From 79712feff47b2c275cf1cb1291863476ac45070a Mon Sep 17 00:00:00 2001

From: Thomas Haller <thaller@redhat.com>

Date: Thu, 8 Aug 2019 10:16:54 +0200

Subject: [PATCH 1/4] route: fix strncpy() warning from coverity about

 unterminated string

Coverity says:

  Error: BUFFER_SIZE_WARNING (CWE-120): [#def1]

  libnl-3.4.0/lib/route/cls/ematch/text.c:94: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "t->cfg.algo" of size 16 bytes might leave the destination string unterminated.

  #   92|   	struct text_data *t = rtnl_ematch_data(e);

  #   93|

  #   94|-> 	strncpy(t->cfg.algo, algo, sizeof(t->cfg.algo));

  #   95|   }

  #   96|

  Error: BUFFER_SIZE_WARNING (CWE-120): [#def11]

  libnl-3.4.0/lib/xfrm/sa.c:1192: buffer_size_warning: Calling strncpy with a maximum size argument of 64 bytes on destination array "auth->alg_name" of size 64 bytes might leave the destination string unterminated.

  # 1190|   			}

  # 1191|

  # 1192|-> 			strncpy(auth->alg_name, tmpl->auth->alg_name, sizeof(auth->alg_name));

  # 1193|   			auth->alg_key_len = tmpl->auth->alg_key_len;

  # 1194|   			memcpy(auth->alg_key, tmpl->auth->alg_key, (tmpl->auth->alg_key_len + 7) / 8);

(cherry picked from commit f6f163d68e756d7ee69b93b0ccb4ab24f9764f77)

---

 lib/route/cls/ematch/text.c | 1 +

 lib/xfrm/sa.c               | 1 +

 2 files changed, 2 insertions(+)

diff --git a/lib/route/cls/ematch/text.c b/lib/route/cls/ematch/text.c

index b14c4abb92a7..12a1e747b48a 100644

--- a/lib/route/cls/ematch/text.c

+++ b/lib/route/cls/ematch/text.c

@@ -92,6 +92,7 @@ void rtnl_ematch_text_set_algo(struct rtnl_ematch *e, const char *algo)

 	struct text_data *t = rtnl_ematch_data(e);

 	strncpy(t->cfg.algo, algo, sizeof(t->cfg.algo));

+	t->cfg.algo[sizeof(t->cfg.algo) - 1] = '\0';

 }

 char *rtnl_ematch_text_get_algo(struct rtnl_ematch *e)

diff --git a/lib/xfrm/sa.c b/lib/xfrm/sa.c

index 995df9fd9769..15a3661a9699 100644

--- a/lib/xfrm/sa.c

+++ b/lib/xfrm/sa.c

@@ -1190,6 +1190,7 @@ static int build_xfrm_sa_message(struct xfrmnl_sa *tmpl, int cmd, int flags, str

 			}

 			strncpy(auth->alg_name, tmpl->auth->alg_name, sizeof(auth->alg_name));

+			auth->alg_name[sizeof(auth->alg_name) - 1] = '\0';

 			auth->alg_key_len = tmpl->auth->alg_key_len;

 			memcpy(auth->alg_key, tmpl->auth->alg_key, (tmpl->auth->alg_key_len + 7) / 8);

 			if (nla_put(msg, XFRMA_ALG_AUTH, len, auth) < 0) {

-- 

2.21.0

From d7b51a8a3d2f0ac0e2c306a77bdf479f64154d43 Mon Sep 17 00:00:00 2001

From: Thomas Haller <thaller@redhat.com>

Date: Thu, 8 Aug 2019 10:38:12 +0200

Subject: [PATCH 2/4] link/sriov: fix memleak in rtnl_link_sriov_clone()

Found by Coverity.

(cherry picked from commit f1a085994a78a69abcd583d682b9850bc20ed482)

---

 lib/route/link/sriov.c | 24 ++++++++++++++++++------

 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/lib/route/link/sriov.c b/lib/route/link/sriov.c

index 5c20ecff68f6..2a87cfe5ff3f 100644

--- a/lib/route/link/sriov.c

+++ b/lib/route/link/sriov.c

@@ -109,8 +109,10 @@ int rtnl_link_sriov_clone(struct rtnl_link *dst, struct rtnl_link *src) {

 		if (s_vf->ce_mask & SRIOV_ATTR_ADDR) {

 			vf_addr = nl_addr_clone(s_vf->vf_lladdr);

-			if (!vf_addr)

+			if (!vf_addr) {

+				rtnl_link_vf_put(d_vf);

 				return -NLE_NOMEM;

+			}

 			d_vf->vf_lladdr = vf_addr;

 		}

@@ -120,8 +122,10 @@ int rtnl_link_sriov_clone(struct rtnl_link *dst, struct rtnl_link *src) {

 			err = rtnl_link_vf_vlan_alloc(&dst_vlans,

 						      src_vlans->size);

-			if (err < 0)

+			if (err < 0) {

+				rtnl_link_vf_put(d_vf);

 				return err;

+			}

 			dst_vlan_info = dst_vlans->vlans;

 			memcpy(dst_vlans, src_vlans, sizeof(nl_vf_vlans_t));

 			memcpy(dst_vlan_info, src_vlan_info,

@@ -558,8 +562,10 @@ int rtnl_link_sriov_parse_vflist(struct rtnl_link *link, struct nlattr **tb) {

 			vf_data->vf_lladdr = nl_addr_build(AF_LLC,

 							   vf_lladdr->mac, 6);

