New Defects reported by Coverity Scan for libvirt
by scan-admin@coverity.com
Hi,
Please find the latest report on new defect(s) introduced to libvirt found with Coverity Scan.
9 new defect(s) introduced to libvirt found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)
** CID 314804: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 314804: Memory - corruptions (OVERRUN)
/src/util/virdevmapper.c: 243 in virDevMapperGetTargetsImpl()
237 if (!virIsDevMapperDevice(path))
238 return 0;
239
240 if (!(sanitizedPath = virDMSanitizepath(path)))
241 return 0;
242
>>> CID 314804: Memory - corruptions (OVERRUN)
>>> Overrunning array "dm.name" of 128 bytes by passing it to a function which accesses it at byte offset 3241737482 using argument "3241737483UL".
243 if (virStrcpy(dm.name, sanitizedPath, DM_TABLE_DEPS) < 0) {
244 virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
245 _("Resolved device mapper name too long"));
246 return -1;
247 }
248
** CID 314803: (OVERRUN)
________________________________________________________________________________________________________
*** CID 314803: (OVERRUN)
/src/nwfilter/nwfilter_ebiptables_driver.c: 2325 in ebtablesCreateRuleInstance()
2319 if (printDataType(vars,
2320 number, sizeof(number),
2321 &rule->p.ipv6HdrFilter.dataICMPTypeStart) < 0)
2322 return -1;
2323 lo = true;
2324 } else {
>>> CID 314803: (OVERRUN)
>>> Overrunning array ""0"" of 2 bytes by passing it to a function which accesses it at byte offset 20 using argument "21UL".
2325 ignore_value(virStrcpyStatic(number, "0"));
2326 }
2327
2328 virBufferStrcat(&buf, number, ":", NULL);
2329
2330 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeEnd)) {
/src/nwfilter/nwfilter_ebiptables_driver.c: 2353 in ebtablesCreateRuleInstance()
2347 if (printDataType(vars,
2348 number, sizeof(number),
2349 &rule->p.ipv6HdrFilter.dataICMPCodeStart) < 0)
2350 return -1;
2351 lo = true;
2352 } else {
>>> CID 314803: (OVERRUN)
>>> Overrunning array ""0"" of 2 bytes by passing it to a function which accesses it at byte offset 20 using argument "21UL".
2353 ignore_value(virStrcpyStatic(number, "0"));
2354 }
2355
2356 virBufferStrcat(&buf, number, ":", NULL);
2357
2358 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeEnd)) {
/src/nwfilter/nwfilter_ebiptables_driver.c: 2367 in ebtablesCreateRuleInstance()
2361 &rule->p.ipv6HdrFilter.dataICMPCodeEnd) < 0)
2362 return -1;
2363 } else {
2364 if (lo)
2365 ignore_value(virStrcpyStatic(numberalt, number));
2366 else
>>> CID 314803: (OVERRUN)
>>> Overrunning array ""255"" of 4 bytes by passing it to a function which accesses it at byte offset 20 using argument "21UL".
2367 ignore_value(virStrcpyStatic(numberalt, "255"));
2368 }
2369
2370 virBufferStrcat(&buf, numberalt, NULL);
2371
2372 if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.dataICMPTypeStart))
** CID 314802: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 314802: Null pointer dereferences (FORWARD_NULL)
/tests/virtypedparamtest.c: 139 in testTypedParamsAddStringList()
133 int nparams = 0, maxparams = 0, i;
134
135 const char *values[] = {
136 "foo", "bar", "foobar", NULL
137 };
138
>>> CID 314802: Null pointer dereferences (FORWARD_NULL)
>>> Passing "¶ms" to "virTypedParamsAddStringList", which dereferences null "params".
139 rv = virTypedParamsAddStringList(¶ms, &nparams, &maxparams, "param",
140 values);
141
142 for (i = 0; i < nparams; i++) {
143 if (STRNEQ(params[i].field, "param") ||
144 STRNEQ(params[i].value.s, values[i]) ||
** CID 314801: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 314801: Memory - corruptions (OVERRUN)
/src/util/virlog.c: 949 in virLogOutputToJournald()
943 nmetadata++;
944 }
945 }
946
947 memset(&sa, 0, sizeof(sa));
948 sa.sun_family = AF_UNIX;
>>> CID 314801: Memory - corruptions (OVERRUN)
>>> Overrunning array ""/run/systemd/journal/socket"" of 28 bytes by passing it to a function which accesses it at byte offset 107 using argument "108UL".
