Coverity-updates archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

New Defects reported by Coverity Scan for NetBSD-amd64-kernel



Hi,


Please find the latest report on new defect(s) introduced to 
NetBSD-amd64-kernel found with Coverity Scan.

Defect(s) Reported-by: Coverity Scan
Showing 12 of 12 defect(s)


** CID 274353:  Explicit null dereferenced  (FORWARD_NULL)
/sys/netipsec/key.c: 1775 in key_gather_mbuf()

** CID 1220164:  Logically dead code  (DEADCODE)
/sys/netinet6/raw_ip6.c: 237 in rip6_input()

** CID 1220165:  Logically dead code  (DEADCODE)
/sys/netipsec/key.c: 2367 in key_spdacquire()

** CID 1220166:  Logically dead code  (DEADCODE)
/sys/netipsec/xform_ah.c: 133 in ah_algorithm_lookup()
/sys/netipsec/xform_ah.c: 141 in ah_algorithm_lookup()
/sys/netipsec/xform_ah.c: 143 in ah_algorithm_lookup()

** CID 1220167:  Dereference null return value  (NULL_RETURNS)
/sys/netipsec/keysock.c: 248 in key_sendup()

** CID 1220168:  Dereference before null check  (REVERSE_INULL)
/sys/netipsec/key.c: 1226 in key_freeso()

** CID 1220169:  Dereference before null check  (REVERSE_INULL)
/sys/netipsec/keysock.c: 248 in key_sendup()
/sys/netipsec/keysock.c: 251 in key_sendup()
/sys/netipsec/keysock.c: 251 in key_sendup()

** CID 1220170:  Dereference before null check  (REVERSE_INULL)
/sys/netipsec/xform_ah.c: 882 in ah_input_cb()
/sys/netipsec/xform_ah.c: 984 in ah_input_cb()

** CID 1220171:  Dereference before null check  (REVERSE_INULL)
/sys/netipsec/xform_esp.c: 378 in esp_input()
/sys/netipsec/xform_esp.c: 420 in esp_input()
/sys/netipsec/xform_esp.c: 463 in esp_input()

** CID 1220172:  Dereference before null check  (REVERSE_INULL)
/sys/netipsec/xform_esp.c: 570 in esp_input_cb()
/sys/netipsec/xform_esp.c: 697 in esp_input_cb()

** CID 1220173:  Dereference before null check  (REVERSE_INULL)
/sys/netipsec/xform_esp.c: 874 in esp_output()
/sys/netipsec/xform_esp.c: 882 in esp_output()

** CID 1220174:  Dereference before null check  (REVERSE_INULL)
/sys/netipsec/xform_ipcomp.c: 292 in ipcomp_input_cb()


________________________________________________________________________________________________________
*** CID 274353:  Explicit null dereferenced  (FORWARD_NULL)
/sys/netipsec/key.c: 1775 in key_gather_mbuf()
1769                            m_cat(result, n);
1770                    else
1771                            result = n;
1772            }
1773            va_end(ap);
1774     
>>>     CID 274353:  Explicit null dereferenced  (FORWARD_NULL)
>>>     Dereferencing null pointer "result".
1775            if ((result->m_flags & M_PKTHDR) != 0) {
1776                    result->m_pkthdr.len = 0;
1777                    for (n = result; n; n = n->m_next)
1778                            result->m_pkthdr.len += n->m_len;
1779            }
1780     

________________________________________________________________________________________________________
*** CID 1220164:  Logically dead code  (DEADCODE)
/sys/netinet6/raw_ip6.c: 237 in rip6_input()
231                     /*
232                      * XXX ipsec6_in_reject update stat if there is an error
233                      * so we just need to update stats by hand in the case 
of last is
234                      * NULL
235                      */
236                     if (!last)
>>>     CID 1220164:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement "do {
  __uint64_t *_stat_ =...".
237                             IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
238                             IP6_STATDEC(IP6_STAT_DELIVERED);
239                             /* do not inject data into pcb */
240                     } else
241     #endif /* IPSEC */
242             if (last) {

________________________________________________________________________________________________________
*** CID 1220165:  Logically dead code  (DEADCODE)
/sys/netipsec/key.c: 2367 in key_spdacquire()
2361                PFKEY_UNIT64(result->m_pkthdr.len);
2362     
2363            return key_sendup_mbuf(NULL, m, KEY_SENDUP_REGISTERED);
2364     
2365     fail:
2366            if (result)
>>>     CID 1220165:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement "m_freem(result);".
2367                    m_freem(result);
2368            return error;
2369     }
2370     
2371     /*
2372      * SADB_SPDFLUSH processing

