From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andrew Cooper
Subject: Re: False positive coverity bug id: 1351218
Date: Thu, 18 Feb 2016 15:49:58 +0000
Message-ID: <56C5E826.4050700@citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aWQqA-000339-N7 for xen-devel@lists.xenproject.org; Thu, 18 Feb 2016 15:50:02 +0000
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Harmandeep Kaur, xen-devel@lists.xenproject.org, Dario Faggioli, Konrad Rzeszutek Wilk, ian.jackson@eu.citrix.com, Stefano Stabellini, Ian Campbell, Wei Liu
List-Id: xen-devel@lists.xenproject.org

On 18/02/16 15:36, Harmandeep Kaur wrote:
> This is about a Coverity bug (included in the end), which I think is
> a false positive. I don't think pagesize can be zero in any case.
>
> pagesize = 1 << (((flags >> TMEM_POOL_PAGESIZE_SHIFT) &
> TMEM_POOL_PAGESIZE_MASK) + 12);
>
> Which means "pagesize > bufsize" will always be true and buf cannot
> be null in any case if it reaches line 464 (or the call may terminate
> if realloc(..) returns NULL).

I would agree that given the "1 <<", pagesize will always be larger than 0, and therefore call realloc().

However, every iteration of the "while ( read_exact(io_fd, &pool_id, sizeof(pool_id)) == 0 && pool_id != -1 )" loop leaks buf, as do most of the error paths.

This function is currently orphaned code (since Xen 4.6), and in need of some re-development before it can be used again. I wouldn't worry too much about fixing it up.

~Andrew
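Added example, not part of the thread and not Xen's tmem restore code: a self-contained C model of the two points above. `pagesize_from_flags` reproduces the `1 << (k + 12)` derivation to show the result can never be 0 (so the "buf may be NULL" finding is indeed a false positive), and two hypothetical loop shapes over a constructed record stream show the real defect Andrew points at: a per-iteration buffer that is never released versus one buffer hoisted out of the loop and freed on every exit path. The shift/mask constants, the record layout, the `tracked_*` allocator wrappers and both `restore_pools_*` functions are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical flag encoding; the thread does not give the real shift/mask. */
#define POOL_PAGESIZE_SHIFT 4
#define POOL_PAGESIZE_MASK  0xf

/* Allocation bookkeeping so the outcome of each loop shape can be measured. */
static int live_allocs;

static void *tracked_realloc(void *p, size_t n)
{
    void *q = realloc(p, n);
    if (q && !p)            /* realloc(NULL, n) is a fresh allocation */
        live_allocs++;
    return q;               /* on failure the old block stays live and owned */
}

static void tracked_free(void *p)
{
    if (p) {
        free(p);
        live_allocs--;
    }
}

/* Same derivation as the quoted snippet: the field is 0..15, so the shift is
 * 12..27 and the result is always a non-zero power of two. */
static size_t pagesize_from_flags(uint32_t flags)
{
    return (size_t)1 << (((flags >> POOL_PAGESIZE_SHIFT) & POOL_PAGESIZE_MASK) + 12);
}

/* Constructed stand-in for the records read from io_fd, terminated by -1. */
struct record { int64_t pool_id; uint32_t flags; };
static const struct record sample_stream[] = {
    {  1, 0u << POOL_PAGESIZE_SHIFT },
    {  2, 3u << POOL_PAGESIZE_SHIFT },
    {  3, 1u << POOL_PAGESIZE_SHIFT },
    { -1, 0 },
};

/* Leaky shape (hypothetical): buf is owned per iteration and never freed, so
 * each pool's buffer is lost, and the realloc failure path drops it as well. */
static int restore_pools_leaky(const struct record *s)
{
    for (; s->pool_id != -1; s++) {
        void *buf = NULL;
        size_t bufsize = 0;
        size_t pagesize = pagesize_from_flags(s->flags);
        if (pagesize > bufsize) {       /* always true here: bufsize is 0 */
            void *tmp = tracked_realloc(buf, pagesize);
            if (!tmp)
                return -1;              /* error path: buf leaks too */
            buf = tmp;
            bufsize = pagesize;
        }
        /* ... pages for this pool would be read into buf here ... */
    }
    return 0;
}

/* Fixed shape: one buffer grown across iterations, released on every exit. */
static int restore_pools_fixed(const struct record *s)
{
    void *buf = NULL;
    size_t bufsize = 0;
    int rc = -1;
    for (; s->pool_id != -1; s++) {
        size_t pagesize = pagesize_from_flags(s->flags);
        if (pagesize > bufsize) {
            void *tmp = tracked_realloc(buf, pagesize);
            if (!tmp)
                goto out;               /* buf is still valid; freed below */
            buf = tmp;
            bufsize = pagesize;
        }
    }
    rc = 0;
out:
    tracked_free(buf);
    return rc;
}

/* Runs one loop shape over the sample stream and reports leaked blocks. */
static int leaked_after(int (*fn)(const struct record *))
{
    live_allocs = 0;
    fn(sample_stream);
    return live_allocs;
}

int main(void)
{
    printf("pagesize for flags=0: %zu\n", pagesize_from_flags(0));
    printf("leaked by leaky loop: %d\n", leaked_after(restore_pools_leaky));
    printf("leaked by fixed loop: %d\n", leaked_after(restore_pools_fixed));
    return 0;
}
```

The allocation counter is the same check a leak detector (Valgrind, ASan's LeakSanitizer) would make at exit; the point of the fixed shape is that a single owner for `buf`, plus one `out:` label, covers the loop exit and every error path at once.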