Bug #4867

Uninitialized variables in libnsl

Added by Marcel Telka over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: lib - userland libraries
Start date: 2014-05-15
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:
Description

I temporarily removed -Wno-uninitialized from usr/src/lib/libnsl/Makefile.com and tried to compile libnsl. Most of the errors reported were just false positives, but I found a few real problems:

Issue 1

In netname2user(), res might be used uninitialized:

421          if (strcmp(look->service_name, "nis") == 0)
422              res = netname2user_nis(&err, (char *)netname, &argp);
423          else if (strcmp(look->service_name, "files") == 0)
424              res = netname2user_files(&err, (char *)netname, &argp);
425          else if (strcmp(look->service_name, "ldap") == 0)
426              res = netname2user_ldap(&err, (char *)netname, &argp);
427          else {
428              syslog(LOG_INFO,
429                  "netname2user: unknown nameservice for publickey"
430                  "info '%s'\n", look->service_name);
431              err = __NSW_UNAVAIL;
432          }
433          switch (look->actions[err]) {
434              case __NSW_CONTINUE :
435                  break;
436              case __NSW_RETURN :
437                  if (needfree)
438                      (void) __nsw_freeconfig(conf);
439                  (void) mutex_unlock(&serialize_netname_r);
440                  return (res);

In case the last else path is executed (lines 428 to 431) and look->actions[err] is __NSW_RETURN, we will return the uninitialized res at line 440.

A very similar issue is also present in __getpublickey_cached_g() and getsecretkey_g().

Issue 2

In clnt_vc_control(), ret might be used uninitialized:

880  static bool_t
881  clnt_vc_control(CLIENT *cl, int request, char *info)
882  {
883      bool_t ret;

...

901      case CLFLUSH:
902          if (ct->ct_io_mode == RPC_CL_NONBLOCKING) {
903              int res;
904              res = do_flush(ct, (info == NULL ||
905                  /* LINTED pointer cast */
906                  *(int *)info == RPC_CL_DEFAULT_FLUSH)?
907                  /* LINTED pointer cast */
908                  ct->ct_blocking_mode: *(int *)info);
909              ret = (0 == res);
910          }
911          rpc_fd_unlock(vctbl, ct->ct_fd);
912          return (ret);

If ct->ct_io_mode is not RPC_CL_NONBLOCKING, the uninitialized ret will be returned at line 912.

Issue 3

In _tx_sndvudata(), dataptr might be used uninitialized:

 48  int
 49  _tx_sndvudata(int fd, const struct t_unitdata *unitdata, struct t_iovec *tiov,
 50      unsigned int tiovcount, int api_semantics)
 51  {
 52      struct T_unitdata_req *udreq;
 53      struct strbuf ctlbuf;
 54      struct strbuf databuf;
 55      int size;
 56      struct _ti_user *tiptr;
 57      int sv_errno;
 58      int didalloc;
 59      char *dataptr;

...

124          if (_t_aligned_copy(&ctlbuf, unitdata->addr.len, size,
125              unitdata->addr.buf, &udreq->DEST_offset) < 0) {
126              /*
127               * Aligned copy based will overflow buffer
128               * allocated based on maximum transport address
129               * size information
130               */
131              t_errno = TSYSERR;
132              errno = EPROTO;
133              goto err_out;
134          }

...

160      dataptr = NULL;

...

199  err_out:
200      sv_errno = errno;
201      if (didalloc)
202          free(ctlbuf.buf);
203      else
204          tiptr->ti_ctlbuf = ctlbuf.buf;
205      if (dataptr != NULL)
206          free(dataptr);

In case the goto at line 133 is executed, we will use the uninitialized dataptr at lines 205 and 206.
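The cleanup pattern behind Issue 3, as an added example that is not illumos code: a hypothetical send_unitdata_model() with the same shape as _tx_sndvudata() (allocate a control buffer, run a step that may fail, jump to err_out), where dataptr is set to NULL at its declaration so the cleanup block only frees what was actually allocated. The fail_early parameter, the dataptr_frees() counter, the buffer sizes and the return convention are constructed for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Counter so a caller can observe what the cleanup path freed (constructed for this example). */
static int dataptr_free_count;

int dataptr_frees(void)
{
    return (dataptr_free_count);
}

/*
 * Hypothetical stand-in for the _tx_sndvudata() shape: allocate a control
 * buffer, run a step that may fail, then allocate the data buffer.
 * fail_early != 0 models _t_aligned_copy() failing and jumping to err_out
 * before dataptr was ever assigned (the goto at line 133 in the report).
 * Returns 0 on success, -1 on failure with errno set.
 */
int send_unitdata_model(int fail_early, size_t datalen)
{
    char *ctlbuf;
    char *dataptr = NULL;   /* the fix: every pointer err_out frees is defined from the start */
    int sv_errno;

    ctlbuf = malloc(64);
    if (ctlbuf == NULL)
        return (-1);

    if (fail_early) {
        errno = EPROTO;     /* mirrors the errno set just before the goto in the report */
        goto err_out;
    }

    dataptr = malloc(datalen);
    if (dataptr == NULL)
        goto err_out;
    memset(dataptr, 0, datalen);  /* the real function gathers the caller's iovecs here */

    free(dataptr);
    dataptr_free_count++;
    free(ctlbuf);
    return (0);

err_out:
    sv_errno = errno;
    free(ctlbuf);
    if (dataptr != NULL) {        /* safe now: NULL unless the second malloc ran */
        free(dataptr);
        dataptr_free_count++;
    }
    errno = sv_errno;
    return (-1);
}
```

With the original shape (dataptr first written at line 160, after the goto at line 133), the err_out block reads whatever happened to be on the stack and may pass it to free(); gcc's -Wall together with -Wuninitialized or -Wmaybe-uninitialized (the warning class the report re-enabled by dropping -Wno-uninitialized) is the cheapest way to catch that shape before it reaches a release, and initializing every pointer that the cleanup block frees at its declaration removes both the warning and the free() of garbage.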

Issue 4

Uninitialized getby_flag in _getexecprof():

158  execstr_t *
159  _getexecprof(char *name,
160      char *type,
161      char *id,
162      int search_flag,
163      execstr_t *result,
164      char *buffer,
165      int buflen,
166      int *errnop)
167  {
168      int        getby_flag;

...

192      if ((name != NULL) && (id != NULL)) {
193          getby_flag = NSS_DBOP_EXECATTR_BYNAMEID;
194      } else if (name != NULL) {
195          getby_flag = NSS_DBOP_EXECATTR_BYNAME;
196      } else if (id != NULL) {
197          getby_flag = NSS_DBOP_EXECATTR_BYID;
198      }
199
200      arg.key.attrp = &(_priv_exec);
201
202      switch (getby_flag) {

In case both name and id are NULL, getby_flag will be used uninitialized at line 202.
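Issues 1, 2 and 4 share one shape: a variable assigned only on some branches of an if/else-if chain or a conditional, then read on a path none of those branches covered. The added example below is not illumos code; it models each shape with constructed stand-ins (select_getby() and lookup_by() for Issue 4's getby_flag and switch, flush_control() for Issue 2's ret, dispatch_by_service() for Issue 1's res/err pair) and shows the defensive fix: give the variable a defined failure value at its declaration, and make the switch reject that sentinel explicitly. The enum names, return codes and the (name, id) and service arguments are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the NSS_DBOP_EXECATTR_* selectors and the RPC I/O modes on the page. */
enum getby { GETBY_NONE = -1, GETBY_NAMEID = 0, GETBY_NAME = 1, GETBY_ID = 2 };
enum io_mode { IO_BLOCKING = 0, IO_NONBLOCKING = 1 };

/*
 * Issue 4 shape: an else-if chain with no final else. Initializing
 * getby_flag to a sentinel turns the both-NULL case into a value the
 * switch below can reject instead of an uninitialized read.
 */
enum getby select_getby(const char *name, const char *id)
{
    enum getby getby_flag = GETBY_NONE;   /* defined before any branch runs */

    if (name != NULL && id != NULL)
        getby_flag = GETBY_NAMEID;
    else if (name != NULL)
        getby_flag = GETBY_NAME;
    else if (id != NULL)
        getby_flag = GETBY_ID;
    return (getby_flag);
}

/* Returns 0 when a usable key was selected, -1 when there is nothing to look up. */
int lookup_by(const char *name, const char *id)
{
    switch (select_getby(name, id)) {
    case GETBY_NAMEID:
    case GETBY_NAME:
    case GETBY_ID:
        return (0);
    default:                              /* GETBY_NONE: previously garbage */
        return (-1);
    }
}

/*
 * Issue 2 shape: ret was only assigned inside the non-blocking branch.
 * Starting from a defined failure value makes the blocking path return false
 * rather than whatever was on the stack.
 */
bool flush_control(enum io_mode mode, const int *info)
{
    bool ret = false;

    if (mode == IO_NONBLOCKING) {
        int res;
        /* stand-in for do_flush(): 0 means the flush succeeded */
        res = (info == NULL) ? 0 : *info;
        ret = (0 == res);
    }
    return (ret);
}

/*
 * Issue 1 shape: the unknown-service branch sets err but not res, and the
 * caller may return res right away. Initializing res to a failure code makes
 * that early return safe regardless of which branch ran.
 */
int dispatch_by_service(const char *service, int *errp)
{
    int res = -1;                         /* defined failure value up front */

    *errp = 0;
    if (strcmp(service, "nis") == 0 || strcmp(service, "files") == 0 ||
        strcmp(service, "ldap") == 0) {
        res = 0;                          /* stand-in for the netname2user_*() back ends */
    } else {
        *errp = 1;                        /* __NSW_UNAVAIL analogue */
    }
    return (res);
}
```

The sentinel in select_getby() is preferable to silently defaulting to one of the real lookup modes: a caller that passed neither name nor id gets an explicit error from lookup_by() instead of a lookup keyed on nothing, which is the behaviour a reviewer would want the original switch at line 202 to have as well.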

#1

Updated by Marcel Telka over 6 years ago

  • Status changed from In Progress to Pending RTI
#2

Updated by Electric Monk over 6 years ago

  • Status changed from Pending RTI to Closed
  • % Done changed from 0 to 100

git commit d00075c72fe6e0468054c64c53d70554c1d1cb02

commit  d00075c72fe6e0468054c64c53d70554c1d1cb02
Author: Marcel Telka <marcel.telka@nexenta.com>
Date:   2014-05-21T20:53:41.000Z

    4867 Uninitialized variables in libnsl
    Reviewed by: Josef 'Jeff' Sipek <josef.sipek@nexenta.com>
    Approved by: Dan McDonald <danmcd@omniti.com>
