Bug Summary

File:build-scan/../src/journal-remote/microhttpd-util.c
Warning:line 295, column 13
Potential leak of memory pointed to by 'buf'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name microhttpd-util.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model static -mframe-pointer=all -relaxed-aliasing -menable-no-infs -menable-no-nans -menable-unsafe-fp-math -fno-signed-zeros -mreassociate -freciprocal-math -fdenormal-fp-math=preserve-sign,preserve-sign -ffp-contract=fast -fno-rounding-math -ffast-math -ffinite-math-only -mconstructor-aliases -munwind-tables -target-cpu x86-64 -tune-cpu generic -fno-split-dwarf-inlining -debugger-tuning=gdb -resource-dir /usr/lib64/clang/12.0.0 -include config.h -I systemd-journal-gatewayd.p -I . -I .. -I src/basic -I ../src/basic -I src/shared -I ../src/shared -I src/systemd -I ../src/systemd -I src/journal -I ../src/journal -I src/journal-remote -I ../src/journal-remote -I src/nspawn -I ../src/nspawn -I src/resolve -I ../src/resolve -I src/timesync -I ../src/timesync -I ../src/time-wait-sync -I src/login -I ../src/login -I src/udev -I ../src/udev -I src/libudev -I ../src/libudev -I src/core -I ../src/core -I ../src/libsystemd/sd-bus -I ../src/libsystemd/sd-device -I ../src/libsystemd/sd-hwdb -I ../src/libsystemd/sd-id128 -I ../src/libsystemd/sd-netlink -I ../src/libsystemd/sd-network -I src/libsystemd-network -I ../src/libsystemd-network -I /usr/include/p11-kit-1 -D _FILE_OFFSET_BITS=64 -internal-isystem /usr/local/include -internal-isystem /usr/lib64/clang/12.0.0/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -Wwrite-strings -Wno-unused-parameter -Wno-missing-field-initializers -Wno-unused-result -Wno-format-signedness -Wno-error=nonnull -std=gnu99 -fconst-strings -fdebug-compilation-dir /home/mrc0mmand/repos/@redhat-plumbers/systemd-rhel8/build-scan -ferror-limit 19 -fvisibility hidden -stack-protector 2 -fgnuc-version=4.2.1 -fcolor-diagnostics -analyzer-output=html -faddrsig -o /tmp/scan-build-2021-07-16-221226-1465241-1 -x c ../src/journal-remote/microhttpd-util.c
1/* SPDX-License-Identifier: LGPL-2.1+ */
2
3#include <stddef.h>
4#include <stdio.h>
5#include <string.h>
6
7#if HAVE_GNUTLS1
8#include <gnutls/gnutls.h>
9#include <gnutls/x509.h>
10#endif
11
12#include "alloc-util.h"
13#include "log.h"
14#include "macro.h"
15#include "microhttpd-util.h"
16#include "string-util.h"
17#include "strv.h"
18#include "util.h"
19
20void microhttpd_logger(void *arg, const char *fmt, va_list ap) {
21 char *f;
22
23 f = strjoina("microhttpd: ", fmt)({ const char *_appendees_[] = { "microhttpd: ", fmt }; char *
_d_, *_p_; size_t _len_ = 0; size_t _i_; for (_i_ = 0; _i_ <
__extension__ (__builtin_choose_expr( !__builtin_types_compatible_p
(typeof(_appendees_), typeof(&*(_appendees_))), sizeof(_appendees_
)/sizeof((_appendees_)[0]), ((void)0))) && _appendees_
[_i_]; _i_++) _len_ += strlen(_appendees_[_i_]); _p_ = _d_ = __builtin_alloca
(_len_ + 1); for (_i_ = 0; _i_ < __extension__ (__builtin_choose_expr
( !__builtin_types_compatible_p(typeof(_appendees_), typeof(&
