Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-amd64-user
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
73 new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
81 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 73 defect(s)
** CID 274829: Null pointer dereferences (NULL_RETURNS)
/sys/rump/fs/lib/libsyspuffs/puffs_rumpglue.c: 163 in writethread()
________________________________________________________________________________________________________
*** CID 274829: Null pointer dereferences (NULL_RETURNS)
/sys/rump/fs/lib/libsyspuffs/puffs_rumpglue.c: 163 in writethread()
157 else
158 toread = off - sizeof(struct putter_hdr);
159 } while (toread);
160
161 off = 0;
162 rv = 0;
>>> CID 274829: Null pointer dereferences (NULL_RETURNS)
>>> Assigning: "fp" = null return value from "fd_getfile(unsigned int)".
163 fp = fd_getfile(pap->fpfd);
164 error = dofilewrite(pap->fpfd, fp, buf, phdr->pth_framelen,
165 &off, 0, &rv);
166 if (error == ENXIO)
167 goto out;
168 KASSERT(rv == phdr->pth_framelen);
** CID 975184: Error handling issues (CHECKED_RETURN)
/sys/dev/bluetooth/bthub.c: 124 in bthub_attach()
________________________________________________________________________________________________________
*** CID 975184: Error handling issues (CHECKED_RETURN)
/sys/dev/bluetooth/bthub.c: 124 in bthub_attach()
118 BTDEVladdr,
119 addr->b[5], addr->b[4], addr->b[3],
120 addr->b[2], addr->b[1], addr->b[0]);
121
122 aprint_normal("\n");
123
>>> CID 975184: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "pmf_device_register1(self, NULL, NULL, NULL)".
124 pmf_device_register(self, NULL, NULL);
125 }
126
127 static int
128 bthub_detach(device_t self, int flags)
129 {
** CID 975220: (CHECKED_RETURN)
/sys/rump/fs/lib/libsyspuffs/puffs_rumpglue.c: 194 in rump_syspuffs_glueinit()
/sys/rump/fs/lib/libsyspuffs/puffs_rumpglue.c: 195 in rump_syspuffs_glueinit()
________________________________________________________________________________________________________
*** CID 975220: (CHECKED_RETURN)
/sys/rump/fs/lib/libsyspuffs/puffs_rumpglue.c: 194 in rump_syspuffs_glueinit()
188
189 pap = kmem_alloc(sizeof(struct ptargs), KM_SLEEP);
190 pap->comfd = fd;
191 pap->fpfd = curlwp->l_dupfd;
192 pap->fdp = curlwp->l_proc->p_fd;
193
>>> CID 975220: (CHECKED_RETURN)
>>> No check of the return value of "kthread_create(-1, 0, NULL, readthread(void *), pap, NULL, "rputter")".
194 kthread_create(PRI_NONE, 0, NULL, readthread, pap, NULL, "rputter");
195 kthread_create(PRI_NONE, 0, NULL, writethread, pap, NULL, "wputter");
196
197 *newfd = curlwp->l_dupfd;
198 return 0;
/sys/rump/fs/lib/libsyspuffs/puffs_rumpglue.c: 195 in rump_syspuffs_glueinit()
189 pap = kmem_alloc(sizeof(struct ptargs), KM_SLEEP);
190 pap->comfd = fd;
191 pap->fpfd = curlwp->l_dupfd;
192 pap->fdp = curlwp->l_proc->p_fd;
193
194 kthread_create(PRI_NONE, 0, NULL, readthread, pap, NULL, "rputter");
>>> CID 975220: (CHECKED_RETURN)
>>> No check of the return value of "kthread_create(-1, 0, NULL, writethread(void *), pap, NULL, "wputter")".
195 kthread_create(PRI_NONE, 0, NULL, writethread, pap, NULL, "wputter");
196
197 *newfd = curlwp->l_dupfd;
198 return 0;
** CID 976055: Null pointer dereferences (FORWARD_NULL)
/common/lib/libprop/prop_object.c: 1051 in prop_object_release_emergency()
________________________________________________________________________________________________________
*** CID 976055: Null pointer dereferences (FORWARD_NULL)
/common/lib/libprop/prop_object.c: 1051 in prop_object_release_emergency()
1045 parent = po;
1046 _PROP_ATOMIC_INC32(&po->po_refcnt);
1047 }
1048 _PROP_ASSERT(parent);
1049 /* One object was just freed. */
1050 po = parent;
>>> CID 976055: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "po".
