Hi,
Please find the latest report on new defect(s) introduced to libvirt found with Coverity
Scan.
82 new defect(s) introduced to libvirt found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build
analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 82 defect(s)
** CID 463071: (INTEGER_OVERFLOW)
/src/util/virnetdevvportprofile.c: 897 in virNetDevVPortProfileGetNthParent()
/src/util/virnetdevvportprofile.c: 897 in virNetDevVPortProfileGetNthParent()
________________________________________________________________________________________________________
*** CID 463071: (INTEGER_OVERFLOW)
/src/util/virnetdevvportprofile.c: 897 in virNetDevVPortProfileGetNthParent()
891 end = true;
892 }
893
894 i++;
895 }
896
>> CID 463071: (INTEGER_OVERFLOW)
>> Expression "i - 1UL", which is equal to 18446744073709551615, where
"i" is known to be equal to 0, underflows the type that receives it, an unsigned
integer 64 bits wide.
897 *nth = i - 1;
898
899 cleanup:
900 VIR_FREE(nlData);
901 return rc;
902 }
/src/util/virnetdevvportprofile.c: 897 in virNetDevVPortProfileGetNthParent()
891 end = true;
892 }
893
894 i++;
895 }
896
>> CID 463071: (INTEGER_OVERFLOW)
>> Expression "*nth", which is equal to 18446744073709551615, where
"i - 1UL" is known to be equal to 18446744073709551615, overflows the type that
receives it, an unsigned integer 32 bits wide.
897 *nth = i - 1;
898
899 cleanup:
900 VIR_FREE(nlData);
901 return rc;
902 }
** CID 463070: Insecure data handling (INTEGER_OVERFLOW)
/tools/virsh-completer-checkpoint.c: 51 in virshCheckpointNameCompleter()
________________________________________________________________________________________________________
*** CID 463070: Insecure data handling (INTEGER_OVERFLOW)
/tools/virsh-completer-checkpoint.c: 51 in virshCheckpointNameCompleter()
45 return NULL;
46
47 if ((ncheckpoints = virDomainListAllCheckpoints(dom, &checkpoints,
48 flags)) < 0)
49 goto error;
50
>> CID 463070: Insecure data handling (INTEGER_OVERFLOW)
>> "__n", which might have overflowed, is passed to
"g_malloc0_n(__n, __s)".
51 ret = g_new0(char *, ncheckpoints +
1);
52
53 for (i = 0; i < ncheckpoints; i++) {
54 const char *name = virDomainCheckpointGetName(checkpoints[i]);
55
56 ret[i] = g_strdup(name);
** CID 463069: (INTEGER_OVERFLOW)
/tools/virsh-network.c: 857 in virshNetworkListCollect()
/tools/virsh-network.c: 834 in virshNetworkListCollect()
________________________________________________________________________________________________________
*** CID 463069: (INTEGER_OVERFLOW)
/tools/virsh-network.c: 857 in virshNetworkListCollect()
851 nInactiveNets) < 0) {
852 vshError(ctl, "%s", _("Failed to list inactive
networks"));
853 goto cleanup;
854 }
855 }
856
>> CID 463069: (INTEGER_OVERFLOW)
>> "__n", which might have overflowed, is passed to
"g_malloc0_n(__n, __s)".
857 list->nets = g_new0(virNetworkPtr,
nAllNets);
858 list->nnets = 0;
859
860 /* get active networks */
861 for (i = 0; i < nActiveNets; i++) {
862 if (!(net = virNetworkLookupByName(priv->conn, names[i])))
/tools/virsh-network.c: 834 in virshNetworkListCollect()
828
829 nAllNets = nActiveNets + nInactiveNets;
830
831 if (nAllNets == 0)
832 return list;
833
>> CID 463069: (INTEGER_OVERFLOW)
>> "__n", which might have overflowed, is passed to
"g_malloc0_n(__n, __s)".
