Check for negative return value of read, write and lseek instead of -1

millert · millert · commit a27b989c9c38 · 2025-01-16T19:46:15.000-07:00
The return values are used in ways that assume they are positive.
In practice, it is not possible to have a negative return value
other than -1 due to the size of the buffers being read from or
written to.  Also add overflow checks when updating the buffer len.
Quiets several coverity warnings.
diff --git a/lib/fuzzstub/fuzzstub.c b/lib/fuzzstub/fuzzstub.c
@@ -104,7 +104,7 @@ main(int argc, char *argv[])
 	}
 	nread = read(fd, buf, filesize);
 	if ((size_t)nread != filesize) {
-	    if (nread == -1)
+	    if (nread < 0)
 		fprintf(stderr, "read %s: %s\n", arg, strerror(errno));
 	    else
 		fprintf(stderr, "read %s: short read\n", arg);
diff --git a/lib/iolog/iolog_nextid.c b/lib/iolog/iolog_nextid.c
@@ -107,7 +107,7 @@ iolog_nextid(const char *iolog_dir, char sessid[7])
     /* Read current seq number (base 36). */
     nread = read(fd, buf, sizeof(buf) - 1);
     if (nread != 0) {
-	if (nread == -1) {
+	if (nread < 0) {
 	    goto done;
 	}
 	if (buf[nread - 1] == '\n')
diff --git a/lib/iolog/regress/iolog_filter/check_iolog_filter.c b/lib/iolog/regress/iolog_filter/check_iolog_filter.c
@@ -138,7 +138,7 @@ main(int argc, char *argv[])
 
 	    nread = read(fd, tbuf, timing.u.nbytes);
 	    if ((size_t)nread != timing.u.nbytes) {
-		if (nread == -1)
+		if (nread < 0)
 		    sudo_warn("%s/%s", argv[i], name);
 		else
 		    sudo_warnx("%s/%s: short read", argv[i], name);
@@ -155,8 +155,8 @@ main(int argc, char *argv[])
 
 	    if (timing.event == IO_EVENT_TTYIN) {
 		nread = read(ttyin_ok_fd, fbuf, timing.u.nbytes);
-		if (nread == -1) {
-		    if (nread == -1)
+		if ((size_t)nread != timing.u.nbytes) {
+		    if (nread < 0)
 			sudo_warn("%s/ttyin.filtered", argv[i]);
 		    else
 			sudo_warnx("%s/ttyin.filtered: short read", argv[i]);
diff --git a/lib/util/event.c b/lib/util/event.c
@@ -154,7 +154,7 @@ signal_pipe_cb(int fd, int what, void *v)
 	sudo_debug_printf(SUDO_DEBUG_INFO,
 	    "%s: received signal %d", __func__, (int)ch);
     }
-    if (nread == -1 && errno != EAGAIN) {
+    if (nread < 0 && errno != EAGAIN) {
 	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
 	    "%s: error reading from signal pipe fd %d", __func__, fd);
     }
diff --git a/lib/util/regress/fuzz/fuzz_sudo_conf.c b/lib/util/regress/fuzz/fuzz_sudo_conf.c
@@ -85,7 +85,7 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     if (fd == -1)
 	return 0;
     nwritten = write(fd, data, size);
-    if (nwritten == -1) {
+    if ((size_t)nwritten != size) {
 	close(fd);
 	return 0;
     }
diff --git a/logsrvd/logsrvd.c b/logsrvd/logsrvd.c
@@ -969,13 +969,17 @@ server_msg_cb(int fd, int what, void *v)
     } else
 #endif
     {
-	nwritten = (size_t)write(fd, buf->data + buf->off, buf->len - buf->off);
+	const ssize_t n = write(fd, buf->data + buf->off, buf->len - buf->off);
+	if (n < 0) {
+	    if (errno == EAGAIN || errno == EINTR)
+		debug_return;
+	    sudo_warn("%s: write", closure->ipaddr);
+	    goto finished;
+	}
+	nwritten = (size_t)n;
     }
-
-    if (nwritten == (size_t)-1) {
-	if (errno == EAGAIN || errno == EINTR)
-	    debug_return;
-	sudo_warn("%s: write", closure->ipaddr);
+    if (nwritten > SIZE_MAX - buf->off) {
+	sudo_warnx(U_("internal error, %s overflow"), __func__);
 	goto finished;
     }
     buf->off += nwritten;
@@ -1082,25 +1086,28 @@ client_msg_cb(int fd, int what, void *v)
     } else
 #endif
     {
-        nread = (size_t)read(fd, buf->data + buf->len, buf->size - buf->len);
+	const ssize_t n = read(fd, buf->data + buf->len, buf->size - buf->len);
+	if (n < 0) {
+	    if (errno == EAGAIN || errno == EINTR)
+		debug_return;
+	    sudo_warn("%s: read", closure->ipaddr);
+	    goto close_connection;
+	}
+        nread = (size_t)n;
     }
 
     sudo_debug_printf(SUDO_DEBUG_INFO, "%s: received %zd bytes from client %s",
 	__func__, nread, closure->ipaddr);
-    switch (nread) {
-    case (size_t)-1:
-	if (errno == EAGAIN || errno == EINTR)
-	    debug_return;
-	sudo_warn("%s: read", closure->ipaddr);
-	goto close_connection;
-    case 0:
+    if (nread == 0) {
         if (closure->state != FINISHED) {
             sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
                 "unexpected EOF");
         }
         goto close_connection;
-    default:
-	break;
+    }
+    if (nread > SIZE_MAX - buf->len) {
+	sudo_warnx(U_("internal error, %s overflow"), __func__);
+        goto close_connection;
     }
     buf->len += nread;
 
diff --git a/logsrvd/logsrvd_local.c b/logsrvd/logsrvd_local.c
@@ -376,7 +376,7 @@ store_exit_info_json(int dfd, struct eventlog *evlog)
     iov[1].iov_len = sudo_json_get_len(&jsonc);
     iov[2].iov_base = (char *)"\n}\n";
     iov[2].iov_len = 3;
-    if (writev(fd, iov, 3) == -1) {
+    if (writev(fd, iov, 3) < 0) {
 	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
 	    "unable to write %s/log.json", evlog->iolog_path);
 	/* Back up and try to restore to original state. */
diff --git a/logsrvd/logsrvd_relay.c b/logsrvd/logsrvd_relay.c
@@ -798,23 +798,26 @@ relay_server_msg_cb(int fd, int what, void *v)
     } else
 #endif
     {
+	ssize_t n;
+
 	sudo_debug_printf(SUDO_DEBUG_INFO,
 	    "%s: ServerMessage from relay %s (%s)", __func__,
 	    relay_closure->relay_name.name, relay_closure->relay_name.ipaddr);
-	nread = (size_t)read(fd, buf->data + buf->len, buf->size - buf->len);
+	n = read(fd, buf->data + buf->len, buf->size - buf->len);
+	if (n < 0) {
+	    if (errno == EAGAIN || errno == EINTR)
+		debug_return;
+	    sudo_warn("%s: read", relay_closure->relay_name.ipaddr);
+	    closure->errstr = _("error reading from relay");
+	    goto send_error;
+	}
+	nread = (size_t)n;
     }
 
     sudo_debug_printf(SUDO_DEBUG_INFO,
 	"%s: received %zd bytes from relay %s (%s)", __func__, nread,
 	relay_closure->relay_name.name, relay_closure->relay_name.ipaddr);
-    switch (nread) {
-    case (size_t)-1:
-	if (errno == EAGAIN || errno == EINTR)
-	    debug_return;
-	sudo_warn("%s: read", relay_closure->relay_name.ipaddr);
-	closure->errstr = _("unable to read from relay");
-	goto send_error;
-    case 0:
+    if (nread == 0) {
 	/* EOF from relay server, close the socket. */
 	shutdown(relay_closure->sock, SHUT_RDWR);
 	close(relay_closure->sock);
@@ -833,8 +836,11 @@ relay_server_msg_cb(int fd, int what, void *v)
 	if (closure->sock == -1)
 	    connection_close(closure);
 	debug_return;
-    default:
-	break;
+    }
+    if (nread > SIZE_MAX - buf->len) {
+	sudo_warnx(U_("internal error, %s overflow"), __func__);
+	closure->errstr = _("error reading from relay");
+	goto send_error;
     }
     buf->len += nread;
 
@@ -979,14 +985,20 @@ relay_client_msg_cb(int fd, int what, void *v)
     } else
 #endif
     {
-	nwritten = (size_t)write(fd, buf->data + buf->off, buf->len - buf->off);
-	if (nwritten == (size_t)-1) {
+	const ssize_t n = write(fd, buf->data + buf->off, buf->len - buf->off);
+	if (n < 0) {
 	    if (errno == EAGAIN || errno == EINTR)
 		debug_return;
 	    sudo_warn("%s: write", relay_closure->relay_name.ipaddr);
 	    closure->errstr = _("error writing to relay");
 	    goto send_error;
 	}
+	nwritten = (size_t)n;
+    }
+    if (nwritten > SIZE_MAX - buf->off) {
+	sudo_warnx(U_("internal error, %s overflow"), __func__);
+	closure->errstr = _("error writing to relay");
+	goto send_error;
     }
     buf->off += nwritten;
 
diff --git a/logsrvd/regress/fuzz/fuzz_logsrvd_conf.c b/logsrvd/regress/fuzz/fuzz_logsrvd_conf.c
@@ -193,7 +193,7 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     if (fd == -1)
 	return 0;
     nwritten = write(fd, data, size);
-    if (nwritten == -1) {
+    if ((size_t)nwritten != size) {
 	close(fd);
 	return 0;
     }
diff --git a/logsrvd/sendlog.c b/logsrvd/sendlog.c
@@ -1370,23 +1370,28 @@ server_msg_cb(int fd, int what, void *v)
     } else
 #endif
     {
+	ssize_t n;
+
 	sudo_debug_printf(SUDO_DEBUG_INFO, "%s: reading ServerMessage", __func__);
-	nread = (size_t)read(fd, buf->data + buf->len, buf->size - buf->len);
+	n = read(fd, buf->data + buf->len, buf->size - buf->len);
+	if (n < 0) {
+	    if (errno == EAGAIN || errno == EINTR)
+		debug_return;
+	    sudo_warn("read");
+	    goto bad;
+	}
+	nread = (size_t)n;
     }
     sudo_debug_printf(SUDO_DEBUG_INFO, "%s: received %zd bytes from server",
 	__func__, nread);
-    switch (nread) {
-    case (size_t)-1:
-	if (errno == EAGAIN || errno == EINTR)
-	    debug_return;
-	sudo_warn("read");
-	goto bad;
-    case 0:
+    if (nread == 0) {
 	if (closure->state != FINISHED)
 	    sudo_warnx("%s", U_("premature EOF"));
 	goto bad;
-    default:
-	break;
+    }
+    if (nread > SIZE_MAX - buf->len) {
+	sudo_warnx(U_("internal error, %s overflow"), __func__);
+	goto bad;
     }
     buf->len += nread;
 
