704564 – Possible problems found by static analysis of code

Bug 704564 - Possible problems found by static analysis of code

Summary: Possible problems found by static analysis of code

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	symlinks
Sub Component:
Version:	15
Hardware:	All
OS:	All
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Tim Waugh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-05-13 15:37 UTC by Jiri Popelka
Modified:	2011-05-20 15:01 UTC (History)
CC List:	1 user (show)
Fixed In Version:	symlinks-1.4-4.fc15
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-05-20 15:01:29 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
readlink (496 bytes, patch) 2011-05-13 15:39 UTC, Jiri Popelka	no flags	Details \| Diff
overrun_dynamic (473 bytes, patch) 2011-05-13 15:40 UTC, Jiri Popelka	no flags	Details \| Diff
View All

Description Jiri Popelka 2011-05-13 15:37:33 UTC

Description of problem:
Static analysis of the code with/without applied patches discovered
some possible problems in the code.


Version-Release number of selected component (if applicable):
symlinks-1.4-3.fc15

Comment 1 Jiri Popelka 2011-05-13 15:39:39 UTC

Created attachment 498791 [details]
readlink

Error: READLINK:
symlinks-1.4/symlinks.c:163: readlink_call: Passing size argument "sizeof (lpath) /*4096*/" implies readlink() can return up to "sizeof (lpath) /*4096*/" bytes.
symlinks-1.4/symlinks.c:163: readlink_assign: Assigning: "c" = readlink().
symlinks-1.4/symlinks.c:167: readlink: "lpath[c]" is essentially buffer[sizeof(buffer)] which is an off-by-one error.

Comment 2 Jiri Popelka 2011-05-13 15:40:36 UTC

Created attachment 498792 [details]
overrun_dynamic

Error: OVERRUN_DYNAMIC:
symlinks-1.4/symlinks.c:47: buffer_alloc: Calling allocating function "malloc" which allocated memory dictated by argument "strlen(s)".
symlinks-1.4/symlinks.c:47: var_assign: Assigning: "tmp" = "malloc(strlen(s))".
symlinks-1.4/symlinks.c:58: strcpy_overrun: strcpy, whose first argument "tmp" has length equal to strlen of its second argument "s", will overrun its first argument because of the terminating null.

Error: SIZECHECK:
symlinks-1.4/symlinks.c:47: size_is_strlen: Calling allocating function "malloc" with function argument "strlen(s)". Did you intend to add 1 to the byte count?

Note You need to log in before you can comment on or make changes to this bug.