
Hi, Please find the latest report on new defect(s) introduced to libvirt found with Coverity Scan. 9 new defect(s) introduced to libvirt found with Coverity Scan. 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 9 of 9 defect(s) ** CID 314804: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 314804: Memory - corruptions (OVERRUN) /src/util/virdevmapper.c: 243 in virDevMapperGetTargetsImpl() 237 if (!virIsDevMapperDevice(path)) 238 return 0; 239 240 if (!(sanitizedPath = virDMSanitizepath(path))) 241 return 0; 242
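CID 314804: Memory - corruptions (OVERRUN) Overrunning array "dm.name" of 128 bytes by passing it to a function which accesses it at byte offset 3241737482 using argument "3241737483UL". (Note: the size argument in the call at line 243 is DM_TABLE_DEPS, which is a device-mapper ioctl request code rather than a byte count; 3241737483 is 0xC138FD0B, i.e. that request number used as the copy length. The bound that belongs there is the size of the destination, the 128 bytes reported for dm.name.)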
243 if (virStrcpy(dm.name, sanitizedPath, DM_TABLE_DEPS) < 0) { 244 virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", 245 _("Resolved device mapper name too long")); 246 return -1; 247 } 248
** CID 314803: (OVERRUN) ________________________________________________________________________________________________________ *** CID 314803: (OVERRUN) /src/nwfilter/nwfilter_ebiptables_driver.c: 2325 in ebtablesCreateRuleInstance() 2319 if (printDataType(vars, 2320 number, sizeof(number), 2321 &rule->p.ipv6HdrFilter.dataICMPTypeStart) < 0) 2322 return -1; 2323 lo = true; 2324 } else {
CID 314803: (OVERRUN) Overrunning array ""0"" of 2 bytes by passing it to a function which accesses it at byte offset 20 using argument "21UL".
2325 ignore_value(virStrcpyStatic(number, "0")); 2326 } 2327 2328 virBufferStrcat(&buf, number, ":", NULL); 2329 2330 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeEnd)) { /src/nwfilter/nwfilter_ebiptables_driver.c: 2353 in ebtablesCreateRuleInstance() 2347 if (printDataType(vars, 2348 number, sizeof(number), 2349 &rule->p.ipv6HdrFilter.dataICMPCodeStart) < 0) 2350 return -1; 2351 lo = true; 2352 } else {
CID 314803: (OVERRUN) Overrunning array ""0"" of 2 bytes by passing it to a function which accesses it at byte offset 20 using argument "21UL".
2353 ignore_value(virStrcpyStatic(number, "0")); 2354 } 2355 2356 virBufferStrcat(&buf, number, ":", NULL); 2357 2358 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeEnd)) { /src/nwfilter/nwfilter_ebiptables_driver.c: 2367 in ebtablesCreateRuleInstance() 2361 &rule->p.ipv6HdrFilter.dataICMPCodeEnd) < 0) 2362 return -1; 2363 } else { 2364 if (lo) 2365 ignore_value(virStrcpyStatic(numberalt, number)); 2366 else
CID 314803: (OVERRUN) Overrunning array ""255"" of 4 bytes by passing it to a function which accesses it at byte offset 20 using argument "21UL".
2367 ignore_value(virStrcpyStatic(numberalt, "255")); 2368 } 2369 2370 virBufferStrcat(&buf, numberalt, NULL); 2371 2372 if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.dataICMPTypeStart))
** CID 314802: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 314802: Null pointer dereferences (FORWARD_NULL) /tests/virtypedparamtest.c: 139 in testTypedParamsAddStringList() 133 int nparams = 0, maxparams = 0, i; 134 135 const char *values[] = { 136 "foo", "bar", "foobar", NULL 137 }; 138
CID 314802: Null pointer dereferences (FORWARD_NULL) Passing "&params" to "virTypedParamsAddStringList", which dereferences null "params".
139 rv = virTypedParamsAddStringList(&params, &nparams, &maxparams, "param", 140 values); 141 142 for (i = 0; i < nparams; i++) { 143 if (STRNEQ(params[i].field, "param") || 144 STRNEQ(params[i].value.s, values[i]) ||
** CID 314801: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 314801: Memory - corruptions (OVERRUN) /src/util/virlog.c: 949 in virLogOutputToJournald() 943 nmetadata++; 944 } 945 } 946 947 memset(&sa, 0, sizeof(sa)); 948 sa.sun_family = AF_UNIX;
CID 314801: Memory - corruptions (OVERRUN) Overrunning array ""/run/systemd/journal/socket"" of 28 bytes by passing it to a function which accesses it at byte offset 107 using argument "108UL".
949 if (virStrcpyStatic(sa.sun_path, "/run/systemd/journal/socket") < 0) 950 return; 951 952 memset(&mh, 0, sizeof(mh)); 953 mh.msg_name = &sa; 954 mh.msg_namelen = offsetof(struct sockaddr_un, sun_path) + strlen(sa.sun_path);
** CID 314800: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 314800: Memory - corruptions (OVERRUN) /src/util/virnetdevvportprofile.c: 1054 in virNetDevVPortProfileOp8021Qbg() 1048 1049 if (!ifname) 1050 return -1; 1051 1052 vf = PORT_SELF_VF; 1053
CID 314800: Memory - corruptions (OVERRUN) Overrunning array "physdev_ifname" of 16 bytes by passing it to a function which accesses it at byte offset 23.
1054 if (virNetDevVPortProfileGetPhysdevAndVlan(ifname, &physdev_ifindex, 1055 physdev_ifname, &vlanid) < 0) { 1056 return -1; 1057 } 1058 1059 if (vlanid < 0)
** CID 314799: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 314799: Memory - corruptions (OVERRUN) /src/locking/lock_driver_sanlock.c: 205 in virLockManagerSanlockSetupLockspace() 199 char *dir = NULL; 200 int retries = LOCKSPACE_RETRIES; 201 202 path = g_strdup_printf("%s/%s", driver->autoDiskLeasePath, 203 VIR_LOCK_MANAGER_SANLOCK_AUTO_DISK_LOCKSPACE); 204
CID 314799: Memory - corruptions (OVERRUN) Overrunning array ""__LIBVIRT__DISKS__"" of 19 bytes by passing it to a function which accesses it at byte offset 47 using argument "48UL".
205 if (virStrcpyStatic(ls.name, 206 VIR_LOCK_MANAGER_SANLOCK_AUTO_DISK_LOCKSPACE) < 0) { 207 virReportError(VIR_ERR_INTERNAL_ERROR, 208 _("Lockspace path '%s' exceeded %d characters"), 209 VIR_LOCK_MANAGER_SANLOCK_AUTO_DISK_LOCKSPACE, 210 SANLK_PATH_LEN);
** CID 314798: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 314798: Memory - corruptions (OVERRUN) /tools/virsh-domain-monitor.c: 2033 in cmdList() 2027 2028 dom = list->domains[i]; 2029 id = virDomainGetID(dom); 2030 if (id != (unsigned int) -1) 2031 g_snprintf(id_buf, sizeof(id_buf), "%d", id); 2032 else
CID 314798: Memory - corruptions (OVERRUN) Overrunning array ""-"" of 2 bytes by passing it to a function which accesses it at byte offset 20 using argument "21UL".
2033 ignore_value(virStrcpyStatic(id_buf, "-")); 2034 2035 if (optTable) { 2036 state = virshDomainState(ctl, dom, NULL); 2037 2038 /* Domain could've been removed in the meantime */
** CID 314797: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 314797: Memory - corruptions (OVERRUN) /src/locking/lock_driver_sanlock.c: 614 in virLockManagerSanlockAddDisk() 608 virReportError(VIR_ERR_INTERNAL_ERROR, 609 _("Lease path '%s' exceeds %d characters"), 610 path, SANLK_PATH_LEN); 611 return -1; 612 } 613
CID 314797: Memory - corruptions (OVERRUN) Overrunning array ""__LIBVIRT__DISKS__"" of 19 bytes by passing it to a function which accesses it at byte offset 47 using argument "48UL".
614 if (virStrcpy(res->lockspace_name, 615 VIR_LOCK_MANAGER_SANLOCK_AUTO_DISK_LOCKSPACE, 616 SANLK_NAME_LEN) < 0) { 617 virReportError(VIR_ERR_INTERNAL_ERROR, 618 _("Resource lockspace '%s' exceeds %d characters"), 619 VIR_LOCK_MANAGER_SANLOCK_AUTO_DISK_LOCKSPACE, SANLK_NAME_LEN);
** CID 309208: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 309208: Memory - illegal accesses (USE_AFTER_FREE) /src/qemu/qemu_driver.c: 7041 in qemuDomainAttachDeviceLive() 7035 virObjectEventPtr event; 7036 event = virDomainEventDeviceAddedNewFromObj(vm, alias); 7037 virObjectEventStateQueue(driver->domainEventState, event); 7038 } 7039 7040 if (ret == 0)
CID 309208: Memory - illegal accesses (USE_AFTER_FREE) Calling "qemuDomainUpdateDeviceList" dereferences freed pointer "driver->config".
7041 ret = qemuDomainUpdateDeviceList(driver, vm, QEMU_ASYNC_JOB_NONE); 7042 7043 return ret; 7044 } 7045 7046
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...