@@ -1496,12 +1501,17 @@ client_msg_cb(int fd, int what, void *v)
     } else
 #endif
     {
-	nwritten = (size_t)write(fd, buf->data + buf->off, buf->len - buf->off);
+	const ssize_t n = write(fd, buf->data + buf->off, buf->len - buf->off);
+	if (n < 0) {
+	    if (errno == EAGAIN || errno == EINTR)
+		debug_return;
+	    sudo_warn("write");
+	    goto bad;
+	}
+	nwritten = (size_t)n;
     }
-    if (nwritten == (size_t)-1) {
-	if (errno == EAGAIN || errno == EINTR)
-	    debug_return;
-	sudo_warn("write");
+    if (nwritten > SIZE_MAX - buf->off) {
+	sudo_warnx(U_("internal error, %s overflow"), __func__);
 	goto bad;
     }
     buf->off += nwritten;
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
@@ -1293,21 +1293,27 @@ sudo_krb5_copy_cc_file(struct sudoers_context *ctx)
 			do {
 			    nwritten = write(nfd, buf + off,
 				(size_t)(nread - off));
-			    if (nwritten == -1) {
+			    if (nwritten < 0) {
 				sudo_warn("error writing to %s", new_ccname);
 				goto write_error;
 			    }
+			    if (nwritten > SSIZE_MAX - off) {
+				sudo_warnx(U_("internal error, %s overflow"),
+				    __func__);
+				nwritten = -1;
+				goto write_error;
+			    }
 			    off += nwritten;
 			} while (off < nread);
 		    }
-		    if (nread == -1)
+		    if (nread < 0)
 			sudo_warn("unable to read %s", new_ccname);
 write_error:
 		    close(nfd);
-		    if (nread != -1 && nwritten != -1) {
-			ret = new_ccname;	/* success! */
-		    } else {
+		    if (nread < 0 || nwritten < 0) {
 			unlink(new_ccname);	/* failed */
+		    } else {
+			ret = new_ccname;	/* success! */
 		    }
 		} else {
 		    sudo_warn("unable to create temp file %s", new_ccname);
diff --git a/plugins/sudoers/log_client.c b/plugins/sudoers/log_client.c
@@ -1791,21 +1791,24 @@ server_msg_cb(int fd, int what, void *v)
     } else
 #endif /* HAVE_OPENSSL */
     {
-        nread = (size_t)read(fd, buf->data + buf->len, buf->size - buf->len);
+	const ssize_t n = read(fd, buf->data + buf->len, buf->size - buf->len);
+	if (n < 0) {
+	    if (errno == EAGAIN)
+		debug_return;
+	    sudo_warn("read");
+	    goto bad;
+	}
+	nread = (size_t)n;
     }
     sudo_debug_printf(SUDO_DEBUG_INFO, "%s: received %zd bytes from server",
 	__func__, nread);
-    switch (nread) {
-    case (size_t)-1:
-	if (errno == EAGAIN)
-	    debug_return;
-	sudo_warn("read");
-	goto bad;
-    case 0:
+    if (nread == 0) {
 	sudo_warnx("%s", U_("lost connection to log server"));
 	goto bad;
-    default:
-	break;
+    }
+    if (nread > SIZE_MAX - buf->len) {
+	sudo_warnx(U_("internal error, %s overflow"), __func__);
+	goto bad;
     }
     buf->len += nread;
 
@@ -1928,11 +1931,15 @@ client_msg_cb(int fd, int what, void *v)
     } else
 #endif /* HAVE_OPENSSL */
     {
-        nwritten = (size_t)write(fd, buf->data + buf->off, buf->len - buf->off);
+	const ssize_t n = write(fd, buf->data + buf->off, buf->len - buf->off);
+	if (n < 0) {
+	    sudo_warn("send");
+	    goto bad;
+	}
+	nwritten = (size_t)n;
     }
-
-    if (nwritten == (size_t)-1) {
-	sudo_warn("send");
+    if (nwritten > SIZE_MAX - buf->off) {
+	sudo_warnx(U_("internal error, %s overflow"), __func__);
 	goto bad;
     }
     buf->off += nwritten;
diff --git a/plugins/sudoers/timestamp.c b/plugins/sudoers/timestamp.c
@@ -348,7 +348,7 @@ ts_write(const struct sudoers_context *ctx, int fd, const char *fname,
 	nwritten = pwrite(fd, entry, entry->size, offset);
     }
     if ((size_t)nwritten != entry->size) {
-	if (nwritten == -1) {
+	if (nwritten < 0) {
 	    log_warning(ctx, SLOG_SEND_MAIL,
 		N_("unable to write to %s"), fname);
 	} else {
diff --git a/plugins/sudoers/tsdump.c b/plugins/sudoers/tsdump.c
@@ -147,7 +147,7 @@ main(int argc, char *argv[])
 
 	if ((nread = read(fd, &cur, sizeof(cur))) == 0)
 	    break;
-	if (nread == -1)
+	if (nread < 0)
 	    sudo_fatal(U_("unable to read %s"), fname);
 
 	valid = valid_entry(&cur, pos);
diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c
@@ -510,15 +510,15 @@ edit_sudoers(struct sudoersfile *sp, char *editor, int editor_argc,
 
