Issue 134103
Summary False-positive: code analyzer does not know what "accept()/recvfrom()" does [initializing arguments by pointer]
Labels new issue
Assignees
Reporter alavrentiev
Consider the following code snippet:
```
struct sockaddr_in addr;
socklen_t addrlen = sizeof(addr);
sock = accept (fd, (struct sockaddr*) &addr, &addrlen);
if (sock < 0) {
// 14←Assuming 'sock' is >= 0
  return False;
}
... /* nothing touches "addr" in the interim */
host = addr.sin_addr.s_addr;
// 18←Assigned value is garbage or undefined
```
At "18" a bogus report is flagged. Even if the code analyzer did not know what the `accept()` syscall does, giving the function (which can't be previewed at the source code level) the benefit of the doubt, it should be considered that the call did initialize its argument `addr` passed by pointer, thus validating its entire contents. No garbage.

The same happens for the `recvfrom()` call:
```
if (recvfrom(s_Sock[0], buf, sizeof(buf), 0, (struct sockaddr*) &sin, &sinlen) > 0) {
 ...
 from = sin.sin_addr.s_addr;
 // 13←Assigned value is garbage or undefined
}
```

BTW, using a different technique of dealing with the `accept()` peculiarity causes the same bogus report:
```
union {
  struct sockaddr     sa;
  struct sockaddr_in  in;
  struct sockaddr_in6 in6;
  struct sockaddr_un  un;
} u;
...
fd = accept (sock, &u.sa, &addrlen);
...
assert(u.un.sun_family == AF_UNIX);
// 28←The left operand of '==' is a garbage value
```

_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
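
A defensive way to read the peer address in the snippets above, as an added example that is not part of the original report: zero the buffer before the call, then check the length and family the call returned before touching `sin_addr`, so every field read has a defined value whatever the call wrote. The names `peer_ipv4` and `accept_ipv4` and the sample address in `main` are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical helper: copy the IPv4 peer address out of a buffer filled by
 * accept()/recvfrom(). Returns 0 on success, -1 if too few bytes were
 * written or the family is not AF_INET, so unwritten fields are never read. */
int peer_ipv4(const struct sockaddr_storage *ss, socklen_t len, in_addr_t *out)
{
    struct sockaddr_in in;

    if (len < (socklen_t) sizeof(in) || ss->ss_family != AF_INET)
        return -1;
    memcpy(&in, ss, sizeof(in));        /* copy instead of an aliasing cast */
    *out = in.sin_addr.s_addr;
    return 0;
}

/* Hypothetical wrapper: the buffer is zeroed and addrlen holds the full
 * buffer size on input; on return it holds what the kernel actually wrote. */
int accept_ipv4(int fd, in_addr_t *host)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    int sock;

    memset(&ss, 0, sizeof(ss));
    sock = accept(fd, (struct sockaddr *) &ss, &len);
    if (sock < 0)
        return -1;
    if (peer_ipv4(&ss, len, host) != 0)
        *host = htonl(INADDR_ANY);      /* peer is not IPv4 (e.g. AF_UNIX) */
    return sock;
}

int main(void)
{
    struct sockaddr_storage ss;         /* constructed sample, no network */
    struct sockaddr_in in;
    in_addr_t host = 0;

    memset(&ss, 0, sizeof(ss));
    memset(&in, 0, sizeof(in));
    in.sin_family = AF_INET;
    in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    memcpy(&ss, &in, sizeof(in));
    printf("full: %d\n", peer_ipv4(&ss, sizeof(in), &host));
    printf("short: %d\n", peer_ipv4(&ss, sizeof(sa_family_t), &host));
    return 0;
}
```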
