check values returned by gmtime() and localtime()

While it is not expected to happen with any time that can be represented by the system clock, the functions are allowed to return NULL. Check the pointer before dereferencing. This issue was found in a Frama-C analysis.
2018-06-20 12:11:55 +02:00 · 2018-06-20 12:11:55 +02:00 · 63fe34e890
commit 63fe34e890
parent 85465afb62
3 changed files with 23 additions and 14 deletions
--- a/logging.c
+++ b/logging.c
@ -132,14 +132,16 @@ void LOG_Message(LOG_Severity severity,
  char buf[2048];
  va_list other_args;
  time_t t;
-  struct tm stm;
+  struct tm *tm;

  if (!system_log && file_log) {
    /* Don't clutter up syslog with timestamps and internal debugging info */
    time(&t);
-    stm = *gmtime(&t);
-    strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%SZ", &stm);
-    fprintf(file_log, "%s ", buf);
+    tm = gmtime(&t);
+    if (tm) {
+      strftime(buf, sizeof (buf), "%Y-%m-%dT%H:%M:%SZ", tm);
+      fprintf(file_log, "%s ", buf);
+    }
 #if DEBUG > 0
    if (debug_level >= DEBUG_LEVEL_PRINT_FUNCTION)
      fprintf(file_log, "%s:%d:(%s) ", filename, line_number, function_name);
--- a/reference.c
+++ b/reference.c
@ -528,7 +528,7 @@ maybe_log_offset(double offset, time_t now)
  double abs_offset;
  FILE *p;
  char buffer[BUFLEN], host[BUFLEN];
-  struct tm stm;
+  struct tm *tm;

  abs_offset = fabs(offset);

@ -547,9 +547,14 @@ maybe_log_offset(double offset, time_t now)
      }
      fprintf(p, "Subject: chronyd reports change to system clock on node [%s]\n", host);
      fputs("\n", p);
-      stm = *localtime(&now);
-      strftime(buffer, sizeof(buffer), "On %A, %d %B %Y\n  with the system clock reading %H:%M:%S (%Z)", &stm);
-      fputs(buffer, p);
+
+      tm = localtime(&now);
+      if (tm) {
+        strftime(buffer, sizeof (buffer),
+                 "On %A, %d %B %Y\n  with the system clock reading %H:%M:%S (%Z)", tm);
+        fputs(buffer, p);
+      }
+
      /* If offset < 0 the local clock is slow, so we are applying a
         positive change to it to bring it into line, hence the
         negation of 'offset' in the next statement (and earlier) */
--- a/rtc_linux.c
+++ b/rtc_linux.c
@ -352,7 +352,7 @@ rtc_from_t(const time_t *t)

 static time_t
 t_from_rtc(struct tm *stm) {
-  struct tm temp1, temp2;
+  struct tm temp1, temp2, *tm;
  long diff;
  time_t t1, t2;

@ -360,12 +360,14 @@ t_from_rtc(struct tm *stm) {
  temp1.tm_isdst = 0;
  
  t1 = mktime(&temp1);
-  if (rtc_on_utc) {
-    temp2 = *gmtime(&t1);
-  } else {
-    temp2 = *localtime(&t1);
+
+  tm = rtc_on_utc ? gmtime(&t1) : localtime(&t1);
+  if (!tm) {
+    DEBUG_LOG("gmtime()/localtime() failed");
+    return -1;
  }

+  temp2 = *tm;
  temp2.tm_isdst = 0;
  t2 = mktime(&temp2);
  diff = t2 - t1;