 	    (void) lseek(sp->fd, (off_t)0, SEEK_SET);
 	    while ((nread = read(sp->fd, buf, sizeof(buf))) > 0) {
-		if (write(tfd, buf, (size_t)nread) == -1)
+		if (write(tfd, buf, (size_t)nread) != nread)
 		    sudo_fatal("%s", U_("write error"));
 		lastch = buf[nread - 1];
 	    }
 
 	    /* Add missing newline at EOF if needed. */
 	    if (lastch != '\n') {
 		lastch = '\n';
-		if (write(tfd, &lastch, 1) == -1)
+		if (write(tfd, &lastch, 1) != 1)
 		    sudo_fatal("%s", U_("write error"));
 	    }
 	}
diff --git a/src/conversation.c b/src/conversation.c
diff --git a/src/copy_file.c b/src/copy_file.c
diff --git a/src/exec_monitor.c b/src/exec_monitor.c
diff --git a/src/exec_ptrace.c b/src/exec_ptrace.c
diff --git a/src/sudo_intercept_common.c b/src/sudo_intercept_common.c
diff --git a/src/tgetpass.c b/src/tgetpass.c
diff --git a/src/ttyname.c b/src/ttyname.c

Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,7 @@ main(int argc, char *argv[])`
`104`	`104`	`}`
`105`	`105`	`nread = read(fd, buf, filesize);`
`106`	`106`	`if ((size_t)nread != filesize) {`
`107`		`- if (nread == -1)`
	`107`	`+ if (nread < 0)`
`108`	`108`	`fprintf(stderr, "read %s: %s\n", arg, strerror(errno));`
`109`	`109`	`else`
`110`	`110`	`fprintf(stderr, "read %s: short read\n", arg);`
Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,7 @@ iolog_nextid(const char *iolog_dir, char sessid[7])`
`107`	`107`	`/* Read current seq number (base 36). */`
`108`	`108`	`nread = read(fd, buf, sizeof(buf) - 1);`
`109`	`109`	`if (nread != 0) {`
`110`		`- if (nread == -1) {`
	`110`	`+ if (nread < 0) {`
`111`	`111`	`goto done;`
`112`	`112`	`}`
`113`	`113`	`if (buf[nread - 1] == '\n')`
Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,7 @@ signal_pipe_cb(int fd, int what, void *v)`
`154`	`154`	`sudo_debug_printf(SUDO_DEBUG_INFO,`
`155`	`155`	`"%s: received signal %d", __func__, (int)ch);`
`156`	`156`	`}`
`157`		`- if (nread == -1 && errno != EAGAIN) {`
	`157`	`+ if (nread < 0 && errno != EAGAIN) {`
`158`	`158`	`sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_LINENO\|SUDO_DEBUG_ERRNO,`
`159`	`159`	`"%s: error reading from signal pipe fd %d", __func__, fd);`
`160`	`160`	`}`
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)`
`85`	`85`	`if (fd == -1)`
`86`	`86`	`return 0;`
`87`	`87`	`nwritten = write(fd, data, size);`
`88`		`- if (nwritten == -1) {`
	`88`	`+ if ((size_t)nwritten != size) {`
`89`	`89`	`close(fd);`
`90`	`90`	`return 0;`
`91`	`91`	`}`
Original file line number	Diff line number	Diff line change
`@@ -193,7 +193,7 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)`
`193`	`193`	`if (fd == -1)`
`194`	`194`	`return 0;`
`195`	`195`	`nwritten = write(fd, data, size);`
`196`		`- if (nwritten == -1) {`
	`196`	`+ if ((size_t)nwritten != size) {`
`197`	`197`	`close(fd);`
`198`	`198`	`return 0;`
`199`	`199`	`}`