[libvirt] [PATCH 02/26] remote_driver: Resolve Coverity RESOURCE_LEAK
John Ferlan
jferlan at redhat.com
Thu Sep 11 16:25:30 UTC 2014
On 09/11/2014 11:55 AM, Eric Blake wrote:
> On 09/11/2014 02:38 AM, Peter Krempa wrote:
>> On 09/05/14 00:26, John Ferlan wrote:
>>> Since 98b9acf5aa02551dd37d0209339aba2e22e4004a
>>>
>>> This ends up being a false positive for two reasons...
>>>
>>> expected to be already allocated and thus is passed by value; whereas,
>>> the call into remoteDomainGetJobStats() 'params' is passed by reference.
>>> Thus if the VIR_ALLOC is done there is no way for it to be leaked for
>>> callers that passed by value.
>>>
>>> path that handles 'nparams == 0 && params == NULL' on entry. Thus all
>
> Careful, my virDomainBlockCopy API passes nparams==0 && params ==
> (non-NULL 0-length array) from the RPC daemon/remote.c receiver into the
> libvirtd side of the API call. It tripped me up the first time I tried
> to assert that nparams==0 implied params==NULL, and failed the test.
>
Well in general the newer Coverity has been squawking about this case -
that is assumptions where nparams/params type parameters are used. In
most cases, it's a "for (i = 0; i < nparams; i++)" do something with
"params[i]" that get flagged on the params[i] reference because there's
no nparams == 0 type check.
Particular to this query though the code in question is
remoteDeserializeTypedParameters(); whereas, the remoteDomainBlockCopy()
uses remoteSerializeTypedParameters().
And yes, it's all very tricky. While I do believe from reading the code
that this particular case is a false positive - I really was trying to
find a way around making too many changes. Open to suggestions naturally!
John
>>> other callers have guaranteed that 'params' is non NULL. Of course
>>> Coverity isn't wise enough to pick up on this, but nonetheless is
>>> does point out something "future callers" for which future callers
>>> need to be aware.
>>>
>>> Even though it is a false positive, it's probably a good idea to at
>>> least make some sort of check (and to "trick" Coverity into believing
>>> we know what we're doing). The easiest/cheapest way was to check
>>> the input 'limit' value. For the remoteDomainGetJobStats() it is
>>> passed as 0 indicating (perhaps) that the caller has done the
>>> limits length checking already and that its caller can handle
>>> allocating something that can be passed back to the caller.
>
>>
>> This unfortunately breaks the remote driver impl of GetAllDomainStats.
>> As it seems that the limit parameter isn't used for automatically
>> allocated arrays and I expected that it is I'll need either fix the
>> remote impl of the stats function or add support for checking the limit
>> here. And I probably prefer option 2, fixing
>> remoteDeserializeTypedParameters to use limit correctly even for
>> auto-alloced typed parameters.
>
> I haven't looked closely at the patch, but it is a tricky area of code.
>
More information about the libvir-list
mailing list