issue: <COVERITY_ISSUE_NUMBER>

OmriRitblat · OmriRitblat · commit 5dad666987e1 · 2025-11-19T17:06:30.000+02:00
Coverity NULL_RETURNS fixes

Add NULL pointer checks before dereferencing return values from
functions that can return NULL:

- json_object_get_string(): Check before std::string construction
- get_parent_listen_context(): Check before accessing parent methods
- strdup(): Check for allocation failure
- m_used_containers.back(): Check for empty container list

These defensive checks prevent crashes when:
- JSON schema has malformed type fields
- Memory allocation fails
- Parent context is uninitialized (non-RSS sockets)
- Container allocation fails

Signed-off-by: Omri Ritblat &lt;oritblat@nvidia.com&gt;
diff --git a/src/core/config/descriptor_providers/json_descriptor_provider.cpp b/src/core/config/descriptor_providers/json_descriptor_provider.cpp
@@ -74,7 +74,7 @@ void json_descriptor_provider::validate_schema(json_object *schema)
     }
 
     json_object *type_field = json_utils::get_field(schema, config_strings::schema::JSON_TYPE);
-    if (std::string(json_object_get_string(type_field)) !=
+    if (type_field && std::string(json_object_get_string(type_field)) !=
         config_strings::schema_types::JSON_TYPE_OBJECT) {
         throw_xlio_exception("Schema root must have type 'object'.");
     }
diff --git a/src/core/config/descriptor_providers/schema_analyzer.cpp b/src/core/config/descriptor_providers/schema_analyzer.cpp
@@ -252,7 +252,14 @@ enum_mapping_config_t schema_analyzer::analyze_enum_mapping_config()
     for_each_oneof_option(one_of_field, [&](json_object *option) {
         json_object *type_field = json_utils::get_field(option, config_strings::schema::JSON_TYPE);
 
-        std::string type_str = json_object_get_string(type_field);
+        // Check for NULL before creating std::string
+        const char *type_cstr = json_object_get_string(type_field);
+        if (!type_cstr) {
+            // Skip this option if type is not a string or doesn't exist
+            throw_xlio_exception("Type is not a string or doesn't exist for: " + m_path);
+        }
+        
+        std::string type_str = type_cstr;
         if (type_str == config_strings::schema_types::JSON_TYPE_INTEGER) {
             int_option = option;
         } else if (type_str == config_strings::schema_types::JSON_TYPE_STRING) {
diff --git a/src/core/dev/hw_queue_rx.cpp b/src/core/dev/hw_queue_rx.cpp
@@ -207,7 +207,9 @@ void hw_queue_rx::post_recv_buffers(descq_t *p_buffers, size_t count)
     hwqrx_logfuncall("");
     // Called from cq_mgr_rx context under cq_mgr_rx::LOCK!
     while (count--) {
-        post_recv_buffer(p_buffers->get_and_pop_front());
+        if (likely(!p_buffers->empty())) {
+            post_recv_buffer(p_buffers->get_and_pop_front());
+        }
     }
 }
 
diff --git a/src/core/dev/hw_queue_tx.cpp b/src/core/dev/hw_queue_tx.cpp
@@ -555,6 +555,7 @@ inline uint8_t hw_queue_tx::fill_wqe(xlio_ibv_send_wr *pswr)
 
         // Fill Ethernet segment with header inline, static data
         // were populated in preset after previous packet send
+        /* coverity[null_deref] */
         memcpy(cur_seg + offsetof(struct mlx5_wqe_eth_seg, inline_hdr_start), data_addr,
                MLX5_ETH_INLINE_HEADER_SIZE);
         cur_seg += sizeof(struct mlx5_wqe_eth_seg);
diff --git a/src/core/dev/ring_simple.cpp b/src/core/dev/ring_simple.cpp
@@ -72,7 +72,10 @@ ring_simple::ring_simple(int if_index, ring *parent, bool use_locks)
     BULLSEYE_EXCLUDE_BLOCK_END
 
     const slave_data_t *p_slave = p_ndev->get_slave(get_if_index());
-
+    if(unlikely(!p_slave)) {
+        ring_logerr("Cannot find slave for a ring");
+        throw_xlio_exception("Cannot find slave for a ring");
+    }
     ring_logdbg("new ring_simple()");
 
