Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-amd64-user
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-user
found with Coverity Scan.
Defect(s) Reported-by: Coverity Scan
Showing 20 of 40 defect(s)
** CID 702134: Use of untrusted string value (TAINTED_STRING)
/usr.bin/timeout/timeout.c: 286 in main()
/usr.bin/timeout/timeout.c: 286 in main()
** CID 980273: Logically dead code (DEADCODE)
/sys/dev/pci/ubsec.c: 1016 in ubsec_newsession()
** CID 980274: Logically dead code (DEADCODE)
/sys/dev/pci/ubsec.c: 1575 in ubsec_process()
** CID 1230001: Argument cannot be negative (REVERSE_NEGATIVE)
/usr.bin/timeout/timeout.c: 271 in main()
** CID 1231861: Explicit null dereferenced (FORWARD_NULL)
/sys/netinet/tcp_usrreq.c: 1226 in tcp_disconnect1()
** CID 1231863: Dereference before null check (REVERSE_INULL)
/sys/kern/uipc_usrreq.c: 1316 in unp_disconnect1()
** CID 1231864: Dereference before null check (REVERSE_INULL)
/sys/netbt/hci_socket.c: 425 in hci_send_pcb()
** CID 1231865: Buffer not null terminated (BUFFER_SIZE_WARNING)
/usr.sbin/sysinst/net.c: 267 in get_ifconfig_info()
** CID 1231866: Unchecked return value (CHECKED_RETURN)
/usr.sbin/sysinst/main.c: 393 in toplevel()
** CID 1231867: Unchecked return value (CHECKED_RETURN)
/usr.sbin/sysinst/partman.c: 2600 in pm_upddevlist()
** CID 1231868: Unchecked return value from library (CHECKED_RETURN)
/usr.sbin/sysinst/util.c: 1108 in get_and_unpack_sets()
/usr.sbin/sysinst/util.c: 1109 in get_and_unpack_sets()
** CID 1231871: Same on both sides (CONSTANT_EXPRESSION_RESULT)
/usr.sbin/sysinst/partman.c: 1739 in pm_wedges_fill()
** CID 1231872: Explicit null dereferenced (FORWARD_NULL)
/usr.sbin/sysinst/disks.c: 1387 in get_dkwedges()
** CID 1231873: Explicit null dereferenced (FORWARD_NULL)
/usr.sbin/sysinst/partman.c: 2417 in pm_submenu()
/usr.sbin/sysinst/partman.c: 2427 in pm_submenu()
** CID 1231874: Dereference null return value (NULL_RETURNS)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/sna_trapezoids.c:
3732 in composite_unaligned_boxes_inplace()
** CID 1231875: Dereference null return value (NULL_RETURNS)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/sna_trapezoids.c:
3493 in composite_unaligned_boxes_inplace__solid()
** CID 1231876: Dereference null return value (NULL_RETURNS)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/sna_trapezoids.c:
5663 in inplace_x8r8g8b8_thread()
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/sna_trapezoids.c:
5683 in inplace_x8r8g8b8_thread()
** CID 1231877: Dereference null return value (NULL_RETURNS)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/sna_trapezoids.c:
3620 in rectilinear_inplace_thread()
** CID 1231878: Dereference null return value (NULL_RETURNS)
/sbin/gpt/migrate.c: 428 in migrate()
** CID 1231879: Out-of-bounds write (OVERRUN)
/external/bsd/ekermit/dist/kermit.c: 1304 in gattr()
________________________________________________________________________________________________________
*** CID 702134: Use of untrusted string value (TAINTED_STRING)
/usr.bin/timeout/timeout.c: 286 in main()
280 err(EX_OSERR, "fork()");
281 else if (pid == 0) {
282 /* child process */
283 signal(SIGTTIN, SIG_DFL);
284 signal(SIGTTOU, SIG_DFL);
285
>>> CID 702134: Use of untrusted string value (TAINTED_STRING)
>>> Passing tainted string "*argv" to "execvp(char const *, char * const
>>> *)", which cannot accept tainted data.
