Juraj Vijtiuk [Sun, 12 Jan 2020 11:26:18 +0000 (12:26 +0100)]
blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes
Fix out of bounds read in blobmsg_parse and blobmsg_check_name. The
out of bounds read happens because blob_attr and blobmsg_hdr have
flexible array members, whose size is 0 in the corresponding sizeofs.
For example the __blob_for_each_attr macro checks whether rem >=
sizeof(struct blob_attr). However, what LibFuzzer discovered was,
if the input data was only 4 bytes, the data would be casted to blob_attr,
and later on blob_data(attr) would be called even though attr->data was empty.
The same issue could appear with data larger than 4 bytes, where data
wasn't empty, but contained only the start of the blobmsg_hdr struct,
and blobmsg_hdr name was empty. The bugs were discovered by fuzzing
blobmsg_parse and blobmsg_array_parse with LibFuzzer.
CC: Luka Perkov <luka.perkov@sartura.hr>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
[refactored some checks, added fuzz inputs, adjusted unit test results]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Sat, 18 Jan 2020 17:32:55 +0000 (18:32 +0100)]
tests: prefer dynamically allocated buffers
Help detecting Valgrind OOB reads and other issues.
Conditional jump or move depends on uninitialised value(s)
at 0x5452886: blobmsg_parse (blobmsg.c:203)
by 0x400A8E: test_blobmsg (tests/test-blobmsg-parse.c:66)
by 0x400A8E: main (tests/test-blobmsg-parse.c:82)
Conditional jump or move depends on uninitialised value(s)
at 0x545247F: blobmsg_check_name (blobmsg.c:39)
by 0x545247F: blobmsg_check_attr_len (blobmsg.c:79)
by 0x5452710: blobmsg_parse_array (blobmsg.c:159)
by 0x400AB8: test_blobmsg (tests/test-blobmsg-parse.c:69)
by 0x400AB8: main (tests/test-blobmsg-parse.c:82)
Conditional jump or move depends on uninitialised value(s)
at 0x54524A0: blobmsg_check_name (blobmsg.c:42)
by 0x54524A0: blobmsg_check_attr_len (blobmsg.c:79)
by 0x5452710: blobmsg_parse_array (blobmsg.c:159)
by 0x400AB8: test_blobmsg (tests/test-blobmsg-parse.c:69)
by 0x400AB8: main (tests/test-blobmsg-parse.c:82)
Ref: http://lists.infradead.org/pipermail/openwrt-devel/2020-January/021204.html
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 14 Jan 2020 08:05:02 +0000 (09:05 +0100)]
blobmsg_json: prefer snprintf usage
Better safe than sorry and while at it prefer use of PRId16 and PRId32
formatting constants as well.
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 14 Jan 2020 07:57:05 +0000 (08:57 +0100)]
blobmsg: blobmsg_vprintf: prefer vsnprintf
Better safe than sorry and while at it add handling of possible
*printf() failures.
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 14 Jan 2020 07:55:34 +0000 (08:55 +0100)]
jshn: prefer snprintf usage
Better safe than sorry.
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Fri, 10 Jan 2020 21:00:04 +0000 (22:00 +0100)]
cmake: add a possibility to set library version
Add a new `ABIVERSION` define which allows to control the SOVERSION used
for the built shared library. This is needed for downstream packaging to
properly track breaking ABI changes when updating to newer versions of
the library.
Suggested-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Dainis Jonitis [Fri, 10 Jan 2020 14:41:04 +0000 (16:41 +0200)]
blobmsg: blobmsg_add_json_element() 64-bit values
libjson-c json_type_int values are stored as int64_t. Use
json_object_get_int64() instead of json_object_get_int()
to avoid clamping to INT32_MAX.
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Dainis Jonitis <dainis.jonitis@ubnt.com>
[fixed author to match SoB, added unit test results]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Sun, 12 Jan 2020 21:40:18 +0000 (22:40 +0100)]
blobmsg_json: fix int16 serialization
int16 blobmsg type is currently being serialized as uint16_t due to
missing cast during JSON output.
Following blobmsg content:
bar-min: -32768 (i16)
bar-max: 32767 (i16)
Produces following JSON:
{ "bar-min":32768,"bar-max":32767 }
Whereas one would expect:
{ "bar-min":-32768,"bar-max":32767 }
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Sun, 12 Jan 2020 14:31:49 +0000 (15:31 +0100)]
tests: blobmsg/json: add more test cases
* add missing test with sanitizers
* add test case for blobmsg_add_json_from_string
* add test cases for all numeric types
* print types for each variable
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Wed, 8 Jan 2020 18:47:22 +0000 (19:47 +0100)]
tests: include json script shunit2 based testing
Include shunit2 based tests into unit testing pipeline until
(eventually) it's converted to cram based unit tests.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Sat, 28 Dec 2019 18:00:39 +0000 (19:00 +0100)]
blobmsg: fix wrong payload len passed from blobmsg_check_array
Fix incorrect use of blob_raw_len() on passed blobmsg to
blobmsg_check_array_len() introduced in commit
b0e21553ae8c ("blobmsg:
add _len variants for all attribute checking methods") by using correct
blobmsg_len().
