Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-i386-user



Hi,


Please find the latest report on new defect(s) introduced to NetBSD-i386-user 
found with Coverity Scan.

Defect(s) Reported-by: Coverity Scan
Showing 20 of 140 defect(s)


** CID 274840:  Dereference null return value  (NULL_RETURNS)
/sys/net/bpf.c: 301 in bpf_movein()

** CID 274841:  Dereference null return value  (NULL_RETURNS)
/sys/kern/uipc_socket.c: 981 in sosend()

** CID 274845:  Dereference null return value  (NULL_RETURNS)
/sys/nfs/nfs_subs.c: 612 in nfsm_rpchead()
/sys/nfs/nfs_subs.c: 617 in nfsm_rpchead()
/sys/nfs/nfs_subs.c: 619 in nfsm_rpchead()

** CID 274846:  Dereference null return value  (NULL_RETURNS)
/sys/nfs/nfs_socket.c: 554 in nfs_rephead()
/sys/nfs/nfs_socket.c: 545 in nfs_rephead()

** CID 739552:  Time of check time of use  (TOCTOU)
/external/bsd/bind/dist/lib/isc/unix/socket.c: 5206 in isc__socket_cleanunix()
/external/bsd/bind/dist/lib/isc/unix/socket.c: 5254 in isc__socket_cleanunix()

** CID 741070:  Free of address-of expression  (BAD_FREE)
/external/bsd/bind/dist/lib/isc/mem.c: 1609 in isc___mem_free()
/external/bsd/bind/dist/lib/isc/mem.c: 1605 in isc___mem_free()

** CID 977112:  Out-of-bounds access  (OVERRUN)
/crypto/external/bsd/netpgp/dist/src/libverify/libverify.c: 461 in pgpv_calc_fingerprint()
/crypto/external/bsd/netpgp/dist/src/netpgpverify/libverify.c: 531 in pgpv_calc_fingerprint()

** CID 979161:  Use of untrusted string value  (TAINTED_STRING)
/external/bsd/dhcpcd/dist/dhcpcd.c: 1340 in main()
/external/bsd/dhcpcd/dist/dhcpcd.c: 1556 in main()

** CID 979610:  Uninitialized scalar variable  (UNINIT)
/tests/lib/libc/hash/t_sha2.c: 175 in atfu_t_sha256_body()

** CID 979611:  Uninitialized scalar variable  (UNINIT)
/tests/lib/libc/hash/t_sha2.c: 202 in atfu_t_sha384_body()

** CID 979612:  Uninitialized scalar variable  (UNINIT)
/tests/lib/libc/hash/t_sha2.c: 229 in atfu_t_sha512_body()

** CID 993318:  Improper use of negative value  (NEGATIVE_RETURNS)
/external/bsd/dhcp/dist/dst/hmac_link.c: 366 in dst_hmac_md5_key_from_file_format()

** CID 1018040:  Division or modulo by zero  (DIVIDE_BY_ZERO)
/external/bsd/elftoolchain/dist/libelf/elf_update.c: 237 in _libelf_compute_section_extents()

** CID 1018984:  Unused pointer value  (UNUSED_VALUE)
/external/bsd/elftoolchain/dist/libelf/elf_shstrndx.c: 51 in _libelf_getshdrstrndx()

** CID 1018985:  Unused pointer value  (UNUSED_VALUE)
/external/bsd/elftoolchain/dist/libelf/elf_shnum.c: 51 in _libelf_getshdrnum()

** CID 1018986:  Unused pointer value  (UNUSED_VALUE)
/external/bsd/elftoolchain/dist/libelf/elf_phnum.c: 51 in _libelf_getphdrnum()

** CID 1042402:  Missing break in switch  (MISSING_BREAK)
/crypto/external/bsd/netpgp/dist/src/netpgpverify/zlib.c: 1886 in inflate()

** CID 1193195:  Extra sizeof expression  (SIZEOF_MISMATCH)
/sys/kern/subr_vmem.c: 326 in bt_freetrim()

** CID 1193257:  Free of address-of expression  (BAD_FREE)
/crypto/external/bsd/netpgp/dist/src/netpgpverify/libverify.c: 2256 in read_ssh_file()

