Fix time-of-check time-of-use bugs

Fixing 'bugs' of the pattern: 'assert(ptr != 0)' after 'ptr' was already dereferenced
memcached · Nov 23, 2021 · 75e4d57 · 75e4d57
1 parent b95ca35
commit 75e4d57
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 13 deletions.
diff --git a/memcached.c b/memcached.c
@@ -2319,8 +2319,8 @@ enum delta_result_type do_add_delta(conn *c, const char *key, const size_t nkey,
 }
 
 static int try_read_command_negotiate(conn *c) {
-    assert(c->protocol == negotiating_prot);
     assert(c != NULL);
+    assert(c->protocol == negotiating_prot);
     assert(c->rcurr <= (c->rbuf + c->rsize));
     assert(c->rbytes > 0);
 

diff --git a/proto_bin.c b/proto_bin.c
@@ -262,10 +262,10 @@ static void complete_incr_bin(conn *c, char *extbuf) {
     char tmpbuf[INCR_MAX_STORAGE_LEN];
     uint64_t cas = 0;
 
+    assert(c != NULL);
     protocol_binary_response_incr* rsp = (protocol_binary_response_incr*)c->resp->wbuf;
     protocol_binary_request_incr* req = (void *)extbuf;
 
-    assert(c != NULL);
     //assert(c->wsize >= sizeof(*rsp));
 
     /* fix byteorder in the request */
@@ -1283,11 +1283,10 @@ static void process_bin_delete(conn *c) {
     item *it;
     uint32_t hv;
 
+    assert(c != NULL);
     char* key = binary_get_key(c);
     size_t nkey = c->binary_header.request.keylen;
 
-    assert(c != NULL);
-
     if (settings.verbose > 1) {
         int ii;
         fprintf(stderr, "Deleting ");

diff --git a/proto_text.c b/proto_text.c
@@ -283,11 +283,10 @@ void complete_nread_ascii(conn *c) {
 static size_t tokenize_command(char *command, token_t *tokens, const size_t max_tokens) {
     char *s, *e;
     size_t ntokens = 0;
+    assert(command != NULL && tokens != NULL && max_tokens > 1);
     size_t len = strlen(command);
     unsigned int i = 0;
 
-    assert(command != NULL && tokens != NULL && max_tokens > 1);
-
     s = e = command;
     for (i = 0; i < len; i++) {
         if (*e == ' ') {
@@ -1059,10 +1058,10 @@ static void process_mget_command(conn *c, token_t *tokens, const size_t ntokens)
     bool won_token = false;
     bool ttl_set = false;
     char *errstr = "CLIENT_ERROR bad command line format";
+    assert(c != NULL);
     mc_resp *resp = c->resp;
     char *p = resp->wbuf;
 
-    assert(c != NULL);
     WANT_TOKENS_MIN(ntokens, 3);
 
     // FIXME: do we move this check to after preparse?
@@ -1360,10 +1359,10 @@ static void process_mset_command(conn *c, token_t *tokens, const size_t ntokens)
     char *errstr = "CLIENT_ERROR bad command line format";
     uint32_t hv; // cached hash value.
     int vlen = 0; // value from data line.
+    assert(c != NULL);
     mc_resp *resp = c->resp;
     char *p = resp->wbuf;
 
-    assert(c != NULL);
     WANT_TOKENS_MIN(ntokens, 3);
 
     // TODO: most of this is identical to mget.
@@ -1550,11 +1549,11 @@ static void process_mdelete_command(conn *c, token_t *tokens, const size_t ntoke
     uint32_t hv;
     struct _meta_flags of = {0}; // option bitflags.
     char *errstr = "CLIENT_ERROR bad command line format";
+    assert(c != NULL);
     mc_resp *resp = c->resp;
     // reserve 3 bytes for status code
     char *p = resp->wbuf + 3;
 
-    assert(c != NULL);
     WANT_TOKENS_MIN(ntokens, 3);
 
     // TODO: most of this is identical to mget.
@@ -1575,12 +1574,12 @@ static void process_mdelete_command(conn *c, token_t *tokens, const size_t ntoke
         out_errstring(c, "CLIENT_ERROR invalid or duplicate flag");
         return;
     }
+    assert(c != NULL);
     c->noreply = of.no_reply;
 
     key = tokens[KEY_TOKEN].value;
     nkey = tokens[KEY_TOKEN].length;
 
-    assert(c != NULL);
     for (i = KEY_TOKEN+1; i < ntokens-1; i++) {
         switch (tokens[i].value[0]) {
             // TODO: macro perhaps?
@@ -1680,6 +1679,7 @@ static void process_marithmetic_command(conn *c, token_t *tokens, const size_t n
     int i;
     struct _meta_flags of = {0}; // option bitflags.
     char *errstr = "CLIENT_ERROR bad command line format";
+    assert(c != NULL);
     mc_resp *resp = c->resp;
     // no reservation (like del/set) since we post-process the status line.
     char *p = resp->wbuf;
@@ -1692,7 +1692,6 @@ static void process_marithmetic_command(conn *c, token_t *tokens, const size_t n
     uint32_t hv = 0;
     item *it = NULL; // item returned by do_add_delta.
 
-    assert(c != NULL);
     WANT_TOKENS_MIN(ntokens, 3);
 
     // TODO: most of this is identical to mget.
@@ -1712,12 +1711,12 @@ static void process_marithmetic_command(conn *c, token_t *tokens, const size_t n
         out_errstring(c, "CLIENT_ERROR invalid or duplicate flag");
         return;
     }
+    assert(c != NULL);
     c->noreply = of.no_reply;
 
     key = tokens[KEY_TOKEN].value;
     nkey = tokens[KEY_TOKEN].length;
 
-    assert(c != NULL);
     // "mode switch" to alternative commands
     switch (of.mode) {
         case 0: // no switch supplied.

diff --git a/storage.c b/storage.c
@@ -379,9 +379,9 @@ static void recache_or_free(io_pending_t *pending) {
 
     conn *c = p->c;
     obj_io *io = &p->io_ctx;
+    assert(io != NULL);
     item *it = (item *)io->buf;
     assert(c != NULL);
-    assert(io != NULL);
     bool do_free = true;
     if (p->active) {
         // If request never dispatched, free the read buffer but leave the