This wrong (higher) length was then for example causing issues in
procd's instance_config_parse_command() where blobmsg_check_attr_list()
was failing sanity checking of service command, thus resulting in the
startup failures of some services like collectd, nlbwmon and samba4.
Ref: http://lists.infradead.org/pipermail/openwrt-devel/2019-December/020840.html
Fixes:
b0e21553ae8c ("blobmsg: add _len variants for all attribute checking methods")
Reported-by: Hannu Nyman <hannu.nyman@welho.com>
Tested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Wed, 25 Dec 2019 09:27:59 +0000 (10:27 +0100)]
blobmsg: fix array out of bounds GCC 10 warning
Fixes following warning reported by GCC 10.0.0
20191203:
blobmsg.c:234:2: error: 'strcpy' offset 6 from the object at 'attr' is out of the bounds of referenced subobject 'name' with type 'uint8_t[0]' {aka 'unsigned char[0]'} at offset 6 [-Werror=array-bounds]
234 | strcpy((char *) hdr->name, (const char *)name);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from blobmsg.c:16:
blobmsg.h:42:10: note: subobject 'name' declared here
42 | uint8_t name[];
| ^~~~
Reported-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Thu, 12 Dec 2019 15:42:39 +0000 (16:42 +0100)]
blobmsg: reuse blobmsg_namelen in blobmsg_data
Move blobmsg_namelen into header file so it's possible to reuse it in
blobmsg_data.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Wed, 11 Dec 2019 05:35:17 +0000 (06:35 +0100)]
tests: fuzz: fuzz _len variants of checking methods
In order to increase test coverage.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Tobias Schramm [Thu, 15 Nov 2018 02:42:48 +0000 (03:42 +0100)]
blobmsg: add _len variants for all attribute checking methods
Introduce _len variants of blobmsg attribute checking functions which
aims to provide safer implementation as those functions should limit all
memory accesses performed on the blob to the range [attr, attr + len]
(upper bound non inclusive) and thus should be suited for checking of
untrusted blob attributes.
While at it add some comments in order to make it clear.
Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
[_safe -> _len, blobmsg_check_array_len fix, commit subject/desc facelift]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Tobias Schramm [Tue, 13 Nov 2018 03:16:12 +0000 (04:16 +0100)]
Replace use of blobmsg_check_attr by blobmsg_check_attr_len
blobmsg_check_attr_len adds a length limit specifying the max offset
from attr that can be read safely.
Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
[rebased and reworked, line wrapped commit message, _safe -> _len]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Tobias Schramm [Wed, 28 Nov 2018 12:39:29 +0000 (13:39 +0100)]
Ensure blob_attr length check does not perform out of bounds reads
Before there might have been as little as one single byte left which
would result in 3 bytes of blob_attr->id_len being out of bounds.
Acked-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
[line wrapped < 72 chars]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 10 Dec 2019 11:02:40 +0000 (12:02 +0100)]
blobmsg: fix heap buffer overflow in blobmsg_parse
Fixes following error found by the fuzzer:
==29774==ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 1 at 0x6020004f1c56 thread T0
#0 strcmp sanitizer_common_interceptors.inc:442:3
#1 blobmsg_parse blobmsg.c:168:8
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 10 Dec 2019 10:53:23 +0000 (11:53 +0100)]
blobmsg: make blobmsg_len and blobmsg_data_len return unsigned value
One usually doesn't guard against negative length values in the code.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 10 Dec 2019 10:51:43 +0000 (11:51 +0100)]
tests: add test cases for blobmsg parsing
Increasing test coverage.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 10 Dec 2019 13:58:40 +0000 (14:58 +0100)]
test: fuzz: add blobmsg_check_attr crashes
==31775==ERROR: AddressSanitizer: SEGV on unknown address 0x604000a7c715
==31775==The signal is caused by a READ memory access.
#0 blobmsg_check_attr blobmsg.c:48:6
#1 blobmsg_parse_array blobmsg.c:118:8
#2 fuzz_blobmsg_parse test-blobmsg-parse-fuzzer.c:35:2
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Mon, 9 Dec 2019 14:27:16 +0000 (15:27 +0100)]
blob: fix OOB access in blob_check_type
Found by fuzzer:
ERROR: AddressSanitizer: SEGV on unknown address 0x602100000455
The signal is caused by a READ memory access.
