/home/stefan/src/qemu/qemu.org/qemu/util/qemu-config.c

Bug Summary

File:	util/qemu-config.c
Location:	line 87, column 12
Description:	Access to field 'next' results in a dereference of a null pointer (loaded from variable 'cur')

Annotated Source Code

#include "qemu-common.h"

#include "qemu/error-report.h"

#include "qemu/option.h"

#include "qemu/config-file.h"

#include "qapi/qmp/qerror.h"

#include "hw/qdev.h"

#include "qapi/error.h"

#include "qmp-commands.h"

static QemuOptsList *vm_config_groups[32];

static QemuOptsList *drive_config_groups[4];

static QemuOptsList *find_list(QemuOptsList **lists, const char *group,

Error **errp)

{

int i;

for (i = 0; lists[i] != NULL((void*)0); i++) {

if (strcmp(lists[i]->name, group) == 0)

break;

}

if (lists[i] == NULL((void*)0)) {

error_set(errp, QERR_INVALID_OPTION_GROUPERROR_CLASS_GENERIC_ERROR, "There is no option group '%s'", group);

}

return lists[i];

}

QemuOptsList *qemu_find_opts(const char *group)

{

QemuOptsList *ret;

Error *local_err = NULL((void*)0);

ret = find_list(vm_config_groups, group, &local_err);

if (error_is_set(&local_err)) {

error_report("%s", error_get_pretty(local_err));

error_free(local_err);

}

return ret;

}

static CommandLineParameterInfoList *query_option_descs(const QemuOptDesc *desc)

{

CommandLineParameterInfoList *param_list = NULL((void*)0), *entry;

CommandLineParameterInfo *info;

int i;

for (i = 0; desc[i].name != NULL((void*)0); i++) {

info = g_malloc0(sizeof(*info));

info->name = g_strdup(desc[i].name);

switch (desc[i].type) {

case QEMU_OPT_STRING:

info->type = COMMAND_LINE_PARAMETER_TYPE_STRING;

break;

case QEMU_OPT_BOOL:

info->type = COMMAND_LINE_PARAMETER_TYPE_BOOLEAN;

break;

case QEMU_OPT_NUMBER:

info->type = COMMAND_LINE_PARAMETER_TYPE_NUMBER;

break;

case QEMU_OPT_SIZE:

info->type = COMMAND_LINE_PARAMETER_TYPE_SIZE;

break;

}

if (desc[i].help) {

info->has_help = true1;

info->help = g_strdup(desc[i].help);

}

entry = g_malloc0(sizeof(*entry));

entry->value = info;

entry->next = param_list;

param_list = entry;

}

return param_list;

}

/* remove repeated entry from the info list */

static void cleanup_infolist(CommandLineParameterInfoList *head)

{

CommandLineParameterInfoList *pre_entry, *cur, *del_entry;

cur = head;

←

Null pointer value stored to 'cur'

→

while (cur->next) {

←

Access to field 'next' results in a dereference of a null pointer (loaded from variable 'cur')

pre_entry = head;

while (pre_entry != cur->next) {

if (!strcmp(pre_entry->value->name, cur->next->value->name)) {

del_entry = cur->next;

cur->next = cur->next->next;

g_free(del_entry);

break;

}

pre_entry = pre_entry->next;

}

cur = cur->next;

}

100

}

101

102

/* merge the description items of two parameter infolists */

103

static void connect_infolist(CommandLineParameterInfoList *head,

104

CommandLineParameterInfoList *new)

105

{

106

CommandLineParameterInfoList *cur;

107

108

cur = head;

109

while (cur->next) {

110

cur = cur->next;

111

}

112

cur->next = new;

113

}

114

115

/* access all the local QemuOptsLists for drive option */

116

static CommandLineParameterInfoList *get_drive_infolist(void)

117

{

118

CommandLineParameterInfoList *head = NULL((void*)0), *cur;

'head' initialized to a null pointer value

→

119

int i;