*(_appendees_))), sizeof(_appendees_)/sizeof((_appendees_)[0]
), ((void)0))) && _appendees_[_i_]; _i_++) _p_ = stpcpy
(_p_, _appendees_[_i_]); *_p_ = 0; _d_; });
24
25 DISABLE_WARNING_FORMAT_NONLITERALGCC diagnostic push ; GCC diagnostic ignored "-Wformat-nonliteral"
;
26 log_internalv(LOG_INFO, 0, NULL, 0, NULL, f, ap)log_internalv_realm(((LOG_REALM_SYSTEMD) << 10 | ((6)))
, 0, ((void*)0), 0, ((void*)0), f, ap);
27 REENABLE_WARNINGGCC diagnostic pop ;
28}
29
30static int mhd_respond_internal(struct MHD_Connection *connection,
31 enum MHD_RequestTerminationCode code,
32 const char *buffer,
33 size_t size,
34 enum MHD_ResponseMemoryMode mode) {
35 assert(connection)do { if ((__builtin_expect(!!(!(connection)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("connection"), "../src/journal-remote/microhttpd-util.c"
, 35, __PRETTY_FUNCTION__); } while (0);
36
37 _cleanup_(MHD_destroy_responsep)__attribute__((cleanup(MHD_destroy_responsep))) struct MHD_Response *response
38 = MHD_create_response_from_buffer(size, (char*) buffer, mode);
39 if (!response)
40 return MHD_NO;
41
42 log_debug("Queueing response %u: %s", code, buffer)({ int _level = (((7))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 42, __func__, "Queueing response %u: %s"
, code, buffer) : -abs(_e); });
43 MHD_add_response_header(response, "Content-Type", "text/plain");
44 return MHD_queue_response(connection, code, response);
45}
46
47int mhd_respond(struct MHD_Connection *connection,
48 enum MHD_RequestTerminationCode code,
49 const char *message) {
50
51 const char *fmt;
52
53 fmt = strjoina(message, "\n")({ const char *_appendees_[] = { message, "\n" }; char *_d_, *
_p_; size_t _len_ = 0; size_t _i_; for (_i_ = 0; _i_ < __extension__
(__builtin_choose_expr( !__builtin_types_compatible_p(typeof
(_appendees_), typeof(&*(_appendees_))), sizeof(_appendees_
)/sizeof((_appendees_)[0]), ((void)0))) && _appendees_
[_i_]; _i_++) _len_ += strlen(_appendees_[_i_]); _p_ = _d_ = __builtin_alloca
(_len_ + 1); for (_i_ = 0; _i_ < __extension__ (__builtin_choose_expr
( !__builtin_types_compatible_p(typeof(_appendees_), typeof(&
*(_appendees_))), sizeof(_appendees_)/sizeof((_appendees_)[0]
), ((void)0))) && _appendees_[_i_]; _i_++) _p_ = stpcpy
(_p_, _appendees_[_i_]); *_p_ = 0; _d_; });
54
55 return mhd_respond_internal(connection, code,
56 fmt, strlen(message) + 1,
57 MHD_RESPMEM_PERSISTENT);
58}
59
60int mhd_respond_oom(struct MHD_Connection *connection) {
61 return mhd_respond(connection, MHD_HTTP_SERVICE_UNAVAILABLE503, "Out of memory.");
62}
63
64int mhd_respondf(struct MHD_Connection *connection,
65 int error,
66 enum MHD_RequestTerminationCode code,
67 const char *format, ...) {
68
69 const char *fmt;
70 char *m;
71 int r;
72 va_list ap;
73
74 assert(connection)do { if ((__builtin_expect(!!(!(connection)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("connection"), "../src/journal-remote/microhttpd-util.c"
, 74, __PRETTY_FUNCTION__); } while (0);
75 assert(format)do { if ((__builtin_expect(!!(!(format)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("format"), "../src/journal-remote/microhttpd-util.c"