>>> Reviewer note: running the command named on its own command line is
>>> what timeout(1) exists to do, so the "taint" here is inherent in the
>>> program's contract rather than a defect; triage as intentional. The only
>>> point worth recording is that execvp() resolves argv[0] through PATH,
>>> which is the expected behaviour for a command wrapper.
286 error = execvp(argv[0], argv);
287 if (error == -1)
288 err(EX_UNAVAILABLE, "exec()");
289 }
290
291 if (sigprocmask(SIG_BLOCK, &signals.sa_mask, NULL) == -1)
/usr.bin/timeout/timeout.c: 286 in main()
280 err(EX_OSERR, "fork()");
281 else if (pid == 0) {
282 /* child process */
283 signal(SIGTTIN, SIG_DFL);
284 signal(SIGTTOU, SIG_DFL);
285
>>> CID 702134: Use of untrusted string value (TAINTED_STRING)
>>> Passing tainted string "argv[0]" to "execvp(char const *, char * const
>>> *)", which cannot accept tainted data.
>>> Reviewer note: duplicate report of the same execvp() call at line 286
>>> (once for "*argv", once for "argv[0]"); both are the same intentional
>>> exec of the user-supplied command and should be triaged together.
286 error = execvp(argv[0], argv);
287 if (error == -1)
288 err(EX_UNAVAILABLE, "exec()");
289 }
290
291 if (sigprocmask(SIG_BLOCK, &signals.sa_mask, NULL) == -1)
________________________________________________________________________________________________________
*** CID 980273: Logically dead code (DEADCODE)
/sys/dev/pci/ubsec.c: 1016 in ubsec_newsession()
1010 return (EINVAL);
1011 encini = c;
1012 } else
1013 return (EINVAL);
1014 }
1015 if (encini == NULL && macini == NULL)
>>> CID 980273: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "return 22;".
1016 return (EINVAL);
1017
1018 if (encini && encini->cri_alg == CRYPTO_AES_CBC) {
1019 switch (encini->cri_klen) {
1020 case 128:
1021 case 192:
________________________________________________________________________________________________________
*** CID 980274: Logically dead code (DEADCODE)
/sys/dev/pci/ubsec.c: 1575 in ubsec_process()
1569 ubsecstats.hst_nombuf++;
1570 err = sc->sc_nqueue ? ERESTART
: ENOMEM;
1571 goto errout;
1572 }
1573 if (len == MHLEN)
1574 /*XXX was M_DUP_PKTHDR*/
>>> CID 980274: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "do {
m->M_dat.MH.MH_pkthd...".
>>> Reviewer note: dead code in mbuf header handling deserves more than a
>>> deletion. If "len" can never equal MHLEN on this path, the packet header
>>> is never copied into the new chain, so check whether the condition at
>>> 1573 was meant to identify the first mbuf of the chain rather than to
>>> compare lengths; fix the condition if so, and only remove the
>>> M_COPY_PKTHDR if the header is genuinely propagated elsewhere.
1576 if (totlen >= MINCLSIZE) {
1577 MCLGET(m, M_DONTWAIT);
1578 if ((m->m_flags & M_EXT) == 0) {
1579 m_free(m);
1580 ubsecstats.hst_nomcl++;
________________________________________________________________________________________________________
*** CID 1230001: Argument cannot be negative (REVERSE_NEGATIVE)
/usr.bin/timeout/timeout.c: 271 in main()
265 sigaddset(&signals.sa_mask, signums[i]);
266
267 signals.sa_handler = sig_handler;
268 signals.sa_flags = SA_RESTART;
269
270 for (i = 0; i < sizeof(signums) / sizeof(signums[0]); i ++)
>>> CID 1230001: Argument cannot be negative (REVERSE_NEGATIVE)
>>> You might be using variable "signums[i]" before verifying that it is >=
>>> 0.
