Bug #4867
closed
Uninitialized variables in libnsl
100%
Description
I temporarily removed -Wno-uninitialized from usr/src/lib/libnsl/Makefile.com and tried to compile libnsl. Most of the errors reported were just a false positives, but I found few real problems:
Issue 1
In netname2user() the res might be used uninitialized:
421 if (strcmp(look->service_name, "nis") == 0)
422 res = netname2user_nis(&err, (char *)netname, &argp);
423 else if (strcmp(look->service_name, "files") == 0)
424 res = netname2user_files(&err, (char *)netname, &argp);
425 else if (strcmp(look->service_name, "ldap") == 0)
426 res = netname2user_ldap(&err, (char *)netname, &argp);
427 else {
428 syslog(LOG_INFO,
429 "netname2user: unknown nameservice for publickey"
430 "info '%s'\\n", look->service_name);
431 err = __NSW_UNAVAIL;
432 }
433 switch (look->actions[err]) {
434 case __NSW_CONTINUE :
435 break;
436 case __NSW_RETURN :
437 if (needfree)
438 (void) __nsw_freeconfig(conf);
439 (void) mutex_unlock(&serialize_netname_r);
440 return (res);
In a case the last else path is executed (lines 428 to 431), and look->actions[err] is __NSW_RETURN, we will return uninitialized res at line 440.
The very similar issue is also in __getpublickey_cached_g() and getsecretkey_g().
Issue 2
In clnt_vc_control() the ret might be used uninitialized:
880static bool_t
881clnt_vc_control(CLIENT *cl, int request, char *info)
882{
883 bool_t ret;
...
901 case CLFLUSH:
902 if (ct->ct_io_mode == RPC_CL_NONBLOCKING) {
903 int res;
904 res = do_flush(ct, (info == NULL ||
905 /* LINTED pointer cast */
906 *(int *)info == RPC_CL_DEFAULT_FLUSH)?
907 /* LINTED pointer cast */
908 ct->ct_blocking_mode: *(int *)info);
909 ret = (0 == res);
910 }
911 rpc_fd_unlock(vctbl, ct->ct_fd);
912 return (ret);
If ct->ct_io_mode is not RPC_CL_NONBLOCKING, the uninitialized ret will be returned at line 912.
Issue 3
In _tx_sndvudata() the dataptr might be used uninitialized:
48int
49_tx_sndvudata(int fd, const struct t_unitdata *unitdata, struct t_iovec *tiov,
50 unsigned int tiovcount, int api_semantics)
51{
52 struct T_unitdata_req *udreq;
53 struct strbuf ctlbuf;
54 struct strbuf databuf;
55 int size;
56 struct _ti_user *tiptr;
57 int sv_errno;
58 int didalloc;
59 char *dataptr;
...
124 if (_t_aligned_copy(&ctlbuf, unitdata->addr.len, size,
125 unitdata->addr.buf, &udreq->DEST_offset) < 0) {
126 /*
127 * Aligned copy based will overflow buffer
128 * allocated based on maximum transport address
129 * size information
130 */
131 t_errno = TSYSERR;
132 errno = EPROTO;
133 goto err_out;
134 }
...
160 dataptr = NULL;
...
199err_out:
200 sv_errno = errno;
201 if (didalloc)
202 free(ctlbuf.buf);
203 else
204 tiptr->ti_ctlbuf = ctlbuf.buf;
205 if (dataptr != NULL)
206 free(dataptr);
In a case the goto at line 133 is executed, we will use uninitialized dataptr at lines 205 and 206.
Issue 4
Uninitialized getby_flag in _getexecprof():
158execstr_t *
159_getexecprof(char *name,
160 char *type,
161 char *id,
162 int search_flag,
163 execstr_t *result,
164 char *buffer,
165 int buflen,
166 int *errnop)
167{
168 int getby_flag;
...
192 if ((name != NULL) && (id != NULL)) {
193 getby_flag = NSS_DBOP_EXECATTR_BYNAMEID;
194 } else if (name != NULL) {
195 getby_flag = NSS_DBOP_EXECATTR_BYNAME;
196 } else if (id != NULL) {
197 getby_flag = NSS_DBOP_EXECATTR_BYID;
198 }
199
200 arg.key.attrp = &(_priv_exec);
201
202 switch (getby_flag) {
In a case both name and id are NULL, the getby_flag at line 202 will be used uninitialized.
Updated by Marcel Telka about 8 years ago
- Status changed from In Progress to Pending RTI
Updated by Electric Monk about 8 years ago
- Status changed from Pending RTI to Closed
- % Done changed from 0 to 100
git commit d00075c72fe6e0468054c64c53d70554c1d1cb02
commit d00075c72fe6e0468054c64c53d70554c1d1cb02
Author: Marcel Telka <marcel.telka@nexenta.com>
Date: 2014-05-21T20:53:41.000Z
4867 Uninitialized variables in libnsl
Reviewed by: Josef 'Jeff' Sipek <josef.sipek@nexenta.com>
Approved by: Dan McDonald <danmcd@omniti.com>