[PATCH 0/6] Coverity cleanups
A recent Coverity version update discovered some existing issues (and some benign cases). This patch set cleans them all up. John Ferlan (6): VSMS: Coverity cleanups libxkutil:pool_parsing: Coverity cleanups libxkutil:device_parsing: Coverity cleanups libxkutil/xml_parse_test: Coverity cleanup RAFP: Coverity cleanup EAFP: Coverity cleanup libxkutil/device_parsing.c | 41 +++++++++++++++++-------------- libxkutil/pool_parsing.c | 39 +++++++++++++++-------------- libxkutil/xml_parse_test.c | 1 + src/Virt_ElementAllocatedFromPool.c | 6 ++++- src/Virt_ResourceAllocationFromPool.c | 7 ++++-- src/Virt_SettingsDefineCapabilities.c | 2 +- src/Virt_VirtualSystemManagementService.c | 11 ++++++--- 7 files changed, 63 insertions(+), 44 deletions(-) -- 1.8.4.2
A new version of Coverity found a number of issues: parse_ip_address(): FORWARD_NULL - Benign issue regarding how 'tmp_ip' was compared against NULL for the IPv6 processing and then used blindly later when strdup()'ing into *ip. Rather than use NULL check, compare against return of 1 or more which indicates that something is there update_system_settings(): RESOURCE_LEAK - The 'uuid' value was being leaked if strdup()'d. Also rather than strdup()'g and strdup()'d value and risking failure, just assign the initially strdup()'d value and reinitialize uuid to NULL fv_vssd_to_domain(): USE_AFTER_FREE - The domain->os_info.fv.arch is free()'d only to be potentially strdup()'d after processing the 'cu_get_str_prop()' for "Arch". The complaint was that it was possible to not strdup() a new value and thus possible to pass a free()'d value to get_default_machine(). Passing a NULL is not an issue as that is checked. Additionally found by inspection, 'val' was not initialized to NULL, so the setting of os_info.fv.arch may not be what was expected. Also, after processing "Arch" it was not reinitialized to NULL so its contents could potentially have been saved in os_info.fv.machine. Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/Virt_VirtualSystemManagementService.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/Virt_VirtualSystemManagementService.c b/src/Virt_VirtualSystemManagementService.c index 5c7238f..b624d8c 100644 --- a/src/Virt_VirtualSystemManagementService.c +++ b/src/Virt_VirtualSystemManagementService.c @@ -464,7 +464,7 @@ static int fv_vssd_to_domain(CMPIInstance *inst, { int ret = 1; int retr; - const char *val; + const char *val = NULL; const char *domtype = NULL; const char *ostype = "hvm"; struct capabilities *capsinfo = NULL; @@ -494,6 +494,7 @@ static int fv_vssd_to_domain(CMPIInstance *inst, } free(domain->os_info.fv.arch); + domain->os_info.fv.arch = NULL; retr = cu_get_str_prop(inst, "Arch", &val); if (retr != CMPI_RC_OK) { if (capsinfo != NULL) { /* set default */ @@ -506,6 +507,8 @@ static int fv_vssd_to_domain(CMPIInstance *inst, domain->os_info.fv.arch = strdup(val); free(domain->os_info.fv.machine); + domain->os_info.fv.machine = NULL; + val = NULL; retr = cu_get_str_prop(inst, "Machine", &val); if (retr != CMPI_RC_OK) { if (capsinfo != NULL && domtype != NULL) { /* set default */ @@ -1415,7 +1418,7 @@ static int parse_ip_address(const char *id, if (strstr(id, "[") != NULL) { /* its an ipv6 address */ ret = sscanf(id, "%a[^]]]:%as", &tmp_ip, &tmp_port); - if (tmp_ip != NULL) { + if (ret >= 1) { tmp_ip = realloc(tmp_ip, strlen(tmp_ip) + 2); if (tmp_ip == NULL) { ret = 0; @@ -2798,7 +2801,8 @@ static CMPIStatus update_system_settings(const CMPIContext *context, } if ((dominfo->uuid == NULL) || (STREQ(dominfo->uuid, ""))) { - dominfo->uuid = strdup(uuid); + dominfo->uuid = uuid; + uuid = NULL; } else if (!STREQ(uuid, dominfo->uuid)) { cu_statusf(_BROKER, &s, CMPI_RC_ERR_FAILED, @@ -2829,6 +2833,7 @@ static CMPIStatus update_system_settings(const CMPIContext *context, } out: + free(uuid); free(xml); virDomainFree(dom); virConnectClose(conn); -- 1.8.4.2
A new version of Coverity found a number of issues:
parse_ip_address(): FORWARD_NULL - Benign issue regarding how 'tmp_ip' was compared against NULL for the IPv6 processing and then used blindly later when strdup()'ing into *ip. Rather than use NULL check, compare against return of 1 or more which indicates that something is there
update_system_settings(): RESOURCE_LEAK - The 'uuid' value was being leaked if strdup()'d. Also rather than strdup()'g and strdup()'d value and risking failure, just assign the initially strdup()'d value and reinitialize uuid to NULL
fv_vssd_to_domain(): USE_AFTER_FREE - The domain->os_info.fv.arch is free()'d only to be potentially strdup()'d after processing the 'cu_get_str_prop()' for "Arch". The complaint was that it was possible to not strdup() a new value and thus possible to pass a free()'d value to get_default_machine(). Passing a NULL is not an issue as that is checked.
Additionally found by inspection, 'val' was not initialized to NULL, so the setting of os_info.fv.arch may not be what was expected. Also, after processing "Arch" it was not reinitialized to NULL so its contents could potentially have been saved in os_info.fv.machine.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/Virt_VirtualSystemManagementService.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/Virt_VirtualSystemManagementService.c b/src/Virt_VirtualSystemManagementService.c index 5c7238f..b624d8c 100644 --- a/src/Virt_VirtualSystemManagementService.c +++ b/src/Virt_VirtualSystemManagementService.c @@ -464,7 +464,7 @@ static int fv_vssd_to_domain(CMPIInstance *inst, { int ret = 1; int retr; - const char *val; + const char *val = NULL; const char *domtype = NULL; const char *ostype = "hvm"; struct capabilities *capsinfo = NULL; @@ -494,6 +494,7 @@ static int fv_vssd_to_domain(CMPIInstance *inst, }
free(domain->os_info.fv.arch); + domain->os_info.fv.arch = NULL; retr = cu_get_str_prop(inst, "Arch", &val); if (retr != CMPI_RC_OK) { if (capsinfo != NULL) { /* set default */ @@ -506,6 +507,8 @@ static int fv_vssd_to_domain(CMPIInstance *inst, domain->os_info.fv.arch = strdup(val);
free(domain->os_info.fv.machine); + domain->os_info.fv.machine = NULL; + val = NULL; retr = cu_get_str_prop(inst, "Machine", &val); if (retr != CMPI_RC_OK) { if (capsinfo != NULL && domtype != NULL) { /* set default */ @@ -1415,7 +1418,7 @@ static int parse_ip_address(const char *id, if (strstr(id, "[") != NULL) { /* its an ipv6 address */ ret = sscanf(id, "%a[^]]]:%as", &tmp_ip, &tmp_port); - if (tmp_ip != NULL) { + if (ret >= 1) { tmp_ip = realloc(tmp_ip, strlen(tmp_ip) + 2); if (tmp_ip == NULL) { ret = 0; @@ -2798,7 +2801,8 @@ static CMPIStatus update_system_settings(const CMPIContext *context, }
if ((dominfo->uuid == NULL) || (STREQ(dominfo->uuid, ""))) { - dominfo->uuid = strdup(uuid); + dominfo->uuid = uuid; + uuid = NULL; I am getting a compile error here and below for the free of uuid. error: assignment discards 'const' qualifier from pointer target type [-Werror] error: passing argument 1 of 'free' discards 'const' qualifier from
On 01/22/2014 08:30 PM, John Ferlan wrote: pointer target type [-Werror] Removing the const in the declaration works... for me.
