The commit ff7d01fc6d396fc3b8d37baa9bd4cdebc8853648 and the equivalent on master introduced a bug where a pointer to an automatic buffer is returned from the function in which it is declared.
Found by inspection of a Coverity scan.
rG GnuPG
rGab724d3206c8 dirmngr: dns: Fix allocation of string buffer in stack.
rG30eef28bc0f5 dirmngr: dns: Fix allocation of string buffer in stack.
Could you please show more information, a specific point of the bug?
I can't locate any place where a function returns a pointer to an automatic buffer.
Possibly, it would be dns_p_init which was caught. If so, it's a false positive; it returns a pointer given to the function (which is an automatic variable of the parent function), but it is valid within the scope of the parent function.
I have to disagree. Unless I am completely confused, the modified functions use an automatic buffer variable and then basically return it.
For example, let's look at dns_strsection():
You have the _dns automatic char array. You create a struct dns_buf with it as the base pointer. Then you manipulate the data in the dns_buf and, when returning, you return dns_b_tostring(&dst), which just returns the base pointer at the end, which is a pointer to the automatic char array _dns.
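The pattern described in the comment above, as a constructed C example added here (not the project's dns.c; the dns_buf stand-in, DNS_B_INTO macro and strsection_* names are simplified assumptions): the buggy form hands back storage that dies with the function, while the fixed form writes into a buffer the caller owns.

```c
#include <stddef.h>
#include <string.h>
/* Stand-in for the thread's string buffer (constructed; not the real dns_buf). */
struct dns_buf {
    unsigned char *base;   /* start of the storage we write into */
    unsigned char *p;      /* write cursor */
    unsigned char *pe;     /* one past the end of the storage */
};

/* Point a dns_buf at caller-chosen storage (simplified assumption). */
#define DNS_B_INTO(buf, len) { (unsigned char *)(buf), (unsigned char *)(buf), (unsigned char *)(buf) + (len) }

static void dns_b_puts(struct dns_buf *b, const char *s)
{
    while (*s && b->p < b->pe - 1)   /* keep one byte for the NUL */
        *b->p++ = (unsigned char)*s++;
}

static const char *dns_b_tostring(struct dns_buf *b)
{
    *b->p = '\0';                    /* terminate in place */
    return (const char *)b->base;    /* hands back whatever base points at */
}

/* Buggy shape: storage is the local array _dns, so the pointer dangles on return. */
const char *strsection_buggy(int section)
{
    char _dns[32];
    struct dns_buf dst = DNS_B_INTO(_dns, sizeof _dns);
    dns_b_puts(&dst, section == 0 ? "QUESTION" : "ANSWER");
    return dns_b_tostring(&dst);     /* points into _dns: reading it later is UB */
}

/* Fixed shape: the caller owns the storage, so the pointer outlives this call. */
const char *strsection_fixed(int section, char *buf, size_t lim)
{
    struct dns_buf dst = DNS_B_INTO(buf, lim);
    dns_b_puts(&dst, section == 0 ? "QUESTION" : "ANSWER");
    return dns_b_tostring(&dst);     /* points into buf, still valid for the caller */
}
/* Returns 1 when results live in the caller's buffers and truncation is NUL-terminated. */
int check_fixed(void)
{
    char big[32], small[4];
    const char *s = strsection_fixed(0, big, sizeof big);
    const char *t = strsection_fixed(1, small, sizeof small);
    return s == big && strcmp(s, "QUESTION") == 0
        && t == small && strcmp(t, "ANS") == 0;
}
```

Only strsection_fixed is exercised; calling strsection_buggy and reading its result would itself be the use-after-return the scan flags.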