[PATCH] udp: Provide dummy iov in udp_peek_addr() to avoid Coverity warning

[PATCH] udp: Provide dummy iov in udp_peek_addr() to avoid Coverity warning

[Jon Maloy]

udp_peek_addr() initialises struct msghdr without setting msg_iov,
leaving it implicitly NULL.  Coverity flags this as FORWARD_NULL,
believing recvmsg() will dereference the NULL pointer.

In practice, msg_iovlen being zero means the kernel never touches
msg_iov, so the warning is a false positive.  We now provide a
one-byte dummy iov to make msg_iov non-NULL, hence suppressing this
warning without changing the function's behaviour.

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
 udp.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/udp.c b/udp.c
index c28d6ee2..f648cb8b 100644
--- a/udp.c
+++ b/udp.c
@@ -734,9 +734,16 @@ static int udp_peek_addr(int s, union sockaddr_inany *src,
 {
 	char sastr[SOCKADDR_STRLEN], dstr[INANY_ADDRSTRLEN];
 	char cmsg[PKTINFO_SPACE];
+	char dummy;
+	struct iovec iov = {
+		.iov_base = &dummy,
+		.iov_len = sizeof(dummy),
+	};
 	struct msghdr msg = {
 		.msg_name = src,
 		.msg_namelen = sizeof(*src),
+		.msg_iov = &iov,
+		.msg_iovlen = 1,
 		.msg_control = cmsg,
 		.msg_controllen = sizeof(cmsg),
 	};
-- 
2.52.0

Re: [PATCH] udp: Provide dummy iov in udp_peek_addr() to avoid Coverity warning

[David Gibson]

[-- Attachment #1: Type: text/plain, Size: 2552 bytes --]

On Sun, May 31, 2026 at 04:20:27PM -0400, Jon Maloy wrote:
> udp_peek_addr() initialises struct msghdr without setting msg_iov,
> leaving it implicitly NULL.  Coverity flags this as FORWARD_NULL,
> believing recvmsg() will dereference the NULL pointer.
> 
> In practice, msg_iovlen being zero means the kernel never touches
> msg_iov, so the warning is a false positive.  We now provide a
> one-byte dummy iov to make msg_iov non-NULL, hence suppressing this
> warning without changing the function's behaviour.
> 
> Signed-off-by: Jon Maloy <jmaloy@redhat.com>

Oof.  I mean, yes, it's worth some amount of code ugliness to prevent
Coverity warnings, but this is definitely on the high end of that
ugliness.  This doesn't have zero runtime cost, since it requires
extra stack jiggery pokery to set up.

The question is how to do it better without explicit Coverity
suppressions or at least mentioning Coverity in line.  This isn't
quite as similar to an existing workaround as I initially thought.
The triggering situation is similar the one handled by #ifdef VALGRIND
in tcp.c + test/valgrind.supp, but that doesn't really help us

Arguably this is a Coverity defect - it should be able to see that
msg_iovlen is statically zero and accept this.  So there's some hope
of the error just going away in future.  Not sure whether that's
likely, or if we can do anything to expedite it.

Hrm.  We don't want to reference Coverity in the code for an explicit
suppression, so I guess using a #if conditional on coverity would have
the same problem.  Could we use a conditional but not refer
specifically to which static checker it's working around?

> ---
>  udp.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/udp.c b/udp.c
> index c28d6ee2..f648cb8b 100644
> --- a/udp.c
> +++ b/udp.c
> @@ -734,9 +734,16 @@ static int udp_peek_addr(int s, union sockaddr_inany *src,
>  {
>  	char sastr[SOCKADDR_STRLEN], dstr[INANY_ADDRSTRLEN];
>  	char cmsg[PKTINFO_SPACE];
> +	char dummy;
> +	struct iovec iov = {
> +		.iov_base = &dummy,
> +		.iov_len = sizeof(dummy),
> +	};
>  	struct msghdr msg = {
>  		.msg_name = src,
>  		.msg_namelen = sizeof(*src),
> +		.msg_iov = &iov,
> +		.msg_iovlen = 1,
>  		.msg_control = cmsg,
>  		.msg_controllen = sizeof(cmsg),
>  	};
> -- 
> 2.52.0
> 

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]