** CID 1193258:  Buffer not null terminated  (BUFFER_SIZE_WARNING)
/external/bsd/bind/dist/bin/dig/dig.c: 1128 in plus_option()


________________________________________________________________________________________________________
*** CID 274840:  Dereference null return value  (NULL_RETURNS)
/sys/net/bpf.c: 301 in bpf_movein()
295              * (Take into account possible alignment bytes)
296              */
297             if (len + align > MCLBYTES)
298                     return (EIO);
299     
300             m = m_gethdr(M_WAIT, MT_DATA);
>>>     CID 274840:  Dereference null return value  (NULL_RETURNS)
>>>     Dereferencing a null pointer "m".
301             m->m_pkthdr.rcvif = 0;
302             m->m_pkthdr.len = (int)(len - hlen);
303             if (len + align > MHLEN) {
304                     m_clget(m, M_WAIT);
305                     if ((m->m_flags & M_EXT) == 0) {
306                             error = ENOBUFS;

________________________________________________________________________________________________________
*** CID 274841:  Dereference null return value  (NULL_RETURNS)
/sys/kern/uipc_socket.c: 981 in sosend()
975                             } else do {
976                                     sounlock(so);
977                                     splx(s);
978                                     if (top == NULL) {
979                                             m = m_gethdr(M_WAIT, MT_DATA);
980                                             mlen = MHLEN;
>>>     CID 274841:  Dereference null return value  (NULL_RETURNS)
>>>     Dereferencing a null pointer "m".
981                                             m->m_pkthdr.len = 0;
982                                             m->m_pkthdr.rcvif = NULL;
983                                     } else {
984                                             m = m_get(M_WAIT, MT_DATA);
985                                             mlen = MLEN;
986                                     }

________________________________________________________________________________________________________
*** CID 274845:  Dereference null return value  (NULL_RETURNS)
/sys/nfs/nfs_subs.c: 612 in nfsm_rpchead()
606             char *bpos;
607             int i;
608             struct mbuf *mreq;
609             int siz, grpsiz, authsiz;
610     
611             authsiz = nfsm_rndup(auth_len);
>>>     CID 274845:  Dereference null return value  (NULL_RETURNS)
>>>     Assigning: "mb" = null return value from "m_gethdr(int, int)".
612             mb = m_gethdr(M_WAIT, MT_DATA);
613             MCLAIM(mb, &nfs_mowner);
614             if ((authsiz + 10 * NFSX_UNSIGNED) >= MINCLSIZE) {
615                     m_clget(mb, M_WAIT);
616             } else if ((authsiz + 10 * NFSX_UNSIGNED) < MHLEN) {
617                     MH_ALIGN(mb, authsiz + 10 * NFSX_UNSIGNED);
/sys/nfs/nfs_subs.c: 617 in nfsm_rpchead()
611             authsiz = nfsm_rndup(auth_len);
612             mb = m_gethdr(M_WAIT, MT_DATA);
613             MCLAIM(mb, &nfs_mowner);
614             if ((authsiz + 10 * NFSX_UNSIGNED) >= MINCLSIZE) {
615                     m_clget(mb, M_WAIT);
616             } else if ((authsiz + 10 * NFSX_UNSIGNED) < MHLEN) {
>>>     CID 274845:  Dereference null return value  (NULL_RETURNS)
>>>     Dereferencing a null pointer "mb".
617                     MH_ALIGN(mb, authsiz + 10 * NFSX_UNSIGNED);
618             } else {
619                     MH_ALIGN(mb, 8 * NFSX_UNSIGNED);
620             }
621             mb->m_len = 0;
622             mreq = mb;
/sys/nfs/nfs_subs.c: 619 in nfsm_rpchead()
613             MCLAIM(mb, &nfs_mowner);
614             if ((authsiz + 10 * NFSX_UNSIGNED) >= MINCLSIZE) {
615                     m_clget(mb, M_WAIT);
616             } else if ((authsiz + 10 * NFSX_UNSIGNED) < MHLEN) {
617                     MH_ALIGN(mb, authsiz + 10 * NFSX_UNSIGNED);
618             } else {
>>>     CID 274845:  Dereference null return value  (NULL_RETURNS)
>>>     Dereferencing a null pointer "mb".
619                     MH_ALIGN(mb, 8 * NFSX_UNSIGNED);
620             }
621             mb->m_len = 0;
622             mreq = mb;
623             bpos = mtod(mb, void *);
624     