>>> Reviewer note: the test at 271 filters -1 and 0 out of signums[], but
>>> line 265 (apparently the body of an earlier loop over the same table)
>>> already passed every entry to sigaddset() with no such filter and without
>>> checking its return value, and sigaddset() fails with EINVAL on an
>>> invalid signal number. Apply the same filter in both loops, or guarantee
>>> when the table is built that it holds only valid signal numbers.
271 if (signums[i] != -1 && signums[i] != 0 &&
272 sigaction(signums[i], &signals, NULL) == -1)
273 err(EX_OSERR, "sigaction()");
274
275 signal(SIGTTIN, SIG_IGN);
276 signal(SIGTTOU, SIG_IGN);
________________________________________________________________________________________________________
*** CID 1231861: Explicit null dereferenced (FORWARD_NULL)
/sys/netinet/tcp_usrreq.c: 1226 in tcp_disconnect1()
1220 #endif
1221 else
1222 so = NULL;
1223
1224 if (TCPS_HAVEESTABLISHED(tp->t_state) == 0)
1225 tp = tcp_close(tp);
>>> CID 1231861: Explicit null dereferenced (FORWARD_NULL)
>>> Dereferencing null pointer "so".
>>> Reviewer note: "so" is set to NULL on the fall-through branch at 1222
>>> (presumably a tcpcb with neither an inpcb nor an in6pcb attached) and is
>>> then dereferenced unconditionally at 1226 and again at 1229-1230. If that
>>> branch is reachable this is a kernel NULL dereference, i.e. a panic on a
>>> socket teardown path; if it is not, replace the silent "so = NULL" with a
>>> KASSERT or panic so the invariant is explicit and the finding goes away.
1226 else if ((so->so_options & SO_LINGER) && so->so_linger == 0)
1227 tp = tcp_drop(tp, 0);
1228 else {
1229 soisdisconnecting(so);
1230 sbflush(&so->so_rcv);
1231 tp = tcp_usrclosed(tp);
________________________________________________________________________________________________________
*** CID 1231863: Dereference before null check (REVERSE_INULL)
/sys/kern/uipc_usrreq.c: 1316 in unp_disconnect1()
1310 if (unp2->unp_refs == unp)
1311 unp2->unp_refs = unp->unp_nextref;
1312 else {
1313 unp2 = unp2->unp_refs;
1314 for (;;) {
1315 KASSERT(solocked2(so,
unp2->unp_socket));
>>> CID 1231863: Dereference before null check (REVERSE_INULL)
>>> Null-checking "unp2" suggests that it may be null, but it has already
>>> been dereferenced on all paths leading to the check.
>>> Reviewer note: the KASSERT at 1315 reads unp2->unp_socket before the
>>> NULL test at 1316, so on a kernel with KASSERT enabled (DIAGNOSTIC) a
>>> truncated or corrupted refs list faults inside the assertion instead of
>>> reaching the intended panic("unp_disconnect1"). Move the NULL test above
>>> the KASSERT, and compare against NULL rather than 0 for a pointer.
1316 if (unp2 == 0)
1317 panic("unp_disconnect1");
1318 if (unp2->unp_nextref == unp)
1319 break;
1320 unp2 = unp2->unp_nextref;
1321 }
________________________________________________________________________________________________________
*** CID 1231864: Dereference before null check (REVERSE_INULL)
/sys/netbt/hci_socket.c: 425 in hci_send_pcb()
419
420 return 0;
421
422 bad:
423 DPRINTF("packet (%d bytes) not sent (error %d)\n",
424 m->m_pkthdr.len, err);
>>> CID 1231864: Dereference before null check (REVERSE_INULL)
>>> Null-checking "m" suggests that it may be null, but it has already been
>>> dereferenced on all paths leading to the check.