949 if (virStrcpyStatic(sa.sun_path, "/run/systemd/journal/socket") < 0)
950 return;
951
952 memset(&mh, 0, sizeof(mh));
953 mh.msg_name = &sa;
954 mh.msg_namelen = offsetof(struct sockaddr_un, sun_path) + strlen(sa.sun_path);
** CID 314800: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 314800: Memory - corruptions (OVERRUN)
/src/util/virnetdevvportprofile.c: 1054 in virNetDevVPortProfileOp8021Qbg()
1048
1049 if (!ifname)
1050 return -1;
1051
1052 vf = PORT_SELF_VF;
1053
>>> CID 314800: Memory - corruptions (OVERRUN)
>>> Overrunning array "physdev_ifname" of 16 bytes by passing it to a function which accesses it at byte offset 23.
1054 if (virNetDevVPortProfileGetPhysdevAndVlan(ifname, &physdev_ifindex,
1055 physdev_ifname, &vlanid) < 0) {
1056 return -1;
1057 }
1058
1059 if (vlanid < 0)
** CID 314799: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 314799: Memory - corruptions (OVERRUN)
/src/locking/lock_driver_sanlock.c: 205 in virLockManagerSanlockSetupLockspace()
199 char *dir = NULL;
200 int retries = LOCKSPACE_RETRIES;
201
202 path = g_strdup_printf("%s/%s", driver->autoDiskLeasePath,
203 VIR_LOCK_MANAGER_SANLOCK_AUTO_DISK_LOCKSPACE);
204
>>> CID 314799: Memory - corruptions (OVERRUN)
>>> Overrunning array ""__LIBVIRT__DISKS__"" of 19 bytes by passing it to a function which accesses it at byte offset 47 using argument "48UL".
205 if (virStrcpyStatic(ls.name,
206 VIR_LOCK_MANAGER_SANLOCK_AUTO_DISK_LOCKSPACE) < 0) {
207 virReportError(VIR_ERR_INTERNAL_ERROR,
208 _("Lockspace path '%s' exceeded %d characters"),
209 VIR_LOCK_MANAGER_SANLOCK_AUTO_DISK_LOCKSPACE,
210 SANLK_PATH_LEN);
** CID 314798: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 314798: Memory - corruptions (OVERRUN)
/tools/virsh-domain-monitor.c: 2033 in cmdList()
2027
2028 dom = list->domains[i];
2029 id = virDomainGetID(dom);
2030 if (id != (unsigned int) -1)
2031 g_snprintf(id_buf, sizeof(id_buf), "%d", id);
2032 else
>>> CID 314798: Memory - corruptions (OVERRUN)
>>> Overrunning array ""-"" of 2 bytes by passing it to a function which accesses it at byte offset 20 using argument "21UL".
2033 ignore_value(virStrcpyStatic(id_buf, "-"));
2034
2035 if (optTable) {
2036 state = virshDomainState(ctl, dom, NULL);
2037
2038 /* Domain could've been removed in the meantime */
** CID 314797: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 314797: Memory - corruptions (OVERRUN)
/src/locking/lock_driver_sanlock.c: 614 in virLockManagerSanlockAddDisk()
608 virReportError(VIR_ERR_INTERNAL_ERROR,
609 _("Lease path '%s' exceeds %d characters"),
610 path, SANLK_PATH_LEN);
611 return -1;
612 }
613
>>> CID 314797: Memory - corruptions (OVERRUN)
>>> Overrunning array ""__LIBVIRT__DISKS__"" of 19 bytes by passing it to a function which accesses it at byte offset 47 using argument "48UL".
614 if (virStrcpy(res->lockspace_name,
615 VIR_LOCK_MANAGER_SANLOCK_AUTO_DISK_LOCKSPACE,
616 SANLK_NAME_LEN) < 0) {
617 virReportError(VIR_ERR_INTERNAL_ERROR,
618 _("Resource lockspace '%s' exceeds %d characters"),
619 VIR_LOCK_MANAGER_SANLOCK_AUTO_DISK_LOCKSPACE, SANLK_NAME_LEN);
** CID 309208: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 309208: Memory - illegal accesses (USE_AFTER_FREE)
/src/qemu/qemu_driver.c: 7041 in qemuDomainAttachDeviceLive()
7035 virObjectEventPtr event;
7036 event = virDomainEventDeviceAddedNewFromObj(vm, alias);
7037 virObjectEventStateQueue(driver->domainEventState, event);
7038 }
7039
7040 if (ret == 0)
>>> CID 309208: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "qemuDomainUpdateDeviceList" dereferences freed pointer "driver->config".
7041 ret = qemuDomainUpdateDeviceList(driver, vm, QEMU_ASYNC_JOB_NONE);
7042
7043 return ret;
7044 }
7045
7046
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my...