From 553b2adb9b58412e42ac11720ef9363d520123f6 Mon Sep 17 00:00:00 2001 From: =?utf8?q?J=C3=A9r=C3=A9mie=20Galarneau?= Date: Fri, 28 Jul 2017 10:59:30 -0400 Subject: [PATCH] Fix: NULL passed to memcpy in error path MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit CID 1378708: Null pointer dereferences (FORWARD_NULL) Passing null pointer "data" to "memcpy", which dereferences it. Reported-by: Coverity Scan Signed-off-by: Jérémie Galarneau --- src/bin/lttng-relayd/live.c | 50 +++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/src/bin/lttng-relayd/live.c b/src/bin/lttng-relayd/live.c index 9029a5955..8a8550f40 100644 --- a/src/bin/lttng-relayd/live.c +++ b/src/bin/lttng-relayd/live.c @@ -1483,12 +1483,11 @@ static int viewer_get_packet(struct relay_connection *conn) { int ret; - char *data = NULL; + char *reply = NULL; struct lttng_viewer_get_packet get_packet_info; - struct lttng_viewer_trace_packet reply; + struct lttng_viewer_trace_packet reply_header; struct relay_viewer_stream *vstream = NULL; - bool skip_send_data = false; - uint32_t send_len = sizeof(reply); + uint32_t reply_size = sizeof(reply_header); uint32_t packet_data_len = 0; ssize_t read_len; @@ -1504,29 +1503,26 @@ int viewer_get_packet(struct relay_connection *conn) health_code_update(); /* From this point on, the error label can be reached. */ - memset(&reply, 0, sizeof(reply)); + memset(&reply_header, 0, sizeof(reply_header)); vstream = viewer_stream_get_by_id(be64toh(get_packet_info.stream_id)); if (!vstream) { - skip_send_data = true; DBG("Client requested packet of unknown stream id %" PRIu64, be64toh(get_packet_info.stream_id)); - reply.status = htobe32(LTTNG_VIEWER_GET_PACKET_ERR); + reply_header.status = htobe32(LTTNG_VIEWER_GET_PACKET_ERR); + goto send_reply_nolock; } else { packet_data_len = be32toh(get_packet_info.len); - send_len += packet_data_len; + reply_size += packet_data_len; } - data = zmalloc(send_len); - if (!data) { - PERROR("relay data zmalloc"); + reply = zmalloc(reply_size); + if (!reply) { + PERROR("packet reply zmalloc"); + reply_size = sizeof(reply_header); goto error; } - if (skip_send_data) { - goto send_reply_nolock; - } - pthread_mutex_lock(&vstream->stream->lock); ret = lseek(vstream->stream_fd->fd, be64toh(get_packet_info.offset), SEEK_SET); @@ -1536,7 +1532,7 @@ int viewer_get_packet(struct relay_connection *conn) goto error; } read_len = lttng_read(vstream->stream_fd->fd, - data + sizeof(reply), + reply + sizeof(reply_header), packet_data_len); if (read_len < packet_data_len) { PERROR("Relay reading trace file, fd: %d, offset: %" PRIu64, @@ -1544,12 +1540,12 @@ int viewer_get_packet(struct relay_connection *conn) be64toh(get_packet_info.offset)); goto error; } - reply.status = htobe32(LTTNG_VIEWER_GET_PACKET_OK); - reply.len = htobe32(packet_data_len); + reply_header.status = htobe32(LTTNG_VIEWER_GET_PACKET_OK); + reply_header.len = htobe32(packet_data_len); goto send_reply; error: - reply.status = htobe32(LTTNG_VIEWER_GET_PACKET_ERR); + reply_header.status = htobe32(LTTNG_VIEWER_GET_PACKET_ERR); send_reply: if (vstream) { @@ -1559,20 +1555,26 @@ send_reply_nolock: health_code_update(); - memcpy(data, &reply, sizeof(reply)); - health_code_update(); - ret = send_response(conn->sock, data, send_len); + if (reply) { + memcpy(reply, &reply_header, sizeof(reply_header)); + ret = send_response(conn->sock, reply, reply_size); + } else { + /* No reply to send. */ + ret = send_response(conn->sock, &reply_header, + reply_size); + } + health_code_update(); if (ret < 0) { PERROR("sendmsg of packet data failed"); goto end_free; } - DBG("Sent %u bytes for stream %" PRIu64, send_len, + DBG("Sent %u bytes for stream %" PRIu64, reply_size, be64toh(get_packet_info.stream_id)); end_free: - free(data); + free(reply); end: if (vstream) { viewer_stream_put(vstream); -- 2.34.1