RDK-60307 [RRD] RDK Coverity Defect Resolution for Device Management

[madhubabutt]

No description provided.

[github-actions]

Code Coverage Summary

                               Total:|83.6%   5104|97.6%  1301|    -      0

[Copilot]

Pull request overview

This pull request addresses Coverity defects in the RDK Remote Debugger Device Management code, focusing on fixing memory leaks, buffer overflows, and resource handling issues.

Changes:

• Added NULL checks for memory allocations (malloc, strdup, fread) with proper error handling and resource cleanup
• Fixed buffer overflow vulnerabilities by using correct size parameters in strncpy/strncat operations
• Corrected file pointer closure to only occur when pointers are valid (v_secure_pclose moved inside if blocks)
• Fixed memory management issues with rfcbuf allocations and ownership

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
src/rrdRunCmdThread.c	Added mutex protection for cacheDataNode initialization; fixed buffer overflow in strncpy/strncat; corrected v_secure_pclose placement to prevent potential crashes
src/rrdJsonParser.c	Added NULL checks for malloc/strdup/fread operations with proper cleanup; fixed rfcbuf memory leaks in error paths; clarified rfcbuf ownership with comment
src/rrdEventProcess.c	Fixed staticstrlen calculation after quote removal; corrected appendstrlen calculation; improved realloc error handling with proper log level

[Copilot]

The mutex lock/unlock around setting cacheDataNode to NULL in initCache() is unnecessary and potentially problematic. This function is called once during initialization before any threads are created (from main), so there's no concurrent access to protect against. Additionally, locking a newly initialized mutex that no other thread can access yet serves no purpose. The assignment to NULL is already atomic and thread-safe for pointer writes.

Suggested change

	pthread_mutex_lock(&rrdCacheMut);
	cacheDataNode = NULL;
	pthread_mutex_unlock(&rrdCacheMut);
	cacheDataNode = NULL;

[Copilot]

When realloc fails, there are multiple memory leaks: 1) The original memory pointed to by staticprofiledata->command is not freed (realloc leaves the original pointer valid when it returns NULL), 2) staticprofiledata->rfcvalue is not freed, 3) staticprofiledata itself is not freed, 4) dynamicprofiledata->rfcvalue, dynamicprofiledata->command, and dynamicprofiledata itself are not freed. All of these allocated resources need to be properly freed before returning from the function on this error path.

Suggested change

	RDK_LOG(RDK_LOG_ERROR, LOG_REMDEBUG, "[%s:%d]: Memory Allocation Failed... \n", __FUNCTION__, __LINE__);
	RDK_LOG(RDK_LOG_ERROR, LOG_REMDEBUG, "[%s:%d]: Memory Allocation Failed... \n", __FUNCTION__, __LINE__);
	/* Cleanup allocated resources on realloc failure */
	if (staticprofiledata != NULL)
	{
	if (staticprofiledata->command != NULL)
	{
	free(staticprofiledata->command);
	staticprofiledata->command = NULL;
	}
	if (staticprofiledata->rfcvalue != NULL)
	{
	free(staticprofiledata->rfcvalue);
	staticprofiledata->rfcvalue = NULL;
	}
	free(staticprofiledata);
	staticprofiledata = NULL;
	}
	if (dynamicprofiledata != NULL)
	{
	if (dynamicprofiledata->command != NULL)
	{
	free(dynamicprofiledata->command);
	dynamicprofiledata->command = NULL;
	}
	if (dynamicprofiledata->rfcvalue != NULL)
	{
	free(dynamicprofiledata->rfcvalue);
	dynamicprofiledata->rfcvalue = NULL;
	}
	free(dynamicprofiledata);
	dynamicprofiledata = NULL;
	}

[rdkcmf-jenkins]

Coverity Issue - Resource leak

Variable "staticprofiledata" going out of scope leaks the storage it points to.

High Impact, CWE-404
RESOURCE_LEAK

Issue location

This issue was discovered outside the diff for this Pull Request. You can find it at:
src/rrdEventProcess.c:251

[rdkcmf-jenkins]

Coverity issue no longer present as of: undefined

Show issue

Coverity Issue - Dereference before null check

Null-checking "dynamicprofiledata->command" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.

Medium Impact, CWE-476
REVERSE_INULL

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

[Copilot]

Missing cleanup for dynamicprofiledata and staticprofiledata when realloc fails. After logging the memory allocation error at line 198, only pIssueNode is freed. However, both dynamicprofiledata and staticprofiledata contain allocated memory that needs to be freed (their rfcvalue and command fields). This causes memory leaks when realloc fails.

