Various Coverity issues found in http1 adaptor #256
Comments
kgiusti
added a commit
to kgiusti/skupper-router
that referenced
this issue
Aug 4, 2022
kgiusti
added a commit
to kgiusti/skupper-router
that referenced
this issue
Aug 8, 2022
kgiusti
added a commit
to kgiusti/skupper-router
that referenced
this issue
Aug 8, 2022
kgiusti
added a commit
that referenced
this issue
Aug 8, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
http1_codec.c:
1029 // invariant:
CID 390253: Macro compares unsigned to 0 (NO_EFFECT) [select issue]
CID 390252 (#1 of 1): Operands don't affect result (CONSTANT_EXPRESSION_RESULT)result_independent_of_operands: body_ptr->remaining >= 0 is always true regardless of the values of its operands. This occurs as the logical first operand of ?:.
1030 assert(body_ptr->remaining >= 0);
1035 if (flush && body_ptr->remaining) {
1036 // need to copy out remaining body octets into new buffer
1037 qd_buffer_t *tail = qd_buffer();
1038
33. Condition body_ptr->remaining <= qd_buffer_capacity(tail), taking true branch.
34. Falling through to end of if statement.
1039 assert(body_ptr->remaining <= qd_buffer_capacity(tail));
CID 390265 (#1 of 1): Explicit null dereferenced (FORWARD_NULL)35. var_deref_model: Passing null pointer body_ptr->cursor to memcpy, which dereferences it.
1040 memcpy(qd_buffer_cursor(tail), body_ptr->cursor, body_ptr->remaining);
1041 qd_buffer_insert(tail, body_ptr->remaining);
1042 DEQ_INSERT_TAIL(blist, tail);
1043 octets += body_ptr->remaining;
1044 *body_ptr = *rptr;
1045 body_ptr->remaining = 0;
1046 }
http1_server.c:
1352 if (!method_iter) {
1353 return PN_REJECTED;
1354 }
1355
6. alloc_fn: Storage is returned from allocation function qd_iterator_copy. [show details]
7. var_assign: Assigning: method_str = storage returned from qd_iterator_copy(method_iter).
1356 method_str = (char*) qd_iterator_copy(method_iter);
1357 qd_iterator_free(method_iter);
8. Condition !method_str, taking false branch.
9. Condition *method_str == 0, taking true branch.
1358 if (!method_str || *method_str == 0) {
CID 379179 (#1 of 1): Resource leak (RESOURCE_LEAK)10. leaked_storage: Variable method_str going out of scope leaks the storage it points to.
1359 return PN_REJECTED;
1360 }
690 if (!hconn->qdr_conn) {
691 qd_log(log, QD_LOG_DEBUG, "[C%"PRIu64"] HTTP/1.x server connection closed", hconn->conn_id);
692 qdr_http1_connection_free(hconn);
693
694 } else {
CID 379186 (#2-3 of 3): Use after free (USE_AFTER_FREE)16. double_free: Calling _process_request frees pointer hconn->requests.head which has already been freed.
695 bool need_close = _process_request((_server_request_t*) DEQ_HEAD(hconn->requests));
696 if (need_close) {
697 qd_log(log, QD_LOG_DEBUG, "[C%"PRIu64"] HTTP Request requires connection close", hconn->conn_id);
698 qdr_http1_close_connection(hconn, 0);
699 }
700 }
701}
http1_common.c:
678 //
cond_notnull: Condition host, taking true branch. Now the value of host is not NULL.
679 if (!host)
680 return;
681
682 qdr_http_request_info_t* record = _new_qdr_http_request_info_t();
683 record->ingress = ingress;
684 record->address = address ? qd_strdup(address) : 0;
notnull: At condition host, the value of host cannot be NULL.
dead_error_condition: The condition host must be true.
CID 379181 (#1 of 1): Logically dead code (DEADCODE)dead_error_line: Execution cannot reach the expression NULL inside this statement: record->host = (host ? qd_s....
685 record->host = host ? qd_strdup(host) : 0;
686 record->site = remote_site ? qd_strdup(remote_site) : 0;
687 record->key = _record_key(record->host, record->address, remote_site, record->ingress);
688 record->requests = 1;
The text was updated successfully, but these errors were encountered: