Tarantool development patches archive
 help / color / mirror / Atom feed
* [Tarantool-patches] Fwd: New Defects reported by Coverity Scan for tarantool/tarantool
@ 2020-10-05 13:18 Cyrill Gorcunov
  0 siblings, 0 replies; only message in thread
From: Cyrill Gorcunov @ 2020-10-05 13:18 UTC (permalink / raw)
  To: TML

Hi! Here is a report for latest master 2.6.0-136-g2711797be worth to take
a look and fix/triage.

----- Forwarded message from scan-admin@coverity.com -----

> Please find the latest report on new defect(s) introduced to tarantool/tarantool found with Coverity Scan.
> 
> 150 new defect(s) introduced to tarantool/tarantool found with Coverity Scan.
> 40 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
> 
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 150 defect(s)
> 
> 
> ** CID 1497676:    (FORWARD_NULL)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497676:    (FORWARD_NULL)
> /projects/tarantool/tarantool.git/src/box/sql/legacy.c: 160 in sql_exec()
> 154     		azCols = 0;
> 155     	}
> 156     
> 157      exec_out:
> 158     	if (pStmt)
> 159     		sqlVdbeFinalize((Vdbe *) pStmt);
> >>>     CID 1497676:    (FORWARD_NULL)
> >>>     Passing null pointer "azCols" to "sqlDbFree", which dereferences it.
> 160     	sqlDbFree(db, azCols);
> 161     
> 162     	assert(rc == 0);
> 163     	return rc;
> /projects/tarantool/tarantool.git/src/box/sql/legacy.c: 160 in sql_exec()
> 154     		azCols = 0;
> 155     	}
> 156     
> 157      exec_out:
> 158     	if (pStmt)
> 159     		sqlVdbeFinalize((Vdbe *) pStmt);
> >>>     CID 1497676:    (FORWARD_NULL)
> >>>     Passing null pointer "azCols" to "sqlDbFree", which dereferences it.
> 160     	sqlDbFree(db, azCols);
> 161     
> 162     	assert(rc == 0);
> 163     	return rc;
> /projects/tarantool/tarantool.git/src/box/sql/legacy.c: 160 in sql_exec()
> 154     		azCols = 0;
> 155     	}
> 156     
> 157      exec_out:
> 158     	if (pStmt)
> 159     		sqlVdbeFinalize((Vdbe *) pStmt);
> >>>     CID 1497676:    (FORWARD_NULL)
> >>>     Passing null pointer "azCols" to "sqlDbFree", which dereferences it.
> 160     	sqlDbFree(db, azCols);
> 161     
> 162     	assert(rc == 0);
> 163     	return rc;
> /projects/tarantool/tarantool.git/src/box/sql/legacy.c: 153 in sql_exec()
> 147     				while (sqlIsspace(zSql[0]))
> 148     					zSql++;
> 149     				break;
> 150     			}
> 151     		}
> 152     
> >>>     CID 1497676:    (FORWARD_NULL)
> >>>     Passing null pointer "azCols" to "sqlDbFree", which dereferences it.
> 153     		sqlDbFree(db, azCols);
> 154     		azCols = 0;
> 155     	}
> 156     
> 157      exec_out:
> 158     	if (pStmt)
> 
> ** CID 1497675:  Security best practices violations  (TOCTOU)
> /projects/tarantool/tarantool.git/src/box/func.c: 291 in module_load()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497675:  Security best practices violations  (TOCTOU)
> /projects/tarantool/tarantool.git/src/box/func.c: 291 in module_load()
> 285     	if (rc < 0 || (size_t) rc >= sizeof(dir_name)) {
> 286     		diag_set(SystemError, "failed to generate path to DSO");
> 287     		goto error;
> 288     	}
> 289     
> 290     	struct stat st;
> >>>     CID 1497675:  Security best practices violations  (TOCTOU)
> >>>     Calling function "stat" to perform check on "path".
> 291     	if (stat(path, &st) < 0) {
> 292     		diag_set(SystemError, "failed to stat() module %s", path);
> 293     		goto error;
> 294     	}
> 295     
> 296     	int source_fd = open(path, O_RDONLY);
> 
> ** CID 1497674:  Resource leaks  (RESOURCE_LEAK)
> /projects/tarantool/tarantool.git/src/box/vinyl.c: 4034 in vy_build_recover_stmt()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497674:  Resource leaks  (RESOURCE_LEAK)
> /projects/tarantool/tarantool.git/src/box/vinyl.c: 4034 in vy_build_recover_stmt()
> 4028     		if (insert == NULL)
> 4029     			return -1;
> 4030     	} else if (type == IPROTO_UPSERT) {
> 4031     		struct tuple *new_tuple = vy_apply_upsert(mem_stmt, old_tuple,
> 4032     							  pk->cmp_def, true);
> 4033     		if (new_tuple == NULL)
> >>>     CID 1497674:  Resource leaks  (RESOURCE_LEAK)
> >>>     Variable "delete" going out of scope leaks the storage it points to.