} else if (!STREQ(uuid, dominfo->uuid)) { cu_statusf(_BROKER, &s, CMPI_RC_ERR_FAILED, @@ -2829,6 +2833,7 @@ static CMPIStatus update_system_settings(const CMPIContext *context, }
out: + free(uuid); free(xml); virDomainFree(dom); virConnectClose(conn);
-- Mit freundlichen Grüßen/Kind regards Boris Fiuczynski IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martina Köderitz Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294
On 02/04/2014 10:24 AM, Boris Fiuczynski wrote:
On 01/22/2014 08:30 PM, John Ferlan wrote:
<...snip...>
@@ -2798,7 +2801,8 @@ static CMPIStatus update_system_settings(const CMPIContext *context, }
if ((dominfo->uuid == NULL) || (STREQ(dominfo->uuid, ""))) { - dominfo->uuid = strdup(uuid); + dominfo->uuid = uuid; + uuid = NULL; I am getting a compile error here and below for the free of uuid. error: assignment discards 'const' qualifier from pointer target type [-Werror] error: passing argument 1 of 'free' discards 'const' qualifier from pointer target type [-Werror]
Removing the const in the declaration works... for me.
Strange - mine didn't complain, but one would also think that the prior code doing a uuid = strdup(dominfo->uuid); would elicit the same issue! Anyway, adjusted the definition from "const char *uuid" to just "char *uuid". In actually reading and thinking about the code, do you think a "free(dominfo->uuid);" prior to the setting should be added too? In the event it was the empty string? Not sure how it gets set that way, but since cleanup_dominfo() would free() it if it was "" or whatever real value is, then I suppose better safe than sorry. Tks, John
} else if (!STREQ(uuid, dominfo->uuid)) { cu_statusf(_BROKER, &s, CMPI_RC_ERR_FAILED, @@ -2829,6 +2833,7 @@ static CMPIStatus update_system_settings(const CMPIContext *context, }
out: + free(uuid); free(xml); virDomainFree(dom); virConnectClose(conn);
On 02/05/2014 02:14 PM, John Ferlan wrote:
On 02/04/2014 10:24 AM, Boris Fiuczynski wrote:
On 01/22/2014 08:30 PM, John Ferlan wrote:
<...snip...>
@@ -2798,7 +2801,8 @@ static CMPIStatus update_system_settings(const CMPIContext *context, }
if ((dominfo->uuid == NULL) || (STREQ(dominfo->uuid, ""))) { - dominfo->uuid = strdup(uuid); + dominfo->uuid = uuid; + uuid = NULL; I am getting a compile error here and below for the free of uuid. error: assignment discards 'const' qualifier from pointer target type [-Werror] error: passing argument 1 of 'free' discards 'const' qualifier from pointer target type [-Werror]
Removing the const in the declaration works... for me.
Strange - mine didn't complain, but one would also think that the prior code doing a uuid = strdup(dominfo->uuid); would elicit the same issue!
Anyway, adjusted the definition from "const char *uuid" to just "char *uuid".
In actually reading and thinking about the code, do you think a "free(dominfo->uuid);" prior to the setting should be added too? In the event it was the empty string? Not sure how it gets set that way, but since cleanup_dominfo() would free() it if it was "" or whatever real value is, then I suppose better safe than sorry.
Yeah, to be 100% sure I guess just freeing it is ok... :-)
Tks,
John
} else if (!STREQ(uuid, dominfo->uuid)) { cu_statusf(_BROKER, &s, CMPI_RC_ERR_FAILED, @@ -2829,6 +2833,7 @@ static CMPIStatus update_system_settings(const CMPIContext *context, }
out: + free(uuid); free(xml); virDomainFree(dom); virConnectClose(conn);
_______________________________________________ Libvirt-cim mailing list Libvirt-cim@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-cim
-- Mit freundlichen Grüßen/Kind regards Boris Fiuczynski IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martina Köderitz Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294
A new version of Coverity found a number of issues: get_pool_from_xml(): FORWARD_NULL parse_disk_pool(): RESOURCE_LEAK - If parse_disk_pool() returned name == NULL, then the strdup() of name into pool->id would dereference the NULL pointer leading to a segfault. Furthermore parse_disk_pool() had a few issues. First the 'type_str' could be NULL, so that needs to be checked. Second, 'type_str' was never free()'d (the get_attr_value returns a strdup()'d value). Realizing all that resulted in a few extra changes to not strdup() a value that we strdup()'d Eventually get_pool_from_xml() will return to get_disk_pool() which returns to diskpool_set_capacity() or _new_volume_template() which both error out when return value != 0 (although, I did change the latter to be more explicit and match the former). Finally, even though the parsing of the element will only ever have one "name" value - Coverity doesn't know that, so as a benign fix be sure to not overwrite 'name' if "name" isn't already set. Signed-off-by: John Ferlan <jferlan@redhat.com> --- libxkutil/pool_parsing.c | 39 ++++++++++++++++++----------------- src/Virt_SettingsDefineCapabilities.c | 2 +- 2 files changed, 21 insertions(+), 20 deletions(-) diff --git a/libxkutil/pool_parsing.c b/libxkutil/pool_parsing.c index 922ff32..80bd4ca 100644 --- a/libxkutil/pool_parsing.c +++ b/libxkutil/pool_parsing.c @@ -194,15 +194,17 @@ char *get_disk_pool_type(uint16_t type) } -static const char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) +static char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) { xmlNode **nodes = nsv->nodeTab; xmlNode *child; - const char *type_str = NULL; - const char *name = NULL; + char *type_str = NULL; + char *name = NULL; int type = 0; type_str = get_attr_value(nodes[0], "type"); + if (type_str == NULL) + return NULL; if (STREQC(type_str, "dir")) type = DISK_POOL_DIR; @@ -220,12 +222,15 @@ static const char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) type = DISK_POOL_SCSI; else type = DISK_POOL_UNKNOWN; + free(type_str); pool->pool_type = type; - + for (child = nodes[0]->children; child != NULL; child = child->next) { - if (XSTREQ(child->name, "name")) { + if (XSTREQ(child->name, "name") && name == NULL) { name = get_node_content(child); + if (name == NULL) + return NULL; } else if (XSTREQ(child->name, "target")) parse_disk_target(child, pool); else if (XSTREQ(child->name, "source")) @@ -238,14 +243,18 @@ static const char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) int get_pool_from_xml(const char *xml, struct virt_pool *pool, int type) { int len; - int ret = 0; + int ret = 1; xmlDoc *xmldoc; xmlXPathContext *xpathctx; xmlXPathObject *xpathobj; const xmlChar *xpathstr = (xmlChar *)"/pool"; - const char *name; CU_DEBUG("Pool XML : %s", xml); + + /* FIXME: Add support for parsing network pools */ + if (type == CIM_RES_TYPE_NET) + return 0; + len = strlen(xml) + 1; if ((xmldoc = xmlParseMemory(xml, len)) == NULL) @@ -257,22 +266,14 @@ int get_pool_from_xml(const char *xml, struct virt_pool *pool, int type) if ((xpathobj = xmlXPathEvalExpression(xpathstr, xpathctx)) == NULL) goto err3; - /* FIXME: Add support for parsing network pools */ - if (type == CIM_RES_TYPE_NET) { - ret = 0; - goto err1; - } - memset(pool, 0, sizeof(*pool)); - pool->type = CIM_RES_TYPE_DISK; - name = parse_disk_pool(xpathobj->nodesetval, - &(pool)->pool_info.disk); - if (name == NULL) + pool->type = CIM_RES_TYPE_DISK; + pool->id = parse_disk_pool(xpathobj->nodesetval, + &(pool)->pool_info.disk); + if (pool->id != NULL) ret = 0; - pool->id = strdup(name); - xmlXPathFreeObject(xpathobj); err3: xmlXPathFreeContext(xpathctx); diff --git a/src/Virt_SettingsDefineCapabilities.c b/src/Virt_SettingsDefineCapabilities.c index fe16e3f..756e46b 100644 --- a/src/Virt_SettingsDefineCapabilities.c +++ b/src/Virt_SettingsDefineCapabilities.c @@ -1376,7 +1376,7 @@ static CMPIStatus _new_volume_template(const CMPIObjectPath *ref, } ret = get_disk_pool(poolptr, &pool); - if (ret == 1) { + if (ret != 0) { virt_set_status(_BROKER, &s, CMPI_RC_ERR_FAILED, virStoragePoolGetConnect(poolptr), -- 1.8.4.2
A new version of Coverity found a number of issues:
get_pool_from_xml(): FORWARD_NULL parse_disk_pool(): RESOURCE_LEAK - If parse_disk_pool() returned name == NULL, then the strdup() of name into pool->id would dereference the NULL pointer leading to a segfault.