________________________________________________________________________________________________________
*** CID 274846:  Dereference null return value  (NULL_RETURNS)
/sys/nfs/nfs_socket.c: 554 in nfs_rephead()
548              * try and leave leading space for the lower level headers.
549              */
550             siz += RPC_REPLYSIZ;
551             if (siz >= max_datalen) {
552                     m_clget(mreq, M_WAIT);
553             } else
>>>     CID 274846:  Dereference null return value  (NULL_RETURNS)
>>>     Dereferencing a null pointer "mreq".
554                     mreq->m_data += max_hdr;
555             tl = mtod(mreq, u_int32_t *);
556             mreq->m_len = 6 * NFSX_UNSIGNED;
557             bpos = ((char *)tl) + mreq->m_len;
558             *tl++ = txdr_unsigned(nd->nd_retxid);
559             *tl++ = rpc_reply;
/sys/nfs/nfs_socket.c: 545 in nfs_rephead()
539             struct mbuf *mreq;
540             char *bpos;
541             struct mbuf *mb;
542     
543             mreq = m_gethdr(M_WAIT, MT_DATA);
544             MCLAIM(mreq, &nfs_mowner);
>>>     CID 274846:  Dereference null return value  (NULL_RETURNS)
>>>     Assigning: "mb" = "mreq".  Both pointers are now null.
545             mb = mreq;
546             /*
547              * If this is a big reply, use a cluster else
548              * try and leave leading space for the lower level headers.
549              */
550             siz += RPC_REPLYSIZ;

________________________________________________________________________________________________________
*** CID 739552:  Time of check time of use  (TOCTOU)
/external/bsd/bind/dist/lib/isc/unix/socket.c: 5206 in isc__socket_cleanunix()
5200                            isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
5201                                          ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
5202                                          "isc_socket_cleanunix: %s: not a socket",
5203                                          sockaddr->type.sunix.sun_path);
5204                            return;
5205                    }
>>>     CID 739552:  Time of check time of use  (TOCTOU)
>>>     Calling function "unlink(char const *)" that uses 
>>> "sockaddr->type.sunix.sun_path" after a check function. This can cause a 
>>> time-of-check, time-of-use race condition.
5206                    if (unlink(sockaddr->type.sunix.sun_path) < 0) {
5207                            isc__strerror(errno, strbuf, sizeof(strbuf));
5208                            isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
5209                                          ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
5210                                          "isc_socket_cleanunix: unlink(%s): %s",
5211                                          sockaddr->type.sunix.sun_path, strbuf);
/external/bsd/bind/dist/lib/isc/unix/socket.c: 5254 in isc__socket_cleanunix()
5248     
5249            if (connect(s, (struct sockaddr *)&sockaddr->type.sunix,
5250                        sizeof(sockaddr->type.sunix)) < 0) {
5251                    switch (errno) {
5252                    case ECONNREFUSED:
5253                    case ECONNRESET:
>>>     CID 739552:  Time of check time of use  (TOCTOU)
>>>     Calling function "unlink(char const *)" that uses 
>>> "sockaddr->type.sunix.sun_path" after a check function. This can cause a 
>>> time-of-check, time-of-use race condition.
5254                            if (unlink(sockaddr->type.sunix.sun_path) < 0) {
5255                                    isc__strerror(errno, strbuf, sizeof(strbuf));
5256                                    isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
5257                                                  ISC_LOGMODULE_SOCKET,
5258                                                  ISC_LOG_WARNING,
5259                                                  "isc_socket_cleanunix: "