, 75, __PRETTY_FUNCTION__); } while (0);
76
77 if (error < 0)
78 error = -error;
79 errno(*__errno_location ()) = -error;
80 fmt = strjoina(format, "\n")({ const char *_appendees_[] = { format, "\n" }; char *_d_, *
_p_; size_t _len_ = 0; size_t _i_; for (_i_ = 0; _i_ < __extension__
(__builtin_choose_expr( !__builtin_types_compatible_p(typeof
(_appendees_), typeof(&*(_appendees_))), sizeof(_appendees_
)/sizeof((_appendees_)[0]), ((void)0))) && _appendees_
[_i_]; _i_++) _len_ += strlen(_appendees_[_i_]); _p_ = _d_ = __builtin_alloca
(_len_ + 1); for (_i_ = 0; _i_ < __extension__ (__builtin_choose_expr
( !__builtin_types_compatible_p(typeof(_appendees_), typeof(&
*(_appendees_))), sizeof(_appendees_)/sizeof((_appendees_)[0]
), ((void)0))) && _appendees_[_i_]; _i_++) _p_ = stpcpy
(_p_, _appendees_[_i_]); *_p_ = 0; _d_; });
81 va_start(ap, format)__builtin_va_start(ap, format);
82#pragma GCC diagnostic push
83#pragma GCC diagnostic ignored "-Wformat-nonliteral"
84 r = vasprintf(&m, fmt, ap);
85#pragma GCC diagnostic pop
86 va_end(ap)__builtin_va_end(ap);
87
88 if (r < 0)
89 return respond_oom(connection)log_oom_internal(LOG_REALM_SYSTEMD, "../src/journal-remote/microhttpd-util.c"
, 89, __func__), mhd_respond_oom(connection);
90
91 return mhd_respond_internal(connection, code, m, r, MHD_RESPMEM_MUST_FREE);
92}
93
94#if HAVE_GNUTLS1
95
96static struct {
97 const char *const names[4];
98 int level;
99 bool_Bool enabled;
100} gnutls_log_map[] = {
101 { {"0"}, LOG_DEBUG7 },
102 { {"1", "audit"}, LOG_WARNING4, true1}, /* gnutls session audit */
103 { {"2", "assert"}, LOG_DEBUG7 }, /* gnutls assert log */
104 { {"3", "hsk", "ext"}, LOG_DEBUG7 }, /* gnutls handshake log */
105 { {"4", "rec"}, LOG_DEBUG7 }, /* gnutls record log */
106 { {"5", "dtls"}, LOG_DEBUG7 }, /* gnutls DTLS log */
107 { {"6", "buf"}, LOG_DEBUG7 },
108 { {"7", "write", "read"}, LOG_DEBUG7 },
109 { {"8"}, LOG_DEBUG7 },
110 { {"9", "enc", "int"}, LOG_DEBUG7 },
111};
112
113static void log_func_gnutls(int level, const char *message) {
114 assert_se(message)do { if ((__builtin_expect(!!(!(message)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("message"), "../src/journal-remote/microhttpd-util.c"
, 114, __PRETTY_FUNCTION__); } while (0);
115
116 if (0 <= level && level < (int) ELEMENTSOF(gnutls_log_map)__extension__ (__builtin_choose_expr( !__builtin_types_compatible_p
(typeof(gnutls_log_map), typeof(&*(gnutls_log_map))), sizeof
(gnutls_log_map)/sizeof((gnutls_log_map)[0]), ((void)0)))) {
117 if (gnutls_log_map[level].enabled)
118 log_internal(gnutls_log_map[level].level, 0, NULL, 0, NULL, "gnutls %d/%s: %s", level, gnutls_log_map[level].names[1], message)log_internal_realm(((LOG_REALM_SYSTEMD) << 10 | ((gnutls_log_map
[level].level))), 0, ((void*)0), 0, ((void*)0), "gnutls %d/%s: %s"
, level, gnutls_log_map[level].names[1], message);
119 } else {
120 log_debug("Received GNUTLS message with unknown level %d.", level)({ int _level = (((7))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 120, __func__, "Received GNUTLS message with unknown level %d."