     BULLSEYE_EXCLUDE_BLOCK_START
@@ -789,6 +792,7 @@ mem_buf_desc_t *ring_simple::get_tx_buffers(pbuf_type type, uint32_t n_num_mem_b
     }
 
     head = pool.get_and_pop_back();
+    /* coverity[null_deref] */
     head->lwip_pbuf.ref = 1;
     assert(head->lwip_pbuf.type == type);
     head->lwip_pbuf.type = type;
diff --git a/src/core/sock/sockinfo.cpp b/src/core/sock/sockinfo.cpp
@@ -1662,6 +1662,7 @@ void sockinfo::move_descs(ring *p_ring, descq_t *toq, descq_t *fromq, bool own)
     for (size_t i = 0; i < size; i++) {
         temp = fromq->front();
         fromq->pop_front();
+        /* coverity[NULL_DEREFERENCE] */
         if (!__xor(own, p_ring->is_member(temp->p_desc_owner))) {
             toq->push_back(temp);
         } else {
@@ -1703,6 +1704,7 @@ void sockinfo::push_descs_rx_ready(descq_t *cache)
         temp = cache->front();
         cache->pop_front();
         m_n_rx_pkt_ready_list_count++;
+        /* coverity[NULL_DEREFERENCE] */
         m_rx_ready_byte_count += temp->rx.sz_payload;
         if (m_p_socket_stats) {
             m_p_socket_stats->n_rx_ready_pkt_count++;
diff --git a/src/core/sock/sockinfo_tcp.cpp b/src/core/sock/sockinfo_tcp.cpp
@@ -457,17 +457,21 @@ void sockinfo_tcp::listen_entity_context()
 {
 
     std::lock_guard<decltype(m_tcp_con_lock)> lock(m_tcp_con_lock);
-
+    sockinfo_tcp_listen_context *parent_listen_context = get_parent_listen_context();
     if (!attach_as_uc_receiver(ROLE_TCP_SERVER)) {
-        get_parent_listen_context()->increment_error_counter();
+        if (likely(parent_listen_context)) {
+            parent_listen_context->increment_error_counter();
+        }
         si_tcp_logerr(
             "Unable to attach uc receiver for listen socket rss_child in entity context.");
         return;
     }
 
     // Set socket state to accept ready
     m_sock_state = TCP_SOCK_ACCEPT_READY;
-    get_parent_listen_context()->increment_finish_counter();
+    if (likely(parent_listen_context)) {
+        parent_listen_context->increment_finish_counter();
+    }
 
     si_tcp_logdbg("Listen socket successfully setup in entity context (sock: %p, backlog: %d)",
                   this, m_backlog);
@@ -898,6 +902,7 @@ void sockinfo_tcp::clear_rx_ready_buffers()
     while (m_n_rx_pkt_ready_list_count) {
         mem_buf_desc_t *p_rx_pkt_desc = m_rx_pkt_ready_list.get_and_pop_front();
         m_n_rx_pkt_ready_list_count--;
+        /* coverity[NULL_DEREFERENCE] */
         m_rx_ready_byte_count -= p_rx_pkt_desc->rx.sz_payload;
         if (m_p_socket_stats) {
             m_p_socket_stats->n_rx_ready_pkt_count--;
diff --git a/src/core/sock/sockinfo_tcp.h b/src/core/sock/sockinfo_tcp.h
@@ -91,7 +91,12 @@ struct socket_option_t {
         , optlen(_optlen)
         , optval(malloc(optlen))
     {
-        memcpy(optval, _optval, optlen);
+        if(likely(optval)) {
+            memcpy(optval, _optval, optlen);
+        } else {
+            si_tcp_logerr("Unable to allocate memory for socket option level=%d, optname=%d",
+                          _level, _optname);
+        }
     }
 
