Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD
Hi,
Please find the latest report on new defect(s) introduced to NetBSD
(NetBSD-amd64-kernel) found with Coverity Scan
Defect(s) Reported-by: Coverity Scan
** CID 1107537: Illegal address computation (OVERRUN)
/sys/kern/uipc_mbuf.c: 778
________________________________________________________________________
CID 1107537: Illegal address computation (OVERRUN)
/sys/kern/uipc_mbuf.c: 760 ( alias)
757 goto nospace;
758 MCLAIM(n, m->m_owner);
759 if (copyhdr) {
>>> Assigning: "n->m_hdr.mh_data" = "n->M_dat.MH.MH_dat.MH_databuf".
>>> "n->m_hdr.mh_data" now points to byte 0 of "n->M_dat.MH.MH_dat.MH_databuf"
>>> (which consists of 424 bytes).
760 M_COPY_PKTHDR(n, m);
761 if (len == M_COPYALL)
762 n->m_pkthdr.len -= off0;
763 else
764 n->m_pkthdr.len = len;
/sys/kern/uipc_mbuf.c: 761 ( cond_const)
758 MCLAIM(n, m->m_owner);
759 if (copyhdr) {
760 M_COPY_PKTHDR(n, m);
>>> Checking "len == 1000000000" implies that the value of "len" is 1000000000
>>> on the true branch.
761 if (len == M_COPYALL)
762 n->m_pkthdr.len -= off0;
763 else
764 n->m_pkthdr.len = len;
765 copyhdr = 0;
/sys/kern/uipc_mbuf.c: 767 ( identity_transfer)
764 n->m_pkthdr.len = len;
765 copyhdr = 0;
766 }
>>> Passing variable "len" as argument 1 to function "min(u_int, u_int)", which
>>> returns that argument.
767 n->m_len = min(len, m->m_len - off);
768 if (m->m_flags & M_EXT) {
769 if (!deep) {
770 n->m_data = m->m_data + off;
771 MCLADDREFERENCE(m, n);
/sys/kern/uipc_mbuf.c: 767 ( assignment)
764 n->m_pkthdr.len = len;
765 copyhdr = 0;
766 }
>>> Assigning: "n->m_hdr.mh_len" = "min(len, m->m_hdr.mh_len - off)". The value
>>> of "n->m_hdr.mh_len" is now 1000000000.
767 n->m_len = min(len, m->m_len - off);
768 if (m->m_flags & M_EXT) {
769 if (!deep) {
770 n->m_data = m->m_data + off;
771 MCLADDREFERENCE(m, n);
/sys/kern/uipc_mbuf.c: 778 ( illegal_address)
775 * copy into multiple MCLBYTES cluster mbufs.
776 */
777 MCLGET(n, wait);
>>> CID 1107537: Illegal address computation (OVERRUN)
>>> "n->m_hdr.mh_data + n->m_hdr.mh_len" evaluates to an address that is at
>>> byte offset 1000000000 of an array of 424 bytes.
778 n->m_len = M_TRAILINGSPACE(n);
779 n->m_len = min(n->m_len, len);
780 n->m_len = min(n->m_len, m->m_len - off);
781 memcpy(mtod(n, void *), mtod(m, char *) + off,
782 (unsigned)n->m_len);
________________________________________________________________________
To view the defects in Coverity Scan, visit http://scan.coverity.com