> 4034     			return -1;
> 4035     		uint32_t data_len;
> 4036     		const char *data = tuple_data_range(new_tuple, &data_len);
> 4037     		insert = vy_stmt_new_insert(lsm->mem_format,
> 4038     					    data, data + data_len);
> 4039     		tuple_unref(new_tuple);
> 
> ** CID 1497673:  Error handling issues  (CHECKED_RETURN)
> /projects/tarantool/tarantool.git/test/unit/ratelimit.c: 70 in main()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497673:  Error handling issues  (CHECKED_RETURN)
> /projects/tarantool/tarantool.git/test/unit/ratelimit.c: 70 in main()
> 64     	for (int i = 0; i < count; i++) {
> 65     		if (ratelimit_check(&rl, now, &suppressed))
> 66     			emitted++;
> 67     		now += interval_count * interval / count;
> 68     	}
> 69     	now += interval;
> >>>     CID 1497673:  Error handling issues  (CHECKED_RETURN)
> >>>     Calling "ratelimit_check" without checking return value (as is done elsewhere 9 out of 10 times).
> 70     	ratelimit_check(&rl, now, &suppressed);
> 71     	check(interval_count * burst, count - interval_count * burst);
> 72     
> 73     	check_plan();
> 74     	footer();
> 75     
> 76     	return 0;
> 
> ** CID 1497672:  Error handling issues  (CHECKED_RETURN)
> /projects/tarantool/tarantool.git/src/box/key_def.c: 212 in key_def_set_part_path()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497672:  Error handling issues  (CHECKED_RETURN)
> /projects/tarantool/tarantool.git/src/box/key_def.c: 212 in key_def_set_part_path()
> 206     
> 207     	/* Skip JSON_TOKEN_ANY token. */
> 208     	struct json_lexer lexer;
> 209     	struct json_token token;
> 210     	json_lexer_create(&lexer, path + multikey_path_len,
> 211     			  path_len - multikey_path_len, TUPLE_INDEX_BASE);
> >>>     CID 1497672:  Error handling issues  (CHECKED_RETURN)
> >>>     Calling "json_lexer_next_token" without checking return value (as is done elsewhere 41 out of 48 times).
> 212     	json_lexer_next_token(&lexer, &token);
> 213     	assert(token.type == JSON_TOKEN_ANY);
> 214     
> 215     	/* The rest of JSON path couldn't be multikey. */
> 216     	int multikey_path_suffix_len =
> 217     		path_len - multikey_path_len - lexer.offset;
> 
> ** CID 1497671:  Memory - illegal accesses  (OVERRUN)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497671:  Memory - illegal accesses  (OVERRUN)
> /third_party/luajit/src/lj_api.c: 529 in lua_hashstring()
> 523     {
> 524       TValue *o = index2adr(L, idx);
> 525       lua_assert(tvisstr(o));
> 526       GCstr *s = strV(o);
> 527       if (! strsmart(s))
> 528         return s->hash;
> >>>     CID 1497671:  Memory - illegal accesses  (OVERRUN)
> >>>     Overrunning array of 16 bytes at byte offset 16 by dereferencing pointer "(char const *)(s + 1)".
> 529       return lua_hash(strdata(s), s->len);
> 530     }
> 531     
> 532     LUALIB_API const char *luaL_checklstring(lua_State *L, int idx, size_t *len)
> 533     {
> 534       TValue *o = index2adr(L, idx);
> 
> ** CID 1497670:  Resource leaks  (RESOURCE_LEAK)
> /projects/tarantool/tarantool.git/src/box/sql/select.c: 2342 in sql_multiselect_orderby_to_key_info()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497670:  Resource leaks  (RESOURCE_LEAK)
> /projects/tarantool/tarantool.git/src/box/sql/select.c: 2342 in sql_multiselect_orderby_to_key_info()
> 2336     		uint32_t id;
> 2337     		bool unused;
> 2338     		if ((term->flags & EP_Collate) != 0) {
> 2339     			struct coll *unused_coll;
> 2340     			if (sql_expr_coll(parse, term, &unused, &id,
> 2341     					  &unused_coll) != 0)
> >>>     CID 1497670:  Resource leaks  (RESOURCE_LEAK)
> >>>     Variable "key_info" going out of scope leaks the storage it points to.