, level) : -abs(_e); });
121 log_internal(LOG_DEBUG, 0, NULL, 0, NULL, "gnutls: %s", message)log_internal_realm(((LOG_REALM_SYSTEMD) << 10 | ((7))),
0, ((void*)0), 0, ((void*)0), "gnutls: %s", message);
122 }
123}
124
125static void log_reset_gnutls_level(void) {
126 int i;
127
128 for (i = ELEMENTSOF(gnutls_log_map)__extension__ (__builtin_choose_expr( !__builtin_types_compatible_p
(typeof(gnutls_log_map), typeof(&*(gnutls_log_map))), sizeof
(gnutls_log_map)/sizeof((gnutls_log_map)[0]), ((void)0))) - 1; i >= 0; i--)
129 if (gnutls_log_map[i].enabled) {
130 log_debug("Setting gnutls log level to %d", i)({ int _level = (((7))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 130, __func__, "Setting gnutls log level to %d"
, i) : -abs(_e); });
131 gnutls_global_set_log_level(i);
132 break;
133 }
134}
135
136static int log_enable_gnutls_category(const char *cat) {
137 unsigned i;
138
139 if (streq(cat, "all")(strcmp((cat),("all")) == 0)) {
140 for (i = 0; i < ELEMENTSOF(gnutls_log_map)__extension__ (__builtin_choose_expr( !__builtin_types_compatible_p
(typeof(gnutls_log_map), typeof(&*(gnutls_log_map))), sizeof
(gnutls_log_map)/sizeof((gnutls_log_map)[0]), ((void)0))); i++)
141 gnutls_log_map[i].enabled = true1;
142 log_reset_gnutls_level();
143 return 0;
144 } else
145 for (i = 0; i < ELEMENTSOF(gnutls_log_map)__extension__ (__builtin_choose_expr( !__builtin_types_compatible_p
(typeof(gnutls_log_map), typeof(&*(gnutls_log_map))), sizeof
(gnutls_log_map)/sizeof((gnutls_log_map)[0]), ((void)0))); i++)
146 if (strv_contains((char**)gnutls_log_map[i].names, cat)(!!strv_find(((char**)gnutls_log_map[i].names), (cat)))) {
147 gnutls_log_map[i].enabled = true1;
148 log_reset_gnutls_level();
149 return 0;
150 }
151 log_error("No such log category: %s", cat)({ int _level = (((3))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 151, __func__, "No such log category: %s"
, cat) : -abs(_e); });
152 return -EINVAL22;
153}
154
155int setup_gnutls_logger(char **categories) {
156 char **cat;
157 int r;
158
159 gnutls_global_set_log_function(log_func_gnutls);
160
161 if (categories) {
162 STRV_FOREACH(cat, categories)for ((cat) = (categories); (cat) && *(cat); (cat)++) {
163 r = log_enable_gnutls_category(*cat);
164 if (r < 0)
165 return r;
166 }
167 } else
168 log_reset_gnutls_level();
169
170 return 0;
171}
172
173static int verify_cert_authorized(gnutls_session_t session) {
174 unsigned status;
175 gnutls_certificate_type_t type;
176 gnutls_datum_t out;
177 int r;
178
179 r = gnutls_certificate_verify_peers2(session, &status);
180 if (r < 0)
181 return log_error_errno(r, "gnutls_certificate_verify_peers2 failed: %m")({ int _level = ((3)), _e = ((r)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 181, __func__, "gnutls_certificate_verify_peers2 failed: %m"
) : -abs(_e); });
182
183 type = gnutls_certificate_type_get(session);
184 r = gnutls_certificate_verification_status_print(status, type, &out, 0);
185 if (r < 0)
186 return log_error_errno(r, "gnutls_certificate_verification_status_print failed: %m")({ int _level = ((3)), _e = ((r)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 186, __func__, "gnutls_certificate_verification_status_print failed: %m"
) : -abs(_e); });
187
188 log_debug("Certificate status: %s", out.data)({ int _level = (((7))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 188, __func__, "Certificate status: %s"
, out.data) : -abs(_e); });
189 gnutls_free(out.data);
190
191 return status == 0 ? 0 : -EPERM1;
192}
193
