[libvirt] unchecked malloc+syscall uses
Daniel P. Berrange
berrange at redhat.com
Sun Jun 28 15:42:49 UTC 2009
On Fri, Jun 26, 2009 at 05:45:59PM +0200, Jim Meyering wrote:
> I was looking through recent changes and spotted two potential
> NULL-dereferences in this change set:
>
> http://git.et.redhat.com/?p=libvirt.git;a=commitdiff;h=70c01b4c1adea75e9
>
> In src/opennebula/one_client.c:
>
> + one_client.url=(char *)malloc(64);
> + snprintf(one_client.url, 63, "http://localhost:%d/RPC2", ONED_PORT);
> +#else
> + one_client.url=(char *)"http://localhost:2633/RPC2";
> +#endif
Fortunetaly this one is within a #ifdef ONED_PORT, which is not defined
so the problem code won't be compiled. We should still kill it though
> --
> + file_text=(char *)malloc(size+1);
> + bytes_read=read(file, file_text, size);
> + close(file);
> +
> + if(bytes_read==size) {
Time for a syntax-check rule to blacklist malloc() & friends from all
code. I'd like to blacklist snprintf/sprintf too but there's still quite
alot of usage of those.
>
> Perhaps of more immediate concern,
> these syscalls are not checked for failure:
>
> + file=open(template_file, O_RDONLY);
> + size=lseek(file, 0, SEEK_END);
> + lseek(file, 0, SEEK_SET);
>
> and same for the "read" syscall above.
This particular method isn't used either - we switched the code to avoid
temporary files, so we should kill this too.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
More information about the libvir-list
mailing list