834 names = g_new0(char *, nAllNets);
835
836 /* Retrieve a list of active network names */
837 if (!VSH_MATCH(VIR_CONNECT_LIST_NETWORKS_FILTERS_ACTIVE) ||
838 VSH_MATCH(VIR_CONNECT_LIST_NETWORKS_ACTIVE)) {
839 if (virConnectListNetworks(priv->conn,
** CID 463068: Insecure data handling (INTEGER_OVERFLOW)
/tools/virsh-interface.c: 256 in virshInterfaceListCollect()
________________________________________________________________________________________________________
*** CID 463068: Insecure data handling (INTEGER_OVERFLOW)
/tools/virsh-interface.c: 256 in virshInterfaceListCollect()
250 if (nAllIfaces == 0) {
251 VIR_FREE(activeNames);
252 VIR_FREE(inactiveNames);
253 return list;
254 }
255
>> CID 463068: Insecure data handling (INTEGER_OVERFLOW)
>> "__n", which might have overflowed, is passed to
"g_malloc0_n(__n, __s)".
256 list->ifaces =
g_new0(virInterfacePtr, nAllIfaces);
257 list->nifaces = 0;
258
259 /* get active interfaces */
260 for (i = 0; i < nActiveIfaces; i++) {
261 if (!(iface = virInterfaceLookupByName(priv->conn, activeNames[i]))) {
** CID 463067: Insecure data handling (INTEGER_OVERFLOW)
/src/util/virhostmem.c: 705 in virHostMemGetAvailable()
________________________________________________________________________________________________________
*** CID 463067: Insecure data handling (INTEGER_OVERFLOW)
/src/util/virhostmem.c: 705 in virHostMemGetAvailable()
699 }
700 if ((pagesize = sysconf(_SC_PAGESIZE)) < 0) {
701 virReportSystemError(errno, "%s",
702 _("Unable to query memory page size"));
703 return 0;
704 }
>> CID 463067: Insecure data handling (INTEGER_OVERFLOW)
>> "(unsigned long long)pages * (unsigned long long)pagesize", which
might have overflowed, is returned from the function.
705 return (unsigned
long long)pages * (unsigned long long)pagesize;
706 #elif defined WIN32
707 PFN_MS_EX pfnex;
708 HMODULE h = GetModuleHandle("kernel32.dll");
709
710 if (!h) {
** CID 463066: Null pointer dereferences (FORWARD_NULL)
/src/conf/virinterfaceobj.c: 327 in virInterfaceObjListExport()
________________________________________________________________________________________________________
*** CID 463066: Null pointer dereferences (FORWARD_NULL)
/src/conf/virinterfaceobj.c: 327 in virInterfaceObjListExport()
321 if (data.error)
322 goto cleanup;
323
324 if (data.ifaces) {
325 /* trim the array to the final size */
326 VIR_REALLOC_N(data.ifaces, data.nifaces + 1);
>> CID 463066: Null pointer dereferences (FORWARD_NULL)
>> Dereferencing null pointer "ifaces".
327 *ifaces
= g_steal_pointer(&data.ifaces);
328 }
329
330 ret = data.nifaces;
331 cleanup:
332 virObjectRWUnlock(ifaceobjs);
** CID 463065: Insecure data handling (INTEGER_OVERFLOW)
/src/lxc/lxc_process.c: 1037 in virLXCProcessReadLogOutputData()
________________________________________________________________________________________________________
*** CID 463065: Insecure data handling (INTEGER_OVERFLOW)
/src/lxc/lxc_process.c: 1037 in virLXCProcessReadLogOutputData()
1031
1032 /* Filter out debug messages from intermediate libvirt process */
1033 filtered = false;
1034 while ((eol = strchr(filter_next, '\n'))) {
1035 *eol = '\0';
1036 if (virLXCProcessIgnorableLogLine(filter_next)) {
>> CID 463065: Insecure data handling (INTEGER_OVERFLOW)
>> "got - (eol - buf)", which might have underflowed, is passed to
"memmove(filter_next, eol + 1, got - (eol - buf))". [Note: The source code
implementation of the function has been overridden by a builtin model.]
1037
memmove(filter_next, eol + 1, got - (eol - buf));
1038 got -= eol + 1 - filter_next;
1039 filtered = true;
1040 } else {
1041 filter_next = eol + 1;
1042 *eol = '\n';
** CID 463064: Insecure data handling (INTEGER_OVERFLOW)
________________________________________________________________________________________________________
*** CID 463064: Insecure data handling (INTEGER_OVERFLOW)
/tools/virsh-util.c: 206 in virshStreamSkip()
200 buf = g_new0(char, buflen);
201
202 while (offset) {
203 size_t count = MIN(offset, buflen);
204 ssize_t r;
205
>> CID 463064: Insecure data handling (INTEGER_OVERFLOW)
>> "count", which might be negative, is passed to
"safewrite(cbData->fd, buf, count)".