________________________________________________________________________________________________________
*** CID 1220166:  Logically dead code  (DEADCODE)
/sys/netipsec/xform_ah.c: 133 in ah_algorithm_lookup()
127     const struct auth_hash *
128     ah_algorithm_lookup(int alg)
129     {
130             if (alg >= AH_ALG_MAX)
131                     return NULL;
132             switch (alg) {
>>>     CID 1220166:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement "case 251:".
133             case SADB_X_AALG_NULL:
134                     return &auth_hash_null;
135             case SADB_AALG_MD5HMAC:
136                     return &auth_hash_hmac_md5_96;
137             case SADB_AALG_SHA1HMAC:
138                     return &auth_hash_hmac_sha1_96;
/sys/netipsec/xform_ah.c: 141 in ah_algorithm_lookup()
135             case SADB_AALG_MD5HMAC:
136                     return &auth_hash_hmac_md5_96;
137             case SADB_AALG_SHA1HMAC:
138                     return &auth_hash_hmac_sha1_96;
139             case SADB_X_AALG_RIPEMD160HMAC:
140                     return &auth_hash_hmac_ripemd_160_96;
>>>     CID 1220166:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement "case 249:".
141             case SADB_X_AALG_MD5:
142                     return &auth_hash_key_md5;
143             case SADB_X_AALG_SHA:
144                     return &auth_hash_key_sha1;
145             case SADB_X_AALG_SHA2_256:
146                     return &auth_hash_hmac_sha2_256;
/sys/netipsec/xform_ah.c: 143 in ah_algorithm_lookup()
137             case SADB_AALG_SHA1HMAC:
138                     return &auth_hash_hmac_sha1_96;
139             case SADB_X_AALG_RIPEMD160HMAC:
140                     return &auth_hash_hmac_ripemd_160_96;
141             case SADB_X_AALG_MD5:
142                     return &auth_hash_key_md5;
>>>     CID 1220166:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement "case 250:".
143             case SADB_X_AALG_SHA:
144                     return &auth_hash_key_sha1;
145             case SADB_X_AALG_SHA2_256:
146                     return &auth_hash_hmac_sha2_256;
147             case SADB_X_AALG_SHA2_384:
148                     return &auth_hash_hmac_sha2_384;

________________________________________________________________________________________________________
*** CID 1220167:  Dereference null return value  (NULL_RETURNS)
/sys/netipsec/keysock.c: 248 in key_sendup()
242              */
243             tlen = len;
244             m = mprev = NULL;
245             while (tlen > 0) {
246                     if (tlen == len) {
247                             MGETHDR(n, M_DONTWAIT, MT_DATA);
>>>     CID 1220167:  Dereference null return value  (NULL_RETURNS)
>>>     Dereferencing a null pointer "n".
248                             n->m_len = MHLEN;
249                     } else {
250                             MGET(n, M_DONTWAIT, MT_DATA);
251                             n->m_len = MLEN;
252                     }
253                     if (!n) {

________________________________________________________________________________________________________
*** CID 1220168:  Dereference before null check  (REVERSE_INULL)
/sys/netipsec/key.c: 1226 in key_freeso()
1220            case PF_INET:
1221                {
1222                    struct inpcb *pcb = sotoinpcb(so);
1223                    struct inpcbpolicy *sp = pcb->inp_sp;
1224     
1225                    /* Does it have a PCB ? */
>>>     CID 1220168:  Dereference before null check  (REVERSE_INULL)
>>>     Null-checking "pcb" suggests that it may be null, but it has already 
>>> been dereferenced on all paths leading to the check.
1226                    if (pcb == NULL)
1227                            return;
1228                    key_freesp_so(&sp->sp_in);
1229                    key_freesp_so(&sp->sp_out);
1230                }
1231                    break;