________________________________________________________________________________________________________
*** CID 741070:  Free of address-of expression  (BAD_FREE)
/external/bsd/bind/dist/lib/isc/mem.c: 1609 in isc___mem_free()
1603     
1604            if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) {
1605                    si = &(((size_info *)ptr)[-2]);
1606                    REQUIRE(si->u.ctx == ctx);
1607                    size = si[1].u.size;
1608            } else {
>>>     CID 741070:  Free of address-of expression  (BAD_FREE)
>>>     Assigning: "si" = "(size_info *)ptr + -1".
1609                    si = &(((size_info *)ptr)[-1]);
1610                    size = si->u.size;
1611            }
1612     
1613            MCTXLOCK(ctx, &ctx->lock);
1614     
/external/bsd/bind/dist/lib/isc/mem.c: 1605 in isc___mem_free()
1599            isc_boolean_t call_water= ISC_FALSE;
1600     
1601            REQUIRE(VALID_CONTEXT(ctx));
1602            REQUIRE(ptr != NULL);
1603     
1604            if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) {
>>>     CID 741070:  Free of address-of expression  (BAD_FREE)
>>>     Assigning: "si" = "(size_info *)ptr + -2".
1605                    si = &(((size_info *)ptr)[-2]);
1606                    REQUIRE(si->u.ctx == ctx);
1607                    size = si[1].u.size;
1608            } else {
1609                    si = &(((size_info *)ptr)[-1]);
1610                    size = si->u.size;

________________________________________________________________________________________________________
*** CID 977112:  Out-of-bounds access  (OVERRUN)
/crypto/external/bsd/netpgp/dist/src/libverify/libverify.c: 461 in pgpv_calc_fingerprint()
455                     /* v3 keys are RSA */
456                     fingerprint->hashalg = digest_get_alg("md5");
457                     digest_init(&fphash, (unsigned)fingerprint->hashalg);
458                     if (pubkey->bn[RSA_N].bn && pubkey->bn[RSA_E].bn) {
459                             cc = fmt_binary_mpi(&pubkey->bn[RSA_N], buf, sizeof(buf));
460                             digest_update(&fphash, &buf[2], cc - 2);
>>>     CID 977112:  Out-of-bounds access  (OVERRUN)
>>>     Assigning: "cc" = "fmt_binary_mpi(&pubkey->bn[1], buf, 8195U)". The 
>>> value of "cc" is now 0.
461                             cc = fmt_binary_mpi(&pubkey->bn[RSA_E], buf, sizeof(buf));
462                             digest_update(&fphash, &buf[2], cc - 2);
463                             fingerprint->len = digest_final(fingerprint->v, &fphash);
464                             return 1;
465                     }
466             }
/crypto/external/bsd/netpgp/dist/src/netpgpverify/libverify.c: 531 in pgpv_calc_fingerprint()
525                     /* v3 keys are RSA */
526                     fingerprint->hashalg = digest_get_alg("md5");
527                     digest_init(&fphash, (unsigned)fingerprint->hashalg);
528                     if (pubkey->bn[RSA_N].bn && pubkey->bn[RSA_E].bn) {
529                             cc = fmt_binary_mpi(&pubkey->bn[RSA_N], buf, sizeof(buf));
530                             digest_update(&fphash, &buf[2], (unsigned)(cc - 2));
>>>     CID 977112:  Out-of-bounds access  (OVERRUN)
>>>     Assigning: "cc" = "fmt_binary_mpi(&pubkey->bn[1], buf, 8195U)". The 
>>> value of "cc" is now 0.
531                             cc = fmt_binary_mpi(&pubkey->bn[RSA_E], buf, sizeof(buf));
532                             digest_update(&fphash, &buf[2], (unsigned)(cc - 2));
533                             fingerprint->len = digest_final(fingerprint->v, &fphash);
534                             return 1;
535                     }
536             }