#0 in blob_check_type blob.c:214:43
#1 in blob_parse_attr blob.c:234:9
#2 in blob_parse_untrusted blob.c:272:12
#3 in fuzz_blob_parse tests/fuzzer/test-blob-parse-fuzzer.c:34:2
#4 in LLVMFuzzerTestOneInput tests/fuzzer/test-blob-parse-fuzzer.c:39:2
Caused by following line:
if (type == BLOB_ATTR_STRING && data[len - 1] != 0)
where len was pointing outside of the data buffer.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Mon, 9 Dec 2019 13:47:40 +0000 (14:47 +0100)]
tests: use blob_parse_untrusted variant
In order to be able to use invalid input for testing as well.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Mon, 9 Dec 2019 13:11:45 +0000 (14:11 +0100)]
blob: introduce blob_parse_untrusted
blob_parse can be only used on trusted input as it has no possibility to
check the length of the provided input buffer, which might lead to
undefined behaviour and/or crashes when supplied with malformed,
corrupted or otherwise specially crafted input.
So this introduces blob_parse_untrusted variant which expects additional
input buffer length argument and thus should be able to process also
inputs from untrusted sources.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Mon, 9 Dec 2019 12:53:27 +0000 (13:53 +0100)]
blob: refactor attr parsing into separate function
Making blob_parse easier to review.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 10 Dec 2019 16:12:07 +0000 (17:12 +0100)]
test: fuzz: add blob_parse crashes
==5872==ERROR: AddressSanitizer: SEGV on unknown address 0x6020004100b4
==5872==The signal is caused by a READ memory access.
#0 blob_data blob.h
#1 blob_parse blob.c:228:2
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Mon, 9 Dec 2019 12:28:25 +0000 (13:28 +0100)]
tests: add test cases for blob parsing
Increasing test coverage.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Sun, 8 Dec 2019 14:11:02 +0000 (15:11 +0100)]
tests: add libFuzzer based tests
LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine.
LibFuzzer is linked with the library under test, and feeds fuzzed inputs
to the library via a specific fuzzing entrypoint (aka "target
function"); the fuzzer then tracks which areas of the code are reached,
and generates mutations on the corpus of input data in order to maximize
the code coverage.
Lets use libFuzzer to fuzz blob and blobmsg parsing for the start.
Ref: https://llvm.org/docs/LibFuzzer.html
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Sun, 8 Dec 2019 12:12:47 +0000 (13:12 +0100)]
tests: add unit tests covered with Clang sanitizers
Currently we run all tests via Valgrind. This patch adds 2nd batch of
tests which are compiled with Clang AddressSanitizer[1],
LeakSanitizer[2] and UndefinedBehaviorSanitizer[3] in order to catch
more issues during QA on CI.
AddressSanitizer is a fast memory error detector. The tool can detect
the following types of bugs:
* Out-of-bounds accesses to heap, stack and globals
* Use-after-free, use-after-return, use-after-scope
* Double-free, invalid free
LeakSanitizer is a run-time memory leak detector. It can be combined
with AddressSanitizer to get both memory error and leak detection, or
used in a stand-alone mode.
UndefinedBehaviorSanitizer (UBSan) is a fast undefined behavior
detector. UBSan modifies the program at compile-time to catch various
kinds of undefined behavior during program execution, for example:
* Using misaligned or null pointer
* Signed integer overflow
* Conversion to, from, or between floating-point types which would
overflow the destination
1. http://clang.llvm.org/docs/AddressSanitizer.html
2. http://http://clang.llvm.org/docs/LeakSanitizer.html
3. http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Sat, 7 Dec 2019 12:29:05 +0000 (13:29 +0100)]
cmake: add more hardening compiler flags
In order to spot possible issues with direct impact on security during
QA on CI (GCC version 6 and higher).
Ref: https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Sat, 7 Dec 2019 12:34:25 +0000 (13:34 +0100)]
blobmsg/ulog: fix format string compiler warnings
Fixes following compiler warnings:
blobmsg.c:242:39: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
blobmsg.c:248:23: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
ulog.c:100:18: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
ulog.c:112:16: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
ulog.c:117:20: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 26 Nov 2019 07:32:57 +0000 (08:32 +0100)]
cmake: use extra compiler warnings only on gcc6+
gcc version 4.8.4 (Ubuntu 14.04) and -Wextra produces following:
json_script.c:124:3: error: missing initializer for field 'name' of 'struct blobmsg_policy' [-Werror=missing-field-initializers]
Reported-by: Jonas Gorski <jonas.gorski@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Sat, 23 Nov 2019 22:51:20 +0000 (23:51 +0100)]
tests: jshn: add more test cases
In order to cover all command line options.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Sat, 23 Nov 2019 22:40:48 +0000 (23:40 +0100)]
jshn: fix missing usage for -p and -o arguments
Add missing usage hints for -p and -o arguments.
