fix coverity Defect Type: Null pointer dereferences issues 11846 - 11891
Created attachment 432160 [details] 0001-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432161 [details] 0002-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432163 [details] 0003-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432164 [details] 0004-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432165 [details] 0005-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432166 [details] 0006-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432167 [details] 0007-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432168 [details] 0008-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432169 [details] 0009-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432170 [details] 0010-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432171 [details] 0011-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432173 [details] 0012-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432174 [details] 0013-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432175 [details] 0014-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432176 [details] 0015-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432177 [details] 0016-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432178 [details] 0017-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432180 [details] 0018-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432181 [details] 0019-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432182 [details] 0020-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432183 [details] 0021-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432184 [details] 0022-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Created attachment 432185 [details] 0023-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch
Comment on attachment 432160 [details] 0001-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11846&streamDefectId=12032&defectInstanceId=13893&fileInstanceId=49269
Comment on attachment 432182 [details] 0020-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11847&streamDefectId=12033&defectInstanceId=13895&fileInstanceId=48981
Comment on attachment 432184 [details] 0022-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11849&streamDefectId=12035&defectInstanceId=13897&fileInstanceId=49057 Comment: slapi_pblock_get does not use pb->pb_op in the SLAPI_BACKEND case, but this code should do better checking. I agree with your comment. Let's check all the places in pblock.c that reference pblock->pb_op w/o checking NULL. E.g., 378 case SLAPI_OPINITIATED_TIME: 379 (*(time_t *)value) = pblock->pb_op->o_time; 380 break;
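The pattern the comment asks for in pblock.c, as an added example that is not 389-ds code: a cut-down parameter block whose getter refuses operation-scoped parameters when no operation is attached, instead of dereferencing pb_op. The struct and selector names (pblock_t, op_t, PB_OPINITIATED_TIME, PB_BACKEND, pblock_get, pblock_arg_needs_op) are assumptions for the illustration; it generalises the single SLAPI_OPINITIATED_TIME case above to one table of which selectors require an operation, so every op-scoped case shares the same guard.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Added example, not 389-ds code. A cut-down parameter block in the shape
 * of slapi_pblock_get(): the type names, the PB_* selectors and pblock_get()
 * are assumptions for this illustration. */
typedef struct op {
    time_t o_time;              /* when the operation was initiated */
} op_t;

typedef struct pblock {
    op_t *pb_op;                /* NULL when no operation is attached */
    void *pb_backend;           /* not operation-scoped */
} pblock_t;

enum { PB_OPINITIATED_TIME = 1, PB_BACKEND = 2 };

/* Selectors whose value lives inside pb->pb_op. Listing them in one place
 * means the NULL check below covers all of them instead of being repeated
 * (or forgotten) per case. */
static int pblock_arg_needs_op(int arg)
{
    switch (arg) {
    case PB_OPINITIATED_TIME:
        return 1;
    default:
        return 0;
    }
}

/* Returns 0 on success, -1 if the block, the output slot, or the required
 * operation is missing. The output slot is left untouched on failure. */
int pblock_get(const pblock_t *pb, int arg, void *value)
{
    if (pb == NULL || value == NULL) {
        return -1;
    }
    if (pblock_arg_needs_op(arg) && pb->pb_op == NULL) {
        /* The case the review comment describes: an operation-scoped
         * parameter requested on a block with no operation. Fail instead
         * of dereferencing pb->pb_op. */
        fprintf(stderr, "pblock_get: arg %d requires an operation\n", arg);
        return -1;
    }
    switch (arg) {
    case PB_OPINITIATED_TIME:
        *(time_t *)value = pb->pb_op->o_time;   /* guarded above */
        return 0;
    case PB_BACKEND:
        *(void **)value = pb->pb_backend;       /* safe with pb_op == NULL */
        return 0;
    default:
        return -1;
    }
}

/* Small driver showing the three outcomes on constructed blocks. */
int main(void)
{
    op_t op = { .o_time = 1278000000 };
    int backend_marker = 0;
    pblock_t with_op = { .pb_op = &op, .pb_backend = &backend_marker };
    pblock_t internal = { .pb_op = NULL, .pb_backend = &backend_marker };
    time_t t = 0;
    void *be = NULL;

    printf("with op, time:  rc=%d t=%ld\n",
           pblock_get(&with_op, PB_OPINITIATED_TIME, &t), (long)t);
    printf("no op, time:    rc=%d\n",
           pblock_get(&internal, PB_OPINITIATED_TIME, &t));
    printf("no op, backend: rc=%d be=%p\n",
           pblock_get(&internal, PB_BACKEND, &be), be);
    return 0;
}
```

The point of the table function is auditability: a reviewer (or Coverity) can check that every selector reading through pb_op is listed there, which is what "check all the places in pblock.c that reference pblock->pb_op" amounts to.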
Comment on attachment 432183 [details] 0021-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11850&streamDefectId=12036&defectInstanceId=13898&fileInstanceId=48999
Comment on attachment 432181 [details] 0019-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11851&streamDefectId=12037&defectInstanceId=13899&fileInstanceId=48964 Let's improve the addlenstr side. diff --git a/ldap/servers/slapd/lenstr.c b/ldap/servers/slapd/lenstr.c index 23229f5..ec343d4 100644 --- a/ldap/servers/slapd/lenstr.c +++ b/ldap/servers/slapd/lenstr.c @@ -56,7 +56,11 @@ void addlenstr( lenstr *l, const char *str ) { - size_t len = strlen( str ); + size_t len; + if (NULL == l || NULL == str) { + return; + } + len = strlen( str ); if ( l->ls_buf == NULL ) { addlenstr( lenstr *l, const char *str ) { - size_t len = strlen( str ); + size_t len; + if (NULL == str) { + return; + } + len = strlen( str ); if ( l->ls_buf == NULL ) {
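Review bot: the addlenstr hunk appears twice in this comment with two different guards, and only the first, `if (NULL == l || NULL == str)`, covers the `l->ls_buf` access on the unchanged line that follows; the second variant, `if (NULL == str)`, still dereferences `l`. Keep the version that checks both, and consider whether a NULL `str` should be treated as an empty append or logged, since a silent `return` hides the caller bug the Coverity finding points at.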
Comment on attachment 432185 [details] 0023-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11852&streamDefectId=12038&defectInstanceId=13900&fileInstanceId=49125 Arguments types and buffer_flags are for returning the output from slapi_vattr_list_attrs. int slapi_vattr_list_attrs(/* Entry we're interested in */ Slapi_Entry *e, /* pointer to receive the list */ vattr_type_thang **types, int flags, int *buffer_flags) Probably, we could skip the operation if no output params are given. diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c index b234582..d83b4d0 100644 --- a/ldap/servers/slapd/vattr.c +++ b/ldap/servers/slapd/vattr.c @@ -1215,6 +1215,11 @@ int slapi_vattr_list_attrs(/* Entry we're interested in * size_t block_length = 0; vattr_type_list_context type_context = {0}; + if (NULL == types || NULL == buffer_flags) { + LDAPDebug(LDAP_DEBUG_ANY, "slapi_vattr_list_attrs: invalid param\n", 0, + return -1; + } + block_length = 1 + TYPE_LIST_EXTRA_SPACE;
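Review bot: the added line `LDAPDebug(LDAP_DEBUG_ANY, "slapi_vattr_list_attrs: invalid param\n", 0,` stops after the first `0,` and is immediately followed by `return -1;`, so the call is missing its remaining arguments and closing parenthesis and the hunk as shown will not compile; complete the call before applying. Rejecting NULL `types` or `buffer_flags` up front is the right shape, since, as the comment says, both exist only to receive output.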
Comment on attachment 432163 [details] 0003-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11853&streamDefectId=12039&defectInstanceId=13901&fileInstanceId=49274
Comment on attachment 432164 [details] 0004-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11854&streamDefectId=12040&defectInstanceId=13903&fileInstanceId=49276 http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11855&streamDefectId=12041&defectInstanceId=13904&fileInstanceId=49276
Comment on attachment 432161 [details] 0002-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11857&streamDefectId=12043&defectInstanceId=13906&fileInstanceId=49271 Let's improve slapi_sdn_done side. diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c index e50ec76..01ab536 100644 --- a/ldap/servers/slapd/dn.c +++ b/ldap/servers/slapd/dn.c @@ -1872,6 +1872,9 @@ slapi_sdn_set_parent(Slapi_DN *sdn, const Slapi_DN *parent void slapi_sdn_done(Slapi_DN *sdn) { + if (NULL == sdn) { + return; + } /* sdn_dump( sdn, "slapi_sdn_done"); */ if(sdn->dn!=NULL) {
Comment on attachment 432165 [details] 0005-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11858&streamDefectId=12044&defectInstanceId=13907&fileInstanceId=49277
(In reply to comment #34) > (From update of attachment 432161 [details]) > http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11857&streamDefectId=12043&defectInstanceId=13906&fileInstanceId=49271 > > Let's improve slapi_sdn_done side. > diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c > index e50ec76..01ab536 100644 > --- a/ldap/servers/slapd/dn.c > +++ b/ldap/servers/slapd/dn.c > @@ -1872,6 +1872,9 @@ slapi_sdn_set_parent(Slapi_DN *sdn, const Slapi_DN > *parent > void > slapi_sdn_done(Slapi_DN *sdn) > { > + if (NULL == sdn) { > + return; > + } > /* sdn_dump( sdn, "slapi_sdn_done"); */ > if(sdn->dn!=NULL) > { This is already proposed in the patch 0020. Therefore, we don't need this change in the patch 0002. 768 if ( aclcb->aclcb_sdn ) slapi_sdn_done ( aclcb->aclcb_sdn );
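Review bot: the caller-side guard quoted at line 768, `if ( aclcb->aclcb_sdn ) slapi_sdn_done ( aclcb->aclcb_sdn );`, and the `if (NULL == sdn) return;` inside `slapi_sdn_done` cover the same case; keeping the check in the callee (patch 0020) and dropping the duplicate hunk from patch 0002, as this reply proposes, leaves one place for the rule instead of two that can drift apart.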
Comment on attachment 432165 [details] 0005-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11860&streamDefectId=12046&defectInstanceId=13909&fileInstanceId=49277
Comment on attachment 432182 [details] 0020-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11861&streamDefectId=12047&defectInstanceId=13910&fileInstanceId=49271
Comment on attachment 432166 [details] 0006-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11864&streamDefectId=12050&defectInstanceId=13913&fileInstanceId=49279
Comment on attachment 432167 [details] 0007-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11866&streamDefectId=12052&defectInstanceId=13915&fileInstanceId=49370
Comment on attachment 432167 [details] 0007-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11867&streamDefectId=12053&defectInstanceId=13916&fileInstanceId=49370
Comment on attachment 432167 [details] 0007-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11868&streamDefectId=12054&defectInstanceId=13917&fileInstanceId=49370
Comment on attachment 432167 [details] 0007-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11869&streamDefectId=12055&defectInstanceId=13918&fileInstanceId=49370
Comment on attachment 432167 [details] 0007-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11870&streamDefectId=12056&defectInstanceId=13919&fileInstanceId=49370
Comment on attachment 432167 [details] 0007-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11871&streamDefectId=12057&defectInstanceId=13920&fileInstanceId=49370
Comment on attachment 432167 [details] 0007-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11872&streamDefectId=12058&defectInstanceId=13921&fileInstanceId=49370
Comment on attachment 432168 [details] 0008-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11873&streamDefectId=12059&defectInstanceId=13922&fileInstanceId=49383 0008-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch Instead of using "free", please use slapi_ch_free. @@ -500,6 +507,21 @@ collation_indexer_create (const char* oid) break; /* failed to create the specified collator */ } } + goto done; +error: + if (etc) { + free(etc); + etc = NULL; + } slapi_ch_free((void **)&etc); + if (ix) { + free(ix); + ix = NULL; + } slapi_ch_free((void **)&ix); + if (coll) { + ucol_close (coll); + coll = NULL; + } +done: if (locale) { PR_smprintf_free(locale); locale = NULL;
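Review bot: in the suggested replacement the `slapi_ch_free((void **)&etc);` and `slapi_ch_free((void **)&ix);` calls are shown appended after the `if (etc) { free(etc); etc = NULL; }` and `if (ix) { free(ix); ix = NULL; }` blocks rather than in place of them; each block should become just the one `slapi_ch_free` call, which takes the address of the pointer and so makes the manual `= NULL` reset and the surrounding `if` redundant. The `ucol_close (coll)` branch and the shared `done:` cleanup of `locale` read correctly.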
Comment on attachment 432169 [details] 0009-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11874&streamDefectId=12060&defectInstanceId=13923&fileInstanceId=49421
Comment on attachment 432185 [details] 0023-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11875&streamDefectId=12061&defectInstanceId=13924&fileInstanceId=49125 0023-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch slapi_ch_.*alloc functions never returns NULL (rather, it quits if memory allocation fails). So, no need to check the return value from slapi_ch_.*alloc. @@ -2145,21 +2149,32 @@ vattr_map_entry *vattr_map_entry_new(char *type_name, vattr_sp_handle *sph, void { vattr_map_entry *result = NULL; vattr_sp_handle *sp_copy = NULL; [...] result = (vattr_map_entry*)slapi_ch_calloc(1, sizeof (vattr_map_entry)); result->type_name = slapi_ch_strdup(type_name); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ result->sp_list = sp_copy; ^^^^^^^^^^^^^^^^^^^^^^^^^^ /* go get schema */ result->objectclasses = vattr_map_entry_build_schema(type_name);
Comment on attachment 432185 [details] 0023-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11876&streamDefectId=12062&defectInstanceId=13925&fileInstanceId=49125 0023-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch Instead of PR_smprintf, please use slapi_ch_smprintf and get rid of this code (checking the return value from slapi_ch_smprintf) Comparing "type_to_add" to null implies that "type_to_add" might be null. 1640 if(!type_to_add) 1641 { 1642 ret = -1; 1643 } 1644
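An added example, not 389-ds code, for the allocator point raised in this comment and the previous one: with abort-on-failure allocators, the only NULL check that belongs in a constructor is on its input, and testing an allocation result on one path while dereferencing it unconditionally on another is exactly the "comparing X to null implies X might be null" inconsistency reported. The ch_calloc, ch_strdup, ch_smprintf and ch_free helpers below are assumptions modelled on the description of the slapi_ch_* family here, not the server's own functions; map_entry_t and the "vattr:<type>" label are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not 389-ds code. The ch_* helpers stand in for the
 * slapi_ch_* allocators the review comment describes: they abort the process
 * on allocation failure, so a NULL check on their result is dead code. */
static void *ch_calloc(size_t nmemb, size_t size)
{
    void *p = calloc(nmemb, size);
    if (p == NULL) {
        fprintf(stderr, "ch_calloc: out of memory, aborting\n");
        abort();                     /* never returns NULL */
    }
    return p;
}

static char *ch_strdup(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = ch_calloc(len, 1);
    memcpy(copy, s, len);
    return copy;
}

/* Formatting allocator in the spirit of slapi_ch_smprintf: measure, then
 * allocate through ch_calloc, so the result is never NULL either. */
static char *ch_smprintf(const char *fmt, ...)
{
    va_list ap, ap2;
    int n;
    char *buf;

    va_start(ap, fmt);
    va_copy(ap2, ap);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0) {
        fprintf(stderr, "ch_smprintf: bad format, aborting\n");
        abort();
    }
    buf = ch_calloc((size_t)n + 1, 1);
    vsnprintf(buf, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    return buf;
}

/* Frees *p and clears the caller's pointer; a NULL *p is a no-op, so callers
 * need no "if (p)" wrapper around it. */
static void ch_free(void **p)
{
    if (p != NULL && *p != NULL) {
        free(*p);
        *p = NULL;
    }
}

typedef struct map_entry {
    char *type_name;    /* copy of the caller's attribute type */
    char *label;        /* constructed "vattr:<type>" string */
} map_entry_t;

/* The only pointer that can legitimately be NULL here is the input, so that
 * is the only one checked. Everything produced by ch_* is dereferenced
 * directly; adding "if (!result)" after it would be the inconsistent
 * "implies might be NULL" pattern the analyzer flags. */
map_entry_t *map_entry_new(const char *type_name)
{
    map_entry_t *result;

    if (type_name == NULL) {
        return NULL;
    }
    result = ch_calloc(1, sizeof(*result));
    result->type_name = ch_strdup(type_name);
    result->label = ch_smprintf("vattr:%s", type_name);
    return result;
}

void map_entry_free(map_entry_t **ep)
{
    if (ep == NULL || *ep == NULL) {
        return;
    }
    ch_free((void **)&(*ep)->type_name);
    ch_free((void **)&(*ep)->label);
    ch_free((void **)ep);
}

int main(void)
{
    map_entry_t *e = map_entry_new("cn");
    printf("type_name=%s label=%s\n", e->type_name, e->label);
    map_entry_free(&e);
    printf("after free: %p\n", (void *)e);
    return 0;
}
```

Replacing PR_smprintf with an abort-on-failure formatter, as the comment requests, is what lets the `if(!type_to_add)` branch go away: once no NULL can come back, the check is unreachable and only confuses the analyzer about the pointer's state elsewhere.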
Comment on attachment 432170 [details] 0010-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11879&streamDefectId=12065&defectInstanceId=13928&fileInstanceId=49441 0010-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch It's not what coverity reported, but there is another error to bail? 1859 if ((old_dn = linked_attrs_get_dn(pb))) { At conditional (3): "linked_attrs_dn_is_config(old_dn)" taking the false branch. At conditional (4): "linked_attrs_dn_is_config(new_dn)" taking the false branch. 1860 if (linked_attrs_dn_is_config(old_dn) || linked_attrs_dn_is_config(new_dn)) 1861 linked_attrs_load_config(); 1862 } else { 1863 slapi_log_error(SLAPI_LOG_PLUGIN, LINK_PLUGIN_SUBSYSTEM, 1864 "linked_attrs_modrdn_post_op: Error " 1865 "retrieving dn\n"); ???? NEED TO SET LDAP_OPERATIONS_ERROR to rc and goto done??? 1866 }
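The bail-out this comment asks about, as an added example that is not the linkedattrs plugin's code: a post-op handler where a missing DN is logged at the error level (the same point raised for patches 0012 and 0013) and turned into LDAP_OPERATIONS_ERROR through a single done: exit, rather than logged and then carried on from. The event struct, the constant values, the log levels and the cn=config suffix are assumptions constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the linkedattrs plugin's code. The event struct, the
 * LDAP_* codes and the log levels are assumptions shaped like the snippet in
 * the review comment; "cn=config" as the config suffix is constructed. */
#define LDAP_SUCCESS          0
#define LDAP_OPERATIONS_ERROR 1

enum log_level { LOG_FATAL, LOG_PLUGIN };

typedef struct modrdn_event {
    const char *old_dn;      /* NULL models a failed DN lookup */
    const char *new_dn;
    int config_reloaded;     /* set when the handler reloads its config */
} modrdn_event_t;

static void log_error(enum log_level level, const char *msg)
{
    fprintf(stderr, "%s: %s\n", level == LOG_FATAL ? "FATAL" : "PLUGIN", msg);
}

/* True when dn ends with the constructed config suffix. */
static int dn_is_config(const char *dn)
{
    static const char suffix[] = "cn=config";
    size_t dlen, slen = sizeof(suffix) - 1;

    if (dn == NULL) {
        return 0;
    }
    dlen = strlen(dn);
    return dlen >= slen && strcmp(dn + dlen - slen, suffix) == 0;
}

/* Post-op handler: a missing old DN is an error return, so it is logged at
 * the level used for errors and converted to LDAP_OPERATIONS_ERROR through
 * the single "done" exit. Nothing after the check runs on that path. */
int modrdn_post_op(modrdn_event_t *ev)
{
    int rc = LDAP_SUCCESS;

    if (ev == NULL) {
        rc = LDAP_OPERATIONS_ERROR;
        goto done;
    }
    if (ev->old_dn == NULL) {
        log_error(LOG_FATAL, "modrdn_post_op: error retrieving dn");
        rc = LDAP_OPERATIONS_ERROR;
        goto done;
    }
    if (dn_is_config(ev->old_dn) || dn_is_config(ev->new_dn)) {
        ev->config_reloaded = 1;
        log_error(LOG_PLUGIN, "modrdn_post_op: config entry renamed, reloaded");
    }
done:
    return rc;
}

int main(void)
{
    modrdn_event_t renamed = { "cn=a,cn=config", "cn=b,cn=config", 0 };
    modrdn_event_t broken  = { NULL, "uid=y,dc=example", 0 };

    printf("config rename: rc=%d reloaded=%d\n",
           modrdn_post_op(&renamed), renamed.config_reloaded);
    printf("missing dn:    rc=%d reloaded=%d\n",
           modrdn_post_op(&broken), broken.config_reloaded);
    return 0;
}
```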
Comment on attachment 432171 [details] 0011-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11880&streamDefectId=12066&defectInstanceId=13929&fileInstanceId=49443
Comment on attachment 432177 [details] 0016-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11882&streamDefectId=12068&defectInstanceId=13931&fileInstanceId=49530
Comment on attachment 432173 [details] 0012-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11883&streamDefectId=12069&defectInstanceId=13932&fileInstanceId=49476 0012-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch If we do error return, we should log the cause of the problem as FATAL. static int _cl5PositionCursorForReplay (ReplicaId consumerRID, const RUV *consumerRuv, Object *replica, Object *fileObj, CL5ReplayIterator **iterator) { [...] /* there is a special case which can occur just after migration - in this case, the consumer RUV will contain the last state of the supplier before migration, but the supplier will have an empty changelog, or the supplier changelog will not contain any entries within the consumer min and max CSN - also, since the purge RUV contains no CSNs, the changelog has never been purged ASSUMPTIONS - it is assumed that the supplier had no pending changes to send to any consumers; that is, we can assume that no changes were lost due to either changelog purging or database reload - bug# 603061 - richm */ if ((rc == DB_NOTFOUND) && !ruv_has_csns(file->purgeRUV)) { /* use the supplier min csn for the buffer start csn - we know this csn is in our changelog */ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, "%s: CSN %s not found and no purging, probably a reinit\n", agmt_name, csnStr); if ((RUV_SUCCESS == ruv_get_min_csn(supplierRuv, &startCSN)) && startCSN) { /* must now free startCSN */ csn_as_string(startCSN, PR_FALSE, csnStr); slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, "%s: Will try to use supplier min CSN %s to load changelog\n", agmt_name, csnStr); rc = clcache_load_buffer (clcache, startCSN, DB_SET); } else { + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, + "%s: CSN %s not found and no purging, probably a reinit\n", + agmt_name, csnStr); + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, "%s: Could not get the min 
csn from the supplier RUV\n", agmt_name); + rc = CL5_RUV_ERROR; + goto done; } }
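Review bot: the first added `slapi_log_error(SLAPI_LOG_FATAL, ...)` in the `else` branch repeats the "CSN %s not found and no purging, probably a reinit" message that the unchanged code already emits at SLAPI_LOG_REPL just before the `if`, so the same event would be logged twice at two levels; keep only the new "Could not get the min csn from the supplier RUV" line together with `rc = CL5_RUV_ERROR; goto done;` for the error return.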
Comment on attachment 432174 [details] 0013-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11884&streamDefectId=12070&defectInstanceId=13933&fileInstanceId=49518 0013-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch Since it's an error return, we should log the message as FATAL. @@ -1515,7 +1515,12 @@ conn_push_schema(Repl_Connection *conn, CSN **remotecsn) Slapi_PBlock *spb = NULL; char localcsnstr[CSN_STRSIZE + 1] = {0}; - if (!conn_connected(conn)) + if (!remotecsn) + { + return_value = CONN_OPERATION_FAILED; + slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "NULL remote CSN\n"); ^^^^^^^^^^^^^^ <-- SLAPI_LOG_FATAL + } + else if (!conn_connected(conn))
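Review bot: the new `if (!remotecsn)` branch sets `return_value = CONN_OPERATION_FAILED` but logs the "NULL remote CSN" message at `SLAPI_LOG_REPL`; as the marker in the comment indicates, an error return should log at `SLAPI_LOG_FATAL` so the cause is visible where errors are looked for. Putting the check ahead of `conn_connected(conn)` via `else if` keeps the original ordering for the remaining branches, which is fine.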
Comment on attachment 432178 [details] 0017-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11885&streamDefectId=12071&defectInstanceId=13934&fileInstanceId=49503
Comment on attachment 432177 [details] 0016-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11886&streamDefectId=12072&defectInstanceId=13935&fileInstanceId=49530
Comment on attachment 432177 [details] 0016-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11887&streamDefectId=12073&defectInstanceId=13936&fileInstanceId=49530
Comment on attachment 432175 [details] 0014-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11889&streamDefectId=12075&defectInstanceId=13938&fileInstanceId=49524
Comment on attachment 432176 [details] 0015-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11890&streamDefectId=12076&defectInstanceId=13939&fileInstanceId=49526
Comment on attachment 432180 [details] 0018-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch https://bugzilla.redhat.com/show_bug.cgi?id=614511#c16
(In reply to comment #61) > Comment on attachment 432180 [details] > 0018-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch > > https://bugzilla.redhat.com/show_bug.cgi?id=614511#c16 wrong input... :p http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11891&streamDefectId=12077&defectInstanceId=13941&fileInstanceId=49509
Created attachment 439025 [details] 0001-Bug-614511-fix-coverity-Defect-Type-Null-pointer-der.patch 11856 Comment: If the aci "rule" does not include "($dn)", there is no pointer assigned to aci_macro and matched_val is NULL. In that case, acllas_replace_dn_macro is supposed to return just "user" itself regardless of [$dn].
Created attachment 439242 [details] 0002a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch The patch has been modified to remove NULL value checking before slapi_sdn_done().
Created attachment 439243 [details] 0008a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch The patch has been modified to use slapi_ch_free().
Created attachment 439244 [details] 0010a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch The patch has been modified to return an error when old_dn is NULL.
Created attachment 439246 [details] 0012a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch The patch has been modified to log messages as SLAPI_LOG_FATAL when returning an error.
Created attachment 439247 [details] 0013a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch The patch has been modified to log messages as SLAPI_LOG_FATAL when returning an error.
Created attachment 439249 [details] 0018a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch The patch has been fixed to work with the latest code.
Created attachment 439250 [details] 0019a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch The addlenstr() has been modified to handle NULL arguments.
Created attachment 439252 [details] 0022a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch The patch has been modified to check the NULL pointer before dereferencing pblock->pb_op.
Created attachment 439253 [details] 0023a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch The slapi_vattr_list_attrs() has been modified to return an error if either types or buffer_flags is NULL. The vattr_map_entry_new() has been modified not to check the return value of slapi_ch_calloc(). All occurrences of PR_smprintf() and PR_smprintf_free() have been replaced with slapi_ch_calloc() and slapi_ch_free().
Comment on attachment 439242 [details] 0002a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11857&streamDefectId=12043&defectInstanceId=13906&fileInstanceId=49271
Comment on attachment 439243 [details] 0008a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11873&streamDefectId=12059&defectInstanceId=13922&fileInstanceId=49383
Comment on attachment 439253 [details] 0023a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11876&streamDefectId=12062&defectInstanceId=13925&fileInstanceId=49125
Comment on attachment 439244 [details] 0010a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11879&streamDefectId=12065&defectInstanceId=13928&fileInstanceId=49441
Comment on attachment 439246 [details] 0012a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030&mergedDefectIds=11883#mergedDefectId=11883&streamDefectId=12069&defectInstanceId=13932&fileInstanceId=49476
Comment on attachment 439252 [details] 0022a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030&mergedDefectIds=11883#mergedDefectId=11849&streamDefectId=12035&defectInstanceId=13897&fileInstanceId=49058
Comment on attachment 439250 [details] 0019a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11851&streamDefectId=12037&defectInstanceId=13899&fileInstanceId=48964
Comment on attachment 439247 [details] 0013a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11884&streamDefectId=12070&defectInstanceId=13933&fileInstanceId=49518
Comment on attachment 439249 [details] 0018a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11891&streamDefectId=12077&defectInstanceId=13941&fileInstanceId=49509
On behalf of Endi (edewata), pushed to master.
$ git merge endi
Updating 2a40b4d..5d578b8
Fast-forward
 ldap/servers/plugins/acl/acl.c | 25 ++++++--
 ldap/servers/plugins/acl/acl_ext.c | 7 ++-
 ldap/servers/plugins/acl/aclgroup.c | 9 ++-
 ldap/servers/plugins/acl/acllas.c | 31 ++++++---
 ldap/servers/plugins/acl/acllist.c | 12 +++-
 ldap/servers/plugins/acl/aclplugin.c | 11 ++-
 ldap/servers/plugins/chainingdb/cb_instance.c | 55 +++++++++++----
 ldap/servers/plugins/cos/cos_cache.c | 9 +--
 ldap/servers/plugins/linkedattrs/linked_attrs.c | 14 +++-
 ldap/servers/plugins/memberof/memberof.c | 16 ++++-
 ldap/servers/plugins/replication/cl5_api.c | 13 +++-
 .../servers/plugins/replication/repl5_connection.c | 11 ++-
 ldap/servers/plugins/replication/repl5_protocol.c | 7 ++-
 ldap/servers/plugins/replication/repl5_replica.c | 9 ++-
 ldap/servers/plugins/replication/repl5_ruv.c | 24 +++----
 ldap/servers/plugins/replication/repl_extop.c | 2 +-
 ldap/servers/plugins/replication/repl_objset.c | 9 +--
 ldap/servers/slapd/dn.c | 14 +++-
 ldap/servers/slapd/filtercmp.c | 6 ++-
 ldap/servers/slapd/lenstr.c | 6 ++-
 ldap/servers/slapd/pblock.c | 69 ++++++++++++++-----
 ldap/servers/slapd/vattr.c | 40 ++++++------
 22 files changed, 270 insertions(+), 129 deletions(-)
$ git push
Counting objects: 189, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (156/156), done.
Writing objects: 100% (156/156), 16.89 KiB, done.
Total 156 (delta 128), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   2a40b4d..5d578b8  master -> master
Pushed to Directory_Server_8_2_Branch.
Counting objects: 29, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (21/21), done.
Writing objects: 100% (21/21), 4.23 KiB, done.
Total 21 (delta 15), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   1176d3f..975f86c  ds82-local -> Directory_Server_8_2_Branch
Verified the patch pushed to Directory_Server_8_2_Branch by Nathan in Comment 83. Note: this "verify" is NOT about all the patches attached to this bug. Also, this bug blocks DSIPA2.0. We have to change the status of this bug back to ON_QA or duplicate a bug for DSIPA2.0. Preparation: 1) Downloaded the SRC RPM file and installed it on the local host. http://download.devel.redhat.com/brewroot/packages/redhat-ds-base/8.2.3/2.el4dsrv/src/redhat-ds-base-8.2.3-2.el4dsrv.src.rpm 2) Checked out the source tree ds.git origin/Directory_Server_8_2_Branch Commit comment: commit 975f86cf41083b91709445c2d5af889cf5aa2e3b Author: Endi S. Dewata <edewata> Date: Mon Jul 12 23:18:20 2010 -0500 Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891 https://bugzilla.redhat.com/show_bug.cgi?id=614511 Resolves: bug 614511 Bug description: Fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891 description: Catch possible NULL pointer in slapi_dn_normalize_ext() and slapi_sdn_done(). Committed patch: $ git diff -r 4c35ffcf54d6f829c9bfe317308e301e99061acf 975f86cf41083b91709445c2d5af889cf5aa2e3b diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c index 0b74c4f..227a41e 100644 --- a/ldap/servers/slapd/dn.c +++ b/ldap/servers/slapd/dn.c @@ -1061,10 +1061,12 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char * *dest_len = d - *dest; bail: if (rc < 0) { - if (*dest != src) { - slapi_ch_free_string(dest); - } else { - *dest = NULL; + if (dest != NULL) { + if (*dest != src) { + slapi_ch_free_string(dest); + } else { + *dest = NULL; + } } *dest_len = 0; } else if (rc > 0) { 
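Review bot: in the `bail:` hunk of slapi_dn_normalize_ext the new `if (dest != NULL)` only wraps the free/reset of `*dest`, while the `*dest_len = 0;` that follows the block (and the `*dest_len = d - *dest;` just above `bail:`) still dereference `dest_len` unconditionally; if callers may legitimately pass a NULL `dest`, `dest_len` needs the same guard, or the function's contract should state that both output pointers must be supplied together.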
@@ -1981,6 +1983,10 @@ void slapi_sdn_done(Slapi_DN *sdn) { /* sdn_dump( sdn, "slapi_sdn_done"); */ + if(sdn==NULL) + { + return; + } if(sdn->dn!=NULL) { if(slapi_isbitset_uchar(sdn->flag,FLAG_DN)) Compare dn.c from SRC RPM with the one from git.ds -- MATCHED: # diff rpmbuild/SOURCES/redhat-ds-base-8.2.3/ldap/servers/slapd/dn.c /export/src/ds82/ldapserver/ldap/servers/slapd/dn.c #
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0003.html