1051 (*po->po_type->pot_emergency_free)(parent);
1052 }
1053
1054 /*
1055 * prop_object_release --
1056 * Decrement the reference count on an object.
** CID 976256: Null pointer dereferences (FORWARD_NULL)
/sys/dev/dm/dm_ioctl.c: 781 in dm_table_load_ioctl()
________________________________________________________________________________________________________
*** CID 976256: Null pointer dereferences (FORWARD_NULL)
/sys/dev/dm/dm_ioctl.c: 781 in dm_table_load_ioctl()
775 DM_TABLE_PARAMS, (char **) &str);
776
777 if (SLIST_EMPTY(tbl))
778 /* insert this table to head */
779 SLIST_INSERT_HEAD(tbl, table_en, next);
780 else
>>> CID 976256: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "last_table".
781 SLIST_INSERT_AFTER(last_table, table_en, next);
782
783 /*
784 * Params string is different for every target,
785 * therfore I have to pass it to target init
786 * routine and parse parameters there.
** CID 976280: Null pointer dereferences (FORWARD_NULL)
/sys/nfs/nfs_subs.c: 1417 in nfs_enterdircache()
________________________________________________________________________________________________________
*** CID 976280: Null pointer dereferences (FORWARD_NULL)
/sys/nfs/nfs_subs.c: 1417 in nfs_enterdircache()
1411 if (np->n_dircachesize == NFS_MAXDIRCACHE) {
1412 nfs_unlinkdircache(np, TAILQ_FIRST(&np->n_dirchain));
1413 } else
1414 np->n_dircachesize++;
1415
1416 KASSERT(ndp->dc_refcnt == 1);
>>> CID 976280: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "ndhp".
1417 LIST_INSERT_HEAD(ndhp, ndp, dc_hash);
1418 TAILQ_INSERT_TAIL(&np->n_dirchain, ndp, dc_chain);
1419 ndp->dc_refcnt++;
1420 done:
1421 KASSERT(ndp->dc_refcnt > 0);
1422 NFSDC_UNLOCK(np);
** CID 976316: Null pointer dereferences (FORWARD_NULL)
/usr.sbin/npf/npftest/libnpftest/npf_table_test.c: 95 in npf_table_test()
________________________________________________________________________________________________________
*** CID 976316: Null pointer dereferences (FORWARD_NULL)
/usr.sbin/npf/npftest/libnpftest/npf_table_test.c: 95 in npf_table_test()
89
90 tblset = npf_tableset_create(3);
91 fail |= !(tblset != NULL);
92
93 /* Table ID 1, using hash table with 256 lists. */
94 t1 = npf_table_create(HASH_TID, 0, NPF_TABLE_HASH, NULL, 256);
>>> CID 976316: Null pointer dereferences (FORWARD_NULL)
>>> Comparing "t1" to null implies that "t1" might be null.
95 fail |= !(t1 != NULL);
96 error = npf_tableset_insert(tblset, t1);
97 fail |= !(error == 0);
98
99 /* Check for double-insert. */
100 error = npf_tableset_insert(tblset, t1);
** CID 976941: (NULL_RETURNS)
/external/cddl/osnet/dist/lib/libzfs/common/libzfs_dataset.c: 294 in zpool_handle()
/external/cddl/osnet/dist/lib/libzfs/common/libzfs_dataset.c: 294 in zpool_handle()
________________________________________________________________________________________________________
*** CID 976941: (NULL_RETURNS)
/external/cddl/osnet/dist/lib/libzfs/common/libzfs_dataset.c: 294 in zpool_handle()
288 {
289 char *pool_name;
290 int len;
291 zpool_handle_t *zph;
292
293 len = strcspn(zhp->zfs_name, "/@") + 1;
>>> CID 976941: (NULL_RETURNS)
>>> Assigning: "pool_name" = null return value from "zfs_alloc(libzfs_handle_t *, size_t)".
