[PATCH] Fix new Coverity IDs

Jeremy Allison jra at samba.org
Wed Jan 11 19:07:18 UTC 2017 

On Wed, Jan 11, 2017 at 08:24:26AM +0100, Volker Lendecke wrote:
> On Wed, Jan 11, 2017 at 07:56:04AM +0100, Andreas Schneider wrote:
> > > diff --git a/source3/winbindd/winbindd_samr.c
> > > b/source3/winbindd/winbindd_samr.c index dd674965f17..d2ce1d2d5e2 100644
> > > --- a/source3/winbindd/winbindd_samr.c
> > > +++ b/source3/winbindd/winbindd_samr.c
> > > @@ -176,8 +176,6 @@ static NTSTATUS sam_query_user_list(struct
> > > winbindd_domain *domain,
> > > 
> > >         DEBUG(3,("samr_query_user_list\n"));
> > > 
> > > -       *prids = NULL;
> > > -
> > >         tmp_ctx = talloc_stackframe();
> > >         if (tmp_ctx == NULL) {
> > >                 return NT_STATUS_NO_MEMORY;
> > > 
> > > instead ?
> > 
> > Yes, and we need backports to 4.6 which has already been branched. So could 
> > someone please create a bug for them?
> 
> This comes from previous code where "num_entries" was unconditionally
> initialized always. Now we have rids only as a talloc array carrying
> its own length, no "pnum_rids" anymore.

Just looked at the (one) caller:

source3/winbindd/winbindd_cache.c:

1498                 rids = NULL;
1499                 status = domain->backend->query_user_list(domain, mem_ctx,
1500                                                           &rids);
1501                 num_rids = talloc_array_length(rids);

so 'rids' is already initialized to NULL, but we then
call talloc_array_length(rids) without checking if
the return was NULL. This works (I think), but goes
via:

#define talloc_array_length(ctx) (talloc_get_size(ctx)/sizeof(*ctx))

and talloc_get_size() is:

_PUBLIC_ size_t talloc_get_size(const void *context)
{
        struct talloc_chunk *tc;

        if (context == NULL) {
                context = null_context;
        }
        if (context == NULL) {
                return 0;
        }

        tc = talloc_chunk_from_ptr(context);

        return tc->size;
}

- which uses null_context - which can change what it returns
if someone ever calls talloc_enable_null_tracking() !!!!!

Oh. And winbindd *does* do that :-(.

from source3/winbindd/winbindd.c:

1543         /*
1544          * Do this before any other talloc operation
1545          */
1546         talloc_enable_null_tracking();

So does nmbd and smbd.

That's really ugly, shitty code in talloc. Changing it is
an ABI change though :-(.

git show d1895d2fee9e

Metze - what were you *thinking* (although this has been in the code
since 2009 so I guess forgiveness is in order) ?

--------------------------------------------------------------------------------
commit d1895d2fee9eec6f0b16dd38728b34d2f8233b0c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jul 13 18:51:24 2009 +0200

    talloc: let talloc_total_blocks() and talloc_get_size() operate on the null_context
    
    metze

diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 0126567c45a..8e91b60c99b 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -1227,7 +1227,16 @@ size_t talloc_total_size(const void *ptr)
 size_t talloc_total_blocks(const void *ptr)
 {
        size_t total = 0;
-       struct talloc_chunk *c, *tc = talloc_chunk_from_ptr(ptr);
+       struct talloc_chunk *c, *tc;
+
+       if (ptr == NULL) {
+               ptr = null_context;
+       }
+       if (ptr == NULL) {
+               return 0;
+       }
+
+       tc = talloc_chunk_from_ptr(ptr);
 
        if (tc->flags & TALLOC_FLAG_LOOP) {
                return 0;
@@ -1807,8 +1816,12 @@ size_t talloc_get_size(const void *context)
 {
        struct talloc_chunk *tc;
 
-       if (context == NULL)
+       if (context == NULL) {
+               context = null_context;
+       }
+       if (context == NULL) {
                return 0;
+       }
 
        tc = talloc_chunk_from_ptr(context);
--------------------------------------------------------------------------------

This might be the cause of *MANY* subtle bugs, so we need
to address this I think.

I think the safest thing to do right now is ensure we don't
call talloc_array_length(NULL) here by doing (not a git-am
fix as I think we need to discuss this).

diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index 4431cb52b64..39ff14824de 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -1498,7 +1498,11 @@ do_query:
 		rids = NULL;
 		status = domain->backend->query_user_list(domain, mem_ctx,
 							  &rids);
-		num_rids = talloc_array_length(rids);
+		if (rids != NULL) {
+			num_rids = talloc_array_length(rids);
+		} else {
+			num_rids == NULL;
+		}
 
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(3, ("query_user_list: returned 0x%08x, "
-------------- next part --------------
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index 4431cb52b64..39ff14824de 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -1498,7 +1498,11 @@ do_query:
 		rids = NULL;
 		status = domain->backend->query_user_list(domain, mem_ctx,
 							  &rids);
-		num_rids = talloc_array_length(rids);
+		if (rids != NULL) {
+			num_rids = talloc_array_length(rids);
+		} else {
+			num_rids == NULL;
+		}
 
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(3, ("query_user_list: returned 0x%08x, "

More information about the samba-technical mailing list