Furthermore parse_disk_pool() had a few issues. First the 'type_str' could be NULL, so that needs to be checked. Second, 'type_str' was never free()'d (the get_attr_value returns a strdup()'d value).
Realizing all that resulted in a few extra changes to not strdup() a value that we strdup()'d
Eventually get_pool_from_xml() will return to get_disk_pool() which returns to diskpool_set_capacity() or _new_volume_template() which both error out when return value != 0 (although, I did change the latter to be more explicit and match the former).
Finally, even though the parsing of the element will only ever have one "name" value - Coverity doesn't know that, so as a benign fix be sure to not overwrite 'name' if "name" isn't already set.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- libxkutil/pool_parsing.c | 39 ++++++++++++++++++----------------- src/Virt_SettingsDefineCapabilities.c | 2 +- 2 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/libxkutil/pool_parsing.c b/libxkutil/pool_parsing.c index 922ff32..80bd4ca 100644 --- a/libxkutil/pool_parsing.c +++ b/libxkutil/pool_parsing.c @@ -194,15 +194,17 @@ char *get_disk_pool_type(uint16_t type)
}
-static const char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) +static char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) { xmlNode **nodes = nsv->nodeTab; xmlNode *child; - const char *type_str = NULL; - const char *name = NULL; + char *type_str = NULL; + char *name = NULL; int type = 0;
type_str = get_attr_value(nodes[0], "type"); + if (type_str == NULL) + return NULL;
if (STREQC(type_str, "dir")) type = DISK_POOL_DIR; @@ -220,12 +222,15 @@ static const char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) type = DISK_POOL_SCSI; else type = DISK_POOL_UNKNOWN; + free(type_str);
pool->pool_type = type; - + for (child = nodes[0]->children; child != NULL; child = child->next) { - if (XSTREQ(child->name, "name")) { + if (XSTREQ(child->name, "name") && name == NULL) { name = get_node_content(child); + if (name == NULL) + return NULL; } else if (XSTREQ(child->name, "target")) parse_disk_target(child, pool); else if (XSTREQ(child->name, "source")) @@ -238,14 +243,18 @@ static const char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) int get_pool_from_xml(const char *xml, struct virt_pool *pool, int type) { int len; - int ret = 0; + int ret = 1; Isn't this a bug fix... beside a cleanup? Before the return value was always 0! It also changes the method get_disk_pool in Virt_DevicePool.c in its return value behavior in the same way. The usage of get_disk_pool in the method diskpool_set_capacity checks for the return value and being !=0 it is considered an error (Virt_DevicePool.c line 324). Doesn't that need to get changed in this
On 01/22/2014 08:30 PM, John Ferlan wrote: patch? Even so you mention above in your description the two chained exploitation code pieces it seems that you fixed just one ... or did I miss something?
xmlDoc *xmldoc; xmlXPathContext *xpathctx; xmlXPathObject *xpathobj; const xmlChar *xpathstr = (xmlChar *)"/pool"; - const char *name;
CU_DEBUG("Pool XML : %s", xml); + + /* FIXME: Add support for parsing network pools */ + if (type == CIM_RES_TYPE_NET) + return 0; + len = strlen(xml) + 1;
if ((xmldoc = xmlParseMemory(xml, len)) == NULL) @@ -257,22 +266,14 @@ int get_pool_from_xml(const char *xml, struct virt_pool *pool, int type) if ((xpathobj = xmlXPathEvalExpression(xpathstr, xpathctx)) == NULL) goto err3;
- /* FIXME: Add support for parsing network pools */ - if (type == CIM_RES_TYPE_NET) { - ret = 0; - goto err1; - } - memset(pool, 0, sizeof(*pool));
- pool->type = CIM_RES_TYPE_DISK; - name = parse_disk_pool(xpathobj->nodesetval, - &(pool)->pool_info.disk); - if (name == NULL) + pool->type = CIM_RES_TYPE_DISK; + pool->id = parse_disk_pool(xpathobj->nodesetval, + &(pool)->pool_info.disk); + if (pool->id != NULL) ret = 0;
- pool->id = strdup(name); - xmlXPathFreeObject(xpathobj); err3: xmlXPathFreeContext(xpathctx); diff --git a/src/Virt_SettingsDefineCapabilities.c b/src/Virt_SettingsDefineCapabilities.c index fe16e3f..756e46b 100644 --- a/src/Virt_SettingsDefineCapabilities.c +++ b/src/Virt_SettingsDefineCapabilities.c @@ -1376,7 +1376,7 @@ static CMPIStatus _new_volume_template(const CMPIObjectPath *ref, }
ret = get_disk_pool(poolptr, &pool); - if (ret == 1) { + if (ret != 0) { virt_set_status(_BROKER, &s, CMPI_RC_ERR_FAILED, virStoragePoolGetConnect(poolptr),
src/Virt_DevicePool.c line 324 =! change seems to be missing. -- Mit freundlichen Grüßen/Kind regards Boris Fiuczynski IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martina Köderitz Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294
On 02/04/2014 07:31 AM, Boris Fiuczynski wrote:
On 01/22/2014 08:30 PM, John Ferlan wrote:
A new version of Coverity found a number of issues:
get_pool_from_xml(): FORWARD_NULL parse_disk_pool(): RESOURCE_LEAK - If parse_disk_pool() returned name == NULL, then the strdup() of name into pool->id would dereference the NULL pointer leading to a segfault.
