RDK-60291 [telemetry] RDK Coverity Defect Resolution for Device Management

[madhubabutt]

No description provided.

[rdkcmf-jenkins]

Coverity Issue - Data race condition

A wait is performed without a loop. If there is a spurious wakeup, the condition may not be satisfied.

Medium Impact, CWE-none
BAD_CHECK_OF_WAIT_COND

How to fix

Check the wait condition in a loop, with the lock held. The lock must not be released between the condition and the wait.

Issue location

This issue was discovered outside the diff for this Pull Request. You can find it at:
source/bulkdata/profile.c:849

[rdkcmf-jenkins]

Coverity issue no longer present as of: undefined

Show issue

Coverity Issue - Data race condition

Accessing "profile->reportInProgress" without holding lock "_Profile.reuseThreadMutex". Elsewhere, "_Profile.reportInProgress" is written to with "_Profile.reuseThreadMutex" held 11 out of 11 times.

Medium Impact, CWE-366
MISSING_LOCK

[rdkcmf-jenkins]

Coverity issue no longer present as of: undefined

Show issue

Coverity Issue - Data race condition

A wait is performed without a loop. If there is a spurious wakeup, the condition may not be satisfied.

Medium Impact, CWE-none
BAD_CHECK_OF_WAIT_COND

How to fix

Check the wait condition in a loop, with the lock held. The lock must not be released between the condition and the wait.

[Copilot]

Pull request overview

This pull request addresses Coverity static analysis defects in the telemetry Device Management component, focusing on improving thread safety, error handling, and security practices.

Changes:

• Enhanced thread synchronization with proper mutex lock/unlock patterns and condition variable handling
• Added error checking for system calls (write, stat, fread, system) with appropriate error logging
• Fixed potential memory leaks in realloc usage by using temporary pointers
• Improved integer overflow protection when converting uint32_t to int
• Enhanced security by setting secure umask before mkstemp calls
• Replaced insecure rand() with /dev/urandom for better random number generation

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 28 comments.

Show a summary per file

File	Description
source/xconf-client/xconfclient.c	Improved mutex locking patterns for thread safety, added error handling for pipe write operations
source/utils/t2collection.c	Fixed potential integer underflow by checking for zero count before subtraction
source/utils/persistence.c	Added error checking for stat and fread system calls
source/scheduler/scheduler.c	Enhanced thread termination logic and improved mutex handling around sleep operations
source/reportgen/reportgen.c	Fixed potential memory leak in realloc by using temporary pointer
source/protocol/rbusMethod/rbusmethodinterface.c	Added missing mutex lock for thread-safe access to shared variable
source/dcautil/dca.c	Implemented secure temporary file creation with restrictive umask
source/commonlib/telemetry_busmessage_sender.c	Added null pointer check before string operations and proper variable initialization
source/bulkdata/t2eventreceiver.c	Improved thread synchronization and condition variable handling
source/bulkdata/reportprofiles.c	Added integer overflow protection when converting hashmap count to signed int
source/bulkdata/profile.c	Fixed lock ordering to prevent deadlocks and replaced rand() with /dev/urandom
source/bulkdata/datamodel.c	Enhanced thread safety with improved condition variable and mutex handling

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The do-while loop here will continue retrying even after pthread_cond_timedwait succeeds (returns 0). This breaks the intended behavior where the thread should wake up when signaled via pthread_cond_signal. The loop should only retry on spurious wakeups (when the return value is neither ETIMEDOUT nor 0), not when the call succeeds. Consider using while(n != ETIMEDOUT && n != 0 && n == EINTR) if you only want to handle spurious wakeups, or remove this do-while wrapper if spurious wakeup handling isn't necessary.

[Copilot]

The check for hashmap_count == UINT32_MAX is checking for an edge case that is unlikely to occur in practice and may not be the correct way to detect an error from hash_map_count. If hash_map_count returns UINT32_MAX to indicate an error (which would be unusual), this should be documented or verified. More importantly, when hashmap_count == 0, setting count = -1 is correct for the while loop condition while(count >= 0) to immediately exit, but the check should ensure this is the intended behavior. Consider adding a comment explaining why UINT32_MAX is checked.

[Copilot]

There is inconsistent indentation here. The line uses a tab character instead of spaces. This should be indented with spaces to match the project's coding style.

Suggested change

	if( clock_gettime(CLOCK_MONOTONIC, &_now) == -1 )
	if( clock_gettime(CLOCK_MONOTONIC, &_now) == -1 )

[Copilot]

There is inconsistent indentation here. Lines 666-674 use tab characters instead of spaces. This should be indented with spaces to match the project's coding style.

Suggested change

	// Unlock scMutex before sleeping to avoid holding lock during sleep
	if(pthread_mutex_unlock(&scMutex) != 0)
	{
	T2Error("scMutex unlock failed\n");
	return T2ERROR_FAILURE;
	}
	int count = 0;
	// Unlock scMutex before sleeping to avoid holding lock during sleep
	if(pthread_mutex_unlock(&scMutex) != 0)
	{
	T2Error("scMutex unlock failed\n");
	return T2ERROR_FAILURE;
	}
	int count = 0;

[Copilot]

There are trailing whitespace characters at the end of this line. Trailing whitespace should be removed to maintain code cleanliness.

Suggested change

	{
	{

[Copilot]

The do-while loop here will continue retrying even after pthread_cond_timedwait succeeds (returns 0). This breaks the intended behavior where the thread should wake up when signaled via pthread_cond_signal. The loop should only retry on spurious wakeups (when the return value is neither ETIMEDOUT nor 0), not when the call succeeds. Consider using while(n != ETIMEDOUT && n != 0 && n == EINTR) if you only want to handle spurious wakeups, or remove this do-while wrapper if spurious wakeup handling isn't necessary.

[Copilot]

The do-while loop here will continue retrying even after pthread_cond_timedwait succeeds (returns 0). This breaks the intended behavior where the thread should wake up when signaled via pthread_cond_signal. The loop should only retry on spurious wakeups (when the return value is neither ETIMEDOUT nor 0), not when the call succeeds. Consider using while(n != ETIMEDOUT && n != 0 && n == EINTR) if you only want to handle spurious wakeups, or remove this do-while wrapper if spurious wakeup handling isn't necessary.

Suggested change

	} while(n != ETIMEDOUT && n != 0);
	} while (n == EINTR);

[Copilot]

There is inconsistent indentation here. The line uses a tab character instead of spaces. This should be indented with spaces to match the project's coding style.

Suggested change

	//pthread_create(&xcrThread, NULL, getUpdatedConfigurationThread, NULL);
	//pthread_create(&xcrThread, NULL, getUpdatedConfigurationThread, NULL);

[Copilot]

There is inconsistent indentation here. Lines 208-214 use tab characters instead of spaces. This should be indented with spaces to match the project's coding style.

Suggested change

	bool shouldSignal = false;
	if(pthread_mutex_lock(&sTDMutex) == 0)
	{
	shouldSignal = !stopDispatchThread;
	pthread_mutex_unlock(&sTDMutex);
	}
	if(shouldSignal)
	bool shouldSignal = false;
	if(pthread_mutex_lock(&sTDMutex) == 0)
	{
	shouldSignal = !stopDispatchThread;
	pthread_mutex_unlock(&sTDMutex);
	}
	if(shouldSignal)

[Copilot]

There is inconsistent indentation here. Lines 556, 557, 559, 560, 564, and 565 use tab characters instead of spaces. This should be indented with spaces to match the project's coding style.

[rdkcmf-jenkins]

Coverity issue no longer present as of: undefined

Show issue

Coverity Issue - Logically dead code

Execution cannot reach this statement: "pthread_mutex_lock(&tmpRpMu...".

Medium Impact, CWE-561
DEADCODE

[rdkcmf-jenkins]

Coverity issue no longer present as of: undefined

Show issue

Coverity Issue - Resource leak

Variable "curl" going out of scope leaks the storage it points to.

High Impact, CWE-404
RESOURCE_LEAK

[rdkcmf-jenkins]

Coverity Issue - Thread deadlock

Calling "pthread_mutex_lock" acquires lock "sTDMutex" while holding lock "erMutex" (count: 1 / 2).

Medium Impact, CWE-833
ORDER_REVERSAL

[rdkcmf-jenkins]

Coverity Issue - Waiting while holding a lock

Call to "sendCachedReportsOverRBUSMethod" might sleep while holding lock "profile->reuseThreadMutex".

Medium Impact, CWE-667
SLEEP

Issue location

This issue was discovered outside the diff for this Pull Request. You can find it at:
source/bulkdata/profile.c:792

[rdkcmf-jenkins]

Coverity Issue - Thread deadlock

Calling "pthread_mutex_lock" acquires lock "sTDMutex" while holding lock "erMutex" (count: 1 / 2).