Fixes:
e16fa068a573 ("jshn: add support for namespaces")
Fixes:
eb30a03048f8 ("libubox, jshn: add option to write output to a file")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Sat, 23 Nov 2019 21:48:25 +0000 (22:48 +0100)]
jshn: fix off by one in jshn_parse_file
Fixes following error:
Invalid read of size 1
at 0x4C32D04: strlen
by 0x5043367: json_tokener_parse_ex
by 0x5045316: json_tokener_parse_verbose
by 0x504537D: json_tokener_parse
by 0x401AB1: jshn_parse (jshn.c:179)
by 0x40190D: jshn_parse_file (jshn.c:370)
by 0x40190D: main (jshn.c:434)
Address 0x5848c4c is 0 bytes after a block of size 1,036 alloc'd
at 0x4C2FB0F: malloc
by 0x4018E2: jshn_parse_file (jshn.c:357)
by 0x4018E2: main (jshn.c:434)
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 19 Nov 2019 13:09:43 +0000 (14:09 +0100)]
jshn: jshn_parse: fix leaks of memory pointed to by 'obj'
Fixes following leaks of memory:
352 (72 direct, 280 indirect) bytes in 1 blocks are definitely lost in loss record 3 of 3
at 0x4C31B25: calloc
by 0x5042E1F: json_object_new_array
by 0x5044B02: json_tokener_parse_ex
by 0x5045316: json_tokener_parse_verbose
by 0x504537D: json_tokener_parse
by 0x401AA9: jshn_parse (jshn.c:179)
by 0x401977: main (jshn.c:378)
752 (72 direct, 680 indirect) bytes in 1 blocks are definitely lost in loss record 6 of 6
at 0x4C31B25: calloc
by 0x50424CF: json_object_new_object
by 0x5044B38: json_tokener_parse_ex
by 0x5045316: json_tokener_parse_verbose
by 0x504537D: json_tokener_parse
by 0x401AA9: jshn_parse (jshn.c:179)
by 0x401977: main (jshn.c:380)
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 19 Nov 2019 11:34:14 +0000 (12:34 +0100)]
jshn: main: fix leak of memory pointed to by 'vars'
Fixes following leak of memory:
6,016 bytes in 1 blocks are possibly lost in loss record 1 of 1
at 0x4C31B25: calloc
by 0x1098F8: main (jshn.c:353)
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Sat, 23 Nov 2019 21:27:46 +0000 (22:27 +0100)]
jshn: refactor main into smaller pieces
Turn longer switch cases into separate functions in order to make it
easier to follow. Don't return from the cases as it makes future
cleaning up harder.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Wed, 20 Nov 2019 08:31:08 +0000 (09:31 +0100)]
avl: guard against theoretical null pointer dereference
clang-10 analyzer reports following:
avl.c:671:25: warning: Access to field 'parent' results in a dereference of a null pointer (loaded from field 'right')
node->right->parent = parent;
~~~~~ ^
Which seems to be impossible to trigger via exported AVL public API, but
it could be probably trigerred by fiddling with the AVL tree node struct
members manually as they are exposed.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 19 Nov 2019 16:34:25 +0000 (17:34 +0100)]
blobmsg_json: fix possible uninitialized struct member
clang-10 analyzer reports following:
blobmsg_json.c:285:2: warning: The expression is an uninitialized value. The computed value will also be garbage
s->indent_level++;
^~~~~~~~~~~~~~~~~
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 19 Nov 2019 16:16:40 +0000 (17:16 +0100)]
base64: fix possible null pointer dereference
clang-10 analyzer reports following:
base64.c:325:20: warning: Array access (from variable 'target') results in a null pointer dereference
target[tarindex] = 0;
~~~~~~ ^
and prepared test case confirms it:
Invalid write of size 1
at 0x4E4463F: b64_decode (base64.c:325)
by 0x40088C: test_invalid_inputs (tests/test-base64.c:26)
by 0x40088C: main (tests/test-base64.c:32)
Address 0x1 is not stack'd, malloc'd or (recently) free'd
Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x1
at 0x4E4463F: b64_decode (base64.c:325)
by 0x40088C: test_invalid_inputs (tests/test-base64.c:26)
by 0x40088C: main (tests/test-base64.c:32)
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Wed, 20 Nov 2019 17:02:39 +0000 (18:02 +0100)]
add assert.h component
In order to allow seamless assert() usage in release builds without the
need for fiddling with CMake C flags as CMake adds -DNDEBUG switch in
release builds which disable assert().
