Returning automatic variable buffer from a function
Testing, NormalPublic


The commit ff7d01fc6d396fc3b8d37baa9bd4cdebc8853648 and the equivalent on master introduced a bug where a pointer to automatic buffer is returned from the function where it is declared.

Found by inspection of a Coverity scan.

t8m created this task.May 4 2020, 11:36 AM
werner assigned this task to gniibe.May 4 2020, 3:06 PM
werner added subscribers: gniibe, werner.

@gniibe, will you be so kind and look into this?

aheinecke triaged this task as Normal priority.May 8 2020, 11:43 AM
aheinecke added a subscriber: aheinecke.

I'm giving this an initial priority of "Normal" so that it's out of the triage list.

Could you please show more information, a specific point of the bug?
I can't locate any place where a function returns a pointer to automatic buffer.

Possibly, it would be dns_p_init which was caught. If so, it's false positive; It returns a pointer given to the function (which is automatic variable of parent function), but it is valid within the scope of parent function.

t8m added a comment.EditedMay 20 2020, 9:56 AM

I have to disagree. Unless I am completely confused the modified functions use automatic buffer variable and then basically return it.

For example let's look at the dns_strsection():

You have _dns automatic char array. You create a struct dns_buf with it as the base pointer. Then you manipulate the data in the dns_buf and when returning you return dns_b_tostring(&dst); which just returns the base pointer at the end. Which is pointer to the automatic char array _dns.

Sorry, I was reading the next commit (libdns: Avoid using compound literals (3)).

gniibe changed the task status from Open to Testing.May 21 2020, 7:39 AM
gniibe added projects: Testing, dirmngr.

Fixed in master and applied to 2.2 branch too.