Medium Impact, CWE-833
ORDER_REVERSAL

[rdkcmf-jenkins]

Coverity Issue - Thread deadlock

Calling "pthread_mutex_lock" acquires lock "sTDMutex" while holding lock "erMutex" (count: 1 / 2).

Medium Impact, CWE-833
ORDER_REVERSAL

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Inconsistent use of tabs for indentation. The code appears to use spaces for indentation elsewhere. This should be consistent with the rest of the codebase.

Suggested change

	else if(n == 0)
	else if(n == 0)

[Copilot]

Similar to process_rp_thread, the condition variable wait loop checks shouldContinue but doesn't re-evaluate it after pthread_cond_wait returns. If stopProcessing is set while waiting, the thread will continue processing instead of exiting. The shouldContinue variable should be re-checked after pthread_cond_wait returns.

[Copilot]

Inconsistent use of tabs and spaces for indentation. The code appears to use spaces for indentation elsewhere, but tabs are used here. This should be consistent with the rest of the codebase.

Suggested change

	{
	n = pthread_cond_timedwait(&xcCond, &xcMutex, &_ts);
	}
	while(n == EINTR);
	{
	n = pthread_cond_timedwait(&xcCond, &xcMutex, &_ts);
	}
	while(n == EINTR);

[Copilot]

Inconsistent use of tabs for indentation. The code appears to use spaces for indentation elsewhere. This should be consistent with the rest of the codebase.

[Copilot]

Inconsistent use of tabs for indentation. The code appears to use spaces for indentation elsewhere. This should be consistent with the rest of the codebase.

[Copilot]

Inconsistent use of tabs for indentation. The code appears to use spaces for indentation elsewhere. This should be consistent with the rest of the codebase.

[Copilot]

Potential division by zero error if profile->maxUploadLatency is 1. The expression (profile->maxUploadLatency - 1) would be 0, causing a modulo by zero which results in undefined behavior. Similar issue exists at line 565. Add a check to ensure maxUploadLatency is greater than 1 before performing the modulo operation.

Suggested change

	FILE *urandom = fopen("/dev/urandom", "r");
	if(urandom != NULL && fread(&random_value, sizeof(random_value), 1, urandom) == 1)
	{
	maxuploadinmilliSec = random_value % (profile->maxUploadLatency - 1);
	fclose(urandom);
	}
	else
	{
	if(urandom != NULL) fclose(urandom);
	maxuploadinmilliSec = (unsigned int)(time(0) % (profile->maxUploadLatency - 1));
	}
	if (profile->maxUploadLatency > 1)
	{
	FILE *urandom = fopen("/dev/urandom", "r");
	if(urandom != NULL && fread(&random_value, sizeof(random_value), 1, urandom) == 1)
	{
	maxuploadinmilliSec = random_value % (profile->maxUploadLatency - 1);
	fclose(urandom);
	}
	else
	{
	if(urandom != NULL) fclose(urandom);
	maxuploadinmilliSec = (unsigned int)(time(0) % (profile->maxUploadLatency - 1));
	}
	}
	else
	{
	/* For maxUploadLatency == 1, avoid modulo by zero and use no additional delay */
	maxuploadinmilliSec = 0;
	}

[Copilot]

The condition variable wait loop checks shouldContinue but doesn't re-evaluate it after pthread_cond_wait returns. If stopDispatchThread is set while waiting on the condition, the thread will continue processing the event instead of exiting. The shouldContinue variable should be re-checked after pthread_cond_wait returns at line 257.

[rdkcmf-jenkins]

Coverity Issue - Thread deadlock

Calling "pthread_mutex_lock" acquires lock "sTDMutex" while holding lock "erMutex" (count: 1 / 2).

Medium Impact, CWE-833
ORDER_REVERSAL

[rdkcmf-jenkins]

Coverity Issue - Thread deadlock

Calling "pthread_mutex_lock" acquires lock "sTDMutex" while holding lock "erMutex" (count: 1 / 2).

Medium Impact, CWE-833
ORDER_REVERSAL

[rdkcmf-jenkins]

Coverity Issue - Thread deadlock

Calling "pthread_mutex_lock" acquires lock "sTDMutex" while holding lock "erMutex" (count: 1 / 2).

Medium Impact, CWE-833
ORDER_REVERSAL

[rdkcmf-jenkins]

Coverity Issue - Data race condition

Accessing "profile->reportInProgress" without holding lock "_Profile.reuseThreadMutex". Elsewhere, "_Profile.reportInProgress" is written to with "_Profile.reuseThreadMutex" held 11 out of 11 times.

Medium Impact, CWE-366
MISSING_LOCK

[rdkcmf-jenkins]

Coverity Issue - Data race condition

Accessing "profile->reportInProgress" without holding lock "_Profile.reuseThreadMutex". Elsewhere, "_Profile.reportInProgress" is written to with "_Profile.reuseThreadMutex" held 11 out of 11 times.

Medium Impact, CWE-366
MISSING_LOCK

[rdkcmf-jenkins]

Coverity Issue - Data race condition

Accessing "profile->reportInProgress" without holding lock "_Profile.reuseThreadMutex". Elsewhere, "_Profile.reportInProgress" is written to with "_Profile.reuseThreadMutex" held 11 out of 11 times.

Medium Impact, CWE-366
MISSING_LOCK

[Copilot]

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Same issue in the RBUS_METHOD maxUploadLatency path: the while(profile->enable && n != ETIMEDOUT) loop won't break on n==0, so a signal won't cause an early exit as the subsequent logging suggests. Use a single timedwait (retry only on EINTR) or introduce a predicate and break appropriately.

Suggested change

	while (profile->enable && n != ETIMEDOUT)
	{
	n = pthread_cond_timedwait(&profile->reportcond, &profile->reportMutex, &timeout);
	}
	int waitResult;
	do
	{
	waitResult = pthread_cond_timedwait(&profile->reportcond, &profile->reportMutex, &timeout);
	} while (waitResult == EINTR);
	n = waitResult;

[Copilot]

The status pipe write() result is checked, but a short/failed write is only logged and the child still exits normally. This can cause the parent to read an uninitialized/partial T2ERROR value. Consider treating a short/failed write as fatal (set a fallback failure code and exit), and have the parent verify it read exactly sizeof(T2ERROR).

[Copilot]

filestat.st_size is off_t, but the new error message prints it with %ld. On some platforms off_t is not long (e.g., long long), which can cause incorrect logs/UB. Use a portable format (e.g., cast to intmax_t and print with %jd) or cast to long long and use %lld consistently.

[rdkcmf-jenkins]

Coverity Issue - Data race condition

Accessing "profile->reportInProgress" without holding lock "_Profile.reuseThreadMutex". Elsewhere, "_Profile.reportInProgress" is written to with "_Profile.reuseThreadMutex" held 11 out of 11 times.

Medium Impact, CWE-366
MISSING_LOCK

[rdkcmf-jenkins]

Coverity Issue - Data race condition

Accessing "profile->reportInProgress" without holding lock "_Profile.reuseThreadMutex". Elsewhere, "_Profile.reportInProgress" is written to with "_Profile.reuseThreadMutex" held 11 out of 11 times.

Medium Impact, CWE-366
MISSING_LOCK

[rdkcmf-jenkins]

Coverity Issue - Data race condition

Accessing "profile->reportInProgress" without holding lock "_Profile.reuseThreadMutex". Elsewhere, "_Profile.reportInProgress" is written to with "_Profile.reuseThreadMutex" held 11 out of 11 times.

Medium Impact, CWE-366
MISSING_LOCK

[rdkcmf-jenkins]

Coverity Issue - Data race condition

Accessing "profile->reportInProgress" without holding lock "_Profile.reuseThreadMutex". Elsewhere, "_Profile.reportInProgress" is written to with "_Profile.reuseThreadMutex" held 11 out of 11 times.

Medium Impact, CWE-366
MISSING_LOCK

[Copilot]

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (1)

source/bulkdata/profile.c:645

• In this error path, reportcond is destroyed but reportMutex (initialized earlier when maxUploadLatency > 0) is not destroyed before jumping to reportThreadEnd. This can leak resources and make subsequent pthread_mutex_init on reportMutex undefined. Ensure reportMutex is destroyed on this error path as well.

                                T2Error("Profile : %s pthread_cond_timedwait ERROR!!!\n", profile->name);
                                pthread_mutex_unlock(&profile->reportMutex);
                                pthread_cond_destroy(&profile->reportcond);
                                if(httpUrl)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In this RBUS_METHOD timedwait error path, reportcond is destroyed but reportMutex (initialized earlier when maxUploadLatency > 0) is not destroyed before jumping to reportThreadEnd. This can leak resources and make subsequent pthread_mutex_init on reportMutex undefined. Ensure reportMutex is destroyed on this error path (and consistently on all paths that destroy reportcond).

[Copilot]

If writing the status to the pipe fails (short write or -1), the parent may read an uninitialized/partial status and take the wrong code path. Consider making pipe write failure fatal (e.g., log, set an error status, and exit) rather than continuing with an unreliable IPC result.

Suggested change

	if (write(sharedPipeFdStatus[1], &ret, sizeof(T2ERROR)) != sizeof(T2ERROR))
	{
	T2Error("Failed to write status to pipe\n");
	{
	size_t totalWritten = 0;
	unsigned char *buf = (unsigned char *)&ret;
	while (totalWritten < sizeof(T2ERROR))
	{
	ssize_t bytes = write(sharedPipeFdStatus[1], buf + totalWritten, sizeof(T2ERROR) - totalWritten);
	if (bytes < 0)
	{
	T2Error("Failed to write status to pipe: write error\n");
	close(sharedPipeFdStatus[1]);
	exit(EXIT_FAILURE);
	}
	if (bytes == 0)
	{
	T2Error("Failed to write status to pipe: wrote 0 bytes\n");
	close(sharedPipeFdStatus[1]);
	exit(EXIT_FAILURE);
	}
	totalWritten += (size_t)bytes;
	}

[Copilot]

Same pattern here: xcThreadMutex is held while doing pthread_cond_timedwait on xcCond with xcMutex. This can prevent stop/uninit from acquiring xcThreadMutex to signal the condition, causing long delays/hangs. Consider not holding xcThreadMutex across the timed wait (use a single mutex for the stop flag + condition, or unlock/relock around the wait).

[Copilot]

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

source/bulkdata/profile.c:1293

• deleteAllProfiles() writes tempProfile->threadExists = false without holding reuseThreadMutex (or any other lock consistently protecting threadExists). Since CollectAndReport() updates/destroys reuseThreadMutex based on threadExists, this unsynchronized write can race with the worker thread and lead to signaling/joining the wrong state. Update threadExists under reuseThreadMutex (or make it atomic) consistently.

        if (tempProfile->threadExists)
        {
            pthread_mutex_lock(&tempProfile->reuseThreadMutex);
            tempProfile->restartRequested = true;
            pthread_cond_signal(&tempProfile->reuseThread);
            pthread_mutex_unlock(&tempProfile->reuseThreadMutex);
            pthread_join(tempProfile->reportThread, NULL);
            tempProfile->threadExists = false;
        }

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

CollectAndReport() initializes profile->reportMutex/profile->reportcond when maxUploadLatency > 0, but teardown is not symmetric across all branches (e.g., the HTTP path destroys both, while the RBUS_METHOD maxUploadLatency path later only destroys the cond var). This can leak pthread resources across repeated reports. Ensure reportMutex is destroyed on every path that initializes it (success, error, and both protocol branches).

[Copilot]

prepareHttpUrl() calls snprintf with httpParamVal using a "%s" format, but httpParamVal can be NULL if curl_easy_escape fails (OOM) or returns NULL. Passing NULL to "%s" is undefined behavior and can crash. Add an explicit check for httpParamVal == NULL and skip/abort building that parameter before calling snprintf.

[Copilot]

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Typo in log message: "Recieve" -> "Receive".

Suggested change

	T2Info("T2 is now Ready to Recieve Events\n");
	T2Info("T2 is now Ready to Receive Events\n");

[Copilot]

tmpRpQueue operations are protected by tmpRpMutex in this thread, but producers push to tmpRpQueue under rpMutex (see datamodel_processProfile using pthread_mutex_lock(&rpMutex) before t2_queue_push(tmpRpQueue, ...)). This means tmpRpQueue is accessed under different mutexes, which is a data race and can corrupt the queue. Use a single mutex consistently for tmpRpQueue (and pair tmpRpCond with that same mutex), or remove the extra mutex.

[Copilot]

This thread waits on tmpRpCond, but datamodel_unInit() never signals tmpRpCond when setting stopProcessing = true. If tmpRpQueue is empty, pthread_join(tmpRpThread, ...) can hang indefinitely. Ensure datamodel_unInit() signals/broadcasts tmpRpCond during shutdown so this wait can be released and the thread can exit.