206 if ((r =
safewrite(cbData->fd, buf, count)) < 0)
207 return -1;
208
209 offset -= r;
210 }
211 } else {
** CID 463063: Concurrent data access violations (MISSING_LOCK)
/src/node_device/node_device_udev.c: 2115 in processNodeStateInitializeEnumerate()
________________________________________________________________________________________________________
*** CID 463063: Concurrent data access violations (MISSING_LOCK)
/src/node_device/node_device_udev.c: 2115 in processNodeStateInitializeEnumerate()
2109
2110 error:
2111 VIR_WITH_OBJECT_LOCK_GUARD(priv) {
2112 ignore_value(virEventRemoveHandle(priv->watch));
2113 priv->watch = -1;
2114 priv->udevThreadQuit = true;
>> CID 463063: Concurrent data access violations
(MISSING_LOCK)
>> Accessing "priv->udevThreadCond" without holding lock
"virMutex.lock". Elsewhere, "_udevEventData.udevThreadCond" is written
to with "virMutex.lock" held 1 out of 1 times.
2115
virCondSignal(&priv->udevThreadCond);
2116 }
2117
2118 goto cleanup;
2119 }
2120
** CID 463062: (INTEGER_OVERFLOW)
/src/storage/storage_util.c: 358 in createRawFile()
________________________________________________________________________________________________________
*** CID 463062: (INTEGER_OVERFLOW)
/src/storage/storage_util.c: 358 in createRawFile()
352 * but fallocate failed, fill the rest with zeroes.
353 */
354 pos = inputvol->target.capacity - remain;
355 }
356
357 if (need_alloc && (vol->target.allocation - pos > 0)) {
>> CID 463062: (INTEGER_OVERFLOW)
>> "vol->target.allocation - pos", which might be negative, is
passed to "safezero(fd, pos, vol->target.allocation - pos)".
358
if (safezero(fd, pos, vol->target.allocation - pos) < 0) {
359 virReportSystemError(errno, _("cannot fill file
'%1$s'"),
360 vol->target.path);
361 return -1;
362 }
363 }
/src/storage/storage_util.c: 358 in createRawFile()
352 * but fallocate failed, fill the rest with zeroes.
353 */
354 pos = inputvol->target.capacity - remain;
355 }
356
357 if (need_alloc && (vol->target.allocation - pos > 0)) {
>> CID 463062: (INTEGER_OVERFLOW)
>> The cast of "pos" to a signed type could result in a negative
number.
358 if (safezero(fd, pos, vol->target.allocation - pos) <
0) {
359 virReportSystemError(errno, _("cannot fill file
'%1$s'"),
360 vol->target.path);
361 return -1;
362 }
363 }
** CID 463061: Integer handling issues (INTEGER_OVERFLOW)
/tools/wireshark/src/packet-libvirt.c: 295 in find_payload_dissector()
________________________________________________________________________________________________________
*** CID 463061: Integer handling issues (INTEGER_OVERFLOW)
/tools/wireshark/src/packet-libvirt.c: 295 in find_payload_dissector()
289 if (proc < first || proc > last)
290 return NULL;
291
292 pd = &pds[proc-first];
293 /* There is no guarantee to proc numbers has no gap */
294 if (pd->proc != proc) {
>> CID 463061: Integer handling issues (INTEGER_OVERFLOW)
>> Expression "direction", which is equal to -1, where
"(pd->proc < proc) ? 1 : -1" is known to be equal to -1, overflows the
type that receives it, an unsigned integer 32 bits wide.
295 direction =
(pd->proc < proc) ? 1 : -1;
296 while (pd->proc != proc) {
297 if (pd->proc == first || pd->proc == last)
298 return NULL;
299 pd += direction;
300 }
** CID 463060: Insecure data handling (INTEGER_OVERFLOW)
/src/conf/virdomainsnapshotobjlist.c: 293 in virDomainListSnapshots()
________________________________________________________________________________________________________
*** CID 463060: Insecure data handling (INTEGER_OVERFLOW)
/src/conf/virdomainsnapshotobjlist.c: 293 in virDomainListSnapshots()
287 int ret = -1;
288 size_t i;
289
290 if (!snaps || count < 0)
291 return count;
292 names = g_new0(char *, count);
>> CID 463060: Insecure data handling (INTEGER_OVERFLOW)
>> "__n", which might have overflowed, is passed to
"g_malloc0_n(__n, __s)".