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 19 Nov 2019 13:31:44 +0000 (14:31 +0100)]
add cram based unit tests
For improved QA etc. For the start with initial test cases for avl,
base64, jshn and list components. Moved runqueue and blobmsg from
examples to tests. Converted just a few first test cases from
json-script example into the new cram based unit test, more to come.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Fri, 27 Sep 2019 21:24:44 +0000 (23:24 +0200)]
add initial GitLab CI support
Uses currently proof-of-concept openwrt-ci[1] in order to:
* improve the quality of the codebase in various areas
* decrease code review time and help merging contributions faster
* get automagic feedback loop on various platforms and tools
- out of tree build with OpenWrt SDK on following targets:
* ath79-generic
* imx6-generic
* malta-be
* mvebu-cortexa53
- out of tree native build on x86/64 with GCC (versions 7, 8, 9) and Clang 10
- out of tree native x86/64 static code analysis with cppcheck and
scan-build from Clang 10
1. https://gitlab.com/ynezz/openwrt-ci/
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Mon, 10 Jun 2019 06:45:56 +0000 (08:45 +0200)]
enable extra compiler checks
Let's enforce additional automatic checks enforced by the compiler in
order to catch possible errors during compilation.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Mon, 10 Jun 2019 06:47:38 +0000 (08:47 +0200)]
iron out all extra compiler warnings
gcc-9 on x86/64 has reported following issues:
base64.c:173:17: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
base64.c:230:18: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
base64.c:238:18: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
base64.c:242:22: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
base64.c:252:18: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
base64.c:256:22: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
base64.c:266:18: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
base64.c:315:27: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
base64.c:329:15: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
blob.c:207:11: error: comparison of integer expressions of different signedness: ‘unsigned int’ and ‘int’ [-Werror=sign-compare]
blob.c:210:11: error: comparison of integer expressions of different signedness: ‘unsigned int’ and ‘int’ [-Werror=sign-compare]
blob.c:243:31: error: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Werror=sign-compare]
blob.c:246:31: error: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Werror=sign-compare]
blob.h:245:37: error: comparison of integer expressions of different signedness: ‘unsigned int’ and ‘int’ [-Werror=sign-compare]
blob.h:253:37: error: comparison of integer expressions of different signedness: ‘unsigned int’ and ‘int’ [-Werror=sign-compare]
blobmsg.h:269:37: error: comparison of integer expressions of different signedness: ‘unsigned int’ and ‘int’ [-Werror=sign-compare]
blobmsg_json.c:155:10: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
examples/../blob.h:245:37: error: comparison of integer expressions of different signedness: ‘unsigned int’ and ‘int’ [-Werror=sign-compare]
examples/../blobmsg.h:269:37: error: comparison of integer expressions of different signedness: ‘unsigned int’ and ‘int’ [-Werror=sign-compare]
json_script.c:590:7: error: this statement may fall through [-Werror=implicit-fallthrough=]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Yousong Zhou [Tue, 29 Oct 2019 07:24:20 +0000 (07:24 +0000)]
vlist: add more macros for loop iteration
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Roman Yeryomin [Fri, 13 Sep 2019 22:22:48 +0000 (01:22 +0300)]
libubox, jshn: add option to write output to a file
This would allow board_config_flush to run one command instead
of two and would be faster and safer than redirecting output
and moving a file between filesystems.
Originally discussed here:
http://lists.openwrt.org/pipermail/openwrt-devel/2017-December/010127.html
Signed-off-by: Roman Yeryomin <roman@advem.lv>
Hauke Mehrtens [Sun, 9 Jun 2019 11:00:21 +0000 (13:00 +0200)]
ustream: Add format string checks to ustream_(v)printf()
This tells the compiler that these functions are takeing a format
string, the compiler will now do additional checks and is able to emitt
a compile warning in case the format string is not valid.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Kristupas Savickas [Thu, 6 Jun 2019 18:28:32 +0000 (21:28 +0300)]
libubox: add format string checking to ulog()
This offers an increased level of security, as the arguments will be
checked for validity against the format string at compile time. The
format attribute is supported by both GCC and Clang, so there shouldn't
be any portability issues.
Signed-off-by: Kristupas Savickas <savickas.kristupas@gmail.com>
Yousong Zhou [Wed, 27 Feb 2019 02:48:47 +0000 (02:48 +0000)]
blobmsg_json: blobmsg_format_string: do not escape '/'
Resolves FS#2147
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
John Crispin [Wed, 25 Jul 2018 08:30:05 +0000 (10:30 +0200)]
fix segfault when passed blobmsg attr is NULL
Signed-off-by: John Crispin <john@phrozen.org>
Felix Fietkau [Thu, 7 Jun 2018 13:18:51 +0000 (15:18 +0200)]
utils: add const_* byteswapping functions
Some gcc versions have issues with the __builtin_choose_expr construct
which attempts to automatically use the const versions of those
functions.
