When nl_addr_parse() is called with "any" or "default", the
constructed address will have zero-length address data. This has the
side effect that a comparison with e.g. an address constructed from
"0.0.0.0/0" will fail, since their addresses have different lengths, even
if they should be equal.
Fix this by allocating an appropriate zeroed address for "any" and
"default", but do not for "none", since "none" implies no address.
Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
|
Signed-off-by: Volodymyr Bendiuga <volodymyr.bendiuga@westermo.com>
https://github.com/thom311/libnl/pull/319
|
https://github.com/thom311/libnl/pull/327
|
https://github.com/thom311/libnl/pull/324
Fixes: 5d6e43ebef12 ('lib/route: SRIOV Parse and Read support')
|
https://github.com/thom311/libnl/pull/325
|
https://github.com/thom311/libnl/pull/326
|
Signed-off-by: Magnus Öberg <magnus.oberg@westermo.se>
Signed-off-by: Volodymyr Bendiuga <volodymyr.bendiuga@gmail.com>
https://github.com/thom311/libnl/pull/317
|
The following API has been added:
rtnl_flower_set_ipv4_src
rtnl_flower_get_ipv4_src
rtnl_flower_set_ipv4_dst
rtnl_flower_get_ipv4_dst
Signed-off-by: Volodymyr Bendiuga <volodymyr.bendiuga@westermo.com>
https://github.com/thom311/libnl/pull/309
|
Signed-off-by: Volodymyr Bendiuga <volodymyr.bendiuga@westermo.com>
Fixes: ef46de143206 ('route/cls: add flower classifier')
https://github.com/thom311/libnl/pull/316
|
https://github.com/thom311/libnl/pull/314
|
Based-on-patch-by: Susant Sahani <susant@redhat.com>
https://src.fedoraproject.org/rpms/libnl3/pull-request/4
|
`make check` swallows the output, which is kinda important
to debug a problem. I guess, I could print the log file, but
it seems simpler to just run the test directly.
While at it, run it a few times. It's fast enough, and with
the randomization, it might actually hit a faulty code path.
|
https://bugzilla.redhat.com/show_bug.cgi?id=2081279
Fixes: b50be8fa869b ('rtnl/route: use cleanup attribute in "lib/route/route_obj.c"')
|
The cache ops needs to be included in a cloned link for link methods
to work as expected.
Signed-off-by: Jacques de Laval <Jacques.De.Laval@westermo.com>
https://github.com/thom311/libnl/pull/311
|
valgrind reported this memory leak to me in testing an application that
I'm building:
==1807969== 24 bytes in 1 blocks are definitely lost in loss record 2 of 12
==1807969== at 0x4849464: calloc (vg_replace_malloc.c:1328)
==1807969== by 0x160F2F: nl_addr_alloc (addr.c:184)
==1807969== by 0x160F2F: nl_addr_build (addr.c:215)
==1807969== by 0x15CEF1: xfrmnl_sa_parse (sa.c:693)
==1807969== by 0x18F95D: parse_sa (xfrm_monitor.c:82)
==1807969== by 0x18FC5A: parse_nlmsg (xfrm_monitor.c:170)
==1807969== by 0x18FC5A: xfrm_cb (xfrm_monitor.c:181)
==1807969== by 0x169D21: nl_cb_call (netlink.h:138)
==1807969== by 0x169D21: recvmsgs (nl.c:868)
==1807969== by 0x16A42C: nl_recvmsgs_report (nl.c:1051)
==1807969== by 0x16A42C: nl_recvmsgs (nl.c:1075)
==1807969== by 0x16A42C: nl_recvmsgs_default (nl.c:1089)
==1807969== by 0x18FD6F: monitor_xfrm (xfrm_monitor.c:233)
==1807969== by 0x49D8B19: start_thread (pthread_create.c:443)
==1807969== by 0x4A5C8F3: clone (clone.S:100)
When calling xfrmnl_sa_parse, we accidentally get a refcount of 2 on the
selector source and destination addresses. The nl_addr_build calls for
these addresses set the count to one, and the subsequent calls to
xfrmnl_sel_set_[s|d]addr increase the reference count to two.
One of the references is dropped when we call xfrmnl_sa_put, which calls
down through xfrmnl_sa_free_data->xfrmnl_sel_put->nl_addr_put(), but the
other reference count is leaked, leading to the above leak of both the
saddr and daddr pointers.
Not sure if this is the ideal fix, but it works for me, we just drop
the reference count incremented by the call to set_[s|d]addr.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
https://github.com/thom311/libnl/pull/312
|
https://github.com/thom311/libnl/pull/310
|
Error: UNINIT (CWE-457):
libnl-3.6.0/lib/xfrm/ae.c:377: var_decl: Declaring variable "ae_id" without initializer.
libnl-3.6.0/lib/xfrm/ae.c:402: uninit_use_in_call: Using uninitialized value "ae_id". Field "ae_id.flags" is uninitialized when calling "nlmsg_append".
# 400| return -NLE_NOMEM;
# 401|···
# 402|-> if (nlmsg_append(msg, &ae_id, sizeof(ae_id), NLMSG_ALIGNTO) < 0)
# 403| goto nla_put_failure;
# 404|···
Error: UNINIT (CWE-457):
libnl-3.6.0/lib/xfrm/ae.c:377: var_decl: Declaring variable "ae_id" without initializer.
libnl-3.6.0/lib/xfrm/ae.c:402: uninit_use_in_call: Using uninitialized value "ae_id". Field "ae_id.reqid" is uninitialized when calling "nlmsg_append".
# 400| return -NLE_NOMEM;
# 401|···
# 402|-> if (nlmsg_append(msg, &ae_id, sizeof(ae_id), NLMSG_ALIGNTO) < 0)
# 403| goto nla_put_failure;
# 404|···
Error: UNINIT (CWE-457):
libnl-3.6.0/lib/xfrm/ae.c:377: var_decl: Declaring variable "ae_id" without initializer.
libnl-3.6.0/lib/xfrm/ae.c:402: uninit_use_in_call: Using uninitialized value "ae_id". Field "ae_id.saddr" is uninitialized when calling "nlmsg_append".
# 400| return -NLE_NOMEM;
# 401|···
# 402|-> if (nlmsg_append(msg, &ae_id, sizeof(ae_id), NLMSG_ALIGNTO) < 0)
# 403| goto nla_put_failure;
# 404|···
|
Error: REVERSE_INULL (CWE-476):
libnl-3.6.0/lib/route/nexthop_encap.c:35: deref_ptr: Directly dereferencing pointer "rtnh_encap->ops".
libnl-3.6.0/lib/route/nexthop_encap.c:37: check_after_deref: Null-checking "rtnh_encap->ops" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
# 35| nh_encap_type2str(rtnh_encap->ops->encap_type));
# 36|···
# 37|-> if (rtnh_encap->ops && rtnh_encap->ops->dump)
# 38| rtnh_encap->ops->dump(rtnh_encap->priv, dp);
# 39| }
|
rtnl_qdisc_mqprio_set_*()
rtnl_qdisc_mqprio_set_priomap() would access the input array prio after
len.
Also these setters did the wrong argument checking (arguably, the caller
is not supposed to provide an invalid argument, so that part is less
severe).
Coverity:
Error: OVERRUN (CWE-119):
libnl-3.6.0/lib/route/qdisc/mqprio.c:363: cond_at_most: Checking "len / 2UL > 16UL" implies that "len" may be up to 33 on the false branch.
libnl-3.6.0/lib/route/qdisc/mqprio.c:366: overrun-buffer-arg: Overrunning array "mqprio->qm_count" of 32 bytes by passing it to a function which accesses it at byte offset 65 using argument "len * 2UL" (which evaluates to 66). [Note: The source code implementation of the function has been overridden by a builtin model.]
# 364| return -NLE_RANGE;
# 365|···
# 366|-> memcpy(mqprio->qm_count, count, len * sizeof(uint16_t));
# 367| memcpy(mqprio->qm_offset, offset, len * sizeof(uint16_t));
# 368| mqprio->qm_mask |= SCH_MQPRIO_ATTR_QUEUE;
Error: OVERRUN (CWE-119):
libnl-3.6.0/lib/route/qdisc/mqprio.c:363: cond_at_most: Checking "len / 2UL > 16UL" implies that "len" may be up to 33 on the false branch.
libnl-3.6.0/lib/route/qdisc/mqprio.c:367: overrun-buffer-arg: Overrunning array "mqprio->qm_offset" of 32 bytes by passing it to a function which accesses it at byte offset 65 using argument "len * 2UL" (which evaluates to 66). [Note: The source code implementation of the function has been overridden by a builtin model.]
# 365|···
# 366| memcpy(mqprio->qm_count, count, len * sizeof(uint16_t));
# 367|-> memcpy(mqprio->qm_offset, offset, len * sizeof(uint16_t));
# 368| mqprio->qm_mask |= SCH_MQPRIO_ATTR_QUEUE;
# 369|···
Error: OVERRUN (CWE-119):
libnl-3.6.0/lib/route/qdisc/mqprio.c:496: cond_at_most: Checking "len / 8UL > 16UL" implies that "len" may be up to 135 on the false branch.
libnl-3.6.0/lib/route/qdisc/mqprio.c:499: overrun-buffer-arg: Overrunning array "mqprio->qm_min_rate" of 128 bytes by passing it to a function which accesses it at byte offset 1079 using argument "len * 8UL" (which evaluates to 1080). [Note: The source code implementation of the function has been overridden by a builtin model.]
# 497| return -NLE_RANGE;
# 498|···
# 499|-> memcpy(mqprio->qm_min_rate, min, len * sizeof(uint64_t));
# 500| mqprio->qm_mask |= SCH_MQPRIO_ATTR_MIN_RATE;
# 501|···
Error: OVERRUN (CWE-119):
libnl-3.6.0/lib/route/qdisc/mqprio.c:545: cond_at_most: Checking "len / 8UL > 16UL" implies that "len" may be up to 135 on the false branch.
libnl-3.6.0/lib/route/qdisc/mqprio.c:548: overrun-buffer-arg: Overrunning array "mqprio->qm_max_rate" of 128 bytes by passing it to a function which accesses it at byte offset 1079 using argument "len * 8UL" (which evaluates to 1080). [Note: The source code implementation of the function has been overridden by a builtin model.]
# 546| return -NLE_RANGE;
# 547|···
# 548|-> memcpy(mqprio->qm_max_rate, max, len * sizeof(uint64_t));
# 549| mqprio->qm_mask |= SCH_MQPRIO_ATTR_MAX_RATE;
# 550|···
Fixes: 25cf1d39eded ('route:qdisc: add MQPRIO Qdisc'
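The unit mismatch in the Coverity report above (a bound tested as if `len` were bytes, a copy sized as if it were elements), as an added example that is not libnl's code. `struct mq_model`, the function names and the return codes are hypothetical; only the sizes (16 two-byte entries, 32 bytes) come from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_QUEUE 16 /* elements per array; 16 * 2 = 32 bytes as in the report */

/* Constructed stand-in for the qdisc state; not libnl's own struct. */
struct mq_model {
	uint16_t count[MAX_QUEUE];
	uint16_t offset[MAX_QUEUE];
};

/* The check quoted in the report, "len / 2UL > 16UL": it divides len as if
 * it were a byte count, but the copy multiplies it as an element count.
 * Returns 1 when the check lets len through. */
static int len_ok_flawed(size_t len)
{
	return !(len / sizeof(uint16_t) > MAX_QUEUE);
}

/* Bytes written past a MAX_QUEUE-element array by
 * memcpy(dst, src, len * sizeof(uint16_t)); 0 means the copy fits. */
static size_t overrun_bytes(size_t len)
{
	size_t want = len * sizeof(uint16_t);
	size_t have = sizeof(((struct mq_model *)0)->count);
	return want > have ? want - have : 0;
}

/* Setter whose bound is in the same unit as the copy (elements).
 * Return codes are hypothetical: 0 ok, -1 bad pointer, -2 out of range. */
static int set_queue_checked(struct mq_model *m, const uint16_t *count,
			     const uint16_t *offset, size_t len)
{
	if (!m || !count || !offset)
		return -1;
	if (len > MAX_QUEUE)
		return -2;
	memcpy(m->count, count, len * sizeof(uint16_t));
	memcpy(m->offset, offset, len * sizeof(uint16_t));
	return 0;
}

int main(void)
{
	struct mq_model m;
	uint16_t src[MAX_QUEUE + 1] = {0}; /* constructed input */
	for (size_t len = 15; len <= 34; len++)
		printf("len=%2zu flawed_ok=%d overrun=%zu bytes\n",
		       len, len_ok_flawed(len), overrun_bytes(len));
	printf("checked setter, len=17: %d\n",
	       set_queue_checked(&m, src, src, MAX_QUEUE + 1));
	return 0;
}
```

The flawed check accepts every `len` up to 33, and at 33 the copy runs 34 bytes past the 32-byte array, which is the byte offset 65 the report names.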
|
Coverity:
Error: OVERRUN (CWE-119):
libnl-3.6.0/lib/route/link/sriov.c:653: overrun-buffer-arg: Overrunning array "stb" of 6 8-byte elements by passing it to a function which accesses it at element index 8 (byte offset 71) u
# 651|···
# 652| if (t[IFLA_VF_STATS]) {
# 653|-> err = nla_parse_nested(stb, IFLA_VF_STATS_MAX,
# 654| t[IFLA_VF_STATS],
# 655| sriov_stats_policy);
Fixes: 5d6e43ebef12 ('lib/route: SRIOV Parse and Read support')
|
Coverity thinks that we can bitshift by a negative number:
Error: BAD_SHIFT (CWE-682):
libnl-3.6.0/lib/socket.c:69: return_constant: Function call "time(NULL)" may return -1.
libnl-3.6.0/lib/socket.c:69: assignment: Assigning: "t" = "time(NULL)". The value of "t" is now 4294967295.
libnl-3.6.0/lib/socket.c:73: assignment: Assigning: "idx_state" = "t ^ (t >> 16) ^ 0x3047U". The value of "idx_state" is now 12359.
libnl-3.6.0/lib/socket.c:78: assignment: Assigning: "n" = "idx_state". The value of "n" is now -53177.
libnl-3.6.0/lib/socket.c:94: assignment: Assigning: "n" = "(n + 13) % 32". The value of "n" is now -12.
libnl-3.6.0/lib/socket.c:95: negative_shift: In expression "used_ports_map[i] >> n", shifting by a negative amount has undefined behavior. The shift amount, "n", is -12.
# 93| for (m = 0; m < 32; m++) {
# 94| n = (n + 13) % 32;
# 95|-> if (1UL & (used_ports_map[i] >> n))
# 96| continue;
# 97|···
Error: BAD_SHIFT (CWE-682):
libnl-3.6.0/lib/socket.c:69: return_constant: Function call "time(NULL)" may return -1.
libnl-3.6.0/lib/socket.c:69: assignment: Assigning: "t" = "time(NULL)". The value of "t" is now 4294967295.
libnl-3.6.0/lib/socket.c:73: assignment: Assigning: "idx_state" = "t ^ (t >> 16) ^ 0x3047U". The value of "idx_state" is now 12359.
libnl-3.6.0/lib/socket.c:78: assignment: Assigning: "n" = "idx_state". The value of "n" is now -53177.
libnl-3.6.0/lib/socket.c:94: assignment: Assigning: "n" = "(n + 13) % 32". The value of "n" is now -12.
libnl-3.6.0/lib/socket.c:98: negative_shift: In expression "1UL << n", shifting by a negative amount has undefined behavior. The shift amount, "n", is -12.
# 96| continue;
# 97|···
# 98|-> used_ports_map[i] |= (1UL << n);
# 99| n += (i * 32);
# 100|···
I don't see how that can happen. "n" was type int (32 bit, in practice),
but was initialized from an uint16_t (idx_state). Thus the number is positive
and small. Then we keep adding small numbers and modulo 32.
Anyway, try to silence the warning by using unsigned.
|
While at it, avoid global variables.
Coverity also warned at this place, though the warning from
coverity was bogus:
Error: STRING_OVERFLOW (CWE-120):
libnl-3.6.0/src/nl-pktloc-lookup.c:72: fixed_size_dest: You might overrun the 16-character fixed-size string "buf" by copying "align_txt[loc->align]" without checking the length.
# 70|···
# 71| if (loc->align <= 4)
# 72|-> strcpy(buf, align_txt[loc->align]);
# 73| else
# 74| snprintf(buf, sizeof(buf), "%u", loc->align);
|
Error: SIZEOF_MISMATCH (CWE-398):
libnl-3.6.0/lib/route/link/sriov.c:125: suspicious_sizeof: Passing argument "dst_vlan_info" of type "nl_vf_vlan_info_t *" and argument "dst_vlans->size * 8UL /* sizeof (dst_vlan_info) */"
libnl-3.6.0/lib/route/link/sriov.c:125: remediation: Did you intend to use "sizeof (*dst_vlan_info)" instead of "sizeof (dst_vlan_info)"?
# 123| dst_vlan_info = dst_vlans->vlans;
# 124| memcpy(dst_vlans, src_vlans, sizeof(nl_vf_vlans_t));
# 125|-> memcpy(dst_vlan_info, src_vlan_info,
# 126| dst_vlans->size * sizeof(dst_vlan_info));
# 127| d_vf->vf_vlans = dst_vlans;
Fixes: a59cab6d0b0f ('lib/route: SRIOV Clone Support')
|
This was wrong. Also, coverity warns about the trailing % in the format
string.
Error: PRINTF_ARGS (CWE-475):
libnl-3.6.0/lib/route/qdisc/netem.c:164: format_error: Format string ended in the middle of specifier "%".
# 162|···
# 163| if (netem->qnm_mask & SCH_NETEM_ATTR_DELAY_CORR && netem->qnm_corr.nmc_delay > 0)
# 164|-> nl_dump(p, " %d%", netem->qnm_corr.nmc_delay);
# 165| }
# 166| }
|
The if statement was wrong and always true. Drop it,
the remaining code handles the cases of no flags already
correctly.
Error: DEADCODE (CWE-561):
libnl-3.6.0/lib/route/cls/u32.c:361: dead_error_condition: The condition "!(u->cu_mask & 0)" must be true.
libnl-3.6.0/lib/route/cls/u32.c:366: dead_error_line: Execution cannot reach this statement: "if (!(u->cu_mask & 0x20)) {...".
# 364| }
# 365|···
# 366|-> if (!(u->cu_mask & U32_ATTR_SELECTOR)) {
# 367| nl_dump(p, "no-selector");
# 368| } else {
|
CONSTANT_EXPRESSION_RESULT
Error: CONSTANT_EXPRESSION_RESULT (CWE-569):
libnl-3.6.0/lib/route/link/vrf.c:237: result_independent_of_operands: "id > RT_TABLE_MAX" is always false regardless of the values of its operands. This occurs as the logical operand of "i
# 235|···
# 236| IS_VRF_LINK_ASSERT(link);
# 237|-> if(id > VRF_TABLE_ID_MAX)
# 238| return -NLE_INVAL;
# 239|···
|
It's unclear to me, how to avoid this "leak". It's intentional, given the
existing API. Try to suppress the warning.
Error: RESOURCE_LEAK (CWE-772):
libnl-3.6.0/src/lib/utils.c:232: alloc_fn: Storage is returned from allocation function "dlopen".
libnl-3.6.0/src/lib/utils.c:232: var_assign: Assigning: "handle" = storage returned from "dlopen(path, 2)".
libnl-3.6.0/src/lib/utils.c:236: leaked_storage: Variable "handle" going out of scope leaks the storage it points to.
# 234| path, dlerror());
# 235| }
# 236|-> }
# 237| #else
# 238| nl_cli_fatal(ENOTSUP, "Unable to load module \"%s\": built without dynamic libraries support\n",
|
Coverity doesn't like this:
libnl-3.6.0/lib/route/link/ip6vti.c:209: invalid_type: Argument "ip6vti->remote" to format specifier "%#x" was expected to have type "unsigned int" but has type "struct in6_addr".
libnl-3.6.0/lib/route/link/ip6vti.c:201: invalid_type: Argument "ip6vti->local" to format specifier "%#x" was expected to have type "unsigned int" but has type "struct in6_addr".
libnl-3.6.0/lib/route/link/ip6gre.c:285: invalid_type: Argument "ip6gre->remote" to format specifier "%#x" was expected to have type "unsigned int" but has type "struct in6_addr".
libnl-3.6.0/lib/route/link/ip6gre.c:277: invalid_type: Argument "ip6gre->local" to format specifier "%#x" was expected to have type "unsigned int" but has type "struct in6_addr".
Coverity is right. But in practice, this code was unreachable
because there is no scenario when inet_ntop() will fail.
|
inet_ntop() is documented to fail, so we have various places
with pointless (and wrong) error checking. Well, it can fail
if we pass an unexpected address family (which we must not and
assert against that), or if we pass an invalid string buffer (which we
must not, and cannot meaningfully assert for that). So it can only fail
in case of a bug and there is no need for error checking.
Yes, libc could theoretically fail, but if it fails on such a function that
requires no memory allocation, then it really needs to be fixed.
|
I think the following warning is bogus. Still, warnings are annoying, so
let's try to workaround.
Error: CLANG_WARNING: [#def47]
libnl-3.6.0/lib/route/link.c:2566:11: warning[unix.Malloc]: Potential leak of memory pointed to by 'kind'
# 2564| if ( io->io_alloc
# 2565| && (err = io->io_alloc(link)) < 0)
# 2566|-> return err;
# 2567|
# 2568| link->l_info_ops = io;
|
Workaround coverity warnings like:
Error: CLANG_WARNING:
libnl-3.6.0/lib/netfilter/exp.c:428:7: warning[deadcode.DeadStores]: Although the value stored to 'err' is used in the enclosing expression, the value is never actually read from 'err'
# 426| }
# 427|···
# 428|-> if ((err = nfnl_exp_build_tuple(msg, exp, CTA_EXPECT_NAT)) < 0)
# 429| goto nla_put_failure;
# 430|···
|
Coverity says:
libnl-3.6.0/lib/route/mdb.c:198: check_return: Calling "nla_parse_nested" without checking return value (as is done elsewhere 43 out of 44 times).
|
Found by coverity:
libnl-3.6.0/lib/route/mdb.c:242: leaked_storage: Variable "entry" going out of scope leaks the storage it points to.
|
Found by coverity:
4. libnl-3.6.0/lib/route/mdb.c:198: overrun-buffer-arg: Overrunning array "db_attr" of 1 8-byte elements by passing it to a function which accesses it at element index 1 (byte offset 15) using argument "1".
Fixes: 0ec6c6c2f023 ('mdb: support bridge multicast database notification')