Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD
Hi,
Please find the latest report on new defect(s) introduced to NetBSD
(NetBSD-i386-user) found with Coverity Scan
Defect(s) Reported-by: Coverity Scan
Showing 7 of 29 defects
** CID 1125884: Double close (USE_AFTER_FREE)
/tests/net/net/t_unix.c: 247
** CID 1125883: Structurally dead code (UNREACHABLE)
/tests/net/net/t_tcp.c: 82
** CID 1125882: Uninitialized scalar variable (UNINIT)
/usr.sbin/lpr/common_source/common.c: 409
** CID 1125881: Uninitialized scalar variable (UNINIT)
/sys/rump/librump/rumpkern/vm.c: 983
** CID 1125880: Uninitialized scalar variable (UNINIT)
/sys/dev/tprof/tprof.c: 235
** CID 1125879: Uninitialized scalar variable (UNINIT)
/sys/dev/tprof/tprof.c: 283
** CID 1125878: Untrusted loop bound (TAINTED_SCALAR)
/sbin/gpt/migrate.c: 179
________________________________________________________________________
CID 1125884: Double close (USE_AFTER_FREE)
/tests/net/net/t_unix.c: 188 ( closed_arg)
185 FAIL("connect");
186
187 if (closeit) {
>>> "close(int)" closes "clnt".
188 if (close(clnt) == -1)
189 FAIL("close");
190 }
191
192 acpt = acc(srvr);
/tests/net/net/t_unix.c: 247 ( double_close)
244 fail:
245 (void)close(acpt);
246 (void)close(srvr);
>>> CID 1125884: Double close (USE_AFTER_FREE)
>>> Calling "close(int)" closes handle "clnt" which has already been closed.
247 (void)close(clnt);
248 free(sock_addr);
249 free(sun);
250 return -1;
251 }
________________________________________________________________________
CID 1125883: Structurally dead code (UNREACHABLE)
/tests/net/net/t_tcp.c: 82 ( unreachable)
79 if (srvr == -1)
80 FAIL("socket");
81
>>> CID 1125883: Structurally dead code (UNREACHABLE)
>>> This code cannot be reached: "memset(&sin, 0, 16U);".
82 memset(&sin, 0, sizeof(sin));
83 sin.sin_family = AF_INET;
84 #ifdef BSD4_4
85 sin.sin_len = sizeof(sin);
86 #endif
________________________________________________________________________
CID 1125882: Uninitialized scalar variable (UNINIT)
/usr.sbin/lpr/common_source/common.c: 353 ( var_decl)
350 const char *
351 checkremote(void)
352 {
>>> Declaring variable "lname" without initializer.
353 char lname[NI_MAXHOST], rname[NI_MAXHOST];
354 struct addrinfo hints, *res, *res0;
355 static char errbuf[128];
356 int error;
357 struct ifaddrs *ifap, *ifa;
/usr.sbin/lpr/common_source/common.c: 409 ( uninit_use_in_call)
406 continue;
407 }
408
>>> CID 1125882: Uninitialized scalar variable (UNINIT)
>>> Using uninitialized element of array "lname" when calling "strcmp(char
>>> const *, char const *)".
409 if (strcmp(rname, lname) == 0) {
410 remote = 0;
411 goto done;
412 }
413 }
________________________________________________________________________
CID 1125881: Uninitialized scalar variable (UNINIT)
/sys/rump/librump/rumpkern/vm.c: 978 ( var_decl)
975 mutex_exit(uobj->vmobjlock);
976 }
977 } else if (*lockrunning == false && ncpu > 1) {
>>> Declaring variable "cii" without initializer.
978 CPU_INFO_ITERATOR cii;
979 struct cpu_info *ci;
980 struct lwp *l;
981
982 l = mutex_owner(uobj->vmobjlock);
/sys/rump/librump/rumpkern/vm.c: 983 ( uninit_use)
980 struct lwp *l;
981
982 l = mutex_owner(uobj->vmobjlock);
>>> CID 1125881: Uninitialized scalar variable (UNINIT)
>>> Using uninitialized value "cii".
983 for (CPU_INFO_FOREACH(cii, ci)) {
984 if (ci->ci_curlwp == l) {
985 *lockrunning = true;
986 break;
987 }
________________________________________________________________________
CID 1125880: Uninitialized scalar variable (UNINIT)
/sys/dev/tprof/tprof.c: 229 ( var_decl)
226 static void
227 tprof_stop1(void)
228 {
>>> Declaring variable "cii" without initializer.
229 CPU_INFO_ITERATOR cii;
230 struct cpu_info *ci;
231
232 KASSERT(mutex_owned(&tprof_startstop_lock));
233 KASSERT(tprof_nworker == 0);
/sys/dev/tprof/tprof.c: 235 ( uninit_use)
232 KASSERT(mutex_owned(&tprof_startstop_lock));
233 KASSERT(tprof_nworker == 0);
234
>>> CID 1125880: Uninitialized scalar variable (UNINIT)
>>> Using uninitialized value "cii".
235 for (CPU_INFO_FOREACH(cii, ci)) {
236 tprof_cpu_t * const c = tprof_cpu(ci);
237 tprof_buf_t *old;
238
239 old = tprof_buf_switch(c, NULL);
________________________________________________________________________
CID 1125879: Uninitialized scalar variable (UNINIT)
/sys/dev/tprof/tprof.c: 251 ( var_decl)
248 static int
249 tprof_start(const struct tprof_param *param)
250 {
>>> Declaring variable "cii" without initializer.
251 CPU_INFO_ITERATOR cii;
252 struct cpu_info *ci;
253 int error;
254 uint64_t freq;
255 tprof_backend_t *tb;
/sys/dev/tprof/tprof.c: 283 ( uninit_use)
280 goto done;
281 }
282
>>> CID 1125879: Uninitialized scalar variable (UNINIT)
>>> Using uninitialized value "cii".
283 for (CPU_INFO_FOREACH(cii, ci)) {
284 tprof_cpu_t * const c = tprof_cpu(ci);
285 tprof_buf_t *new;
286 tprof_buf_t *old;
287
________________________________________________________________________
CID 1125878: Untrusted loop bound (TAINTED_SCALAR)
/sbin/gpt/migrate.c: 167 ( tainted_data_return)
164 off_t ofs, rawofs;
165 int i;
166
>>> Function "gpt_read(int, __off_t, size_t)" returns tainted data.
167 buf = gpt_read(fd, start + LABELSECTOR, 1);
168 dl = (void*)(buf + LABELOFFSET);
169
170 if (le32toh(dl->d_magic) != DISKMAGIC ||
171 le32toh(dl->d_magic2) != DISKMAGIC) {
/sbin/gpt/migrate.c: 167 ( var_assign)
164 off_t ofs, rawofs;
165 int i;
166
>>> Assigning: "buf" = "gpt_read(int, __off_t, size_t)", which taints "buf".
167 buf = gpt_read(fd, start + LABELSECTOR, 1);
168 dl = (void*)(buf + LABELOFFSET);
169
170 if (le32toh(dl->d_magic) != DISKMAGIC ||
171 le32toh(dl->d_magic2) != DISKMAGIC) {
/sbin/gpt/migrate.c: 168 ( var_assign_var)
165 int i;
166
167 buf = gpt_read(fd, start + LABELSECTOR, 1);
>>> Assigning: "dl" = "(void *)(buf + 0)". Both are now tainted.
168 dl = (void*)(buf + LABELOFFSET);
169
170 if (le32toh(dl->d_magic) != DISKMAGIC ||
171 le32toh(dl->d_magic2) != DISKMAGIC) {
172 warnx("%s: warning: NetBSD slice without disklabel",
/sbin/gpt/migrate.c: 179 ( tainted_data)
176
177 rawofs = le32toh(dl->d_partitions[RAW_PART].p_offset) *
178 le32toh(dl->d_secsize);
>>> CID 1125878: Untrusted loop bound (TAINTED_SCALAR)
>>> Using tainted variable "dl->d_npartitions" as a loop boundary.
179 for (i = 0; i < le16toh(dl->d_npartitions); i++) {
180 if (dl->d_partitions[i].p_fstype == FS_UNUSED)
181 continue;
182 ofs = le32toh(dl->d_partitions[i].p_offset) *
183 le32toh(dl->d_secsize);
________________________________________________________________________
To view the defects in Coverity Scan, visit http://scan.coverity.com
To unsubscribe from the email notification for new defects, visit
http://scan5.coverity.com/cgi-bin/unsubscribe.py