- Type: Bug
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: libmongoc

A common pattern for functions in libmongoc is to return a boolean and have an out parameter bson_error_t. If the return value is false, callers can assume the bson_error_t was set. In the past, we've discovered bugs due to code not abiding by this contract (e.g. CDRIVER-3332).
The following appear to be cases where functions return false without setting the out bson_error_t param when they should:
- mongoc_cmd_parts_append_opts
- multiple returns in _mongoc_host_list_from_string_with_err
- mongoc_stream_tls_openssl_handshake
- mongoc_topology_scanner_node_connect_unix
- mongoc_uri_apply_options
Instances were found using this CodeQL query and skimming through the 54 results:
```ql
import cpp

from Function f, Parameter err, ReturnStmt r
where
  // Check that f has a bson_error_t * output parameter.
  err.getType().getName() = "bson_error_t *" and
  err.getFunction() = f and
  // And that f returns a boolean
  f.getType().getName() = "bool" and
  // And there is a return false;
  r.getExpr().(Literal).getValue().toInt() = 0 and
  r.getEnclosingFunction() = f and
  // not a call to bson_set_error in the same block.
  not exists (FunctionCall fc |
    fc.getTarget().getQualifiedName() = "bson_set_error" and
    r.getEnclosingBlock() = fc.getEnclosingBlock()
  ) and
  // not a call to a function taking a bson_error_t in the same block.
  not exists (FunctionCall fc, Parameter arg |
    arg.getName() = err.getName() and
    arg.getFunction() = fc.getTarget() and
    r.getEnclosingBlock() = fc.getEnclosingBlock()
  ) and
  // no call to a function in an if condition containing
  not exists (FunctionCall fc, Parameter arg, IfStmt ifstmt |
    arg.getName() = err.getName() and
    arg.getFunction() = fc.getTarget() and
    fc.getParent*() = ifstmt.getCondition() and
    r.getParent*() = ifstmt.getThen()
  )
  // Not a call to bson_set_error in the if condition of the nested block
select r, f
```
Can be run here (or locally): https://lgtm.com/query/8792356789210846853/
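
The contract described in this ticket, as an added C example that is not libmongoc code: `demo_error_t`, `demo_set_error`, `parse_buggy`, `parse_fixed` and `violates_contract` are hypothetical names, the first two standing in for `bson_error_t` and `bson_set_error` so the block builds without libbson. It puts one silent `return false` beside its fix, with a test-time check that poisons the error before the call so a silent failure path is detectable.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for bson_error_t / bson_set_error so this builds without libbson. */
typedef struct { uint32_t domain, code; char message[504]; } demo_error_t;

static void demo_set_error (demo_error_t *e, uint32_t code, const char *fmt, ...) {
   va_list ap;
   e->domain = 1; e->code = code;
   va_start (ap, fmt);
   vsnprintf (e->message, sizeof e->message, fmt, ap);
   va_end (ap);
}

/* Hypothetical "host:port" parser with the defect: the range check fails silently. */
bool parse_buggy (const char *s, long *port, demo_error_t *error) {
   const char *colon = strchr (s, ':');
   if (!colon) { demo_set_error (error, 1, "no ':' in \"%s\"", s); return false; }
   *port = strtol (colon + 1, NULL, 10);
   if (*port < 1 || *port > 65535) return false; /* error left as the caller passed it */
   return true;
}

/* Fixed form: every `return false` is preceded by a call that fills in the error. */
bool parse_fixed (const char *s, long *port, demo_error_t *error) {
   const char *colon = strchr (s, ':');
   if (!colon) { demo_set_error (error, 1, "no ':' in \"%s\"", s); return false; }
   *port = strtol (colon + 1, NULL, 10);
   if (*port < 1 || *port > 65535) { demo_set_error (error, 2, "bad port in \"%s\"", s); return false; }
   return true;
}

/* Test-time check: poison the error, call fn, flag a false return that left it poisoned. */
bool violates_contract (bool (*fn) (const char *, long *, demo_error_t *), const char *input) {
   demo_error_t err;
   long port = 0;
   memset (&err, 0xA5, sizeof err);
   return !fn (input, &port, &err) && err.domain == 0xA5A5A5A5u && err.code == 0xA5A5A5A5u;
}

int main (void) {
   printf ("buggy=%d fixed=%d\n", violates_contract (parse_buggy, "h:99999"), violates_contract (parse_fixed, "h:99999"));
   return 0;
}
```

The poison check only exercises paths the chosen inputs reach, so it complements the static query rather than replacing it.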
- is related to: CDRIVER-3332 Kerberos auth with Windows SSPI broken with pooled client (Closed)