[PATCH v2] udp: Provide dummy iov in udp_peek_addr() to avoid Coverity warning

[PATCH v2] udp: Provide dummy iov in udp_peek_addr() to avoid Coverity warning

[Jon Maloy]

udp_peek_addr() initialises struct msghdr without setting msg_iov,
leaving it implicitly NULL.  Coverity flags this as FORWARD_NULL,
believing recvmsg() will dereference the NULL pointer.

In practice, msg_iovlen being zero means the kernel never touches
msg_iov, so the warning is a false positive.  We now provide a
one-byte dummy iov to make msg_iov non-NULL, hence suppressing this
warning without changing the function's behaviour.

Signed-off-by: Jon Maloy <jmaloy@redhat.com>

----
v2: - Make the dummy iov conditional on an ANALYZER macro, so it has
      zero runtime cost in production builds.
    - Add a new 'analyzer' Makefile target (similar to 'valgrind')
      that defines ANALYZER via CPPFLAGS for use with static analysis
      builds.
---
 Makefile |  3 +++
 udp.c    | 11 +++++++++++
 2 files changed, 14 insertions(+)

diff --git a/Makefile b/Makefile
index 0a0a60b0..4dcf4cd1 100644
--- a/Makefile
+++ b/Makefile
@@ -122,6 +122,9 @@ passt-repair: $(PASST_REPAIR_SRCS) $(PASST_REPAIR_HEADERS) seccomp_repair.h
 pesto: BASE_CPPFLAGS += -DPESTO
 pesto: $(PESTO_SRCS) $(PESTO_HEADERS) seccomp_pesto.h
 
+analyzer: BASE_CPPFLAGS += -DANALYZER
+analyzer: all
+
 valgrind: EXTRA_SYSCALLS += rt_sigprocmask rt_sigtimedwait rt_sigaction	\
 			    rt_sigreturn getpid gettid kill clock_gettime \
 			    mmap|mmap2 munmap open unlink gettimeofday futex \
diff --git a/udp.c b/udp.c
index c28d6ee2..36c8c070 100644
--- a/udp.c
+++ b/udp.c
@@ -734,9 +734,20 @@ static int udp_peek_addr(int s, union sockaddr_inany *src,
 {
 	char sastr[SOCKADDR_STRLEN], dstr[INANY_ADDRSTRLEN];
 	char cmsg[PKTINFO_SPACE];
+#ifdef ANALYZER
+	char dummy;
+	struct iovec iov = {
+		.iov_base = &dummy,
+		.iov_len = sizeof(dummy),
+	};
+#endif /* ANALYZER */
 	struct msghdr msg = {
 		.msg_name = src,
 		.msg_namelen = sizeof(*src),
+#ifdef ANALYZER
+		.msg_iov = &iov,
+		.msg_iovlen = 1,
+#endif /* ANALYZER */
 		.msg_control = cmsg,
 		.msg_controllen = sizeof(cmsg),
 	};
-- 
2.52.0

Re: [PATCH v2] udp: Provide dummy iov in udp_peek_addr() to avoid Coverity warning

[David Gibson]

[-- Attachment #1: Type: text/plain, Size: 2827 bytes --]

On Sun, Jun 07, 2026 at 08:50:26PM -0400, Jon Maloy wrote:
> udp_peek_addr() initialises struct msghdr without setting msg_iov,
> leaving it implicitly NULL.  Coverity flags this as FORWARD_NULL,
> believing recvmsg() will dereference the NULL pointer.
> 
> In practice, msg_iovlen being zero means the kernel never touches
> msg_iov, so the warning is a false positive.  We now provide a
> one-byte dummy iov to make msg_iov non-NULL, hence suppressing this
> warning without changing the function's behaviour.
> 
> Signed-off-by: Jon Maloy <jmaloy@redhat.com>

Following on from our discussion yesterday.  Although this is based on
my suggestion, I'm now inclined to believe v1 is marginally less ugly.

Fwiw, I double checked the code and can now confirm that this is only
called for packets arriving on a "listening" socket, rather than a
flow-specific socket.  Typically that will only be once, or at worst a
handful of times, per flow.

> 
> ----
> v2: - Make the dummy iov conditional on an ANALYZER macro, so it has
>       zero runtime cost in production builds.
>     - Add a new 'analyzer' Makefile target (similar to 'valgrind')
>       that defines ANALYZER via CPPFLAGS for use with static analysis
>       builds.
> ---
>  Makefile |  3 +++
>  udp.c    | 11 +++++++++++
>  2 files changed, 14 insertions(+)
> 
> diff --git a/Makefile b/Makefile
> index 0a0a60b0..4dcf4cd1 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -122,6 +122,9 @@ passt-repair: $(PASST_REPAIR_SRCS) $(PASST_REPAIR_HEADERS) seccomp_repair.h
>  pesto: BASE_CPPFLAGS += -DPESTO
>  pesto: $(PESTO_SRCS) $(PESTO_HEADERS) seccomp_pesto.h
>  
> +analyzer: BASE_CPPFLAGS += -DANALYZER
> +analyzer: all
> +
>  valgrind: EXTRA_SYSCALLS += rt_sigprocmask rt_sigtimedwait rt_sigaction	\
>  			    rt_sigreturn getpid gettid kill clock_gettime \
>  			    mmap|mmap2 munmap open unlink gettimeofday futex \
> diff --git a/udp.c b/udp.c
> index c28d6ee2..36c8c070 100644
> --- a/udp.c
> +++ b/udp.c
> @@ -734,9 +734,20 @@ static int udp_peek_addr(int s, union sockaddr_inany *src,
>  {
>  	char sastr[SOCKADDR_STRLEN], dstr[INANY_ADDRSTRLEN];
>  	char cmsg[PKTINFO_SPACE];
> +#ifdef ANALYZER
> +	char dummy;
> +	struct iovec iov = {
> +		.iov_base = &dummy,
> +		.iov_len = sizeof(dummy),
> +	};
> +#endif /* ANALYZER */
>  	struct msghdr msg = {
>  		.msg_name = src,
>  		.msg_namelen = sizeof(*src),
> +#ifdef ANALYZER
> +		.msg_iov = &iov,
> +		.msg_iovlen = 1,
> +#endif /* ANALYZER */
>  		.msg_control = cmsg,
>  		.msg_controllen = sizeof(cmsg),
>  	};
> -- 
> 2.52.0
> 
> 

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]