From: Mathieu Desnoyers Date: Wed, 26 Jul 2017 16:02:56 +0000 (-0400) Subject: Fix: null check after deref, use uninitialized or freed variable X-Git-Url: http://git.efficios.com/?p=babeltrace.git;a=commitdiff_plain;h=2c212c058851bd675a5ff33ac0bff981458497be Fix: null check after deref, use uninitialized or freed variable Found by Coverity: CID 1376179 (#1 of 1): Dereference before null check (REVERSE_INULL)check_after_deref: Null-checking stream_state suggests that it may be null, but it has already been dereferenced on all paths leading to the check. Reorganized this function so we clear the stream_state (set to NULL) whenever we return success or error, so the caller don't end up using uninitialized variable. Signed-off-by: Mathieu Desnoyers Signed-off-by: Jérémie Galarneau
---
diff --git a/lib/graph/iterator.c b/lib/graph/iterator.c
index 849543ce..cc1228ba 100644
--- a/lib/graph/iterator.c
+++ b/lib/graph/iterator.c
@@ -1125,9 +1125,10 @@ static
 int ensure_stream_state_exists(struct bt_notification_iterator *iterator,
 struct bt_notification *stream_begin_notif,
 struct bt_ctf_stream *notif_stream,
- struct stream_state **stream_state)
+ struct stream_state **_stream_state)
 {
 int ret = 0;
+ struct stream_state *stream_state = NULL;
 if (!notif_stream) {
 /*
@@ -1137,9 +1138,9 @@ int ensure_stream_state_exists(struct bt_notification_iterator *iterator,
 goto end;
 }
- *stream_state = g_hash_table_lookup(iterator->stream_states,
+ stream_state = g_hash_table_lookup(iterator->stream_states,
 notif_stream);
- if (!*stream_state) {
+ if (!stream_state) {
 /*
 * This iterator did not bump into this stream yet:
 * create a stream state and a "stream begin"
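Review bot: The new signature leaves the out-parameter contract undocumented: with the local `stream_state` starting at NULL, the early `goto end` taken when `notif_stream` is NULL returns 0 yet stores NULL through `_stream_state` at the `end:` label. A comment above the function, for example `/* On return, *_stream_state is the stream's state, or NULL if notif_stream is NULL (returns 0) or on error (returns -1). */`, would tell callers that a zero return does not guarantee a non-NULL state. The parameter name also differs from the local only by a leading underscore, which is easy to misread at the final assignment; a suffix such as `stream_state_out` reads more clearly. The function body continues past this hunk.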
@@ -1153,14 +1154,13 @@ int ensure_stream_state_exists(struct bt_notification_iterator *iterator,
 },
 };
- *stream_state = create_stream_state(notif_stream);
+ stream_state = create_stream_state(notif_stream);
 if (!stream_state) {
 BT_LOGE_STR("Cannot create stream state.");
 goto error;
 }
- action.payload.add_stream_state.stream_state =
- *stream_state;
+ action.payload.add_stream_state.stream_state = stream_state;
 add_action(iterator, &action);
 if (stream_begin_notif) {
@@ -1174,14 +1174,15 @@ int ensure_stream_state_exists(struct bt_notification_iterator *iterator,
 }
 }
 }
- goto end;
 error:
- destroy_stream_state(*stream_state);
+ destroy_stream_state(stream_state);
+ stream_state = NULL;
 ret = -1;
 end:
+ *_stream_state = stream_state;
 return ret;
 }
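Review bot: Dropping `goto end;` just before the `error:` label makes the success path fall through into the error handling, as far as this hunk shows: after the last closing brace control reaches `destroy_stream_state(stream_state)`, the pointer is cleared and `ret` becomes -1. That would destroy a state that was either found in `iterator->stream_states` or just handed to `add_action()`, leaving those holders with a freed pointer, and would make calls with a non-NULL `notif_stream` report failure. Keep the jump, `goto end;`, on the line before `error:` so that only the `goto error` paths destroy the state. The function starts outside this hunk, so confirm nothing else exits between the closing braces and the label.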