194static int get_client_cert(gnutls_session_t session, gnutls_x509_crt_t *client_cert) {
195 const gnutls_datum_t *pcert;
196 unsigned listsize;
197 gnutls_x509_crt_t cert;
198 int r;
199
200 assert(session)do { if ((__builtin_expect(!!(!(session)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("session"), "../src/journal-remote/microhttpd-util.c"
, 200, __PRETTY_FUNCTION__); } while (0);
201 assert(client_cert)do { if ((__builtin_expect(!!(!(client_cert)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("client_cert"), "../src/journal-remote/microhttpd-util.c"
, 201, __PRETTY_FUNCTION__); } while (0);
202
203 pcert = gnutls_certificate_get_peers(session, &listsize);
204 if (!pcert || !listsize) {
205 log_error("Failed to retrieve certificate chain")({ int _level = (((3))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 205, __func__, "Failed to retrieve certificate chain"
) : -abs(_e); });
206 return -EINVAL22;
207 }
208
209 r = gnutls_x509_crt_init(&cert);
210 if (r < 0) {
211 log_error("Failed to initialize client certificate")({ int _level = (((3))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 211, __func__, "Failed to initialize client certificate"
) : -abs(_e); });
212 return r;
213 }
214
215 /* Note that by passing values between 0 and listsize here, you
216 can get access to the CA's certs */
217 r = gnutls_x509_crt_import(cert, &pcert[0], GNUTLS_X509_FMT_DER);
218 if (r < 0) {
219 log_error("Failed to import client certificate")({ int _level = (((3))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 219, __func__, "Failed to import client certificate"
) : -abs(_e); });
220 gnutls_x509_crt_deinit(cert);
221 return r;
222 }
223
224 *client_cert = cert;
225 return 0;
226}
227
228static int get_auth_dn(gnutls_x509_crt_t client_cert, char **buf) {
229 size_t len = 0;
230 int r;
231
232 assert(buf)do { if ((__builtin_expect(!!(!(buf)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("buf"), "../src/journal-remote/microhttpd-util.c"
, 232, __PRETTY_FUNCTION__); } while (0);
14
Taking false branch
15
Loop condition is false. Exiting loop
233 assert(*buf == NULL)do { if ((__builtin_expect(!!(!(*buf == ((void*)0))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("*buf == NULL"), "../src/journal-remote/microhttpd-util.c"
, 233, __PRETTY_FUNCTION__); } while (0);
16
Taking false branch
17
Loop condition is false. Exiting loop
234
235 r = gnutls_x509_crt_get_dn(client_cert, NULL((void*)0), &len);
236 if (r != GNUTLS_E_SHORT_MEMORY_BUFFER-51) {
18
Assuming the condition is false
19
Taking false branch
237 log_error("gnutls_x509_crt_get_dn failed")({ int _level = (((3))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 237, __func__, "gnutls_x509_crt_get_dn failed"
) : -abs(_e); });
238 return r;
239 }
240
241 *buf = malloc(len);
20
Memory is allocated
242 if (!*buf)
21
Assuming the condition is false
22
Taking false branch
243 return log_oom()log_oom_internal(LOG_REALM_SYSTEMD, "../src/journal-remote/microhttpd-util.c"
, 243, __func__);
244
245 gnutls_x509_crt_get_dn(client_cert, *buf, &len);
246 return 0;
247}
248
249static inline void gnutls_x509_crt_deinitp(gnutls_x509_crt_t *p) {
250 gnutls_x509_crt_deinit(*p);
251}
252
253int check_permissions(struct MHD_Connection *connection, int *code, char **hostname) {
254 const union MHD_ConnectionInfo *ci;
255 gnutls_session_t session;
256 _cleanup_(gnutls_x509_crt_deinitp)__attribute__((cleanup(gnutls_x509_crt_deinitp))) gnutls_x509_crt_t client_cert = NULL((void*)0);