> 2342     				return 0;
> 2343     		} else {
> 2344     			id = multi_select_coll_seq(parse, s,
> 2345     						   item->u.x.iOrderByCol - 1);
> 2346     			if (id != COLL_NONE) {
> 2347     				const char *name = coll_by_id(id)->name;
> 
> ** CID 1497669:    (CONSTANT_EXPRESSION_RESULT)
> /projects/tarantool/tarantool.git/src/box/sql/vdbe.c: 4323 in sqlVdbeExec()
> /projects/tarantool/tarantool.git/src/box/sql/vdbe.c: 4326 in sqlVdbeExec()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497669:    (CONSTANT_EXPRESSION_RESULT)
> /projects/tarantool/tarantool.git/src/box/sql/vdbe.c: 4323 in sqlVdbeExec()
> 4317     	assert(pOp->opcode!=OP_NextIfOpen || pOp->p4.xAdvance == sqlCursorNext);
> 4318     	assert(pOp->opcode!=OP_PrevIfOpen || pOp->p4.xAdvance == sqlCursorPrevious);
> 4319     
> 4320     	/* The Next opcode is only used after SeekGT, SeekGE, and Rewind.
> 4321     	 * The Prev opcode is only used after SeekLT, SeekLE, and Last.
> 4322     	 */
> >>>     CID 1497669:    (CONSTANT_EXPRESSION_RESULT)
> >>>     The "or" condition "pOp->opcode != 8 || pOp->opcode != 3 || pC->seekOp == 40 || pC->seekOp == 39 || pC->seekOp == 48 || pC->seekOp == 43" will always be true because "pOp->opcode" cannot be equal to two different values at the same time, so it must be not equal to at least one of them.
> 4323     	assert(pOp->opcode!=OP_Next || pOp->opcode!=OP_NextIfOpen
> 4324     	       || pC->seekOp==OP_SeekGT || pC->seekOp==OP_SeekGE
> 4325     	       || pC->seekOp==OP_Rewind || pC->seekOp==OP_Found);
> 4326     	assert(pOp->opcode!=OP_Prev || pOp->opcode!=OP_PrevIfOpen
> 4327     	       || pC->seekOp==OP_SeekLT || pC->seekOp==OP_SeekLE
> 4328     	       || pC->seekOp==OP_Last);
> /projects/tarantool/tarantool.git/src/box/sql/vdbe.c: 4326 in sqlVdbeExec()
> 4320     	/* The Next opcode is only used after SeekGT, SeekGE, and Rewind.
> 4321     	 * The Prev opcode is only used after SeekLT, SeekLE, and Last.
> 4322     	 */
> 4323     	assert(pOp->opcode!=OP_Next || pOp->opcode!=OP_NextIfOpen
> 4324     	       || pC->seekOp==OP_SeekGT || pC->seekOp==OP_SeekGE
> 4325     	       || pC->seekOp==OP_Rewind || pC->seekOp==OP_Found);
> >>>     CID 1497669:    (CONSTANT_EXPRESSION_RESULT)
> >>>     The "or" condition "pOp->opcode != 4 || pOp->opcode != 2 || pC->seekOp == 37 || pC->seekOp == 38 || pC->seekOp == 44" will always be true because "pOp->opcode" cannot be equal to two different values at the same time, so it must be not equal to at least one of them.
> 4326     	assert(pOp->opcode!=OP_Prev || pOp->opcode!=OP_PrevIfOpen
> 4327     	       || pC->seekOp==OP_SeekLT || pC->seekOp==OP_SeekLE
> 4328     	       || pC->seekOp==OP_Last);
> 4329     
> 4330     	if (pOp->p4.xAdvance(pC->uc.pCursor, &res) != 0)
> 4331     		goto abort_due_to_error;
> 
> ** CID 1497668:  API usage errors  (PRINTF_ARGS)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497668:  API usage errors  (PRINTF_ARGS)
> /projects/tarantool/tarantool.git/src/box/memtx_rtree.c: 402 in memtx_rtree_index_new()
> 396     	assert(def->key_def->part_count == 1);
> 397     	assert(def->key_def->parts[0].type == FIELD_TYPE_ARRAY);
> 398     	assert(def->opts.is_unique == false);
> 399     
> 400     	if (def->opts.dimension < 1 ||
> 401     	    def->opts.dimension > RTREE_MAX_DIMENSION) {
> >>>     CID 1497668:  API usage errors  (PRINTF_ARGS)
> >>>     Argument "def->opts.dimension" to format specifier "%lld" was expected to have type "long long" but has type "long".