294 pool_name = zfs_alloc(zhp->zfs_hdl, len);
295 (void) strlcpy(pool_name, zhp->zfs_name, len);
296
297 zph = zpool_find_handle(zhp, pool_name, len);
298 if (zph == NULL)
299 zph = zpool_add_handle(zhp, pool_name);
/external/cddl/osnet/dist/lib/libzfs/common/libzfs_dataset.c: 294 in zpool_handle()
288 {
289 char *pool_name;
290 int len;
291 zpool_handle_t *zph;
292
293 len = strcspn(zhp->zfs_name, "/@") + 1;
>>> CID 976941: (NULL_RETURNS)
>>> Assigning: "pool_name" = null return value from "zfs_alloc(libzfs_handle_t *, size_t)".
294 pool_name = zfs_alloc(zhp->zfs_hdl, len);
295 (void) strlcpy(pool_name, zhp->zfs_name, len);
296
297 zph = zpool_find_handle(zhp, pool_name, len);
298 if (zph == NULL)
299 zph = zpool_add_handle(zhp, pool_name);
** CID 977372: Memory - corruptions (OVERRUN)
/sys/kern/kern_descrip.c: 1442 in fd_copy()
________________________________________________________________________________________________________
*** CID 977372: Memory - corruptions (OVERRUN)
/sys/kern/kern_descrip.c: 1442 in fd_copy()
1436 }
1437 KASSERT(i > NDFILE);
1438 newdt = fd_dtab_alloc(i);
1439 newfdp->fd_dt = newdt;
1440 memcpy(newdt->dt_ff, newfdp->fd_dtbuiltin.dt_ff,
1441 NDFDFILE * sizeof(fdfile_t **));
>>> CID 977372: Memory - corruptions (OVERRUN)
>>> Overrunning buffer pointed to by "&newdt->dt_ff[6]" of 160 bytes by passing it to a function which accesses it at byte offset 799 using argument "(i - 6) * 8UL" (which evaluates to 752).
1442 memset(newdt->dt_ff + NDFDFILE, 0,
1443 (i - NDFDFILE) * sizeof(fdfile_t **));
1444 }
1445 if (NDHISLOTS(i) <= NDHISLOTS(NDFILE)) {
1446 newfdp->fd_himap = newfdp->fd_dhimap;
1447 newfdp->fd_lomap = newfdp->fd_dlomap;
** CID 977374: Memory - corruptions (OVERRUN)
/sys/kern/kern_descrip.c: 1030 in fd_tryexpand()
________________________________________________________________________________________________________
*** CID 977374: Memory - corruptions (OVERRUN)
/sys/kern/kern_descrip.c: 1030 in fd_tryexpand()
1024 }
1025 return;
1026 }
1027
1028 /* Copy the existing descriptor table and zero the new portion. */
1029 i = sizeof(fdfile_t *) * oldnfiles;
>>> CID 977374: Memory - corruptions (OVERRUN)
>>> Overrunning array "dt->dt_ff" of 160 bytes by passing it to a function which accesses it at byte offset 391 using argument "i" (which evaluates to 392).
1030 memcpy(newdt->dt_ff, dt->dt_ff, i);
1031 memset((uint8_t *)newdt->dt_ff + i, 0,
1032 numfiles * sizeof(fdfile_t *) - i);
1033
1034 /*
1035 * Link old descriptor array into list to be discarded. We defer
** CID 977375: Memory - corruptions (OVERRUN)
/sys/kern/kern_descrip.c: 1030 in fd_tryexpand()
________________________________________________________________________________________________________
*** CID 977375: Memory - corruptions (OVERRUN)
/sys/kern/kern_descrip.c: 1030 in fd_tryexpand()
1024 }
1025 return;
1026 }
1027
1028 /* Copy the existing descriptor table and zero the new portion. */
1029 i = sizeof(fdfile_t *) * oldnfiles;
>>> CID 977375: Memory - corruptions (OVERRUN)
>>> Overrunning array "newdt->dt_ff" of 160 bytes by passing it to a function which accesses it at byte offset 391 using argument "i" (which evaluates to 392).