293 list = g_new0(virDomainSnapshotPtr,
count + 1);
294
295 if (virDomainSnapshotObjListGetNames(snapshots, from, names, count,
296 flags) < 0)
297 goto cleanup;
298 for (i = 0; i < count; i++)
** CID 463059: (INTEGER_OVERFLOW)
/src/util/virstring.c: 630 in virStringSearch()
/src/util/virstring.c: 616 in virStringSearch()
________________________________________________________________________________________________________
*** CID 463059: (INTEGER_OVERFLOW)
/src/util/virstring.c: 630 in virStringSearch()
624 VIR_EXPAND_N(*matches, nmatches, 1);
625
626 match = g_match_info_fetch(info, 1);
627
628 VIR_DEBUG("Got '%s'", match);
629
>> CID 463059: (INTEGER_OVERFLOW)
>> Expression "nmatches - 2UL", which is equal to
18446744073709551614, where "nmatches" is known to be equal to 0, underflows the
type that receives it, an unsigned integer 64 bits wide.
630
(*matches)[nmatches-2] = match;
631
632 g_match_info_fetch_pos(info, 1, NULL, &endpos);
633 str += endpos;
634 }
635
/src/util/virstring.c: 616 in virStringSearch()
610
611 /* '*matches' must always be NULL terminated in every iteration
612 * of the loop, so start by allocating 1 element
613 */
614 VIR_EXPAND_N(*matches, nmatches, 1);
615
>> CID 463059: (INTEGER_OVERFLOW)
>> Expression "nmatches - 1UL", which is equal to
18446744073709551615, where "nmatches" is known to be equal to 0, underflows the
type that receives it, an unsigned integer 64 bits wide.
616 while
((nmatches - 1) < max_matches) {
617 g_autoptr(GMatchInfo) info = NULL;
618 char *match;
619 int endpos;
620
621 if (!g_regex_match(regex, str, 0, &info))
** CID 463058: Insecure data handling (INTEGER_OVERFLOW)
/tools/virsh-completer-interface.c: 52 in virshInterfaceStringHelper()
________________________________________________________________________________________________________
*** CID 463058: Insecure data handling (INTEGER_OVERFLOW)
/tools/virsh-completer-interface.c: 52 in virshInterfaceStringHelper()
46 if (!priv->conn || virConnectIsAlive(priv->conn) <= 0)
47 return NULL;
48
49 if ((nifaces = virConnectListAllInterfaces(priv->conn, &ifaces, flags))
< 0)
50 return NULL;
51
>> CID 463058: Insecure data handling (INTEGER_OVERFLOW)
>> "__n", which might have overflowed, is passed to
"g_malloc0_n(__n, __s)".
52 tmp = g_new0(char *, nifaces + 1);
53
54 for (i = 0; i < nifaces; i++) {
55 const char *name = (cb)(ifaces[i]);
56
57 tmp[i] = g_strdup(name);
** CID 463057: Resource leaks (RESOURCE_LEAK)
/tests/qemufirmwaretest.c: 74 in testParseFailureFW()
________________________________________________________________________________________________________
*** CID 463057: Resource leaks (RESOURCE_LEAK)
/tests/qemufirmwaretest.c: 74 in testParseFailureFW()
68 g_autofree char *inpath = NULL;
69
70 inpath = g_strdup_printf("%s/qemufirmwaredata/%s", abs_srcdir,
filename);
71
72 /* This is a negative test case, so if the file was parsed
73 * successfully we need to report a failure */
>> CID 463057: Resource leaks (RESOURCE_LEAK)
>> Failing to save or free storage allocated by
"qemuFirmwareParse(inpath)" leaks it.
