Coverity fixups (#36503)

Details in individual commits.

src/libsystemd/sd-event/event-util.c

@@ -274,16 +274,17 @@ int event_forward_signals(
                 return -ENOMEM;
 
         FOREACH_ARRAY(sig, signals, n_signals) {
-                r = sd_event_add_signal(e, &sources[n_sources], *sig | SD_EVENT_SIGNAL_PROCMASK, event_forward_signal_callback, child);
+                _cleanup_(sd_event_source_unrefp) sd_event_source *s = NULL;
+                r = sd_event_add_signal(e, &s, *sig | SD_EVENT_SIGNAL_PROCMASK, event_forward_signal_callback, child);
                 if (r < 0)
                         return r;
 
-                r = sd_event_source_set_destroy_callback(sources[n_sources], event_forward_signal_destroy);
+                r = sd_event_source_set_destroy_callback(s, event_forward_signal_destroy);
                 if (r < 0)
                         return r;
 
                 sd_event_source_ref(child);
-                n_sources++;
+                sources[n_sources++] = TAKE_PTR(s);
         }
 
         *ret_sources = TAKE_PTR(sources);

src/shared/group-record.c

@@ -344,12 +344,15 @@ bool group_record_matches_group_name(const GroupRecord *g, const char *group_nam
         return false;
 }
 
-int group_record_match(GroupRecord *h, const UserDBMatch *match) {
+bool group_record_match(GroupRecord *h, const UserDBMatch *match) {
         assert(h);
 
         if (!match)
                 return true;
 
+        if (!gid_is_valid(h->gid))
+                return false;
+
         if (h->gid < match->gid_min || h->gid > match->gid_max)
                 return false;
 

src/shared/group-record.h

@@ -43,7 +43,7 @@ int group_record_load(GroupRecord *h, sd_json_variant *v, UserRecordLoadFlags fl
 int group_record_build(GroupRecord **ret, ...);
 int group_record_clone(GroupRecord *g, UserRecordLoadFlags flags, GroupRecord **ret);
 
-int group_record_match(GroupRecord *h, const UserDBMatch *match);
+bool group_record_match(GroupRecord *h, const UserDBMatch *match);
 
 const char* group_record_group_name_and_realm(GroupRecord *h);
 UserDisposition group_record_disposition(GroupRecord *h);

src/shared/user-record.c

@@ -2769,12 +2769,15 @@ bool user_name_fuzzy_match(const char *names[], size_t n_names, char **matches)
         return false;
 }
 
-int user_record_match(UserRecord *u, const UserDBMatch *match) {
+bool user_record_match(UserRecord *u, const UserDBMatch *match) {
         assert(u);
 
         if (!match)
                 return true;
 
+        if (!uid_is_valid(u->uid))
+                return false;
+
         if (u->uid < match->uid_min || u->uid > match->uid_max)
                 return false;
 

src/shared/user-record.h

@@ -532,7 +532,7 @@ static inline void userdb_match_done(UserDBMatch *match) {
 }
 
 bool user_name_fuzzy_match(const char *names[], size_t n_names, char **matches);
-int user_record_match(UserRecord *u, const UserDBMatch *match);
+bool user_record_match(UserRecord *u, const UserDBMatch *match);
 
 bool user_record_matches_user_name(const UserRecord *u, const char *username);
 

src/shared/userdb.c

@@ -915,10 +915,7 @@ int userdb_by_name(const char *name, const UserDBMatch *match, UserDBFlags flags
         /* NB: we always apply our own filtering here, explicitly, regardless if the server supported it or
          * not. It's more robust this way, we never know how carefully the server is written, and whether it
          * properly implements all details of the filtering logic. */
-        r = user_record_match(ur, match);
-        if (r < 0)
-                return r;
-        if (r == 0)
+        if (!user_record_match(ur, match))
                 return -ENOEXEC;
 
         if (ret)
@@ -1001,10 +998,7 @@ int userdb_by_uid(uid_t uid, const UserDBMatch *match, UserDBFlags flags, UserRe
                         return r;
         }
 
-        r = user_record_match(ur, match);
-        if (r < 0)
-                return r;
-        if (r == 0)
+        if (!user_record_match(ur, match))
                 return -ENOEXEC;
 
         if (ret)
@@ -1347,16 +1341,13 @@ int groupdb_by_name(const char *name, const UserDBMatch *match, UserDBFlags flag
         }
 
         /* As above, we apply our own client-side filtering even if server-side filtering worked, for robustness and simplicity reasons. */
-        r = group_record_match(gr, match);
-        if (r < 0)
-                return r;
-        if (r == 0)
+        if (!group_record_match(gr, match))
                 return -ENOEXEC;
 
         if (ret)
                 *ret = TAKE_PTR(gr);
 
-        return r;
+        return 0;
 }
 
 static int groupdb_by_gid_fallbacks(
@@ -1432,10 +1423,7 @@ int groupdb_by_gid(gid_t gid, const UserDBMatch *match, UserDBFlags flags, Group
                         return r;
         }
 
-        r = group_record_match(gr, match);
-        if (r < 0)
-                return r;
-        if (r == 0)
+        if (!group_record_match(gr, match))
                 return -ENOEXEC;
 
         if (ret)

test/units/TEST-13-NSPAWN.nss-mymachines.sh

@@ -114,8 +114,8 @@ for i in {100..120}; do
     run_and_grep "^10\.2\.0\.$i\s+STREAM" getent ahostsv4 -s mymachines nss-mymachines-manyips
 done
 run_and_grep "^fd00:dead:beef:cafe::2\s+STREAM" getent ahostsv6 -s mymachines nss-mymachines-manyips
-(! run_and_grep "^fd00:" getent ahostsv4 -s mymachines nss-mymachines-manyips)
-(! run_and_grep "^10\.2:" getent ahostsv6 -s mymachines nss-mymachines-manyips)
+run_and_grep -n "^fd00:" getent ahostsv4 -s mymachines nss-mymachines-manyips
+run_and_grep -n "^10\.2:" getent ahostsv6 -s mymachines nss-mymachines-manyips
 
 # Multiple machines at once
 run_and_grep "^10\.1\.0\.2\s+nss-mymachines-singleip$" getent hosts -s mymachines nss-mymachines-{singleip,manyips}