On Fri, Jun 26, 2009 at 05:45:59PM +0200, Jim Meyering wrote: > I was looking through recent changes and spotted two potential > NULL-dereferences in this change set: > > http://git.et.redhat.com/?p=libvirt.git;a=commitdiff;h=70c01b4c1adea75e9 > > In src/opennebula/one_client.c: > > + one_client.url=(char *)malloc(64); > + snprintf(one_client.url, 63, "http://localhost:%d/RPC2";, ONED_PORT); > +#else > + one_client.url=(char *)"http://localhost:2633/RPC2";; > +#endif Fortunetaly this one is within a #ifdef ONED_PORT, which is not defined so the problem code won't be compiled. We should still kill it though > -- > + file_text=(char *)malloc(size+1); > + bytes_read=read(file, file_text, size); > + close(file); > + > + if(bytes_read==size) { Time for a syntax-check rule to blacklist malloc() & friends from all code. I'd like to blacklist snprintf/sprintf too but there's still quite alot of usage of those. > > Perhaps of more immediate concern, > these syscalls are not checked for failure: > > + file=open(template_file, O_RDONLY); > + size=lseek(file, 0, SEEK_END); > + lseek(file, 0, SEEK_SET); > > and same for the "read" syscall above. This particular method isn't used either - we switched the code to avoid temporary files, so we should kill this too. Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list