74 if
(qemuFirmwareParse(inpath))
75 return -1;
76
77 return 0;
78 }
79
** CID 463056: Integer handling issues (INTEGER_OVERFLOW)
/src/security/security_util.c: 322 in virSecurityGetRememberedLabel()
________________________________________________________________________________________________________
*** CID 463056: Integer handling issues (INTEGER_OVERFLOW)
/src/security/security_util.c: 322 in virSecurityGetRememberedLabel()
316 value, path);
317 return -1;
318 }
319
320 VIR_FREE(value);
321
>> CID 463056: Integer handling issues (INTEGER_OVERFLOW)
>> Expression "refcount--", which is equal to 4294967295, where
"refcount" is known to be equal to 0, underflows the type that receives it, an
unsigned integer 32 bits wide.
322 refcount--;
323
324 if (refcount > 0) {
325 value = g_strdup_printf("%u", refcount);
326
327 if (virFileSetXAttr(path, ref_name, value) < 0)
** CID 463055: Insecure data handling (INTEGER_OVERFLOW)
/tools/virsh-domain.c: 6774 in cmdVcpuinfo()
________________________________________________________________________________________________________
*** CID 463055: Insecure data handling (INTEGER_OVERFLOW)
/tools/virsh-domain.c: 6774 in cmdVcpuinfo()
6768
6769 if (virDomainGetInfo(dom, &info) != 0)
6770 return false;
6771
6772 cpuinfo = g_new0(virVcpuInfo, info.nrVirtCpu);
6773 cpumaplen = VIR_CPU_MAPLEN(maxcpu);
>> CID 463055: Insecure data handling (INTEGER_OVERFLOW)
>> "__n", which might have underflowed, is passed to
"g_malloc0(__n)".
6774 cpumaps = g_new0(unsigned char,
info.nrVirtCpu * cpumaplen);
6775
6776 if ((ncpus = virDomainGetVcpus(dom,
6777 cpuinfo, info.nrVirtCpu,
6778 cpumaps, cpumaplen)) < 0) {
6779 if (info.state != VIR_DOMAIN_SHUTOFF)
** CID 463054: Insecure data handling (INTEGER_OVERFLOW)
/tools/virsh-completer-domain.c: 71 in virshDomainNameCompleter()
________________________________________________________________________________________________________
*** CID 463054: Insecure data handling (INTEGER_OVERFLOW)
/tools/virsh-completer-domain.c: 71 in virshDomainNameCompleter()
65 if (!priv->conn || virConnectIsAlive(priv->conn) <= 0)
66 return NULL;
67
68 if ((ndomains = virConnectListAllDomains(priv->conn, &domains, flags))
< 0)
69 return NULL;
70
>> CID 463054: Insecure data handling (INTEGER_OVERFLOW)
>> "__n", which might have overflowed, is passed to
"g_malloc0_n(__n, __s)".
71 tmp = g_new0(char *, ndomains + 1);
72
73 for (i = 0; i < ndomains; i++) {
74 const char *name = virDomainGetName(domains[i]);
75
76 tmp[i] = g_strdup(name);
** CID 463053: Insecure data handling (INTEGER_OVERFLOW)
/src/util/virfdstream.c: 984 in virFDStreamRead()
________________________________________________________________________________________________________
*** CID 463053: Insecure data handling (INTEGER_OVERFLOW)
/src/util/virfdstream.c: 984 in virFDStreamRead()
978
979 if (fdst->length)
980 fdst->offset += ret;
981
982 cleanup:
983 virObjectUnlock(fdst);
>> CID 463053: Insecure data handling (INTEGER_OVERFLOW)
>> "ret", which might have overflowed, is returned from the function.
984 return ret;
985 }
986
987
988 static int
989 virFDStreamSendHole(virStreamPtr st,
** CID 463052: Null pointer dereferences (FORWARD_NULL)
/src/conf/virnodedeviceobj.c: 997 in virNodeDeviceObjListExport()
________________________________________________________________________________________________________
*** CID 463052: Null pointer dereferences (FORWARD_NULL)
/src/conf/virnodedeviceobj.c: 997 in virNodeDeviceObjListExport()
991
992 if (data.error)
993 goto cleanup;
994
995 if (data.devices) {
996 VIR_REALLOC_N(data.devices, data.ndevices + 1);
>> CID 463052: Null pointer dereferences (FORWARD_NULL)
>> Dereferencing null pointer "devices".
997
*devices = data.devices;
998 }
999
1000 return data.ndevices;
1001
1002 cleanup:
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy...