Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD
Hi,
Please find the latest report on new defect(s) introduced to NetBSD
(NetBSD-amd64-user) found with Coverity Scan
Defect(s) Reported-by: Coverity Scan
Showing 7 of 9 defects
** CID 1128447: Structurally dead code (UNREACHABLE)
/sys/kern/exec_elf.c: 983
** CID 1128381: Use after free (USE_AFTER_FREE)
/crypto/external/bsd/openssh/dist/ssh-pkcs11-helper.c: 128
** CID 1128380: Structurally dead code (UNREACHABLE)
/sys/kern/exec_elf.c: 983
** CID 1128379: Time of check time of use (TOCTOU)
/usr.sbin/syslogd/syslogd.c: 3901
** CID 1128378: Array compared against 0 (NO_EFFECT)
/sys/net/npf/npf_if.c: 101
** CID 1128377: Logically dead code (DEADCODE)
/sys/arch/x86/x86/intel_busclock.c: 216
** CID 1128376: Unchecked return value (CHECKED_RETURN)
/crypto/external/bsd/openssh/dist/sftp-client.c: 1214
________________________________________________________________________
CID 1128447: Structurally dead code (UNREACHABLE)
/sys/kern/exec_elf.c: 983 ( unreachable)
980 /*
981 * Dunno, warn for diagnostic
982 */
>>> CID 1128447: Structurally dead code (UNREACHABLE)
>>> This code cannot be reached: "goto bad;".
983 goto bad;
984
985 case ELF_NOTE_TYPE_SUSE_VERSION_TAG:
986 break;
987
________________________________________________________________________
CID 1128381: Use after free (USE_AFTER_FREE)
/crypto/external/bsd/openssh/dist/ssh-pkcs11-helper.c: 130 ( freed_arg)
127 key_to_blob(keys[i], &blob, &blen);
128 buffer_put_string(&msg, blob, blen);
129 buffer_put_cstring(&msg, name);
>>> "free(void *)" frees "blob".
130 free(blob);
131 add_key(keys[i], name);
132 }
133 free(keys);
134 } else {
/crypto/external/bsd/openssh/dist/ssh-pkcs11-helper.c: 128 ( pass_freed_arg)
125 buffer_put_int(&msg, nkeys);
126 for (i = 0; i < nkeys; i++) {
127 key_to_blob(keys[i], &blob, &blen);
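>>> CID 1128381: Use after free (USE_AFTER_FREE)
>>> Passing freed pointer "blob" as an argument to function
>>> "buffer_put_string(Buffer *, void const *, u_int)".
[Note: the free(blob) at line 130 belongs to the previous loop iteration. The return value of key_to_blob() at line 127 is not checked, so if that call can fail without reassigning "blob", the stale pointer reaches buffer_put_string().]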
128 buffer_put_string(&msg, blob, blen);
129 buffer_put_cstring(&msg, name);
130 free(blob);
131 add_key(keys[i], name);
132 }
________________________________________________________________________
CID 1128380: Structurally dead code (UNREACHABLE)
/sys/kern/exec_elf.c: 983 ( unreachable)
980 /*
981 * Dunno, warn for diagnostic
982 */
>>> CID 1128380: Structurally dead code (UNREACHABLE)
>>> This code cannot be reached: "goto bad;".
983 goto bad;
984
985 case ELF_NOTE_TYPE_SUSE_VERSION_TAG:
986 break;
987
________________________________________________________________________
CID 1128379: Time of check time of use (TOCTOU)
/usr.sbin/syslogd/syslogd.c: 3901 ( fs_check_call)
3898 f->f_flags |= FFLAG_SIGN;
3899 #endif /* !DISABLE_SIGN */
3900 (void)strlcpy(f->f_un.f_fname, p,
sizeof(f->f_un.f_fname));
>>> CID 1128379: Time of check time of use (TOCTOU)
>>> Calling function "stat(char const *, struct stat *)" to perform check on
>>> "p".
3901 if (!stat(p, &sb) && S_ISFIFO(sb.st_mode)) {
3902 f->f_file = -1;
3903 f->f_type = F_FIFO;
3904 break;
3905 }
/usr.sbin/syslogd/syslogd.c: 3907 ( toctou)
3904 break;
3905 }
3906
>>> Calling function "open(char const *, int, ...)" that uses "p" after a check
>>> function. This can cause a time-of-check, time-of-use race condition.
3907 if ((f->f_file = open(p, O_WRONLY|O_APPEND, 0)) < 0) {
3908 f->f_type = F_UNUSED;
3909 logerror("%s", p);
3910 break;
3911 }
________________________________________________________________________
CID 1128378: Array compared against 0 (NO_EFFECT)
/sys/net/npf/npf_if.c: 101 ( array_null)
98 for (u_int i = 0; i < npf_ifmap_cnt; i++) {
99 npf_ifmap_t *nim = &npf_ifmap[i];
100
>>> CID 1128378: Array compared against 0 (NO_EFFECT)
>>> Comparing an array to null is not useful: "nim->n_ifname".
101 if (nim->n_ifname && strcmp(nim->n_ifname, ifname) == 0)
102 return i + 1;
103 }
104 return INACTIVE_ID;
105 }
________________________________________________________________________
CID 1128377: Logically dead code (DEADCODE)
/sys/arch/x86/x86/intel_busclock.c: 216 ( dead_error_condition)
213 goto print_msr;
214 }
215 break;
>>> The switch value "(ci->ci_signature >> 4) & 0xfU" cannot be "28U".
216 case 0x1c: /* Atom */
217 case 0x26:
218 case 0x27:
219 case 0x35:
220 case 0x36:
/sys/arch/x86/x86/intel_busclock.c: 216 ( dead_error_line)
213 goto print_msr;
214 }
215 break;
>>> CID 1128377: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "case 28U:".
216 case 0x1c: /* Atom */
217 case 0x26:
218 case 0x27:
219 case 0x35:
220 case 0x36:
________________________________________________________________________
CID 1128376: Unchecked return value (CHECKED_RETURN)
/crypto/external/bsd/openssh/dist/sftp-client.c: 1214 ( check_return)
1211 "server reordered requests", local_path);
1212 }
1213 debug("truncating at %llu", (unsigned long
long)highwater);
>>> CID 1128376: Unchecked return value (CHECKED_RETURN)
>>> Calling function "ftruncate(int, __off_t)" without checking return value
>>> (as is done elsewhere 48 out of 58 times).
1214 ftruncate(local_fd, highwater);
1215 }
1216 if (read_error) {
1217 error("Couldn't read from remote file \"%s\" : %s",
1218 remote_path, fx2txt(status));
/crypto/external/bsd/openssh/dist/sftp-client.c: 1214 ( unchecked_value)
1211 "server reordered requests", local_path);
1212 }
1213 debug("truncating at %llu", (unsigned long
long)highwater);
>>> No check of the return value of "ftruncate(local_fd, highwater)".
1214 ftruncate(local_fd, highwater);
1215 }
1216 if (read_error) {
1217 error("Couldn't read from remote file \"%s\" : %s",
1218 remote_path, fx2txt(status));
________________________________________________________________________
To view the defects in Coverity Scan, visit http://scan.coverity.com
To unsubscribe from the email notification for new defects, visit
http://scan5.coverity.com/cgi-bin/unsubscribe.py