Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-i386-kernel
- To: undisclosed-recipients:;
- Subject: New Defects reported by Coverity Scan for NetBSD-i386-kernel
- From: scan-admin%coverity.com@localhost
- Date: Thu, 05 Jun 2014 00:20:32 -0700
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-kernel
found with Coverity Scan.
Defect(s) Reported-by: Coverity Scan
Showing 12 of 12 defect(s)
** CID 274353: Explicit null dereferenced (FORWARD_NULL)
/sys/netipsec/key.c: 1775 in key_gather_mbuf()
** CID 1220164: Logically dead code (DEADCODE)
/sys/netinet6/raw_ip6.c: 237 in rip6_input()
** CID 1220165: Logically dead code (DEADCODE)
/sys/netipsec/key.c: 2367 in key_spdacquire()
** CID 1220166: Logically dead code (DEADCODE)
/sys/netipsec/xform_ah.c: 133 in ah_algorithm_lookup()
/sys/netipsec/xform_ah.c: 141 in ah_algorithm_lookup()
/sys/netipsec/xform_ah.c: 143 in ah_algorithm_lookup()
** CID 1220167: Dereference null return value (NULL_RETURNS)
/sys/netipsec/keysock.c: 248 in key_sendup()
** CID 1220168: Dereference before null check (REVERSE_INULL)
/sys/netipsec/key.c: 1226 in key_freeso()
** CID 1220169: Dereference before null check (REVERSE_INULL)
/sys/netipsec/keysock.c: 248 in key_sendup()
/sys/netipsec/keysock.c: 251 in key_sendup()
/sys/netipsec/keysock.c: 251 in key_sendup()
** CID 1220170: Dereference before null check (REVERSE_INULL)
/sys/netipsec/xform_ah.c: 882 in ah_input_cb()
/sys/netipsec/xform_ah.c: 984 in ah_input_cb()
** CID 1220171: Dereference before null check (REVERSE_INULL)
/sys/netipsec/xform_esp.c: 378 in esp_input()
/sys/netipsec/xform_esp.c: 420 in esp_input()
/sys/netipsec/xform_esp.c: 463 in esp_input()
** CID 1220172: Dereference before null check (REVERSE_INULL)
/sys/netipsec/xform_esp.c: 570 in esp_input_cb()
/sys/netipsec/xform_esp.c: 697 in esp_input_cb()
** CID 1220173: Dereference before null check (REVERSE_INULL)
/sys/netipsec/xform_esp.c: 874 in esp_output()
/sys/netipsec/xform_esp.c: 882 in esp_output()
** CID 1220174: Dereference before null check (REVERSE_INULL)
/sys/netipsec/xform_ipcomp.c: 292 in ipcomp_input_cb()
________________________________________________________________________________________________________
*** CID 274353: Explicit null dereferenced (FORWARD_NULL)
/sys/netipsec/key.c: 1775 in key_gather_mbuf()
1769 m_cat(result, n);
1770 else
1771 result = n;
1772 }
1773 va_end(ap);
1774
>>> CID 274353: Explicit null dereferenced (FORWARD_NULL)
>>> Dereferencing null pointer "result".
1775 if ((result->m_flags & M_PKTHDR) != 0) {
1776 result->m_pkthdr.len = 0;
1777 for (n = result; n; n = n->m_next)
1778 result->m_pkthdr.len += n->m_len;
1779 }
1780
________________________________________________________________________________________________________
*** CID 1220164: Logically dead code (DEADCODE)
/sys/netinet6/raw_ip6.c: 237 in rip6_input()
231 /*
232 * XXX ipsec6_in_reject update stat if there is an error
233 * so we just need to update stats by hand in the case
of last is
234 * NULL
235 */
236 if (!last)
>>> CID 1220164: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "do {
__uint64_t *_stat_ =...".
237 IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
238 IP6_STATDEC(IP6_STAT_DELIVERED);
239 /* do not inject data into pcb */
240 } else
241 #endif /* IPSEC */
242 if (last) {
________________________________________________________________________________________________________
*** CID 1220165: Logically dead code (DEADCODE)
/sys/netipsec/key.c: 2367 in key_spdacquire()
2361 PFKEY_UNIT64(result->m_pkthdr.len);
2362
2363 return key_sendup_mbuf(NULL, m, KEY_SENDUP_REGISTERED);
2364
2365 fail:
2366 if (result)
>>> CID 1220165: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "m_freem(result);".
2367 m_freem(result);
2368 return error;
2369 }
2370
2371 /*
2372 * SADB_SPDFLUSH processing
________________________________________________________________________________________________________
*** CID 1220166: Logically dead code (DEADCODE)
/sys/netipsec/xform_ah.c: 133 in ah_algorithm_lookup()
127 const struct auth_hash *
128 ah_algorithm_lookup(int alg)
129 {
130 if (alg >= AH_ALG_MAX)
131 return NULL;
132 switch (alg) {
>>> CID 1220166: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "case 251:".
133 case SADB_X_AALG_NULL:
134 return &auth_hash_null;
135 case SADB_AALG_MD5HMAC:
136 return &auth_hash_hmac_md5_96;
137 case SADB_AALG_SHA1HMAC:
138 return &auth_hash_hmac_sha1_96;
/sys/netipsec/xform_ah.c: 141 in ah_algorithm_lookup()
135 case SADB_AALG_MD5HMAC:
136 return &auth_hash_hmac_md5_96;
137 case SADB_AALG_SHA1HMAC:
138 return &auth_hash_hmac_sha1_96;
139 case SADB_X_AALG_RIPEMD160HMAC:
140 return &auth_hash_hmac_ripemd_160_96;
>>> CID 1220166: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "case 249:".
141 case SADB_X_AALG_MD5:
142 return &auth_hash_key_md5;
143 case SADB_X_AALG_SHA:
144 return &auth_hash_key_sha1;
145 case SADB_X_AALG_SHA2_256:
146 return &auth_hash_hmac_sha2_256;
/sys/netipsec/xform_ah.c: 143 in ah_algorithm_lookup()
137 case SADB_AALG_SHA1HMAC:
138 return &auth_hash_hmac_sha1_96;
139 case SADB_X_AALG_RIPEMD160HMAC:
140 return &auth_hash_hmac_ripemd_160_96;
141 case SADB_X_AALG_MD5:
142 return &auth_hash_key_md5;
>>> CID 1220166: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "case 250:".
143 case SADB_X_AALG_SHA:
144 return &auth_hash_key_sha1;
145 case SADB_X_AALG_SHA2_256:
146 return &auth_hash_hmac_sha2_256;
147 case SADB_X_AALG_SHA2_384:
148 return &auth_hash_hmac_sha2_384;
________________________________________________________________________________________________________
*** CID 1220167: Dereference null return value (NULL_RETURNS)
/sys/netipsec/keysock.c: 248 in key_sendup()
242 */
243 tlen = len;
244 m = mprev = NULL;
245 while (tlen > 0) {
246 if (tlen == len) {
247 MGETHDR(n, M_DONTWAIT, MT_DATA);
>>> CID 1220167: Dereference null return value (NULL_RETURNS)
>>> Dereferencing a null pointer "n".
248 n->m_len = MHLEN;
249 } else {
250 MGET(n, M_DONTWAIT, MT_DATA);
251 n->m_len = MLEN;
252 }
253 if (!n) {
________________________________________________________________________________________________________
*** CID 1220168: Dereference before null check (REVERSE_INULL)
/sys/netipsec/key.c: 1226 in key_freeso()
1220 case PF_INET:
1221 {
1222 struct inpcb *pcb = sotoinpcb(so);
1223 struct inpcbpolicy *sp = pcb->inp_sp;
1224
1225 /* Does it have a PCB ? */
>>> CID 1220168: Dereference before null check (REVERSE_INULL)
>>> Null-checking "pcb" suggests that it may be null, but it has already
>>> been dereferenced on all paths leading to the check.
1226 if (pcb == NULL)
1227 return;
1228 key_freesp_so(&sp->sp_in);
1229 key_freesp_so(&sp->sp_out);
1230 }
1231 break;
________________________________________________________________________________________________________
*** CID 1220169: Dereference before null check (REVERSE_INULL)
/sys/netipsec/keysock.c: 248 in key_sendup()
242 */
243 tlen = len;
244 m = mprev = NULL;
245 while (tlen > 0) {
246 if (tlen == len) {
247 MGETHDR(n, M_DONTWAIT, MT_DATA);
>>> CID 1220169: Dereference before null check (REVERSE_INULL)
>>> Directly dereferencing pointer "n".
248 n->m_len = MHLEN;
249 } else {
250 MGET(n, M_DONTWAIT, MT_DATA);
251 n->m_len = MLEN;
252 }
253 if (!n) {
/sys/netipsec/keysock.c: 251 in key_sendup()
245 while (tlen > 0) {
246 if (tlen == len) {
247 MGETHDR(n, M_DONTWAIT, MT_DATA);
248 n->m_len = MHLEN;
249 } else {
250 MGET(n, M_DONTWAIT, MT_DATA);
>>> CID 1220169: Dereference before null check (REVERSE_INULL)
>>> Directly dereferencing pointer "n".
