Bug 698152

Summary: Coverity scan issues
Product: Red Hat Enterprise Linux 5 Reporter: Michal Luscon <mluscon>
Component: busyboxAssignee: Denys Vlasenko <dvlasenk>
Status: CLOSED NOTABUG QA Contact: qe-baseos-daemons
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.7CC: ovasik
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-15 17:56:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Michal Luscon 2011-04-20 10:23:17 UTC 
Description of problem:

Please check suspicious code in file /shell/hush.c.
line 5475: assigning to variable p return value of function strchr, which may be NULL.
line 5545: dereferencing potentially NULL variable p.

Version-Release number of selected component (if applicable):

1.2.0

Additional info: This defect was not present in current supported version of
busybox package.
Comment 2 RHEL Program Management 2011-05-31 15:49:24 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 3 Denys Vlasenko 2011-06-15 17:56:46 UTC 
(In reply to comment #0)
> Description of problem:
> 
> Please check suspicious code in file /shell/hush.c.
> line 5475: assigning to variable p return value of function strchr, which may
> be NULL.
> line 5545: dereferencing potentially NULL variable p.

The code in question is:

        while ((p = strchr(arg, SPECIAL_VAR_SYMBOL)) != NULL) {
                char first_ch;
                char *to_be_freed = NULL;
                const char *val = NULL;
#if defined CONFIG_HUSH_TICK
                o_string subst_result = NULL_O_STRING;
#endif
#if defined CONFIG_SH_MATH_SUPPORT
                char arith_buf[sizeof(arith_t)*3 + 2];
#endif
                o_addblock(output, arg, p - arg);
                debug_print_list("expand_vars_to_list[1]", output, n);
                arg = ++p;
                p = strchr(p, SPECIAL_VAR_SYMBOL);
...
...
...
                arg = ++p;
        } /* end of "while (SPECIAL_VAR_SYMBOL is found) ..." */

Here we process a "compiled" representation of string, where every $var reference is encoded as <SPECIAL_VAR_SYMBOL>var<SPECIAL_VAR_SYMBOL>. IOW: SPECIAL_VAR_SYMBOL's always appear in pairs here.

This is not a bug.