Commit 6ccabd57 authored by Jiri Popelka's avatar Jiri Popelka

Possible problems found by static analysis of code.

We analyzed the net-tools-1.60 code with Coverity.
Coverity is commercial enterprise level tool for
static analysis (analysis based only on compiling
of sources, not based on running of binary) of the code.

This change should fix some possible problems like resource (memory,
file descriptors) leaks.

The relevant parts of the scan log follow. The line
numbers may differ considerably, as we analyzed Red Hat's
heavily patched version of net-tools-1.60.

Error: RESOURCE_LEAK
ipmaddr.c:191: alloc_fn: Calling allocation function "malloc".
ipmaddr.c:191: var_assign: Assigning: "ma" =  storage returned from "malloc(sizeof (m) /*64*/)".
ipmaddr.c:203: overwrite_var: Overwriting "ma" in call "ma = malloc(sizeof (m) /*64*/)" leaks the storage that "ma" points to.

Error: RESOURCE_LEAK
iptunnel.c:473: alloc_fn: Calling allocation function "fopen".
iptunnel.c:473: var_assign: Assigning: "fp" =  storage returned from "fopen("/proc/net/dev", "r")".
iptunnel.c:488: leaked_storage: Variable "fp" going out of scope leaks the storage it points to.
iptunnel.c:524: leaked_storage: Variable "fp" going out of scope leaks the storage it points to.

Error: FORWARD_NULL
lib/inet.c:408: var_compare_op: Comparing "item" to null implies that "item" might be null.
lib/inet.c:410: var_deref_op: Dereferencing null variable "item".

Error: RESOURCE_LEAK
lib/masq_info.c:174: alloc_fn: Calling allocation function "malloc".
lib/masq_info.c:174: var_assign: Assigning: "mslist" =  storage returned from "malloc(1152UL)".
lib/masq_info.c:215: leaked_storage: Variable "mslist" going out of scope leaks the storage it points to.

Error: RESOURCE_LEAK
lib/netrom_gr.c:35: alloc_fn: Calling allocation function "fopen".
lib/netrom_gr.c:35: var_assign: Assigning: "f1" =  storage returned from "fopen("/proc/net/nr_nodes", "r")".
lib/netrom_gr.c:42: overwrite_var: Overwriting "f1" in call "f1 = fopen("/proc/net/nr_nodes", "r")" leaks the storage that "f1" points to.

Error: RESOURCE_LEAK
lib/netrom_gr.c:36: alloc_fn: Calling allocation function "fopen".
lib/netrom_gr.c:36: var_assign: Assigning: "f2" =  storage returned from "fopen("/proc/net/nr_neigh", "r")".
lib/netrom_gr.c:44: overwrite_var: Overwriting "f2" in call "f2 = fopen("/proc/net/nr_neigh", "r")" leaks the storage that "f2" points to

Error: FORWARD_NULL
lib/x25.c:101: var_compare_op: Comparing "p" to null implies that "p" might be null.
lib/x25.c:109: var_deref_op: Dereferencing null variable "p".

Error: RESOURCE_LEAK
nameif.c:166: alloc_fn: Calling allocation function "xmalloc".
nameif.c:166: var_assign: Assigning: "ch" =  storage returned from "xmalloc(sizeof (struct change) /*40*/)".
nameif.c:177: leaked_storage: Variable "ch" going out of scope leaks the storage it points to.

Error: NEGATIVE_RETURNS
netstat.c:463: negative_return_fn: Function "readlink(line, lname, 29UL)" returns a negative number.
netstat.c:463: var_assign: Assigning: signed variable "lnamelen" = "readlink".
netstat.c:464: negative_returns: Using variable "lnamelen" as an index to array "lname".

Error: RESOURCE_LEAK
netstat.c:894: alloc_fn: Calling allocation function "fopen".
netstat.c:894: var_assign: Assigning: "f" =  storage returned from "fopen("/proc/net/x25", "r")".
netstat.c:905: overwrite_var: Overwriting "f" in call "f = fopen("/proc/net/x25", "r")" leaks the storage that "f" points to.

Error: RESOURCE_LEAK
netstat.c:1916: alloc_fn: Calling allocation function "fopen".
netstat.c:1916: var_assign: Assigning: "f" =  storage returned from "fopen("/proc/net/ipx", "r")".
netstat.c:1934: leaked_storage: Variable "f" going out of scope leaks the storage it points to.
netstat.c:1947: leaked_storage: Variable "f" going out of scope leaks the storage it points to.
netstat.c:1957: leaked_storage: Variable "f" going out of scope leaks the storage it points to.
parent 0dcd1d1b
......@@ -32,6 +32,7 @@
#include "config.h"
#include "intl.h"
#include "util.h"
#include "util-ank.h"
#include "net-support.h"
#include "version.h"
......@@ -159,8 +160,7 @@ void read_dev_mcast(struct ma_info **result_p)
len = parse_hex(hexa, (unsigned char*)&m.addr.data);
if (len >= 0) {
struct ma_info *ma = malloc(sizeof(m));
struct ma_info *ma = xmalloc(sizeof(m));
memcpy(ma, &m, sizeof(m));
ma->addr.bytelen = len;
ma->addr.bitlen = len<<3;
......@@ -174,7 +174,7 @@ void read_dev_mcast(struct ma_info **result_p)
void read_igmp(struct ma_info **result_p)
{
struct ma_info m;
struct ma_info m, *ma = NULL;
char buf[256];
FILE *fp = fopen(_PATH_PROCNET_IGMP, "r");
......@@ -189,8 +189,6 @@ void read_igmp(struct ma_info **result_p)
m.addr.bytelen = 4;
while (fgets(buf, sizeof(buf), fp)) {
struct ma_info *ma = malloc(sizeof(m));
if (buf[0] != '\t') {
sscanf(buf, "%d%s", &m.index, m.name);
continue;
......@@ -201,7 +199,7 @@ void read_igmp(struct ma_info **result_p)
sscanf(buf, "%08x%d", (__u32*)&m.addr.data, &m.users);
ma = malloc(sizeof(m));
ma = xmalloc(sizeof(m));
memcpy(ma, &m, sizeof(m));
maddr_ins(result_p, ma);
}
......@@ -232,8 +230,7 @@ void read_igmp6(struct ma_info **result_p)
len = parse_hex(hexa, (unsigned char*)&m.addr.data);
if (len >= 0) {
struct ma_info *ma = malloc(sizeof(m));
struct ma_info *ma = xmalloc(sizeof(m));
memcpy(ma, &m, sizeof(m));
ma->addr.bytelen = len;
......
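Review bot: In read_igmp the context line `sscanf(buf, "%d%s", &m.index, m.name);` uses an unbounded `%s`, so a token longer than `m.name` would write past that field; the definition of `struct ma_info` is not part of this diff, so the field size cannot be confirmed here. Giving the conversion a field width of one less than the size of `m.name`, and checking that sscanf returned 2 before the `continue`, would bound the write. The same unbounded pattern appears as `sscanf(buf, "%s", name)` in do_tunnels_list later in this commit. The result of `sscanf(buf, "%08x%d", ...)` is also unchecked, so a malformed line is still copied and handed to `maddr_ins`.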
......@@ -487,6 +487,7 @@ static int do_tunnels_list(struct ip_tunnel_parm *p)
if ((ptr = strchr(buf, ':')) == NULL ||
(*ptr++ = 0, sscanf(buf, "%s", name) != 1)) {
fprintf(stderr, _("Wrong format of /proc/net/dev. Sorry.\n"));
fclose(fp);
return -1;
}
if (sscanf(ptr, "%ld%ld%ld%ld%ld%ld%ld%*d%ld%ld%ld%ld%ld%ld%ld",
......@@ -523,6 +524,7 @@ static int do_tunnels_list(struct ip_tunnel_parm *p)
tx_packets, tx_bytes, tx_errs, tx_colls, tx_carrier, tx_drops);
}
}
fclose(fp);
return 0;
}
......
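Review bot: Each early `return` in do_tunnels_list now carries its own `fclose(fp);`, which is the shape that produced the leak in the first place, because any return added later has to remember the close. A single exit path avoids that: set a result variable, `goto out;` on error, and finish with `out: fclose(fp); return rc;`. ipx_info in netstat.c gains three separate `fclose(f);` calls in this commit and would benefit from the same structure. Both function bodies extend beyond the hunks shown, so other return paths could not be checked here.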
......@@ -210,11 +210,11 @@ static int INET_rresolve(char *name, size_t len, struct sockaddr_in *sin,
}
if ((ent == NULL) && (np == NULL))
safe_strncpy(name, inet_ntoa(sin->sin_addr), len);
pn = (struct addr *) malloc(sizeof(struct addr));
pn = (struct addr *) xmalloc(sizeof(struct addr));
pn->addr = *sin;
pn->next = INET_nn;
pn->host = host;
pn->name = (char *) malloc(strlen(name) + 1);
pn->name = (char *) xmalloc(strlen(name) + 1);
strcpy(pn->name, name);
INET_nn = pn;
......@@ -385,9 +385,7 @@ static int read_services(void)
setservent(1);
while ((se = getservent())) {
/* Allocate a service entry. */
item = (struct service *) malloc(sizeof(struct service));
if (item == NULL)
perror("netstat");
item = (struct service *) xmalloc(sizeof(struct service));
item->name = strdup(se->s_name);
item->number = se->s_port;
......@@ -404,9 +402,7 @@ static int read_services(void)
setprotoent(1);
while ((pe = getprotoent())) {
/* Allocate a service entry. */
item = (struct service *) malloc(sizeof(struct service));
if (item == NULL)
perror("netstat");
item = (struct service *) xmalloc(sizeof(struct service));
item->name = strdup(pe->p_name);
item->number = htons(pe->p_proto);
add2list(&raw_name, item);
......
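Review bot: In read_services, `item->name = strdup(se->s_name);` and `item->name = strdup(pe->p_name);` can still return NULL, so the struct allocation now aborts on failure while the name pointer stays unchecked. Allocating the copy the way INET_rresolve does for `pn->name` in this same commit, `item->name = xmalloc(strlen(se->s_name) + 1); strcpy(item->name, se->s_name);`, would give both allocations the same failure behaviour. How `add2list` and later lookups treat a NULL name is not visible in these hunks.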
......@@ -208,10 +208,9 @@ int ip_masq_info(int numeric_host, int numeric_port, int ext)
}
for (i = 0; i < ntotal; i++)
print_masq(&(mslist[i]), numeric_host, numeric_port, ext);
if (mslist)
free(mslist);
}
free(mslist);
return 0;
}
#endif
......@@ -39,9 +39,7 @@ int NETROM_rprint(int options)
/*int ext = options & FLAG_EXT;
int numeric = options & FLAG_NUM_HOST; */
f1 = fopen(_PATH_PROCNET_NR_NODES, "r");
if (!f1) perror(_PATH_PROCNET_NR_NODES);
f2 = fopen(_PATH_PROCNET_NR_NEIGH, "r");
if (!f2) perror(_PATH_PROCNET_NR_NEIGH);
if (f1 == NULL || f2 == NULL) {
......
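Review bot: When only one of the two files opens, the branch at `if (f1 == NULL || f2 == NULL)` has to close the handle that did succeed, and its body lies outside this hunk, so that cannot be confirmed from here. If that branch returns directly, `if (f1) fclose(f1);` and `if (f2) fclose(f2);` before the return would close the remaining descriptor leak in NETROM_rprint.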
......@@ -105,7 +105,8 @@ X25_input(int type, char *bufp, struct sockaddr *sap)
}
if (strlen(bufp) < 1 || strlen(bufp) > 15 || sigdigits > strlen(bufp)) {
*p = '/';
if (p != NULL)
*p = '/';
strcpy(X25_errmsg, _("Invalid address"));
#ifdef DEBUG
fprintf(stderr, "x25_input(%s): %s !\n", X25_errmsg, orig);
......
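Review bot: `strcpy(X25_errmsg, _("Invalid address"));` copies a translated string, whose length depends on the installed message catalog, into a buffer whose size is not visible in this hunk. If `X25_errmsg` is a fixed-size array, a bounded copy such as `safe_strncpy(X25_errmsg, _("Invalid address"), sizeof(X25_errmsg));` (the helper INET_rresolve uses elsewhere in this commit) would keep a long translation from overrunning it. X25_input starts and ends outside the hunk.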
......@@ -153,6 +153,7 @@ void readconf(void)
FILE *ifh;
char *p;
int n;
struct change *ch = NULL;
ifh = fopen(fname, "r");
if (!ifh)
......@@ -162,7 +163,6 @@ void readconf(void)
linel = 0;
linenum = 1;
while (getdelim(&line, &linel, '\n', ifh) > 0) {
struct change *ch = xmalloc(sizeof(struct change));
char pos[20];
sprintf(pos, _("line %d"), linenum);
......@@ -177,6 +177,7 @@ void readconf(void)
n = strcspn(p, " \t");
if (n > IFNAMSIZ-1)
complain(_("interface name too long at line %d"), line);
ch = xmalloc(sizeof(struct change));
memcpy(ch->ifname, p, n);
ch->ifname[n] = 0;
p += n;
......
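Review bot: The context line `complain(_("interface name too long at line %d"), line);` passes `line`, the buffer pointer filled by `getdelim(&line, &linel, '\n', ifh)`, to a `%d` conversion; the line counter is `linenum`, so it should read `complain(_("interface name too long at line %d"), linenum);`. The `memcpy(ch->ifname, p, n);` that follows the new `xmalloc` is bounded only if `complain` never returns, which is not visible in this hunk. Separately, `sprintf(pos, _("line %d"), linenum);` writes a translated format into `char pos[20]`; `snprintf(pos, sizeof(pos), _("line %d"), linenum);` would bound it.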
......@@ -405,6 +405,8 @@ static void prg_cache_load(void)
PATH_FD_SUFFl+1);
strcpy(line + procfdlen + 1, direfd->d_name);
lnamelen=readlink(line,lname,sizeof(lname)-1);
if (lnamelen == -1)
continue;
lname[lnamelen] = '\0'; /*make it a null-terminated string*/
if (extract_type_1_socket_inode(lname, &inode) < 0)
......@@ -677,7 +679,7 @@ static int x25_info(void)
"ESTABLISHED",
"RECOVERY"
};
if(!(f=proc_fopen(_PATH_PROCNET_X25)))
if(!f)
{
if (errno != ENOENT) {
perror(_PATH_PROCNET_X25);
......@@ -1547,6 +1549,7 @@ static int ipx_info(void)
printf("\n");
if ((ap = get_afntype(AF_IPX)) == NULL) {
EINTERN("netstat.c", "AF_IPX missing");
fclose(f);
return (-1);
}
if (fgets(buf, 255, f))
......@@ -1561,6 +1564,7 @@ static int ipx_info(void)
sport = ntohs(sport);
} else {
EINTERN("netstat.c", "ipx socket format error in source port");
fclose(f);
return (-1);
}
nc = 0;
......@@ -1571,6 +1575,7 @@ static int ipx_info(void)
dport = ntohs(dport);
} else {
EINTERN("netstat.c", "ipx soket format error in destination port");
fclose(f);
return (-1);
}
} else
......
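Review bot: In x25_info the test is now `if(!f)` while the open happens earlier, outside this hunk, so `errno != ENOENT` reads an `errno` that is only reliable if no library call runs between the open and this test. Keeping the open next to the check, that is dropping the earlier assignment instead and leaving `if(!(f=proc_fopen(_PATH_PROCNET_X25)))`, would fix the same double open without that dependency. In prg_cache_load, `if (lnamelen < 0)` would be a slightly more robust form of the new `lnamelen == -1` test before `lname[lnamelen] = '\0';`.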