[libvirt] [PATCH 1/2] virnetserverservice: Resolve Coverity ARRAY_VS_SINGLETON

Eric Blake eblake at redhat.com
Thu Aug 28 20:57:15 UTC 2014 

On 08/28/2014 01:28 PM, John Ferlan wrote:
> Coverity complained about the following:
> 
> (3) Event ptr_arith:
>    Performing pointer arithmetic on "cur_fd" in expression "cur_fd++".
> 130             return virNetServerServiceNewFD(*cur_fd++,
> 
> It seems the belief is their is pointer arithmetic taking place.  By using
> (*cur_fd)++ we avoid this possible issue

Not just their belief, but the actual C language.

> 
> Signed-off-by: John Ferlan <jferlan at redhat.com>
> ---
>  src/rpc/virnetserverservice.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/rpc/virnetserverservice.c b/src/rpc/virnetserverservice.c
> index fea05c3..486f93e 100644
> --- a/src/rpc/virnetserverservice.c
> +++ b/src/rpc/virnetserverservice.c
> @@ -127,7 +127,7 @@ virNetServerServiceNewFDOrUNIX(const char *path,
>           * There's still enough file descriptors.  In this case we'll
>           * use the current one and increment it afterwards.
>           */
> -        return virNetServerServiceNewFD(*cur_fd++,

In this function, cur_fd is int* (four bytes wide).  Suppose cur_fd
starts life as 0x1000, and we start with memory contents of 3 at 0x1000,
and 4 at 0x1004.

C precedence says this is equivalent to *(cur_fd++) - take the pointer
cur_fd, do a pointer post-increment, then dereference the memory at the
location before the increment.  We end up calling
virNetServerServiceNewFD(3) (the contents of cur_fd before the deref),
the memory at 0x1000 remains at 3, and any further uses of cur_fd would
be at the next location 0x1004 - but we just returned so cur_fd is no
longer in scope, so who cares about that change - we could have just
written '*cur_fd' and been done with it.

> +        return virNetServerServiceNewFD((*cur_fd)++,

While this says dereference cur_fd, then post-increment that location.
We still end up calling virNetServerServiceNewFD(3) (the contents of the
memory location before post-increment), but now cur_fd remains at
0x1000, whose contents are now 4.

The caller, daemon/libvirtd.c:daemonSetupNetworking(), calls this
function twice in a row.  Without your patch, it ends up calling
virNetServerServiceNewFD(3) for regular AND read-only sockets.  With
your patch, it does the intended registration of fd 3 and 4.  I hope
that's not a security bug.  Can you trace when this was introduced?

ACK.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 539 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20140828/f7f82dae/attachment-0001.sig>

More information about the libvir-list mailing list