From 415bd4e43b2c27e3999923c16f5ff39f9b1adcae Mon Sep 17 00:00:00 2001

From: Jerome Marchand <jmarchan@redhat.com>

Date: Thu, 1 Nov 2018 06:18:14 +0100

Subject: [PATCH] covscan: fix miscellaneaous errors (#2003)

* Coverity #def53: COPY_PASTE_ERROR

* Coverity #def18: DC.STREAM_BUFFER. Double-check max length of dev

* Coverity #def44: MISSING_BREAK. This looks like it should be here

* Coverity #def67: STRING_NULL: potential OOB read if 0 bytes read.

* Coverity #def66: FORWARD_NULL: potential null ptr deref

* Coverity #def17: RESOURCE_LEAK: missing free()

* Dont free the result of dirname

dirname() may return pointers to statically allocated memory. Don't

free the pointer it returns.

---

 src/cc/bcc_elf.c                          | 11 +++++++----

 src/cc/bcc_proc.c                         |  4 ++--

 src/cc/frontends/b/type_check.cc          |  1 +

 src/cc/frontends/p4/compiler/ebpfTable.py |  2 +-

 src/cc/libbpf.c                           | 20 +++++++++++---------

 5 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/src/cc/bcc_elf.c b/src/cc/bcc_elf.c

index c425db6..0c696bd 100644

--- a/src/cc/bcc_elf.c

+++ b/src/cc/bcc_elf.c

@@ -398,6 +398,7 @@ static int verify_checksum(const char *file, unsigned int crc) {

 static char *find_debug_via_debuglink(Elf *e, const char *binpath,

                                       int check_crc) {

   char fullpath[PATH_MAX];

+  char *tmppath;

   char *bindir = NULL;

   char *res = NULL;

   unsigned int crc;

@@ -406,8 +407,8 @@ static char *find_debug_via_debuglink(Elf *e, const char *binpath,

   if (!find_debuglink(e, &name, &crc))

     return NULL;

-  bindir = strdup(binpath);

-  bindir = dirname(bindir);

+  tmppath = strdup(binpath);

+  bindir = dirname(tmppath);

   // Search for the file in 'binpath', but ignore the file we find if it

   // matches the binary itself: the binary will always be probed later on,

@@ -434,9 +435,11 @@ static char *find_debug_via_debuglink(Elf *e, const char *binpath,

   }

 DONE:

-  free(bindir);

-  if (res && check_crc && !verify_checksum(res, crc))

+  free(tmppath);

+  if (res && check_crc && !verify_checksum(res, crc)) {

+    free(res);

     return NULL;

+  }

   return res;

 }

diff --git a/src/cc/bcc_proc.c b/src/cc/bcc_proc.c

index d694eb9..f1c30c2 100644

--- a/src/cc/bcc_proc.c

+++ b/src/cc/bcc_proc.c

@@ -92,14 +92,14 @@ int bcc_procutils_each_module(int pid, bcc_procutils_modulecb callback,

   if (!procmap)

     return -1;

-  char buf[PATH_MAX + 1], perm[5], dev[8];

+  char buf[PATH_MAX + 1], perm[5], dev[6];

   char *name;

   uint64_t begin, end, inode;

   unsigned long long offset;

   while (true) {

     buf[0] = '\0';

     // From fs/proc/task_mmu.c:show_map_vma

-    if (fscanf(procmap, "%lx-%lx %s %llx %s %lu%[^\n]", &begin, &end, perm,

+    if (fscanf(procmap, "%lx-%lx %4s %llx %5s %lu%[^\n]", &begin, &end, perm,

                &offset, dev, &inode, buf) != 7)

       break;

diff --git a/src/cc/frontends/b/type_check.cc b/src/cc/frontends/b/type_check.cc

index 8d49de9..7c5b7ce 100644

--- a/src/cc/frontends/b/type_check.cc

+++ b/src/cc/frontends/b/type_check.cc

@@ -204,6 +204,7 @@ StatusTuple TypeCheck::visit_binop_expr_node(BinopExprNode *n) {

     case Tok::TCGT:

     case Tok::TCGE:

       n->bit_width_ = 1;

+      break;

     default:

       n->bit_width_ = std::max(n->lhs_->bit_width_, n->rhs_->bit_width_);

   }

diff --git a/src/cc/frontends/p4/compiler/ebpfTable.py b/src/cc/frontends/p4/compiler/ebpfTable.py

index eb1efd9..4b7e023 100644

--- a/src/cc/frontends/p4/compiler/ebpfTable.py

+++ b/src/cc/frontends/p4/compiler/ebpfTable.py

@@ -110,7 +110,7 @@ import ebpfAction

                 ebpfHeader = program.getInstance(instance.name)

                 assert isinstance(ebpfHeader, ebpfInstance.SimpleInstance)

                 basetype = ebpfHeader.type

-                eInstance = program.getInstance(instance.base_name)

+                eInstance = program.getInstance(instance.name)

             ebpfField = basetype.getField(fieldname)

             assert isinstance(ebpfField, ebpfStructType.EbpfField)

diff --git a/src/cc/libbpf.c b/src/cc/libbpf.c

index 8a7caec..5cf3554 100644

--- a/src/cc/libbpf.c

+++ b/src/cc/libbpf.c

@@ -521,14 +521,16 @@ int bpf_prog_load(enum bpf_prog_type prog_type, const char *name,

     }

   }

-  if (strncmp(name, "kprobe__", 8) == 0)

-    name_offset = 8;

-  else if (strncmp(name, "tracepoint__", 12) == 0)

-    name_offset = 12;

-  else if (strncmp(name, "raw_tracepoint__", 16) == 0)

-    name_offset = 16;

-  memcpy(attr.prog_name, name + name_offset,

-         min(name_len - name_offset, BPF_OBJ_NAME_LEN - 1));

+  if (name_len) {

+    if (strncmp(name, "kprobe__", 8) == 0)

+      name_offset = 8;

+    else if (strncmp(name, "tracepoint__", 12) == 0)

+      name_offset = 12;

+    else if (strncmp(name, "raw_tracepoint__", 16) == 0)

+      name_offset = 16;

+    memcpy(attr.prog_name, name + name_offset,

+           min(name_len - name_offset, BPF_OBJ_NAME_LEN - 1));

+  }

   ret = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));

   // BPF object name is not supported on older Kernels.

@@ -698,7 +700,7 @@ static int bpf_get_retprobe_bit(const char *event_type)

   close(fd);

   if (ret < 0 || ret >= sizeof(buf))

     return -1;

-  if (strlen(buf) < strlen("config:"))

+  if (strncmp(buf, "config:", strlen("config:")))

     return -1;

   errno = 0;

   ret = (int)strtol(buf + strlen("config:"), NULL, 10);

-- 

2.17.2