Subject: GCC 10 analyzer findings

GCC 10 analyzer findings

From: Jeffrey Walton <noloader_at_gmail.com>
Date: Sat, 18 Jul 2020 02:21:23 -0400

Hi Everyone,

I'm testing on Fedora 32, which provides GCC 10.1. GCC 10 offers an
analyzer. You can engage the analyzer with -fanalyzer.

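I'm not sure if this is related to the finding by Jann Horn at Google
Project Zero detailed in the 1.16.1 RELEASE-NOTES. Both traces below
take one address-family branch at lines 92-99 and then the opposite
outcome of the sa->sa_family test at line 176, so they look reachable
only if sa->sa_family changes between the two reads: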

libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.
-DCARES_BUILDING_LIBRARY -DCARES_SYMBOL_HIDING -isystem
/home/jwalton/tmp/ok2delete//include -DNDEBUG -DTEST_ANALYZE=1
-fvisibility=hidden -O2 -fanalyzer -fno-omit-frame-pointer
-march=native -fPIC -pthread -g0 -Wno-system-headers -MT
libcares_la-ares_getnameinfo.lo -MD -MP -MF
.deps/libcares_la-ares_getnameinfo.Tpo -c ares_getnameinfo.c -fPIC
-DPIC -o .libs/libcares_la-ares_getnameinfo.o
ares_getnameinfo.c: In function ‘ares_getnameinfo’:
cc1: warning: dereference of NULL ‘addr’ [CWE-690] [-Wanalyzer-null-dereference]
  ‘ares_getnameinfo’: events 1-15
    |
    |ares_getnameinfo.c:98:11:
    | 98 | else if ((sa->sa_family == AF_INET6) &&
    | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | | | |
    | | | (2) ...to here
    | | | (3) following
‘true’ branch (when ‘salen == 28’)...
    | | (1) following ‘true’ branch...
    | 99 | (salen == sizeof(struct sockaddr_in6)))
    | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |......
    | 102 | port = addr6->sin6_port;
    | | ~~~~~~~~~~~~~~~~
    | | |
    | | (4) ...to here
    |......
    | 111 | if (!(flags & ARES_NI_LOOKUPSERVICE) && !(flags &
ARES_NI_LOOKUPHOST))
    | | ~
    | | |
    | | (5) following ‘false’ branch...
    |......
    | 115 | if ((flags & ARES_NI_LOOKUPSERVICE) && !(flags &
ARES_NI_LOOKUPHOST))
    | |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | | | |
    | | | (6) ...to here
    | | (7) following ‘false’ branch...
    |......
    | 126 | if ((flags & ARES_NI_LOOKUPHOST))
    | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | | | |
    | | | (8) ...to here
    | | (9) following ‘true’ branch...
    |......
    | 129 | if ((flags & ARES_NI_NUMERICHOST))
    | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | | | |
    | | | (10) ...to here
    | | (11) following ‘false’ branch...
    |......
    | 166 | niquery = ares_malloc(sizeof(struct nameinfo_query));
    | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | | |
    | | (12) ...to here
    | 167 | if (!niquery)
    | | ~
    | | |
    | | (13) following ‘false’ branch (when ‘niquery’
is non-NULL)...
    |......
    | 172 | niquery->callback = callback;
    | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | | |
    | | (14) ...to here
    |......
    | 176 | if (sa->sa_family == AF_INET)
    | | ~
    | | |
    | | (15) following ‘true’ branch...
    |
  ‘ares_getnameinfo’: event 16
    |
    | 178 | niquery->family = AF_INET;
    | | ^
    | | |
    | | (16) ...to here
    |
  ‘ares_getnameinfo’: event 17
    |
    |cc1:
    | (17): dereference of NULL ‘addr’
    |
ares_getnameinfo.c:187:13: warning: use of NULL ‘addr6’ where non-null
expected [CWE-690] [-Wanalyzer-null-argument]
  187 | memcpy(&niquery->addr.addr6, addr6,
sizeof(niquery->addr.addr6));
      |
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘ares_getnameinfo’: events 1-13
    |
    | 92 | if ((sa->sa_family == AF_INET) &&
    | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | | | |
    | | | (2) ...to here
    | | | (3) following ‘true’
branch (when ‘salen == 16’)...
    | | (1) following ‘true’ branch...
    | 93 | (salen == sizeof(struct sockaddr_in)))
    | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |......
    | 96 | port = addr->sin_port;
    | | ~~~~~~~~~~~~~~
    | | |
    | | (4) ...to here
    |......
    | 115 | if ((flags & ARES_NI_LOOKUPSERVICE) && !(flags &
ARES_NI_LOOKUPHOST))
    | | ~
    | | |
    | | (5) following ‘false’ branch...
    |......
    | 126 | if ((flags & ARES_NI_LOOKUPHOST))
    | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | | | |
    | | | (6) ...to here
    | | (7) following ‘true’ branch...
    |......
    | 129 | if ((flags & ARES_NI_NUMERICHOST))
    | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | | | |
    | | | (8) ...to here
    | | (9) following ‘false’ branch...
    |......
    | 166 | niquery = ares_malloc(sizeof(struct nameinfo_query));
    | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | | |
    | | (10) ...to here
    | 167 | if (!niquery)
    | | ~
    | | |
    | | (11) following ‘false’ branch (when ‘niquery’
is non-NULL)...
    |......
    | 172 | niquery->callback = callback;
    | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | | |
    | | (12) ...to here
    |......
    | 176 | if (sa->sa_family == AF_INET)
    | | ~
    | | |
    | | (13) following ‘false’ branch...
    |
  ‘ares_getnameinfo’: events 14-15
    |
    | 186 | niquery->family = AF_INET6;
    | | ^
    | | |
    | | (14) ...to here
    | 187 | memcpy(&niquery->addr.addr6, addr6,
sizeof(niquery->addr.addr6));
    | |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | | |
    | | (15) argument 2 (‘addr6’) NULL where non-null expected
    |
In file included from setup_once.h:35,
                 from ares_setup.h:214,
                 from ares_getnameinfo.c:16:
/usr/include/string.h:43:14: note: argument 2 of ‘memcpy’ must be non-null
   43 | extern void *memcpy (void *__restrict __dest, const void
*__restrict __src,
      | ^~~~~~
Received on 2020-07-18