Furthermore parse_disk_pool() had a few issues. First the 'type_str' could be NULL, so that needs to be checked. Second, 'type_str' was never free()'d (the get_attr_value returns a strdup()'d value).
Realizing all that resulted in a few extra changes to not strdup() a value that we strdup()'d
Eventually get_pool_from_xml() will return to get_disk_pool() which returns to diskpool_set_capacity() or _new_volume_template() which both error out when return value != 0 (although, I did change the latter to be more explicit and match the former).
Finally, even though the parsing of the element will only ever have one "name" value - Coverity doesn't know that, so as a benign fix be sure to not overwrite 'name' if "name" isn't already set.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- libxkutil/pool_parsing.c | 39 ++++++++++++++++++----------------- src/Virt_SettingsDefineCapabilities.c | 2 +- 2 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/libxkutil/pool_parsing.c b/libxkutil/pool_parsing.c index 922ff32..80bd4ca 100644 --- a/libxkutil/pool_parsing.c +++ b/libxkutil/pool_parsing.c @@ -194,15 +194,17 @@ char *get_disk_pool_type(uint16_t type)
}
-static const char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) +static char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) { xmlNode **nodes = nsv->nodeTab; xmlNode *child; - const char *type_str = NULL; - const char *name = NULL; + char *type_str = NULL; + char *name = NULL; int type = 0;
type_str = get_attr_value(nodes[0], "type"); + if (type_str == NULL) + return NULL;
if (STREQC(type_str, "dir")) type = DISK_POOL_DIR; @@ -220,12 +222,15 @@ static const char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) type = DISK_POOL_SCSI; else type = DISK_POOL_UNKNOWN; + free(type_str);
pool->pool_type = type; - + for (child = nodes[0]->children; child != NULL; child = child->next) { - if (XSTREQ(child->name, "name")) { + if (XSTREQ(child->name, "name") && name == NULL) { name = get_node_content(child); + if (name == NULL) + return NULL; } else if (XSTREQ(child->name, "target")) parse_disk_target(child, pool); else if (XSTREQ(child->name, "source")) @@ -238,14 +243,18 @@ static const char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) int get_pool_from_xml(const char *xml, struct virt_pool *pool, int type) { int len; - int ret = 0; + int ret = 1; Isn't this a bug fix... beside a cleanup? Before the return value was always 0! It also changes the method get_disk_pool in Virt_DevicePool.c in its return value behavior in the same way.
True - a bug fix insomuch as either caller is concerned, but yet still found by Coverity as a RESOURCE_LEAK initially and then me as I was reading the code... I think the primary way to hit the bug would have been through a *alloc()/strdup() failure though.
The usage of get_disk_pool in the method diskpool_set_capacity checks for the return value and being !=0 it is considered an error (Virt_DevicePool.c line 324). Doesn't that need to get changed in this patch?
I don't think so. Prior to my change/cleanup if anything failed in get_pool_from_xml(), then diskpool_set_capacity() could wrongly or even partially set the properties for "Path", "Host", "SourceDirectory", and "OtherResourceType". Although perhaps only the type would be wrong, since all others actually check for non NULL fields before strdup() and CMSetProperty() calls. Thus perhaps "path" could be set, but host and source directory not due to memory constraints, or some combination of the 3. Probably not a good thing to be happening. Of course there are those that contend that if you're that memory constrained, the code isn't going much further anyway... In any case, all my change does is acknowledge and return the failure which the caller already handled properly. FWIW: For context Line 324 in diskpool_set_capacity(): if (get_disk_pool(pool, &pool_vals) != 0) { CU_DEBUG("Error getting pool path for: %s", _pool->tag); } else { if (pool_vals->pool_info.disk.path != NULL) { pool_str = strdup(pool_vals->pool_info.disk.path); CMSetProperty(inst, "Path", (CMPIValue *)pool_str, CMPI_chars); } ...
Even so you mention above in your description the two chained exploitation code pieces it seems that you fixed just one ... or did I miss something?
The reason for the change in _new_volume_template() was to match the return comparison from diskpool_set_capacity()... It's unnecessary technically. One used to fail on "ret == 1" and the other when "ret != 0". Now both fail in the ret != 0 case. It's the "Type A personality" in me that does that. John
xmlDoc *xmldoc; xmlXPathContext *xpathctx; xmlXPathObject *xpathobj; const xmlChar *xpathstr = (xmlChar *)"/pool"; - const char *name;
CU_DEBUG("Pool XML : %s", xml); + + /* FIXME: Add support for parsing network pools */ + if (type == CIM_RES_TYPE_NET) + return 0; + len = strlen(xml) + 1;
if ((xmldoc = xmlParseMemory(xml, len)) == NULL) @@ -257,22 +266,14 @@ int get_pool_from_xml(const char *xml, struct virt_pool *pool, int type) if ((xpathobj = xmlXPathEvalExpression(xpathstr, xpathctx)) == NULL) goto err3;
- /* FIXME: Add support for parsing network pools */ - if (type == CIM_RES_TYPE_NET) { - ret = 0; - goto err1; - } - memset(pool, 0, sizeof(*pool));
- pool->type = CIM_RES_TYPE_DISK; - name = parse_disk_pool(xpathobj->nodesetval, - &(pool)->pool_info.disk); - if (name == NULL) + pool->type = CIM_RES_TYPE_DISK; + pool->id = parse_disk_pool(xpathobj->nodesetval, + &(pool)->pool_info.disk); + if (pool->id != NULL) ret = 0;
- pool->id = strdup(name); - xmlXPathFreeObject(xpathobj); err3: xmlXPathFreeContext(xpathctx); diff --git a/src/Virt_SettingsDefineCapabilities.c b/src/Virt_SettingsDefineCapabilities.c index fe16e3f..756e46b 100644 --- a/src/Virt_SettingsDefineCapabilities.c +++ b/src/Virt_SettingsDefineCapabilities.c @@ -1376,7 +1376,7 @@ static CMPIStatus _new_volume_template(const CMPIObjectPath *ref, }
ret = get_disk_pool(poolptr, &pool); - if (ret == 1) { + if (ret != 0) { virt_set_status(_BROKER, &s, CMPI_RC_ERR_FAILED, virStoragePoolGetConnect(poolptr),
src/Virt_DevicePool.c line 324 =! change seems to be missing.
On 02/05/2014 03:08 PM, John Ferlan wrote:
On 02/04/2014 07:31 AM, Boris Fiuczynski wrote:
On 01/22/2014 08:30 PM, John Ferlan wrote:
A new version of Coverity found a number of issues:
get_pool_from_xml(): FORWARD_NULL parse_disk_pool(): RESOURCE_LEAK - If parse_disk_pool() returned name == NULL, then the strdup() of name into pool->id would dereference the NULL pointer leading to a segfault.
Furthermore parse_disk_pool() had a few issues. First the 'type_str' could be NULL, so that needs to be checked. Second, 'type_str' was never free()'d (the get_attr_value returns a strdup()'d value).
Realizing all that resulted in a few extra changes to not strdup() a value that we strdup()'d
Eventually get_pool_from_xml() will return to get_disk_pool() which returns to diskpool_set_capacity() or _new_volume_template() which both error out when return value != 0 (although, I did change the latter to be more explicit and match the former).