> 402     		diag_set(UnsupportedIndexFeature, def,
> 403     			 tt_sprintf("dimension (%lld): must belong to "
> 404     				    "range [%u, %u]", def->opts.dimension,
> 405     				    1, RTREE_MAX_DIMENSION));
> 406     		return NULL;
> 407     	}
> 
> ** CID 1497667:  API usage errors  (PRINTF_ARGS)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497667:  API usage errors  (PRINTF_ARGS)
> /projects/tarantool/tarantool.git/extra/lemon.c: 2661 in parseonetoken()
> 2655             }
> 2656           }
> 2657           break;
> 2658         case WAITING_FOR_CLASS_ID:
> 2659           if( !ISLOWER(x[0]) ){
> 2660             ErrorMsg(psp->filename, psp->tokenlineno,
> >>>     CID 1497667:  API usage errors  (PRINTF_ARGS)
> >>>     This argument was not used by the format string: "x".
> 2661               "%%token_class must be followed by an identifier: ", x);
> 2662             psp->errorcnt++;
> 2663             psp->state = RESYNC_AFTER_DECL_ERROR;
> 2664          }else if( Symbol_find(x) ){
> 2665             ErrorMsg(psp->filename, psp->tokenlineno,
> 2666               "Symbol \"%s\" already used", x);
> 
> ** CID 1497666:  Integer handling issues  (BAD_SHIFT)
> /projects/tarantool/tarantool.git/src/box/iproto_constants.h: 174 in iproto_dml_body_has_key()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497666:  Integer handling issues  (BAD_SHIFT)
> /projects/tarantool/tarantool.git/src/box/iproto_constants.h: 174 in iproto_dml_body_has_key()
> 168     }
> 169     
> 170     static inline bool
> 171     iproto_dml_body_has_key(const char *pos, const char *end)
> 172     {
> 173     	unsigned char key = pos < end ? *pos : (unsigned char) IPROTO_KEY_MAX;
> >>>     CID 1497666:  Integer handling issues  (BAD_SHIFT)
> >>>     In expression "1ULL << key", left shifting by more than 63 bits has undefined behavior.  The shift amount, "key", is as much as 82.
> 174     	return key < IPROTO_KEY_MAX && IPROTO_DML_BODY_BMAP & (1ULL<<key);
> 175     }
> 176     
> 177     #undef bit
> 178     
> 179     static inline uint64_t
> 
> ** CID 1497665:  Resource leaks  (RESOURCE_LEAK)
> /projects/tarantool/tarantool.git/src/box/vy_lsm.c: 1217 in vy_lsm_split_range()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497665:  Resource leaks  (RESOURCE_LEAK)
> /projects/tarantool/tarantool.git/src/box/vy_lsm.c: 1217 in vy_lsm_split_range()
> 1211     		 vy_range_str(range), tuple_str(split_key.stmt));
> 1212     
> 1213     	rlist_foreach_entry(slice, &range->slices, in_range)
> 1214     		vy_slice_wait_pinned(slice);
> 1215     	vy_range_delete(range);
> 1216     	tuple_unref(split_key.stmt);
> >>>     CID 1497665:  Resource leaks  (RESOURCE_LEAK)
> >>>     Variable "new_slice" going out of scope leaks the storage it points to.
> 1217     	return true;
> 1218     fail:
> 1219     	for (int i = 0; i < n_parts; i++) {
> 1220     		if (parts[i] != NULL)
> 1221     			vy_range_delete(parts[i]);
> 1222     	}
> 
> ** CID 1497664:  Resource leaks  (RESOURCE_LEAK)
> /projects/tarantool/tarantool.git/test/unit/sio.c: 110 in check_auto_bind()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497664:  Resource leaks  (RESOURCE_LEAK)
> /projects/tarantool/tarantool.git/test/unit/sio.c: 110 in check_auto_bind()
> 104     	is(sio_getsockname(fd, (struct sockaddr *) &addr, &addrlen), 0,
> 105     	   "getsockname works on 0 bind");
> 106     	isnt(addr.sin_port, 0, "a real port is returned");
> 107     
> 108     	check_plan();
> 109     	footer();
> >>>     CID 1497664:  Resource leaks  (RESOURCE_LEAK)
> >>>     Handle variable "fd" going out of scope leaks the handle.