>>> Reviewer note: the DPRINTF at 423-424 reads m->m_pkthdr.len before the
>>> "if (m)" at 425. Either m can never be NULL at "bad:", in which case the
>>> guard is dead and should go, or it can, in which case debug builds fault
>>> in the print before reaching it; decide which invariant holds and, if m
>>> may be NULL, move the test above the DPRINTF. m_freem() tolerates a NULL
>>> argument on NetBSD (confirm against uipc_mbuf.c), so the guard around the
>>> free itself should be unnecessary either way.
425 if (m) m_freem(m);
426 return err;
427 }
428
429 static int
430 hci_attach(struct socket *so, int proto)
________________________________________________________________________________________________________
*** CID 1231865: Buffer not null terminated (BUFFER_SIZE_WARNING)
/usr.sbin/sysinst/net.c: 267 in get_ifconfig_info()
261 isdigit((unsigned char)buf[len]))
262 break;
263 }
264 if (*ignore != NULL)
265 continue;
266
>>> CID 1231865: Buffer not null terminated (BUFFER_SIZE_WARNING)
>>> Calling strncpy with a maximum size argument of 255 bytes on
>>> destination array "(devs + i).if_dev" of size 255 bytes might leave the
>>> destination string unterminated.
>>> Reviewer note: genuine. strncpy() with the full size stops without a
>>> terminator once an interface name reaches STRSIZE bytes, and any later
>>> string operation on if_dev can then read past the end of the field. Use
>>> strlcpy(devs[i].if_dev, buf, sizeof(devs[i].if_dev)), which is native on
>>> NetBSD and always terminates. The strcpy(devs[i].if_dev, "\0") at 270 is
>>> just devs[i].if_dev[0] = '\0' and reads more clearly written that way.
267 strncpy (devs[i].if_dev, buf, STRSIZE);
268 i++;
269 }
270 strcpy(devs[i].if_dev, "\0");
271
272 free(buf);
________________________________________________________________________________________________________
*** CID 1231866: Unchecked return value (CHECKED_RETURN)
/usr.sbin/sysinst/main.c: 393 in toplevel()
387 {
388 /*
389 * Undo any stateful side-effects of previous menu choices.
390 * XXX must be idempotent, since we get run each time the main
391 * menu is displayed.
392 */
>>> CID 1231866: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "chdir(getenv("HOME"))".
>>> Reviewer note: getenv("HOME") may return NULL (chdir(NULL) then fails
>>> with EFAULT) and chdir() itself may fail, after which sysinst silently
>>> keeps whatever working directory it had, which any later relative-path
>>> operation would use. At minimum check the result; given the comment
>>> above says this runs on every return to the main menu, a failure is
>>> worth a warning rather than being ignored.
393 chdir(getenv("HOME"));
394 unwind_mounts();
395
396 /* Display banner message in (english, francais, deutsch..) */
397 msg_display(MSG_hello);
398 msg_display_add(MSG_md_hello);
________________________________________________________________________________________________________
*** CID 1231867: Unchecked return value (CHECKED_RETURN)
/usr.sbin/sysinst/partman.c: 2600 in pm_upddevlist()
2594 changed = 0;
2595 /* Mark all devices as not found */
2596 SLIST_FOREACH(pm_i, &pm_head, l)
2597 if (pm_i->found > 0)
2598 pm_i->found = 0;
2599 /* Detect all present devices */
>>> CID 1231867: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "find_disks("partman")".
2600 find_disks("partman");
2601 pm_lvm_find();
2602 pm_clean();
2603
2604 if (m == NULL || arg == NULL)
2605 return -1;
________________________________________________________________________________________________________
*** CID 1231868: Unchecked return value from library (CHECKED_RETURN)
/usr.sbin/sysinst/util.c: 1108 in get_and_unpack_sets()
1102 if (set_status[SET_BASE] & SET_INSTALLED)
1103 run_makedev();
1104
1105 if (!update) {
1106 struct stat sb1, sb2;
1107
>>> CID 1231868: Unchecked return value from library (CHECKED_RETURN)
>>> No check of the return value of "stat(target_expand("/"), &sb1)".
