[BlueZ,v1,1/5] obexd: add NULL checks to file_stat_line()

Commit Message

Roman Smirnov July 4, 2024, 6:07 p.m. UTC

gmtime() may return NULL. It is necessary to prevent
dereferencing of a NULL pointer.

Found with the SVACE static analysis tool.
---
 obexd/plugins/filesystem.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

Comments

bluez.test.bot@gmail.com July 4, 2024, 7:01 p.m. UTC | #1

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=868563

---Test result---

Test Summary:
CheckPatch                    PASS      1.41 seconds
GitLint                       PASS      0.96 seconds
BuildEll                      PASS      24.94 seconds
BluezMake                     FAIL      20.08 seconds
MakeCheck                     FAIL      37.87 seconds
MakeDistcheck                 PASS      179.50 seconds
CheckValgrind                 FAIL      16.91 seconds
CheckSmatch                   FAIL      25.91 seconds
bluezmakeextell               FAIL      14.82 seconds
IncrementalBuild              FAIL      1632.23 seconds
ScanBuild                     FAIL      554.27 seconds

Details
##############################
Test: BluezMake - FAIL
Desc: Build BlueZ
Output:

src/shared/shell.c: In function ‘bt_shell_init’:
src/shared/shell.c:1336:21: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 1336 |    if (opt && index >= offset) {
      |                     ^~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:8680: src/shared/libshared_mainloop_la-shell.lo] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4666: all] Error 2
##############################
Test: MakeCheck - FAIL
Desc: Run Bluez Make Check
Output:

src/shared/shell.c: In function ‘bt_shell_init’:
src/shared/shell.c:1336:21: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 1336 |    if (opt && index >= offset) {
      |                     ^~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:8435: src/shared/libshared_glib_la-shell.lo] Error 1
make: *** [Makefile:12292: check] Error 2
##############################
Test: CheckValgrind - FAIL
Desc: Run Bluez Make Check with Valgrind
Output:

src/shared/shell.c: In function ‘bt_shell_init’:
src/shared/shell.c:1336:21: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 1336 |    if (opt && index >= offset) {
      |                     ^~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:8680: src/shared/libshared_mainloop_la-shell.lo] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:12292: check] Error 2
##############################
Test: CheckSmatch - FAIL
Desc: Run smatch tool with source
Output:

src/shared/crypto.c:271:21: warning: Variable length array is used.
src/shared/crypto.c:272:23: warning: Variable length array is used.
src/shared/gatt-helpers.c:768:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:830:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:1323:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:1354:23: warning: Variable length array is used.
src/shared/gatt-server.c:278:25: warning: Variable length array is used.
src/shared/gatt-server.c:621:25: warning: Variable length array is used.
src/shared/gatt-server.c:720:25: warning: Variable length array is used.
src/shared/bap.c:286:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):
/usr/include/readline/rltypedefs.h:35:23: warning: non-ANSI function declaration of function 'Function'
/usr/include/readline/rltypedefs.h:36:25: warning: non-ANSI function declaration of function 'VFunction'
/usr/include/readline/rltypedefs.h:37:27: warning: non-ANSI function declaration of function 'CPFunction'
/usr/include/readline/rltypedefs.h:38:29: warning: non-ANSI function declaration of function 'CPPFunction'
src/shared/shell.c: In function ‘bt_shell_init’:
src/shared/shell.c:1336:21: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 1336 |    if (opt && index >= offset) {
      |                     ^~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:8680: src/shared/libshared_mainloop_la-shell.lo] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4666: all] Error 2
##############################
Test: bluezmakeextell - FAIL
Desc: Build Bluez with External ELL
Output:

src/shared/shell.c: In function ‘bt_shell_init’:
src/shared/shell.c:1336:21: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 1336 |    if (opt && index >= offset) {
      |                     ^~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:8680: src/shared/libshared_mainloop_la-shell.lo] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4666: all] Error 2
##############################
Test: IncrementalBuild - FAIL
Desc: Incremental build with the patches in the series
Output:
[BlueZ,v1,2/5] shared/shell: prevent integer overflow in bt_shell_init()

src/shared/shell.c: In function ‘bt_shell_init’:
src/shared/shell.c:1336:21: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 1336 |    if (opt && index >= offset) {
      |                     ^~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:8680: src/shared/libshared_mainloop_la-shell.lo] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4666: all] Error 2
##############################
Test: ScanBuild - FAIL
Desc: Run Scan Build
Output:

src/shared/gatt-client.c:451:21: warning: Use of memory after it is freed
        gatt_db_unregister(op->client->db, op->db_id);
                           ^~~~~~~~~~
src/shared/gatt-client.c:696:2: warning: Use of memory after it is freed
        discovery_op_complete(op, false, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:996:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1102:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1294:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1359:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1634:6: warning: Use of memory after it is freed
        if (read_db_hash(op)) {
            ^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1639:2: warning: Use of memory after it is freed
        discover_all(op);
        ^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2143:6: warning: Use of memory after it is freed
        if (read_db_hash(op)) {
            ^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2151:8: warning: Use of memory after it is freed
                                                        discovery_op_ref(op),
                                                        ^~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3240:2: warning: Use of memory after it is freed
        complete_write_long_op(req, success, 0, false);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3262:2: warning: Use of memory after it is freed
        request_unref(req);
        ^~~~~~~~~~~~~~~~~~
12 warnings generated.
src/shared/shell.c: In function ‘bt_shell_init’:
src/shared/shell.c:1336:21: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 1336 |    if (opt && index >= offset) {
      |                     ^~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:8680: src/shared/libshared_mainloop_la-shell.lo] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4666: all] Error 2


---
Regards,
Linux Bluetooth

Patch

diff --git a/obexd/plugins/filesystem.c b/obexd/plugins/filesystem.c
index 4887a0b8a..a57b25a83 100644
--- a/obexd/plugins/filesystem.c
+++ b/obexd/plugins/filesystem.c
@@ -113,6 +113,7 @@  static char *file_stat_line(char *filename, struct stat *fstat,
 {
 	char perm[51], atime[18], ctime[18], mtime[18];
 	char *escaped, *ret = NULL;
+	struct tm a_gmtime, c_gmtime, m_gmtime;
 
 	snprintf(perm, 50, "user-perm=\"%s%s%s\" group-perm=\"%s%s%s\" "
 			"other-perm=\"%s%s%s\"",
@@ -126,9 +127,16 @@  static char *file_stat_line(char *filename, struct stat *fstat,
 			(fstat->st_mode & 0002 ? "W" : ""),
 			(dstat->st_mode & 0002 ? "D" : ""));
 
-	strftime(atime, 17, "%Y%m%dT%H%M%SZ", gmtime(&fstat->st_atime));
-	strftime(ctime, 17, "%Y%m%dT%H%M%SZ", gmtime(&fstat->st_ctime));
-	strftime(mtime, 17, "%Y%m%dT%H%M%SZ", gmtime(&fstat->st_mtime));
+	if (!gmtime_r(&fstat->st_atime, &a_gmtime) ||
+			!gmtime_r(&fstat->st_ctime, &c_gmtime) ||
+			!gmtime_r(&fstat->st_mtime, &m_gmtime)) {
+		error("gmtime_r() returned NULL");
+		return ret;
+	}
+
+	strftime(atime, 17, "%Y%m%dT%H%M%SZ", &a_gmtime);
+	strftime(ctime, 17, "%Y%m%dT%H%M%SZ", &c_gmtime);
+	strftime(mtime, 17, "%Y%m%dT%H%M%SZ", &m_gmtime);
 
 	escaped = g_markup_escape_text(filename, -1);