________________________________________________________________________________________________________
*** CID 979161:  Use of untrusted string value  (TAINTED_STRING)
/external/bsd/dhcpcd/dist/dhcpcd.c: 1340 in main()
1334                            if (sig != SIGHUP && errno != EPERM)
1335                                    syslog(LOG_ERR, ""PACKAGE" not running");
1336                            if (pid != 0 && errno != ESRCH) {
1337                                    syslog(LOG_ERR, "kill: %m");
1338                                    goto exit_failure;
1339                            }
>>>     CID 979161:  Use of untrusted string value  (TAINTED_STRING)
>>>     Passing tainted string "pidfile" to "unlink(char const *)", which 
>>> cannot accept tainted data.
1340                            unlink(pidfile);
1341                            if (sig != SIGHUP)
1342                                    goto exit_failure;
1343                    } else {
1344                            if (sig == SIGHUP || sig == SIGUSR1)
1345                                    goto exit_success;
/external/bsd/dhcpcd/dist/dhcpcd.c: 1556 in main()
1550            ipv6_ctxfree(&ctx);
1551            dev_stop(&ctx, !(ctx.options & DHCPCD_FORKED));
1552            if (!(ctx.options & DHCPCD_FORKED) && control_stop(&ctx) == -1)
1553                    syslog(LOG_ERR, "control_stop: %m:");
1554            if (ctx.pid_fd != -1) {
1555                    close(ctx.pid_fd);
>>>     CID 979161:  Use of untrusted string value  (TAINTED_STRING)
>>>     Passing tainted string "pidfile" to "unlink(char const *)", which 
>>> cannot accept tainted data.
1556                    unlink(pidfile);
1557            }
1558            eloop_free(ctx.eloop);
1559     
1560            if (ctx.options & DHCPCD_STARTED && !(ctx.options & DHCPCD_FORKED))
1561                    syslog(LOG_INFO, "exited");
1562            closelog();
1563            return i;

________________________________________________________________________________________________________
*** CID 979610:  Uninitialized scalar variable  (UNINIT)
/tests/lib/libc/hash/t_sha2.c: 175 in atfu_t_sha256_body()
169     
170     ATF_TC_BODY(t_sha256, tc)
171     {
172             size_t i, j, len;
173             SHA256_CTX ctx;
174             unsigned char buf[256];
>>>     CID 979610:  Uninitialized scalar variable  (UNINIT)
>>>     Declaring variable "digest" without initializer.
175             unsigned char digest[8 + SHA256_DIGEST_LENGTH];
176             char output[SHA256_DIGEST_STRING_LENGTH];
177     
178             for (i = 0; i < sizeof(test256) / sizeof(test256[0]); ++i) {
179                     len = strlen(test256[i].vector);
180                     for (j = 0; j < 8; ++j) {

________________________________________________________________________________________________________
*** CID 979611:  Uninitialized scalar variable  (UNINIT)
/tests/lib/libc/hash/t_sha2.c: 202 in atfu_t_sha384_body()
196     
197     ATF_TC_BODY(t_sha384, tc)
198     {
199             size_t i, j, len;
200             SHA384_CTX ctx;
201             unsigned char buf[384];
>>>     CID 979611:  Uninitialized scalar variable  (UNINIT)
>>>     Declaring variable "digest" without initializer.
202             unsigned char digest[8 + SHA384_DIGEST_LENGTH];
203             char output[SHA384_DIGEST_STRING_LENGTH];
204     
205             for (i = 0; i < sizeof(test384) / sizeof(test384[0]); ++i) {
206                     len = strlen(test384[i].vector);
207                     for (j = 0; j < 8; ++j) {

________________________________________________________________________________________________________
*** CID 979612:  Uninitialized scalar variable  (UNINIT)
/tests/lib/libc/hash/t_sha2.c: 229 in atfu_t_sha512_body()
223     
224     ATF_TC_BODY(t_sha512, tc)
225     {
226             size_t i, j, len;
227             SHA512_CTX ctx;
228             unsigned char buf[512];
>>>     CID 979612:  Uninitialized scalar variable  (UNINIT)
>>>     Declaring variable "digest" without initializer.
229             unsigned char digest[8 + SHA512_DIGEST_LENGTH];
230             char output[SHA512_DIGEST_STRING_LENGTH];
231     
232             for (i = 0; i < sizeof(test512) / sizeof(test512[0]); ++i) {
233                     len = strlen(test512[i].vector);
234                     for (j = 0; j < 8; ++j) {

