RDKB-64588: High impact coverity issues in utopia#293
RDKB-64588: High impact coverity issues in utopia#293abhishek-kumaracee2 wants to merge 5 commits intodevelopfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This PR addresses high-impact Coverity findings across the “utopia” codebase by tightening string parsing and improving memory cleanup to prevent buffer overruns and leaks.
Changes:
- Fix potential stack buffer overflows by right-sizing local buffers used with bounded
sscanfformat widths. - Prevent a memory leak in
gen_dibbler_conf()by freeingdhcpv6s_pool_cfg.optson early-continue paths. - Reduce
sscanffield width inulog_GetProcId()to match the actual destination buffer size.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| source/utapi/lib/utapi.c | Adjusts port-range token buffers to correctly accommodate sscanf bounds plus NUL terminator. |
| source/ulog/ulog.c | Fixes potential overflow by bounding %s to the actual ULOG_STR_SIZE buffer. |
| source/service_ipv6/service_ipv6.c | Frees DHCPv6 pool options before continuing when a pool is disabled/invalid to avoid leaks. |
| source/firewall/firewall.c | Enlarges token/IP/MAC buffers by 1 byte to safely fit bounded sscanf reads plus NUL terminator. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| sscanf(buf, "%*d (%63s", str); | ||
|
|
||
| len = strlen(str); |
There was a problem hiding this comment.
sscanf(buf, "%*d (%63s", str); ignores the return value and str is not initialized beforehand. If parsing fails (unexpected /proc/<pid>/stat format), strlen(str) is undefined behavior. Initialize str[0] = '\0' and check that sscanf returns 1 (or switch to a scanset like %63[^)] to read up to ) safely) and return an error if parsing fails.
apattu200
left a comment
apattu200
left a comment
There was a problem hiding this comment.
Looks ok to me.
@snayak002c Can you also please review once
abhishek-kumaracee2
force-pushed
the
topic/RDKB-64588
branch
from
a073c16 to
08624da
Compare
| // FIREWALL_DEBUG("Entering *make_substitutions\n"); | ||
| while (in_str_p < in_str_end && out_str_p < out_str_end) { | ||
| char token[50]; | ||
| char token[51]; |
There was a problem hiding this comment.
Avoid hardcoding the buffer size in the format string, use a macro-based approach instead
char sport[TOKEN_MAX_LEN + 1]
| char ip[20]; | ||
| char mac[20]; | ||
| char ip[21]; | ||
| char mac[21]; |
|
|
||
| Utopia_GetIndexed2(ctx, UtopiaValue_IAP_BlockPortRange, index, i+1, buf, sizeof(buf)); | ||
| char sport[10], eport[10]; | ||
| char sport[11], eport[11]; |
There was a problem hiding this comment.
same as above comments, avoid hard coding of the values.
Reason for change: Fix high impact coverity issues Test Procedure: NA Risks: Low Priority: P1 Signed-off-by: abhishek_kumaracee2@comcast.com
abhishek-kumaracee2
force-pushed
the
topic/RDKB-64588
branch
from
08624da to
1f644f8
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| char ip[BUFLEN_20 + 1]; | ||
| char mac[BUFLEN_20 + 1]; | ||
| sscanf(buf, "%20s %20s", ip, mac); | ||
| fprintf(fp, "-A host_detect -i %s -s %s -j RETURN\n", lan_ifname, ip); |
There was a problem hiding this comment.
sscanf(buf, "%20s %20s", ip, mac) return value is not checked and ip/mac are not initialized. If a line is malformed, ip may contain garbage and get written into iptables rules. Initialize the buffers and continue unless sscanf returns 2.
| char ip[BUFLEN_20 + 1]; | |
| char mac[BUFLEN_20 + 1]; | |
| sscanf(buf, "%20s %20s", ip, mac); | |
| fprintf(fp, "-A host_detect -i %s -s %s -j RETURN\n", lan_ifname, ip); | |
| char ip[BUFLEN_20 + 1] = {0}; | |
| char mac[BUFLEN_20 + 1] = {0}; | |
| if (sscanf(buf, "%20s %20s", ip, mac) != 2) { | |
| continue; | |
| } | |
| fprintf(fp, "-A host_detect -i %s -s %s -j RETURN\n", lan_ifname, ip); |
| char sport[BUFLEN_10 + 1], eport[BUFLEN_10 + 1]; | ||
| if (2 == (sscanf(buf, "%10s %10s", sport, eport))) { | ||
| app[j].port.start = atoi(sport); |
There was a problem hiding this comment.
BUFLEN_10 is introduced for the port token buffer sizing, but the sscanf width remains hard-coded as %10s. This is easy to desynchronize (and would reintroduce the overflow that this change is trying to prevent). Consider deriving the width from BUFLEN_10 via a stringified macro, or keep a single shared constant for both buffer size and scan width.
| char ip[BUFLEN_20 + 1]; | ||
| char mac[BUFLEN_20 + 1]; | ||
| sscanf(buf, "%20s %20s", ip, mac); | ||
| fprintf(fp, "-A host_detect -i %s -s %s -j RETURN\n", lan_ifname, ip); |
There was a problem hiding this comment.
BUFLEN_20 is introduced for the ip/mac buffers, but the scan widths are still hard-coded as "%20s". Consider tying the scan width to BUFLEN_20 (stringified macro) so future changes to the constant can't silently reintroduce a buffer sizing mismatch.
| sscanf(buf, "%*d (%63s", str); | ||
|
|
There was a problem hiding this comment.
The sscanf width is hard-coded as 63, which implicitly depends on ULOG_STR_SIZE being 64. To avoid future desynchronization, consider using ULOG_STR_SIZE - 1 to define the scan width (via a stringified macro) so the bound stays correct if ULOG_STR_SIZE changes.
| sscanf(buf, "%*d (%63s", str); | ||
|
|
||
| len = strlen(str); |
There was a problem hiding this comment.
sscanf() return value is not checked and str is not initialized. If parsing /proc/<pid>/stat fails, strlen(str) will read uninitialized data (undefined behavior). Initialize str[0] = '\0' and verify sscanf(...) returns 1 before using str (otherwise return an error).
| char token[TOKEN_MAX_LEN + 1]; | ||
| if ('$' == *in_str_p) { | ||
| sscanf(in_str_p, "%50s", token); | ||
| in_str_p += strlen(token); |
There was a problem hiding this comment.
TOKEN_MAX_LEN is introduced for buffer sizing, but the scan width is still hard-coded as "%50s". This couples the format string to the macro value and is easy to desync in the future (reintroducing the overflow). Consider deriving the scan width from TOKEN_MAX_LEN (e.g., via a stringified macro) or keep a single source of truth for both.
Reason for change: Fix high impact coverity issues Test Procedure: NA Risks: Low Priority: P1 Signed-off-by: abhishek_kumaracee2@comcast.com
… into topic/RDKB-64588
Reason for change: Fix high impact coverity issues Test Procedure: NA Risks: Low Priority: P1 Signed-off-by: abhishek_kumaracee2@comcast.com
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Reason for change: Fix high impact coverity issues
Test Procedure: NA
Risks: Low
Priority: P1
Signed-off-by: abhishek_kumaracee2@comcast.com