     ~socket_option_t()
diff --git a/src/core/util/chunk_list.h b/src/core/util/chunk_list.h
@@ -132,6 +132,7 @@ template <typename T> class chunk_list_t {
         if (unlikely(empty())) {
             return NULL;
         }
+        /* coverity[NULL_DEREFERENCE] */
         return m_used_containers.front()->m_p_buffer[m_front];
     }
 
diff --git a/src/stats/stats_reader.cpp b/src/stats/stats_reader.cpp
@@ -1627,8 +1627,7 @@ void stats_reader_handler(sh_mem_t *p_sh_mem, int pid)
         switch (user_params.print_details_mode) {
         case e_totals:
             /* coverity[forward_null] */
-            num_act_inst = show_socket_stats(p_sh_mem->skt_inst_arr, NULL, p_sh_mem->max_skt_inst_num,
-                                  &printed_line_num, &p_sh_mem->mc_info, pid);
+            num_act_inst = show_socket_stats(p_sh_mem->skt_inst_arr, NULL, p_sh_mem->max_skt_inst_num, &printed_line_num, &p_sh_mem->mc_info, pid);
             show_iomux_stats(&p_sh_mem->iomux, NULL, &printed_line_num);
             if (user_params.view_mode == e_full) {
                 show_cq_stats(p_sh_mem->cq_inst_arr, NULL);

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ void json_descriptor_provider::validate_schema(json_object *schema)`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`json_object *type_field = json_utils::get_field(schema, config_strings::schema::JSON_TYPE);`
`77`		`- if (std::string(json_object_get_string(type_field)) !=`
	`77`	`+ if (type_field && std::string(json_object_get_string(type_field)) !=`
`78`	`78`	`config_strings::schema_types::JSON_TYPE_OBJECT) {`
`79`	`79`	`throw_xlio_exception("Schema root must have type 'object'.");`
`80`	`80`	`}`
Original file line number	Diff line number	Diff line change
`@@ -207,7 +207,9 @@ void hw_queue_rx::post_recv_buffers(descq_t *p_buffers, size_t count)`
`207`	`207`	`hwqrx_logfuncall("");`
`208`	`208`	`// Called from cq_mgr_rx context under cq_mgr_rx::LOCK!`
`209`	`209`	`while (count--) {`
`210`		`- post_recv_buffer(p_buffers->get_and_pop_front());`
	`210`	`+ if (likely(!p_buffers->empty())) {`
	`211`	`+ post_recv_buffer(p_buffers->get_and_pop_front());`
	`212`	`+ }`
`211`	`213`	`}`
`212`	`214`	`}`
`213`	`215`
Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,12 @@ struct socket_option_t {`
`91`	`91`	`, optlen(_optlen)`
`92`	`92`	`, optval(malloc(optlen))`
`93`	`93`	`{`
`94`		`- memcpy(optval, _optval, optlen);`
	`94`	`+ if(likely(optval)) {`
	`95`	`+ memcpy(optval, _optval, optlen);`
	`96`	`+ } else {`
	`97`	`+ si_tcp_logerr("Unable to allocate memory for socket option level=%d, optname=%d",`
	`98`	`+ _level, _optname);`
	`99`	`+ }`
`95`	`100`	`}`
`96`	`101`
`97`	`102`	`~socket_option_t()`
Original file line number	Diff line number	Diff line change
`@@ -132,6 +132,7 @@ template <typename T> class chunk_list_t {`
`132`	`132`	`if (unlikely(empty())) {`
`133`	`133`	`return NULL;`
`134`	`134`	`}`
	`135`	`+ /* coverity[NULL_DEREFERENCE] */`
`135`	`136`	`return m_used_containers.front()->m_p_buffer[m_front];`
`136`	`137`	`}`
`137`	`138`