Viktor Dukhovni:
> On Fri, Mar 19, 2021 at 11:18:27AM -0400, Jaroslav Skarvada wrote:
>
> > 14. postfix-3.5.8/src/util/dict_inline.c:124: uninit_use_in_call: Using
> > uninitialized value "value" when calling "dict_file_to_b64".
> > 17. postfix-3.5.8/src/util/dict_inline.c:125: overwrite_var: Overwriting
> > "err" in "err = free_me = dict_file_get_error(dict)" leaks the storage that
> > "err" points to.
> > # 123|
> > # 124|-> if ((base64_buf = dict_file_to_b64(dict, value)) == 0) {
> > # 125|-> err = free_me = dict_file_get_error(dict);
> > # 126| break;
> > # 127| }
> >
> > I think it could call dict_file_to_b64 with uninitialized value.
>
> Yes, when inline tables in the main.cf file are malformed in a
> particular way, this may not be handled correctly. Patch below.
Can someone provide an input that demonstrates there is a problem?

The 'value' variable is initialized only when 'err' is zero. Otherwise,
the loop will be exited before the 'value' variable would be used.

Also, the claim that 'err' loses a reference to allocated memory is
irrelevant, because such memory is tracked with the 'free_me' variable,
and once it is set, 'free_me' is not overwritten.

I'll simplify the code a bit to make it easier to analyze.

> --- a/src/util/dict_inline.c
> +++ b/src/util/dict_inline.c
> @@ -113,9 +113,11 @@ DICT *dict_inline_open(const char *name, int
> open_flags, int dict_flags)
> dict = dict_open3(DICT_TYPE_HT, name, open_flags, dict_flags);
> dict_type_override(dict, DICT_TYPE_INLINE);
> while ((nameval = mystrtokq(&cp, CHARS_COMMA_SP, CHARS_BRACE)) != 0) {
> - if ((nameval[0] != CHARS_BRACE[0]
> - || (err = free_me = extpar(&nameval, CHARS_BRACE,
> EXTPAR_FLAG_STRIP)) == 0)
> - && (err = split_qnameval(nameval, &vname, &value)) != 0)
> + if (nameval[0] != CHARS_BRACE[0])
> + err = free_me = extpar(&nameval, CHARS_BRACE, EXTPAR_FLAG_STRIP);
> + if (!err)
> + err = split_qnameval(nameval, &vname, &value);
> + if (err)
> break;
>
> if ((dict->flags & DICT_FLAG_SRC_RHS_IS_FILE) != 0) {

I think that the patch should use 'nameval[0] == CHARS_BRACE[0]'

	Wietse
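Review bot: the brace test in the first `+` line is inverted relative to the `-` lines it replaces. In the original condition, `nameval[0] != CHARS_BRACE[0] || (err = free_me = extpar(...)) == 0` short-circuits, so extpar() runs only when the entry starts with CHARS_BRACE[0]; the replacement `if (nameval[0] != CHARS_BRACE[0]) err = free_me = extpar(&nameval, CHARS_BRACE, EXTPAR_FLAG_STRIP);` runs it on the unbraced entries and skips it for the braced ones. It should read `if (nameval[0] == CHARS_BRACE[0])`. Also, the new `if (!err)` test assumes `err` is zero at the top of every iteration; since any non-zero `err` now ends in `break`, that holds only if `err` is initialized to 0 where it is declared, which is outside this hunk and worth confirming in the same change.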
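As an added illustration (not Postfix code, and not written by anyone in this thread), the C model below runs one loop iteration for a single entry in the three shapes under discussion: the original compound condition, the patch as posted with `!=`, and the patch with the `==` Wietse asks for. `extpar_stub()` and `split_stub()` are hypothetical, much-simplified stand-ins for extpar() and split_qnameval(); `probe()` reports whether the loop body would go on to use 'value', break out on an error, or go on with 'value' never having been set.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-ins for extpar() and split_qnameval(): 0 on success, else an error string. */
static const char *extpar_stub(char **s)
{
    size_t n = strlen(*s);
    if (n < 2 || (*s)[0] != '{' || (*s)[n - 1] != '}')
        return "missing '{' or '}'";
    (*s)[n - 1] = 0;
    (*s)++;
    return 0;
}
static const char *split_stub(char *s, char **name, char **value)
{
    char *eq = strchr(s, '=');
    if (eq == 0)
        return "missing '='";
    *eq = 0;
    *name = s;
    *value = eq + 1;
    return 0;
}
enum { VARIANT_ORIG, VARIANT_PATCH_NE, VARIANT_PATCH_EQ };
enum { USED_VALUE, BROKE_OUT, USED_UNSET_VALUE };
/* One iteration of the inline-table loop for one entry, modelled three ways. 'value' starts
 * as 0 so an unset value is detectable (the real loop leaves it uninitialized). */
int probe(const char *entry, int variant)
{
    char buf[64], *nameval = buf, *vname, *value = 0;
    const char *err = 0;
    snprintf(buf, sizeof(buf), "%s", entry);
    if (variant == VARIANT_ORIG) {
        /* Original condition: a failing extpar() makes the left operand false,
         * so the && never reaches 'break' and the body runs with 'value' unset. */
        if ((nameval[0] != '{' || (err = extpar_stub(&nameval)) == 0)
            && (err = split_stub(nameval, &vname, &value)) != 0)
            return BROKE_OUT;
    } else {
        /* Patch shape; PATCH_NE uses the posted '!=', PATCH_EQ the '==' Wietse asks for. */
        int braced = nameval[0] == '{';
        if (variant == VARIANT_PATCH_NE ? !braced : braced)
            err = extpar_stub(&nameval);
        if (!err)
            err = split_stub(nameval, &vname, &value);
        if (err)
            return BROKE_OUT;
    }
    return value == 0 ? USED_UNSET_VALUE : USED_VALUE;
}
```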