Bug 728169

Summary: Coverity scan revealed defects
Product: Red Hat Enterprise Linux 6 Reporter: Michal Luscon <mluscon>
Component: lldpadAssignee: Petr Šabata <psabata>
Status: CLOSED ERRATA QA Contact: qe-baseos-daemons
Severity: medium Docs Contact:
Priority: low    
Version: 6.2CC: azelinka, kdudka, ppisar, praiskup, psklenar
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: lldpad-0.9.43-3.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 14:40:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Prevent resource leaks in mand_clif_cmd() none

Description Michal Luscon 2011-08-04 09:13:58 UTC 
Description of problem:

/open-lldp/lldp_8021qaz.c:526 - Function "find_module_user_data_by_id" without NULL check (checked 4 out of 5 times).

/open-lldp/lldp_rtnl.c:335, 336 - Macro RTA_DATA expands to the pointer at the end of structure rta. 

/open-lldp/lldp_mand_cmds.c:496 - Function mand_clif_cmd returns without freeing variables args and argvals.

Version-Release number of selected component (if applicable):
0.9.43

Additional info:
These defects were added between RHEL-6.1 and RHEL-6.2 version of package.
Comment 1 Petr Šabata 2011-08-08 13:00:05 UTC 
(In reply to comment #0)
> Description of problem:
> 
> /open-lldp/lldp_8021qaz.c:526 - Function "find_module_user_data_by_id" without
> NULL check (checked 4 out of 5 times).
> 
> /open-lldp/lldp_rtnl.c:335, 336 - Macro RTA_DATA expands to the pointer at the
> end of structure rta. 

Could you provide more info on this one?

> 
> /open-lldp/lldp_mand_cmds.c:496 - Function mand_clif_cmd returns without
> freeing variables args and argvals.

This seems to be bogus. both **args and **argvals are free()'d in every case.

> 
> Version-Release number of selected component (if applicable):
> 0.9.43
> 
> Additional info:
> These defects were added between RHEL-6.1 and RHEL-6.2 version of package.
Comment 6 Petr Šabata 2011-08-15 06:25:01 UTC 
Created attachment 518224 [details]
Prevent resource leaks in mand_clif_cmd()
Comment 8 Petr Šabata 2011-08-15 07:19:36 UTC 
Patch applied in CVS, lldpad-0.9.43-3.el6.
Comment 10 Petr Pisar 2011-08-15 15:07:52 UTC 
I can't understand the nltest.c:get_bcn() perfectly, but I suspect the `nlh' structure is not freed at the end of the function.

Apparently a pointer to nlh space is saved as `d' that turns into `rta_parent' and this into `rta_child'. Then the rta_child iterates over rta_parent and data are copied from there into `bcn_data' structure in rest of the function. Finally the function returns 0, nlh data are carried out as copy by bcn_data argument, but the nlh itself is not not freed.
Comment 11 Kamil Dudka 2011-08-15 15:26:37 UTC 
Coverity cannot analyze functions that walk dynamically linked data structures precisely enough to reveal non-trivial memory leaks introduced during the traversal.  The only thing that Coverity is trying to tell you here is that you leak the memory in case an error happens -- see the lines 784 and 790 (return -EIO).  Anyway this bug is about defects introduced in RHEL-6.2 while the defect you are talking about was in lldpad-0.9.41-4.el6 already.
Comment 13 Petr Pisar 2011-08-16 13:40:04 UTC 
(In reply to comment #11)
> Anyway this bug is about defects introduced in RHEL-6.2 while the
> defect you are talking about was in lldpad-0.9.41-4.el6 already.

Ok. Copying as bug #730989.
Comment 17 errata-xmlrpc 2011-12-06 14:40:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1604.html