120

121

for (i = 0; drive_config_groups[i] != NULL((void*)0); i++) {

←

Loop condition is false. Execution continues on line 129

→

122

if (!head) {

123

head = query_option_descs(drive_config_groups[i]->desc);

124

} else {

125

cur = query_option_descs(drive_config_groups[i]->desc);

126

connect_infolist(head, cur);

127

}

128

}

129

cleanup_infolist(head);

←

Passing null pointer value via 1st parameter 'head'

→

←

Calling 'cleanup_infolist'

→

130

131

return head;

132

}

133

134

CommandLineOptionInfoList *qmp_query_command_line_options(bool_Bool has_option,

135

const char *option,

136

Error **errp)

137

{

138

CommandLineOptionInfoList *conf_list = NULL((void*)0), *entry;

139

CommandLineOptionInfo *info;

140

int i;

141

142

for (i = 0; vm_config_groups[i] != NULL((void*)0); i++) {

143

if (!has_option || !strcmp(option, vm_config_groups[i]->name)) {

144

info = g_malloc0(sizeof(*info));

145

info->option = g_strdup(vm_config_groups[i]->name);

146

if (!strcmp("drive", vm_config_groups[i]->name)) {

147

info->parameters = get_drive_infolist();

148

} else {

149

info->parameters =

150

query_option_descs(vm_config_groups[i]->desc);

151

}

152

entry = g_malloc0(sizeof(*entry));

153

entry->value = info;

154

entry->next = conf_list;

155

conf_list = entry;

156

}

157

}

158

159

if (conf_list == NULL((void*)0)) {

160

error_setg(errp, "invalid option name: %s", option)error_set(errp, ERROR_CLASS_GENERIC_ERROR, "invalid option name: %s"
, option);

161

}

162

163

return conf_list;

164

}

165

166

QemuOptsList *qemu_find_opts_err(const char *group, Error **errp)

167

{

168

return find_list(vm_config_groups, group, errp);

169

}

170

171

void qemu_add_drive_opts(QemuOptsList *list)

172

{

173

int entries, i;

174

175

entries = ARRAY_SIZE(drive_config_groups)(sizeof(drive_config_groups) / sizeof((drive_config_groups)[0
]));

176

entries--; /* keep list NULL terminated */

177

for (i = 0; i < entries; i++) {

178

if (drive_config_groups[i] == NULL((void*)0)) {

179

drive_config_groups[i] = list;

180

return;

181

}

182

}

183

fprintf(stderrstderr, "ran out of space in drive_config_groups");

184

abort();

185

}

186

187

void qemu_add_opts(QemuOptsList *list)

188

{

189

int entries, i;

190

191

entries = ARRAY_SIZE(vm_config_groups)(sizeof(vm_config_groups) / sizeof((vm_config_groups)[0]));

192

entries--; /* keep list NULL terminated */

193

for (i = 0; i < entries; i++) {

194

if (vm_config_groups[i] == NULL((void*)0)) {

195

vm_config_groups[i] = list;

196

return;

197

}

198

}

199

fprintf(stderrstderr, "ran out of space in vm_config_groups");

200

abort();

201

}

202

203

int qemu_set_option(const char *str)

204

{

205

char group[64], id[64], arg[64];

206

QemuOptsList *list;

207

QemuOpts *opts;

208

int rc, offset;

209

210

rc = sscanf(str, "%63[^.].%63[^.].%63[^=]%n", group, id, arg, &offset);

211

if (rc < 3 || str[offset] != '=') {

212

error_report("can't parse: \"%s\"", str);

213

return -1;

214

}

215

216

list = qemu_find_opts(group);

217

if (list == NULL((void*)0)) {

218

return -1;

219

}

220

221

opts = qemu_opts_find(list, id);

222

if (!opts) {

223

error_report("there is no %s \"%s\" defined",

224

list->name, id);

225

return -1;

226

}

227

228

if (qemu_opt_set(opts, arg, str+offset+1) == -1) {

229

return -1;

230

}

231

return 0;

232

}

233

234

struct ConfigWriteData {

235

QemuOptsList *list;

236

FILE *fp;

237

};

238

239

static int config_write_opt(const char *name, const char *value, void *opaque)

240

{

241

struct ConfigWriteData *data = opaque;

242

243

fprintf(data->fp, " %s = \"%s\"\n", name, value);

244

return 0;

245

}

246

247

static int config_write_opts(QemuOpts *opts, void *opaque)

248

{

249

struct ConfigWriteData *data = opaque;

250

const char *id = qemu_opts_id(opts);

251

252

if (id) {

253

fprintf(data->fp, "[%s \"%s\"]\n", data->list->name, id);

254

} else {

255

fprintf(data->fp, "[%s]\n", data->list->name);

256

}

257

qemu_opt_foreach(opts, config_write_opt, data, 0);

258

fprintf(data->fp, "\n");

259

return 0;

260

}

261

262

void qemu_config_write(FILE *fp)

263

{

264

struct ConfigWriteData data = { .fp = fp };

265

QemuOptsList **lists = vm_config_groups;

266

int i;

267

268

fprintf(fp, "# qemu config file\n\n");

269

for (i = 0; lists[i] != NULL((void*)0); i++) {

270

data.list = lists[i];

271

qemu_opts_foreach(data.list, config_write_opts, &data, 0);

272

}

273

}

274

275

int qemu_config_parse(FILE *fp, QemuOptsList **lists, const char *fname)

276

{

277

char line[1024], group[64], id[64], arg[64], value[1024];

278

Location loc;

279

QemuOptsList *list = NULL((void*)0);

280

Error *local_err = NULL((void*)0);

281

QemuOpts *opts = NULL((void*)0);

282

int res = -1, lno = 0;

283

284

loc_push_none(&loc);

285

while (fgets(line, sizeof(line), fp) != NULL((void*)0)) {

286

loc_set_file(fname, ++lno);

287

if (line[0] == '\n') {

288

/* skip empty lines */

289

continue;

290

}

291

if (line[0] == '#') {

292

/* comment */

293

continue;

294

}

295

if (sscanf(line, "[%63s \"%63[^\"]\"]", group, id) == 2) {

296

/* group with id */

297

list = find_list(lists, group, &local_err);

298

if (error_is_set(&local_err)) {

299

error_report("%s", error_get_pretty(local_err));

300

error_free(local_err);

301

goto out;

302

}

303

opts = qemu_opts_create(list, id, 1, NULL((void*)0));

304

continue;

305

}

306

if (sscanf(line, "[%63[^]]]", group) == 1) {

307

/* group without id */

308

list = find_list(lists, group, &local_err);

309

if (error_is_set(&local_err)) {

310

error_report("%s", error_get_pretty(local_err));

311

error_free(local_err);

312

goto out;

313

}

314

opts = qemu_opts_create_nofail(list);

315

continue;

316

}

317

if (sscanf(line, " %63s = \"%1023[^\"]\"", arg, value) == 2) {

318

/* arg = value */

319

if (opts == NULL((void*)0)) {

320

error_report("no group defined");

321

goto out;

322

}

323

if (qemu_opt_set(opts, arg, value) != 0) {

324

goto out;

325

}

326

continue;

327

}

328

error_report("parse error");

329

goto out;

330

}

331

if (ferror(fp)) {

332

error_report("error reading file");

333

goto out;

334

}

335

res = 0;

336

out:

337

loc_pop(&loc);

338

return res;

339

}

340

341

int qemu_read_config_file(const char *filename)

342

{

343

FILE *f = fopen(filename, "r");

344

int ret;

345

346

if (f == NULL((void*)0)) {

347

return -errno(*__errno_location ());

348

}

349

350

ret = qemu_config_parse(f, vm_config_groups, filename);

351

fclose(f);

352

353

if (ret == 0) {

354

return 0;

355

} else {

356

return -EINVAL22;

357

}

358

}