>>> Reviewer note: sb1 and sb2 are uninitialised automatics (1106), so when
>>> either stat() fails the st_dev comparison at 1111 reads indeterminate
>>> memory (undefined behaviour) and the decision to write
>>> "random_file=/etc/entropy-file" into rc.conf becomes arbitrary. Check
>>> both return values and choose an explicit fallback (treat failure as
>>> "same device", or abort this step reporting errno).
1108 stat(target_expand("/"), &sb1);
1109 stat(target_expand("/var"), &sb2);
1110
1111 if (sb1.st_dev != sb2.st_dev) {
1112 add_rc_conf("random_file=/etc/entropy-file\n");
1113 if (target_file_exists_p("/boot.cfg")) {
/usr.sbin/sysinst/util.c: 1109 in get_and_unpack_sets()
1103 run_makedev();
1104
1105 if (!update) {
1106 struct stat sb1, sb2;
1107
1108 stat(target_expand("/"), &sb1);
>>> CID 1231868: Unchecked return value from library (CHECKED_RETURN)
>>> No check of the return value of "stat(target_expand("/var"), &sb2)".
>>> Reviewer note: same finding as for line 1108: sb2 is an uninitialised
>>> automatic (1106), so a failed stat() leaves sb2.st_dev indeterminate
>>> and the comparison at 1111 is undefined. Check the return value and
>>> handle failure explicitly rather than letting it decide the rc.conf
>>> entropy-file setting.
1109 stat(target_expand("/var"), &sb2);
1110
1111 if (sb1.st_dev != sb2.st_dev) {
1112 add_rc_conf("random_file=/etc/entropy-file\n");
1113 if (target_file_exists_p("/boot.cfg")) {
1114 run_program(RUN_CHROOT|RUN_FATAL,
________________________________________________________________________________________________________
*** CID 1231871: Same on both sides (CONSTANT_EXPRESSION_RESULT)
/usr.sbin/sysinst/partman.c: 1739 in pm_wedges_fill()
1733 int i, current;
1734
1735 for (i = 0; i < MAX_WEDGES; i++)
1736 if (wedges[i].pm == pm_cur && ! wedges[i].allocated)
1737 wedges[i].pm = NULL;
1738
>>> CID 1231871: Same on both sides (CONSTANT_EXPRESSION_RESULT)
>>> The expression "i < 16 && i < 16" does not accomplish anything because
>>> it evaluates to either of its identical operands, "i < 16". Did you intend
>>> the operands to be different?
>>> Reviewer note: MAXPARTITIONS (disklabel) and MAX_WEDGES (sysinst's wedge
>>> table) appear to be independent constants that merely coincide at 16 on
>>> this build, so the doubled bound is not a bug in itself. The loop only
>>> indexes bsdlabel[i], though, so "i < MAXPARTITIONS" is the bound that
>>> matters; wedge-table capacity is already enforced by the
>>> pm_wedge_getfree() < 0 check below. Simplify to the single bound.
1739 for (i = 0; i < MAXPARTITIONS && i < MAX_WEDGES; i++)
1740 if (pm_cur->bsdlabel[i].pi_fstype != FS_UNUSED) {
1741 current = pm_wedge_getfree();
1742 if (current < 0) {
1743 process_menu(MENU_ok,
deconst(MSG_limitcount));
1744 return;
________________________________________________________________________________________________________
*** CID 1231872: Explicit null dereferenced (FORWARD_NULL)
/usr.sbin/sysinst/disks.c: 1387 in get_dkwedges()
1381 dkwl.dkwl_buf = *dkw;
1382 dkwl.dkwl_bufsize = bufsize;
1383 }
1384 }
1385
1386 if (dkwl.dkwl_nwedges > 0)
>>> CID 1231872: Explicit null dereferenced (FORWARD_NULL)
>>> Passing null pointer "*dkw" to function "qsort(void *, size_t, size_t,
>>> int (*)(void const *, void const *))", which dereferences it.