Make it possible to explicitly use const_* versions to avoid that.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Thu, 12 Apr 2018 08:26:22 +0000 (10:26 +0200)]
utils: fix build error with g++
g++ does not support __builtin_choose_expr, so we can't support
byte swapping as constant expression there.
Reported-by: Cleynhens Stijn <Stijn.Cleynhens@technicolor.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Sat, 7 Apr 2018 13:21:25 +0000 (15:21 +0200)]
switch from typeof to the more portable __typeof__
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Sat, 7 Apr 2018 08:43:48 +0000 (10:43 +0200)]
utils: ensure that byte-order conversion functions evaluate the argument only once
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Sat, 7 Apr 2018 08:36:38 +0000 (10:36 +0200)]
jshn: fix format string for int64 type
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Wed, 21 Mar 2018 16:53:40 +0000 (17:53 +0100)]
utils: use constant byte-order conversion
Simplifies portability and ensures that cpu_to_* can be used in const
declarations. If the architecture has special instructions, the compiler
should be able to detect the pattern and use them.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Rosen Penev [Fri, 2 Feb 2018 06:52:12 +0000 (22:52 -0800)]
libubox: Plug a small memory leak.
va_end was not called if calloc fails.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Hans Dedecker [Thu, 1 Feb 2018 15:41:27 +0000 (16:41 +0100)]
sh/jshn.sh: add json_for_each_item()
Function usefull to iterate through the different elements of an
array or object; the provided callback function is called for each
element which is passed the value, key and user provided arguments.
For field types different from array or object the callback is called
with the retrieved value.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Christian Beier [Thu, 18 Jan 2018 20:21:09 +0000 (21:21 +0100)]
jshn: add functionality to read big JSON
The existing read functionality feeds the complete JSON to jshn as a
cmdline argument, leading to `-ash: jshn: Argument list too long`
errors for JSONs bigger than ca. 100KB.
This commit adds the ability to read the JSON directly from a file if
wanted, removing this shell-imposed size limit.
Tested on x86-64 and ar71xx. An mmap()-based solution was also evaluated,
but found to make no performance difference on either platform.
Signed-off-by: Christian Beier <dontmind@freeshell.org>
Jo-Philipp Wich [Sun, 7 Jan 2018 14:46:31 +0000 (15:46 +0100)]
jshn: properly support JSON "null" type
Instead of abort parsing, properly deal with "null" values by implementing
support for reading and formatting such values.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Christian Beier [Sat, 21 Oct 2017 23:42:29 +0000 (01:42 +0200)]
jshn: read and write 64-bit integers
This allows for reading in and writing out bigger JSON Numbers.
Following test script (that fails to print correct values _without_ this
commit) verifies the functionality (tested on x86-64 as well as on ar71xx):
---snip---
# assumes you built jshn and sourced jshn.sh
echo testing reading-in JSON
SHELL_BIGNUM=
12147483647
json_init
json_load "{ \"bignum\": $SHELL_BIGNUM }"
json_get_var BIGNUM bignum
echo jshn bignum: $BIGNUM
echo shll bignum: $SHELL_BIGNUM
echo testing writing-out JSON
json_init
json_add_int bigint $SHELL_BIGNUM
json_dump
--snap---
Signed-off-by: Christian Beier <dontmind@freeshell.org>
Stijn Tintel [Thu, 17 Aug 2017 13:50:03 +0000 (15:50 +0200)]
utils: nuke bitfield functions and macros
The bitfield functions and macros were committed without explaining
their purpose in the commit message.
As they are only used in uci, and conflict with similar functions added
in hostapd, breaking our hostapd ubus patch, nuke them from libubox and
add them in uci instead.
If we need them anywhere else in the future we can add it to libubox
again, but preferably prefixed with ubox_.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Petar Paradzik [Mon, 3 Jul 2017 11:37:56 +0000 (13:37 +0200)]
uloop: make SIGCHLD signal handling optional
Some programs want to manage their own child life cycle without using
SIGCHLD signal handler. In these cases, uloop is reaping children for
them because they don't have SIGCHLD handler set. This patch makes it
possible to disable reaping children through 'uloop_handle_sigchld'
variable.
Signed-off-by: Petar Paradzik <petar.paradzik@sartura.hr>
Michal Sojka [Tue, 12 Sep 2017 11:12:31 +0000 (13:12 +0200)]
uloop: Fix race condition in SIGCHLD handling
When uloop_process_add() is called outside of uloop_run(), i.e. not
from a callback (which is the case of at least utrace and ujail),
child events can be missed. The reason is that when SIGCHILD handler
is installed in uloop_run(), after the uloop_process_add() is called,
then an initial signal could be missed.
Commit
4e3a47a ("uloop: use a waker for notifying sigchld and loop
cancel events", 2016-06-09) solved a similar problem and introduced
uloop_init() but forgot to move a call to uloop_setup_signals() there.