1030 memcpy(newdt->dt_ff, dt->dt_ff, i);
1031 memset((uint8_t *)newdt->dt_ff + i, 0,
1032 numfiles * sizeof(fdfile_t *) - i);
1033
1034 /*
1035 * Link old descriptor array into list to be discarded. We defer
** CID 979557: (UNINIT)
/sys/kern/vfs_syscalls.c: 4563 in do_sys_mkdirat()
/sys/kern/vfs_syscalls.c: 4547 in do_sys_mkdirat()
/sys/kern/vfs_syscalls.c: 4547 in do_sys_mkdirat()
________________________________________________________________________________________________________
*** CID 979557: (UNINIT)
/sys/kern/vfs_syscalls.c: 4563 in do_sys_mkdirat()
4557 NDINIT(&nd, CREATE, LOCKPARENT | CREATEDIR | TRYEMULROOT, pb);
4558
4559 if ((error = fd_nameiat(l, fdat, &nd)) != 0) {
4560 pathbuf_destroy(pb);
4561 return (error);
4562 }
>>> CID 979557: (UNINIT)
>>> Using uninitialized value "nd.ni_vp".
4563 vp = nd.ni_vp;
4564 if (vp != NULL) {
4565 VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
4566 if (nd.ni_dvp == vp)
4567 vrele(nd.ni_dvp);
4568 else
/sys/kern/vfs_syscalls.c: 4547 in do_sys_mkdirat()
4541 {
4542 struct proc *p = curlwp->l_proc;
4543 struct vnode *vp;
4544 struct vattr vattr;
4545 int error;
4546 struct pathbuf *pb;
>>> CID 979557: (UNINIT)
>>> Declaring variable "nd" without initializer.
4547 struct nameidata nd;
4548
4549 KASSERT(l != NULL || fdat == AT_FDCWD);
4550
4551 /* XXX bollocks, should pass in a pathbuf */
4552 error = pathbuf_maybe_copyin(path, seg, &pb);
/sys/kern/vfs_syscalls.c: 4547 in do_sys_mkdirat()
4541 {
4542 struct proc *p = curlwp->l_proc;
4543 struct vnode *vp;
4544 struct vattr vattr;
4545 int error;
4546 struct pathbuf *pb;
>>> CID 979557: (UNINIT)
>>> Declaring variable "nd" without initializer.
4547 struct nameidata nd;
4548
4549 KASSERT(l != NULL || fdat == AT_FDCWD);
4550
4551 /* XXX bollocks, should pass in a pathbuf */
4552 error = pathbuf_maybe_copyin(path, seg, &pb);
** CID 979559: (UNINIT)
/sys/kern/vfs_syscalls.c: 2216 in do_sys_mknodat()
/sys/kern/vfs_syscalls.c: 2193 in do_sys_mknodat()
/sys/kern/vfs_syscalls.c: 2193 in do_sys_mknodat()
/sys/kern/vfs_syscalls.c: 2193 in do_sys_mknodat()
/sys/kern/vfs_syscalls.c: 2193 in do_sys_mknodat()
________________________________________________________________________________________________________
*** CID 979559: (UNINIT)
/sys/kern/vfs_syscalls.c: 2216 in do_sys_mknodat()
2210 }
2211
2212 NDINIT(&nd, CREATE, LOCKPARENT | TRYEMULROOT, pb);
2213
2214 if ((error = fd_nameiat(l, fdat, &nd)) != 0)
2215 goto out;
>>> CID 979559: (UNINIT)
>>> Using uninitialized value "nd.ni_vp".
2216 vp = nd.ni_vp;
2217
2218 if (vp != NULL)
2219 error = EEXIST;
2220 else {
2221 vattr_null(&vattr);
/sys/kern/vfs_syscalls.c: 2193 in do_sys_mknodat()
2187 {
2188 struct proc *p = l->l_proc;
2189 struct vnode *vp;
2190 struct vattr vattr;
2191 int error, optype;
2192 struct pathbuf *pb;
>>> CID 979559: (UNINIT)
>>> Declaring variable "nd" without initializer.
