Actions
Bug #6565
opencoverity: new issues after updating to 2023.6.2
Affected Versions:
Effort:
Difficulty:
Label:
Description
** CID 1554240: Data race undermines locking (LOCK_EVASION)
/src/host.c: 353 in HostCleanup()
________________________________________________________________________________________________________
*** CID 1554240: Data race undermines locking (LOCK_EVASION)
/src/host.c: 353 in HostCleanup()
347
348 if (host_hash != NULL) {
349 for (u = 0; u < host_config.hash_size; u++) {
350 h = host_hash[u].head;
351 HostHashRow *hb = &host_hash[u];
352 HRLOCK_LOCK(hb);
>>> CID 1554240: Data race undermines locking (LOCK_EVASION)
>>> Thread2 checks "head", reading it after Thread1 assigns to "head" but before some of the correlated field assignments can occur. It sees the condition "h" as being false. It continues on before the critical section has completed, and can read data changed by that critical section while it is in an inconsistent state.
353 while (h) {
354 if ((SC_ATOMIC_GET(h->use_cnt) > 0) && (h->iprep != NULL)) {
355 /* iprep is attached to host only clear local storage */
356 HostFreeStorage(h);
357 h = h->hnext;
358 } else {
** CID 1554239: Concurrent data access violations (MISSING_LOCK)
/src/util-var-name.c: 324 in VarNameStoreLookupByName()
________________________________________________________________________________________________________
*** CID 1554239: Concurrent data access violations (MISSING_LOCK)
/src/util-var-name.c: 324 in VarNameStoreLookupByName()
318 return name;
319 }
320
321 /** \brief find name for id+type at packet time. */
322 uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
323 {
>>> CID 1554239: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "active_sc_atomic__" without holding lock "base_lock". Elsewhere, "active_sc_atomic__" is written to with "base_lock" held 1 out of 1 times.
324 const VarNameStore *current = SC_ATOMIC_GET(active);
325 if (current) {
326 VariableName lookup = { .name = (char *)name, .type = type };
327 const VariableName *found = HashListTableLookup(current->names, (void *)&lookup, 0);
328 if (found) {
329 return found->id;
** CID 1554238: Program hangs (BAD_CHECK_OF_WAIT_COND)
/src/counters.c: 501 in StatsWakeupThread()
________________________________________________________________________________________________________
*** CID 1554238: Program hangs (BAD_CHECK_OF_WAIT_COND)
/src/counters.c: 501 in StatsWakeupThread()
495 struct timespec cond_time = FROM_TIMEVAL(cur_timev);
496 cond_time.tv_sec += STATS_WUT_TTS;
497
498 /* wait for the set time, or until we are woken up by
499 * the shutdown procedure */
500 SCCtrlMutexLock(tv_local->ctrl_mutex);
>>> CID 1554238: Program hangs (BAD_CHECK_OF_WAIT_COND)
>>> The wait condition prompting the wait upon "ThreadVars_.ctrl_mutex" is not checked correctly. This code can wait for a condition that has already been satisfied, which can cause a never-ending wait.
501 SCCtrlCondTimedwait(tv_local->ctrl_cond, tv_local->ctrl_mutex, &cond_time);
502 SCCtrlMutexUnlock(tv_local->ctrl_mutex);
503
504 SCMutexLock(&tv_root_lock);
505 ThreadVars *tv = tv_root[TVT_PPT];
506 while (tv != NULL) {
** CID 1554237: Resource leaks (RESOURCE_LEAK)
/src/detect-xbits.c: 375 in DetectXbitSetup()
________________________________________________________________________________________________________
*** CID 1554237: Resource leaks (RESOURCE_LEAK)
/src/detect-xbits.c: 375 in DetectXbitSetup()
369 DETECT_SM_LIST_POSTMATCH) == NULL) {
370 goto error;
371 }
372 break;
373 }
374
>>> CID 1554237: Resource leaks (RESOURCE_LEAK)
>>> Variable "cd" going out of scope leaks the storage it points to.
375 return 0;
376
377 error:
378 if (cd != NULL)
379 SCFree(cd);
380 return -1;
** CID 1554236: Program hangs (BAD_CHECK_OF_WAIT_COND)
/src/counters.c: 431 in StatsMgmtThread()
________________________________________________________________________________________________________
*** CID 1554236: Program hangs (BAD_CHECK_OF_WAIT_COND)
/src/counters.c: 431 in StatsMgmtThread()
425 struct timespec cond_time = FROM_TIMEVAL(cur_timev);
426 cond_time.tv_sec += (stats_tts);
427
428 /* wait for the set time, or until we are woken up by
429 * the shutdown procedure */
430 SCCtrlMutexLock(tv_local->ctrl_mutex);
>>> CID 1554236: Program hangs (BAD_CHECK_OF_WAIT_COND)
>>> The wait condition prompting the wait upon "ThreadVars_.ctrl_mutex" is not checked correctly. This code can wait for a condition that has already been satisfied, which can cause a never-ending wait.
431 SCCtrlCondTimedwait(tv_local->ctrl_cond, tv_local->ctrl_mutex, &cond_time);
432 SCCtrlMutexUnlock(tv_local->ctrl_mutex);
433
434 SCMutexLock(&stats_table_mutex);
435 StatsOutput(tv_local);
436 SCMutexUnlock(&stats_table_mutex);
** CID 1554235: Concurrent data access violations (MISSING_LOCK)
/src/defrag-hash.c: 280 in DefragInitConfig()
________________________________________________________________________________________________________
*** CID 1554235: Concurrent data access violations (MISSING_LOCK)
/src/defrag-hash.c: 280 in DefragInitConfig()
274 SCLogError("preallocating defrag failed: %s", strerror(errno));
275 exit(EXIT_FAILURE);
276 }
277 DefragTrackerEnqueue(&defragtracker_spare_q,h);
278 }
279 if (!quiet) {
>>> CID 1554235: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "defragtracker_spare_q.len" without holding lock "DefragTrackerQueue_.m". Elsewhere, "DefragTrackerQueue_.len" is written to with "DefragTrackerQueue_.m" held 2 out of 2 times.
280 SCLogConfig("preallocated %" PRIu32 " defrag trackers of size %" PRIuMAX "",
281 defragtracker_spare_q.len, (uintmax_t)sizeof(DefragTracker));
282 }
283 }
284 }
285
** CID 1554234: Concurrent data access violations (BAD_CHECK_OF_WAIT_COND)
/src/tmqh-flow.c: 109 in TmqhInputFlow()
________________________________________________________________________________________________________
*** CID 1554234: Concurrent data access violations (BAD_CHECK_OF_WAIT_COND)
/src/tmqh-flow.c: 109 in TmqhInputFlow()
103
104 StatsSyncCountersIfSignalled(tv);
105
106 SCMutexLock(&q->mutex_q);
107 if (q->len == 0) {
108 /* if we have no packets in queue, wait... */
>>> CID 1554234: Concurrent data access violations (BAD_CHECK_OF_WAIT_COND)
>>> The wait condition prompting the wait upon "PacketQueue_.mutex_q" is not checked correctly. If a spurious wakeup occurs, the thread could continue its task before the wait condition is satisfied.
109 SCCondWait(&q->cond_q, &q->mutex_q);
110 }
111
112 if (q->len > 0) {
113 Packet *p = PacketDequeue(q);
114 SCMutexUnlock(&q->mutex_q);
** CID 1554233: Null pointer dereferences (REVERSE_INULL)
/src/detect-xbits.c: 378 in DetectXbitSetup()
________________________________________________________________________________________________________
*** CID 1554233: Null pointer dereferences (REVERSE_INULL)
/src/detect-xbits.c: 378 in DetectXbitSetup()
372 break;
373 }
374
375 return 0;
376
377 error:
>>> CID 1554233: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "cd" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
378 if (cd != NULL)
379 SCFree(cd);
380 return -1;
381 }
382
383 static void DetectXbitFree (DetectEngineCtx *de_ctx, void *ptr)
** CID 1554232: Data race undermines locking (LOCK_EVASION)
/src/ippair.c: 351 in IPPairCleanup()
________________________________________________________________________________________________________
*** CID 1554232: Data race undermines locking (LOCK_EVASION)
/src/ippair.c: 351 in IPPairCleanup()
345
346 if (ippair_hash != NULL) {
347 for (u = 0; u < ippair_config.hash_size; u++) {
348 h = ippair_hash[u].head;
349 IPPairHashRow *hb = &ippair_hash[u];
350 HRLOCK_LOCK(hb);
>>> CID 1554232: Data race undermines locking (LOCK_EVASION)
>>> Thread2 checks "head", reading it after Thread1 assigns to "head" but before some of the correlated field assignments can occur. It sees the condition "h" as being false. It continues on before the critical section has completed, and can read data changed by that critical section while it is in an inconsistent state.
351 while (h) {
352 if ((SC_ATOMIC_GET(h->use_cnt) > 0)) {
353 /* iprep is attached to ippair only clear local storage */
354 IPPairFreeStorage(h);
355 h = h->hnext;
356 } else {
** CID 1554231: (LOCK_EVASION)
/src/detect-mark.c: 245 in DetectMarkPacket()
/src/detect-mark.c: 245 in DetectMarkPacket()
________________________________________________________________________________________________________
*** CID 1554231: (LOCK_EVASION)
/src/detect-mark.c: 245 in DetectMarkPacket()
239 * are fine. */
240 if (p->flags & PKT_REBUILT_FRAGMENT) {
241 Packet *tp = p->root ? p->root : p;
242 SCSpinLock(&tp->persistent.tunnel_lock);
243 tp->nfq_v.mark = (nf_data->mark & nf_data->mask)
244 | (tp->nfq_v.mark & ~(nf_data->mask));
>>> CID 1554231: (LOCK_EVASION)
>>> Thread1 sets "flags" to a new value. Now the two threads have an inconsistent view of "flags" and updates to fields correlated with "flags" may be lost.
245 tp->flags |= PKT_MARK_MODIFIED;
246 SCSpinUnlock(&tp->persistent.tunnel_lock);
247 }
248 }
249 }
250 #endif
/src/detect-mark.c: 245 in DetectMarkPacket()
239 * are fine. */
240 if (p->flags & PKT_REBUILT_FRAGMENT) {
241 Packet *tp = p->root ? p->root : p;
242 SCSpinLock(&tp->persistent.tunnel_lock);
243 tp->nfq_v.mark = (nf_data->mark & nf_data->mask)
244 | (tp->nfq_v.mark & ~(nf_data->mask));
>>> CID 1554231: (LOCK_EVASION)
>>> Thread1 sets "flags" to a new value. Now the two threads have an inconsistent view of "flags" and updates to fields correlated with "flags" may be lost.
245 tp->flags |= PKT_MARK_MODIFIED;
246 SCSpinUnlock(&tp->persistent.tunnel_lock);
247 }
248 }
249 }
250 #endif
** CID 1554230: Concurrent data access violations (BAD_CHECK_OF_WAIT_COND)
/src/tmqh-simple.c: 57 in TmqhInputSimple()
________________________________________________________________________________________________________
*** CID 1554230: Concurrent data access violations (BAD_CHECK_OF_WAIT_COND)
/src/tmqh-simple.c: 57 in TmqhInputSimple()
51 StatsSyncCountersIfSignalled(t);
52
53 SCMutexLock(&q->mutex_q);
54
55 if (q->len == 0) {
56 /* if we have no packets in queue, wait... */
>>> CID 1554230: Concurrent data access violations (BAD_CHECK_OF_WAIT_COND)
>>> The wait condition prompting the wait upon "PacketQueue_.mutex_q" is not checked correctly. If a spurious wakeup occurs, the thread could continue its task before the wait condition is satisfied.
57 SCCondWait(&q->cond_q, &q->mutex_q);
58 }
59
60 if (q->len > 0) {
61 Packet *p = PacketDequeue(q);
62 SCMutexUnlock(&q->mutex_q);
** CID 1554229: Concurrent data access violations (MISSING_LOCK)
/src/util-pool-thread.c: 218 in PoolThreadReturnRaw()
________________________________________________________________________________________________________
*** CID 1554229: Concurrent data access violations (MISSING_LOCK)
/src/util-pool-thread.c: 218 in PoolThreadReturnRaw()
212 }
213
214 void PoolThreadReturnRaw(PoolThread *pt, PoolThreadId id, void *data)
215 {
216 BUG_ON(pt == NULL || id >= pt->size);
217 PoolThreadElement *e = &pt->array[id];
>>> CID 1554229: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "e->pool" without holding lock "PoolThreadElement_.lock". Elsewhere, "PoolThreadElement_.pool" is written to with "PoolThreadElement_.lock" held 5 out of 6 times (2 of these accesses strongly imply that it is necessary).
218 PoolReturn(e->pool, data);
219 }
220
221 void PoolThreadUnlock(PoolThread *pt, PoolThreadId id)
222 {
223 BUG_ON(pt == NULL || id >= pt->size);
** CID 1554228: Program hangs (BAD_CHECK_OF_WAIT_COND)
/src/tmqh-packetpool.c: 76 in PacketPoolWait()
________________________________________________________________________________________________________
*** CID 1554228: Program hangs (BAD_CHECK_OF_WAIT_COND)
/src/tmqh-packetpool.c: 76 in PacketPoolWait()
70 {
71 PktPool *my_pool = GetThreadPacketPool();
72
73 if (PacketPoolIsEmpty(my_pool)) {
74 SCMutexLock(&my_pool->return_stack.mutex);
75 SC_ATOMIC_ADD(my_pool->return_stack.sync_now, 1);
>>> CID 1554228: Program hangs (BAD_CHECK_OF_WAIT_COND)
>>> The wait condition prompting the wait upon "PktPoolLockedStack_.mutex" is not checked correctly. This code can wait for a condition that has already been satisfied, which can cause a never-ending wait.
76 SCCondWait(&my_pool->return_stack.cond, &my_pool->return_stack.mutex);
77 SCMutexUnlock(&my_pool->return_stack.mutex);
78 }
79
80 while(PacketPoolIsEmpty(my_pool))
81 cc_barrier();
** CID 1554227: Concurrent data access violations (MISSING_LOCK)
/src/tm-threads.c: 2292 in TmThreadsInjectFlowById()
________________________________________________________________________________________________________
*** CID 1554227: Concurrent data access violations (MISSING_LOCK)
/src/tm-threads.c: 2292 in TmThreadsInjectFlowById()
2286 void TmThreadsInjectFlowById(Flow *f, const int id)
2287 {
2288 BUG_ON(id <= 0 || id > (int)thread_store.threads_size);
2289
2290 int idx = id - 1;
2291
>>> CID 1554227: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "thread_store.threads" without holding lock "thread_store_lock". Elsewhere, "Threads_.threads" is written to with "thread_store_lock" held 3 out of 3 times.
2292 Thread *t = &thread_store.threads[idx];
2293 ThreadVars *tv = t->tv;
2294
2295 BUG_ON(tv == NULL || tv->flow_queue == NULL);
2296
2297 FlowEnqueue(tv->flow_queue, f);
** CID 1554226: (LOCK_EVASION)
/src/app-layer-htp-range.c: 211 in HttpRangeContainersTimeoutHash()
/src/app-layer-htp-range.c: 211 in HttpRangeContainersTimeoutHash()
________________________________________________________________________________________________________
*** CID 1554226: (LOCK_EVASION)
/src/app-layer-htp-range.c: 211 in HttpRangeContainersTimeoutHash()
205 /* remove from the hash */
206 if (h->prev != NULL)
207 h->prev->next = h->next;
208 if (h->next != NULL)
209 h->next->prev = h->prev;
210 if (hb->head == h)
>>> CID 1554226: (LOCK_EVASION)
>>> Thread1 sets "head" to a new value. Now the two threads have an inconsistent view of "head" and updates to fields of "head" or fields correlated with "head" may be lost.
211 hb->head = h->next;
212 if (hb->tail == h)
213 hb->tail = h->prev;
214 h->next = NULL;
215 h->prev = NULL;
216 // we should log the timed out file somehow...
/src/app-layer-htp-range.c: 211 in HttpRangeContainersTimeoutHash()
205 /* remove from the hash */
206 if (h->prev != NULL)
207 h->prev->next = h->next;
208 if (h->next != NULL)
209 h->next->prev = h->prev;
210 if (hb->head == h)
>>> CID 1554226: (LOCK_EVASION)
>>> Thread1 sets "head" to a new value. Now the two threads have an inconsistent view of "head" and updates to fields of "head" or fields correlated with "head" may be lost.
211 hb->head = h->next;
212 if (hb->tail == h)
213 hb->tail = h->prev;
214 h->next = NULL;
215 h->prev = NULL;
216 // we should log the timed out file somehow...
** CID 1554225: Concurrent data access violations (MISSING_LOCK)
/src/detect-engine.c: 3806 in DetectEngineMultiTenantEnabled()
________________________________________________________________________________________________________
*** CID 1554225: Concurrent data access violations (MISSING_LOCK)
/src/detect-engine.c: 3806 in DetectEngineMultiTenantEnabled()
3800 }
3801
3802 /** TODO locking? Not needed if this is a one time setting at startup */
3803 int DetectEngineMultiTenantEnabled(void)
3804 {
3805 DetectEngineMasterCtx *master = &g_master_de_ctx;
>>> CID 1554225: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "master->multi_tenant_enabled" without holding lock "DetectEngineMasterCtx_.lock". Elsewhere, "DetectEngineMasterCtx_.multi_tenant_enabled" is written to with "DetectEngineMasterCtx_.lock" held 1 out of 1 times (1 of these accesses strongly imply that it is necessary).
3806 return (master->multi_tenant_enabled);
3807 }
3808
3809 /** \internal
3810 * \brief load a tenant from a yaml file
3811 *
** CID 1554224: Concurrent data access violations (MISSING_LOCK)
/src/util-var-name.c: 327 in VarNameStoreLookupByName()
________________________________________________________________________________________________________
*** CID 1554224: Concurrent data access violations (MISSING_LOCK)
/src/util-var-name.c: 327 in VarNameStoreLookupByName()
321 /** \brief find name for id+type at packet time. */
322 uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
323 {
324 const VarNameStore *current = SC_ATOMIC_GET(active);
325 if (current) {
326 VariableName lookup = { .name = (char *)name, .type = type };
>>> CID 1554224: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "current->names" without holding lock "base_lock". Elsewhere, "VarNameStore_.names" is written to with "base_lock" held 3 out of 3 times (1 of these accesses strongly imply that it is necessary).
327 const VariableName *found = HashListTableLookup(current->names, (void *)&lookup, 0);
328 if (found) {
329 return found->id;
330 }
331 }
332
** CID 1554223: Data race undermines locking (LOCK_EVASION)
/src/flow-queue.c: 126 in FlowQueueAppendPrivate()
________________________________________________________________________________________________________
*** CID 1554223: Data race undermines locking (LOCK_EVASION)
/src/flow-queue.c: 126 in FlowQueueAppendPrivate()
120 {
121 if (fqc->top == NULL)
122 return;
123
124 FQLOCK_LOCK(fq);
125 if (fq->qbot == NULL) {
>>> CID 1554223: Data race undermines locking (LOCK_EVASION)
>>> Thread1 sets "top" to a new value. Now the two threads have an inconsistent view of "top" and updates to fields of "top" or fields correlated with "top" may be lost.
126 fq->qtop = fqc->top;
127 fq->qbot = fqc->bot;
128 fq->qlen = fqc->len;
129 } else {
130 fq->qbot->next = fqc->top;
131 fq->qbot = fqc->bot;
** CID 1554222: (LOCK_EVASION)
/src/tmqh-packetpool.c: 310 in TmqhOutputPacketpool()
/src/tmqh-packetpool.c: 397 in TmqhOutputPacketpool()
________________________________________________________________________________________________________
*** CID 1554222: (LOCK_EVASION)
/src/tmqh-packetpool.c: 310 in TmqhOutputPacketpool()
304 {
305 bool proot = false;
306
307 SCEnter();
308 SCLogDebug("Packet %p, p->root %p, alloced %s", p, p->root, BOOL2STR(p->pool == NULL));
309
>>> CID 1554222: (LOCK_EVASION)
>>> Thread2 checks "flags", reading it after Thread1 assigns to "flags" but before some of the correlated field assignments can occur. It sees the condition "p->flags & 0x2000UL" as being false. It continues on before the critical section has completed, and can read data changed by that critical section while it is in an inconsistent state.
310 if (IS_TUNNEL_PKT(p)) {
311 SCLogDebug("Packet %p is a tunnel packet: %s",
312 p,p->root ? "upper layer" : "tunnel root");
313
314 /* get a lock to access root packet fields */
315 SCSpinlock *lock = p->root ? &p->root->persistent.tunnel_lock : &p->persistent.tunnel_lock;
/src/tmqh-packetpool.c: 397 in TmqhOutputPacketpool()
391 /* we're done with the tunnel root now as well */
392 if (proot == true) {
393 SCLogDebug("getting rid of root pkt... alloc'd %s", BOOL2STR(p->root->pool == NULL));
394
395 PacketReleaseRefs(p->root);
396 p->root->ReleasePacket(p->root);
>>> CID 1554222: (LOCK_EVASION)
>>> Thread1 sets "root" to a new value. Now the two threads have an inconsistent view of "root" and updates to fields of "root" or fields correlated with "root" may be lost.
397 p->root = NULL;
398 }
399
400 PACKET_PROFILING_END(p);
401
402 PacketReleaseRefs(p);
** CID 1554221: Concurrent data access violations (MISSING_LOCK)
/src/detect-engine.c: 3103 in DetectEngineThreadCtxInitForMT()
________________________________________________________________________________________________________
*** CID 1554221: Concurrent data access violations (MISSING_LOCK)
/src/detect-engine.c: 3103 in DetectEngineThreadCtxInitForMT()
3097 uint32_t map_array_size = 0;
3098 uint32_t map_cnt = 0;
3099 uint32_t max_tenant_id = 0;
3100 DetectEngineCtx *list = master->list;
3101 HashTable *mt_det_ctxs_hash = NULL;
3102
>>> CID 1554221: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "master->tenant_selector" without holding lock "DetectEngineMasterCtx_.lock". Elsewhere, "DetectEngineMasterCtx_.tenant_selector" is written to with "DetectEngineMasterCtx_.lock" held 4 out of 4 times.
3103 if (master->tenant_selector == TENANT_SELECTOR_UNKNOWN) {
3104 SCLogError("no tenant selector set: "
3105 "set using multi-detect.selector");
3106 return TM_ECODE_FAILED;
3107 }
3108
No data to display
Actions