________________________________________________________________________________________________________
*** CID 993318:  Improper use of negative value  (NEGATIVE_RETURNS)
/external/bsd/dhcp/dist/dst/hmac_link.c: 366 in dst_hmac_md5_key_from_file_format()
360             if (eol == NULL)
361                     return (-4);
362             len = eol - p;
363             tmp = malloc(len + 2);
364             memcpy(tmp, p, len);
365             *(tmp + len) = 0x0;
>>>     CID 993318:  Improper use of negative value  (NEGATIVE_RETURNS)
>>>     Assigning: unsigned variable "key_len" = "MRb64_pton(char const *, 
>>> u_char *, size_t)".
366             key_len = b64_pton((char *)tmp, key, HMAC_LEN+1);       /* see above */
367             SAFE_FREE2(tmp, len + 2);
368     
369             if (dst_buffer_to_hmac_md5(dkey, key, key_len) < 0) {
370                     return (-6);
371             }

________________________________________________________________________________________________________
*** CID 1018040:  Division or modulo by zero  (DIVIDE_BY_ZERO)
/external/bsd/elftoolchain/dist/libelf/elf_update.c: 237 in _libelf_compute_section_extents()
231     
232                     /*
233                      * The buffer's size should be a multiple of the
234                      * memory size of the underlying type.
235                      */
236                     msz = _libelf_msize(d->d_type, ec, e->e_version);
>>>     CID 1018040:  Division or modulo by zero  (DIVIDE_BY_ZERO)
>>>     In expression "d->d_size % msz" modulo by expression "msz" which may be 
>>> zero has undefined behavior.
237                     if (d->d_size % msz) {
238                             LIBELF_SET_ERROR(DATA, 0);
239                             return (0);
240                     }
241     
242                     /*

________________________________________________________________________________________________________
*** CID 1018984:  Unused pointer value  (UNUSED_VALUE)
/external/bsd/elftoolchain/dist/libelf/elf_shstrndx.c: 51 in _libelf_getshdrstrndx()
45      if (e == NULL || e->e_kind != ELF_K_ELF ||
46          ((ec = e->e_class) != ELFCLASS32 && ec != ELFCLASS64)) {
47              LIBELF_SET_ERROR(ARGUMENT, 0);
48              return (-1);
49      }
50     
>>>     CID 1018984:  Unused pointer value  (UNUSED_VALUE)
>>>     Pointer "eh" returned by "_libelf_ehdr(e, ec, 0)" is never used.
51      if ((eh = _libelf_ehdr(e, ec, 0)) == NULL)
52              return (-1);
53     
54      *strndx = e->e_u.e_elf.e_strndx;
55     
56      return (0);

________________________________________________________________________________________________________
*** CID 1018985:  Unused pointer value  (UNUSED_VALUE)
/external/bsd/elftoolchain/dist/libelf/elf_shnum.c: 51 in _libelf_getshdrnum()
45      if (e == NULL || e->e_kind != ELF_K_ELF ||
46          ((ec = e->e_class) != ELFCLASS32 && ec != ELFCLASS64)) {
47              LIBELF_SET_ERROR(ARGUMENT, 0);
48              return (-1);
49      }
50     
>>>     CID 1018985:  Unused pointer value  (UNUSED_VALUE)
>>>     Pointer "eh" returned by "_libelf_ehdr(e, ec, 0)" is never used.
51      if ((eh = _libelf_ehdr(e, ec, 0)) == NULL)
52              return (-1);
53     
54      *shnum = e->e_u.e_elf.e_nscn;
55     
56      return (0);

________________________________________________________________________________________________________
*** CID 1018986:  Unused pointer value  (UNUSED_VALUE)
/external/bsd/elftoolchain/dist/libelf/elf_phnum.c: 51 in _libelf_getphdrnum()
45      if (e == NULL || e->e_kind != ELF_K_ELF ||
46          ((ec = e->e_class) != ELFCLASS32 && ec != ELFCLASS64)) {
47              LIBELF_SET_ERROR(ARGUMENT, 0);
48              return (-1);
49      }
50     
>>>     CID 1018986:  Unused pointer value  (UNUSED_VALUE)
>>>     Pointer "eh" returned by "_libelf_ehdr(e, ec, 0)" is never used.
51      if ((eh = _libelf_ehdr(e, ec, 0)) == NULL)
52              return (-1);
53     
54      *phnum = e->e_u.e_elf.e_nphdr;
55     
56      return (0);