________________________________________________________________________________________________________
*** CID 1220169:  Dereference before null check  (REVERSE_INULL)
/sys/netipsec/keysock.c: 248 in key_sendup()
242              */
243             tlen = len;
244             m = mprev = NULL;
245             while (tlen > 0) {
246                     if (tlen == len) {
247                             MGETHDR(n, M_DONTWAIT, MT_DATA);
>>>     CID 1220169:  Dereference before null check  (REVERSE_INULL)
>>>     Directly dereferencing pointer "n".
248                             n->m_len = MHLEN;
249                     } else {
250                             MGET(n, M_DONTWAIT, MT_DATA);
251                             n->m_len = MLEN;
252                     }
253                     if (!n) {
/sys/netipsec/keysock.c: 251 in key_sendup()
245             while (tlen > 0) {
246                     if (tlen == len) {
247                             MGETHDR(n, M_DONTWAIT, MT_DATA);
248                             n->m_len = MHLEN;
249                     } else {
250                             MGET(n, M_DONTWAIT, MT_DATA);
>>>     CID 1220169:  Dereference before null check  (REVERSE_INULL)
>>>     Directly dereferencing pointer "n".
251                             n->m_len = MLEN;
252                     }
253                     if (!n) {
254                             PFKEY_STATINC(PFKEY_STAT_IN_NOMEM);
255                             return ENOBUFS;
256                     }
/sys/netipsec/keysock.c: 251 in key_sendup()
245             while (tlen > 0) {
246                     if (tlen == len) {
247                             MGETHDR(n, M_DONTWAIT, MT_DATA);
248                             n->m_len = MHLEN;
249                     } else {
250                             MGET(n, M_DONTWAIT, MT_DATA);
>>>     CID 1220169:  Dereference before null check  (REVERSE_INULL)
>>>     Directly dereferencing pointer "n".
251                             n->m_len = MLEN;
252                     }
253                     if (!n) {
254                             PFKEY_STATINC(PFKEY_STAT_IN_NOMEM);
255                             return ENOBUFS;
256                     }

________________________________________________________________________________________________________
*** CID 1220170:  Dereference before null check  (REVERSE_INULL)
/sys/netipsec/xform_ah.c: 882 in ah_input_cb()
876                     AH_STATINC(AH_STAT_HIST + sav->alg_auth);
877                     crypto_freereq(crp);            /* No longer needed. */
878                     crp = NULL;
879             }
880     
881             /* Shouldn't happen... */
>>>     CID 1220170:  Dereference before null check  (REVERSE_INULL)
>>>     Null-checking "m" suggests that it may be null, but it has already been 
>>> dereferenced on all paths leading to the check.
882             if (m == NULL) {
883                     AH_STATINC(AH_STAT_CRYPTO);
884                     DPRINTF(("ah_input_cb: bogus returned buffer from 
crypto\n"));
885                     error = EINVAL;
886                     goto bad;
887             }
/sys/netipsec/xform_ah.c: 984 in ah_input_cb()
978             return error;
979     bad:
980             if (sav)
981                     KEY_FREESAV(&sav);
982             mutex_exit(softnet_lock);
983             splx(s);
>>>     CID 1220170:  Dereference before null check  (REVERSE_INULL)
>>>     Null-checking "m" suggests that it may be null, but it has already been 
>>> dereferenced on all paths leading to the check.
984             if (m != NULL)
985                     m_freem(m);
986             if (tc != NULL)
987                     free(tc, M_XDATA);
988             if (crp != NULL)
989                     crypto_freereq(crp);

________________________________________________________________________________________________________
*** CID 1220171:  Dereference before null check  (REVERSE_INULL)
/sys/netipsec/xform_esp.c: 378 in esp_input()
372                         !memcmp(&tdbi->dst, &sav->sah->saidx.dst,
373                               sizeof(union sockaddr_union)))
374                             break;
375             }
376     
377             /* Get crypto descriptors */
>>>     CID 1220171:  Dereference before null check  (REVERSE_INULL)
>>>     Null-checking "espx" suggests that it may be null, but it has already 
>>> been dereferenced on all paths leading to the check.
378             crp = crypto_getreq(esph && espx ? 2 : 1);
379             if (crp == NULL) {
380                     DPRINTF(("esp_input: failed to acquire crypto 
descriptors\n"));
381                     ESP_STATINC(ESP_STAT_CRYPTO);
382                     m_freem(m);
383                     return ENOBUFS;
/sys/netipsec/xform_esp.c: 420 in esp_input()
414                     struct cryptodesc *crda = crp->crp_desc;
415     
416                     IPSEC_ASSERT(crda != NULL, ("esp_input: null ah crypto 
descriptor"));
417     
418                     /* Authentication descriptor */
419                     crda->crd_skip = skip;
>>>     CID 1220171:  Dereference before null check  (REVERSE_INULL)
>>>     Null-checking "espx" suggests that it may be null, but it has already 
>>> been dereferenced on all paths leading to the check.
420                     if (espx && espx->type == CRYPTO_AES_GCM_16)
421                             crda->crd_len = hlen - sav->ivlen;
422                     else
423                             crda->crd_len = m->m_pkthdr.len - (skip + alen);
424                     crda->crd_inject = m->m_pkthdr.len - alen;
425     
/sys/netipsec/xform_esp.c: 463 in esp_input()
457             tc->tc_dst = sav->sah->saidx.dst;
458             tc->tc_proto = sav->sah->saidx.proto;
459             tc->tc_protoff = protoff;
460             tc->tc_skip = skip;
461     
462             /* Decryption descriptor */
>>>     CID 1220171:  Dereference before null check  (REVERSE_INULL)
>>>     Null-checking "espx" suggests that it may be null, but it has already 
>>> been dereferenced on all paths leading to the check.
463             if (espx) {
464                     IPSEC_ASSERT(crde != NULL, ("esp_input: null esp crypto 
descriptor"));
465                     crde->crd_skip = skip + hlen;
466                     if (espx->type == CRYPTO_AES_GMAC)
467                             crde->crd_len = 0;
468                     else

