
[OpenWrt-Devel,libnl-tiny,2/3] silence use after the free clang analyzer warning

Message ID 20191106164120.5329-2-ynezz@true.cz
State Accepted
Delegated to: Petr Štetiar

Commit Message

Petr Štetiar Nov. 6, 2019, 4:41 p.m. UTC
scan-build from clang version 9 complains about following:

 nl.c:507:9: warning: Use of memory after it is freed
        while (nlmsg_ok(hdr, n)) {
               ^~~~~~~~~~~~~~~~

which seems to be an impossible code path; the clang analyzer apparently
does not properly account for the return value of nl_syserr2nlerr(errno):

 } else {
    free(msg.msg_control);
    free(*buf);
    return -nl_syserr2nlerr(errno);
 }

which should be always < 0, but analyzer is still checking for > 0 code
path as well for some reason. So in order to make the analyzer happy,
set the buf pointer to NULL explicitly and add assert to make it clear,
that this codepath should never happen.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
---
 nl.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

Patch

diff --git a/nl.c b/nl.c
index 2649470f542f..505965fd16aa 100644
--- a/nl.c
+++ b/nl.c
@@ -400,7 +400,9 @@  int nl_recv(struct nl_sock *sk, struct sockaddr_nl *nla,
 		page_size = getpagesize() * 4;
 
 	iov.iov_len = page_size;
-	iov.iov_base = *buf = malloc(iov.iov_len);
+	iov.iov_base = *buf = calloc(1, iov.iov_len);
+	if (!*buf)
+		return -nl_syserr2nlerr(errno);
 
 	if (sk->s_flags & NL_SOCK_PASSCRED) {
 		msg.msg_controllen = CMSG_SPACE(sizeof(struct ucred));
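Review bot: The new allocation-failure return, `return -nl_syserr2nlerr(errno);`, depends on calloc() having set errno and on the mapping of that value, which is the same pattern the commit message says the analyzer cannot reason about. A constant, `return -NLE_NOMEM;`, is provably negative and states the cause directly. The switch from malloc() to calloc() also zero-fills the whole receive buffer on every call, a behaviour change the commit message does not mention. Only a fragment of nl_recv is visible, so whether the control-buffer allocation after the `NL_SOCK_PASSCRED` test is checked the same way cannot be seen here and is worth confirming.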
@@ -421,6 +423,7 @@  retry:
 		} else {
 			free(msg.msg_control);
 			free(*buf);
+			*buf = NULL;
 			return -nl_syserr2nlerr(errno);
 		}
 	}
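Review bot: In this error branch errno is read only after two free() calls, and free() is not guaranteed to preserve errno on older libcs, so the code passed to nl_syserr2nlerr() may not be the one the failed receive produced. Capturing it first closes that gap: `int err = errno;` before the frees, then `return -nl_syserr2nlerr(err);`. The added `*buf = NULL;` is fine as it stands, since it stops callers from seeing a dangling pointer. The `if`/`else` chain this branch belongs to begins outside the hunk.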
@@ -445,6 +448,7 @@  retry:
 	if (msg.msg_namelen != sizeof(struct sockaddr_nl)) {
 		free(msg.msg_control);
 		free(*buf);
+		*buf = NULL;
 		return -NLE_NOADDR;
 	}
 
@@ -463,6 +467,7 @@  retry:
 abort:
 	free(msg.msg_control);
 	free(*buf);
+	*buf = NULL;
 	return 0;
 }
 
@@ -501,6 +506,9 @@  continue_reading:
 	if (n <= 0)
 		return n;
 
+	/* make clang analyzer happy */
+	assert(n > 0 && buf);
+
 	NL_DBG(3, "recvmsgs(%p): Read %d bytes\n", sk, n);
 
 	hdr = (struct nlmsghdr *) buf;
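Review bot: The added `assert(n > 0 && buf);` is compiled out when NDEBUG is defined, so release builds get no runtime guard, while builds with assertions enabled would abort the host process from inside a library if the invariant ever broke. The `n > 0` half is already guaranteed by `if (n <= 0) return n;` just above, so only the `buf` half carries information. A check that holds in every build would be `if (!buf) return -NLE_FAILURE;`, and the comment would be more useful stating the invariant than the tool, e.g. `/* nl_recv() leaves *buf NULL whenever it returns <= 0 */`, assuming that holds on every return path. Whether nl.c already includes `<assert.h>` is not visible in this patch, and the enclosing function starts and ends outside the hunk.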