> 110     }
> 111     
> 112     int
> 113     main(void)
> 114     {
> 115     	memory_init();
> 
> ** CID 1497663:  Memory - corruptions  (OVERLAPPING_COPY)
> /projects/tarantool/tarantool.git/src/box/sql/vdbemem.c: 601 in vdbe_mem_numerify()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497663:  Memory - corruptions  (OVERLAPPING_COPY)
> /projects/tarantool/tarantool.git/src/box/sql/vdbemem.c: 601 in vdbe_mem_numerify()
> 595     int
> 596     vdbe_mem_numerify(struct Mem *mem)
> 597     {
> 598     	if ((mem->flags & (MEM_Int | MEM_UInt | MEM_Real | MEM_Null)) != 0)
> 599     		return 0;
> 600     	if ((mem->flags & MEM_Bool) != 0) {
> >>>     CID 1497663:  Memory - corruptions  (OVERLAPPING_COPY)
> >>>     Assigning "mem->u.b" to "mem->u.u", which have overlapping memory locations and different types.
> 601     		mem->u.u = mem->u.b;
> 602     		MemSetTypeFlag(mem, MEM_UInt);
> 603     		return 0;
> 604     	}
> 605     	assert((mem->flags & (MEM_Blob | MEM_Str)) != 0);
> 606     	bool is_neg;
> 
> ** CID 1497662:  Error handling issues  (CHECKED_RETURN)
> /projects/tarantool/tarantool.git/src/box/sql/vdbeapi.c: 533 in createAggContext()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497662:  Error handling issues  (CHECKED_RETURN)
> /projects/tarantool/tarantool.git/src/box/sql/vdbeapi.c: 533 in createAggContext()
> 527     	Mem *pMem = p->pMem;
> 528     	assert((pMem->flags & MEM_Agg) == 0);
> 529     	if (nByte <= 0) {
> 530     		sqlVdbeMemSetNull(pMem);
> 531     		pMem->z = 0;
> 532     	} else {
> >>>     CID 1497662:  Error handling issues  (CHECKED_RETURN)
> >>>     Calling "sqlVdbeMemClearAndResize" without checking return value (as is done elsewhere 8 out of 9 times).
> 533     		sqlVdbeMemClearAndResize(pMem, nByte);
> 534     		pMem->flags = MEM_Agg;
> 535     		pMem->u.func = p->func;
> 536     		if (pMem->z) {
> 537     			memset(pMem->z, 0, nByte);
> 538     		}
> 
> ** CID 1497661:  Null pointer dereferences  (FORWARD_NULL)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497661:  Null pointer dereferences  (FORWARD_NULL)
> /projects/tarantool/tarantool.git/src/box/sql/build.c: 2057 in sql_create_foreign_key()
> 2051     	}
> 2052     
> 2053     exit_create_fk:
> 2054     	sql_expr_list_delete(db, child_cols);
> 2055     	if (!is_self_referenced)
> 2056     		sql_expr_list_delete(db, parent_cols);
> >>>     CID 1497661:  Null pointer dereferences  (FORWARD_NULL)
> >>>     Passing null pointer "parent_name" to "sqlDbFree", which dereferences it.
> 2057     	sqlDbFree(db, parent_name);
> 2058     	sqlDbFree(db, constraint_name);
> 2059     	return;
> 2060     tnt_error:
> 2061     	parse_context->is_aborted = true;
> 2062     	goto exit_create_fk;
> 
> ** CID 1497660:  Memory - corruptions  (USE_AFTER_FREE)
> /projects/tarantool/tarantool.git/src/box/sql/func.c: 1624 in replaceFunc()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497660:  Memory - corruptions  (USE_AFTER_FREE)
> /projects/tarantool/tarantool.git/src/box/sql/func.c: 1624 in replaceFunc()
> 1618     				return;
> 1619     			}
> 1620     			zOld = zOut;
> 1621     			zOut = sql_realloc64(zOut, (int)nOut);
> 1622     			if (zOut == 0) {
> 1623     				context->is_aborted = true;
> >>>     CID 1497660:  Memory - corruptions  (USE_AFTER_FREE)
> >>>     Calling "sql_free" frees pointer "zOld" which has already been freed.