Suggested change

	RDK_LOG(RDK_LOG_ERROR, LOG_REMDEBUG, "[%s:%d]: Memory Allocation Failed... \n", __FUNCTION__, __LINE__);
	free(pIssueNode); // free issue node struct on realloc failure
	RDK_LOG(RDK_LOG_ERROR, LOG_REMDEBUG, "[%s:%d]: Memory Allocation Failed... \n", __FUNCTION__, __LINE__);
	/* Cleanup on realloc failure to avoid memory leaks */
	if (dynamicprofiledata != NULL)
	{
	if (dynamicprofiledata->rfcvalue != NULL)
	{
	free(dynamicprofiledata->rfcvalue);
	}
	if (dynamicprofiledata->command != NULL)
	{
	free(dynamicprofiledata->command);
	}
	free(dynamicprofiledata);
	}
	if (staticprofiledata != NULL)
	{
	if (staticprofiledata->rfcvalue != NULL)
	{
	free(staticprofiledata->rfcvalue);
	}
	if (staticprofiledata->command != NULL)
	{
	free(staticprofiledata->command);
	}
	free(staticprofiledata);
	}
	free(pIssueNode); // free issue node struct on realloc failure
	return;

[Copilot]

Critical memory leak when realloc fails. Both staticprofiledata and dynamicprofiledata contain allocated memory (rfcvalue and command fields) that must be freed when realloc fails. The current code only frees pIssueNode. Add cleanup code similar to lines 212-220 here to free both profile data structures and their members. Additionally, staticprofiledata->command should be freed since realloc failure means the old pointer is still valid.

[github-actions]

Code Coverage Summary

                               Total:|83.2%   5126|97.6%  1301|    -      0

[github-actions]

Code Coverage Summary

                               Total:|83.0%   5136|97.6%  1301|    -      0

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (1)

src/rrdInterface.c:348

• dataMsg is freed only in the empty-message branch. In the non-empty case, dataMsg is passed to pushIssueTypesToMsgQueue and never freed anywhere in the current flow, which leaks per event. Either make pushIssueTypesToMsgQueue deep-copy the string so the caller can always free dataMsg, or ensure the consumer frees the message buffer after processing (but keep ownership consistent to avoid double-free).

    strncpy(dataMsg, rbusValue_GetString(value, NULL), len-1);
    dataMsg[len-1]='\0';

    if (dataMsg[0] == '\0' || len <= 0  )
    {
        RDK_LOG(RDK_LOG_DEBUG,LOG_REMDEBUG,"[%s:%d]: Message Received is empty, Exit Processing!!! \n", __FUNCTION__, __LINE__);
        free(dataMsg);
    }
    else
    {
        pushIssueTypesToMsgQueue(dataMsg, EVENT_MSG);
    }

[Copilot]

In the dynamicprofiledata == NULL path, pIssueNode is freed but pIssueNode->Node / pIssueNode->subNode allocated by getIssueInfo() are not freed, which leaks memory on this early-exit path. Free the node strings (when non-null) before freeing pIssueNode, or centralize cleanup in a helper.

[Copilot]

The realloc failure branch frees dynamicprofiledata/pIssueNode, but execution continues after the if (appendcommandstr == NULL) block and later unconditionally frees dynamicprofiledata again ("Free dynamicprofiledata after use"), which can lead to a double-free. Add an early return/goto-cleanup after handling realloc failure, and ensure dynamicprofiledata is freed exactly once.

[Copilot]

In the staticprofiledata == NULL path, pIssueNode is freed but its Node/subNode members allocated by getIssueInfo() are not freed, causing a leak. Free pIssueNode->Node and pIssueNode->subNode (if set) before freeing pIssueNode here.

[Copilot]

pushIssueTypesToMsgQueue allocates sbuf and enqueues it, but there is no corresponding free of sbuf/sbuf->mdata in the consumer path (and this function does not free it either). Adding /* coverity[leaked_storage] */ here suppresses a real unbounded leak in a long-running daemon. Prefer defining clear ownership and freeing the message buffer after processing (e.g., call RRD_data_buff_deAlloc in the receiver thread once processing is complete, or make the queue payload a deep copy and free the original here).

[Copilot]

In _rdmDownloadEventHandler, sendbuf is heap-allocated and passed to RRDMsgDeliver, but there is no matching deallocation shown for sendbuf after the message is processed. The added /* coverity[leaked_storage] */ suppression doesn’t address the underlying leak. Please establish where ownership is released (e.g., free in the receiver after handling the message, or change the queue to transmit a copy rather than a pointer).