251 n->m_len = MLEN;
252 }
253 if (!n) {
254 PFKEY_STATINC(PFKEY_STAT_IN_NOMEM);
255 return ENOBUFS;
256 }
/sys/netipsec/keysock.c: 251 in key_sendup()
245 while (tlen > 0) {
246 if (tlen == len) {
247 MGETHDR(n, M_DONTWAIT, MT_DATA);
248 n->m_len = MHLEN;
249 } else {
250 MGET(n, M_DONTWAIT, MT_DATA);
>>> CID 1220169: Dereference before null check (REVERSE_INULL)
>>> Directly dereferencing pointer "n".
251 n->m_len = MLEN;
252 }
253 if (!n) {
254 PFKEY_STATINC(PFKEY_STAT_IN_NOMEM);
255 return ENOBUFS;
256 }
________________________________________________________________________________________________________
*** CID 1220170: Dereference before null check (REVERSE_INULL)
/sys/netipsec/xform_ah.c: 882 in ah_input_cb()
876 AH_STATINC(AH_STAT_HIST + sav->alg_auth);
877 crypto_freereq(crp); /* No longer needed. */
878 crp = NULL;
879 }
880
881 /* Shouldn't happen... */
>>> CID 1220170: Dereference before null check (REVERSE_INULL)
>>> Null-checking "m" suggests that it may be null, but it has already been
>>> dereferenced on all paths leading to the check.
882 if (m == NULL) {
883 AH_STATINC(AH_STAT_CRYPTO);
884 DPRINTF(("ah_input_cb: bogus returned buffer from
crypto\n"));
885 error = EINVAL;
886 goto bad;
887 }
/sys/netipsec/xform_ah.c: 984 in ah_input_cb()
978 return error;
979 bad:
980 if (sav)
981 KEY_FREESAV(&sav);
982 mutex_exit(softnet_lock);
983 splx(s);
>>> CID 1220170: Dereference before null check (REVERSE_INULL)
>>> Null-checking "m" suggests that it may be null, but it has already been
>>> dereferenced on all paths leading to the check.
984 if (m != NULL)
985 m_freem(m);
986 if (tc != NULL)
987 free(tc, M_XDATA);
988 if (crp != NULL)
989 crypto_freereq(crp);
________________________________________________________________________________________________________
*** CID 1220171: Dereference before null check (REVERSE_INULL)
/sys/netipsec/xform_esp.c: 378 in esp_input()
372 !memcmp(&tdbi->dst, &sav->sah->saidx.dst,
373 sizeof(union sockaddr_union)))
374 break;
375 }
376
377 /* Get crypto descriptors */
>>> CID 1220171: Dereference before null check (REVERSE_INULL)
>>> Null-checking "espx" suggests that it may be null, but it has already
>>> been dereferenced on all paths leading to the check.
378 crp = crypto_getreq(esph && espx ? 2 : 1);
379 if (crp == NULL) {
380 DPRINTF(("esp_input: failed to acquire crypto
descriptors\n"));
381 ESP_STATINC(ESP_STAT_CRYPTO);
382 m_freem(m);
383 return ENOBUFS;
/sys/netipsec/xform_esp.c: 420 in esp_input()
414 struct cryptodesc *crda = crp->crp_desc;
415
416 IPSEC_ASSERT(crda != NULL, ("esp_input: null ah crypto
descriptor"));
417
418 /* Authentication descriptor */
419 crda->crd_skip = skip;
>>> CID 1220171: Dereference before null check (REVERSE_INULL)
>>> Null-checking "espx" suggests that it may be null, but it has already
>>> been dereferenced on all paths leading to the check.
420 if (espx && espx->type == CRYPTO_AES_GCM_16)
421 crda->crd_len = hlen - sav->ivlen;
422 else
423 crda->crd_len = m->m_pkthdr.len - (skip + alen);
424 crda->crd_inject = m->m_pkthdr.len - alen;
425
/sys/netipsec/xform_esp.c: 463 in esp_input()
457 tc->tc_dst = sav->sah->saidx.dst;
458 tc->tc_proto = sav->sah->saidx.proto;
459 tc->tc_protoff = protoff;
460 tc->tc_skip = skip;
461
462 /* Decryption descriptor */
>>> CID 1220171: Dereference before null check (REVERSE_INULL)
>>> Null-checking "espx" suggests that it may be null, but it has already
>>> been dereferenced on all paths leading to the check.