2193 struct nameidata nd;
2194 const char *pathstring;
2195
2196 if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_MKNOD,
2197 0, NULL, NULL, NULL)) != 0)
2198 return (error);
/sys/kern/vfs_syscalls.c: 2193 in do_sys_mknodat()
2187 {
2188 struct proc *p = l->l_proc;
2189 struct vnode *vp;
2190 struct vattr vattr;
2191 int error, optype;
2192 struct pathbuf *pb;
>>> CID 979559: (UNINIT)
>>> Declaring variable "nd" without initializer.
2193 struct nameidata nd;
2194 const char *pathstring;
2195
2196 if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_MKNOD,
2197 0, NULL, NULL, NULL)) != 0)
2198 return (error);
/sys/kern/vfs_syscalls.c: 2193 in do_sys_mknodat()
2187 {
2188 struct proc *p = l->l_proc;
2189 struct vnode *vp;
2190 struct vattr vattr;
2191 int error, optype;
2192 struct pathbuf *pb;
>>> CID 979559: (UNINIT)
>>> Declaring variable "nd" without initializer.
2193 struct nameidata nd;
2194 const char *pathstring;
2195
2196 if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_MKNOD,
2197 0, NULL, NULL, NULL)) != 0)
2198 return (error);
/sys/kern/vfs_syscalls.c: 2193 in do_sys_mknodat()
2187 {
2188 struct proc *p = l->l_proc;
2189 struct vnode *vp;
2190 struct vattr vattr;
2191 int error, optype;
2192 struct pathbuf *pb;
>>> CID 979559: (UNINIT)
>>> Declaring variable "nd" without initializer.
2193 struct nameidata nd;
2194 const char *pathstring;
2195
2196 if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_MKNOD,
2197 0, NULL, NULL, NULL)) != 0)
2198 return (error);
** CID 979562: (UNINIT)
/sys/kern/vfs_syscalls.c: 4208 in do_sys_renameat()
/sys/kern/vfs_syscalls.c: 4209 in do_sys_renameat()
________________________________________________________________________________________________________
*** CID 979562: (UNINIT)
/sys/kern/vfs_syscalls.c: 4208 in do_sys_renameat()
4202 goto out2;
4203
4204 /*
4205 * Pull out the important results of the lookup, fdvp and fvp.
4206 * Of course, fvp is bogus because we're about to unlock fdvp.
4207 */
>>> CID 979562: (UNINIT)
>>> Using uninitialized value "fnd.ni_dvp".
4208 fdvp = fnd.ni_dvp;
4209 fvp = fnd.ni_vp;
4210 KASSERT(fdvp != NULL);
4211 KASSERT(fvp != NULL);
4212 KASSERT((fdvp == fvp) || (VOP_ISLOCKED(fdvp) == LK_EXCLUSIVE));
4213
/sys/kern/vfs_syscalls.c: 4209 in do_sys_renameat()
4203
4204 /*
4205 * Pull out the important results of the lookup, fdvp and fvp.
4206 * Of course, fvp is bogus because we're about to unlock fdvp.
4207 */
4208 fdvp = fnd.ni_dvp;
>>> CID 979562: (UNINIT)
>>> Using uninitialized value "fnd.ni_vp".
4209 fvp = fnd.ni_vp;
4210 KASSERT(fdvp != NULL);
4211 KASSERT(fvp != NULL);
4212 KASSERT((fdvp == fvp) || (VOP_ISLOCKED(fdvp) == LK_EXCLUSIVE));
4213
4214 /*
** CID 979563: (UNINIT)
/sys/kern/vfs_syscalls.c: 4263 in do_sys_renameat()
/sys/kern/vfs_syscalls.c: 4264 in do_sys_renameat()
________________________________________________________________________________________________________
*** CID 979563: (UNINIT)
/sys/kern/vfs_syscalls.c: 4263 in do_sys_renameat()
4257 goto abort0;
4258
4259 /*
4260 * Pull out the important results of the lookup, tdvp and tvp.
4261 * Of course, tvp is bogus because we're about to unlock tdvp.
4262 */
>>> CID 979563: (UNINIT)
>>> Using uninitialized value "tnd.ni_dvp".
