Re: [PATCH 01/11] tlscontext: Make sure to get proper pointer to name

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2013年01月31日 03:36, John Ferlan wrote:
The 'dname' string was only filled in within the loop when available;
however, the TRACE macros used it unconditionally and caused Coverity
to compain about BAD_SIZEOF.  Using a dnameptr keeps Coverity at bay and
makes sure dname was properly filled before attempting the TRACE message.
---
  src/rpc/virnettlscontext.c | 8 +++++---
  1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index 0f0ddff..29d1508 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -1,7 +1,7 @@
  /*
   * virnettlscontext.c: TLS encryption/x509 handling
   *
- * Copyright (C) 2010-2012 Red Hat, Inc.
+ * Copyright (C) 2010-2013 Red Hat, Inc.
   *
   * This library is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
@@ -950,6 +950,7 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
      unsigned int nCerts, i;
      char dname[256];
      size_t dnamesize = sizeof(dname);
+    char *dnameptr = NULL;

      memset(dname, 0, dnamesize);

@@ -1025,6 +1026,7 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
                                 "[session]", gnutls_strerror(ret));
                  goto authfail;
              }
+            dnameptr = dname;
              VIR_DEBUG("Peer DN is %s", dname);

              if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostname, dname,
@@ -1062,14 +1064,14 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,

      PROBE(RPC_TLS_CONTEXT_SESSION_ALLOW,
            "ctxt=%p sess=%p dname=%s",
-          ctxt, sess, dname);
+          ctxt, sess, dnameptr ? dnameptr : "(unknown)");

      return 0;

  authdeny:
      PROBE(RPC_TLS_CONTEXT_SESSION_DENY,
            "ctxt=%p sess=%p dname=%s",
-          ctxt, sess, dname);
+          ctxt, sess, dnameptr ? dnameptr : "(unknown)");

      return -1;


I guess dname[0] is guaranteed to be not nul as long as
gnutls_x509_crt_get_dn succeeded.

If so, the patch can be simplified as:

dname[0] ? dname : "(unknown)"

Osier

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]