/home/stefan/src/qemu/qemu.org/qemu/slirp/misc.c

Bug Summary

File:	slirp/misc.c
Location:	line 324, column 24
Description:	Branch condition evaluates to a garbage value

Annotated Source Code

* Please read the file COPYRIGHT for the

* terms and conditions of the copyright.

#include <slirp.h>

#include <libslirp.h>

#include "monitor/monitor.h"

#include "qemu/main-loop.h"

#ifdef DEBUG

int slirp_debug = DBG_CALL|DBG_MISC|DBG_ERROR;

#endif

struct quehead {

struct quehead *qh_link;

struct quehead *qh_rlink;

};

inline void

insqueslirp_insque(void *a, void *b)

{

element->qh_link = head->qh_link;

head->qh_link = (struct quehead *)element;

element->qh_rlink = (struct quehead *)head;

((struct quehead *)(element->qh_link))->qh_rlink

= (struct quehead *)element;

}

inline void

remqueslirp_remque(void *a)

{

((struct quehead *)(element->qh_link))->qh_rlink = element->qh_rlink;

((struct quehead *)(element->qh_rlink))->qh_link = element->qh_link;

element->qh_rlink = NULL((void*)0);

}

int add_exec(struct ex_list **ex_ptr, int do_pty, char *exec,

struct in_addr addr, int port)

{

struct ex_list *tmp_ptr;

/* First, check if the port is "bound" */

for (tmp_ptr = *ex_ptr; tmp_ptr; tmp_ptr = tmp_ptr->ex_next) {

if (port == tmp_ptr->ex_fport &&

addr.s_addr == tmp_ptr->ex_addr.s_addr)

return -1;

}

tmp_ptr = *ex_ptr;

*ex_ptr = (struct ex_list *)malloc(sizeof(struct ex_list));

(*ex_ptr)->ex_fport = port;

(*ex_ptr)->ex_addr = addr;

(*ex_ptr)->ex_pty = do_pty;

(*ex_ptr)->ex_exec = (do_pty == 3) ? exec : strdup(exec);

(*ex_ptr)->ex_next = tmp_ptr;

return 0;

}

#ifndef HAVE_STRERROR

* For systems with no strerror

extern int sys_nerr;

extern char *sys_errlist[];

char *

strerror(error)

int error;

{

if (error < sys_nerr)

return sys_errlist[error];

else

return "Unknown error.";

}

#endif

#ifdef _WIN32

int

fork_exec(struct socket *so, const char *ex, int do_pty)

{

/* not implemented */

return 0;

}

#else

100

* XXX This is ugly

101

* We create and bind a socket, then fork off to another

102

* process, which connects to this socket, after which we

103

* exec the wanted program. If something (strange) happens,

104

* the accept() call could block us forever.

105

106

* do_pty = 0 Fork/exec inetd style

107

* do_pty = 1 Fork/exec using slirp.telnetd

108

* do_ptr = 2 Fork/exec using pty

109

110

int

111

fork_exec(struct socket *so, const char *ex, int do_pty)

112

{

113

int s;

114

struct sockaddr_in addr;

115

socklen_t addrlen = sizeof(addr);

116

int opt;

117

const char *argv[256];

118

/* don't want to clobber the original */

119

char *bptr;

120

const char *curarg;

121

int c, i, ret;

122

pid_t pid;

123

124

DEBUG_CALL("fork_exec");

125

DEBUG_ARG("so = %lx", (long)so);

126

DEBUG_ARG("ex = %lx", (long)ex);

127

DEBUG_ARG("do_pty = %lx", (long)do_pty);

128

129

if (do_pty == 2) {

130

return 0;

131

} else {

132

addr.sin_family = AF_INET2;

133

addr.sin_port = 0;

134

addr.sin_addr.s_addr = INADDR_ANY((in_addr_t) 0x00000000);

135

136

if ((s = qemu_socket(AF_INET2, SOCK_STREAMSOCK_STREAM, 0)) < 0 ||

137

bind(s, (struct sockaddr *)&addr, addrlen) < 0 ||

138

listen(s, 1) < 0) {

139

lprint("Error: inet socket: %s\n", strerror(errno(*__errno_location ())));

140

closesocket(s)close(s);

141

142

return 0;

143

}

144

}

145

146

pid = fork();

147

switch(pid) {

148

case -1:

149

lprint("Error: fork failed: %s\n", strerror(errno(*__errno_location ())));

150

close(s);

151

return 0;

152

153

case 0:

154

setsid();

155

156

/* Set the DISPLAY */

157

getsockname(s, (struct sockaddr *)&addr, &addrlen);

158

close(s);

159

160

* Connect to the socket

161

* XXX If any of these fail, we're in trouble!

