From 2b6d2dda6b7eb2afb1df47df158b212abde2ef1c Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Sun, 21 Jan 2018 19:07:10 +0900
Subject: [PATCH 1/7] fs-util: use _cleanup_close_ attribute
The commit f14f1806e329fe92d01f15c22a384702f0cb4ae0 introduced CHASE_SAFE flag. When the flag is set, then `fd_parent` may not be properly closed. This sets `_cleanup_close_` attribute to `fd_parent`. Thus, now `fd_parent` is always closed properly.
---
 src/basic/fs-util.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/basic/fs-util.c b/src/basic/fs-util.c
index 4bf25e32e0..87d743b617 100644
--- a/src/basic/fs-util.c
+++ b/src/basic/fs-util.c
@@ -730,7 +730,7 @@ int chase_symlinks(const char *path, const char *original_root, unsigned flags,
 /* Two dots? Then chop off the last bit of what we already found out. */
 if (path_equal(first, "/..")) {
 _cleanup_free_ char *parent = NULL;
- int fd_parent = -1;
+ _cleanup_close_ int fd_parent = -1;
 /* If we already are at the top, then going up will not change anything. This is in-line with
 * how the kernel handles this. */
@@ -765,6 +765,7 @@ int chase_symlinks(const char *path, const char *original_root, unsigned flags,
 safe_close(fd);
 fd = fd_parent;
+ fd_parent = -1;
 continue;
 }
From b539437a056953cb0b537db4af61f1f1bf97ed44 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Sun, 21 Jan 2018 19:19:25 +0900
Subject: [PATCH 2/7] fs-util: chase_symlinks(): prevent double free
Fixes CID #1385316.
---
 src/basic/fs-util.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/basic/fs-util.c b/src/basic/fs-util.c
index 87d743b617..a8e50d4c78 100644
--- a/src/basic/fs-util.c
+++ b/src/basic/fs-util.c
@@ -834,8 +834,6 @@ int chase_symlinks(const char *path, const char *original_root, unsigned flags,
 if (fd < 0)
 return -errno;
- free(done);
-
 if (flags & CHASE_SAFE) {
 if (fstat(fd, &st) < 0)
 return -errno;
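Review bot: The hand-off `fd = fd_parent;` followed by the new `fd_parent = -1;` in the second hunk is now the only thing standing between the `_cleanup_close_` declaration in the first hunk and a double close of the descriptor that `fd` goes on to use, and nothing in the code marks that dependency. A one-line comment on the transfer, `/* fd takes over fd_parent; disarm the cleanup so it is not closed twice */`, would tell the next edit that the two lines must stay together. `fd` itself is evidently still released by hand (`safe_close(fd)` in the same hunk) rather than by a cleanup attribute, so it does not get the same protection; that is outside this commit's scope. chase_symlinks() begins and ends outside both hunks.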
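Review bot: Moving `free(done)` below the `CHASE_SAFE` block removes the double free on the `return -errno` paths, but `done` is left dangling between the `free()` and the reassignment that follows in the next hunk (`done = NULL` in the `isempty(root)` branch; the other branch is outside the hunk), so any early return added in that window brings the double free straight back. The double free the commit message refers to implies `done` has another owner, presumably a `_cleanup_free_` declaration above the hunk. Clearing the pointer at the point of release, `done = mfree(done);` (or `free(done); done = NULL;`), keeps that owner safe regardless of later edits; the same applies to the `+ free(done);` line in the following hunk.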
@@ -846,6 +844,8 @@ int chase_symlinks(const char *path, const char *original_root, unsigned flags,
 previous_stat = st;
 }
+ free(done);
+
 /* Note that we do not revalidate the root, we take it as is. */
 if (isempty(root))
 done = NULL;
From 1eeddba492bafbfc57a87a5012f15c8bd9867829 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Sun, 21 Jan 2018 19:27:27 +0900
Subject: [PATCH 3/7] sd-dhcp6-client: do not refer uninitialized variable
Fixes CID #1385308.
---
 src/libsystemd-network/sd-dhcp6-client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c
index f98a18268f..25b054e252 100644
--- a/src/libsystemd-network/sd-dhcp6-client.c
+++ b/src/libsystemd-network/sd-dhcp6-client.c
@@ -948,7 +948,7 @@ static int client_parse_message(
 pos += sizeof(*option) + optlen;
 }
- if (r < 0 || !clientid) {
+ if (!clientid) {
 log_dhcp6_client(client, "%s has incomplete options", dhcp6_message_type_to_string(message->type));
 return -EINVAL;
From 48eae2e480ad0097ca432e16070e2658670bb06a Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Sun, 21 Jan 2018 19:38:29 +0900
Subject: [PATCH 4/7] test-resolve: check return value
Closes CID #1385310.
---
 src/libsystemd/sd-resolve/test-resolve.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/libsystemd/sd-resolve/test-resolve.c b/src/libsystemd/sd-resolve/test-resolve.c
index 752eb15228..b728dee9dd 100644
--- a/src/libsystemd/sd-resolve/test-resolve.c
+++ b/src/libsystemd/sd-resolve/test-resolve.c
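Review bot: With `r` gone from the condition, `if (!clientid)` now expresses a protocol rule rather than error propagation, and nothing says so; a comment above the check such as `/* A Client Identifier option is mandatory in every server message we accept (RFC 3315); reject messages without one. */` would document why a missing option is a hard `-EINVAL`. If `r` is still assigned before the option loop and consumed later in client_parse_message(), that is outside the hunk and worth a second look, since the old condition suggests it was once meant to carry the loop's result. The function starts and ends outside the hunk.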
@@ -89,7 +89,9 @@ int main(int argc, char *argv[]) {
 assert_se(sd_resolve_default(&resolve) >= 0);
 /* Test a floating resolver query */
- sd_resolve_getaddrinfo(resolve, NULL, "redhat.com", "http", NULL, getaddrinfo_handler, NULL);
+ r = sd_resolve_getaddrinfo(resolve, NULL, "redhat.com", "http", NULL, getaddrinfo_handler, NULL);
+ if (r < 0)
+ log_error_errno(r, "sd_resolve_getaddrinfo(): %m");
 /* Make a name -> address query */
 r = sd_resolve_getaddrinfo(resolve, &q1, argc >= 2 ? argv[1] : "www.heise.de", NULL, &hints, getaddrinfo_handler, NULL);
From 7444956723aef43ef84da26b14b5ecd26cc7ae77 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Sun, 21 Jan 2018 22:25:37 +0900
Subject: [PATCH 5/7] fuzz: fix coding style
---
 src/fuzz/fuzz-main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/fuzz/fuzz-main.c b/src/fuzz/fuzz-main.c
index ca9abe9068..45e46907e2 100644
--- a/src/fuzz/fuzz-main.c
+++ b/src/fuzz/fuzz-main.c
@@ -44,7 +44,7 @@ int main(int argc, char **argv) {
 }
 printf("%s... ", name);
 fflush(stdout);
- (void)LLVMFuzzerTestOneInput((uint8_t*)buf, size);
+ (void) LLVMFuzzerTestOneInput((uint8_t*)buf, size);
 printf("ok\n");
 }
 return EXIT_SUCCESS;
From 0f3da640de23f59b215af143dbffdf570fb4662d Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Mon, 22 Jan 2018 09:55:38 +0900
Subject: [PATCH 6/7] fuzz: check return value
Closes CID #1385306 and #1385300.
---
 src/fuzz/fuzz-dns-packet.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/fuzz/fuzz-dns-packet.c b/src/fuzz/fuzz-dns-packet.c
index 3d8d79a42d..0f25081b22 100644
--- a/src/fuzz/fuzz-dns-packet.c
+++ b/src/fuzz/fuzz-dns-packet.c
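Review bot: The new check logs a failed floating query with `log_error_errno()` and then carries on, while `assert_se(sd_resolve_default(&resolve) >= 0)` just above aborts the test on failure; inside one test program the two styles read as an accidental inconsistency rather than a deliberate choice. If a submission failure here is meant to be tolerated (for instance because no handle waits on this query and its result is not part of what the test checks), a comment saying so would settle it; otherwise `assert_se(r >= 0);` would match the surrounding code and make the test actually fail. How the second query's `r` is handled is outside the hunk, and main() starts and ends outside it.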
@@ -21,23 +21,20 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
- int r;
 if (size > DNS_PACKET_SIZE_MAX)
 return 0;
- r = dns_packet_new(&p, DNS_PROTOCOL_DNS, 0, DNS_PACKET_SIZE_MAX);
- if (r < 0)
- return 0;
+ assert_se(dns_packet_new(&p, DNS_PROTOCOL_DNS, 0, DNS_PACKET_SIZE_MAX) >= 0);
 p->size = 0; /* by default append starts after the header, undo that */
- dns_packet_append_blob(p, data, size, NULL);
+ assert_se(dns_packet_append_blob(p, data, size, NULL) >= 0);
 if (size < DNS_PACKET_HEADER_SIZE) {
 /* make sure we pad the packet back up to the minimum header size */
- assert(p->allocated >= DNS_PACKET_HEADER_SIZE);
+ assert_se(p->allocated >= DNS_PACKET_HEADER_SIZE);
 memzero(DNS_PACKET_DATA(p) + size, DNS_PACKET_HEADER_SIZE - size);
 p->size = DNS_PACKET_HEADER_SIZE;
 }
- dns_packet_extract(p);
+ (void) dns_packet_extract(p);
 return 0;
 }
From db52db4afa8911516d86f14bba02214238bd6b91 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Mon, 22 Jan 2018 09:56:46 +0900
Subject: [PATCH 7/7] fuzz: cast to void when return value is ignored
---
 src/fuzz/fuzz-dhcp-server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/fuzz/fuzz-dhcp-server.c b/src/fuzz/fuzz-dhcp-server.c
index bdebb375df..ba903c7158 100644
--- a/src/fuzz/fuzz-dhcp-server.c
+++ b/src/fuzz/fuzz-dhcp-server.c
@@ -62,7 +62,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 server->bound_leases[pool_offset] = lease;
 assert_se(hashmap_put(server->leases_by_client_id, &lease->client_id, lease) >= 0);
- dhcp_server_handle_message(server, (DHCPMessage*)data, size);
+ (void) dhcp_server_handle_message(server, (DHCPMessage*)data, size);
 return 0;
 }
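Review bot: `assert_se(dns_packet_new(...) >= 0)` turns an allocation failure, which the removed lines used to skip with `return 0`, into an abort of the harness, so an out-of-memory condition under a fuzzer's allocation limits would surface as a crash that looks like a real finding. That may well be intended, since the allocation is of a fixed `DNS_PACKET_SIZE_MAX` and its failure says something about the harness rather than the input, but it deserves a comment on the line, e.g. `/* fixed-size allocation: failure here is a harness problem, not an input problem */`. The `(void) dns_packet_extract(p);` line is the right way to ignore the parse result, because only crashes and sanitizer reports matter to the harness; the function is shown in full.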
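Review bot: The `(void)` cast says the return of `dhcp_server_handle_message()` is ignored on purpose, but the `(DHCPMessage*)data` cast on the same line still silently discards the `const` of the fuzzer input buffer, so if the handler writes through the message pointer the harness is mutating the input it was handed. If the handler is read-only on the message, a comment on the line, `/* handler does not modify the message; only crashes and sanitizer reports matter here */`, would document both casts; if it may write, copying `data` into a writable buffer before the call would keep the harness honest. The same `(void)` pattern appears in the fuzz-dns-packet.c hunk above; LLVMFuzzerTestOneInput() starts outside this hunk.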