strerror
((*__errno_location ())) << ")" << std::endl; } exit
(-1);; };

173

174

LOG ("sendmsg complete")if (gVerbose) { std::cout << __FUNCTION__ << "(): "
<< "sendmsg complete" << std::endl; };

175

}

176

177

} // namespace ns3