>>> Reviewer note: the analyzer found a path on which *dkw was never
>>> allocated (or the allocation failed) while dkwl.dkwl_nwedges is still
>>> non-zero, so the sort runs over a NULL buffer. Guard the qsort with
>>> "*dkw != NULL" as well, or better, return an error when the allocation
>>> fails rather than reporting a wedge count with no data behind it.
1387 qsort(*dkw, dkwl.dkwl_nwedges, sizeof(**dkw),
get_dkwedges_sort);
1388
1389 close(fd);
1390 return dkwl.dkwl_nwedges;
1391 }
1392
________________________________________________________________________________________________________
*** CID 1231873: Explicit null dereferenced (FORWARD_NULL)
/usr.sbin/sysinst/partman.c: 2417 in pm_submenu()
2411 default:
2412 break;
2413 }
2414
2415 switch (((part_entry_t *)arg)[m->cursel].type) {
2416 case PM_DISK_T:
>>> CID 1231873: Explicit null dereferenced (FORWARD_NULL)
>>> Dereferencing null pointer "pm_cur".
>>> Reviewer note: pm_cur is apparently a file-scope pointer set elsewhere,
>>> and the analyzer found a path into this menu callback on which it is
>>> still NULL when a PM_DISK_T entry is selected (the same applies at 2427
>>> below). Either select pm_cur from the chosen entry before the switch at
>>> 2415, or guard with an explicit "if (pm_cur == NULL)" early return in the
>>> menu's usual error convention so a stale selection cannot crash the
>>> installer.
2417 if (pm_cur->gpt) {
2418 process_menu(MENU_pmgptentry,
&part_num);
2419 pm_wedges_fill(pm_cur);
2420 } else
2421 process_menu(MENU_pmdiskentry,
&part_num);
2422 break;
/usr.sbin/sysinst/partman.c: 2427 in pm_submenu()
2421 process_menu(MENU_pmdiskentry,
&part_num);
2422 break;
2423 case PM_WEDGE_T:
2424 case PM_PART_T:
2425 part_num = ((part_entry_t
*)arg)[m->cursel].dev_num;
2426 process_menu(MENU_pmpartentry, &part_num);
>>> CID 1231873: Explicit null dereferenced (FORWARD_NULL)
>>> Dereferencing null pointer "pm_cur".
2427 if (pm_cur->gpt)
2428 pm_wedges_fill(pm_cur);
2429 break;
2430 case PM_SPEC_T:
2431 part_num = 0;
2432 process_menu(MENU_pmpartentry, &part_num);
________________________________________________________________________________________________________
*** CID 1231874: Dereference null return value (NULL_RETURNS)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/sna_trapezoids.c:
3732 in composite_unaligned_boxes_inplace()
3726 struct pixman_inplace pi;
3727
3728 pi.image = image_from_pict(dst, false, &pi.dx,
&pi.dy);
3729 pi.source = image_from_pict(src, false, &pi.sx,
&pi.sy);
3730 pi.sx += src_x;
3731 pi.sy += src_y;
>>> CID 1231874: Dereference null return value (NULL_RETURNS)
>>> Assigning: "pi.mask" = null return value from
>>> "pixman_image_create_bits(pixman_format_code_t, int, int, __uint32_t *,
>>> int)".
>>> Reviewer note: pixman_image_create_bits() returns NULL on allocation
>>> failure, and pixman_image_set_repeat()/pixman_image_get_data() on the
>>> next two lines dereference it, in code that runs inside the X server.