162

163

s = qemu_socket(AF_INET2, SOCK_STREAMSOCK_STREAM, 0);

164

addr.sin_addr = loopback_addr;

165

do {

166

ret = connect(s, (struct sockaddr *)&addr, addrlen);

167

} while (ret < 0 && errno(*__errno_location ()) == EINTR4);

168

169

dup2(s, 0);

170

dup2(s, 1);

171

dup2(s, 2);

172

for (s = getdtablesize() - 1; s >= 3; s--)

173

close(s);

174

175

i = 0;

176

bptr = g_strdup(ex); /* No need to free() this */

177

if (do_pty == 1) {

178

/* Setup "slirp.telnetd -x" */

179

argv[i++] = "slirp.telnetd";

180

argv[i++] = "-x";

181

argv[i++] = bptr;

182

} else

183

do {

184

/* Change the string into argv[] */

185

curarg = bptr;

186

while (*bptr != ' ' && *bptr != (char)0)

187

bptr++;

188

c = *bptr;

189

*bptr++ = (char)0;

190

argv[i++] = strdup(curarg);

191

} while (c);

192

193

argv[i] = NULL((void*)0);

194

execvp(argv[0], (char **)argv);

195

196

/* Ooops, failed, let's tell the user why */

197

fprintf(stderrstderr, "Error: execvp of %s failed: %s\n",

198

argv[0], strerror(errno(*__errno_location ())));

199

close(0); close(1); close(2); /* XXX */

200

exit(1);

201

202

default:

203

qemu_add_child_watch(pid);

204

205

* XXX this could block us...

206

* XXX Should set a timer here, and if accept() doesn't

207

* return after X seconds, declare it a failure

208

* The only reason this will block forever is if socket()

209

* of connect() fail in the child process

210

211

do {

212

so->s = accept(s, (struct sockaddr *)&addr, &addrlen);

213

} while (so->s < 0 && errno(*__errno_location ()) == EINTR4);

214

closesocket(s)close(s);

215

socket_set_fast_reuse(so->s);

216

opt = 1;

217

qemu_setsockopt(so->s, SOL_SOCKET, SO_OOBINLINE, &opt, sizeof(int))setsockopt(so->s, 1, 10, &opt, sizeof(int));

218

qemu_set_nonblock(so->s);

219

220

/* Append the telnet options now */

221

if (so->so_m != NULL((void*)0) && do_pty == 1) {

222

sbappend(so, so->so_m);

223

so->so_m = NULL((void*)0);

224

}

225

226

return 1;

227

}

228

}

229

#endif

230

231

#ifndef HAVE_STRDUP

232

char *

233

strdup(str)

234

const char *str;

235

{

236

char *bptr;

237

238

bptr = (char *)malloc(strlen(str)+1);

239

strcpy(bptr, str);

240

241

return bptr;

242

}

243

#endif

244

245

void lprint(const char *format, ...)

246

{

247

va_list args;

248

249

va_start(args, format)__builtin_va_start(args, format);

250

monitor_vprintf(default_mon, format, args);

251

va_end(args)__builtin_va_end(args);

252

}

253

254

void slirp_connection_info(Slirp *slirp, Monitor *mon)

255

{

256

const char * const tcpstates[] = {

257

[TCPS_CLOSED0] = "CLOSED",

258

[TCPS_LISTEN1] = "LISTEN",

259

[TCPS_SYN_SENT2] = "SYN_SENT",

260

[TCPS_SYN_RECEIVED3] = "SYN_RCVD",

261

[TCPS_ESTABLISHED4] = "ESTABLISHED",

262

[TCPS_CLOSE_WAIT5] = "CLOSE_WAIT",

263

[TCPS_FIN_WAIT_16] = "FIN_WAIT_1",

264

[TCPS_CLOSING7] = "CLOSING",

265

[TCPS_LAST_ACK8] = "LAST_ACK",

266

[TCPS_FIN_WAIT_29] = "FIN_WAIT_2",

267

[TCPS_TIME_WAIT10] = "TIME_WAIT",

268

};

269

struct in_addr dst_addr;

270

struct sockaddr_in src;

271

socklen_t src_len;

272

uint16_t dst_port;

273

struct socket *so;

274

const char *state;

275

char buf[20];

276

277

monitor_printf(mon, " Protocol[State] FD Source Address Port "

278

"Dest. Address Port RecvQ SendQ\n");

279

280

for (so = slirp->tcb.so_next; so != &slirp->tcb; so = so->so_next) {

Loop condition is false. Execution continues on line 308

→

281

if (so->so_state & SS_HOSTFWD0x1000) {

282

state = "HOST_FORWARD";

283

} else if (so->so_tcpcb) {

284

state = tcpstates[so->so_tcpcb->t_state];

285

} else {

286

state = "NONE";

287

}

288

if (so->so_state & (SS_HOSTFWD0x1000 | SS_INCOMING0x2000)) {

289

src_len = sizeof(src);

290

getsockname(so->s, (struct sockaddr *)&src, &src_len);

291

dst_addr = so->so_laddr;

292

dst_port = so->so_lport;

293

} else {

294

src.sin_addr = so->so_laddr;

295

src.sin_port = so->so_lport;

296

dst_addr = so->so_faddr;

297

dst_port = so->so_fport;

298

}

299

snprintf(buf, sizeof(buf), " TCP[%s]", state);

300

monitor_printf(mon, "%-19s %3d %15s %5d ", buf, so->s,

301

src.sin_addr.s_addr ? inet_ntoa(src.sin_addr) : "*",

302

ntohs(src.sin_port));

303

monitor_printf(mon, "%15s %5d %5d %5d\n",

304

inet_ntoa(dst_addr), ntohs(dst_port),

305

so->so_rcv.sb_cc, so->so_snd.sb_cc);

306

}

307

308

for (so = slirp->udb.so_next; so != &slirp->udb; so = so->so_next) {

←

Loop condition is true. Entering loop body

→

309

if (so->so_state & SS_HOSTFWD0x1000) {

←

Taking true branch

→

310

snprintf(buf, sizeof(buf), " UDP[HOST_FORWARD]");

311

src_len = sizeof(src);

312

getsockname(so->s, (struct sockaddr *)&src, &src_len);

313

dst_addr = so->so_laddr;

314

dst_port = so->so_lport;

315

} else {

316

snprintf(buf, sizeof(buf), " UDP[%d sec]",

317

(so->so_expire - curtime) / 1000);

318

src.sin_addr = so->so_laddr;

319

src.sin_port = so->so_lport;

320

dst_addr = so->so_faddr;

321

dst_port = so->so_fport;

322

}

323

monitor_printf(mon, "%-19s %3d %15s %5d ", buf, so->s,

324

src.sin_addr.s_addr ? inet_ntoa(src.sin_addr) : "*",

←

Branch condition evaluates to a garbage value

325

ntohs(src.sin_port));

326

monitor_printf(mon, "%15s %5d %5d %5d\n",

327

inet_ntoa(dst_addr), ntohs(dst_port),

328

so->so_rcv.sb_cc, so->so_snd.sb_cc);

329

}

330

331

for (so = slirp->icmp.so_next; so != &slirp->icmp; so = so->so_next) {

332

snprintf(buf, sizeof(buf), " ICMP[%d sec]",

333

(so->so_expire - curtime) / 1000);

334

src.sin_addr = so->so_laddr;

335

dst_addr = so->so_faddr;

336

monitor_printf(mon, "%-19s %3d %15s - ", buf, so->s,

337

src.sin_addr.s_addr ? inet_ntoa(src.sin_addr) : "*");

338

monitor_printf(mon, "%15s - %5d %5d\n", inet_ntoa(dst_addr),

339

so->so_rcv.sb_cc, so->so_snd.sb_cc);

340

}

341

}