[PATCH] Some Coverity fixes

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Mar 26 06:28:04 MDT 2015


On Thu, Mar 26, 2015 at 01:26:35PM +0100, Guenther Deschner wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> ENOPATCH
> 
> On 26/03/15 13:19, Volker Lendecke wrote:
> > Hi!
> > 
> > Review&push appreciated!
> > 
> > Thanks,
> > 
> > Volker

Gna. Thanks!

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 9f8facce59de3fea118d20021340d4329e7ad485 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 26 Mar 2015 10:14:22 +0100
Subject: [PATCH 1/4] loadparm: Fix CID 1273054 Improper use of negative value

Probably a "can't happen", but formally lpcfg_map_parameter can return -1

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 lib/param/loadparm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index e2b0ca2..ddb806a 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -1338,6 +1338,9 @@ bool handle_smb_ports(struct loadparm_context *lp_ctx, struct loadparm_service *
 
 	if (parm_num == -1) {
 		parm_num = lpcfg_map_parameter("smb ports");
+		if (parm_num == -1) {
+			return false;
+		}
 	}
 
 	if(!set_variable_helper(lp_ctx->globals->ctx, parm_num, ptr, "smb ports",
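Review bot: the new `return false` inside the `parm_num == -1` block fails silently, so a caller cannot tell a failed lookup of "smb ports" apart from a rejected value. Since the commit message calls this a "can't happen", a debug message just before the return would make it visible if it ever does happen. The placement of the check itself is right: it sits before `parm_num` is handed to `set_variable_helper`.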
-- 
1.9.1


From a4dd8d47a0ebd7342328c93c8cbfe70bf0352415 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 26 Mar 2015 10:21:20 +0100
Subject: [PATCH 2/4] lib: Fix CID 1273009 Dereference after null check

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/lib/messages.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/lib/messages.c b/source3/lib/messages.c
index aa67640..f0d2797 100644
--- a/source3/lib/messages.c
+++ b/source3/lib/messages.c
@@ -1066,6 +1066,7 @@ static void mess_parent_dgm_cleanup_done(struct tevent_req *req)
 		mess_parent_dgm_cleanup, msg);
 	if (req == NULL) {
 		DEBUG(1, ("background_job_send failed\n"));
+		return;
 	}
 	tevent_req_set_callback(req, mess_parent_dgm_cleanup_done, msg);
 }
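Review bot: after the added `return` in the `req == NULL` branch, the function exits without calling `tevent_req_set_callback(req, mess_parent_dgm_cleanup_done, msg)`, so no new cleanup request is pending and the cleanup stops for good. The only trace is the existing `DEBUG(1, ...)` line. That is better than dereferencing NULL, but a short comment saying the job is deliberately not retried, or a more prominent debug level, would help the next reader. It is also worth confirming that nothing else needs to be done with `msg` on this path.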
-- 
1.9.1


From d8142cdaab4cf5ebfd13bd0cb0be505d49b86160 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 26 Mar 2015 13:06:26 +0100
Subject: [PATCH 3/4] ctdb: Fix CID 1125634 Out-of-bounds write

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 ctdb/tests/src/ctdb_takeover_tests.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctdb/tests/src/ctdb_takeover_tests.c b/ctdb/tests/src/ctdb_takeover_tests.c
index 8b07325..7ff8755 100644
--- a/ctdb/tests/src/ctdb_takeover_tests.c
+++ b/ctdb/tests/src/ctdb_takeover_tests.c
@@ -431,7 +431,7 @@ static void ctdb_test_init(const char nodestates[],
 	while (tok != NULL) {
 		nodeflags[numnodes] = (uint32_t) strtol(tok, NULL, 0);
 		numnodes++;
-		if (numnodes > CTDB_TEST_MAX_NODES) {
+		if (numnodes >= CTDB_TEST_MAX_NODES) {
 			DEBUG(DEBUG_ERR, ("ERROR: Exceeding CTDB_TEST_MAX_NODES: %d\n", CTDB_TEST_MAX_NODES));
 			exit(1);
 		}
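Review bot: the changed test `numnodes >= CTDB_TEST_MAX_NODES` still runs after `nodeflags[numnodes]` has been written and `numnodes` incremented, so it now exits as soon as the CTDB_TEST_MAX_NODES-th entry has been stored. If `nodeflags` holds CTDB_TEST_MAX_NODES entries (its declaration is not in this hunk), an input with exactly that many nodes fits the array but is rejected with "Exceeding CTDB_TEST_MAX_NODES". Moving the bound check to the top of the loop body, before the store to `nodeflags[numnodes]`, closes the out-of-bounds write and keeps the full capacity usable.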
-- 
1.9.1


From c8a3ddc01aa92503904061929b04e5f8587f164d Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 26 Mar 2015 13:11:14 +0100
Subject: [PATCH 4/4] ctdb: Fix CID 1125615 Copy into fixed size buffer

Might be a "can't happen", but strcpy always looks fishy

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 ctdb/tests/src/ctdb_test_stubs.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ctdb/tests/src/ctdb_test_stubs.c b/ctdb/tests/src/ctdb_test_stubs.c
index 3ea508a..a9947b1 100644
--- a/ctdb/tests/src/ctdb_test_stubs.c
+++ b/ctdb/tests/src/ctdb_test_stubs.c
@@ -597,7 +597,12 @@ int32_t ctdb_control_get_ifaces(struct ctdb_context *ctdb,
 
 	i = 0;
 	for (cur=ctdb->ifaces;cur;cur=cur->next) {
-		strcpy(ifaces->ifaces[i].name, cur->name);
+		size_t nlen = strlcpy(ifaces->ifaces[i].name, cur->name,
+				      sizeof(ifaces->ifaces[i].name));
+		if (nlen >= sizeof(ifaces->ifaces[i].name)) {
+			/* Ignore invalid name */
+			continue;
+		}
 		ifaces->ifaces[i].link_state = cur->link_up;
 		ifaces->ifaces[i].references = cur->references;
 		i++;
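Review bot: on the `nlen >= sizeof(ifaces->ifaces[i].name)` path, `strlcpy` has already written a truncated name into slot `i` before the `continue`. If the skipped interface is the last one in the list, that slot keeps the truncated name. Because `i` is not advanced for skipped entries, whatever sets the entry count in the reply (not visible in this hunk) must use the final `i` rather than the length of `ctdb->ifaces`. Checking `strlen(cur->name)` against the buffer size before copying would avoid the partial write, and a debug message on the skip would show that an interface was dropped.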
-- 
1.9.1