________________________________________________________________________________________________________
*** CID 1220172:  Dereference before null check  (REVERSE_INULL)
/sys/netipsec/xform_esp.c: 570 in esp_input_cb()
564                     DPRINTF(("esp_input_cb: crypto error %d\n", 
crp->crp_etype));
565                     error = crp->crp_etype;
566                     goto bad;
567             }
568     
569             /* Shouldn't happen... */
>>>     CID 1220172:  Dereference before null check  (REVERSE_INULL)
>>>     Null-checking "m" suggests that it may be null, but it has already been 
>>> dereferenced on all paths leading to the check.
570             if (m == NULL) {
571                     ESP_STATINC(ESP_STAT_CRYPTO);
572                     DPRINTF(("esp_input_cb: bogus returned buffer from 
crypto\n"));
573                     error = EINVAL;
574                     goto bad;
575             }
/sys/netipsec/xform_esp.c: 697 in esp_input_cb()
691             return error;
692     bad:
693             if (sav)
694                     KEY_FREESAV(&sav);
695             mutex_exit(softnet_lock);
696             splx(s);
>>>     CID 1220172:  Dereference before null check  (REVERSE_INULL)
>>>     Null-checking "m" suggests that it may be null, but it has already been 
>>> dereferenced on all paths leading to the check.
697             if (m != NULL)
698                     m_freem(m);
699             if (tc != NULL)
700                     free(tc, M_XDATA);
701             if (crp != NULL)
702                     crypto_freereq(crp);

________________________________________________________________________________________________________
*** CID 1220173:  Dereference before null check  (REVERSE_INULL)
/sys/netipsec/xform_esp.c: 874 in esp_output()
868     
869             /* Fix Next Protocol in IPv4/IPv6 header. */
870             prot = IPPROTO_ESP;
871             m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot);
872     
873             /* Get crypto descriptors. */
>>>     CID 1220173:  Dereference before null check  (REVERSE_INULL)
>>>     Null-checking "espx" suggests that it may be null, but it has already 
>>> been dereferenced on all paths leading to the check.
874             crp = crypto_getreq(esph && espx ? 2 : 1);
875             if (crp == NULL) {
876                     DPRINTF(("esp_output: failed to acquire crypto 
descriptors\n"));
877                     ESP_STATINC(ESP_STAT_CRYPTO);
878                     error = ENOBUFS;
879                     goto bad;
/sys/netipsec/xform_esp.c: 882 in esp_output()
876                     DPRINTF(("esp_output: failed to acquire crypto 
descriptors\n"));
877                     ESP_STATINC(ESP_STAT_CRYPTO);
878                     error = ENOBUFS;
879                     goto bad;
880             }
881     
>>>     CID 1220173:  Dereference before null check  (REVERSE_INULL)
>>>     Null-checking "espx" suggests that it may be null, but it has already 
>>> been dereferenced on all paths leading to the check.
882             if (espx) {
883                     crde = crp->crp_desc;
884                     crda = crde->crd_next;
885     
886                     /* Encryption descriptor. */
887                     crde->crd_skip = skip + hlen;

________________________________________________________________________________________________________
*** CID 1220174:  Dereference before null check  (REVERSE_INULL)
/sys/netipsec/xform_ipcomp.c: 292 in ipcomp_input_cb()
286                     IPCOMP_STATINC(IPCOMP_STAT_NOXFORM);
287                     DPRINTF(("ipcomp_input_cb: crypto error %d\n", 
crp->crp_etype));
288                     error = crp->crp_etype;
289                     goto bad;
290             }
291             /* Shouldn't happen... */
>>>     CID 1220174:  Dereference before null check  (REVERSE_INULL)
>>>     Null-checking "m" suggests that it may be null, but it has already been 
>>> dereferenced on all paths leading to the check.
292             if (m == NULL) {
293                     IPCOMP_STATINC(IPCOMP_STAT_CRYPTO);
294                     DPRINTF(("ipcomp_input_cb: null mbuf returned from 
crypto\n"));
295                     error = EINVAL;
296                     goto bad;
297             }


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, 
http://scan.coverity.com/projects/1447?tab=overview

To unsubscribe from the email notification for new defects, 
http://scan5.coverity.com/cgi-bin/unsubscribe.py




Home | Main Index | Thread Index | Old Index