________________________________________________________________________________________________________
*** CID 1042402:  Missing break in switch  (MISSING_BREAK)
/crypto/external/bsd/netpgp/dist/src/netpgpverify/zlib.c: 1886 in inflate()
1880                     NEEDBITS(state->extra);
1881                     state->length += BITS(state->extra);
1882                     DROPBITS(state->extra);
1883                 }
1884                 Tracevv((stderr, "inflate:         length %u\n", state->length));
1885                 state->mode = DIST;
>>>     CID 1042402:  Missing break in switch  (MISSING_BREAK)
>>>     The above case falls through to this one.
1886             case DIST:
1887                 for (;;) {
1888                     this = state->distcode[BITS(state->distbits)];
1889                     if ((unsigned)(this.bits) <= bits) break;
1890                     PULLBYTE();
1891                 }

________________________________________________________________________________________________________
*** CID 1193195:  Extra sizeof expression  (SIZEOF_MISMATCH)
/sys/kern/subr_vmem.c: 326 in bt_freetrim()
320     
321             VMEM_LOCK(vm);
322             while (vm->vm_nfreetags > freelimit) {
323                     bt_t *bt = LIST_FIRST(&vm->vm_freetags);
324                     LIST_REMOVE(bt, bt_freelist);
325                     vm->vm_nfreetags--;
>>>     CID 1193195:  Extra sizeof expression  (SIZEOF_MISMATCH)
>>>     Adding "5600U /* sizeof (static_bts) */" to pointer "static_bts" of 
>>> type "struct vmem_btag [200]" is suspicious because adding an integral 
>>> value to this pointer automatically scales that value by the size, 28 
>>> bytes, of the pointed-to type, "struct vmem_btag".  Most likely, you 
>>> intended to use the number of elements in "static_bts" rather than its size 
>>> in bytes.
326                     if (bt >= static_bts
327                         && bt < static_bts + sizeof(static_bts)) {
328                             mutex_enter(&vmem_btag_lock);
329                             LIST_INSERT_HEAD(&vmem_btag_freelist, bt, bt_freelist);
330                             vmem_btag_freelist_count++;
331                             mutex_exit(&vmem_btag_lock);

________________________________________________________________________________________________________
*** CID 1193257:  Free of address-of expression  (BAD_FREE)
/crypto/external/bsd/netpgp/dist/src/netpgpverify/libverify.c: 2256 in read_ssh_file()
2250     
2251            memset(primary, 0x0, sizeof(*primary));
2252            (void) memset(&bg, 0x0, sizeof(bg));
2253            va_start(args, fmt);
2254            vsnprintf(f, sizeof(f), fmt, args);
2255            va_end(args);
>>>     CID 1193257:  Free of address-of expression  (BAD_FREE)
>>>     "bufgap_open(bufgap_t *, char const *)" frees address of "bg".
2256            if (!bufgap_open(&bg, f)) {
2257                    (void) fprintf(stderr, "pgp_ssh2pubkey: can't open '%s'\n", f);
2258                    return 0;
2259            }
2260            (void)stat(f, &st);
2261            if ((buf = calloc(1, (size_t)st.st_size)) == NULL) {

________________________________________________________________________________________________________
*** CID 1193258:  Buffer not null terminated  (BUFFER_SIZE_WARNING)
/external/bsd/bind/dist/bin/dig/dig.c: 1128 in plus_option()
1122                            case 't': /* sit */
1123                                    FULLCHECK("sit");
1124                                    if (state && lookup->edns == -1)
1125                                            lookup->edns = 0;
1126                                    lookup->sit = state;
1127                                    if (value != NULL) {
>>>     CID 1193258:  Buffer not null terminated  (BUFFER_SIZE_WARNING)
>>>     Calling strncpy with a maximum size argument of 256 bytes on 
>>> destination array "sitvalue" of size 256 bytes might leave the destination 
>>> string unterminated.
1128                                            strncpy(sitvalue, value,
1129                                                    sizeof(sitvalue));
1130                                            lookup->sitvalue = sitvalue;
1131                                    } else
1132                                            lookup->sitvalue = NULL;
1133                                    break;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, 
http://scan.coverity.com/projects/1448?tab=Overview

To unsubscribe from the email notification for new defects, 
http://scan5.coverity.com/cgi-bin/unsubscribe.py



