[tor-bugs] #21971 [Core Tor/Tor]: Coverity issues in HS circuitmap unittests

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 17 12:59:36 UTC 2017 

#21971: Coverity issues in HS circuitmap unittests
------------------------------+-------------------------------------
     Reporter:  asn           |      Owner:
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.3.1.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  tor-hs prop224 coverity
Actual Points:                |  Parent ID:
       Points:  0.3           |   Reviewer:
      Sponsor:  SponsorR-can  |
------------------------------+-------------------------------------
 We got two reports from coverity about the HS circuitmap unittests
 (#21889) which were merged in 0.3.1.

 First one:
 {{{
 *** CID 1405129:    (NEGATIVE_RETURNS)
 /src/test/test_hs_intropoint.c: 780 in test_received_introduce1_handling()
 774       }
 775
 776       /* Valid case. */
 777       {
 778         cell = helper_create_introduce1_cell();
 779         ssize_t request_len = trn_cell_introduce1_encoded_len(cell);
 >>>     CID 1405129:    (NEGATIVE_RETURNS)
 >>>     Assigning: unsigned variable "print_" = "print1_".
 780         tt_size_op(request_len, OP_GT, 0);
 }}}
 which is caused because we use `tt_size_op` to compare a `ssize_t`.


 ----

 {{{
 *** CID 1405130:    (REVERSE_INULL)
 /src/test/test_circuitlist.c: 440 in test_hs_circuitmap_isolation()
 434          * that token. */
 435         tt_ptr_op(circ4, OP_EQ,
 436                   hs_circuitmap_get_intro_circ_v2_service_side(tok2));
 437       }
 438
 439      done:
 >>>     CID 1405130:    (REVERSE_INULL)
 >>>     Null-checking "circ1" suggests that it may be null, but it has
 already been dereferenced on all paths leading to the check.
 440       if (circ1)
 441         circuit_free(TO_CIRCUIT(circ1));
 }}}

 which I think is caused because we NULL check `circ1`, even tho previous
 code is dereferencing it without any checks. Not sure what the right fix
 is here; perhaps we dont really need to NULL check it, and we can add a
 `tt_assert(circ1)` on the top as well.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21971>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list