>>> Check the result and unwind (e.g. RegionUninit(&clip) and return, as the
>>> neighbouring error paths do). CIDs 1231875-1231877 are the same pattern
>>> in the same file; this is vendored xf86-video-intel code under dist/, so
>>> fix it upstream and carry the patch rather than editing in place.
3732 pi.mask = pixman_image_create_bits(PIXMAN_a8,
1, 1, &pi.color, 4);
3733 pixman_image_set_repeat(pi.mask,
PIXMAN_REPEAT_NORMAL);
3734 pi.bits = pixman_image_get_data(pi.mask);
3735 pi.op = op;
3736
3737 count = REGION_NUM_RECTS(&clip);
________________________________________________________________________________________________________
*** CID 1231875: Dereference null return value (NULL_RETURNS)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/sna_trapezoids.c:
3493 in composite_unaligned_boxes_inplace__solid()
3487 MOVE_WRITE |
MOVE_READ)) {
3488 RegionUninit(&clip);
3489 continue;
3490 }
3491
3492 pi.image = image_from_pict(dst, false, &pi.dx, &pi.dy);
>>> CID 1231875: Dereference null return value (NULL_RETURNS)
>>> Assigning: "pi.source" = null return value from
>>> "pixman_image_create_bits(pixman_format_code_t, int, int, __uint32_t *,
>>> int)".
3493 pi.source = pixman_image_create_bits(PIXMAN_a8r8g8b8,
1, 1, NULL, 0);
3494 pixman_image_set_repeat(pi.source,
PIXMAN_REPEAT_NORMAL);
3495 pi.bits = pixman_image_get_data(pi.source);
3496 pi.color = color;
3497 pi.op = op;
3498
________________________________________________________________________________________________________
*** CID 1231876: Dereference null return value (NULL_RETURNS)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/sna_trapezoids.c:
5663 in inplace_x8r8g8b8_thread()
5657
5658 pi.image = image_from_pict(thread->dst, false, &pi.dx,
&pi.dy);
5659 pi.op = thread->op;
5660 pi.color = thread->color;
5661
5662 pi.bits = (uint32_t *)&pi.sx;
>>> CID 1231876: Dereference null return value (NULL_RETURNS)
>>> Assigning: "pi.source" = null return value from
>>> "pixman_image_create_bits(pixman_format_code_t, int, int, __uint32_t *,
>>> int)".
5663 pi.source = pixman_image_create_bits(PIXMAN_a8r8g8b8,
5664 1, 1, pi.bits, 0);
5665 pixman_image_set_repeat(pi.source,
PIXMAN_REPEAT_NORMAL);
5666
5667 if (clip->data)
5668 span = pixmask_span_solid__clipped;
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/sna_trapezoids.c:
5683 in inplace_x8r8g8b8_thread()
5677 struct pixman_inplace pi;
5678
5679 pi.image = image_from_pict(thread->dst, false, &pi.dx,
&pi.dy);
5680 pi.source = image_from_pict(thread->src, false, &pi.sx,
&pi.sy);
5681 pi.sx += thread->src_x -
pixman_fixed_to_int(thread->traps[0].left.p1.x);
5682 pi.sy += thread->src_y -
pixman_fixed_to_int(thread->traps[0].left.p1.y);
>>> CID 1231876: Dereference null return value (NULL_RETURNS)
>>> Assigning: "pi.mask" = null return value from
>>> "pixman_image_create_bits(pixman_format_code_t, int, int, __uint32_t *,
>>> int)".
