Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-amd64-user



Hi,

Please find the latest report on new defect(s) found by Coverity Scan in NetBSD-amd64-user.

Coverity Scan found 6 new defect(s) introduced to NetBSD-amd64-user.
6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)


** CID 1257495:  Out-of-bounds write  (OVERRUN)
/sbin/ifconfig/parse.c: 257 in parse_linkaddr()

** CID 1257496:  Out-of-bounds access  (OVERRUN)
/sbin/routed/if.c: 779 in ifinit()

** CID 1257498:  Out-of-bounds access  (OVERRUN)
/usr.bin/netstat/if.c: 984 in fetchifs()

** CID 1257497:  Out-of-bounds access  (OVERRUN)
/usr.bin/netstat/if.c: 193 in intpr_sysctl()

** CID 1257619:  Unintended sign extension  (SIGN_EXTENSION)
/sys/compat/netbsd32/netbsd32_exec_aout.c: 435 in netbsd32_exec_aout_nomid()

** CID 1257499:  Untrusted value as argument  (TAINTED_SCALAR)
/tests/net/if/ifconf.c: 127 in main()


________________________________________________________________________________________________________
*** CID 1257495:  Out-of-bounds write  (OVERRUN)
/sbin/ifconfig/parse.c: 257 in parse_linkaddr()
251     		if (*p == '\0') {
252     			dbg_warnx("%s.%d", __func__, __LINE__);
253     			if (state != LLADDR_S_ONE_OCTET &&
254     			    state != LLADDR_S_TWO_OCTETS)
255     				return -1;
256     			dbg_warnx("%s.%d", __func__, __LINE__);
>>>     CID 1257495:  Out-of-bounds write  (OVERRUN)
>>>     Overrunning array "sdl->sdl_addr.dl_data" of 12 bytes at byte offset 119 using index "i++" (which evaluates to 119).
257     			sdl->sdl_data[i++] = octet;
258     			sdl->sdl_len = offsetof(struct sockaddr_dl, sdl_data)
259     			    + i * sizeof(sdl->sdl_data[0]);
260     			sdl->sdl_alen = i;
261     			return 0;
262     		}

________________________________________________________________________________________________________
*** CID 1257496:  Out-of-bounds access  (OVERRUN)
/sbin/routed/if.c: 779 in ifinit()
773     #ifdef sgi
774     			ifs0.int_data.odrops = ifm.ifm_data.ifi_odrops;
775     #endif
776     			sdl = (const struct sockaddr_dl *)
777     				((struct if_msghdr *)ifam + 1);
778     			/* NUL-termination by memset, above. */
>>>     CID 1257496:  Out-of-bounds access  (OVERRUN)
>>>     Overrunning array "sdl->sdl_addr.dl_data" of 12 bytes by passing it to a function which accesses it at byte offset 78 using argument "(79UL < sdl->sdl_addr.dl_nlen) ? 79UL : sdl->sdl_addr.dl_nlen" (which evaluates to 79).
779     			memcpy(ifs0.int_name, sdl->sdl_data,
780     				MIN(sizeof(ifs0.int_name) - 1, sdl->sdl_nlen));
781     			continue;
782     		}
783     		if (ifam->ifam_type != RTM_NEWADDR) {
784     			logbad(1,"ifinit: out of sync");

________________________________________________________________________________________________________
*** CID 1257498:  Out-of-bounds access  (OVERRUN)
/usr.bin/netstat/if.c: 984 in fetchifs()
978     
979     			sdl = (struct sockaddr_dl *)rti_info[RTAX_IFP];
980     			if (sdl == NULL || sdl->sdl_family != AF_LINK)
981     				continue;
982     			bzero(name, sizeof(name));
983     			if (sdl->sdl_nlen >= IFNAMSIZ)
>>>     CID 1257498:  Out-of-bounds access  (OVERRUN)
>>>     Overrunning array "sdl->sdl_addr.dl_data" of 12 bytes by passing it to a function which accesses it at byte offset 14 using argument "15UL".
984     				memcpy(name, sdl->sdl_data, IFNAMSIZ - 1);
985     			else if (sdl->sdl_nlen > 0) 
986     				memcpy(name, sdl->sdl_data, sdl->sdl_nlen);
987     
988     			if (interface != 0 && !strcmp(name, interface)) {
989     				strlcpy(ip_cur.ift_name, name,

________________________________________________________________________________________________________
*** CID 1257497:  Out-of-bounds access  (OVERRUN)
/usr.bin/netstat/if.c: 193 in intpr_sysctl()
187     			sdl = (struct sockaddr_dl *)rti_info[RTAX_IFP];
188     			if (sdl == NULL || sdl->sdl_family != AF_LINK) {
189     				continue;
190     			}
191     			bzero(name, sizeof(name));
192     			if (sdl->sdl_nlen >= IFNAMSIZ)
>>>     CID 1257497:  Out-of-bounds access  (OVERRUN)
>>>     Overrunning array "sdl->sdl_addr.dl_data" of 12 bytes by passing it to a function which accesses it at byte offset 14 using argument "15UL".
193     				memcpy(name, sdl->sdl_data, IFNAMSIZ - 1);
194     			else if (sdl->sdl_nlen > 0) 
195     				memcpy(name, sdl->sdl_data, sdl->sdl_nlen);
196     
197     			if (interface != 0 && strcmp(name, interface) != 0)
198     				continue;

________________________________________________________________________________________________________
*** CID 1257619:  Unintended sign extension  (SIGN_EXTENSION)
/sys/compat/netbsd32/netbsd32_exec_aout.c: 435 in netbsd32_exec_aout_nomid()
429     
430     	if (magic == 0) {
431     		magic = (execp->a_midmag & 0xffff);
432     		mid = MID_ZERO;
433     	}
434     
>>>     CID 1257619:  Unintended sign extension  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "mid" with type "unsigned short" (16 bits, unsigned) is promoted in "mid << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "mid << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
435     	midmag = mid << 16 | magic;
436     
437     	switch (midmag) {
438     	case (MID_ZERO << 16) | ZMAGIC:
439     		/*
440     		 * 386BSD's ZMAGIC format:

________________________________________________________________________________________________________
*** CID 1257499:  Untrusted value as argument  (TAINTED_SCALAR)
/tests/net/if/ifconf.c: 127 in main()
121     	if (strcmp(argv[1], "total") == 0) {
122     		show_number_of_entries();
123     	} else if (strcmp(argv[1], "list") == 0) {
124     		if (argc == 2)
125     			show_interfaces(0);
126     		else if (argc == 3)
>>>     CID 1257499:  Untrusted value as argument  (TAINTED_SCALAR)
>>>     Call to function "atoi(char const *)" with tainted argument "argv[2]" returns tainted data.
127     			show_interfaces(atoi(argv[2]));
128     		else
129     			help();
130     	} else
131     		help();
132     
133     	return EXIT_SUCCESS;


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit http://scan.coverity.com/projects/1449?tab=overview

To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click http://scan.coverity.com/subscriptions/edit?email=coverity-updates%40netbsd.org&token=487286ca1a9a4f4bd485d16f66b5e782 .


