!607 [sync] PR-606: code improvements and bugfix for code review

* code improvements and bugfix for code review
openeuler-sync-bot 2023-08-26 10:10:17 +00:00 committed by haozi007
parent bfbf786760
commit ac7f14ac9b
11 changed files with 3772 additions and 1 deletions

490
0107-improve-coding.patch Normal file

@ -0,0 +1,490 @@
From a305fe5feaf32e5d72c0951b6ef0a522f7a5830d Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Tue, 15 Aug 2023 19:08:34 +0800
Subject: [PATCH 01/10] improve coding
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
.../connect/grpc/grpc_containers_client.cc | 2 +-
.../container/container_events_handler.c | 4 ++--
src/daemon/modules/container/container_unix.c | 2 +-
.../modules/runtime/isula/isula_rt_ops.c | 2 +-
src/utils/buffer/buffer.c | 6 +-----
src/utils/cutils/error.h | 2 +-
src/utils/cutils/util_atomic.h | 3 ++-
src/utils/cutils/utils.c | 2 +-
src/utils/cutils/utils_base64.c | 10 +++++++---
src/utils/cutils/utils_file.c | 18 ++++++++++++------
src/utils/cutils/utils_fs.c | 2 +-
src/utils/cutils/utils_mount_spec.c | 3 +--
src/utils/cutils/utils_string.c | 7 +++----
src/utils/cutils/utils_string.h | 2 +-
src/utils/cutils/utils_timestamp.c | 4 ++--
src/utils/http/http.c | 2 +-
src/utils/tar/isulad_tar.c | 4 +---
src/utils/tar/isulad_tar.h | 2 --
src/utils/tar/util_archive.c | 16 ++++++++++------
src/utils/tar/util_gzip.c | 6 +++---
20 files changed, 52 insertions(+), 47 deletions(-)
diff --git a/src/client/connect/grpc/grpc_containers_client.cc b/src/client/connect/grpc/grpc_containers_client.cc
index 301e172b..314f381f 100644
--- a/src/client/connect/grpc/grpc_containers_client.cc
+++ b/src/client/connect/grpc/grpc_containers_client.cc
@@ -17,7 +17,7 @@
#include "container.grpc.pb.h"
#include "isula_libutils/container_copy_to_request.h"
#include "isula_libutils/container_exec_request.h"
-#include "isulad_tar.h"
+#include "util_archive.h"
#include "stoppable_thread.h"
#include "utils.h"
#include <fstream>
diff --git a/src/daemon/modules/container/container_events_handler.c b/src/daemon/modules/container/container_events_handler.c
index 55dbfbe6..d78e6fc1 100644
--- a/src/daemon/modules/container/container_events_handler.c
+++ b/src/daemon/modules/container/container_events_handler.c
@@ -131,7 +131,7 @@ static int container_state_changed(container_t *cont, const struct isulad_events
pid = container_state_get_pid(cont->state);
if (pid != (int)events->pid) {
- DEBUG("Container's pid \'%d\' is not equal to event's pid \'%d\', ignore STOPPED event", pid,
+ DEBUG("Container's pid \'%d\' is not equal to event's pid \'%u\', ignore STOPPED event", pid,
events->pid);
container_unlock(cont);
ret = 0;
@@ -212,7 +212,7 @@ static int handle_one(container_t *cont, container_events_handler_t *handler)
events_handler_unlock(handler);
events = (struct isulad_events_format *)it->elem;
- INFO("Received event %s with pid %d", events->id, events->pid);
+ INFO("Received event %s with pid %u", events->id, events->pid);
if (container_state_changed(cont, events)) {
ERROR("Failed to change container %s state", cont->common_config->id);
diff --git a/src/daemon/modules/container/container_unix.c b/src/daemon/modules/container/container_unix.c
index 9910b3c8..9392cf0d 100644
--- a/src/daemon/modules/container/container_unix.c
+++ b/src/daemon/modules/container/container_unix.c
@@ -438,7 +438,7 @@ out:
int container_v2_spec_merge_contaner_spec(container_config_v2_common_config *v2_spec)
{
int ret = 0;
- int i = 0;
+ size_t i = 0;
container_config *container_spec = NULL;
if (v2_spec == NULL) {
diff --git a/src/daemon/modules/runtime/isula/isula_rt_ops.c b/src/daemon/modules/runtime/isula/isula_rt_ops.c
index 0f18926a..817d663f 100644
--- a/src/daemon/modules/runtime/isula/isula_rt_ops.c
+++ b/src/daemon/modules/runtime/isula/isula_rt_ops.c
@@ -704,7 +704,7 @@ static int status_to_exit_code(int status)
shim_exit_code records the exit code of isulad-shim, obtained through waitpid;
*/
static int shim_create(bool fg, const char *id, const char *workdir, const char *bundle, const char *runtime_cmd,
- int *exit_code, const char* timeout, int* shim_exit_code)
+ int *exit_code, const char *timeout, int *shim_exit_code)
{
pid_t pid = 0;
int shim_stderr_pipe[2] = { -1, -1 };
diff --git a/src/utils/buffer/buffer.c b/src/utils/buffer/buffer.c
index 19a933cd..7f6bc527 100644
--- a/src/utils/buffer/buffer.c
+++ b/src/utils/buffer/buffer.c
@@ -36,11 +36,7 @@ Buffer *buffer_alloc(size_t initial_size)
return NULL;
}
- if (initial_size > SIZE_MAX / sizeof(char)) {
- free(buf);
- return NULL;
- }
- tmp = calloc(1, initial_size * sizeof(char));
+ tmp = util_smart_calloc_s(sizeof(char), initial_size);
if (tmp == NULL) {
free(buf);
return NULL;
diff --git a/src/utils/cutils/error.h b/src/utils/cutils/error.h
index e3946cf2..537f4d12 100644
--- a/src/utils/cutils/error.h
+++ b/src/utils/cutils/error.h
@@ -60,11 +60,11 @@ static inline void format_errorf(char **err, const char *format, ...)
char errbuf[BUFSIZ + 1] = { 0 };
va_list argp;
- va_start(argp, format);
if (err == NULL) {
return;
}
+ va_start(argp, format);
ret = vsnprintf(errbuf, BUFSIZ, format, argp);
va_end(argp);
diff --git a/src/utils/cutils/util_atomic.h b/src/utils/cutils/util_atomic.h
index 6fa2a662..5fa2c3d6 100644
--- a/src/utils/cutils/util_atomic.h
+++ b/src/utils/cutils/util_atomic.h
@@ -129,7 +129,8 @@ static inline bool atomic_int_compare_exchange(volatile uint64_t *atomic, uint64
atomic_mutex_lock(&g_atomic_lock);
- if ((success = (*atomic == oldval))) {
+ success = (*atomic == oldval);
+ if (success) {
*atomic = newval;
}
diff --git a/src/utils/cutils/utils.c b/src/utils/cutils/utils.c
index 3cede76a..a29de20e 100644
--- a/src/utils/cutils/utils.c
+++ b/src/utils/cutils/utils.c
@@ -1389,7 +1389,7 @@ static char *get_cpu_variant()
int util_normalized_host_os_arch(char **host_os, char **host_arch, char **host_variant)
{
int ret = 0;
- int i = 0;
+ size_t i;
struct utsname uts;
char *tmp_variant = NULL;
diff --git a/src/utils/cutils/utils_base64.c b/src/utils/cutils/utils_base64.c
index 8301e4f9..3871140e 100644
--- a/src/utils/cutils/utils_base64.c
+++ b/src/utils/cutils/utils_base64.c
@@ -173,13 +173,13 @@ out:
return ret;
}
-size_t util_base64_decode_len(const char *input, size_t len)
+static size_t util_base64_decode_len(const char *input, size_t len)
{
size_t padding_count = 0;
if (input == NULL || len < 4 || len % 4 != 0) {
ERROR("Invalid param for base64 decode length, length is %zu", len);
- return -1;
+ return 0;
}
if (input[len - 1] == '=') {
@@ -189,7 +189,7 @@ size_t util_base64_decode_len(const char *input, size_t len)
}
}
- return (strlen(input) / 4 * 3) - padding_count;
+ return (((strlen(input) / 4) * 3) - padding_count);
}
int util_base64_decode(const char *input, size_t len, unsigned char **out, size_t *out_len)
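Review bot: The size returned by `util_base64_decode_len` is still computed from `strlen(input)`, while the validation and the `input[len - 1]` padding lookup use the caller-supplied `len`, so the two can disagree. When `len` is larger than the real string, the padding lookup reads past the terminator and `((strlen(input) / 4) * 3) - padding_count` can wrap to a huge unsigned value, which the new `out_put_len == 0` check in `util_base64_decode` does not reject before `out_put_len + 1` is allocated. Returning `((len / 4) * 3) - padding_count` keeps the result tied to the validated length and makes 0 an unambiguous error value; a `strlen(input) != len` rejection in the guard would close the mismatch entirely. The function starts in the previous hunk and the padding loop between the two hunks is not shown.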
@@ -219,6 +219,10 @@ int util_base64_decode(const char *input, size_t len, unsigned char **out, size_
io = BIO_push(base64, io);
out_put_len = util_base64_decode_len(input, len);
+ if (out_put_len == 0) {
+ ret = -1;
+ goto out;
+ }
out_put = util_common_calloc_s(out_put_len + 1); // '+1' for '\0'
if (out_put == NULL) {
ERROR("out of memory");
diff --git a/src/utils/cutils/utils_file.c b/src/utils/cutils/utils_file.c
index 4c62aaa6..9000b0dc 100644
--- a/src/utils/cutils/utils_file.c
+++ b/src/utils/cutils/utils_file.c
@@ -120,14 +120,19 @@ int util_path_remove(const char *path)
ssize_t util_write_nointr_in_total(int fd, const char *buf, size_t count)
{
- ssize_t nret = 0;
- ssize_t nwritten;
+ size_t nwritten;
if (buf == NULL) {
return -1;
}
+ if (count > SSIZE_MAX) {
+ ERROR("Too large data to write");
+ return -1;
+ }
+
for (nwritten = 0; nwritten < count;) {
+ ssize_t nret;
nret = write(fd, buf + nwritten, count - nwritten);
if (nret < 0) {
if (errno == EINTR || errno == EAGAIN) {
@@ -140,7 +145,7 @@ ssize_t util_write_nointr_in_total(int fd, const char *buf, size_t count)
}
}
- return nwritten;
+ return (ssize_t)nwritten;
}
ssize_t util_write_nointr(int fd, const void *buf, size_t count)
@@ -1700,9 +1705,10 @@ int util_set_file_group(const char *fname, const char *group)
grp = getgrnam(group);
if (grp != NULL) {
gid = grp->gr_gid;
- DEBUG("Group %s found, gid: %d", group, gid);
+ DEBUG("Group %s found, gid: %u", group, gid);
+ // set owner to -1, will not change owner
if (chown(fname, -1, gid) != 0) {
- ERROR("Failed to chown %s to gid: %d", fname, gid);
+ ERROR("Failed to chown %s to gid: %u", fname, gid);
ret = -1;
goto out;
}
@@ -2032,7 +2038,7 @@ static int copy_file(char *copy_dst, char *copy_src, struct stat *src_stat, map_
} else if (S_ISCHR(src_stat->st_mode) || S_ISBLK(src_stat->st_mode)) {
ret = copy_device(copy_dst, copy_src, src_stat);
} else { // fifo and socket
- ERROR("copy %s failed, unsupported type %d", copy_src, src_stat->st_mode);
+ ERROR("copy %s failed, unsupported type %u", copy_src, src_stat->st_mode);
return -1;
}
if (ret != 0) {
diff --git a/src/utils/cutils/utils_fs.c b/src/utils/cutils/utils_fs.c
index e7165f26..a8c65f86 100644
--- a/src/utils/cutils/utils_fs.c
+++ b/src/utils/cutils/utils_fs.c
@@ -111,7 +111,7 @@ static struct fs_element const g_fs_names[] = {
struct mount_option_element {
const char *option;
bool clear;
- int flag;
+ unsigned long flag;
};
static struct mount_option_element const g_mount_options[] = {
diff --git a/src/utils/cutils/utils_mount_spec.c b/src/utils/cutils/utils_mount_spec.c
index 6793f93b..5386c115 100644
--- a/src/utils/cutils/utils_mount_spec.c
+++ b/src/utils/cutils/utils_mount_spec.c
@@ -67,8 +67,6 @@ static int parse_mount_item_type(const char *value, char *mount_str, mount_spec
static int parse_mount_item_src(const char *value, char *mount_str, mount_spec *m, char *errmsg)
{
- char srcpath[PATH_MAX] = { 0 };
-
/* If value of source is NULL, ignore it */
if (value == NULL) {
return 0;
@@ -87,6 +85,7 @@ static int parse_mount_item_src(const char *value, char *mount_str, mount_spec *
#endif
if (value[0] == '/') {
+ char srcpath[PATH_MAX] = { 0 };
if (!util_clean_path(value, srcpath, sizeof(srcpath))) {
CACHE_ERRMSG(errmsg, "Invalid mount specification '%s'.Can't translate source path to clean path",
mount_str);
diff --git a/src/utils/cutils/utils_string.c b/src/utils/cutils/utils_string.c
index de1cc60e..ba7dd5b4 100644
--- a/src/utils/cutils/utils_string.c
+++ b/src/utils/cutils/utils_string.c
@@ -83,11 +83,10 @@ bool util_strings_contains_word(const char *str, const char *substr)
return false;
}
-int util_strings_count(const char *str, unsigned char c)
+size_t util_strings_count(const char *str, unsigned char c)
{
- size_t i = 0;
- int res = 0;
- size_t len = 0;
+ size_t i, len;
+ size_t res = 0;
if (str == NULL) {
return 0;
diff --git a/src/utils/cutils/utils_string.h b/src/utils/cutils/utils_string.h
index 4e97c574..0de2266c 100644
--- a/src/utils/cutils/utils_string.h
+++ b/src/utils/cutils/utils_string.h
@@ -28,7 +28,7 @@ bool util_strings_contains_any(const char *str, const char *substr);
bool util_strings_contains_word(const char *str, const char *substr);
-int util_strings_count(const char *str, unsigned char c);
+size_t util_strings_count(const char *str, unsigned char c);
bool util_strings_in_slice(const char **strarray, size_t alen, const char *str);
diff --git a/src/utils/cutils/utils_timestamp.c b/src/utils/cutils/utils_timestamp.c
index 85551d51..3a440ca9 100644
--- a/src/utils/cutils/utils_timestamp.c
+++ b/src/utils/cutils/utils_timestamp.c
@@ -495,7 +495,7 @@ bool util_get_tm_from_str(const char *str, struct tm *tm, int32_t *nanos)
if (util_strings_contains_any(str, ".")) {
format = rFC339NanoLocal;
} else if (util_strings_contains_any(str, "T")) {
- int tcolons = util_strings_count(str, ':');
+ size_t tcolons = util_strings_count(str, ':');
switch (tcolons) {
case 0:
format = "2016-01-02T15";
@@ -952,7 +952,7 @@ err_out:
int util_to_unix_nanos_from_str(const char *str, int64_t *nanos)
{
struct tm tm = { 0 };
- struct types_timezone tz;
+ struct types_timezone tz = { 0 };
int32_t nano = 0;
types_timestamp_t ts;
const int s_hour = 3600;
diff --git a/src/utils/http/http.c b/src/utils/http/http.c
index 2b514666..6759a28d 100644
--- a/src/utils/http/http.c
+++ b/src/utils/http/http.c
@@ -266,7 +266,6 @@ static void free_rpath(char *rpath)
static void check_buf_len(struct http_get_options *options, char *errbuf, CURLcode curl_result)
{
- int nret = 0;
size_t len = 0;
if (options == NULL || options->errmsg != NULL) {
@@ -275,6 +274,7 @@ static void check_buf_len(struct http_get_options *options, char *errbuf, CURLco
len = strlen(errbuf);
if (len == 0) {
+ int nret = 0;
nret = snprintf(errbuf, CURL_ERROR_SIZE, "curl response error code %d", curl_result);
if (nret < 0 || (size_t)nret >= CURL_ERROR_SIZE) {
ERROR("Failed to print string for error buffer, errcode %d", curl_result);
diff --git a/src/utils/tar/isulad_tar.c b/src/utils/tar/isulad_tar.c
index 228e091a..d7d69eb2 100644
--- a/src/utils/tar/isulad_tar.c
+++ b/src/utils/tar/isulad_tar.c
@@ -307,10 +307,8 @@ struct archive_copy_info *copy_info_destination_path(const char *path, char **er
nret = copy_info_destination_path_ret(info, st, err, ret, path);
if (nret == 0) {
return info;
- } else {
- goto cleanup;
}
-cleanup:
+
free(info);
return NULL;
}
diff --git a/src/utils/tar/isulad_tar.h b/src/utils/tar/isulad_tar.h
index 31d2d24a..ec085c25 100644
--- a/src/utils/tar/isulad_tar.h
+++ b/src/utils/tar/isulad_tar.h
@@ -31,8 +31,6 @@ struct io_read_wrapper;
extern "C" {
#endif
-#define ARCHIVE_BLOCK_SIZE (32 * 1024)
-
struct archive_copy_info {
char *path;
bool exists;
diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c
index c72e63b8..c63fd00b 100644
--- a/src/utils/tar/util_archive.c
+++ b/src/utils/tar/util_archive.c
@@ -776,9 +776,8 @@ int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, co
child_out:
if (ret != 0) {
exit(EXIT_FAILURE);
- } else {
- exit(EXIT_SUCCESS);
}
+ exit(EXIT_SUCCESS);
}
close(pipe_stderr[1]);
pipe_stderr[1] = -1;
@@ -1037,6 +1036,12 @@ static ssize_t stream_write_data(struct archive *a, void *client_data, const voi
struct io_write_wrapper *writer = (struct io_write_wrapper *)client_data;
size_t written_length = 0;
size_t size = 0;
+
+ if (length > SSIZE_MAX) {
+ ERROR("Too large data to write.");
+ return -1;
+ }
+
while (length > written_length) {
if (length - written_length > ARCHIVE_WRITE_BUFFER_SIZE) {
size = ARCHIVE_WRITE_BUFFER_SIZE;
@@ -1050,7 +1055,7 @@ static ssize_t stream_write_data(struct archive *a, void *client_data, const voi
written_length += size;
}
- return size;
+ return (ssize_t)written_length;
}
static int tar_all(const struct io_write_wrapper *writer, const char *tar_dir, const char *src_base,
@@ -1264,7 +1269,7 @@ static int close_wait_pid(struct archive_context *ctx, int *status)
if (ctx->pid > 0) {
if (waitpid(ctx->pid, status, 0) != ctx->pid) {
- ERROR("Failed to wait pid %u", ctx->pid);
+ ERROR("Failed to wait pid %d", ctx->pid);
ret = -1;
}
}
@@ -1409,9 +1414,8 @@ int archive_chroot_untar_stream(const struct io_read_wrapper *context, const cha
child_out:
if (ret != 0) {
exit(EXIT_FAILURE);
- } else {
- exit(EXIT_SUCCESS);
}
+ exit(EXIT_SUCCESS);
}
close(pipe_stderr[1]);
diff --git a/src/utils/tar/util_gzip.c b/src/utils/tar/util_gzip.c
index 2f4750be..2665e6df 100644
--- a/src/utils/tar/util_gzip.c
+++ b/src/utils/tar/util_gzip.c
@@ -32,7 +32,6 @@ int util_gzip_z(const char *srcfile, const char *dstfile, const mode_t mode)
int srcfd = 0;
gzFile stream = NULL;
ssize_t size = 0;
- size_t n = 0;
void *buffer = 0;
const char *gzerr = NULL;
int errnum = 0;
@@ -58,6 +57,7 @@ int util_gzip_z(const char *srcfile, const char *dstfile, const mode_t mode)
}
while (true) {
+ int n;
size = util_read_nointr(srcfd, buffer, BLKSIZE);
if (size < 0) {
ERROR("read file %s failed: %s", srcfile, strerror(errno));
@@ -68,7 +68,7 @@ int util_gzip_z(const char *srcfile, const char *dstfile, const mode_t mode)
}
n = gzwrite(stream, buffer, size);
- if (n <= 0 || n != (size_t)size) {
+ if (n <= 0 || n != size) {
gzerr = gzerror(stream, &errnum);
if (gzerr != NULL && strcmp(gzerr, "") != 0) {
ERROR("gzread error: %s", gzerr);
@@ -104,7 +104,6 @@ int util_gzip_d(const char *srcfile, const FILE *dstfp)
int ret = 0;
size_t size = 0;
void *buffer = NULL;
- size_t n = 0;
stream = gzopen(srcfile, "r");
if (stream == NULL) {
@@ -120,6 +119,7 @@ int util_gzip_d(const char *srcfile, const FILE *dstfp)
}
while (true) {
+ size_t n;
n = gzread(stream, buffer, BLKSIZE);
if (n <= 0) {
gzerr = gzerror(stream, &errnum);
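Review bot: `n` in `util_gzip_d` is declared `size_t`, but `gzread` returns an `int` and signals failure with -1, which converts to a very large unsigned value and slips past `if (n <= 0)`. The sibling change in `util_gzip_z` already moves its counter to `int`; declaring `int n;` here as well lets the existing error branch fire, with a cast to `size_t` only where the count is later used as a length. The code that consumes `n` after this check lies outside the hunk, so how far a failed read propagates could not be confirmed.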
--
2.25.1


@ -0,0 +1,280 @@
From 939caf2a4fb27a1652ca60873551c94377203188 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Wed, 23 Aug 2023 01:44:18 +0000
Subject: [PATCH 02/10] !2116 clean up sensitive information in memory * clean
up sensitive information in memory
---
src/client/connect/rest/rest_images_client.c | 2 ++
.../entry/connect/grpc/grpc_images_service.cc | 2 ++
.../entry/connect/rest/rest_images_service.c | 3 +++
src/daemon/modules/image/oci/registry/auths.c | 2 ++
.../modules/image/oci/registry/http_request.c | 18 +++++++------
.../image/oci/registry/registry_apiv2.c | 2 +-
src/daemon/modules/image/oci/registry_type.c | 2 +-
src/utils/cutils/utils_array.c | 27 +++++++++++++++++++
src/utils/cutils/utils_array.h | 4 +++
src/utils/http/http.c | 2 +-
10 files changed, 53 insertions(+), 11 deletions(-)
diff --git a/src/client/connect/rest/rest_images_client.c b/src/client/connect/rest/rest_images_client.c
index 726d5ba5..ea7934af 100644
--- a/src/client/connect/rest/rest_images_client.c
+++ b/src/client/connect/rest/rest_images_client.c
@@ -618,6 +618,7 @@ static int image_login_request_to_rest(const struct isula_login_request *request
out:
free(err);
+ util_memset_sensitive_string(crequest->password);
free_image_login_request(crequest);
return ret;
}
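Review bot: `crequest->password` is dereferenced unconditionally under `out:`, so any path that jumps to the label before `crequest` has been allocated would now fault, whereas the existing `free_image_login_request(crequest)` call can only be given the pointer itself. Guarding the wipe, `if (crequest != NULL) { util_memset_sensitive_string(crequest->password); }`, keeps the cleanup safe on early-error paths. The same pattern appears under `out:` in `rest_image_login_cb` in rest_images_service.c. The function body above the label is outside the hunk, so whether such a path exists could not be confirmed.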
@@ -654,6 +655,7 @@ out:
if (output != NULL) {
buffer_free(output);
}
+ util_memset_sensitive_string(body);
put_body(body);
return ret;
}
diff --git a/src/daemon/entry/connect/grpc/grpc_images_service.cc b/src/daemon/entry/connect/grpc/grpc_images_service.cc
index b1ca98b8..f078711e 100644
--- a/src/daemon/entry/connect/grpc/grpc_images_service.cc
+++ b/src/daemon/entry/connect/grpc/grpc_images_service.cc
@@ -517,6 +517,8 @@ Status ImagesServiceImpl::Login(ServerContext *context, const LoginRequest *requ
(void)cb->image.login(image_req, &image_res);
response_to_grpc(image_res, reply);
+ util_memset_sensitive_string(image_req->password);
+
free_image_login_request(image_req);
free_image_login_response(image_res);
diff --git a/src/daemon/entry/connect/rest/rest_images_service.c b/src/daemon/entry/connect/rest/rest_images_service.c
index bd367f29..d7d77826 100644
--- a/src/daemon/entry/connect/rest/rest_images_service.c
+++ b/src/daemon/entry/connect/rest/rest_images_service.c
@@ -19,6 +19,7 @@
#include "isula_libutils/log.h"
#include "callback.h"
#include "image.rest.h"
+#include "utils.h"
#include "rest_service_common.h"
/* image load request check */
@@ -569,6 +570,7 @@ static int image_login_request_from_rest(evhtp_request_t *req, image_login_reque
}
out:
+ util_memset_sensitive_string(body);
put_body(body);
free(err);
return ret;
@@ -629,6 +631,7 @@ static void rest_image_login_cb(evhtp_request_t *req, void *arg)
evhtp_send_image_login_repsponse(req, cresponse, RESTFUL_RES_OK);
out:
+ util_memset_sensitive_string(crequest->password);
free_image_login_request(crequest);
free_image_login_response(cresponse);
}
diff --git a/src/daemon/modules/image/oci/registry/auths.c b/src/daemon/modules/image/oci/registry/auths.c
index ce67d51b..1fbe2bd3 100644
--- a/src/daemon/modules/image/oci/registry/auths.c
+++ b/src/daemon/modules/image/oci/registry/auths.c
@@ -213,6 +213,7 @@ int auths_load(char *host, char **username, char **password)
}
out:
+ // it is not nessasary to clean auths, because it has been encrypted and load from file.
free_registry_auths(auths);
auths = NULL;
free(err);
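Review bot: The added comment has typos ("nessasary", "load from file") and its rationale is hard to check from here: `auths_load` hands `username` and `password` back through out-parameters, so a decoded copy of the credentials presumably exists somewhere in this function even if `auths` itself only holds the stored form. If every decoded intermediate is already wiped, a wording such as `// auths holds only the encrypted form loaded from file, so it is not wiped here` states the intent precisely; if not, those buffers deserve the same `util_free_sensitive_string` treatment as the rest of this patch. The same applies to the comment added under `out:` in `auths_save`.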
@@ -397,6 +398,7 @@ int auths_save(char *host, char *username, char *password)
}
out:
+ // it is not nessasary to clean auth, auths and json, because it has been encrypted and write to file.
free(json);
json = NULL;
free_registry_auths(auths);
diff --git a/src/daemon/modules/image/oci/registry/http_request.c b/src/daemon/modules/image/oci/registry/http_request.c
index f29c2017..10b8bf3c 100644
--- a/src/daemon/modules/image/oci/registry/http_request.c
+++ b/src/daemon/modules/image/oci/registry/http_request.c
@@ -164,11 +164,11 @@ static char *encode_auth(const char *username, const char *password)
}
out:
- free(auth);
+ util_free_sensitive_string(auth);
auth = NULL;
if (ret != 0) {
- free(auth_base64);
+ util_free_sensitive_string(auth_base64);
auth_base64 = NULL;
}
@@ -236,10 +236,10 @@ static char *basic_auth_header(const char *schema, const char *username, const c
}
out:
- free(auth_base64);
+ util_free_sensitive_string(auth_base64);
auth_base64 = NULL;
if (ret != 0) {
- free(auth_header);
+ util_free_sensitive_string(auth_header);
auth_header = NULL;
}
@@ -273,7 +273,7 @@ static int setup_auth_basic(pull_descriptor *desc, char ***custom_headers)
}
out:
- free(auth_header);
+ util_free_sensitive_string(auth_header);
auth_header = NULL;
return ret;
@@ -297,7 +297,7 @@ static int get_bearer_token(pull_descriptor *desc, challenge *c)
return 0;
}
- free(c->cached_token);
+ util_free_sensitive_string(c->cached_token);
c->cached_token = NULL;
c->expires_time = 0;
@@ -317,8 +317,10 @@ static int get_bearer_token(pull_descriptor *desc, challenge *c)
if (token->token != NULL) {
c->cached_token = util_strdup_s(token->token);
+ util_memset_sensitive_string(token->token);
} else if (token->access_token != NULL) {
c->cached_token = util_strdup_s(token->access_token);
+ util_memset_sensitive_string(token->access_token);
} else {
ret = -1;
ERROR("no valid token found");
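Review bot: Only the field that was copied is wiped, so when `token->token` is set a populated `token->access_token` is left untouched until the structure is freed. Wiping both once the copy is done, e.g. `util_memset_sensitive_string(token->token);` followed by `util_memset_sensitive_string(token->access_token);` after the `if`/`else if` chain, covers a response that carries both fields; this assumes the helper tolerates NULL, which this patch does not show. The response buffer the token was parsed from is handled outside the hunk, so whether it is wiped as well could not be checked.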
@@ -399,7 +401,7 @@ static int setup_auth_challenges(pull_descriptor *desc, char ***custom_headers)
goto out;
}
count++;
- free(auth_header);
+ util_free_sensitive_string(auth_header);
auth_header = NULL;
}
@@ -408,7 +410,7 @@ static int setup_auth_challenges(pull_descriptor *desc, char ***custom_headers)
}
out:
- free(auth_header);
+ util_free_sensitive_string(auth_header);
auth_header = NULL;
return ret;
diff --git a/src/daemon/modules/image/oci/registry/registry_apiv2.c b/src/daemon/modules/image/oci/registry/registry_apiv2.c
index d5bfa723..885302cb 100644
--- a/src/daemon/modules/image/oci/registry/registry_apiv2.c
+++ b/src/daemon/modules/image/oci/registry/registry_apiv2.c
@@ -193,7 +193,7 @@ static int parse_auth(pull_descriptor *desc, char *auth)
}
out:
- free(origin_tmp_auth);
+ util_free_sensitive_string(origin_tmp_auth);
origin_tmp_auth = NULL;
return ret;
diff --git a/src/daemon/modules/image/oci/registry_type.c b/src/daemon/modules/image/oci/registry_type.c
index 51fc1697..4556617f 100644
--- a/src/daemon/modules/image/oci/registry_type.c
+++ b/src/daemon/modules/image/oci/registry_type.c
@@ -32,7 +32,7 @@ void free_challenge(challenge *c)
c->realm = NULL;
free(c->service);
c->service = NULL;
- free(c->cached_token);
+ util_free_sensitive_string(c->cached_token);
c->cached_token = NULL;
c->expires_time = 0;
diff --git a/src/utils/cutils/utils_array.c b/src/utils/cutils/utils_array.c
index 4e2ed6fd..2d7dc556 100644
--- a/src/utils/cutils/utils_array.c
+++ b/src/utils/cutils/utils_array.c
@@ -38,6 +38,22 @@ void util_free_array_by_len(char **array, size_t len)
free(array);
}
+void util_free_sensitive_array_by_len(char **array, size_t len)
+{
+ size_t i = 0;
+
+ if (array == NULL) {
+ return;
+ }
+
+ for (; i < len; i++) {
+ util_free_sensitive_string(array[i]);
+ array[i] = NULL;
+ }
+
+ free(array);
+}
+
size_t util_array_len(const char **array)
{
const char **pos;
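Review bot: `util_free_sensitive_array_by_len` and `util_free_sensitive_array` are added without any comment describing their contract, and the declarations in utils_array.h are bare as well. A short header comment such as `/* Wipes each NUL-terminated element before freeing it, then frees the array; use for headers or args that may carry credentials. */` would tell callers when to prefer these over `util_free_array`. Both delegate to `util_free_sensitive_string`, which is not part of this patch; it is worth confirming that its wipe cannot be optimised away as a dead store before `free` (for example by using `explicit_bzero` or `memset_s` rather than a plain `memset`).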
@@ -60,6 +76,17 @@ void util_free_array(char **array)
free(array);
}
+void util_free_sensitive_array(char **array)
+{
+ char **p;
+
+ for (p = array; p != NULL && *p != NULL; p++) {
+ util_free_sensitive_string(*p);
+ *p = NULL;
+ }
+ free(array);
+}
+
int util_array_append(char ***array, const char *element)
{
size_t len;
diff --git a/src/utils/cutils/utils_array.h b/src/utils/cutils/utils_array.h
index de465d2a..c1403f85 100644
--- a/src/utils/cutils/utils_array.h
+++ b/src/utils/cutils/utils_array.h
@@ -36,6 +36,10 @@ int util_grow_array(char ***orig_array, size_t *orig_capacity, size_t size,
int util_array_append(char ***array, const char *element);
+void util_free_sensitive_array(char **array);
+
+void util_free_sensitive_array_by_len(char **array, size_t len);
+
#ifdef __cplusplus
}
#endif
diff --git a/src/utils/http/http.c b/src/utils/http/http.c
index 6759a28d..2b77c422 100644
--- a/src/utils/http/http.c
+++ b/src/utils/http/http.c
@@ -65,7 +65,7 @@ void free_http_get_options(struct http_get_options *options)
free(options->unix_socket_path);
options->unix_socket_path = NULL;
- util_free_array(options->custom_headers);
+ util_free_sensitive_array(options->custom_headers);
options->custom_headers = NULL;
free(options->ca_file);
--
2.25.1


@ -0,0 +1,26 @@
From d4b763c6359d67e1efe9b5e1fde41c0b82eb3d58 Mon Sep 17 00:00:00 2001
From: xuxuepeng <xuxuepeng1@huawei.com>
Date: Wed, 23 Aug 2023 01:51:35 +0000
Subject: [PATCH 03/10] !2118 Fix exec buffer overflow * Fix buffer overflow
for exec
---
src/daemon/modules/service/service_container.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index 9960ace1..0f4a1ed6 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -2016,7 +2016,7 @@ static void get_exec_command(const container_exec_request *request, char *exec_c
for (i = 0; i < request->argv_len; i++) {
if (strlen(request->argv[i]) < len - strlen(exec_command)) {
(void)strcat(exec_command, request->argv[i]);
- if (i != (request->argv_len - 1)) {
+ if (i != (request->argv_len - 1) && len - strlen(exec_command) > 1) {
(void)strcat(exec_command, " ");
}
} else {
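Review bot: `strlen(request->argv[i])` is called on every element without a NULL check, so a request whose `argv` contains a NULL entry would fault before the new bound is even evaluated. A guard at the top of the loop body, `if (request->argv[i] == NULL) { continue; }`, would make the loop robust if that is not already guaranteed upstream. As a style point, the remaining capacity is recomputed with `strlen(exec_command)` up to three times per iteration; a running `used` offset would make the invariant the fix relies on (room for the separator plus the terminator) explicit. The start of `get_exec_command` and the `else` branch are outside the hunk.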
--
2.25.1


@ -0,0 +1,172 @@
From b3dcf63e7eab586cad660e74bcbaf0385c690ac3 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Wed, 23 Aug 2023 02:24:45 +0000
Subject: [PATCH 04/10] !2117 limit the length of runtime args and increase the
length of exec param * limit the length of runtime args and increase the
length of exec param
---
src/cmd/isulad-shim/common.h | 2 +-
.../modules/runtime/isula/isula_rt_ops.c | 57 +++++++++++++++----
src/utils/cutils/utils.h | 2 +
3 files changed, 49 insertions(+), 12 deletions(-)
diff --git a/src/cmd/isulad-shim/common.h b/src/cmd/isulad-shim/common.h
index a5991cc3..f6bc24b5 100644
--- a/src/cmd/isulad-shim/common.h
+++ b/src/cmd/isulad-shim/common.h
@@ -50,7 +50,7 @@ extern "C" {
#define MAX_RT_NAME_LEN 64
#define MAX_CONSOLE_SOCK_LEN 32
-#define MAX_RUNTIME_ARGS 20
+#define MAX_RUNTIME_ARGS 100
#define SHIM_BINARY "isulad-shim"
#define SHIM_LOG_NAME "shim-log.json"
diff --git a/src/daemon/modules/runtime/isula/isula_rt_ops.c b/src/daemon/modules/runtime/isula/isula_rt_ops.c
index 817d663f..7374c3c6 100644
--- a/src/daemon/modules/runtime/isula/isula_rt_ops.c
+++ b/src/daemon/modules/runtime/isula/isula_rt_ops.c
@@ -314,7 +314,7 @@ out:
}
}
-static int get_runtime_args(const char *runtime, const char ***args)
+static int get_runtime_args(const char *runtime, const char ***args, size_t *args_len)
{
int ret = 0;
struct service_arguments *gargs = NULL;
@@ -344,11 +344,18 @@ static int get_runtime_args(const char *runtime, const char ***args)
}
for (i = 0; i < runtimes->len; i++) {
- if (strcmp(runtime, runtimes->keys[i]) == 0) {
+ if (strcmp(runtime, runtimes->keys[i]) != 0) {
+ continue;
+ }
+ if (runtimes->values[i]->runtime_args_len > MAX_OCI_RUNTIME_ARGS) {
+ isulad_set_error_message("Too many runtimeArgs, runtimeArgs must be less than %d", MAX_OCI_RUNTIME_ARGS);
+ ERROR("Too many runtimeArgs, runtimeArgs must be less than %d", MAX_OCI_RUNTIME_ARGS);
+ ret = -1;
+ } else {
*args = (const char **)runtimes->values[i]->runtime_args;
- ret = runtimes->values[i]->runtime_args_len;
- goto unlock_out;
+ *args_len = runtimes->values[i]->runtime_args_len;
}
+ goto unlock_out;
}
unlock_out:
if (isulad_server_conf_unlock()) {
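Review bot: When no key in `runtimes` matches, `get_runtime_args` now returns 0 without writing `*args` or `*args_len`, so callers that treat 0 as success go on to use whatever those variables held before the call. Setting the out-parameters up front, `*args = NULL; *args_len = 0;`, preserves the old "no match means zero args" behaviour; the callers' initialisation is outside the visible hunks, so this may already be covered. Separately, the guard is `runtime_args_len > MAX_OCI_RUNTIME_ARGS` while the message says "must be less than %d", so a count equal to the limit is accepted although the text says otherwise; "must not exceed %d" would match the check. The callers also test the result inconsistently (`ret != 0` in most places, `ret < 0` in `preparation_exec`).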
@@ -438,12 +445,16 @@ static void runtime_exec_param_init(runtime_exec_info *rei)
}
}
-static void runtime_exec_info_init(runtime_exec_info *rei, const char *workdir, const char *runtime, const char *subcmd,
+static int runtime_exec_info_init(runtime_exec_info *rei, const char *workdir, const char *runtime, const char *subcmd,
const char **opts, size_t opts_len, const char *id, char **params, size_t params_num)
{
+ int ret = 0;
rei->workdir = workdir;
rei->runtime = runtime;
- rei->args_len = get_runtime_args(runtime, &rei->args);
+ ret = get_runtime_args(runtime, &rei->args, &rei->args_len);
+ if (ret != 0) {
+ return -1;
+ }
get_runtime_cmd(runtime, &rei->cmd);
rei->subcmd = subcmd;
rei->opts = opts;
@@ -454,6 +465,7 @@ static void runtime_exec_info_init(runtime_exec_info *rei, const char *workdir,
runtime_exec_param_init(rei);
runtime_exec_param_dump((const char **)rei->params);
+ return 0;
}
static void runtime_exec_func(void *arg)
@@ -507,7 +519,12 @@ static int runtime_call_status(const char *workdir, const char *runtime, const c
int ret = 0;
char *params[PARAM_NUM] = { 0 };
- runtime_exec_info_init(&rei, workdir, runtime, "state", NULL, 0, id, params, PARAM_NUM);
+ ret = runtime_exec_info_init(&rei, workdir, runtime, "state", NULL, 0, id, params, PARAM_NUM);
+ if (ret != 0) {
+ ERROR("Failed to init runtime exec info");
+ ret = -1;
+ goto out;
+ }
if (!util_exec_cmd(runtime_exec_func, &rei, NULL, &stdout_msg, &stderr_msg)) {
ERROR("call runtime status failed: %s", stderr_msg);
@@ -557,7 +574,12 @@ static int runtime_call_stats(const char *workdir, const char *runtime, const ch
char *params[PARAM_NUM] = { 0 };
const char *opts[1] = { "--stats" };
- runtime_exec_info_init(&rei, workdir, runtime, "events", opts, 1, id, params, PARAM_NUM);
+ ret = runtime_exec_info_init(&rei, workdir, runtime, "events", opts, 1, id, params, PARAM_NUM);
+ if (ret != 0) {
+ ERROR("Failed to init runtime exec info");
+ ret = -1;
+ goto out;
+ }
if (!util_exec_cmd(runtime_exec_func, &rei, NULL, &stdout_msg, &stderr_msg)) {
ERROR("call runtime events --stats failed: %s", stderr_msg);
@@ -610,7 +632,12 @@ static int runtime_call_simple(const char *workdir, const char *runtime, const c
int ret = 0;
char *params[PARAM_NUM] = { 0 };
- runtime_exec_info_init(&rei, workdir, runtime, subcmd, opts, opts_len, id, params, PARAM_NUM);
+ ret = runtime_exec_info_init(&rei, workdir, runtime, subcmd, opts, opts_len, id, params, PARAM_NUM);
+ if (ret != 0) {
+ ERROR("Failed to init runtime exec info");
+ return -1;
+ }
+
if (!util_exec_cmd(runtime_exec_func, &rei, NULL, &stdout_msg, &stderr_msg)) {
ERROR("call runtime %s failed stderr %s", subcmd, stderr_msg);
ret = -1;
@@ -940,7 +967,11 @@ int rt_isula_create(const char *id, const char *runtime, const rt_create_params_
return -1;
}
config = params->oci_config_data;
- runtime_args_len = get_runtime_args(runtime, &runtime_args);
+ ret = get_runtime_args(runtime, &runtime_args, &runtime_args_len);
+ if (ret != 0) {
+ ERROR("Failed to get runtime args");
+ return -1;
+ }
if (snprintf(workdir, sizeof(workdir), "%s/%s", params->state, id) < 0) {
INFO("make full workdir failed");
@@ -1186,7 +1217,11 @@ static int preparation_exec(const char *id, const char *runtime, const char *wor
}
process = params->spec;
- runtime_args_len = get_runtime_args(runtime, &runtime_args);
+ ret = get_runtime_args(runtime, &runtime_args, &runtime_args_len);
+ if (ret < 0) {
+ ERROR("Failed to get runtime args");
+ return -1;
+ }
p.exec = true;
p.isulad_stdin = (char *)params->console_fifos[0];
diff --git a/src/utils/cutils/utils.h b/src/utils/cutils/utils.h
index d14d048e..8489ca63 100644
--- a/src/utils/cutils/utils.h
+++ b/src/utils/cutils/utils.h
@@ -76,6 +76,8 @@ int malloc_trim(size_t pad);
#define PARAM_NUM 100
+#define MAX_OCI_RUNTIME_ARGS 50
+
/* image error start */
#define EIMAGEBUSY 2
#define ENAMECONFLICT 3
--
2.25.1


@ -0,0 +1,966 @@
From c60b974f2b3279b132d7562071a9b9c6549366d1 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Tue, 22 Aug 2023 14:25:17 +0800
Subject: [PATCH 05/10] ensure argument of interface is not null
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/common/constants.h | 2 +-
src/daemon/modules/container/container_unix.c | 15 +++--------
.../container/health_check/health_check.c | 3 ++-
.../leftover_cleanup/clean_context.c | 2 +-
.../restart_manager/restartmanager.c | 2 +-
.../modules/container/supervisor/supervisor.c | 3 ++-
src/daemon/modules/events/collector.c | 4 +--
src/daemon/modules/image/oci/registry/auths.c | 3 +++
src/daemon/modules/log/log_gather.c | 5 ++++
src/daemon/modules/plugin/plugin.c | 18 +++++++++++--
src/daemon/modules/runtime/runtime.c | 18 ++++++-------
src/daemon/modules/runtime/shim/shim_rt_ops.c | 10 +++++--
src/utils/buffer/buffer.c | 6 ++++-
src/utils/console/console.c | 5 ++++
src/utils/cutils/filters.c | 1 +
src/utils/cutils/mainloop.c | 26 ++++++++++++++++++-
src/utils/cutils/path.c | 4 +++
src/utils/cutils/utils.c | 14 ++++++++++
src/utils/cutils/utils_file.c | 26 +++++++++++++++----
src/utils/cutils/utils_fs.c | 16 ++++++++++++
src/utils/cutils/utils_network.c | 8 +++++-
src/utils/cutils/utils_string.c | 8 ++++++
src/utils/cutils/utils_timestamp.c | 6 ++++-
src/utils/http/http.c | 5 ++++
src/utils/http/parser.c | 4 +--
src/utils/tar/isulad_tar.c | 16 ++++++++++--
src/utils/tar/util_archive.c | 4 +--
src/utils/tar/util_gzip.c | 8 ++++++
test/cutils/utils_file/utils_file_ut.cc | 3 +++
29 files changed, 196 insertions(+), 49 deletions(-)
diff --git a/src/common/constants.h b/src/common/constants.h
index 37854291..e968d8cd 100644
--- a/src/common/constants.h
+++ b/src/common/constants.h
@@ -42,7 +42,7 @@ extern "C" {
#define SECURE_CONFIG_FILE_MODE 0600
-#define ARCH_LOG_FILE_MODE 0440
+#define ARCH_LOG_FILE_MODE 0400
#define WORKING_LOG_FILE_MODE 0640
diff --git a/src/daemon/modules/container/container_unix.c b/src/daemon/modules/container/container_unix.c
index 9392cf0d..d9706f08 100644
--- a/src/daemon/modules/container/container_unix.c
+++ b/src/daemon/modules/container/container_unix.c
@@ -410,16 +410,11 @@ static int pack_path_and_args_from_container_spec(const container_config *contai
v2_spec->path = util_strdup_s(container_spec->cmd[0]);
total = container_spec->cmd_len - 1;
- if (total > SIZE_MAX / sizeof(char *)) {
- ERROR("Container oci spec process args elements is too much!");
- ret = -1;
- goto out;
- }
if (total == 0) {
goto out;
}
- v2_spec->args = util_common_calloc_s(total * sizeof(char *));
+ v2_spec->args = util_smart_calloc_s(sizeof(char *), total);
if (v2_spec->args == NULL) {
ERROR("Out of memory");
ret = -1;
@@ -1137,19 +1132,15 @@ int container_exit_on_next(container_t *cont)
/* this function should be called in container_lock*/
int container_wait_stop(container_t *cont, int timeout)
{
- int ret = 0;
-
if (cont == NULL) {
return -1;
}
if (!container_is_running(cont->state)) {
- goto unlock;
+ return 0;
}
- ret = container_wait_stop_cond_wait(cont, timeout);
-unlock:
- return ret;
+ return container_wait_stop_cond_wait(cont, timeout);
}
/* container wait stop locking */
diff --git a/src/daemon/modules/container/health_check/health_check.c b/src/daemon/modules/container/health_check/health_check.c
index e9dcbdb9..2b840228 100644
--- a/src/daemon/modules/container/health_check/health_check.c
+++ b/src/daemon/modules/container/health_check/health_check.c
@@ -376,6 +376,7 @@ static void *stop_container_on_unhealthy(void *arg)
ret = pthread_detach(pthread_self());
if (ret != 0) {
CRIT("Set thread detach fail");
+ return NULL;
}
if (arg == NULL) {
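Review bot: The added `return NULL;` after a failed pthread_detach leaves stop_container_on_unhealthy before `arg` is examined, so whatever the creator passed in `arg` is neither used nor released on this path, and the stop action the thread exists for is skipped. The rest of the function is outside the hunk, so ownership of `arg` is inferred; if the thread owns it, the early exit should release it first, or the detach failure should only be logged as before. The same early return is added to clean_resources_thread in supervisor.c, where skipping the body presumably skips the cleanup itself.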
@@ -603,7 +604,7 @@ static void health_check_run(const char *container_id)
cont = containers_store_get(container_id);
if (cont == NULL) {
ERROR("Failed to get container info");
- goto out;
+ return;
}
config = cont->common_config->config;
diff --git a/src/daemon/modules/container/leftover_cleanup/clean_context.c b/src/daemon/modules/container/leftover_cleanup/clean_context.c
index 6ccc39ed..517d3cbd 100644
--- a/src/daemon/modules/container/leftover_cleanup/clean_context.c
+++ b/src/daemon/modules/container/leftover_cleanup/clean_context.c
@@ -62,7 +62,7 @@ void clean_ctx_fill_broken_rootfs(struct clean_ctx *ctx, const char *id)
struct linked_list *new_node = NULL;
char *broken_id = NULL;
- if (!ctx->inited) {
+ if (ctx == NULL || !ctx->inited) {
return;
}
diff --git a/src/daemon/modules/container/restart_manager/restartmanager.c b/src/daemon/modules/container/restart_manager/restartmanager.c
index 7bd0f4d5..e5fffcb6 100644
--- a/src/daemon/modules/container/restart_manager/restartmanager.c
+++ b/src/daemon/modules/container/restart_manager/restartmanager.c
@@ -431,7 +431,7 @@ bool restart_manager_should_restart(const char *id, uint32_t exit_code, bool has
restart_manager_set_items(rm, exit_code, exec_duration);
restart = should_be_restart(rm, exit_code, has_been_manually_stopped);
- if (restart) {
+ if (restart && timeout != NULL) {
*timeout = (uint64_t)rm->timeout;
}
diff --git a/src/daemon/modules/container/supervisor/supervisor.c b/src/daemon/modules/container/supervisor/supervisor.c
index d5997b63..3ce4ec1e 100644
--- a/src/daemon/modules/container/supervisor/supervisor.c
+++ b/src/daemon/modules/container/supervisor/supervisor.c
@@ -170,6 +170,7 @@ static void *clean_resources_thread(void *arg)
ret = pthread_detach(pthread_self());
if (ret != 0) {
CRIT("Set thread detach fail");
+ return NULL;
}
prctl(PR_SET_NAME, "Clean resource");
@@ -217,7 +218,7 @@ retry:
}
/* new clean resources thread */
-int new_clean_resources_thread(struct supervisor_handler_data *data)
+static int new_clean_resources_thread(struct supervisor_handler_data *data)
{
int ret = 0;
pthread_t clean_thread;
diff --git a/src/daemon/modules/events/collector.c b/src/daemon/modules/events/collector.c
index b3c7622a..3c1eae1a 100644
--- a/src/daemon/modules/events/collector.c
+++ b/src/daemon/modules/events/collector.c
@@ -514,8 +514,6 @@ out:
static void events_append(const struct isulad_events_format *event)
{
struct isulad_events_format *tmpevent = NULL;
- struct linked_list *newnode = NULL;
- struct linked_list *firstnode = NULL;
if (pthread_mutex_lock(&g_events_buffer.event_mutex)) {
WARN("Failed to lock");
@@ -523,6 +521,7 @@ static void events_append(const struct isulad_events_format *event)
}
if (g_events_buffer.size < EVENTSLIMIT) {
+ struct linked_list *newnode = NULL;
newnode = util_common_calloc_s(sizeof(struct linked_list));
if (newnode == NULL) {
CRIT("Memory allocation error.");
@@ -547,6 +546,7 @@ static void events_append(const struct isulad_events_format *event)
linked_list_add_tail(&g_events_buffer.event_list, newnode);
g_events_buffer.size++;
} else {
+ struct linked_list *firstnode = NULL;
firstnode = linked_list_first_node(&g_events_buffer.event_list);
if (firstnode != NULL) {
linked_list_del(firstnode);
diff --git a/src/daemon/modules/image/oci/registry/auths.c b/src/daemon/modules/image/oci/registry/auths.c
index 1fbe2bd3..98202cf6 100644
--- a/src/daemon/modules/image/oci/registry/auths.c
+++ b/src/daemon/modules/image/oci/registry/auths.c
@@ -103,6 +103,9 @@ static int decode_auth_aes(char *encoded, char **username, char **password)
goto out;
}
+ free(*username);
+ util_free_sensitive_string(*password);
+
*username = util_strdup_s(auth_parts[0]);
*password = util_strdup_s(auth_parts[1]);
(void)memset(auth_parts[0], 0, strlen(auth_parts[0]));
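Review bot: Releasing `*username` and `*password` before the new assignment makes decode_auth_aes depend on every caller passing pointers that are either NULL or heap-owned; a caller holding an uninitialized `char *` would turn this into an invalid free. The callers are outside the hunk, so this needs confirming and is worth stating on the function, e.g. `/* *username and *password must be NULL or heap-allocated on entry; previous values are freed */`. The function starts and ends outside the hunk.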
diff --git a/src/daemon/modules/log/log_gather.c b/src/daemon/modules/log/log_gather.c
index 414c9ad1..8c19f33b 100644
--- a/src/daemon/modules/log/log_gather.c
+++ b/src/daemon/modules/log/log_gather.c
@@ -89,6 +89,11 @@ static int file_rotate_me(const char *file_name)
return -1;
}
+ if (chmod(tmp_path, ARCH_LOG_FILE_MODE) != 0) {
+ ERROR("Change mode of %s failed", tmp_path);
+ return -1;
+ }
+
if (gzip(tmp_path, sizeof(tmp_path))) {
WARN("Gzip file failed");
return -2;
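Review bot: The chmod failure message drops the errno text, unlike the other path-based error logs in this series; `ERROR("Change mode of %s failed: %s", tmp_path, strerror(errno));` would make a permission or missing-file cause visible. The mode is applied to tmp_path before gzip() runs, and gzip's definition is outside the hunk, so it is worth confirming that the compressed file it produces also ends up with ARCH_LOG_FILE_MODE rather than a default mode. file_rotate_me starts and ends outside the hunk.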
diff --git a/src/daemon/modules/plugin/plugin.c b/src/daemon/modules/plugin/plugin.c
index 1c0af368..e08479ab 100644
--- a/src/daemon/modules/plugin/plugin.c
+++ b/src/daemon/modules/plugin/plugin.c
@@ -794,7 +794,7 @@ static int plugin_set_activated(plugin_t *plugin, bool activated, const char *er
int plugin_set_manifest(plugin_t *plugin, const plugin_manifest_t *manifest)
{
- if (manifest == NULL) {
+ if (plugin == NULL || manifest == NULL) {
return -1;
}
@@ -974,7 +974,7 @@ static bool plugin_useby_container(const plugin_t *plugin, const container_t *co
}
free(plugin_names);
- free(pnames);
+ util_free_array(pnames);
return ok;
}
@@ -1175,6 +1175,11 @@ out:
int pm_add_plugin(plugin_t *plugin)
{
int ok = 0;
+
+ if (plugin == NULL) {
+ return -1;
+ }
+
pm_wrlock();
ok = map_insert(g_plugin_manager->np, (void *)plugin->name, plugin);
pm_unlock();
@@ -1191,6 +1196,11 @@ int pm_add_plugin(plugin_t *plugin)
int pm_del_plugin(const plugin_t *plugin)
{
int ok;
+
+ if (plugin == NULL) {
+ return -1;
+ }
+
pm_wrlock();
/* plugin_put() called in map_remove() by pm_np_item_free() */
ok = map_remove(g_plugin_manager->np, (void *)plugin->name);
@@ -1204,6 +1214,10 @@ int pm_del_plugin(const plugin_t *plugin)
int pm_get_plugin(const char *name, plugin_t **rplugin)
{
+ if (rplugin == NULL) {
+ return -1;
+ }
+
if (do_get_plugin(name, rplugin) == 0) {
return 0;
}
diff --git a/src/daemon/modules/runtime/runtime.c b/src/daemon/modules/runtime/runtime.c
index 93ce987f..f2222315 100644
--- a/src/daemon/modules/runtime/runtime.c
+++ b/src/daemon/modules/runtime/runtime.c
@@ -121,7 +121,7 @@ int runtime_create(const char *name, const char *runtime, const rt_create_params
int ret = 0;
const struct rt_ops *ops = NULL;
- if (name == NULL || runtime == NULL) {
+ if (name == NULL || runtime == NULL || params == NULL) {
ERROR("Invalide arguments for runtime create");
ret = -1;
goto out;
@@ -145,7 +145,7 @@ int runtime_start(const char *name, const char *runtime, const rt_start_params_t
int ret = 0;
const struct rt_ops *ops = NULL;
- if (name == NULL || runtime == NULL || pid_info == NULL) {
+ if (name == NULL || runtime == NULL || params == NULL || pid_info == NULL) {
ERROR("Invalide arguments for runtime start");
ret = -1;
goto out;
@@ -169,7 +169,7 @@ int runtime_kill(const char *name, const char *runtime, const rt_kill_params_t *
int ret = 0;
const struct rt_ops *ops = NULL;
- if (name == NULL || runtime == NULL) {
+ if (name == NULL || runtime == NULL || params == NULL) {
ERROR("Invalid arguments for runtime kill");
ret = -1;
goto out;
@@ -193,7 +193,7 @@ int runtime_restart(const char *name, const char *runtime, const rt_restart_para
int ret = 0;
const struct rt_ops *ops = NULL;
- if (name == NULL || runtime == NULL) {
+ if (name == NULL || runtime == NULL || params == NULL) {
ERROR("Invalide arguments for runtime restart");
ret = -1;
goto out;
@@ -217,7 +217,7 @@ int runtime_clean_resource(const char *name, const char *runtime, const rt_clean
int ret = 0;
const struct rt_ops *ops = NULL;
- if (name == NULL || runtime == NULL) {
+ if (name == NULL || runtime == NULL || params == NULL) {
ERROR("Invalide arguments for runtime clean");
ret = -1;
goto out;
@@ -241,7 +241,7 @@ int runtime_rm(const char *name, const char *runtime, const rt_rm_params_t *para
int ret = 0;
const struct rt_ops *ops = NULL;
- if (name == NULL || runtime == NULL) {
+ if (name == NULL || runtime == NULL || params == NULL) {
ERROR("Invalide arguments for runtime rm");
ret = -1;
goto out;
@@ -266,7 +266,7 @@ int runtime_status(const char *name, const char *runtime, const rt_status_params
int ret = 0;
const struct rt_ops *ops = NULL;
- if (name == NULL || runtime == NULL || status == NULL) {
+ if (name == NULL || runtime == NULL || params == NULL || status == NULL) {
ERROR("Invalide arguments for runtime status");
ret = -1;
goto out;
@@ -291,7 +291,7 @@ int runtime_resources_stats(const char *name, const char *runtime, const rt_stat
int ret = 0;
const struct rt_ops *ops = NULL;
- if (name == NULL || runtime == NULL || rs_stats == NULL) {
+ if (name == NULL || runtime == NULL || params == NULL || rs_stats == NULL) {
ERROR("Invalide arguments for runtime stats");
ret = -1;
goto out;
@@ -315,7 +315,7 @@ int runtime_exec(const char *name, const char *runtime, const rt_exec_params_t *
int ret = 0;
const struct rt_ops *ops = NULL;
- if (name == NULL || runtime == NULL || exit_code == NULL) {
+ if (name == NULL || runtime == NULL || params == NULL || exit_code == NULL) {
ERROR("Invalide arguments for runtime exec");
ret = -1;
goto out;
diff --git a/src/daemon/modules/runtime/shim/shim_rt_ops.c b/src/daemon/modules/runtime/shim/shim_rt_ops.c
index 9afb9ce7..8cdf0138 100644
--- a/src/daemon/modules/runtime/shim/shim_rt_ops.c
+++ b/src/daemon/modules/runtime/shim/shim_rt_ops.c
@@ -188,12 +188,14 @@ static int shim_bin_v2_create(const char *runtime, const char *id, const char *w
}
close(exec_fd[1]);
+ exec_fd[1] = -1;
if (util_read_nointr(exec_fd[0], exec_buff, sizeof(exec_buff) - 1) > 0) {
ERROR("exec failed: %s", exec_buff);
ret = -1;
goto out;
}
close(exec_fd[0]);
+ exec_fd[0] = -1;
status = util_wait_for_pid_status(pid);
if (status < 0) {
@@ -207,9 +209,13 @@ static int shim_bin_v2_create(const char *runtime, const char *id, const char *w
close(out_fd[1]);
util_read_nointr(out_fd[0], stdout_buff, sizeof(stdout_buff) - 1);
close(out_fd[0]);
+ out_fd[0] = -1;
+ out_fd[1] = -1;
close(err_fd[1]);
util_read_nointr(err_fd[0], stderr_buff, sizeof(stderr_buff) - 1);
close(err_fd[0]);
+ err_fd[0] = -1;
+ err_fd[1] = -1;
if (status != 0) {
ERROR("shim-v2 binary %d exit in %d with %s, %s", pid, status, stdout_buff, stderr_buff);
@@ -342,7 +348,7 @@ int rt_shim_clean_resource(const char *id, const char *runtime, const rt_clean_p
int ret = 0;
int nret = 0;
char workdir[PATH_MAX] = {0};
- struct DeleteResponse res = {};
+ struct DeleteResponse res = {0};
if (id == NULL || runtime == NULL || params == NULL) {
ERROR("Invalid input params");
@@ -518,7 +524,7 @@ int rt_shim_status(const char *id, const char *runtime, const rt_status_params_t
char address[PATH_MAX] = {0};
int ret = 0;
int nret = 0;
- struct State ss = {};
+ struct State ss = {0};
if (id == NULL || params == NULL || status == NULL) {
ERROR("Invalid input params");
diff --git a/src/utils/buffer/buffer.c b/src/utils/buffer/buffer.c
index 7f6bc527..172809a2 100644
--- a/src/utils/buffer/buffer.c
+++ b/src/utils/buffer/buffer.c
@@ -78,7 +78,7 @@ void buffer_empty(Buffer *buf)
}
/* buffer grow */
-int buffer_grow(Buffer *buffer, size_t min_size)
+static int buffer_grow(Buffer *buffer, size_t min_size)
{
size_t factor = 0;
size_t new_size = 0;
@@ -128,6 +128,10 @@ int buffer_append(Buffer *buf, const char *append, size_t len)
return -1;
}
+ if (append == NULL || len == 0) {
+ return 0;
+ }
+
desired_length = len + 1;
if ((buf->total_size - buf->bytes_used) < desired_length) {
int status = buffer_grow(buf, desired_length);
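Review bot: The new early return in buffer_append treats `append == NULL` with a non-zero `len` as success, which hides a caller error, whereas the check just above it returns -1 for a bad argument. Splitting the condition keeps the empty append a no-op while rejecting the inconsistent call: `if (append == NULL) { return len == 0 ? 0 : -1; }` followed by `if (len == 0) { return 0; }`. buffer_append starts and ends outside the hunk.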
diff --git a/src/utils/console/console.c b/src/utils/console/console.c
index d5e5d9af..a160d685 100644
--- a/src/utils/console/console.c
+++ b/src/utils/console/console.c
@@ -208,6 +208,11 @@ int console_fifo_create(const char *fifo_path)
{
int ret;
+ if (fifo_path == NULL || strlen(fifo_path) > PATH_MAX) {
+ ERROR("Invalid input!");
+ return -1;
+ }
+
ret = mknod(fifo_path, S_IFIFO | S_IRUSR | S_IWUSR, (dev_t)0);
if (ret < 0 && errno != EEXIST) {
ERROR("Failed to mknod monitor fifo %s: %s.", fifo_path, strerror(errno));
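Review bot: The length guard in console_fifo_create uses `strlen(fifo_path) > PATH_MAX`, but PATH_MAX counts the terminating NUL, so a path of exactly PATH_MAX characters passes the check even though it cannot fit in a PATH_MAX buffer. `if (fifo_path == NULL || strlen(fifo_path) >= PATH_MAX) {` rejects it. mknod would still fail for such a path, so the effect is limited to the check not matching its intent.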
diff --git a/src/utils/cutils/filters.c b/src/utils/cutils/filters.c
index 43ccde20..bb0d81be 100644
--- a/src/utils/cutils/filters.c
+++ b/src/utils/cutils/filters.c
@@ -287,6 +287,7 @@ bool filters_args_match(const struct filters_args *filters, const char *field, c
map_t *field_values_map = NULL;
map_itor *itor = NULL;
+ // if filters == NULL, filters_args_exact_match will return true
if (filters_args_exact_match(filters, field, source)) {
return true;
}
diff --git a/src/utils/cutils/mainloop.c b/src/utils/cutils/mainloop.c
index 1028087a..365d1e53 100644
--- a/src/utils/cutils/mainloop.c
+++ b/src/utils/cutils/mainloop.c
@@ -37,6 +37,10 @@ int epoll_loop(struct epoll_descr *descr, int t)
struct epoll_loop_handler *epoll_handler = NULL;
struct epoll_event evs[MAX_EVENTS];
+ if (descr == NULL) {
+ return -1;
+ }
+
while (1) {
int ep_fds = epoll_wait(descr->fd, evs, MAX_EVENTS, t);
if (ep_fds < 0) {
@@ -77,6 +81,10 @@ int epoll_loop_add_handler(struct epoll_descr *descr, int fd, epoll_loop_callbac
struct epoll_loop_handler *epoll_handler = NULL;
struct linked_list *node = NULL;
+ if (descr == NULL) {
+ return -1;
+ }
+
epoll_handler = util_common_calloc_s(sizeof(*epoll_handler));
if (epoll_handler == NULL) {
goto fail_out;
@@ -114,6 +122,10 @@ int epoll_loop_del_handler(struct epoll_descr *descr, int fd)
struct epoll_loop_handler *epoll_handler = NULL;
struct linked_list *index = NULL;
+ if (descr == NULL) {
+ return -1;
+ }
+
linked_list_for_each(index, &descr->handler_list) {
epoll_handler = index->elem;
@@ -136,6 +148,10 @@ fail_out:
/* epoll loop open */
int epoll_loop_open(struct epoll_descr *descr)
{
+ if (descr == NULL) {
+ return -1;
+ }
+
descr->fd = epoll_create1(EPOLL_CLOEXEC);
if (descr->fd < 0) {
return -1;
@@ -152,6 +168,11 @@ int epoll_loop_close(struct epoll_descr *descr)
{
struct linked_list *index = NULL;
struct linked_list *next = NULL;
+ int ret = 0;
+
+ if (descr == NULL) {
+ return ret;
+ }
linked_list_for_each_safe(index, &(descr->handler_list), next) {
linked_list_del(index);
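Review bot: epoll_loop_close returns 0 for a NULL `descr`, while the NULL checks added to epoll_loop, epoll_loop_add_handler, epoll_loop_del_handler and epoll_loop_open in this patch all return -1. If treating a NULL descriptor as an already-closed loop is intended, a comment such as `/* closing a NULL descr is a no-op */` on the check would record that; otherwise `return -1;` matches the sibling functions. The function's tail is in the next hunk.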
@@ -159,5 +180,8 @@ int epoll_loop_close(struct epoll_descr *descr)
free(index);
}
- return close(descr->fd);
+ ret = close(descr->fd);
+ descr->fd = -1;
+
+ return ret;
}
diff --git a/src/utils/cutils/path.c b/src/utils/cutils/path.c
index 5a743632..d586e981 100644
--- a/src/utils/cutils/path.c
+++ b/src/utils/cutils/path.c
@@ -567,6 +567,10 @@ char *util_get_resource_path(const char *rootpath, const char *path)
char tmppath[PATH_MAX] = { 0 };
char fullpath[PATH_MAX] = { 0 };
+ if (rootpath == NULL) {
+ return NULL;
+ }
+
nret = snprintf(tmppath, sizeof(tmppath), "/%s/%s", rootpath, path);
if (nret < 0 || (size_t)nret >= sizeof(tmppath)) {
return NULL;
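Review bot: util_get_resource_path now rejects a NULL `rootpath`, but `path` is passed to the same `snprintf` `%s` conversion just below without a check, and a NULL `%s` argument is undefined behaviour. Extending the guard to `if (rootpath == NULL || path == NULL) {` covers both arguments. The function body continues outside the hunk.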
diff --git a/src/utils/cutils/utils.c b/src/utils/cutils/utils.c
index a29de20e..d628e1f6 100644
--- a/src/utils/cutils/utils.c
+++ b/src/utils/cutils/utils.c
@@ -1182,6 +1182,10 @@ int util_input_readall(char *buf, size_t maxlen)
size_t i = 0;
int ret = 0;
+ if (buf == NULL) {
+ return 0;
+ }
+
for (;;) {
int c = getchar();
if (c == EOF) {
@@ -1234,12 +1238,18 @@ static int util_input(char *buf, size_t maxlen, bool echo_back)
// Get input from stdin, echo back if get any character.
int util_input_echo(char *buf, size_t maxlen)
{
+ if (buf == NULL) {
+ return 0;
+ }
return util_input(buf, maxlen, true);
}
// Get input from stdin, no echo back.
int util_input_noecho(char *buf, size_t maxlen)
{
+ if (buf == NULL) {
+ return 0;
+ }
return util_input(buf, maxlen, false);
}
@@ -1269,6 +1279,10 @@ int util_generate_random_str(char *id, size_t len)
size_t i;
const int m = 256;
+ if (id == NULL) {
+ return -1;
+ }
+
len = len / 2;
fd = open("/dev/urandom", O_RDONLY);
if (fd == -1) {
diff --git a/src/utils/cutils/utils_file.c b/src/utils/cutils/utils_file.c
index 9000b0dc..5fa556f3 100644
--- a/src/utils/cutils/utils_file.c
+++ b/src/utils/cutils/utils_file.c
@@ -41,7 +41,7 @@
#include "utils_array.h"
#include "utils_string.h"
-int copy_dir_recursive(char *copy_dst, char *copy_src, map_t *inodes);
+static int copy_dir_recursive(char *copy_dst, char *copy_src, map_t *inodes);
static void do_calculate_dir_size_without_hardlink(const char *dirpath, int recursive_depth, int64_t *total_size,
int64_t *total_inode, map_t *map);
@@ -303,14 +303,18 @@ out:
bool util_force_remove_file(const char *fname, int *saved_errno)
{
+ if (fname == NULL) {
+ return true;
+ }
+
if (unlink(fname) == 0) {
return true;
}
- WARN("Failed to delete %s: %s", fname, strerror(errno));
- if (*saved_errno == 0) {
+ if (saved_errno != NULL && *saved_errno == 0) {
*saved_errno = errno;
}
+ WARN("Failed to delete %s: %s", fname, strerror(errno));
if (mark_file_mutable(fname) != 0) {
WARN("Failed to mark file mutable");
@@ -711,6 +715,10 @@ int util_gzip_compressed(const char *filename, bool *gzip)
FILE *f = NULL;
int ret = 0;
+ if (filename == NULL || gzip == NULL) {
+ return -1;
+ }
+
f = fopen(filename, "rb");
if (f == NULL) {
ERROR("Failed to open file %s: %s", filename, strerror(errno));
@@ -1663,7 +1671,7 @@ int util_proc_file_line_by_line(FILE *fp, read_line_callback_t cb, void *context
ssize_t nret = 0;
int ret = 0;
- if (fp == NULL) {
+ if (fp == NULL || cb == NULL) {
ERROR("Invalid parameter");
return -1;
}
@@ -1730,6 +1738,10 @@ int util_recursive_remove_path(const char *path)
{
int ret = 0;
+ if (path == NULL) {
+ return -1;
+ }
+
if (unlink(path) != 0 && errno != ENOENT) {
ret = util_recursive_rmdir(path, 0);
}
@@ -2053,6 +2065,10 @@ int util_copy_dir_recursive(char *copy_dst, char *copy_src)
int ret = 0;
map_t *inodes = NULL;
+ if (copy_dst == NULL || copy_src == NULL) {
+ return -1;
+ }
+
// key: source inode, value: target file path
inodes = map_new(MAP_INT_STR, MAP_DEFAULT_CMP_FUNC, MAP_DEFAULT_FREE_FUNC);
if (inodes == NULL) {
@@ -2067,7 +2083,7 @@ int util_copy_dir_recursive(char *copy_dst, char *copy_src)
return ret;
}
-int copy_dir_recursive(char *copy_dst, char *copy_src, map_t *inodes)
+static int copy_dir_recursive(char *copy_dst, char *copy_src, map_t *inodes)
{
char **entries = NULL;
size_t entry_num = 0;
diff --git a/src/utils/cutils/utils_fs.c b/src/utils/cutils/utils_fs.c
index a8c65f86..ae71f3ba 100644
--- a/src/utils/cutils/utils_fs.c
+++ b/src/utils/cutils/utils_fs.c
@@ -362,6 +362,10 @@ bool util_detect_mounted(const char *path)
size_t length = 0;
bool bret = false;
+ if (path == NULL) {
+ return false;
+ }
+
fp = util_fopen("/proc/self/mountinfo", "r");
if (fp == NULL) {
ERROR("Failed opening /proc/self/mountinfo");
@@ -396,6 +400,10 @@ bool util_deal_with_mount_info(mount_info_call_back_t cb, const char *pattern)
bool bret = true;
int nret = 0;
+ if (cb == NULL) {
+ return false;
+ }
+
fp = util_fopen("/proc/self/mountinfo", "r");
if (fp == NULL) {
ERROR("Failed opening /proc/self/mountinfo");
@@ -582,6 +590,10 @@ int util_mount_from(const char *base, const char *src, const char *dst, const ch
pid_t pid = -1;
int keepfds[] = { -1 };
+ if (base == NULL || src == NULL || dst == NULL || mtype == NULL) {
+ return -1;
+ }
+
pid = fork();
if (pid == (pid_t) -1) {
ERROR("Failed to fork: %s", strerror(errno));
@@ -628,6 +640,10 @@ bool util_check_readonly_fs(const char *path)
const int max_retry = 10;
struct statfs fsbuf;
+ if (path == NULL) {
+ return false;
+ }
+
for (i = 0; i < max_retry; i++) {
if (statfs(path, &fsbuf) == 0) {
break;
diff --git a/src/utils/cutils/utils_network.c b/src/utils/cutils/utils_network.c
index c77edc3c..7f67b326 100644
--- a/src/utils/cutils/utils_network.c
+++ b/src/utils/cutils/utils_network.c
@@ -102,6 +102,10 @@ int util_mount_namespace(const char *netns_path)
int ret = 0;
void *status = NULL;
+ if (netns_path == NULL) {
+ return -1;
+ }
+
ret = pthread_create(&newns_thread, NULL, mount_netns, (void *)netns_path);
if (ret != 0) {
ERROR("Failed to create thread");
@@ -135,8 +139,10 @@ out:
int util_umount_namespace(const char *netns_path)
{
int i = 0;
+
if (netns_path == NULL) {
- WARN("Invalid path to umount");
+ WARN("Empty netns path to umount");
+ return 0;
}
for (i = 0; i < 50; i++) {
diff --git a/src/utils/cutils/utils_string.c b/src/utils/cutils/utils_string.c
index ba7dd5b4..64afb570 100644
--- a/src/utils/cutils/utils_string.c
+++ b/src/utils/cutils/utils_string.c
@@ -190,6 +190,10 @@ int util_parse_size_int_and_float(const char *numstr, int64_t mlt, int64_t *conv
char *dot = NULL;
int nret;
+ if (numstr == NULL || converted == NULL) {
+ return -1;
+ }
+
dot = strchr(numstr, '.');
if (dot != NULL) {
char tmp;
@@ -824,6 +828,10 @@ int util_string_array_unique(const char **elements, size_t length, char ***uniqu
char **tmp_elements = NULL;
size_t tmp_elements_len = 0;
+ if (unique_elements == NULL || unique_elements_len == NULL) {
+ return -1;
+ }
+
if (elements == NULL || length == 0) {
return 0;
}
diff --git a/src/utils/cutils/utils_timestamp.c b/src/utils/cutils/utils_timestamp.c
index 3a440ca9..2f378078 100644
--- a/src/utils/cutils/utils_timestamp.c
+++ b/src/utils/cutils/utils_timestamp.c
@@ -214,6 +214,10 @@ out:
/* get time buffer */
bool util_get_time_buffer(const types_timestamp_t *timestamp, char *timebuffer, size_t maxsize)
{
+ if (timestamp == NULL) {
+ return false;
+ }
+
return get_time_buffer_help(timestamp, timebuffer, maxsize, false);
}
@@ -382,7 +386,7 @@ bool util_parsing_time(const char *format, const char *time, struct tm *tm, int3
size_t len_time = 0;
size_t index_nanos = 0;
- if (format == NULL || time == NULL) {
+ if (format == NULL || time == NULL || tm == NULL || nanos == NULL) {
return false;
}
diff --git a/src/utils/http/http.c b/src/utils/http/http.c
index 2b77c422..47d17455 100644
--- a/src/utils/http/http.c
+++ b/src/utils/http/http.c
@@ -528,6 +528,11 @@ int authz_http_request(const char *username, const char *action, char **resp)
int nret = 0;
size_t length = 0;
struct http_get_options *options = NULL;
+
+ if (username == NULL || action == NULL || resp == NULL) {
+ return -1;
+ }
+
if (strlen(username) > ((SIZE_MAX - strlen(action)) - strlen(":")) - 1) {
ERROR("Invalid arguments");
return -1;
diff --git a/src/utils/http/parser.c b/src/utils/http/parser.c
index 30b26a00..5f61d336 100644
--- a/src/utils/http/parser.c
+++ b/src/utils/http/parser.c
@@ -307,8 +307,7 @@ int parse_http(const char *buf, size_t len, struct parsed_http_message *m,
parser = parser_init(type, m);
if (parser == NULL) {
- ret = -1;
- goto out;
+ return -1;
}
nparsed = parse(buf, len, parser);
@@ -320,7 +319,6 @@ int parse_http(const char *buf, size_t len, struct parsed_http_message *m,
free_out:
parser_free(parser);
-out:
return ret;
}
diff --git a/src/utils/tar/isulad_tar.c b/src/utils/tar/isulad_tar.c
index d7d69eb2..7264282f 100644
--- a/src/utils/tar/isulad_tar.c
+++ b/src/utils/tar/isulad_tar.c
@@ -97,7 +97,7 @@ cleanup:
return ret;
}
-int resolve_host_source_path(const char *path, bool follow_link, char **resolved_path, char **rebase_name, char **err)
+static int resolve_host_source_path(const char *path, bool follow_link, char **resolved_path, char **rebase_name, char **err)
{
int ret = -1;
int nret = 0;
@@ -174,6 +174,10 @@ struct archive_copy_info *copy_info_source_path(const char *path, bool follow_li
char *resolved_path = NULL;
char *rebase_name = NULL;
+ if (path == NULL || err == NULL) {
+ return NULL;
+ }
+
info = util_common_calloc_s(sizeof(struct archive_copy_info));
if (info == NULL) {
ERROR("Out of memory");
@@ -283,7 +287,7 @@ cleanup:
return -1;
}
-struct archive_copy_info *copy_info_destination_path(const char *path, char **err)
+static struct archive_copy_info *copy_info_destination_path(const char *path, char **err)
{
struct archive_copy_info *info = NULL;
struct stat st;
@@ -389,6 +393,10 @@ int archive_copy_to(const struct io_read_wrapper *content, const struct archive_
char *src_base = NULL;
char *dst_base = NULL;
+ if (err == NULL || dstpath == NULL || srcinfo == NULL || content == NULL) {
+ return -1;
+ }
+
dstinfo = copy_info_destination_path(dstpath, err);
if (dstinfo == NULL) {
ERROR("Can not get destination info: %s", dstpath);
@@ -444,5 +452,9 @@ cleanup:
int tar_resource(const struct archive_copy_info *info, struct io_read_wrapper *archive_reader, char **err)
{
+ if (info == NULL || archive_reader == NULL || err == NULL) {
+ return -1;
+ }
+
return tar_resource_rebase(info->path, info->rebase_name, archive_reader, err);
}
diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c
index c63fd00b..08116589 100644
--- a/src/utils/tar/util_archive.c
+++ b/src/utils/tar/util_archive.c
@@ -66,7 +66,7 @@ struct archive_content_data {
char buff[ARCHIVE_READ_BUFFER_SIZE];
};
-ssize_t read_content(struct archive *a, void *client_data, const void **buff)
+static ssize_t read_content(struct archive *a, void *client_data, const void **buff)
{
struct archive_content_data *mydata = client_data;
@@ -535,8 +535,6 @@ static void try_to_replace_exited_dst(const char *dst_path, struct archive_entry
if (util_recursive_remove_path(dst_path) != 0) {
ERROR("Failed to remove path %s while unpack", dst_path);
}
-
- return;
}
int archive_unpack_handler(const struct io_read_wrapper *content, const struct archive_options *options)
diff --git a/src/utils/tar/util_gzip.c b/src/utils/tar/util_gzip.c
index 2665e6df..bf649300 100644
--- a/src/utils/tar/util_gzip.c
+++ b/src/utils/tar/util_gzip.c
@@ -36,6 +36,10 @@ int util_gzip_z(const char *srcfile, const char *dstfile, const mode_t mode)
const char *gzerr = NULL;
int errnum = 0;
+ if (srcfile == NULL || dstfile == NULL) {
+ return -1;
+ }
+
srcfd = util_open(srcfile, O_RDONLY, SECURE_CONFIG_FILE_MODE);
if (srcfd < 0) {
ERROR("Open src file: %s, failed: %s", srcfile, strerror(errno));
@@ -105,6 +109,10 @@ int util_gzip_d(const char *srcfile, const FILE *dstfp)
size_t size = 0;
void *buffer = NULL;
+ if (srcfile == NULL || dstfp == NULL) {
+ return -1;
+ }
+
stream = gzopen(srcfile, "r");
if (stream == NULL) {
ERROR("gzopen %s failed: %s", srcfile, strerror(errno));
diff --git a/test/cutils/utils_file/utils_file_ut.cc b/test/cutils/utils_file/utils_file_ut.cc
index 78c07e60..cacfef45 100644
--- a/test/cutils/utils_file/utils_file_ut.cc
+++ b/test/cutils/utils_file/utils_file_ut.cc
@@ -197,8 +197,11 @@ TEST(utils_file, test_util_proc_file_line_by_line)
fp = util_fopen(path.c_str(), "r");
checked_layers = map_new(MAP_STR_BOOL, MAP_DEFAULT_CMP_FUNC, MAP_DEFAULT_FREE_FUNC);
ASSERT_EQ(util_proc_file_line_by_line(fp, parse_checked_layer_cb, (void *)checked_layers), 0);
+ ASSERT_EQ(util_proc_file_line_by_line(fp, nullptr, (void *)checked_layers), -1);
fclose(fp);
ASSERT_EQ(util_path_remove(path.c_str()), 0);
+
+ ASSERT_EQ(util_proc_file_line_by_line(nullptr, parse_checked_layer_cb, (void *)checked_layers), -1);
}
TEST(utils_file, test_util_recursive_remove_path)
--
2.25.1


@ -0,0 +1,44 @@
From deb3e52ca981edb943fa77f2f2d5ef4ea2f6839a Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Wed, 23 Aug 2023 16:39:14 +1400
Subject: [PATCH 07/10] clear author msg in isulad-check.sh and use
EANBLE_IMAGE_LIBARAY to isolate image_api.h
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
CMakeLists.txt | 6 ++++--
src/contrib/sysmonitor/isulad-check.sh | 1 -
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index d1ec1cc1..a22a3702 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -91,8 +91,10 @@ ENDIF(ENABLE_FUZZ AND (NOT ENABLE_UT))
# install all files
install(FILES ${CMAKE_BINARY_DIR}/conf/isulad.pc
DESTINATION ${LIB_INSTALL_DIR_DEFAULT}/pkgconfig PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ GROUP_WRITE)
-install(FILES src/daemon/modules/api/image_api.h
- DESTINATION include/isulad)
+if (EANBLE_IMAGE_LIBARAY)
+ install(FILES src/daemon/modules/api/image_api.h
+ DESTINATION include/isulad)
+endif()
# install config files
set(conf_prefix "/etc")
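Review bot: The guard variable is spelled `EANBLE_IMAGE_LIBARAY`, and CMake evaluates an undefined variable in `if()` as false without any diagnostic, so if the option is declared under a different spelling elsewhere, image_api.h is silently never installed. The option's definition is outside this hunk; confirm that it uses exactly this name, or correct the spelling in both places at once.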
diff --git a/src/contrib/sysmonitor/isulad-check.sh b/src/contrib/sysmonitor/isulad-check.sh
index 0df88a44..adb1700e 100755
--- a/src/contrib/sysmonitor/isulad-check.sh
+++ b/src/contrib/sysmonitor/isulad-check.sh
@@ -10,7 +10,6 @@
# - PURPOSE.
# - See the Mulan PSL v2 for more details.
##- @Description: isulad check
-##- @Author: maoweiyong
##- @Create: 2019-02-25
#######################################################################*/
--
2.25.1


@ -0,0 +1,31 @@
From eb6beefdfb9b854f7dd761830d50713e1ab45627 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Wed, 23 Aug 2023 07:25:50 +0000
Subject: [PATCH 08/10] !2126 do not judge the snprintf result of hostname * do
not judge the snprintf result of hostname
---
src/daemon/executor/container_cb/execution_network.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/daemon/executor/container_cb/execution_network.c b/src/daemon/executor/container_cb/execution_network.c
index 09aadd9b..95cfcce3 100644
--- a/src/daemon/executor/container_cb/execution_network.c
+++ b/src/daemon/executor/container_cb/execution_network.c
@@ -924,10 +924,10 @@ static int create_default_hostname(const char *id, const char *rootpath, bool sh
ret = gethostname(hostname, sizeof(hostname));
} else {
// max length of hostname from ID is 12 + '\0'
+ // the purpose is to truncate the first 12 bits of id,
+ // nret is 64, no need to judge
nret = snprintf(hostname, 13, "%s", id);
- if (nret < 0 || (size_t)nret >= 13) {
- ret = -1;
- }
+ ret = nret < 0 ? 1 : 0;
}
if (ret != 0) {
ERROR("Create hostname error");
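Review bot: The new `ret = nret < 0 ? 1 : 0;` reports failure as 1 where the removed lines used -1; the `ret != 0` check below still catches it, but `ret = nret < 0 ? -1 : 0;` keeps the error value consistent. The added comment says "12 bits" where it means the first 12 characters of `id`, and "nret is 64" holds only if `id` is always a 64-character ID, which this hunk does not show. I would reword it to `// intentionally keep only the first 12 characters of id; snprintf returns the full id length, so only nret < 0 is an error`. `create_default_hostname` starts and ends outside the hunk, so whether `id` is checked for NULL before this call is not visible here.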
--
2.25.1


@ -0,0 +1,199 @@
From abcd0d5cf419224d6a016b5ebee0786e96544be3 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Wed, 23 Aug 2023 15:42:42 +0800
Subject: [PATCH 09/10] [image] ensure id of loaded and pulled image is valid
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/daemon/modules/image/oci/oci_import.c | 14 ++++++++++---
src/daemon/modules/image/oci/oci_load.c | 21 ++++++-------------
.../modules/image/oci/registry/registry.c | 8 ++++++-
src/daemon/modules/image/oci/utils_images.c | 15 +++++++++++++
src/daemon/modules/image/oci/utils_images.h | 3 +++
src/utils/cutils/utils.h | 2 --
src/utils/sha256/sha256.c | 1 -
7 files changed, 42 insertions(+), 22 deletions(-)
diff --git a/src/daemon/modules/image/oci/oci_import.c b/src/daemon/modules/image/oci/oci_import.c
index 335ee8d4..b261188d 100644
--- a/src/daemon/modules/image/oci/oci_import.c
+++ b/src/daemon/modules/image/oci/oci_import.c
@@ -97,7 +97,7 @@ static int register_layer(import_desc *desc)
return -1;
}
- id = util_without_sha256_prefix(desc->uncompressed_digest);
+ id = oci_image_id_from_digest(desc->uncompressed_digest);
if (id == NULL) {
ERROR("Invalid NULL param");
return -1;
@@ -318,8 +318,16 @@ static int register_image(import_desc *desc)
opts.create_time = &desc->now_time;
opts.digest = desc->manifest_digest;
- image_id = util_without_sha256_prefix(desc->config_digest);
- top_layer_id = util_without_sha256_prefix(desc->uncompressed_digest);
+ image_id = oci_image_id_from_digest(desc->config_digest);
+ if (image_id == NULL) {
+ ret = -1;
+ goto out;
+ }
+ top_layer_id = oci_image_id_from_digest(desc->uncompressed_digest);
+ if (top_layer_id == NULL) {
+ ret = -1;
+ goto out;
+ }
ret = storage_img_create(image_id, top_layer_id, NULL, &opts);
if (ret != 0) {
pre_top_layer = storage_get_img_top_layer(image_id);
diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c
index 64ef2a1a..01b9ef6e 100644
--- a/src/daemon/modules/image/oci/oci_load.c
+++ b/src/daemon/modules/image/oci/oci_load.c
@@ -283,16 +283,6 @@ out:
return full_digest;
}
-static char *oci_load_without_sha256_prefix(char *digest)
-{
- if (digest == NULL) {
- ERROR("Invalid digest NULL when strip sha256 prefix");
- return NULL;
- }
-
- return digest + strlen(SHA256_PREFIX);
-}
-
static int registry_layer_from_tarball(const load_layer_blob_t *layer, const char *id, const char *parent)
{
int ret = 0;
@@ -338,7 +328,7 @@ static int oci_load_register_layers(load_image_t *desc)
}
for (i = 0; i < desc->layers_len; i++) {
- id = oci_load_without_sha256_prefix(desc->layers[i]->chain_id);
+ id = oci_image_id_from_digest(desc->layers[i]->chain_id);
if (id == NULL) {
ERROR("layer %zu have NULL digest for image %s", i, desc->im_id);
ret = -1;
@@ -450,7 +440,7 @@ static int oci_load_create_image(load_image_t *desc, const char *dst_tag)
top_layer_index = desc->layers_len - 1;
opts.create_time = &timestamp;
opts.digest = desc->manifest_digest;
- top_layer_id = oci_load_without_sha256_prefix(desc->layers[top_layer_index]->chain_id);
+ top_layer_id = oci_image_id_from_digest(desc->layers[top_layer_index]->chain_id);
if (top_layer_id == NULL) {
ERROR("NULL top layer id found for image %s", desc->im_id);
ret = -1;
@@ -735,7 +725,7 @@ static int oci_load_set_layers_info(load_image_t *im, const image_manifest_items
}
parent_chain_id_sha256 = im->layers[i]->chain_id;
- id = oci_load_without_sha256_prefix(im->layers[i]->chain_id);
+ id = oci_image_id_from_digest(im->layers[i]->chain_id);
if (id == NULL) {
ERROR("Wipe out sha256 prefix failed from layer with chain id : %s", im->layers[i]->chain_id);
ret = -1;
@@ -803,7 +793,8 @@ static load_image_t *oci_load_process_manifest(const image_manifest_items_elemen
goto out;
}
- image_id = oci_load_without_sha256_prefix(image_digest);
+ // call util_valid_digest to ensure digest is valid, so image id is valid
+ image_id = oci_image_id_from_digest(image_digest);
if (image_id == NULL) {
ret = -1;
ERROR("Remove sha256 prefix error from image digest %s", image_digest);
@@ -843,7 +834,7 @@ static int64_t get_layer_size_from_storage(char *chain_id_pre)
return -1;
}
- id = oci_load_without_sha256_prefix(chain_id_pre);
+ id = oci_image_id_from_digest(chain_id_pre);
if (id == NULL) {
ERROR("Get chain id failed from value:%s", chain_id_pre);
size = -1;
diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c
index 14e84f81..402863a0 100644
--- a/src/daemon/modules/image/oci/registry/registry.c
+++ b/src/daemon/modules/image/oci/registry/registry.c
@@ -869,7 +869,13 @@ static int register_image(pull_descriptor *desc)
// lock when create image to make sure image content all exist
mutex_lock(&g_shared->image_mutex);
- image_id = util_without_sha256_prefix(desc->config.digest);
+ image_id = oci_image_id_from_digest(desc->config.digest);
+ if (image_id == NULL) {
+ ERROR("Invalid digest: %s", desc->config.digest);
+ isulad_try_set_error_message("invalid image digest: %s", desc->config.digest);
+ ret = -1;
+ goto out;
+ }
ret = create_image(desc, image_id, &reuse);
if (ret != 0) {
ERROR("create image %s failed", desc->image_name);
diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c
index 794f0d16..6acbbb12 100644
--- a/src/daemon/modules/image/oci/utils_images.c
+++ b/src/daemon/modules/image/oci/utils_images.c
@@ -639,3 +639,18 @@ out:
return ret;
}
+
+char *oci_image_id_from_digest(char *digest)
+{
+ if (digest == NULL) {
+ ERROR("Empty digest");
+ return NULL;
+ }
+
+ if (!util_valid_digest(digest)) {
+ ERROR("Load image with invalid digest: %s", digest);
+ return NULL;
+ }
+
+ return digest + strlen(SHA256_PREFIX);
+}
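Review bot: The `ERROR("Load image with invalid digest: %s", digest)` in `oci_image_id_from_digest` logs a string that has just failed `util_valid_digest`, and the callers added in this patch pass digests from the import, load and pull paths, which presumably originate in image manifests the daemon does not control. A rejected value can therefore be arbitrarily long when it reaches the log; `ERROR("Invalid image digest: %.80s", digest);` bounds the length, and the neutral wording also fits the pull and import callers. The same unvalidated value is passed to `isulad_try_set_error_message` in the registry.c hunk of this patch, where the same bound would apply.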
diff --git a/src/daemon/modules/image/oci/utils_images.h b/src/daemon/modules/image/oci/utils_images.h
index 53bce4e0..86c1b2a7 100644
--- a/src/daemon/modules/image/oci/utils_images.h
+++ b/src/daemon/modules/image/oci/utils_images.h
@@ -58,6 +58,9 @@ char *get_hostname_to_strip();
char *oci_image_digest_pos(const char *name);
+// return a pointer to digest string without 'sha256:' prefix
+char *oci_image_id_from_digest(char *digest);
+
#ifdef __cplusplus
}
#endif
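Review bot: The comment on the new `oci_image_id_from_digest` declaration leaves out the two things a caller has to know. It returns NULL when `digest` is NULL or fails `util_valid_digest`, and the returned pointer is `digest` plus the prefix length, so it must not be freed and is valid only as long as `digest` is. I would extend the comment to `// return a pointer into digest just past the 'sha256:' prefix, or NULL if digest is NULL or invalid;` followed by `// the result aliases digest: do not free it and do not use it after digest is freed`.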
diff --git a/src/utils/cutils/utils.h b/src/utils/cutils/utils.h
index 8489ca63..bb510062 100644
--- a/src/utils/cutils/utils.h
+++ b/src/utils/cutils/utils.h
@@ -379,8 +379,6 @@ int util_generate_random_str(char *id, size_t len);
int util_check_inherited_exclude_fds(bool closeall, int *fds_to_ignore, size_t len_fds);
-char *util_without_sha256_prefix(char *digest);
-
int util_normalized_host_os_arch(char **host_os, char **host_arch, char **host_variant);
int util_read_pid_ppid_info(uint32_t pid, pid_ppid_info_t *pid_info);
diff --git a/src/utils/sha256/sha256.c b/src/utils/sha256/sha256.c
index 938e3692..81375111 100644
--- a/src/utils/sha256/sha256.c
+++ b/src/utils/sha256/sha256.c
@@ -390,7 +390,6 @@ char *sha256_full_digest_str(char *str)
char *util_without_sha256_prefix(char *digest)
{
if (digest == NULL || !util_has_prefix(digest, SHA256_PREFIX)) {
- ERROR("Invalid digest when strip sha256 prefix");
return NULL;
}
--
2.25.1


@ -0,0 +1,31 @@
From df06219fd70592e049d392a03662ace9d40c2988 Mon Sep 17 00:00:00 2001
From: jake <jikai11@huawei.com>
Date: Thu, 24 Aug 2023 02:20:23 +0000
Subject: [PATCH 10/10] !2129 Limit the response size of ExecSync * Limit the
response size of ExecSync
---
src/daemon/entry/cri/cri_container_manager_service_impl.cc | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/daemon/entry/cri/cri_container_manager_service_impl.cc b/src/daemon/entry/cri/cri_container_manager_service_impl.cc
index 101824ae..ed9e8e72 100644
--- a/src/daemon/entry/cri/cri_container_manager_service_impl.cc
+++ b/src/daemon/entry/cri/cri_container_manager_service_impl.cc
@@ -1316,7 +1316,13 @@ static auto WriteToString(void *context, const void *data, size_t len) -> ssize_
return 0;
}
+ // Limit the response size of ExecSync, outside of the response limit will never be seen
+ // Allow last write to exceed the limited size since every single write has a limit len
+ const size_t max_stream_size = 1024 * 1024 * 16;
std::string *str = reinterpret_cast<std::string *>(context);
+ if (str->length() >= max_stream_size) {
+ return (ssize_t)len;
+ }
str->append(reinterpret_cast<const char *>(data), len);
return (ssize_t)len;
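Review bot: The 16 MiB cap in `WriteToString` is checked only before the append, so the buffer can still grow to `max_stream_size - 1 + len` bytes; the comment relies on every write having a bounded `len`, which nothing in this hunk enforces. Clamping the append makes the limit hold regardless of the caller: `str->append(reinterpret_cast<const char *>(data), std::min(len, max_stream_size - str->length()));` (needs `<algorithm>`), with the early return kept for the case where no budget remains. Output past the cap is dropped while the function still returns `len`, so the comment should also say that the truncation is not signalled to the ExecSync caller. The function starts and ends outside the hunk.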
--
2.25.1


@ -1,5 +1,5 @@
%global _version 2.0.18
%global _release 11
%global _release 12
%global is_systemd 1
%global enable_shimv2 1
%global is_embedded 1
@ -119,6 +119,16 @@ Patch0103: 0103-Added-restrictions-on-container-health-checks.patch
Patch0104: 0104-add-testcases-for-restrictions-on-container-health-c.patch
Patch0105: 0105-link-libcap-for-storage_layers_ut-and-storage_d.patch
Patch0106: 0106-modify-the-help-information-of-health-timeout.patch
Patch0107: 0107-improve-coding.patch
Patch0108: 0108-2116-clean-up-sensitive-information-in-memory.patch
Patch0109: 0109-2118-Fix-exec-buffer-overflow.patch
Patch0110: 0110-2117-limit-the-length-of-runtime-args-and-increase-t.patch
Patch0111: 0111-ensure-argument-of-interface-is-not-null.patch
Patch0112: 0112-2123-add-verify-for-snprintf-and-fix-some-codecheck-.patch
Patch0113: 0113-clear-author-msg-in-isulad-check.sh-and-use-EANBLE_I.patch
Patch0114: 0114-2126-do-not-judge-the-snprintf-result-of-hostname.patch
Patch0115: 0115-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch
Patch0116: 0116-2129-Limit-the-response-size-of-ExecSync.patch
%ifarch x86_64 aarch64
Provides: libhttpclient.so()(64bit)
@ -363,6 +373,12 @@ fi
%endif
%changelog
* THU Aug 24 2023 zhongtao <zhongtao17@huawei.com> - 2.0.18-12
- Type: bugfix
- ID: NA
- SUG: NA
- DESC: code improvements and bugfix for code review
* Tue Aug 15 2023 zhongtao <zhongtao17@huawei.com> - 2.0.18-11
- Type: bugfix
- ID: NA