qemu-devel
From: Peter Maydell
Subject: Re: [Qemu-devel] why does our coverity-model.c g_strdup() say it is a size-sink?
Date: Thu, 14 Mar 2019 12:16:06 +0000

On Thu, 14 Mar 2019 at 11:23, Paolo Bonzini <address@hidden> wrote:
>
> On 14/03/19 11:51, Peter Maydell wrote:
> > Our coverity model of g_strdup() includes:
> >   __coverity_string_size_sink__(s);
> >
> > This seems to be causing Coverity to report false positives like
> > CID1399705 and 1399699 where we take a string from getenv() and
> > pass it to g_strdup(). The getenv() string is untrusted data of unknown
> > length, and g_strdup() being marked as a size-sink makes Coverity
> > think the function wants "a string of a particular size".
> >
> > Markus, you wrote this model initially -- can you remember why it's
> > marked as a size-sink? Unfortunately I can't find any documentation
> > online about what the coverity model annotation here means :-(
>
> I think it means that we don't want a g_strdup that can potentially do
> an unbounded allocation.

Mmm, that makes sense. So in this particular case, do we
want to try to avoid doing an unbounded allocation based
on whatever rubbish the user passed us in the environment,
or do we say "this particular case is OK" and mark it
as a false-positive?

Cc'ing Gerd since the Coverity issues in question are
in the audio code (in get_str() and in
audio_handle_legacy_opts()).

thanks
-- PMM



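As an added illustration of the first option Peter raises (bounding the allocation rather than marking the report a false positive), here is a length-checked duplicate of an environment string. This is example code written for this page, not code from the thread or from QEMU: the function names strdup_bounded and getenv_dup_bounded, the limit ENV_VALUE_MAX, and the variable name QEMU_EXAMPLE_VAR are all assumptions, and plain libc is used in place of glib's g_strdup() so the block builds stand-alone. The point it shows is that the copy's size is decided by a fixed bound, never by whatever length the caller found in the environment.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound for a value we are willing to copy out of the
 * environment; a real caller would pick a limit per option. */
#define ENV_VALUE_MAX 256

/* Length of s, scanning at most limit + 1 bytes. A result of limit + 1
 * means "longer than limit"; we never walk the whole of an arbitrarily
 * long string just to learn that it is too long. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;

    while (n <= limit && s[n] != '\0') {
        n++;
    }
    return n;
}

/* Duplicate s if it is at most max_len bytes long. Returns NULL when s is
 * NULL, longer than max_len, or malloc fails. Unlike a plain strdup(), the
 * allocation size can never exceed max_len + 1, whatever the input length.
 * The caller owns and frees the result. */
char *strdup_bounded(const char *s, size_t max_len)
{
    size_t len;
    char *copy;

    if (s == NULL) {
        return NULL;
    }
    len = bounded_len(s, max_len);
    if (len > max_len) {
        return NULL;   /* reject rather than silently truncate */
    }
    copy = malloc(len + 1);
    if (copy == NULL) {
        return NULL;
    }
    memcpy(copy, s, len);
    copy[len] = '\0';
    return copy;
}

/* Fetch an environment variable and copy it with the bound applied.
 * NULL means unset, too long, or out of memory; callers treat all three
 * as "no usable value". */
char *getenv_dup_bounded(const char *name, size_t max_len)
{
    return strdup_bounded(getenv(name), max_len);
}

int main(void)
{
    /* QEMU_EXAMPLE_VAR is a placeholder name chosen for this example. */
    char *v = getenv_dup_bounded("QEMU_EXAMPLE_VAR", ENV_VALUE_MAX);

    if (v == NULL) {
        printf("QEMU_EXAMPLE_VAR is unset, longer than %d bytes, or "
               "could not be copied\n", ENV_VALUE_MAX);
    } else {
        printf("QEMU_EXAMPLE_VAR=%s\n", v);
        free(v);
    }
    return 0;
}
```

Rejecting an over-long value outright, rather than truncating it, keeps the behaviour simple to reason about: either the option parser sees exactly what the user set, or it sees nothing. Whether that is the right policy for a given option, or whether the report should instead be dismissed as a false positive, is the question the thread leaves open.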