On Thu, Oct 13, 2022 at 02:04:34PM -0500, Eric Blake wrote:
> I just fixed a bug in nbdkit for incorrectly calling
> free(gnutls_session_t) after gnutls_init(&session, ...) fails:
> https://gitlab.com/nbdkit/nbdkit/-/commit/40faf3dfb20c06b9c5faa0a122607e3ae7c6202a
>
> But in the process, I was browsing the source code to gnutls_init() to
> see why Coverity wasn't flagging free(opaque_type) as fishy, and found
> that there is a nasty lurking bug:
>
> int gnutls_init(gnutls_session_t * session, unsigned int flags)
> {
>     int ret;
>
>     FAIL_IF_LIB_ERROR;
>
>     *session = gnutls_calloc(1, sizeof(struct gnutls_session_int));
>
> Note that *session is left uninitialized if FAIL_IF_LIB_ERROR; causes
> an early return GNUTLS_E_LIB_IN_ERROR_STATE. If a caller (properly)
> treats gnutls_session_t as an opaque type, and does not try to
> zero-initialize it (as there is no way to know that 0 is a safe value
> for an opaque type), then writing:
>
> gnutls_session_t session;
> int err = gnutls_init (&session, GNUTLS_SERVER);
> if (err < 0)
>     gnutls_deinit (session);
>
> is a bug waiting to happen, because it WILL cause gnutls_deinit() to
> attempt to dereference an uninitialized pointer if session remains
> uninitialized because of an earlier library error.
Thanks for fixing this - I will do some backports to the stable branches later since this seems like an important fix.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top

_______________________________________________
Libguestfs mailing list
Libguestfs@redhat.com
https://listman.redhat.com/mailman/listinfo/libguestfs
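The caller-side pattern the quoted mail argues for, as an added example that is not part of the thread, nbdkit or gnutls: the handle is treated as unowned until init reports success, so the early-return path never reaches deinit. The gnutls calls are replaced by constructed stubs (fake_init, fake_deinit, FAKE_* names and values are all assumptions made so the snippet runs without the library); the stub reproduces the quoted behaviour of returning before *session is assigned.

```c
#include <stddef.h>

/* Constructed stand-ins for gnutls_init()/gnutls_deinit(); not the real
 * library. fake_init() mirrors the quoted early-return path: on a library
 * error it returns before *session is written. */
typedef struct fake_session_int { unsigned flags; } *fake_session_t;
enum { FAKE_E_LIB_IN_ERROR_STATE = -1 };     /* constructed error code */
enum { FAKE_SERVER = 1 };                    /* constructed flag value */

static int fake_lib_in_error = 0;            /* simulates FAIL_IF_LIB_ERROR firing */
static struct fake_session_int fake_storage; /* stands in for gnutls_calloc() */
static int fake_deinit_calls = 0;            /* how often deinit ran */
static int fake_deinit_bad_handle = 0;       /* deinit saw a handle init never produced */

static int fake_init(fake_session_t *session, unsigned flags)
{
    if (fake_lib_in_error)
        return FAKE_E_LIB_IN_ERROR_STATE;    /* *session left untouched, as quoted */
    fake_storage.flags = flags;
    *session = &fake_storage;
    return 0;
}

static void fake_deinit(fake_session_t session)
{
    fake_deinit_calls++;
    if (session != &fake_storage)
        fake_deinit_bad_handle++;            /* the real call would dereference this */
}

/* Hardened caller: deinit only runs on the path where init succeeded, so a
 * library error can never hand an uninitialized handle to deinit. */
int run_session(int simulate_lib_error)
{
    fake_session_t session = NULL;           /* defensive only; NULL is not assumed safe to deinit */
    fake_lib_in_error = simulate_lib_error;
    int err = fake_init(&session, FAKE_SERVER);
    if (err < 0)
        return err;                          /* nothing was created, nothing to free */
    /* ... use the session ... */
    fake_deinit(session);
    return 0;
}

/* Accessors so a test can inspect what the stub observed. */
int deinit_calls(void) { return fake_deinit_calls; }
int deinit_bad_handles(void) { return fake_deinit_bad_handle; }
```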