Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD
Hi,
Please find the latest report on new defect(s) introduced to NetBSD found with
Coverity Scan.
Defect(s) Reported-by: Coverity Scan
Showing 20 of 247 defect(s)
** CID 270864: Null pointer dereference (FORWARD_NULL)
/src/external/bsd/am-utils/dist/hlfsd/homedir.c: 280 in delay()
** CID 270855: Null pointer dereference (FORWARD_NULL)
/src/sys/net/route.c: 290 in rtalloc1()
** CID 270737: Logically dead code (DEADCODE)
/src/sys/netinet/tcp_input.c: 3814 in syn_cache_get()
** CID 270739: Logically dead code (DEADCODE)
/src/sys/netinet/tcp_usrreq.c: 710 in tcp_ctloutput()
** CID 30133: Improper use of negative value (REVERSE_NEGATIVE)
/src/gnu/dist/gcc4/gcc/regmove.c: 1583 in find_matches()
** CID 30236: Null pointer dereference (FORWARD_NULL)
/src/gnu/dist/gcc4/gcc/c-common.c: 4752 in handle_aligned_attribute()
** CID 222532: Use after free (USE_AFTER_FREE)
/src/lib/libevent/evdns.c: 1129 in server_port_flush()
** CID 222535: Use after free (USE_AFTER_FREE)
/src/lib/libevent/evrpc.c: 411 in evrpc_pool_free()
** CID 97183: Use after free (USE_AFTER_FREE)
/src/lib/libevent/evrpc.c: 405 in evrpc_pool_free()
** CID 97174: Use after free (USE_AFTER_FREE)
/src/lib/libevent/http.c: 822 in evhttp_connection_free()
** CID 97177: Use after free (USE_AFTER_FREE)
/src/lib/libevent/http.c: 2104 in evhttp_free()
** CID 97178: Use after free (USE_AFTER_FREE)
/src/lib/libevent/http.c: 2093 in evhttp_free()
** CID 270554: Function address comparison (BAD_COMPARE)
/src/gnu/dist/gcc4/gcc/crtstuff.c: 295 in __do_global_dtors_aux()
** CID 270556: Function address comparison (BAD_COMPARE)
/src/gnu/dist/gcc4/gcc/crtstuff.c: 329 in frame_dummy()
** CID 270854: Null pointer dereference (FORWARD_NULL)
/src/sys/net/rtsock.c: 1006 in sysctl_dumpentry()
** CID 270793: Null pointer dereference (FORWARD_NULL)
/src/dist/nvi/common/msg.c: 924 in msg_print()
** CID 222141: Resource leak (RESOURCE_LEAK)
/src/lib/libevent/evrpc.c: 549 in evrpc_schedule_request()
** CID 97173: Use after free (USE_AFTER_FREE)
/src/lib/libevent/http.c: 1149 in evhttp_clear_headers()
** CID 222539: Use after free (USE_AFTER_FREE)
/src/lib/libevent/http.c: 2096 in evhttp_free()
** CID 222537: Use after free (USE_AFTER_FREE)
/src/lib/libevent/http.c: 1003 in evhttp_connectioncb()
________________________________________________________________________________________________________
*** CID 270864: Null pointer dereference (FORWARD_NULL)
/src/external/bsd/am-utils/dist/hlfsd/homedir.c: 280 in delay()
274 tv.tv_usec = 0;
275
276 do {
277 tv.tv_sec = secs;
278 if (select(0, NULL, NULL, NULL, &tv) == 0)
279 break;
>>> CID 270864: Null pointer dereference (FORWARD_NULL)
>>> Variable "found" tracked as NULL was dereferenced.
280 } while (--secs && found->child);
281 }
282
283
284 /*
285 * This function is called when a child has terminated after
________________________________________________________________________________________________________
*** CID 270855: Null pointer dereference (FORWARD_NULL)
/src/sys/net/route.c: 290 in rtalloc1()
284 if (err) {
285 newrt = rt;
286 rt->rt_refcnt++;
287 goto miss;
288 }
289 KASSERT(newrt != NULL);
>>> CID 270855: Null pointer dereference (FORWARD_NULL)
>>> Added "rt" due to comparison "rt = newrt != 0"
290 if ((rt = newrt) && (rt->rt_flags &
RTF_XRESOLVE)) {
291 msgtype = RTM_RESOLVE;
292 goto miss;
293 }
294 /* Inform listeners of the new route */
295 memset(&info, 0, sizeof(info));
________________________________________________________________________________________________________
*** CID 270737: Logically dead code (DEADCODE)
/src/sys/netinet/tcp_input.c: 3814 in syn_cache_get()
3808 tp = intotcpcb(inp);
3809 #ifdef INET6
3810 else if (in6p)
3811 tp = in6totcpcb(in6p);
3812 #endif
3813 else
>>> CID 270737: Logically dead code (DEADCODE)
>>> Cannot reach this line of code
3814 tp = NULL;
3815 tp->t_flags = sototcpcb(oso)->t_flags & TF_NODELAY;
3816 if (sc->sc_request_r_scale != 15) {
3817 tp->requested_s_scale = sc->sc_requested_s_scale;
3818 tp->request_r_scale = sc->sc_request_r_scale;
3819 tp->snd_scale = sc->sc_requested_s_scale;
________________________________________________________________________________________________________
*** CID 270739: Logically dead code (DEADCODE)
/src/sys/netinet/tcp_usrreq.c: 710 in tcp_ctloutput()
704 tp = intotcpcb(inp);
705 #ifdef INET6
706 else if (in6p)
707 tp = in6totcpcb(in6p);
708 #endif
709 else
>>> CID 270739: Logically dead code (DEADCODE)
>>> Cannot reach this line of code
710 tp = NULL;
711
712 switch (op) {
713 case PRCO_SETOPT:
714 switch (optname) {
715 #ifdef TCP_SIGNATURE
________________________________________________________________________________________________________
*** CID 30133: Improper use of negative value (REVERSE_NEGATIVE)
/src/gnu/dist/gcc4/gcc/regmove.c: 1583 in find_matches()
1577 p = end;
1578
1579 if (match < op_no && likely_spilled[match])
1580 continue;
1581 matchp->with[op_no] = match;
1582 any_matches = 1;
>>> CID 30133: Improper use of negative value (REVERSE_NEGATIVE)
>>> Variable "(matchp)->commutative[op_no]" possibly misused before
>>> NEGATIVE check
1583 if (matchp->commutative[op_no] >= 0)
1584 matchp->with[matchp->commutative[op_no]] = match;
1585 }
1586 continue;
1587
1588 case 'a': case 'b': case 'c': case 'd': case 'e': case 'f':
case 'h':
________________________________________________________________________________________________________
*** CID 30236: Null pointer dereference (FORWARD_NULL)
/src/gnu/dist/gcc4/gcc/c-common.c: 4752 in handle_aligned_attribute()
4746 else if (!(flags & (int) ATTR_FLAG_TYPE_IN_PLACE))
4747 *type = build_variant_type_copy (*type);
4748
4749 TYPE_ALIGN (*type) = (1 << i) * BITS_PER_UNIT;
4750 TYPE_USER_ALIGN (*type) = 1;
4751 }
>>> CID 30236: Null pointer dereference (FORWARD_NULL)
>>> Variable "decl" tracked as NULL was dereferenced.
4752 else if (TREE_CODE (decl) != VAR_DECL
4753 && TREE_CODE (decl) != FIELD_DECL)
4754 {
4755 error ("alignment may not be specified for %q+D", decl);
4756 *no_add_attrs = true;
4757 }
________________________________________________________________________________________________________
*** CID 222532: Use after free (USE_AFTER_FREE)
/src/lib/libevent/evdns.c: 1129 in server_port_flush()
1123
1124 /* Try to write all pending replies on a given DNS server port. */
1125 static void
1126 server_port_flush(struct evdns_server_port *port)
1127 {
1128 while (port->pending_replies) {
>>> CID 222532: Use after free (USE_AFTER_FREE)
>>> Using freed pointer "(port)->pending_replies"
1129 struct server_request *req = port->pending_replies;
1130 int r = sendto(port->socket, req->response,
req->response_len, 0,
1131 (struct sockaddr*) &req->addr, req->addrlen);
1132 if (r < 0) {
1133 int err = last_error(port->socket);
1134 if (error_is_eagain(err))
________________________________________________________________________________________________________
*** CID 222535: Use after free (USE_AFTER_FREE)
/src/lib/libevent/evrpc.c: 411 in evrpc_pool_free()
405 while ((request = TAILQ_FIRST(&pool->requests)) != NULL) {
406 TAILQ_REMOVE(&pool->requests, request, next);
407 /* if this gets more complicated we need our own
function */
408 evrpc_request_wrapper_free(request);
409 }
410
>>> CID 222535: Use after free (USE_AFTER_FREE)
>>> aliasing "((pool)->connections).tqh_first" with "connection"
411 while ((connection = TAILQ_FIRST(&pool->connections)) != NULL) {
412 TAILQ_REMOVE(&pool->connections, connection, next);
413 evhttp_connection_free(connection);
414 }
415
416 while ((hook = TAILQ_FIRST(&pool->input_hooks)) != NULL) {
________________________________________________________________________________________________________
*** CID 97183: Use after free (USE_AFTER_FREE)
/src/lib/libevent/evrpc.c: 405 in evrpc_pool_free()
399 evrpc_pool_free(struct evrpc_pool *pool)
400 {
401 struct evhttp_connection *connection;
402 struct evrpc_request_wrapper *request;
403 struct evrpc_hook *hook;
404
>>> CID 97183: Use after free (USE_AFTER_FREE)
>>> Using freed pointer "((pool)->requests).tqh_first"
405 while ((request = TAILQ_FIRST(&pool->requests)) != NULL) {
406 TAILQ_REMOVE(&pool->requests, request, next);
407 /* if this gets more complicated we need our own
function */
408 evrpc_request_wrapper_free(request);
409 }
410
________________________________________________________________________________________________________
*** CID 97174: Use after free (USE_AFTER_FREE)
/src/lib/libevent/http.c: 822 in evhttp_connection_free()
816 if (evcon->fd != -1) {
817 if (evcon->state == EVCON_CONNECTED && evcon->closecb
!= NULL)
818 (*evcon->closecb)(evcon, evcon->closecb_arg);
819 }
820
821 /* remove all requests that might be queued on this connection
*/
>>> CID 97174: Use after free (USE_AFTER_FREE)
>>> Using freed pointer "((evcon)->requests).tqh_first"
822 while ((req = TAILQ_FIRST(&evcon->requests)) != NULL) {
823 TAILQ_REMOVE(&evcon->requests, req, next);
824 evhttp_request_free(req);
825 }
826
827 if (evcon->http_server != NULL) {
________________________________________________________________________________________________________
*** CID 97177: Use after free (USE_AFTER_FREE)
/src/lib/libevent/http.c: 2104 in evhttp_free()
2098 evhttp_connection_free(evcon);
2099 }
2100
2101 while ((http_cb = TAILQ_FIRST(&http->callbacks)) != NULL) {
2102 TAILQ_REMOVE(&http->callbacks, http_cb, next);
2103 free(http_cb->what);
>>> CID 97177: Use after free (USE_AFTER_FREE)
>>> Pointer "http_cb" freed by function "free"
2104 free(http_cb);
2105 }
2106
2107 free(http);
2108 }
2109
________________________________________________________________________________________________________
*** CID 97178: Use after free (USE_AFTER_FREE)
/src/lib/libevent/http.c: 2093 in evhttp_free()
2087 TAILQ_REMOVE(&http->sockets, bound, next);
2088
2089 fd = bound->bind_ev.ev_fd;
2090 event_del(&bound->bind_ev);
2091 EVUTIL_CLOSESOCKET(fd);
2092
>>> CID 97178: Use after free (USE_AFTER_FREE)
>>> Pointer "bound" freed by function "free"
2093 free(bound);
2094 }
2095
2096 while ((evcon = TAILQ_FIRST(&http->connections)) != NULL) {
2097 /* evhttp_connection_free removes the connection */
2098 evhttp_connection_free(evcon);
________________________________________________________________________________________________________
*** CID 270554: Function address comparison (BAD_COMPARE)
/src/gnu/dist/gcc4/gcc/crtstuff.c: 295 in __do_global_dtors_aux()
289 #ifdef CRT_GET_RFIB_DATA
290 /* If we used the new __register_frame_info_bases interface,
291 make sure that we deregister from the same place. */
292 if (__deregister_frame_info_bases)
293 __deregister_frame_info_bases (__EH_FRAME_BEGIN__);
294 #else
>>> CID 270554: Function address comparison (BAD_COMPARE)
>>> Suspicious implicit conversion to function pointer:
>>> "&__deregister_frame_info != 0"; did you intend to call the function?
295 if (__deregister_frame_info)
296 __deregister_frame_info (__EH_FRAME_BEGIN__);
297 #endif
298 #endif
299
300 completed = 1;
________________________________________________________________________________________________________
*** CID 270556: Function address comparison (BAD_COMPARE)
/src/gnu/dist/gcc4/gcc/crtstuff.c: 329 in frame_dummy()
323 void *tbase, *dbase;
324 tbase = 0;
325 CRT_GET_RFIB_DATA (dbase);
326 if (__register_frame_info_bases)
327 __register_frame_info_bases (__EH_FRAME_BEGIN__, &object, tbase,
dbase);
328 #else
>>> CID 270556: Function address comparison (BAD_COMPARE)
>>> Suspicious implicit conversion to function pointer:
>>> "&__register_frame_info != 0"; did you intend to call the function?
329 if (__register_frame_info)
330 __register_frame_info (__EH_FRAME_BEGIN__, &object);
331 #endif /* CRT_GET_RFIB_DATA */
332 #endif /* USE_EH_FRAME_REGISTRY */
333 #ifdef JCR_SECTION_NAME
334 if (__JCR_LIST__[0])
________________________________________________________________________________________________________
*** CID 270854: Null pointer dereference (FORWARD_NULL)
/src/sys/net/rtsock.c: 1006 in sysctl_dumpentry()
1000 struct rt_msghdr *rtm = (struct rt_msghdr *)w->w_tmem;
1001
1002 rtm->rtm_flags = rt->rt_flags;
1003 rtm->rtm_use = rt->rt_use;
1004 cvtmetrics(&rtm->rtm_rmx, &rt->rt_rmx);
1005 KASSERT(rt->rt_ifp != NULL);
>>> CID 270854: Null pointer dereference (FORWARD_NULL)
>>> Variable "(rt)->rt_ifp" tracked as NULL was dereferenced.
1006 rtm->rtm_index = rt->rt_ifp->if_index;
1007 rtm->rtm_errno = rtm->rtm_pid = rtm->rtm_seq = 0;
1008 rtm->rtm_addrs = info.rti_addrs;
1009 if ((error = copyout(rtm, w->w_where, size)) != 0)
1010 w->w_where = NULL;
1011 else
________________________________________________________________________________________________________
*** CID 270793: Null pointer dereference (FORWARD_NULL)
/src/dist/nvi/common/msg.c: 924 in msg_print()
918 if (0) {
919 alloc_err: return __UNCONST("");
920 }
921 *needfree = 1;
922
923 for (p = bp, ep = (bp + blen) - 1, cp = s; *cp != '\0' && p <
ep; ++cp)
>>> CID 270793: Null pointer dereference (FORWARD_NULL)
>>> Variable "sp" tracked as NULL was dereferenced.
924 for (t = KEY_NAME(sp, *cp); *t != '\0' && p < ep; *p++
= *t++);
925 if (p == ep)
926 goto retry;
927 *p = '\0';
928 return (bp);
________________________________________________________________________________________________________
*** CID 222141: Resource leak (RESOURCE_LEAK)
/src/lib/libevent/evrpc.c: 549 in evrpc_schedule_request()
543
544 error:
545 memset(&status, 0, sizeof(status));
546 status.error = EVRPC_STATUS_ERR_UNSTARTED;
547 (*ctx->cb)(&status, ctx->request, ctx->reply, ctx->cb_arg);
548 evrpc_request_wrapper_free(ctx);
>>> CID 222141: Resource leak (RESOURCE_LEAK)
>>> Returned without freeing storage "uri"
549 return (-1);
550 }
551
552 int
553 evrpc_make_request(struct evrpc_request_wrapper *ctx)
554 {
________________________________________________________________________________________________________
*** CID 97173: Use after free (USE_AFTER_FREE)
/src/lib/libevent/http.c: 1149 in evhttp_clear_headers()
1143 for (header = TAILQ_FIRST(headers);
1144 header != NULL;
1145 header = TAILQ_FIRST(headers)) {
1146 TAILQ_REMOVE(headers, header, next);
1147 free(header->key);
1148 free(header->value);
>>> CID 97173: Use after free (USE_AFTER_FREE)
>>> Pointer "header" freed by function "free"
1149 free(header);
1150 }
1151 }
1152
1153 /*
1154 * Returns 0, if the header was successfully removed.
________________________________________________________________________________________________________
*** CID 222539: Use after free (USE_AFTER_FREE)
/src/lib/libevent/http.c: 2096 in evhttp_free()
2090 event_del(&bound->bind_ev);
2091 EVUTIL_CLOSESOCKET(fd);
2092
2093 free(bound);
2094 }
2095
>>> CID 222539: Use after free (USE_AFTER_FREE)
>>> aliasing "((http)->connections).tqh_first" with "evcon"
2096 while ((evcon = TAILQ_FIRST(&http->connections)) != NULL) {
2097 /* evhttp_connection_free removes the connection */
2098 evhttp_connection_free(evcon);
2099 }
2100
2101 while ((http_cb = TAILQ_FIRST(&http->callbacks)) != NULL) {
________________________________________________________________________________________________________
*** CID 222537: Use after free (USE_AFTER_FREE)
/src/lib/libevent/http.c: 1003 in evhttp_connectioncb()
997 return;
998 }
999 evhttp_connection_reset(evcon);
1000
1001 /* for now, we just signal all requests by executing their
callbacks */
1002 while (TAILQ_FIRST(&evcon->requests) != NULL) {
>>> CID 222537: Use after free (USE_AFTER_FREE)
>>> aliasing "((evcon)->requests).tqh_first" with "request"
1003 struct evhttp_request *request =
TAILQ_FIRST(&evcon->requests);
1004 TAILQ_REMOVE(&evcon->requests, request, next);
1005 request->evcon = NULL;
1006
1007 /* we might want to set an error here */
1008 request->cb(request, request->cb_arg);
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit:
http://scan.coverity.com/projects/156?tab=Overview
To unsubscribe from the email notifications for new defects, visit:
http://scan5.coverity.com/cgi-bin/unsubscribe.py