[Copilot]

ReturnsValidStruct now asserts result == nullptr, but the test JSON includes "kill" and the Sanity.Check.Commands list contains "kill", so getIssueCommandInfo correctly returns NULL (harmful command). Either rename the test to reflect the harmful-command case, or update the JSON to use a non-harmful command and assert result != nullptr. Also ensure root is deleted (and result freed when non-null) to avoid leaking test allocations.

[rdkcmf-jenkins]

Coverity issue no longer present as of: undefined

Show issue

Coverity Issue - Read from pointer after free

Dereferencing freed pointer "dynamicprofiledata".

High Impact, CWE-416
USE_AFTER_FREE

[rdkcmf-jenkins]

Coverity issue no longer present as of: undefined

Show issue

Coverity Issue - Dereference before null check

Null-checking "staticprofiledata->command" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.

Medium Impact, CWE-476
REVERSE_INULL

[rdkcmf-jenkins]

Coverity issue no longer present as of: undefined

Show issue

Coverity Issue - Dereference before null check

Null-checking "dynamicprofiledata->command" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.

Medium Impact, CWE-476
REVERSE_INULL

[github-actions]

Code Coverage Summary

                               Total:|83.1%   5132|97.6%  1301|    -      0

[github-actions]

Code Coverage Summary

                               Total:|82.8%   5148|97.6%  1301|    -      0

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

[Copilot]

When staticprofiledata == NULL, the code frees dynamicprofiledata and pIssueNode (struct) but does not free pIssueNode->Node/subNode (which are still allocated in this path) and does not clean up the incoming rbuf message buffer. This leaves leaks on the failure path; add a cleanup that frees the issue node members and the message buffer when you can’t proceed.

[Copilot]

processAllDebugCommand no longer frees rfcbuf (to avoid a double-free from checkIssueNodeInfo), but the function’s doc comment still doesn’t state the ownership contract, and existing unit tests pass a strdup’d buffer without freeing it. Please update the function/header documentation to explicitly say the caller owns rfcbuf (and ensure tests/callers free it accordingly).

Suggested change

	// Note: rfcbuf is owned by caller and will be freed there
	// Note: rfcbuf is owned by the caller; this function must not free it.
	// The caller is responsible for freeing rfcbuf after this function returns.

[Copilot]

In the append-mode path, checkIssueNodeInfo(..., appendprofiledata) calls executeCommands(appendprofiledata), and executeCommands frees the passed issueData in non-test builds. Freeing staticprofiledata here will double-free/use-after-free in production. Avoid freeing staticprofiledata after checkIssueNodeInfo (or change ownership so executeCommands doesn’t free its input) and ensure the pointer is not reused.

Suggested change

	// Free staticprofiledata after use (only if not already freed)
	if (staticprofiledata != NULL)
	{
	if (staticprofiledata->rfcvalue != NULL)
	{
	free(staticprofiledata->rfcvalue);
	}
	if (staticprofiledata->command != NULL)
	{
	free(staticprofiledata->command);
	}
	free(staticprofiledata);
	}
	/*
	* Do not free staticprofiledata here.
	* Ownership is transferred to checkIssueNodeInfo/executeCommands,
	* which frees issueData in non-test builds. Freeing it again here
	* would cause a double free/use-after-free.
	*/
	staticprofiledata = NULL;

[Copilot]

When dynamicprofiledata == NULL, the code frees only pIssueNode (struct) and returns to the caller without freeing the node members (pIssueNode->Node / pIssueNode->subNode) or the incoming rbuf data. processIssueTypeInDynamicProfileappend can return NULL without calling RRDRdmManagerDownloadRequest (e.g., allocation failure or issue not found), so the members will leak in those cases. Ensure consistent ownership/cleanup here (free members + struct, and free the message buffer if it won’t be processed further).

[rdkcmf-jenkins]

Coverity issue no longer present as of: undefined

Show issue

Coverity Issue - Dereference before null check

Null-checking "staticprofiledata->command" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.

Medium Impact, CWE-476
REVERSE_INULL

[rdkcmf-jenkins]

Coverity issue no longer present as of: undefined

Show issue

Coverity Issue - Dereference before null check

Null-checking "dynamicprofiledata->command" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.

Medium Impact, CWE-476
REVERSE_INULL

[github-actions]

Code Coverage Summary

                               Total:|82.7%   5157|97.6%  1301|    -      0

[nhanasi]

can u check dynamic test on RDKB and RDKE?

[nhanasi]

Not needed as we go for dynamic download