Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-i386-kernel
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.
3 new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)
** CID 1293640: Memory - corruptions (OVERRUN)
/sys/dev/bluetooth/btmagic.c: 1565 in btmagic_input_magict()
________________________________________________________________________________________________________
*** CID 1293640: Memory - corruptions (OVERRUN)
/sys/dev/bluetooth/btmagic.c: 1565 in btmagic_input_magict()
1559 sc->sc_nfingers--;
1560 KASSERT(sc->sc_nfingers >= 0);
1561 }
1562 break;
1563 }
1564
>>> CID 1293640: Memory - corruptions (OVERRUN)
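>>> Overrunning array "sc->sc_ax" of 16 4-byte elements (valid indices 0-15, 64 bytes in total) at element index 64 (byte offset 256) using index "id" (which evaluates to 64). The lines shown contain no bounds check on "id" before this store.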
1565 sc->sc_ax[id] = ax;
1566 sc->sc_ay[id] = ay;
1567 }
1568
1569 if (dx != 0 || dy != 0 || dz != 0 || dw != 0 || mb != sc->sc_mb) {
1570 sc->sc_mb = mb;
** CID 1293641: Memory - corruptions (OVERRUN)
/sys/dev/bluetooth/btmagic.c: 1566 in btmagic_input_magict()
________________________________________________________________________________________________________
*** CID 1293641: Memory - corruptions (OVERRUN)
/sys/dev/bluetooth/btmagic.c: 1566 in btmagic_input_magict()
1560 KASSERT(sc->sc_nfingers >= 0);
1561 }
1562 break;
1563 }
1564
1565 sc->sc_ax[id] = ax;
>>> CID 1293641: Memory - corruptions (OVERRUN)
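>>> Overrunning array "sc->sc_ay" of 16 4-byte elements (valid indices 0-15, 64 bytes in total) at element index 64 (byte offset 256) using index "id" (which evaluates to 64). This is the same "id" used for the "sc->sc_ax" store on line 1565.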
1566 sc->sc_ay[id] = ay;
1567 }
1568
1569 if (dx != 0 || dy != 0 || dz != 0 || dw != 0 || mb != sc->sc_mb) {
1570 sc->sc_mb = mb;
1571
** CID 1294556: (FORWARD_NULL)
/sys/netinet/tcp_input.c: 3919 in syn_cache_get()
/sys/netinet/tcp_input.c: 4014 in syn_cache_get()
/sys/netinet/tcp_input.c: 3994 in syn_cache_get()
/sys/netinet/tcp_input.c: 4049 in syn_cache_get()
________________________________________________________________________________________________________
*** CID 1294556: (FORWARD_NULL)
/sys/netinet/tcp_input.c: 3919 in syn_cache_get()
3913 struct socket *so, struct mbuf *m)
3914 {
3915 struct syn_cache *sc;
3916 struct syn_cache_head *scp;
3917 struct inpcb *inp = NULL;
3918 #ifdef INET6
>>> CID 1294556: (FORWARD_NULL)
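>>> Assigning: "in6p" = "NULL".
>>> Note: the events listed for this CID are this assignment and three null comparisons. In the lines shown, every use of "in6p" sits inside an "if (in6p)" guard, so the dereference this checker reports is not visible in these excerpts and has to be confirmed against the full function.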
3919 struct in6pcb *in6p = NULL;
3920 #endif
3921 struct tcpcb *tp = 0;
3922 struct mbuf *am;
3923 int s;
3924 struct socket *oso;
/sys/netinet/tcp_input.c: 4014 in syn_cache_get()
4008 }
4009 #endif
4010 break;
4011 #endif
4012 #ifdef INET6
4013 case AF_INET6:
>>> CID 1294556: (FORWARD_NULL)
>>> Comparing "in6p" to null implies that "in6p" might be null.
4014 if (in6p) {
4015 in6p->in6p_laddr = ((struct sockaddr_in6 *)dst)->sin6_addr;
4016 in6p->in6p_lport = ((struct sockaddr_in6 *)dst)->sin6_port;
4017 in6_pcbstate(in6p, IN6P_BOUND);
4018 }
4019 break;
/sys/netinet/tcp_input.c: 3994 in syn_cache_get()
3988 if (inp->inp_options == NULL) {
3989 inp->inp_options = sc->sc_ipopts;
3990 sc->sc_ipopts = NULL;
3991 }
3992 }
3993 #ifdef INET6
>>> CID 1294556: (FORWARD_NULL)
>>> Comparing "in6p" to null implies that "in6p" might be null.
3994 else if (in6p) {
3995 /* IPv4 packet to AF_INET6 socket */
3996 memset(&in6p->in6p_laddr, 0, sizeof(in6p->in6p_laddr));
3997 in6p->in6p_laddr.s6_addr16[5] = htons(0xffff);
3998 bcopy(&((struct sockaddr_in *)dst)->sin_addr,
3999 &in6p->in6p_laddr.s6_addr32[3],
/sys/netinet/tcp_input.c: 4049 in syn_cache_get()
4043 /* copy old policy into new socket's */
4044 if (ipsec_copy_pcbpolicy(sotoinpcb(oso)->inp_sp,
4045 inp->inp_sp))
4046 printf("tcp_input: could not copy policy\n");
4047 }
4048 #ifdef INET6
>>> CID 1294556: (FORWARD_NULL)
>>> Comparing "in6p" to null implies that "in6p" might be null.
4049 else if (in6p) {
4050 /* copy old policy into new socket's */
4051 if (ipsec_copy_pcbpolicy(sotoin6pcb(oso)->in6p_sp,
4052 in6p->in6p_sp))
4053 printf("tcp_input: could not copy policy\n");
4054 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/1450?tab=overview