Bug 704564

Summary: Possible problems found by static analysis of code
Product: [Fedora] Fedora
Reporter: Jiri Popelka <jpopelka>
Component: symlinks
Assignee: Tim Waugh <twaugh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 15
CC: twaugh
Hardware: All
OS: All
Fixed In Version: symlinks-1.4-4.fc15
Doc Type: Bug Fix
Last Closed: 2011-05-20 15:01:29 UTC
Attachments:
readlink (Flags: none)
overrun_dynamic (Flags: none)

Description Jiri Popelka 2011-05-13 15:37:33 UTC
Description of problem:
Static analysis of the code with/without applied patches discovered
some possible problems in the code.


Version-Release number of selected component (if applicable):
symlinks-1.4-3.fc15

Comment 1 Jiri Popelka 2011-05-13 15:39:39 UTC
Created attachment 498791
readlink

Error: READLINK:
symlinks-1.4/symlinks.c:163: readlink_call: Passing size argument "sizeof (lpath) /*4096*/" implies readlink() can return up to "sizeof (lpath) /*4096*/" bytes.
symlinks-1.4/symlinks.c:163: readlink_assign: Assigning: "c" = readlink().
symlinks-1.4/symlinks.c:167: readlink: "lpath[c]" is essentially buffer[sizeof(buffer)] which is an off-by-one error.

Comment 2 Jiri Popelka 2011-05-13 15:40:36 UTC
Created attachment 498792
overrun_dynamic

Error: OVERRUN_DYNAMIC:
symlinks-1.4/symlinks.c:47: buffer_alloc: Calling allocating function "malloc" which allocated memory dictated by argument "strlen(s)".
symlinks-1.4/symlinks.c:47: var_assign: Assigning: "tmp" = "malloc(strlen(s))".
symlinks-1.4/symlinks.c:58: strcpy_overrun: strcpy, whose first argument "tmp" has length equal to strlen of its second argument "s", will overrun its first argument because of the terminating null.

Error: SIZECHECK:
symlinks-1.4/symlinks.c:47: size_is_strlen: Calling allocating function "malloc" with function argument "strlen(s)". Did you intend to add 1 to the byte count?
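
The two findings above (READLINK and OVERRUN_DYNAMIC/SIZECHECK) are both missing-NUL-byte sizing errors. The following is an added example, not code from symlinks or from this report, showing each pattern in corrected form; the helper names dup_string and read_link_target are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper. Flagged pattern: malloc(strlen(s)) followed by
 * strcpy(tmp, s). strcpy() writes strlen(s) + 1 bytes, so the allocation
 * must count the terminating NUL. */
char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *tmp = malloc(n);
    if (tmp != NULL)
        memcpy(tmp, s, n);
    return tmp;
}

/* Hypothetical helper. Flagged pattern: readlink() called with the full
 * sizeof(lpath), then lpath[c] written. readlink() does not NUL-terminate
 * and may return the full size, so request at most bufsz - 1 bytes to keep
 * buf[c] inside the buffer. Returns the target length, or -1 with errno
 * set. A result equal to bufsz - 1 may mean the target was truncated. */
ssize_t read_link_target(const char *path, char *buf, size_t bufsz)
{
    if (bufsz == 0) {
        errno = EINVAL;
        return -1;
    }
    ssize_t c = readlink(path, buf, bufsz - 1);
    if (c < 0)
        return -1;
    buf[c] = '\0';
    return c;
}

int main(int argc, char **argv)
{
    char lpath[4096];   /* same buffer size the report cites */
    for (int i = 1; i < argc; i++) {
        ssize_t c = read_link_target(argv[i], lpath, sizeof(lpath));
        if (c < 0) { perror(argv[i]); continue; }
        char *copy = dup_string(lpath);
        if (copy == NULL) { perror("malloc"); return 1; }
        printf("%s -> %s\n", argv[i], copy);
        free(copy);
    }
    return 0;
}
```

Run it with one or more symlink paths as arguments; each target is printed after passing through both helpers.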