257 _cleanup_free___attribute__((cleanup(freep))) char *buf = NULL((void*)0);
258 int r;
259
260 assert(connection)do { if ((__builtin_expect(!!(!(connection)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("connection"), "../src/journal-remote/microhttpd-util.c"
, 260, __PRETTY_FUNCTION__); } while (0);
1
Assuming 'connection' is non-null
2
Taking false branch
3
Loop condition is false. Exiting loop
261 assert(code)do { if ((__builtin_expect(!!(!(code)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("code"), "../src/journal-remote/microhttpd-util.c"
, 261, __PRETTY_FUNCTION__); } while (0);
4
Assuming 'code' is non-null
5
Taking false branch
6
Loop condition is false. Exiting loop
262
263 *code = 0;
264
265 ci = MHD_get_connection_info(connection,
266 MHD_CONNECTION_INFO_GNUTLS_SESSION);
267 if (!ci) {
7
Assuming 'ci' is non-null
8
Taking false branch
268 log_error("MHD_get_connection_info failed: session is unencrypted")({ int _level = (((3))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 268, __func__, "MHD_get_connection_info failed: session is unencrypted"
) : -abs(_e); });
269 *code = mhd_respond(connection, MHD_HTTP_FORBIDDEN403,
270 "Encrypted connection is required");
271 return -EPERM1;
272 }
273 session = ci->tls_session;
274 assert(session)do { if ((__builtin_expect(!!(!(session)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("session"), "../src/journal-remote/microhttpd-util.c"
, 274, __PRETTY_FUNCTION__); } while (0);
9
Assuming 'session' is non-null
10
Taking false branch
11
Loop condition is false. Exiting loop
275
276 r = get_client_cert(session, &client_cert);
277 if (r
11.1
'r' is >= 0
 < 0) {
12
Taking false branch
278 *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED401,
279 "Authorization through certificate is required");
280 return -EPERM1;
281 }
282
283 r = get_auth_dn(client_cert, &buf);
13
Calling 'get_auth_dn'
23
Returned allocated memory via 2nd parameter
284 if (r
23.1
'r' is >= 0
 < 0) {
24
Taking false branch
285 *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED401,
286 "Failed to determine distinguished name from certificate");
287 return -EPERM1;
288 }
289
290 log_debug("Connection from %s", buf)({ int _level = (((7))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 290, __func__, "Connection from %s"
, buf) : -abs(_e); });
25
Assuming the condition is false
26
'?' condition is false
291
292 if (hostname)
27
Assuming 'hostname' is null
28
Taking false branch
293 *hostname = TAKE_PTR(buf)({ typeof(buf) _ptr_ = (buf); (buf) = ((void*)0); _ptr_; });
294
295 r = verify_cert_authorized(session);
29
Potential leak of memory pointed to by 'buf'
296 if (r < 0) {
297 log_warning("Client is not authorized")({ int _level = (((4))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 297, __func__, "Client is not authorized"
) : -abs(_e); });
298 *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED401,
299 "Client certificate not signed by recognized authority");
300 }
301 return r;
302}
303
304#else
305int check_permissions(struct MHD_Connection *connection, int *code, char **hostname) {
306 return -EPERM1;
307}
308
309int setup_gnutls_logger(char **categories) {
310 if (categories)
311 log_notice("Ignoring specified gnutls logging categories — gnutls not available.")({ int _level = (((5))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/journal-remote/microhttpd-util.c", 311, __func__, "Ignoring specified gnutls logging categories — gnutls not available."
) : -abs(_e); });
312 return 0;
313}
314#endif