Finally, even though the parsing of the element will only ever have one "name" value - Coverity doesn't know that, so as a benign fix be sure to not overwrite 'name' if "name" isn't already set.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- libxkutil/pool_parsing.c | 39 ++++++++++++++++++----------------- src/Virt_SettingsDefineCapabilities.c | 2 +- 2 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/libxkutil/pool_parsing.c b/libxkutil/pool_parsing.c index 922ff32..80bd4ca 100644 --- a/libxkutil/pool_parsing.c +++ b/libxkutil/pool_parsing.c @@ -194,15 +194,17 @@ char *get_disk_pool_type(uint16_t type)
}
-static const char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) +static char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) { xmlNode **nodes = nsv->nodeTab; xmlNode *child; - const char *type_str = NULL; - const char *name = NULL; + char *type_str = NULL; + char *name = NULL; int type = 0;
type_str = get_attr_value(nodes[0], "type"); + if (type_str == NULL) + return NULL;
if (STREQC(type_str, "dir")) type = DISK_POOL_DIR; @@ -220,12 +222,15 @@ static const char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) type = DISK_POOL_SCSI; else type = DISK_POOL_UNKNOWN; + free(type_str);
pool->pool_type = type; - + for (child = nodes[0]->children; child != NULL; child = child->next) { - if (XSTREQ(child->name, "name")) { + if (XSTREQ(child->name, "name") && name == NULL) { name = get_node_content(child); + if (name == NULL) + return NULL; } else if (XSTREQ(child->name, "target")) parse_disk_target(child, pool); else if (XSTREQ(child->name, "source")) @@ -238,14 +243,18 @@ static const char *parse_disk_pool(xmlNodeSet *nsv, struct disk_pool *pool) int get_pool_from_xml(const char *xml, struct virt_pool *pool, int type) { int len; - int ret = 0; + int ret = 1; Isn't this a bug fix... beside a cleanup? Before the return value was always 0! It also changes the method get_disk_pool in Virt_DevicePool.c in its return value behavior in the same way.
True - a bug fix insomuch as either caller is concerned, but yet still found by Coverity as a RESOURCE_LEAK initially and then me as I was reading the code... I think the primary way to hit the bug would have been through a *alloc()/strdup() failure though.
The usage of get_disk_pool in the method diskpool_set_capacity checks for the return value and being !=0 it is considered an error (Virt_DevicePool.c line 324). Doesn't that need to get changed in this patch?
I don't think so. Prior to my change/cleanup if anything failed in get_pool_from_xml(), then diskpool_set_capacity() could wrongly or even partially set the properties for "Path", "Host", "SourceDirectory", and "OtherResourceType". Although perhaps only the type would be wrong, since all others actually check for non NULL fields before strdup() and CMSetProperty() calls. Thus perhaps "path" could be set, but host and source directory not due to memory constraints, or some combination of the 3. Probably not a good thing to be happening. Of course there are those that contend that if you're that memory constrained, the code isn't going much further anyway...
In any case, all my change does is acknowledge and return the failure which the caller already handled properly.
FWIW: For context
Line 324 in diskpool_set_capacity():
if (get_disk_pool(pool, &pool_vals) != 0) { CU_DEBUG("Error getting pool path for: %s", _pool->tag); } else { if (pool_vals->pool_info.disk.path != NULL) { pool_str = strdup(pool_vals->pool_info.disk.path); CMSetProperty(inst, "Path", (CMPIValue *)pool_str, CMPI_chars); } ...
Sorry, but you are right. I missed one line in get_pool_from_xml that screwed up my logic. Works fine. I also did run cimtest on my system and it remained the same.
Even so you mention above in your description the two chained exploitation code pieces it seems that you fixed just one ... or did I miss something?
The reason for the change in _new_volume_template() was to match the return comparison from diskpool_set_capacity()... It's unnecessary technically. One used to fail on "ret == 1" and the other when "ret != 0". Now both fail in the ret != 0 case. It's the "Type A personality" in me that does that.
John
xmlDoc *xmldoc; xmlXPathContext *xpathctx; xmlXPathObject *xpathobj; const xmlChar *xpathstr = (xmlChar *)"/pool"; - const char *name;
CU_DEBUG("Pool XML : %s", xml); + + /* FIXME: Add support for parsing network pools */ + if (type == CIM_RES_TYPE_NET) + return 0; + len = strlen(xml) + 1;
if ((xmldoc = xmlParseMemory(xml, len)) == NULL) @@ -257,22 +266,14 @@ int get_pool_from_xml(const char *xml, struct virt_pool *pool, int type) if ((xpathobj = xmlXPathEvalExpression(xpathstr, xpathctx)) == NULL) goto err3;
- /* FIXME: Add support for parsing network pools */ - if (type == CIM_RES_TYPE_NET) { - ret = 0; - goto err1; - } - memset(pool, 0, sizeof(*pool));
- pool->type = CIM_RES_TYPE_DISK; - name = parse_disk_pool(xpathobj->nodesetval, - &(pool)->pool_info.disk); - if (name == NULL) + pool->type = CIM_RES_TYPE_DISK; + pool->id = parse_disk_pool(xpathobj->nodesetval, + &(pool)->pool_info.disk); + if (pool->id != NULL) ret = 0;
- pool->id = strdup(name); - xmlXPathFreeObject(xpathobj); err3: xmlXPathFreeContext(xpathctx); diff --git a/src/Virt_SettingsDefineCapabilities.c b/src/Virt_SettingsDefineCapabilities.c index fe16e3f..756e46b 100644 --- a/src/Virt_SettingsDefineCapabilities.c +++ b/src/Virt_SettingsDefineCapabilities.c @@ -1376,7 +1376,7 @@ static CMPIStatus _new_volume_template(const CMPIObjectPath *ref, }
ret = get_disk_pool(poolptr, &pool); - if (ret == 1) { + if (ret != 0) { virt_set_status(_BROKER, &s, CMPI_RC_ERR_FAILED, virStoragePoolGetConnect(poolptr),
src/Virt_DevicePool.c line 324 =! change seems to be missing.
