Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes from Coverity Report (12/01/2017) #66

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Fixes from Coverity Report (12/01/2017) #66

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
2ee3265
Update nxt_conn_write.c
RanierV Dec 1, 2017
676ab95
Update nxt_php_sapi.c
RanierV Dec 1, 2017
ec6cdeb
Update nxt_time_parse.c
RanierV Dec 1, 2017
858cb4d
Update nxt_socketpair.c
RanierV Dec 1, 2017
9173b78
Update nxt_process_title.c
RanierV Dec 1, 2017
a67463b
Update nxt_linux_sendfile.c
RanierV Dec 1, 2017
d28a21b
Update nxt_event_conn_job_sendfile.c
RanierV Dec 1, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/nxt_conn_write.c
View file
Open in desktop
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This still looks valid, though likely has a pretty slim chance of triggering due to

#if (NXT_HAVE_LINUX_SENDFILE)                                                   
    .old_sendbuf = nxt_linux_event_conn_io_sendfile,                            
#elif (NXT_HAVE_FREEBSD_SENDFILE)                                               
    .old_sendbuf = nxt_freebsd_event_conn_io_sendfile,                          
#elif (NXT_HAVE_MACOSX_SENDFILE)                                                
    .old_sendbuf = nxt_macosx_event_conn_io_sendfile,                           
#elif (NXT_HAVE_SOLARIS_SENDFILEV)                                              
    .old_sendbuf = nxt_solaris_event_conn_io_sendfilev,                         
#elif (NXT_HAVE_AIX_SEND_FILE)                                                  
    .old_sendbuf = nxt_aix_event_conn_io_send_file,                             
#elif (NXT_HAVE_HPUX_SENDFILE)                                                  
    .old_sendbuf = nxt_hpux_event_conn_io_sendfile,                             
#else                                                                           
    .old_sendbuf = nxt_event_conn_io_sendbuf,                                   
#endif

and we only possibly take the problematic code path if we are using nxt_event_conn_io_sendbuf().

Original file line number Diff line number Diff line change
Expand Up @@ -322,6 +322,7 @@ nxt_event_conn_io_sendbuf(nxt_conn_t *c, nxt_buf_t *b, size_t limit)
sb.iobuf = iob;
sb.nmax = NXT_IOBUF_MAX;
sb.sync = 0;
sb.last = 0;
sb.size = 0;
sb.limit = limit;

Expand Down
1 change: 1 addition & 0 deletions src/nxt_event_conn_job_sendfile.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,7 @@ nxt_event_conn_job_sendfile_start(nxt_task_t *task, void *obj, void *data)
sb.nmax = 1;
sb.sync = 0;
sb.size = 0;
sb.last = 0;
sb.limit = jbs->limit;

if (nxt_sendbuf_mem_coalesce(c->socket.task, &sb) != 0 || !sb.sync) {
Expand Down
1 change: 1 addition & 0 deletions src/nxt_linux_sendfile.c
View file
Open in desktop
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks valid, assuming that we can go

nxt_linux_event_conn_io_sendfile(() -> nxt_sendbuf_mem_coalesce()

and then

if (nxt_buf_is_mem(b)) {

can be false

Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,7 @@ nxt_linux_event_conn_io_sendfile(nxt_event_conn_t *c, nxt_buf_t *b,
sb.nmax = NXT_IOBUF_MAX;
sb.sync = 0;
sb.size = 0;
sb.last = 0;
sb.limit = limit;

niov = nxt_sendbuf_mem_coalesce(c->socket.task, &sb);
Expand Down
11 changes: 7 additions & 4 deletions src/nxt_php_sapi.c
View file
Open in desktop
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps not too surprisingly this code no longer exists. nxt_mp_create() is no longer called and was removed by

commit 349717fb90edaf50ae2846db7b72a2da4285541b
Author: Max Romanov <[email protected]>
Date:   Thu Jan 11 22:14:20 2018 +0300

    Changing relative php scripts paths to real ones.
    
    This is required to run phpMyAdmin.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

... and as such is no longer flagged by coverity...

Original file line number Diff line number Diff line change
Expand Up @@ -361,13 +361,16 @@ nxt_php_run(nxt_task_t *task,
}

nxt_memzero(&run_ctx, sizeof(run_ctx));


run_ctx.mem_pool = nxt_mp_create(1024, 128, 256, 32);
if (nxt_slow_path(run_ctx.mem_pool == NULL)) {
return NXT_ERROR;
}

run_ctx.task = task;
run_ctx.rmsg = rmsg;
run_ctx.wmsg = wmsg;

run_ctx.mem_pool = nxt_mp_create(1024, 128, 256, 32);


h = &run_ctx.r.header;

rc = nxt_php_read_request(task, rmsg, &run_ctx);
Expand Down
18 changes: 12 additions & 6 deletions src/nxt_process_title.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,11 +116,6 @@ nxt_process_arguments(nxt_task_t *task, char **orig_argv, char ***orig_envp)
}
}

p = nxt_malloc(strings_size);
if (p == NULL) {
return;
}

if (argv_end == end) {
/*
* There is no reason to modify environ if arguments
Expand All @@ -130,6 +125,11 @@ nxt_process_arguments(nxt_task_t *task, char **orig_argv, char ***orig_envp)
goto done;
}

p = nxt_malloc(strings_size);
Copy link
Contributor

@alejandro-colomar alejandro-colomar Sep 1, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you move p after the other goto done, you'll arrive at nxt_free() with an uninitialized pointer, which will result in Undefined Behavior.

That is, consider you jump to done from line 125 after this patch. You'll free p, which is uninitialized, and contains a random value. That will likely crash.

if (p == NULL) {
goto done;
}

end = argv[0];

for (i = 0; argv[i] != NULL; i++) {
Expand All @@ -149,7 +149,7 @@ nxt_process_arguments(nxt_task_t *task, char **orig_argv, char ***orig_envp)

env = nxt_malloc(environ_size);
if (env == NULL) {
return;
goto done;
}

/*
Expand Down Expand Up @@ -178,6 +178,12 @@ nxt_process_arguments(nxt_task_t *task, char **orig_argv, char ***orig_envp)
}

done:
if (p != NULL) {
nxt_free(p);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, I just saw this old PR around, and had a fast look at it. nxt_free(), as well as free(3), can handle NULL just fine. The conditionals are not necessary.

}
if (env != NULL) {
nxt_free(env);
}

/* Preserve space for the trailing zero. */
end--;
Expand Down
3 changes: 2 additions & 1 deletion src/nxt_socketpair.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -232,7 +232,8 @@ nxt_recvmsg(nxt_socket_t s, nxt_fd_t *fd, nxt_iobuf_t *iob, nxt_uint_t niob)
msg.msg_iovlen = niob;
msg.msg_control = (caddr_t) &cmsg;
msg.msg_controllen = sizeof(cmsg);

msg.msg_flags = 0;

*fd = -1;

#if (NXT_VALGRIND)
Expand Down
2 changes: 0 additions & 2 deletions src/nxt_time_parse.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -368,8 +368,6 @@ nxt_term_parse(const u_char *p, size_t len, nxt_bool_t seconds)
if (state == st_first_digit) {
return -1;
}

state = st_letter;
}

switch (ch) {
Expand Down