Array 'message_buf' of size 500 may use index value(s) -1
Object 'enc_key.data' was freed at line 164 after being freed
by calling 'free' at line 150. Also there are 3 similar errors
on line(s) 164.
Suspicious dereference of pointer 'vmsg' before NULL check at
line 187. Also there are 2 similar errors on line(s) 196, 205.
Suspicious dereference of pointer 'rmsg' before NULL check at
line 191. Also there are 2 similar errors on line(s) 200, 209.
Signed-off-by: Dmitry Eremin <dmitry.eremin@intel.com>
Change-Id: I50905ea99d904123df30ba7078b180b44b8a6e06
Reviewed-on: http://review.whamcloud.com/9274
Tested-by: Jenkins
Reviewed-by: John L. Hammond <john.hammond@intel.com>
Reviewed-by: James Simmons <uja.ornl@gmail.com>
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
switch (SPTLRPC_FLVR_SVC(req->rq_flvr.sf_rpc)) {
case SPTLRPC_SVC_NULL:
vmsg = req->rq_repdata;
switch (SPTLRPC_FLVR_SVC(req->rq_flvr.sf_rpc)) {
case SPTLRPC_SVC_NULL:
vmsg = req->rq_repdata;
+ LASSERT(vmsg != NULL && vmsg->lm_bufcount >= 3);
voff = vmsg->lm_bufcount - 1;
voff = vmsg->lm_bufcount - 1;
- LASSERT(vmsg && vmsg->lm_bufcount >= 3);
+ LASSERT(rmsg != NULL && rmsg->lm_bufcount >= 3);
roff = rmsg->lm_bufcount - 1; /* last segment */
roff = rmsg->lm_bufcount - 1; /* last segment */
- LASSERT(rmsg && rmsg->lm_bufcount >= 3);
break;
case SPTLRPC_SVC_AUTH:
case SPTLRPC_SVC_INTG:
vmsg = req->rq_repdata;
break;
case SPTLRPC_SVC_AUTH:
case SPTLRPC_SVC_INTG:
vmsg = req->rq_repdata;
+ LASSERT(vmsg != NULL && vmsg->lm_bufcount >= 4);
voff = vmsg->lm_bufcount - 2;
voff = vmsg->lm_bufcount - 2;
- LASSERT(vmsg && vmsg->lm_bufcount >= 4);
+ LASSERT(rmsg != NULL && rmsg->lm_bufcount >= 4);
roff = rmsg->lm_bufcount - 2; /* second last segment */
roff = rmsg->lm_bufcount - 2; /* second last segment */
- LASSERT(rmsg && rmsg->lm_bufcount >= 4);
break;
case SPTLRPC_SVC_PRIV:
vmsg = req->rq_repdata;
break;
case SPTLRPC_SVC_PRIV:
vmsg = req->rq_repdata;
+ LASSERT(vmsg != NULL && vmsg->lm_bufcount >= 2);
voff = vmsg->lm_bufcount - 1;
voff = vmsg->lm_bufcount - 1;
- LASSERT(vmsg && vmsg->lm_bufcount >= 2);
+ LASSERT(rmsg != NULL && rmsg->lm_bufcount >= 2);
roff = rmsg->lm_bufcount - 1; /* last segment */
roff = rmsg->lm_bufcount - 1; /* last segment */
- LASSERT(rmsg && rmsg->lm_bufcount >= 2);
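Review bot: The reordered `LASSERT` calls remain the only visible validation of `lm_bufcount` in all three `case` arms, and `vmsg` is taken from `req->rq_repdata`, which looks like received reply data. If those counts can be influenced by the peer, a malformed reply would trip the assertion and abort the thread (or panic, depending on configuration) instead of failing the one request. An explicit check that returns an error would be safer, e.g. `if (vmsg == NULL || vmsg->lm_bufcount < 3) return -EPROTO;`, adapted to the enclosing function's error convention. The assignment of `rmsg` and the start and end of the function are outside the hunk, so earlier validation may already exist and should be confirmed.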
gss_krb5_lucid_key_t enc_key;
int i;
char *skd, *dkd;
gss_krb5_lucid_key_t enc_key;
int i;
char *skd, *dkd;
- gss_buffer_desc fakeoid;
/*
* The new Kerberos interface to get the gss context
/*
* The new Kerberos interface to get the gss context
* interface to the kernel.
*/
memset(&enc_key, 0, sizeof(enc_key));
* interface to the kernel.
*/
memset(&enc_key, 0, sizeof(enc_key));
- memset(&fakeoid, 0, sizeof(fakeoid));
if (!(buf->value = calloc(1, MAX_CTX_LEN)))
goto out_err;
if (!(buf->value = calloc(1, MAX_CTX_LEN)))
goto out_err;
dkd = (char *) enc_key.data;
for (i = 0; i < enc_key.length; i++)
dkd[i] = skd[i] ^ 0xf0;
dkd = (char *) enc_key.data;
for (i = 0; i < enc_key.length; i++)
dkd[i] = skd[i] ^ 0xf0;
- if (write_lucid_keyblock(&p, end, &enc_key)) {
- free(enc_key.data);
+ if (write_lucid_keyblock(&p, end, &enc_key))
- }
- free(enc_key.data);
-
if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key))
goto out_err;
if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key))
goto out_err;
buf->length = p - (char *)buf->value;
return 0;
out_err:
printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
buf->length = p - (char *)buf->value;
return 0;
out_err:
printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
- if (buf->value) free(buf->value);
+ if (buf->value) {
+ free(buf->value);
+ buf->value = NULL;
+ }
buf->length = 0;
if (enc_key.data) free(enc_key.data);
return -1;
buf->length = 0;
if (enc_key.data) free(enc_key.data);
return -1;
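Review bot: With both `free(enc_key.data)` calls removed around the first `write_lucid_keyblock()` call, the success path shown (`buf->length = p - (char *)buf->value; return 0;`) no longer releases `enc_key.data`, so the derived key copy appears to leak on every successful call. Adding `free(enc_key.data);` before `return 0;` would restore the release while keeping the single free in `out_err`. Because the buffer holds key material, clearing it before the free on both paths (for example with `explicit_bzero()` where available) is worth considering. The allocation of `enc_key.data` is outside the visible lines, so the leak is inferred from this hunk alone.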
strcat(message_buf, "...\n");
goto printit;
}
strcat(message_buf, "...\n");
goto printit;
}
- if (message_buf[strlen(message_buf) - 1] == '\n')
+ buf_used = strlen(message_buf);
+ if (buf_used > 0 && message_buf[buf_used - 1] == '\n')
goto printit;
return;
printit:
goto printit;
return;
printit:
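Review bot: The truncation branch in the context lines still appends with `strcat(message_buf, "...\n")`, and nothing in this hunk shows that five bytes (marker plus terminator) remain in the 500-byte `message_buf` at that point. If the space is reserved where the available length is computed, a comment on the `strcat` such as `/* room for "...\n" is reserved when the available length is computed */` would make the invariant checkable. If it is not reserved, the append needs a bound. The declaration of `buf_used` and the start of the function are outside the hunk.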