> 1624     				sql_free(zOld);
> 1625     				return;
> 1626     			}
> 1627     			memcpy(&zOut[j], zRep, nRep);
> 1628     			j += nRep;
> 1629     			i += nPattern - 1;
> 
> ** CID 1497659:  Null pointer dereferences  (REVERSE_INULL)
> /projects/tarantool/tarantool.git/src/box/vy_write_iterator.c: 964 in vy_read_view_merge()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497659:  Null pointer dereferences  (REVERSE_INULL)
> /projects/tarantool/tarantool.git/src/box/vy_write_iterator.c: 964 in vy_read_view_merge()
> 958     		 */
> 959     		struct tuple *copy = vy_stmt_dup(rv->entry.stmt);
> 960     		if (is_first_insert)
> 961     			vy_stmt_set_type(copy, IPROTO_INSERT);
> 962     		else
> 963     			vy_stmt_set_type(copy, IPROTO_REPLACE);
> >>>     CID 1497659:  Null pointer dereferences  (REVERSE_INULL)
> >>>     Null-checking "copy" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
> 964     		if (copy == NULL)
> 965     			return -1;
> 966     		vy_stmt_set_lsn(copy, vy_stmt_lsn(rv->entry.stmt));
> 967     		vy_stmt_unref_if_possible(rv->entry.stmt);
> 968     		rv->entry.stmt = copy;
> 969     	}
> 
> ** CID 1497658:  Security best practices violations  (TOCTOU)
> /projects/tarantool/tarantool.git/src/box/wal.c: 480 in wal_open()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497658:  Security best practices violations  (TOCTOU)
> /projects/tarantool/tarantool.git/src/box/wal.c: 480 in wal_open()
> 474      */
> 475     static int
> 476     wal_open(struct wal_writer *writer)
> 477     {
> 478     	const char *path = xdir_format_filename(&writer->wal_dir,
> 479     				vclock_sum(&writer->vclock), NONE);
> >>>     CID 1497658:  Security best practices violations  (TOCTOU)
> >>>     Calling function "access" to perform check on "path".
> 480     	if (access(path, F_OK) != 0) {
> 481     		if (errno == ENOENT) {
> 482     			/* No WAL, nothing to do. */
> 483     			return 0;
> 484     		}
> 485     		diag_set(SystemError, "failed to access %s", path);
> 
> ** CID 1497657:    (CHECKED_RETURN)
> /projects/tarantool/tarantool.git/src/box/xrow.c: 630 in xrow_decode_sql()
> /projects/tarantool/tarantool.git/src/box/xrow.c: 629 in xrow_decode_sql()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1497657:    (CHECKED_RETURN)
> /projects/tarantool/tarantool.git/src/box/xrow.c: 630 in xrow_decode_sql()
> 624     	request->stmt_id = NULL;
> 625     	for (uint32_t i = 0; i < map_size; ++i) {
> 626     		uint8_t key = *data;
> 627     		if (key != IPROTO_SQL_BIND && key != IPROTO_SQL_TEXT &&
> 628     		    key != IPROTO_STMT_ID) {
> 629     			mp_check(&data, end);   /* skip the key */
> >>>     CID 1497657:    (CHECKED_RETURN)
> >>>     Calling "mp_check" without checking return value (as is done elsewhere 206 out of 208 times).
> 630     			mp_check(&data, end);   /* skip the value */
> 631     			continue;
> 632     		}
> 633     		const char *value = ++data;     /* skip the key */
> 634     		if (mp_check(&data, end) != 0)  /* check the value */
> 635     			goto error;
> /projects/tarantool/tarantool.git/src/box/xrow.c: 629 in xrow_decode_sql()
> 623     	request->bind = NULL;
> 624     	request->stmt_id = NULL;
> 625     	for (uint32_t i = 0; i < map_size; ++i) {
> 626     		uint8_t key = *data;
> 627     		if (key != IPROTO_SQL_BIND && key != IPROTO_SQL_TEXT &&
> 628     		    key != IPROTO_STMT_ID) {
> >>>     CID 1497657:    (CHECKED_RETURN)
> >>>     Calling "mp_check" without checking return value (as is done elsewhere 206 out of 208 times).
> 629     			mp_check(&data, end);   /* skip the key */
> 630     			mp_check(&data, end);   /* skip the value */
> 631     			continue;
> 632     		}
> 633     		const char *value = ++data;     /* skip the key */
> 634     		if (mp_check(&data, end) != 0)  /* check the value */
> 
> 
----- End forwarded message -----

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2020-10-05 13:19 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-05 13:18 [Tarantool-patches] Fwd: New Defects reported by Coverity Scan for tarantool/tarantool Cyrill Gorcunov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox