Bug 698152 - Coverity scan issues
Summary: Coverity scan issues
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: busybox
Version: 5.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Denys Vlasenko
QA Contact: qe-baseos-daemons
Reported: 2011-04-20 10:23 UTC by Michal Luscon
Modified: 2011-06-15 17:56 UTC

Doc Type: Bug Fix
Last Closed: 2011-06-15 17:56:46 UTC

Description Michal Luscon 2011-04-20 10:23:17 UTC
Description of problem:

Please check suspicious code in file /shell/hush.c.
line 5475: assigning to variable p return value of function strchr, which may be NULL.
line 5545: dereferencing potentially NULL variable p.

Version-Release number of selected component (if applicable):

1.2.0

Additional info: This defect was not present in the current supported version of
the busybox package.

Comment 2 RHEL Program Management 2011-05-31 15:49:24 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 3 Denys Vlasenko 2011-06-15 17:56:46 UTC
(In reply to comment #0)
> Description of problem:
> 
> Please check suspicious code in file /shell/hush.c.
> line 5475: assigning to variable p return value of function strchr, which may
> be NULL.
> line 5545: dereferencing potentially NULL variable p.

The code in question is:

        while ((p = strchr(arg, SPECIAL_VAR_SYMBOL)) != NULL) {
                char first_ch;
                char *to_be_freed = NULL;
                const char *val = NULL;
#if defined CONFIG_HUSH_TICK
                o_string subst_result = NULL_O_STRING;
#endif
#if defined CONFIG_SH_MATH_SUPPORT
                char arith_buf[sizeof(arith_t)*3 + 2];
#endif
                o_addblock(output, arg, p - arg);
                debug_print_list("expand_vars_to_list[1]", output, n);
                arg = ++p;
                p = strchr(p, SPECIAL_VAR_SYMBOL);
...
...
...
                arg = ++p;
        } /* end of "while (SPECIAL_VAR_SYMBOL is found) ..." */

Here we process a "compiled" representation of a string, where every $var reference is encoded as <SPECIAL_VAR_SYMBOL>var<SPECIAL_VAR_SYMBOL>. IOW: SPECIAL_VAR_SYMBOL's always appear in pairs here.

This is not a bug.
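
The paired-marker argument in comment 3 rests on an invariant that a static analyzer cannot see from the loop alone. As an added example (not busybox code and not part of the original comments), the C function below walks the same <marker>name<marker> encoding and checks the second strchr result, so a string with an unpaired marker is rejected instead of dereferenced. The marker value and the names `lookup`, `put` and `expand_paired` are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed marker byte for this example; the page does not give its value. */
#define SPECIAL_VAR_SYMBOL '\x03'

/* Hypothetical lookup standing in for the shell's variable table. */
static const char *lookup(const char *name, size_t len)
{
    if (len == 4 && memcmp(name, "HOME", 4) == 0) return "/root";
    if (len == 4 && memcmp(name, "USER", 4) == 0) return "root";
    return "";
}

/* Append n bytes to out[cap] at *used; returns -1 if they would not fit. */
static int put(char *out, size_t cap, size_t *used, const char *s, size_t n)
{
    if (n >= cap - *used) return -1;   /* keep one byte for the terminator */
    memcpy(out + *used, s, n);
    *used += n;
    out[*used] = '\0';
    return 0;
}

/*
 * Expand <SYM>name<SYM> references in arg into out.
 * Returns 0 on success, -1 if a marker has no partner (the case the
 * scanner reported) or if the output buffer is too small.
 */
int expand_paired(const char *arg, char *out, size_t cap)
{
    size_t used = 0;
    const char *p, *val;

    if (cap == 0) return -1;
    out[0] = '\0';
    while ((p = strchr(arg, SPECIAL_VAR_SYMBOL)) != NULL) {
        if (put(out, cap, &used, arg, (size_t)(p - arg)) < 0) return -1;
        arg = ++p;                          /* start of the variable name */
        p = strchr(p, SPECIAL_VAR_SYMBOL);  /* closing marker of the pair */
        if (p == NULL) return -1;           /* invariant broken: fail closed */
        val = lookup(arg, (size_t)(p - arg));
        if (put(out, cap, &used, val, strlen(val)) < 0) return -1;
        arg = ++p;                          /* continue after the pair */
    }
    return put(out, cap, &used, arg, strlen(arg));
}
```

With the explicit check in place, the pairing guarantee no longer depends on every producer of the encoded string being correct, and the analyzer can prove the later dereference safe.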