463 if (espx) {
464 IPSEC_ASSERT(crde != NULL, ("esp_input: null esp crypto
descriptor"));
465 crde->crd_skip = skip + hlen;
466 if (espx->type == CRYPTO_AES_GMAC)
467 crde->crd_len = 0;
468 else
________________________________________________________________________________________________________
*** CID 1220172: Dereference before null check (REVERSE_INULL)
/sys/netipsec/xform_esp.c: 570 in esp_input_cb()
564 DPRINTF(("esp_input_cb: crypto error %d\n",
crp->crp_etype));
565 error = crp->crp_etype;
566 goto bad;
567 }
568
569 /* Shouldn't happen... */
>>> CID 1220172: Dereference before null check (REVERSE_INULL)
>>> Null-checking "m" suggests that it may be null, but it has already been
>>> dereferenced on all paths leading to the check.
570 if (m == NULL) {
571 ESP_STATINC(ESP_STAT_CRYPTO);
572 DPRINTF(("esp_input_cb: bogus returned buffer from
crypto\n"));
573 error = EINVAL;
574 goto bad;
575 }
/sys/netipsec/xform_esp.c: 697 in esp_input_cb()
691 return error;
692 bad:
693 if (sav)
694 KEY_FREESAV(&sav);
695 mutex_exit(softnet_lock);
696 splx(s);
>>> CID 1220172: Dereference before null check (REVERSE_INULL)
>>> Null-checking "m" suggests that it may be null, but it has already been
>>> dereferenced on all paths leading to the check.
697 if (m != NULL)
698 m_freem(m);
699 if (tc != NULL)
700 free(tc, M_XDATA);
701 if (crp != NULL)
702 crypto_freereq(crp);
________________________________________________________________________________________________________
*** CID 1220173: Dereference before null check (REVERSE_INULL)
/sys/netipsec/xform_esp.c: 874 in esp_output()
868
869 /* Fix Next Protocol in IPv4/IPv6 header. */
870 prot = IPPROTO_ESP;
871 m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot);
872
873 /* Get crypto descriptors. */
>>> CID 1220173: Dereference before null check (REVERSE_INULL)
>>> Null-checking "espx" suggests that it may be null, but it has already
>>> been dereferenced on all paths leading to the check.
874 crp = crypto_getreq(esph && espx ? 2 : 1);
875 if (crp == NULL) {
876 DPRINTF(("esp_output: failed to acquire crypto
descriptors\n"));
877 ESP_STATINC(ESP_STAT_CRYPTO);
878 error = ENOBUFS;
879 goto bad;
/sys/netipsec/xform_esp.c: 882 in esp_output()
876 DPRINTF(("esp_output: failed to acquire crypto
descriptors\n"));
877 ESP_STATINC(ESP_STAT_CRYPTO);
878 error = ENOBUFS;
879 goto bad;
880 }
881
>>> CID 1220173: Dereference before null check (REVERSE_INULL)
>>> Null-checking "espx" suggests that it may be null, but it has already
>>> been dereferenced on all paths leading to the check.
882 if (espx) {
883 crde = crp->crp_desc;
884 crda = crde->crd_next;
885
886 /* Encryption descriptor. */
887 crde->crd_skip = skip + hlen;
________________________________________________________________________________________________________
*** CID 1220174: Dereference before null check (REVERSE_INULL)
/sys/netipsec/xform_ipcomp.c: 292 in ipcomp_input_cb()
286 IPCOMP_STATINC(IPCOMP_STAT_NOXFORM);
287 DPRINTF(("ipcomp_input_cb: crypto error %d\n",
crp->crp_etype));
288 error = crp->crp_etype;
289 goto bad;
290 }
291 /* Shouldn't happen... */
>>> CID 1220174: Dereference before null check (REVERSE_INULL)
>>> Null-checking "m" suggests that it may be null, but it has already been
>>> dereferenced on all paths leading to the check.
292 if (m == NULL) {
293 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO);
294 DPRINTF(("ipcomp_input_cb: null mbuf returned from
crypto\n"));
295 error = EINVAL;
296 goto bad;
297 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
http://scan.coverity.com/projects/1450?tab=overview
To unsubscribe from the email notification for new defects,
http://scan5.coverity.com/cgi-bin/unsubscribe.py