_______________________________________________ Libvirt-cim mailing list Libvirt-cim@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-cim
-- Mit freundlichen Grüßen/Kind regards Boris Fiuczynski IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martina Köderitz Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294
A new version of Coverity found a number of issues: parse_os(): RESOURCE_LEAK - A benign issue due to using a for() loop in order to process the XML fields. Although it's not possible to have a second entry with the same text, Coverity doesn't know that so flagged each of the get_attr_value() calls with a possible overwrite of allocated memory. In order to "fix' that - just check for each being NULL prior to the setting - a benign fix that shuts Coverity up - A real issue was found - the 'loader' variable wasn't free()'d parse_console_device(): RESOURCE_LEAK - A benign issue due to using a for() loop in order to process the XML fields results in 'target_port_ID' and 'udp_source_mode' being flagged for possible overwrites. For the 'udp_source_mode' changed the code to declare, use, free only within the scope of the case. Signed-off-by: John Ferlan <jferlan@redhat.com> --- libxkutil/device_parsing.c | 41 +++++++++++++++++++++++------------------ 1 file changed, 23 insertions(+), 18 deletions(-) diff --git a/libxkutil/device_parsing.c b/libxkutil/device_parsing.c index 56e39c7..4dd9e58 100644 --- a/libxkutil/device_parsing.c +++ b/libxkutil/device_parsing.c @@ -853,7 +853,6 @@ static int parse_console_device(xmlNode *node, struct virt_device **vdevs) struct console_device *cdev = NULL; char *source_type_str = NULL; char *target_port_ID = NULL; - char *udp_source_mode = NULL; xmlNode *child = NULL; @@ -875,7 +874,7 @@ static int parse_console_device(xmlNode *node, struct virt_device **vdevs) CU_DEBUG("console device type ID = %d", cdev->source_type); for (child = node->children; child != NULL; child = child->next) { - if (XSTREQ(child->name, "target")) { + if (XSTREQ(child->name, "target") && target_port_ID == NULL) { cdev->target_type = get_attr_value(child, "type"); CU_DEBUG("Console device target type = '%s'", cdev->target_type ? : "NULL"); @@ -910,7 +909,9 @@ static int parse_console_device(xmlNode *node, struct virt_device **vdevs) get_attr_value(child, "path"); break; case CIM_CHARDEV_SOURCE_TYPE_UDP: - udp_source_mode = get_attr_value(child, "mode"); + { + char *udp_source_mode = get_attr_value(child, + "mode"); if (udp_source_mode == NULL) goto err; if (STREQC(udp_source_mode, "bind")) { @@ -925,10 +926,13 @@ static int parse_console_device(xmlNode *node, struct virt_device **vdevs) get_attr_value(child, "service"); } else { CU_DEBUG("unknown udp mode: %s", - udp_source_mode ? : "NULL"); + udp_source_mode); + free(udp_source_mode); goto err; } + free(udp_source_mode); break; + } case CIM_CHARDEV_SOURCE_TYPE_TCP: cdev->source_dev.tcp.mode = get_attr_value(child, "mode"); @@ -965,14 +969,12 @@ static int parse_console_device(xmlNode *node, struct virt_device **vdevs) *vdevs = vdev; free(source_type_str); free(target_port_ID); - free(udp_source_mode); return 1; err: free(source_type_str); free(target_port_ID); - free(udp_source_mode); cleanup_console_device(cdev); free(vdev); @@ -1500,33 +1502,35 @@ static int parse_os(struct domain *dominfo, xmlNode *os) for (child = os->children; child != NULL; child = child->next) { if (XSTREQ(child->name, "type")) { STRPROP(dominfo, os_info.pv.type, child); - arch = get_attr_value(child, "arch"); - machine = get_attr_value(child, "machine"); - } else if (XSTREQ(child->name, "kernel")) + if (arch == NULL) + arch = get_attr_value(child, "arch"); + if (machine == NULL) + machine = get_attr_value(child, "machine"); + } else if (XSTREQ(child->name, "kernel") && kernel == NULL) kernel = get_node_content(child); - else if (XSTREQ(child->name, "initrd")) + else if (XSTREQ(child->name, "initrd") && initrd == NULL) initrd = get_node_content(child); - else if (XSTREQ(child->name, "cmdline")) + else if (XSTREQ(child->name, "cmdline") && cmdline == NULL) cmdline = get_node_content(child); - else if (XSTREQ(child->name, "loader")) + else if (XSTREQ(child->name, "loader") && loader == NULL) loader = get_node_content(child); - else if (XSTREQ(child->name, "boot")) { + else if (XSTREQ(child->name, "boot") && boot == NULL) { char **tmp_list = NULL; - tmp_list = (char **)realloc(blist, - (bl_size + 1) * + tmp_list = (char **)realloc(blist, + (bl_size + 1) * sizeof(char *)); if (tmp_list == NULL) { // Nothing you can do. Just go on. CU_DEBUG("Could not alloc space for " "boot device"); - continue; + continue; } blist = tmp_list; - + blist[bl_size] = get_attr_value(child, "dev"); bl_size++; - } else if (XSTREQ(child->name, "init")) + } else if (XSTREQ(child->name, "init") && init == NULL) init = get_node_content(child); } @@ -1580,6 +1584,7 @@ static int parse_os(struct domain *dominfo, xmlNode *os) free(kernel); free(initrd); free(cmdline); + free(loader); free(boot); free(init); cleanup_bootlist(blist, bl_size); -- 1.8.4.2
A new version of Coverity found: print_domxml(): RESOURCE_LEAK - The 'xml' variable needs to be free()'d Signed-off-by: John Ferlan <jferlan@redhat.com> --- libxkutil/xml_parse_test.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libxkutil/xml_parse_test.c b/libxkutil/xml_parse_test.c index 374bcf6..303880d 100644 --- a/libxkutil/xml_parse_test.c +++ b/libxkutil/xml_parse_test.c @@ -192,6 +192,7 @@ static void print_domxml(struct domain *dominfo, printf("Failed to create system XML\n"); else printf("%s\n", xml); + free(xml); } static char *read_from_file(FILE *file) -- 1.8.4.2
A new version of Coverity found: filter_by_pool(): RESOURCE_LEAK - Because the code is run within a for() loop Coverity complains that the returned 'poolid' is not free'd during each pass through the loop. So even though it may not be fetched again, just free() and reinitialize 'poolid' after usage Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/Virt_ResourceAllocationFromPool.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/Virt_ResourceAllocationFromPool.c b/src/Virt_ResourceAllocationFromPool.c index 7088900..7bee729 100644 --- a/src/Virt_ResourceAllocationFromPool.c +++ b/src/Virt_ResourceAllocationFromPool.c @@ -120,9 +120,12 @@ static int filter_by_pool(struct inst_list *dest, poolid = pool_member_of(_BROKER, CLASSNAME(op), type, rasd_id); if ((poolid != NULL) && STREQ(poolid, _poolid)) inst_list_add(dest, inst); - } - free(poolid); + if (poolid != NULL) { + free(poolid); + poolid = NULL; + } + } return dest->cur; } -- 1.8.4.2
A new version of Coverity found: get_dev_from_pool(): RESOURCE_LEAK - Because the code is run within a for() loop Coverity complains that the returned 'poolid' is not free'd during each pass through the loop. So even though it may not be fetched again, just free() and reinitialize 'poolid' after usage Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/Virt_ElementAllocatedFromPool.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/Virt_ElementAllocatedFromPool.c b/src/Virt_ElementAllocatedFromPool.c index 03d856a..2c2f2d1 100644 --- a/src/Virt_ElementAllocatedFromPool.c +++ b/src/Virt_ElementAllocatedFromPool.c @@ -124,10 +124,14 @@ static CMPIStatus get_dev_from_pool(const CMPIObjectPath *ref, poolid = pool_member_of(_BROKER, cn, type, dev_id); if (poolid && STREQ(poolid, _poolid)) inst_list_add(list, inst); + + if (poolid) { + free(poolid); + poolid = NULL; + } } out: - free(poolid); inst_list_free(&tmp); return s; -- 1.8.4.2
Currently the sscanf() calls use "%as" or "%a[" in order to allocate and return strings for read fields. It was pointed out to me that this is an older and non-portable method. Instead the "%ms" or "%m[" should be used. Signed-off-by: John Ferlan <jferlan@redhat.com> --- libxkutil/acl_parsing.c | 2 +- libxkutil/device_parsing.c | 2 +- libxkutil/misc_util.c | 2 +- src/Virt_ComputerSystemIndication.c | 2 +- src/Virt_Device.c | 6 +++--- src/Virt_DevicePool.c | 8 ++++---- src/Virt_SettingsDefineState.c | 2 +- src/Virt_VirtualSystemManagementService.c | 12 ++++++------ 8 files changed, 18 insertions(+), 18 deletions(-) diff --git a/libxkutil/acl_parsing.c b/libxkutil/acl_parsing.c index 3de6a65..c368b99 100644 --- a/libxkutil/acl_parsing.c +++ b/libxkutil/acl_parsing.c @@ -666,7 +666,7 @@ int parse_rule_id(const char *rule_id, char **filter, int *index) if ((filter == NULL) || (index == NULL)) return 0; - ret = sscanf(rule_id, "%as[^:]:%u", filter, index); + ret = sscanf(rule_id, "%ms[^:]:%u", filter, index); if (ret != 2) { free(*filter); *filter = NULL; diff --git a/libxkutil/device_parsing.c b/libxkutil/device_parsing.c index 4dd9e58..c9ae886 100644 --- a/libxkutil/device_parsing.c +++ b/libxkutil/device_parsing.c @@ -1463,7 +1463,7 @@ int parse_fq_devid(const char *devid, char **host, char **device) { int ret; - ret = sscanf(devid, "%a[^/]/%a[^\n]", host, device); + ret = sscanf(devid, "%m[^/]/%m[^\n]", host, device); if (ret != 2) { free(*host); free(*device); diff --git a/libxkutil/misc_util.c b/libxkutil/misc_util.c index 2164dd0..6a54815 100644 --- a/libxkutil/misc_util.c +++ b/libxkutil/misc_util.c @@ -671,7 +671,7 @@ int parse_id(const char *id, char *tmp_pfx = NULL; char *tmp_name = NULL; - ret = sscanf(id, "%a[^:]:%a[^\n]", &tmp_pfx, &tmp_name); + ret = sscanf(id, "%m[^:]:%m[^\n]", &tmp_pfx, &tmp_name); if (ret != 2) { ret = 0; goto out; diff --git a/src/Virt_ComputerSystemIndication.c b/src/Virt_ComputerSystemIndication.c index 20c60bc..32bee97 100644 --- a/src/Virt_ComputerSystemIndication.c +++ b/src/Virt_ComputerSystemIndication.c @@ -382,7 +382,7 @@ static char *sys_name_from_xml(char *xml) goto out; } - rc = sscanf(tmp, "<name>%a[^<]s</name>", &name); + rc = sscanf(tmp, "<name>%m[^<]s</name>", &name); if (rc != 1) { name = NULL; } diff --git a/src/Virt_Device.c b/src/Virt_Device.c index b93e592..12ae6bd 100644 --- a/src/Virt_Device.c +++ b/src/Virt_Device.c @@ -675,7 +675,7 @@ static CMPIStatus return_enum_devices(const CMPIObjectPath *reference, s = enum_devices(_BROKER, reference, - NULL, + NULL, res_type_from_device_classname(CLASSNAME(reference)), &list); if (s.rc != CMPI_RC_OK) @@ -696,7 +696,7 @@ static int parse_devid(const char *devid, char **dom, char **dev) { int ret; - ret = sscanf(devid, "%a[^/]/%as", dom, dev); + ret = sscanf(devid, "%m[^/]/%ms", dom, dev); if (ret != 2) { free(*dom); free(*dev); @@ -711,7 +711,7 @@ static int proc_dev_list(uint64_t quantity, { int i; - *list = (struct virt_device *)calloc(quantity, + *list = (struct virt_device *)calloc(quantity, sizeof(struct virt_device)); for (i = 0; i < quantity; i++) { diff --git a/src/Virt_DevicePool.c b/src/Virt_DevicePool.c index d6e51ba..aae7ed4 100644 --- a/src/Virt_DevicePool.c +++ b/src/Virt_DevicePool.c @@ -383,11 +383,11 @@ static bool _diskpool_is_member(virConnectPtr conn, pool_vol = virStoragePoolLookupByVolume(vol); if (vol != NULL) { - pool_name = virStoragePoolGetName(pool_vol); + pool_name = virStoragePoolGetName(pool_vol); if ((pool_name != NULL) && (STREQC(pool_name, pool->tag))) result = true; } - + out: CU_DEBUG("Image %s in pool %s: %s", file, @@ -405,7 +405,7 @@ static bool parse_diskpool_line(struct tmp_disk_pool *pool, { int ret; - ret = sscanf(line, "%as %as", &pool->tag, &pool->path); + ret = sscanf(line, "%ms %ms", &pool->tag, &pool->path); if (ret != 2) { free(pool->tag); free(pool->path); @@ -1610,7 +1610,7 @@ CMPIStatus get_pool_by_name(const CMPIBroker *broker, goto out; } - ret = sscanf(id, "%*[^/]/%a[^\n]", &poolid); + ret = sscanf(id, "%*[^/]/%m[^\n]", &poolid); if (ret != 1) { cu_statusf(broker, &s, CMPI_RC_ERR_NOT_FOUND, diff --git a/src/Virt_SettingsDefineState.c b/src/Virt_SettingsDefineState.c index be2ded5..c8cda97 100644 --- a/src/Virt_SettingsDefineState.c +++ b/src/Virt_SettingsDefineState.c @@ -298,7 +298,7 @@ static CMPIStatus vssd_to_vs(const CMPIObjectPath *ref, goto out; } - ret = sscanf(id, "%a[^:]:%as", &pfx, &name); + ret = sscanf(id, "%m[^:]:%ms", &pfx, &name); if (ret != 2) { cu_statusf(_BROKER, &s, CMPI_RC_ERR_FAILED, diff --git a/src/Virt_VirtualSystemManagementService.c b/src/Virt_VirtualSystemManagementService.c index b624d8c..d31e477 100644 --- a/src/Virt_VirtualSystemManagementService.c +++ b/src/Virt_VirtualSystemManagementService.c @@ -1330,7 +1330,7 @@ static int parse_console_address(const char *id, CU_DEBUG("Entering parse_console_address, address is %s", id); - ret = sscanf(id, "%a[^:]:%as", &tmp_path, &tmp_port); + ret = sscanf(id, "%m[^:]:%ms", &tmp_path, &tmp_port); if (ret != 2) { ret = 0; @@ -1366,10 +1366,10 @@ static int parse_sdl_address(const char *id, CU_DEBUG("Entering parse_sdl_address, address is %s", id); - ret = sscanf(id, "%a[^:]:%as", &tmp_xauth, &tmp_display); + ret = sscanf(id, "%m[^:]:%ms", &tmp_xauth, &tmp_display); if (ret <= 0) { - ret = sscanf(id, ":%as", &tmp_display); + ret = sscanf(id, ":%ms", &tmp_display); if (ret <= 0) { if (STREQC(id, ":")) { /* do nothing, it is empty */ @@ -1417,7 +1417,7 @@ static int parse_ip_address(const char *id, CU_DEBUG("Entering parse_ip_address, address is %s", id); if (strstr(id, "[") != NULL) { /* its an ipv6 address */ - ret = sscanf(id, "%a[^]]]:%as", &tmp_ip, &tmp_port); + ret = sscanf(id, "%m[^]]]:%ms", &tmp_ip, &tmp_port); if (ret >= 1) { tmp_ip = realloc(tmp_ip, strlen(tmp_ip) + 2); if (tmp_ip == NULL) { @@ -1427,7 +1427,7 @@ static int parse_ip_address(const char *id, strcat(tmp_ip, "]"); } } else { - ret = sscanf(id, "%a[^:]:%as", &tmp_ip, &tmp_port); + ret = sscanf(id, "%m[^:]:%ms", &tmp_ip, &tmp_port); } /* ret == 2: address and port, ret == 1: address only */ @@ -1464,7 +1464,7 @@ static bool parse_console_url(const char *url, CU_DEBUG("Entering parse_console_url:'%s'", url); - if (sscanf(url,"%a[^:]://%as", &tmp_protocol, &tmp_address) != 2) + if (sscanf(url,"%m[^:]://%ms", &tmp_protocol, &tmp_address) != 2) goto out; if (parse_ip_address(tmp_address, host, port) < 1) -- 1.8.4.2
Hello, I have compile errors when installing libvirt-cim from sources on UBUNTU 13.10 (amd-64 plateform) I am using openpegasus as cimom, and i installed libcmpiutil successfully Bellow are the erros i get after make command (i followed instructions on the website http://wiki.libvirt.org/page/Libvirt-cim_setup) ..... make[2]: Entering directory `/usr/local/src/libvirt-cim/libvirt-cim-0.6.3/src' CC Virt_VirtualSystemManagementService.lo Virt_VirtualSystemManagementService.c: In function '_update_resources_for': Virt_VirtualSystemManagementService.c:2936:17: warning: implicit declaration of function 'cu_merge_instances' [-Wimplicit-function-declaration] s = cu_merge_instances(rasd, orig_inst); ^ Virt_VirtualSystemManagementService.c:2936:19: error: incompatible types when assigning to type 'CMPIStatus' from type 'int' s = cu_merge_instances(rasd, orig_inst); ^ make[2]: *** [Virt_VirtualSystemManagementService.lo] Error 1 make[2]: Leaving directory `/usr/local/src/libvirt-cim/libvirt-cim-0.6.3/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/usr/local/src/libvirt-cim/libvirt-cim-0.6.3' make: *** [all] Error 2 ... PS: the following commands do not working: $ hg clone http://libvirt.org/hg/libcmpiutil/ $ hg clone http://libvirt.org/hg/libvirt-cim/ the server says : abort: HTTP Error 404: Not Found Best Regards Amine Bouabid
On 01/22/2014 02:30 PM, John Ferlan wrote:
A recent Coverity version update discovered some existing issues (and some benign cases). This patch set cleans them all up.
John Ferlan (6): VSMS: Coverity cleanups libxkutil:pool_parsing: Coverity cleanups libxkutil:device_parsing: Coverity cleanups libxkutil/xml_parse_test: Coverity cleanup RAFP: Coverity cleanup EAFP: Coverity cleanup
libxkutil/device_parsing.c | 41 +++++++++++++++++-------------- libxkutil/pool_parsing.c | 39 +++++++++++++++-------------- libxkutil/xml_parse_test.c | 1 + src/Virt_ElementAllocatedFromPool.c | 6 ++++- src/Virt_ResourceAllocationFromPool.c | 7 ++++-- src/Virt_SettingsDefineCapabilities.c | 2 +- src/Virt_VirtualSystemManagementService.c | 11 ++++++--- 7 files changed, 63 insertions(+), 44 deletions(-)
Patch 1 & 2 are now pushed. Tks, John
On 01/22/2014 02:30 PM, John Ferlan wrote:
A recent Coverity version update discovered some existing issues (and some benign cases). This patch set cleans them all up.
John Ferlan (6): VSMS: Coverity cleanups libxkutil:pool_parsing: Coverity cleanups libxkutil:device_parsing: Coverity cleanups libxkutil/xml_parse_test: Coverity cleanup RAFP: Coverity cleanup EAFP: Coverity cleanup
libxkutil/device_parsing.c | 41 +++++++++++++++++-------------- libxkutil/pool_parsing.c | 39 +++++++++++++++-------------- libxkutil/xml_parse_test.c | 1 + src/Virt_ElementAllocatedFromPool.c | 6 ++++- src/Virt_ResourceAllocationFromPool.c | 7 ++++-- src/Virt_SettingsDefineCapabilities.c | 2 +- src/Virt_VirtualSystemManagementService.c | 11 ++++++--- 7 files changed, 63 insertions(+), 44 deletions(-)
Ping? Any thoughts/comments on patches 3 -> 7? Tks, John
On 02/17/2014 08:40 PM, John Ferlan wrote:
On 01/22/2014 02:30 PM, John Ferlan wrote:
A recent Coverity version update discovered some existing issues (and some benign cases). This patch set cleans them all up.
John Ferlan (6): VSMS: Coverity cleanups libxkutil:pool_parsing: Coverity cleanups libxkutil:device_parsing: Coverity cleanups libxkutil/xml_parse_test: Coverity cleanup RAFP: Coverity cleanup EAFP: Coverity cleanup
libxkutil/device_parsing.c | 41 +++++++++++++++++-------------- libxkutil/pool_parsing.c | 39 +++++++++++++++-------------- libxkutil/xml_parse_test.c | 1 + src/Virt_ElementAllocatedFromPool.c | 6 ++++- src/Virt_ResourceAllocationFromPool.c | 7 ++++-- src/Virt_SettingsDefineCapabilities.c | 2 +- src/Virt_VirtualSystemManagementService.c | 11 ++++++--- 7 files changed, 63 insertions(+), 44 deletions(-)
Ping? Any thoughts/comments on patches 3 -> 7?
Look OK to me. Sorry, for the late answer. Distraction made me forget to send you a response on these. -- Mit freundlichen Grüßen/Kind regards Boris Fiuczynski IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martina Köderitz Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294
On 02/18/2014 08:56 AM, Boris Fiuczynski wrote:
On 02/17/2014 08:40 PM, John Ferlan wrote:
On 01/22/2014 02:30 PM, John Ferlan wrote:
A recent Coverity version update discovered some existing issues (and some benign cases). This patch set cleans them all up.
John Ferlan (6): VSMS: Coverity cleanups libxkutil:pool_parsing: Coverity cleanups libxkutil:device_parsing: Coverity cleanups libxkutil/xml_parse_test: Coverity cleanup RAFP: Coverity cleanup EAFP: Coverity cleanup
libxkutil/device_parsing.c | 41 +++++++++++++++++-------------- libxkutil/pool_parsing.c | 39 +++++++++++++++-------------- libxkutil/xml_parse_test.c | 1 + src/Virt_ElementAllocatedFromPool.c | 6 ++++- src/Virt_ResourceAllocationFromPool.c | 7 ++++-- src/Virt_SettingsDefineCapabilities.c | 2 +- src/Virt_VirtualSystemManagementService.c | 11 ++++++--- 7 files changed, 63 insertions(+), 44 deletions(-)
Ping? Any thoughts/comments on patches 3 -> 7?
Look OK to me. Sorry, for the late answer. Distraction made me forget to send you a response on these.
Great - thanks. These are now pushed. John
participants (3)
-
Boris Fiuczynski -
bouabid@dtri.cerist.dz -
John Ferlan