5683 pi.mask = pixman_image_create_bits(PIXMAN_a8, 1, 1,
NULL, 0);
5684 pixman_image_set_repeat(pi.mask, PIXMAN_REPEAT_NORMAL);
5685 pi.bits = pixman_image_get_data(pi.mask);
5686 pi.op = thread->op;
5687
5688 if (clip->data)
________________________________________________________________________________________________________
*** CID 1231877: Dereference null return value (NULL_RETURNS)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/sna_trapezoids.c:
3620 in rectilinear_inplace_thread()
3614 pi.dy = thread->dy;
3615
3616 pi.source = thread->src;
3617 pi.sx = thread->sx;
3618 pi.sy = thread->sy;
3619
>>> CID 1231877: Dereference null return value (NULL_RETURNS)
>>> Assigning: "pi.mask" = null return value from
>>> "pixman_image_create_bits(pixman_format_code_t, int, int, __uint32_t *,
>>> int)".
3620 pi.mask = pixman_image_create_bits(PIXMAN_a8, 1, 1, &pi.color,
4);
3621 pixman_image_set_repeat(pi.mask, PIXMAN_REPEAT_NORMAL);
3622 pi.bits = pixman_image_get_data(pi.mask);
3623 pi.op = thread->op;
3624
3625 count = region_count(thread->clip);
________________________________________________________________________________________________________
*** CID 1231878: Dereference null return value (NULL_RETURNS)
/sbin/gpt/migrate.c: 428 in migrate()
422 hdr->hdr_crc_self = htole32(crc32(hdr, le32toh(hdr->hdr_size)));
423
424 gpt_write(fd, lbt);
425 gpt_write(fd, tpg);
426
427 map = map_find(MAP_TYPE_MBR);
>>> CID 1231878: Dereference null return value (NULL_RETURNS)
>>> Dereferencing a null pointer "map".
>>> Reviewer note: map_find(MAP_TYPE_MBR) is never checked for NULL, and by
>>> the time it is called the new GPT header and tables have already been
>>> written (gpt_write at 424-425), so if no MBR map is present the tool
>>> crashes with the disk half-migrated. Look the MBR map up, and check it,
>>> before any gpt_write so the operation fails cleanly: "if ((map =
>>> map_find(MAP_TYPE_MBR)) == NULL) { warnx(...); return; }".
428 mbr = map->map_data;
429 /*
430 * Turn the MBR into a Protective MBR.
431 */
432 bzero(mbr->mbr_part, sizeof(mbr->mbr_part));
433 mbr->mbr_part[0].part_shd = 0x00;
________________________________________________________________________________________________________
*** CID 1231879: Out-of-bounds write (OVERRUN)
/external/bsd/ekermit/dist/kermit.c: 1304 in gattr()
1298 aln = xunchar(*s++); /* Length of attribute string
*/
1299 switch (c) {
1300 case '!': /* File length in K */
1301 case '"': /* File type */
1302 for (i = 0; (i < aln) && (i < SIZEBUFL); i++) /* Copy it */
1303 sizebuf[i] = *s++;
>>> CID 1231879: Out-of-bounds write (OVERRUN)
>>> Overrunning array "sizebuf" of 32 bytes at byte offset 32 using index
>>> "i" (which evaluates to 32).
>>> Reviewer note: genuine one-byte overflow, and "aln" is read off the wire
>>> via xunchar(*s++) at 1298, so the peer controls it. When aln >= SIZEBUFL
>>> the loop at 1302 exits with i == SIZEBUFL and 1304 writes the terminator
>>> one past the end of sizebuf. Bound the copy at SIZEBUFL - 1, i.e.
>>> "(i < aln) && (i < SIZEBUFL - 1)", so the terminator stays inside the
>>> array; the "s += (aln - i)" skip at 1305 remains correct.
1304 sizebuf[i] = '\0'; /* Terminate with null */
1305 if (i < aln) s += (aln - i); /* If field was too long for
buffer */
1306 if (c == '!') { /* Length */
1307 fsizek = stringnum(sizebuf,k); /* Convert to number */
1308 } else { /* Type */
1309 if (sizebuf[0] == 'A') /* Text */
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
http://scan.coverity.com/projects/1449?tab=overview
To unsubscribe from the email notification for new defects,
http://scan5.coverity.com/cgi-bin/unsubscribe.py