From a6e628272efe47d1306823f65f5ca11e1181fa69 Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Wed, 25 Jan 2023 19:23:53 -0600
Subject: [PATCH] Update: Add additional sanity checks. The GCC -fanalyzer is reporting a problem that as far as I can tell is a false positive. This program is older code practices and will eventually be rewritten anyway. Add a few more safety checks.
---
 level_3/firewall/c/private-firewall.c | 16 +++++++++++++++-
 level_3/firewall/c/private-firewall.h | 3 +++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/level_3/firewall/c/private-firewall.c b/level_3/firewall/c/private-firewall.c
index 1029ef9..b644ea6 100644
--- a/level_3/firewall/c/private-firewall.c
+++ b/level_3/firewall/c/private-firewall.c
@@ -8,6 +8,8 @@ extern "C" {
 f_status_t firewall_perform_commands(firewall_data_t * const data, firewall_local_data_t * const local) {
+ if (!data || !local || local->device >= data->devices.used) return F_status_set_error(F_parameter);
+
 f_status_t status = F_none;
 bool invalid = F_false;
@@ -158,7 +160,7 @@ f_status_t firewall_perform_commands(firewall_data_t * const data, firewall_loca
 continue;
 }
 else if (fl_string_dynamic_compare_string(local->buffer.string + local->rule_contents.array[i].array[0].start, firewall_device_this_s, length) == F_equal_to) {
- if (data->devices.array[local->device].used > 0) {
+ if (data->devices.array[local->device].used) {
 if (data->devices.array[local->device].used > device.size) {
 status = f_string_dynamic_resize(data->devices.array[local->device].used, &device);
 if (F_status_is_error(status)) break;
@@ -778,6 +780,8 @@ f_status_t firewall_perform_commands(firewall_data_t * const data, firewall_loca
 f_status_t firewall_create_custom_chains(firewall_data_t * const data, firewall_reserved_chains_t * const reserved, firewall_local_data_t * const local) {
+ if (!data || !local) return F_status_set_error(F_parameter);
+
 f_status_t status = F_none;
 uint8_t tool = firewall_program_iptables_e;
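Review bot: The new guard at the top of firewall_perform_commands returns F_parameter whenever `local->device >= data->devices.used`, but the only use of that index visible in this patch is inside the `firewall_device_this_s` branch (the hunk at -158). If the function is also called for rule sets that never refer to the device, or when no devices were found, those calls now fail before any rule is processed; this needs confirming against the callers, since most of the body lies outside the hunks. A narrower form keeps `if (!data || !local) return F_status_set_error(F_parameter);` at the top and bounds the index where it is read: `if (local->device < data->devices.used && data->devices.array[local->device].used) {`.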
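Review bot: firewall_create_custom_chains takes three pointer parameters, but the added guard tests only `data` and `local`, leaving `reserved` unchecked. If the body, which continues outside this hunk, dereferences `reserved`, a NULL passed there still reaches that code. The guard could read `if (!data || !reserved || !local) return F_status_set_error(F_parameter);`, matching the way firewall_process_rules checks every pointer it receives.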
@@ -968,6 +972,8 @@ f_status_t firewall_create_custom_chains(firewall_data_t * const data, firewall_
 f_status_t firewall_delete_chains(firewall_data_t * const data) {
+ if (!data) return F_status_set_error(F_parameter);
+
 const f_string_static_t tools[2] = { firewall_tool_iptables_s, firewall_tool_ip6tables_s };
 f_status_t status = F_none;
@@ -1060,6 +1066,8 @@ f_status_t firewall_delete_chains(firewall_data_t * const data) {
 f_status_t firewall_default_lock(firewall_data_t * const data) {
+ if (!data) return F_status_set_error(F_parameter);
+
 const f_string_static_t chains[3] = { firewall_chain_input_s, firewall_chain_output_s, firewall_chain_forward_s };
 const f_string_static_t tools[2] = { firewall_tool_iptables_s, firewall_tool_ip6tables_s };
@@ -1123,6 +1131,8 @@ f_status_t firewall_default_lock(firewall_data_t * const data) {
 f_status_t firewall_buffer_rules(firewall_data_t * const data, const f_string_static_t filename, const bool optional, firewall_local_data_t * const local) {
+ if (!data || !local) return F_status_set_error(F_parameter);
+
 f_file_t file = f_file_t_initialize;
 f_status_t status = f_file_open(filename, 0, &file);
@@ -1235,6 +1245,8 @@ f_status_t firewall_buffer_rules(firewall_data_t * const data, const f_string_st
 f_status_t firewall_process_rules(firewall_data_t * const data, f_string_range_t * const range, firewall_local_data_t * const local) {
+ if (!data || !range || !local) return F_status_set_error(F_parameter);
+
 f_status_t status = F_none;
 f_fss_delimits_t delimits = f_fss_delimits_t_initialize;
 f_state_t state = f_state_t_initialize;
@@ -1275,6 +1287,8 @@ f_status_t firewall_process_rules(firewall_data_t * const data, f_string_range_t
 f_status_t firewall_delete_local_data(firewall_local_data_t * const local) {
+ if (!local) return F_status_set_error(F_parameter);
+
 local->is_global = F_true;
 local->is_main = F_false;
 local->is_stop = F_false;
diff --git a/level_3/firewall/c/private-firewall.h b/level_3/firewall/c/private-firewall.h
index c7b5ec9..95f28f9 100644
--- a/level_3/firewall/c/private-firewall.h
+++ b/level_3/firewall/c/private-firewall.h
@@ -25,6 +25,7 @@ extern "C" {
 * F_child on child process exiting.
 *
 * F_interrupt (with error bit) on receiving a process signal, such as an interrupt signal.
+ * F_parameter (with error bit) on invalid parameter passed.
 *
 * Errors (with error bit) from: f_string_dynamic_append().
 * Errors (with error bit) from: f_string_dynamic_partial_append().
@@ -53,6 +54,7 @@ extern f_status_t firewall_perform_commands(firewall_data_t * const data, firewa
 * F_child on child process exiting.
 *
 * F_interrupt (with error bit) on receiving a process signal, such as an interrupt signal.
+ * F_parameter (with error bit) on invalid parameter passed.
 *
 * Status codes (with error bit) are returned on any problem.
 */
@@ -69,6 +71,7 @@ extern f_status_t firewall_create_custom_chains(firewall_data_t * const data, fi
 * F_child on child process exiting.
 *
 * F_interrupt (with error bit) on receiving a process signal, such as an interrupt signal.
+ * F_parameter (with error bit) on invalid parameter passed.
 *
 * Status codes (with error bit) are returned on any problem.
 */
-- 
1.8.3.1
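Review bot: Only three doc comments in private-firewall.h gain the F_parameter line, while private-firewall.c adds the parameter check to seven functions. Judging by the hunk headers, the documented ones are firewall_perform_commands, firewall_create_custom_chains and the declaration that follows it. The comments for the remaining functions, among them firewall_buffer_rules, firewall_process_rules and firewall_delete_local_data, should carry the same line, `* F_parameter (with error bit) on invalid parameter passed.`, so callers know a rejected argument is reported as an error status they must check. This is an inference from the diff alone; those comments may already say so outside the hunks shown.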