This is what this commit does.
Now, uloop_process_add() can be called any time after uloop_init()
without missing any event.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Acked-by: Yousong Zhou <yszhou4tech@gmail.com>
Felix Fietkau [Sat, 17 Jun 2017 09:47:21 +0000 (11:47 +0200)]
uloop: allow passing 0 as timeout to uloop_run
Useful for processing only immediate timers and fds
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Sat, 17 Jun 2017 09:39:24 +0000 (11:39 +0200)]
uloop: fix a regression in timeout handling
Variable confusion was breaking timers
Fixes:
368fd2645878 ("uloop: allow specifying a timeout for uloop_run()")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Wed, 14 Jun 2017 10:08:42 +0000 (12:08 +0200)]
runqueue: fix use-after-free bug
Calling t->complete in runqueue_task_complete can free the memory
associated with t. Change the runqueue_start_next accordingly.
Fixes https://github.com/openwrt/openwrt/issues/493
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Thu, 1 Jun 2017 09:24:37 +0000 (11:24 +0200)]
uloop: allow specifying a timeout for uloop_run()
This can be useful for cleanup with pending timers, or for hooking into
existing code that does not use uloop
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Denis Osvald [Thu, 18 May 2017 07:39:28 +0000 (09:39 +0200)]
json_script: enable custom expr handler callback
This wires in custom expression handler functionality, which was present
in json script since the original version, but never used.
Signed-off-by: Denis Osvald <denis.osvald@sartura.hr>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [error handling fix]
Yousong Zhou [Mon, 20 Mar 2017 11:42:01 +0000 (19:42 +0800)]
md5: add "const" qualifier to the "file" argument
This is intended to fix the following compiler warning in opkg-lede:
/home/yousong/git-repo/lede-project/opkg-lede/libopkg/file_util.c: In function ‘file_md5sum_alloc’:
/home/yousong/git-repo/lede-project/opkg-lede/libopkg/file_util.c:144:2: warning: passing argument 1 of ‘md5sum’ discards ‘const’ qualifier from pointer target type [enabled by default]
In file included from /home/yousong/git-repo/lede-project/opkg-lede/libopkg/file_util.c:28:0:
/home/yousong/.usr/include/libubox/md5.h:56:5: note: expected ‘char *’ but argument is of type ‘const char *’
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Ted Hess [Thu, 23 Feb 2017 20:57:02 +0000 (15:57 -0500)]
libubox: Change calloc_a() to return size_t aligned pointers
Un-aligned pointers were causing seg faults on some targets
Signed-off-by: Ted Hess <thess@kitschensync.net>
Felix Fietkau [Fri, 3 Feb 2017 15:52:17 +0000 (16:52 +0100)]
uloop: add uloop_cancelling function
Returns true if uloop_run is still running and uloop_cancelled is set
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Fri, 20 Jan 2017 10:29:51 +0000 (11:29 +0100)]
utils: fix build on Mac OS X 10.12
clock_gettime and CLOCK_MONOTONIC are supported now
Signed-off-by: Felix Fietkau <nbd@nbd.name>
André Gaul [Sat, 19 Nov 2016 17:55:49 +0000 (18:55 +0100)]
blobmsg: add support for double
This adds support for double floating point type to make it more JSON
compatible. For type checking it also adds a stub BLOB_ATTR_DOUBLE type.
If necessary, the accessor functions for blob can be added later
Signed-off-by: André Gaul <andre@gaul.io>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Wed, 14 Dec 2016 22:26:51 +0000 (23:26 +0100)]
utils: add helper functions useful for allocating a ring buffer
This creates a mapping with twice the size of the allocated memory. The
second half of that mapping points at the same memory as the first half.
This is useful for ring buffers, because any read starting in the first
half can overflow into the second half as long as the read size is
smaller than the size of the memory area.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Rosen Penev [Thu, 22 Dec 2016 19:53:25 +0000 (11:53 -0800)]
libubox: replace strtok with _r version.
_r is re-entrant. Also happens to silence a cppcheck warning.
Signed-off by: Rosen Penev <rosenp@gmail.com>
Florian Eckert [Tue, 13 Dec 2016 11:34:31 +0000 (12:34 +0100)]
libubox: allow reading out the pid of uloop process in lua
Add Lua method to get the forked pid of a uloop process
Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
Felix Fietkau [Mon, 12 Dec 2016 11:24:13 +0000 (12:24 +0100)]
uloop: remove useless epoll data assignment
ev.data is a union, so setting ev.data.fd is lost after setting
ev.data.ptr
Reported-by: Song Yaofei <songyaofei@joyware.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Stijn Cleynhens [Mon, 5 Dec 2016 14:11:05 +0000 (15:11 +0100)]
libubox: allow reading out the remaining time of a uloop timer in Lua
Add Lua method to the uloop wrapper to allow reading out the remaining time of a uloop timer
Signed-off-by: Stijn Cleynhens <stijncleynhens@gmail.com>
Felix Fietkau [Tue, 29 Nov 2016 13:02:54 +0000 (14:02 +0100)]
blob/blobmsg: add explicit typecasts for attribute iterators
Fixes C++ compatibility.
Reported in https://forum.lede-project.org/t/blobmsg-for-each-attr-from-c/389
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Mon, 24 Oct 2016 10:34:09 +0000 (12:34 +0200)]
kvlist: add static initializer macros
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Fri, 29 Jul 2016 10:00:15 +0000 (12:00 +0200)]
libubox: add static initializer macro for runqueues
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Fri, 29 Jul 2016 08:58:55 +0000 (10:58 +0200)]
avl: add blob comparator function
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Matthias Schiffer [Mon, 27 Jun 2016 06:50:29 +0000 (08:50 +0200)]
blobmsg_json: add new functions blobmsg_format_json_value*
The current blobmsg_format_json* functions will return invalid JSON when
the "list" argument is given as false (blobmsg_format_element() will
output the name of the blob_attr as if the value is printed as part of a
JSON object).
To avoid breaking software relying on this behaviour, introduce new
functions which will never print the blob_attr name and thus always
produce valid JSON.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cosmetic style fix]
Eyal Birger [Mon, 20 Jun 2016 05:36:47 +0000 (08:36 +0300)]
uloop: handle waker pipe write() return value
Recent glibc warns if result of read() or write() is unused.
Added a retry in case of EINTR, all other faults are silently discarded.
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
-----
- I was not able to reproduce the EINTR case, but it seems to be the right
thing to do
- Retrying on EAGAIN in this case would be weird as there is no one to read
from the other end of the pipe. We could call waker_consume() directly but
since the size of the message is just one byte, I think this would be dead
code
Matthias Schiffer [Tue, 21 Jun 2016 15:19:11 +0000 (17:19 +0200)]
loop: make uloop_run() return the cancelling signal
When a process quits in response to a signal it handles, it should to so
be re-sending the signal to itself. This especially important for SIGINT,
as is explained in [1].
uloop currently hides the reason for quitting uloop_run(). Fix this by
returning the signal that caused the loop to quit (or 0 when uloop_end()
was used), so a program using loop an comply with [1].
[1] https://www.cons.org/cracauer/sigint.html
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Tue, 21 Jun 2016 15:19:10 +0000 (17:19 +0200)]
Fix various memory management issues
Consistently handle allocation failures. Some functions are changed to
return bool or int instead of void to allow returning an error.
Also fix a buffer size miscalculation in lua/uloop and use _exit() instead
of exit() on errors after forking.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Felix Fietkau [Wed, 15 Jun 2016 13:14:51 +0000 (15:14 +0200)]
uloop: add missing waker_pipe initialization
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Yousong Zhou [Thu, 9 Jun 2016 02:20:32 +0000 (10:20 +0800)]
uloop: use a waker for notifying sigchld and loop cancel events
Fix a race condition when do_sigchld, uloop_cancelled were set just
before epoll_wait(timeout=-1), resulting the loop stuck in the syscall
without noticing the events just happened
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Thu, 19 May 2016 08:59:46 +0000 (10:59 +0200)]
uloop: revert signalfd support for now
It hasn't fixed the reported race condition and it introduced some new
issues.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Tue, 17 May 2016 11:59:05 +0000 (13:59 +0200)]
uloop: add back support for overriding signal handlers when signalfd is in use
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Tue, 17 May 2016 11:35:00 +0000 (13:35 +0200)]
uloop: fix signal unblocking
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Tue, 17 May 2016 11:27:44 +0000 (13:27 +0200)]
uloop: retry waitpid on signal interrupt
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Tue, 17 May 2016 11:23:28 +0000 (13:23 +0200)]
uloop: try to use signalfd for signal handling if available
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Tue, 17 May 2016 10:25:19 +0000 (12:25 +0200)]
uloop: move epoll code into a separate file
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Tue, 17 May 2016 10:24:04 +0000 (12:24 +0200)]
uloop: move kqueue code into a separate file
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Matthias Schiffer [Wed, 6 Apr 2016 15:40:22 +0000 (17:40 +0200)]
blobmsg_json: simplify add_separator and fix thread-safety
The hard-coded length limits are replaced with strlen to make the code more
robust.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Felix Fietkau [Sat, 5 Mar 2016 17:51:31 +0000 (18:51 +0100)]
jshn: use an avl tree for env variables to speed up processing of bigger json files
Signed-off-by: Felix Fietkau <nbd@openwrt.org>