[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PULL 3/4] usb-mtp: prevent null dereference while dele
|
From: |
Bandan Das |
|
Subject: |
Re: [Qemu-devel] [PULL 3/4] usb-mtp: prevent null dereference while deleting objects |
|
Date: |
Fri, 08 Mar 2019 14:46:41 -0500 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) |
Peter Maydell <address@hidden> writes:
> On Thu, 7 Mar 2019 at 09:56, Gerd Hoffmann <address@hidden> wrote:
>>
>> From: Bandan Das <address@hidden>
>>
>> Spotted by Coverity: CID 1399144
>>
>> Signed-off-by: Bandan Das <address@hidden>
>> Message-id: address@hidden
>> Signed-off-by: Gerd Hoffmann <address@hidden>
>> ---
>> hw/usb/dev-mtp.c | 4 +---
>> 1 file changed, 1 insertion(+), 3 deletions(-)
>>
>> diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
>> index 1f22284949df..06e376bcd211 100644
>> --- a/hw/usb/dev-mtp.c
>> +++ b/hw/usb/dev-mtp.c
>> @@ -1177,9 +1177,7 @@ static int usb_mtp_deletefn(MTPState *s, MTPObject *o,
>> uint32_t trans)
>> usb_mtp_object_free_one(s, o);
>> success = true;
>> }
>> - }
>> -
>> - if (o->format == FMT_ASSOCIATION) {
>> + } else if (o->format == FMT_ASSOCIATION) {
>> if (rmdir(o->path)) {
>> partial_delete = true;
>> } else {
>> --
>
> Hi; following this change Coverity now complains (CID 1399414)
> about dead code later in the file:
>
> In this set of if/else clauses, either we
> set partial_delete to true, or we set success to
> true, but never both:
>
> if (o->format == FMT_UNDEFINED_OBJECT) {
> if (remove(o->path)) {
> partial_delete = true;
> } else {
> usb_mtp_object_free_one(s, o);
> success = true;
> }
> } else if (o->format == FMT_ASSOCIATION) {
> if (rmdir(o->path)) {
> partial_delete = true;
> } else {
> usb_mtp_object_free_one(s, o);
> success = true;
> }
> }
>
> and so here:
>
> if (success && partial_delete) {
> return PARTIAL_DELETE;
> }
>
> the condition can never be true and the code inside
> the if () {} is dead.
>
> When is the routine intended to return the PARTIAL_DELETE
> return value ?
>
This is very broken! I think something like this should work:
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 06e376bcd2..87a4bfb415 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1138,8 +1138,8 @@ static MTPData *usb_mtp_get_object_prop_value(MTPState
*s, MTPControl *c,
/* Return correct return code for a delete event */
enum {
ALL_DELETE,
- PARTIAL_DELETE,
READ_ONLY,
+ PARTIAL_DELETE,
};
/* Assumes that children, if any, have been already freed */
@@ -1155,8 +1155,7 @@ static void usb_mtp_object_free_one(MTPState *s,
MTPObject *o)
static int usb_mtp_deletefn(MTPState *s, MTPObject *o, uint32_t trans)
{
MTPObject *iter, *iter2;
- bool partial_delete = false;
- bool success = false;
+ int ret = 0;
/*
* TODO: Add support for Protection Status
@@ -1165,34 +1164,28 @@ static int usb_mtp_deletefn(MTPState *s, MTPObject *o,
uint32_t trans)
QLIST_FOREACH(iter, &o->children, list) {
if (iter->format == FMT_ASSOCIATION) {
QLIST_FOREACH(iter2, &iter->children, list) {
- usb_mtp_deletefn(s, iter2, trans);
+ ret |= usb_mtp_deletefn(s, iter2, trans);
}
}
}
if (o->format == FMT_UNDEFINED_OBJECT) {
if (remove(o->path)) {
- partial_delete = true;
+ ret |= READ_ONLY;
} else {
usb_mtp_object_free_one(s, o);
- success = true;
+ ret |= ALL_DELETE;
}
} else if (o->format == FMT_ASSOCIATION) {
if (rmdir(o->path)) {
- partial_delete = true;
+ ret |= READ_ONLY;
} else {
usb_mtp_object_free_one(s, o);
- success = true;
+ ret |= ALL_DELETE;
}
}
- if (success && partial_delete) {
- return PARTIAL_DELETE;
- }
- if (!success && partial_delete) {
- return READ_ONLY;
- }
- return ALL_DELETE;
+ return ret;
}
static void usb_mtp_object_delete(MTPState *s, uint32_t handle,
I will test this and send a patch...
Bandan
> thanks
> -- PMM
- [Qemu-devel] [PULL 0/4] Usb 20190307 patches, Gerd Hoffmann, 2019/03/07
- [Qemu-devel] [PULL 1/4] usb-mtp: return incomplete transfer on a lstat failure, Gerd Hoffmann, 2019/03/07
- [Qemu-devel] [PULL 4/4] Introduce new "no_guest_reset" parameter for usb-host device, Gerd Hoffmann, 2019/03/07
- [Qemu-devel] [PULL 2/4] usb-mtp: fix some usb_mtp_write_data return paths, Gerd Hoffmann, 2019/03/07
- [Qemu-devel] [PULL 3/4] usb-mtp: prevent null dereference while deleting objects, Gerd Hoffmann, 2019/03/07
- Re: [Qemu-devel] [PULL 3/4] usb-mtp: prevent null dereference while deleting objects, Peter Maydell, 2019/03/08
- Re: [Qemu-devel] [PULL 3/4] usb-mtp: prevent null dereference while deleting objects,
Bandan Das <=
- [Qemu-devel] [PATCH] usb-mtp: fix return status of delete, Bandan Das, 2019/03/08
- Re: [Qemu-devel] [PATCH] usb-mtp: fix return status of delete, Peter Maydell, 2019/03/09
- Re: [Qemu-devel] [PATCH] usb-mtp: fix return status of delete, Bandan Das, 2019/03/11
- Re: [Qemu-devel] [PATCH] usb-mtp: fix return status of delete, Peter Maydell, 2019/03/11
- Re: [Qemu-devel] [PATCH] usb-mtp: fix return status of delete, Bandan Das, 2019/03/11
- Re: [Qemu-devel] [PATCH] usb-mtp: fix return status of delete, Peter Maydell, 2019/03/11
- Re: [Qemu-devel] [PATCH] usb-mtp: fix return status of delete, Bandan Das, 2019/03/11
- Re: [Qemu-devel] [PATCH] usb-mtp: fix return status of delete, Peter Maydell, 2019/03/11
- Re: [Qemu-devel] [PATCH] usb-mtp: fix return status of delete, Bandan Das, 2019/03/11
- Re: [Qemu-devel] [PATCH] usb-mtp: fix return status of delete, Peter Maydell, 2019/03/11