-			if (vf_data->vf_lladdr == NULL)

+			if (vf_data->vf_lladdr == NULL) {

+				rtnl_link_vf_put(vf_data);

 				return -NLE_NOMEM;

+			}

 			nl_addr_set_family(vf_data->vf_lladdr, AF_LLC);

 			vf_data->ce_mask |= SRIOV_ATTR_ADDR;

 		}

@@ -576,8 +582,10 @@ int rtnl_link_sriov_parse_vflist(struct rtnl_link *link, struct nlattr **tb) {

 			err = rtnl_link_vf_vlan_info(list_len, vf_vlan_info,

 						     &vf_vlans);

-			if (err < 0)

+			if (err < 0) {

+				rtnl_link_vf_put(vf_data);

 				return err;

+			}

 			vf_data->vf_vlans = vf_vlans;

 			vf_data->ce_mask |= SRIOV_ATTR_VLAN;

@@ -586,8 +594,10 @@ int rtnl_link_sriov_parse_vflist(struct rtnl_link *link, struct nlattr **tb) {

 			if (vf_vlan->vlan) {

 				err = rtnl_link_vf_vlan_alloc(&vf_vlans, 1);

-				if (err < 0)

+				if (err < 0) {

+					rtnl_link_vf_put(vf_data);

 					return err;

+				}

 				vf_vlans->vlans[0].vf_vlan = vf_vlan->vlan;

 				vf_vlans->vlans[0].vf_vlan_qos = vf_vlan->qos;

@@ -649,8 +659,10 @@ int rtnl_link_sriov_parse_vflist(struct rtnl_link *link, struct nlattr **tb) {

 			err = nla_parse_nested(stb, IFLA_VF_STATS_MAX,

 					       t[IFLA_VF_STATS],

 					       sriov_stats_policy);

-			if (err < 0)

+			if (err < 0) {

+				rtnl_link_vf_put(vf_data);

 				return err;

+			}

 			SET_VF_STAT(link, cur, stb,

 				    RTNL_LINK_VF_STATS_RX_PACKETS,

-- 

2.21.0

From 9f910abd4b39015cfdcc78566915ed1d852c0fd1 Mon Sep 17 00:00:00 2001

From: Thomas Haller <thaller@redhat.com>

Date: Tue, 27 Aug 2019 14:43:54 +0200

Subject: [PATCH 3/4] lib: accept %NULL arguments for nl_addr_cmp()

Just be more forgiving. Also, this avoids a coverity warning:

    Error: FORWARD_NULL (CWE-476): [#def1]

    libnl-3.4.0/lib/route/addr.c:502: var_compare_op: Comparing "a->a_peer" to null implies that "a->a_peer" might be null.

    libnl-3.4.0/lib/route/addr.c:513: var_deref_model: Passing null pointer "a->a_peer" to "nl_addr_cmp", which dereferences it.

    libnl-3.4.0/lib/addr.c:587:8: deref_parm: Directly dereferencing parameter "a".

    #  585|   int nl_addr_cmp(const struct nl_addr *a, const struct nl_addr *b)

    #  586|   {

    #  587|-> 	int d = a->a_family - b->a_family;

    #  588|

    #  589|   	if (d == 0) {

https://bugzilla.redhat.com/show_bug.cgi?id=1606988

(cherry picked from commit 34708e2ef048f3788f3f2d5018735b27b156d244)

---

 lib/addr.c | 10 +++++++++-

 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/addr.c b/lib/addr.c

index c299b402a12b..b43791d52179 100644

--- a/lib/addr.c

+++ b/lib/addr.c

@@ -584,8 +584,16 @@ int nl_addr_shared(const struct nl_addr *addr)

  */

 int nl_addr_cmp(const struct nl_addr *a, const struct nl_addr *b)

 {

-	int d = a->a_family - b->a_family;

+	int d;

+

+	if (a == b)

+		return 0;

+	if (!a)

+		return -1;

+	if (!b)

+		return 1;

+	d = a->a_family - b->a_family;

 	if (d == 0) {

 		d = a->a_len - b->a_len;

-- 

2.21.0

From 0fd322bb429228a200cc7935a5b597748faaadf8 Mon Sep 17 00:00:00 2001

From: Thomas Haller <thaller@redhat.com>

Date: Tue, 27 Aug 2019 14:58:35 +0200

Subject: [PATCH 4/4] lib: fix error code from nfnl_exp_build_message()

Otherwise we return success but don't actually set the output

result. This can lead to a crash, in case of out-of-memory.

Found by Coverity.

https://bugzilla.redhat.com/show_bug.cgi?id=1606988

(cherry picked from commit f3d5c44d21243d5eb59bfc2878d4977df2fd1369)

---

 lib/netfilter/exp.c | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/lib/netfilter/exp.c b/lib/netfilter/exp.c

index 24ec55f4c374..947eea0d4bcd 100644

--- a/lib/netfilter/exp.c

+++ b/lib/netfilter/exp.c

@@ -490,6 +490,8 @@ static int nfnl_exp_build_message(const struct nfnl_exp *exp, int cmd, int flags

 	return 0;

 nla_put_failure:

+	err = -NLE_NOMEM;

+

 err_out:

 	nlmsg_free(msg);

 	return err;

-- 

2.21.0