From 3613dd9935511a8e469451214c4ec5735a01e28a Mon Sep 17 00:00:00 2001
From: Martin Schwenke
Date: Wed, 27 Jul 2016 11:45:49 +1000
Subject: [PATCH 01/10] ctdb-daemon: Fix CID 1364527/8/9: Null pointer dereferences (NULL_RETURNS)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12110
Signed-off-by: Martin Schwenke
Reviewed-by: Volker Lendecke
(cherry picked from commit ed81e51cc1633cecfef05b84c0595418db8a384b)
---
 ctdb/client/ctdb_client.c | 4 ++++
 ctdb/server/ctdb_daemon.c | 4 ++++
 ctdb/server/ctdbd.c | 4 ++++
 3 files changed, 12 insertions(+)
diff --git a/ctdb/client/ctdb_client.c b/ctdb/client/ctdb_client.c
index 7bffefe..906d418 100644
--- a/ctdb/client/ctdb_client.c
+++ b/ctdb/client/ctdb_client.c
@@ -4383,6 +4383,10 @@ int switch_from_server_to_client(struct ctdb_context *ctdb, const char *fmt, ...
 /* get a new event context */
 ctdb->ev = event_context_init(ctdb);
+ if (ctdb->ev == NULL) {
+ DEBUG(DEBUG_ALERT,("tevent_context_init() failed\n"));
+ exit(1);
+ }
 tevent_loop_allow_nesting(ctdb->ev);
 /* Connect to main CTDB daemon */
diff --git a/ctdb/server/ctdb_daemon.c b/ctdb/server/ctdb_daemon.c
index ac2db75..6d7edc2 100644
--- a/ctdb/server/ctdb_daemon.c
+++ b/ctdb/server/ctdb_daemon.c
@@ -1241,6 +1241,10 @@ int ctdb_start_daemon(struct ctdb_context *ctdb, bool do_fork)
 }
 ctdb->ev = event_context_init(NULL);
+ if (ctdb->ev == NULL) {
+ DEBUG(DEBUG_ALERT,("tevent_context_init() failed\n"));
+ exit(1);
+ }
 tevent_loop_allow_nesting(ctdb->ev);
 tevent_set_trace_callback(ctdb->ev, ctdb_tevent_trace, ctdb);
 ret = ctdb_init_tevent_logging(ctdb);
diff --git a/ctdb/server/ctdbd.c b/ctdb/server/ctdbd.c
index ec285c0..bb15ea3 100644
--- a/ctdb/server/ctdbd.c
+++ b/ctdb/server/ctdbd.c
@@ -164,6 +164,10 @@ int main(int argc, const char *argv[])
 fault_setup();
 ev = event_context_init(NULL);
+ if (ev == NULL) {
+ DEBUG(DEBUG_ALERT,("tevent_context_init() failed\n"));
+ exit(1);
+ }
 tevent_loop_allow_nesting(ev);
 ctdb = ctdb_cmdline_init(ev);
-- 
2.8.1
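Review bot: In the ctdb_client.c hunk of patch 01, `switch_from_server_to_client()` returns `int`, yet the new NULL check ends the process with `exit(1)` instead of reporting the failure to its caller; the ctdb_daemon.c hunk does the same in `ctdb_start_daemon()`. If the callers already act on a negative return (both function bodies continue outside the hunks, so this needs confirming), `return -1;` would keep the shutdown decision with the caller. The log text also names `tevent_context_init()` while the code calls `event_context_init()`, which makes the message harder to match to the source; `DEBUG(DEBUG_ALERT,("event_context_init() failed\n"));` would agree with the call. In ctdbd.c's `main()` the `exit(1)` is appropriate.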
From bf7e748c3d5019fd07425a946dfc5e7a38f5340d Mon Sep 17 00:00:00 2001
From: Martin Schwenke
Date: Wed, 27 Jul 2016 16:22:36 +1000
Subject: [PATCH 02/10] ctdb-common: Fix CID 1125553 Buffer not null terminated (BUFFER_SIZE_WARNING)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12110
Signed-off-by: Martin Schwenke
Reviewed-by: Amitay Isaacs
(cherry picked from commit 763f9c13f2998a8858e8a3ec013d166a3d429835)
---
 ctdb/common/system_linux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ctdb/common/system_linux.c b/ctdb/common/system_linux.c
index 9872070..f871a47 100644
--- a/ctdb/common/system_linux.c
+++ b/ctdb/common/system_linux.c
@@ -194,7 +194,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const char *iface)
 }
 DEBUG(DEBUG_DEBUG, (__location__ " Created SOCKET FD:%d for sending arp\n", s));
- strncpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name));
+ strlcpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name));
 if (ioctl(s, SIOCGIFINDEX, &ifr) < 0) {
 DEBUG(DEBUG_CRIT,(__location__ " interface '%s' not found\n", iface));
 close(s);
-- 
2.8.1
From c0250b4f6b2cebe06c820f67701b82a87e58ff11 Mon Sep 17 00:00:00 2001
From: Martin Schwenke
Date: Mon, 1 Aug 2016 15:03:56 +1000
Subject: [PATCH 03/10] ctdb-common: Consistently use strlcpy() on interface names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12110
Signed-off-by: Martin Schwenke
Reviewed-by: Amitay Isaacs
(cherry picked from commit aff33a59479cafcb1f24a07ff76383d47bb196b3)
---
 ctdb/common/system_linux.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ctdb/common/system_linux.c b/ctdb/common/system_linux.c
index f871a47..5995cb2 100644
--- a/ctdb/common/system_linux.c
+++ b/ctdb/common/system_linux.c
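Review bot: In patch 02's hunk, `strlcpy()` guarantees termination but truncates silently, and its return value is discarded, so an `iface` longer than `sizeof(ifr.ifr_name) - 1` is shortened and the `SIOCGIFINDEX` lookup that follows is made on a different name than the caller supplied. Checking the result closes that gap: `if (strlcpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name)) >= sizeof(ifr.ifr_name)) { close(s); return -1; }`, using whatever error value `ctdb_sys_send_arp()` already returns, since its body continues outside the hunk. The three `strlcpy()` calls introduced by patch 03 in the same file have the same unchecked truncation. In `ctdb_sys_check_iface_exists()` it could let the existence check answer for a shorter, different interface name.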
@@ -108,7 +108,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const char *iface)
 }
 /* get the mac address */
- strncpy(if_hwaddr.ifr_name, iface, sizeof(if_hwaddr.ifr_name)-1);
+ strlcpy(if_hwaddr.ifr_name, iface, sizeof(if_hwaddr.ifr_name));
 ret = ioctl(s, SIOCGIFHWADDR, &if_hwaddr);
 if ( ret < 0 ) {
 close(s);
@@ -202,7 +202,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const char *iface)
 }
 /* get the mac address */
- strncpy(if_hwaddr.ifr_name, iface, sizeof(if_hwaddr.ifr_name)-1);
+ strlcpy(if_hwaddr.ifr_name, iface, sizeof(if_hwaddr.ifr_name));
 ret = ioctl(s, SIOCGIFHWADDR, &if_hwaddr);
 if ( ret < 0 ) {
 close(s);
@@ -575,7 +575,7 @@ bool ctdb_sys_check_iface_exists(const char *iface)
 return true;
 }
- strncpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name)-1);
+ strlcpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name));
 if (ioctl(s, SIOCGIFINDEX, &ifr) < 0 && errno == ENODEV) {
 DEBUG(DEBUG_CRIT,(__location__ " interface '%s' not found\n", iface));
 close(s);
-- 
2.8.1
From abbc0a31df66a0274f7cc930f875969b4f499af4 Mon Sep 17 00:00:00 2001
From: Martin Schwenke
Date: Wed, 27 Jul 2016 17:43:34 +1000
Subject: [PATCH 04/10] ctdb-utils: Fix CID 1297451 Explicit null dereferenced (FORWARD_NULL)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12110
Signed-off-by: Martin Schwenke
Reviewed-by: Amitay Isaacs
(cherry picked from commit d46960f20e795cd4abc1c727705f77b2f0e0e564)
---
 ctdb/utils/ping_pong/ping_pong.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ctdb/utils/ping_pong/ping_pong.c b/ctdb/utils/ping_pong/ping_pong.c
index fdb575d..aec3ff0 100644
--- a/ctdb/utils/ping_pong/ping_pong.c
+++ b/ctdb/utils/ping_pong/ping_pong.c
@@ -141,7 +141,9 @@ static void ping_pong(int fd, int num_locks)
 val = (unsigned char *)calloc(num_locks+1, sizeof(unsigned char));
 if (val == NULL) {
 printf("calloc failed\n");
- munmap(p, num_locks+1);
+ if (use_mmap) {
+ munmap(p, num_locks+1);
+ }
 return;
 }
-- 
2.8.1
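Review bot: The new `if (use_mmap)` guard in patch 04's ping_pong.c hunk carries no comment saying why the unmap is conditional, and the reason is not visible in the hunk. Going by the Coverity finding named in the subject, `p` is presumably NULL whenever `use_mmap` is false; a one-line comment above the guard such as `/* p is only a mapping when use_mmap is set */` would record that. `ping_pong()` starts and ends outside the hunk, so whether its other exits apply the same guard cannot be checked from here.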
From ea093a38bd73a16d94f3aff8e1292120aec141f9 Mon Sep 17 00:00:00 2001
From: Martin Schwenke
Date: Thu, 28 Jul 2016 12:00:27 +1000
Subject: [PATCH 05/10] ctdb-daemon: Fix CID 1363233 Resource leak (RESOURCE_LEAK)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12110
Signed-off-by: Martin Schwenke
Reviewed-by: Amitay Isaacs
(cherry picked from commit 74aca5f4c671d9f15ae6c3a901978a1cf247dd6f)
---
 ctdb/server/ctdb_recover.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ctdb/server/ctdb_recover.c b/ctdb/server/ctdb_recover.c
index 23f793b..19a84d2 100644
--- a/ctdb/server/ctdb_recover.c
+++ b/ctdb/server/ctdb_recover.c
@@ -1008,6 +1008,7 @@ int32_t ctdb_control_try_delete_records(struct ctdb_context *ctdb, TDB_DATA inda
 if (data.dsize < sizeof(struct ctdb_ltdb_header)) {
 DEBUG(DEBUG_CRIT,(__location__ " bad ltdb record in indata\n"));
+ talloc_free(records);
 return -1;
 }
-- 
2.8.1
From 9bba266a2edc0a72cc27eda3ae7d871dbecd8100 Mon Sep 17 00:00:00 2001
From: Martin Schwenke
Date: Thu, 28 Jul 2016 12:06:23 +1000
Subject: [PATCH 06/10] ctdb-daemon: Fix CID 1363067 Resource leak (RESOURCE_LEAK)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12110
Signed-off-by: Martin Schwenke
Reviewed-by: Amitay Isaacs
(cherry picked from commit c6a7f680ce74d4a630fa9305d0a926cc1a4b3d2c)
---
 ctdb/server/ctdb_recover.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ctdb/server/ctdb_recover.c b/ctdb/server/ctdb_recover.c
index 19a84d2..1007f9c 100644
--- a/ctdb/server/ctdb_recover.c
+++ b/ctdb/server/ctdb_recover.c
@@ -1201,6 +1201,7 @@ int32_t ctdb_control_receive_records(struct ctdb_context *ctdb,
 if (data.dsize < sizeof(struct ctdb_ltdb_header)) {
 DEBUG(DEBUG_CRIT, (__location__ " bad ltdb record " "in indata\n"));
+ talloc_free(records);
 return -1;
 }
-- 
2.8.1
From 5d4a2533ca75b670fca4738bb3bf70b13dbe57b8 Mon Sep 17 00:00:00 2001
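Review bot: In patch 05's hunk the `talloc_free(records);` is added to one early `return -1` only, so the fix holds only if every other exit of `ctdb_control_try_delete_records()` frees `records` by hand as well. The function body continues outside the hunk, so any further returns between the allocation and the normal exit should be checked. Judging by the log text, the size test guards data taken from `indata`, which would make this a path that malformed input can reach repeatedly. A single exit label (`goto fail;` with `fail: talloc_free(records); return -1;`) would keep later error paths from reintroducing the leak. Patch 06's hunk in `ctdb_control_receive_records()` has the same shape and the same remark applies.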
From: Martin Schwenke
Date: Fri, 5 Aug 2016 16:37:00 +1000
Subject: [PATCH 07/10] ctdb-common: Fix CID 1125581 Dereference after null check (FORWARD_NULL)
This also fixes CID 1125582.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12110
Signed-off-by: Martin Schwenke
Reviewed-by: Amitay Isaacs
(cherry picked from commit 7ae3699831427725f12e0a26a0681e59f2fbb2d9)
---
 ctdb/common/rb_tree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ctdb/common/rb_tree.c b/ctdb/common/rb_tree.c
index 6b131bc..5a5c649 100644
--- a/ctdb/common/rb_tree.c
+++ b/ctdb/common/rb_tree.c
@@ -224,7 +224,7 @@ static inline void trbt_set_color_left(trbt_node_t *node, int color)
 }
 static inline void trbt_set_color_right(trbt_node_t *node, int color)
 {
- if ( ((node==NULL)||(node->right==NULL)) && (color==TRBT_BLACK) ) {
+ if (node == NULL || node->right == NULL) {
 return;
 }
 node->right->rb_color = color;
-- 
2.8.1
From 1f142710e82f96d399f490b4dc143aa47e2d213d Mon Sep 17 00:00:00 2001
From: Martin Schwenke
Date: Fri, 5 Aug 2016 16:38:45 +1000
Subject: [PATCH 08/10] ctdb-common: Fix CID 1125583 Dereference after null check (FORWARD_NULL)
This also fixes CID 1125584.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12110
Signed-off-by: Martin Schwenke
Reviewed-by: Amitay Isaacs
(cherry picked from commit bbf0b907cb04184515d0f5f09f14824df1c2e59f)
---
 ctdb/common/rb_tree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ctdb/common/rb_tree.c b/ctdb/common/rb_tree.c
index 5a5c649..d73a43e 100644
--- a/ctdb/common/rb_tree.c
+++ b/ctdb/common/rb_tree.c
@@ -217,7 +217,7 @@ static inline void trbt_set_color(trbt_node_t *node, int color)
 }
 static inline void trbt_set_color_left(trbt_node_t *node, int color)
 {
- if ( ((node==NULL)||(node->left==NULL)) && (color==TRBT_BLACK) ) {
+ if (node == NULL || node->left == NULL) {
 return;
 }
 node->left->rb_color = color;
-- 
2.8.1
From 3200b7c630306a3d8c1fb2bc0d9da818bf9cfdf1 Mon Sep 17 00:00:00 2001
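Review bot: With the `color==TRBT_BLACK` term removed in patch 07's hunk, `trbt_set_color_right()` now returns silently when asked to set any colour, including a non-black one, on a missing node or child. The old condition fell through to a NULL dereference in that case, so removing the crash is right. But a request to colour a NULL child non-black most likely means the caller's view of the tree is already wrong, and nothing records it now. Consider reporting that case before the `return`, for example `if (color != TRBT_BLACK) { DEBUG(DEBUG_ERR, (__location__ " colour set on NULL node\n")); }`, provided `DEBUG` is usable in rb_tree.c, which is not visible here. The same applies to `trbt_set_color_left()` in patch 08 and `trbt_set_color()` in patch 09.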
From: Martin Schwenke
Date: Fri, 5 Aug 2016 16:39:50 +1000
Subject: [PATCH 09/10] ctdb-common: Fix CID 1125585 Dereference after null check (FORWARD_NULL)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12110
Signed-off-by: Martin Schwenke
Reviewed-by: Amitay Isaacs
(cherry picked from commit b4f23a7e95cd9c8fc4a6324d4ec5a2881eaec207)
---
 ctdb/common/rb_tree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ctdb/common/rb_tree.c b/ctdb/common/rb_tree.c
index d73a43e..18418f3 100644
--- a/ctdb/common/rb_tree.c
+++ b/ctdb/common/rb_tree.c
@@ -210,7 +210,7 @@ static inline int trbt_get_color_right(trbt_node_t *node)
 /* setting a NULL node to black is a nop */
 static inline void trbt_set_color(trbt_node_t *node, int color)
 {
- if ( (node==NULL) && (color==TRBT_BLACK) ) {
+ if (node == NULL) {
 return;
 }
 node->rb_color = color;
-- 
2.8.1
From f8f77de2447f05a0d2cb276bc11b1be51218bc42 Mon Sep 17 00:00:00 2001
From: Martin Schwenke
Date: Fri, 5 Aug 2016 16:50:58 +1000
Subject: [PATCH 10/10] ctdb-daemon: Fix CID 1125627 Resource leak (RESOURCE_LEAK)
Also fixes CID 1125628.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12110
Signed-off-by: Martin Schwenke
Reviewed-by: Amitay Isaacs
(cherry picked from commit 940272d215049f5f5079aa926e69eae1985a4bfa)
---
 ctdb/server/ctdb_logging.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/ctdb/server/ctdb_logging.c b/ctdb/server/ctdb_logging.c
index 129bdc9..a72d8bf 100644
--- a/ctdb/server/ctdb_logging.c
+++ b/ctdb/server/ctdb_logging.c
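Review bot: The comment kept as context above `trbt_set_color()` in patch 09's hunk, `/* setting a NULL node to black is a nop */`, no longer describes the function, because after the change any colour on a NULL node is a nop. It should be updated to something like `/* setting the colour of a NULL node is a nop, whatever the colour */`. The comment is a context line rather than part of the change, so this would be an additional edit in the same place.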
@@ -269,9 +269,14 @@ int ctdb_set_child_logging(struct ctdb_context *ctdb)
 /* We'll fail if stderr/stdout not already open; it's simpler. */
 old_stdout = dup(STDOUT_FILENO);
+ if (old_stdout < 0) {
+ DEBUG(DEBUG_ERR, ("Failed to dup stdout for child logging\n"));
+ return -1;
+ }
 old_stderr = dup(STDERR_FILENO);
- if (old_stdout < 0 || old_stderr < 0) {
- DEBUG(DEBUG_ERR, ("Failed to dup stdout/stderr for child logging\n"));
+ if (old_stderr < 0) {
+ DEBUG(DEBUG_ERR, ("Failed to dup stderr for child logging\n"));
+ close(old_stdout);
 return -1;
 }
 if (dup2(p[1], STDOUT_FILENO) < 0 || dup2(p[1], STDERR_FILENO) < 0) {
-- 
2.8.1
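Review bot: Both new `return -1` paths in patch 10's hunk leave without closing `p[0]` and `p[1]`, the pipe that the `dup2(p[1], ...)` line right below uses. If the pipe is created before these `dup()` calls (the start of `ctdb_set_child_logging()` is outside the hunk), the descriptor leak this patch fixes for `old_stdout` still exists for the pipe. Adding `close(p[0]); close(p[1]);` before each `return -1;` would cover it. The two messages would also be more useful with `strerror(errno)` appended, to tell a closed stdout/stderr from descriptor exhaustion.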