Re: [libvirt] unchecked malloc+syscall uses
On Fri, Jun 26, 2009 at 05:45:59PM +0200, Jim Meyering wrote:
I was looking through recent changes and spotted two potential
NULL-dereferences in this change set:
http://git.et.redhat.com/?p=libvirt.git;a=commitdiff;h=70c01b4c1adea75e9
In src/opennebula/one_client.c:
+ one_client.url=(char *)malloc(64);
+ snprintf(one_client.url, 63, "http://localhost:%d/RPC2", ONED_PORT);
+#else
+ one_client.url=(char *)"http://localhost:2633/RPC2";
+#endif
Fortunetaly this one is within a #ifdef ONED_PORT, which is not defined
so the problem code won't be compiled. We should still kill it though
--
+ file_text=(char *)malloc(size+1);
+ bytes_read=read(file, file_text, size);
+ close(file);
+
+ if(bytes_read==size) {
Time for a syntax-check rule to blacklist malloc() & friends from all
code. I'd like to blacklist snprintf/sprintf too but there's still quite
alot of usage of those.
Perhaps of more immediate concern,
these syscalls are not checked for failure:
+ file=open(template_file, O_RDONLY);
+ size=lseek(file, 0, SEEK_END);
+ lseek(file, 0, SEEK_SET);
and same for the "read" syscall above.
This particular method isn't used either - we switched the code to avoid
temporary files, so we should kill this too.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|