4263 tdvp = tnd.ni_dvp;
4264 tvp = tnd.ni_vp;
4265 KASSERT(tdvp != NULL);
4266 KASSERT((tdvp == tvp) || (VOP_ISLOCKED(tdvp) == LK_EXCLUSIVE));
4267
4268 /*
/sys/kern/vfs_syscalls.c: 4264 in do_sys_renameat()
4258
4259 /*
4260 * Pull out the important results of the lookup, tdvp and tvp.
4261 * Of course, tvp is bogus because we're about to unlock tdvp.
4262 */
4263 tdvp = tnd.ni_dvp;
>>> CID 979563: (UNINIT)
>>> Using uninitialized value "tnd.ni_vp".
4264 tvp = tnd.ni_vp;
4265 KASSERT(tdvp != NULL);
4266 KASSERT((tdvp == tvp) || (VOP_ISLOCKED(tdvp) == LK_EXCLUSIVE));
4267
4268 /*
4269 * Make sure neither tdvp nor tvp is locked.
** CID 979565: (UNINIT)
/sys/kern/vfs_syscalls.c: 2503 in do_sys_symlinkat()
/sys/kern/vfs_syscalls.c: 2479 in do_sys_symlinkat()
/sys/kern/vfs_syscalls.c: 2479 in do_sys_symlinkat()
________________________________________________________________________________________________________
*** CID 979565: (UNINIT)
/sys/kern/vfs_syscalls.c: 2503 in do_sys_symlinkat()
2497 }
2498 ktrkuser("symlink-target", path, strlen(path));
2499
2500 NDINIT(&nd, CREATE, LOCKPARENT | TRYEMULROOT, linkpb);
2501 if ((error = fd_nameiat(l, fdat, &nd)) != 0)
2502 goto out2;
>>> CID 979565: (UNINIT)
>>> Using uninitialized value "nd.ni_vp".
2503 if (nd.ni_vp) {
2504 VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
2505 if (nd.ni_dvp == nd.ni_vp)
2506 vrele(nd.ni_dvp);
2507 else
2508 vput(nd.ni_dvp);
/sys/kern/vfs_syscalls.c: 2479 in do_sys_symlinkat()
2473 {
2474 struct proc *p = curproc;
2475 struct vattr vattr;
2476 char *path;
2477 int error;
2478 struct pathbuf *linkpb;
>>> CID 979565: (UNINIT)
>>> Declaring variable "nd" without initializer.
2479 struct nameidata nd;
2480
2481 KASSERT(l != NULL || fdat == AT_FDCWD);
2482
2483 path = PNBUF_GET();
2484 if (seg == UIO_USERSPACE) {
/sys/kern/vfs_syscalls.c: 2479 in do_sys_symlinkat()
2473 {
2474 struct proc *p = curproc;
2475 struct vattr vattr;
2476 char *path;
2477 int error;
2478 struct pathbuf *linkpb;
>>> CID 979565: (UNINIT)
>>> Declaring variable "nd" without initializer.
2479 struct nameidata nd;
2480
2481 KASSERT(l != NULL || fdat == AT_FDCWD);
2482
2483 path = PNBUF_GET();
2484 if (seg == UIO_USERSPACE) {
** CID 979566: (UNINIT)
/sys/kern/vfs_syscalls.c: 2661 in do_sys_unlinkat()
/sys/kern/vfs_syscalls.c: 2679 in do_sys_unlinkat()
/sys/kern/vfs_syscalls.c: 2643 in do_sys_unlinkat()
________________________________________________________________________________________________________
*** CID 979566: (UNINIT)
/sys/kern/vfs_syscalls.c: 2661 in do_sys_unlinkat()
2655 return ENOMEM;
2656 }
2657
2658 NDINIT(&nd, DELETE, LOCKPARENT | LOCKLEAF | TRYEMULROOT, pb);
2659 if ((error = fd_nameiat(l, fdat, &nd)) != 0)
2660 goto out;
>>> CID 979566: (UNINIT)
>>> Using uninitialized value "nd.ni_vp".
2661 vp = nd.ni_vp;
2662
2663 /*
2664 * The root of a mounted filesystem cannot be deleted.
2665 */
2666 if ((vp->v_vflag & VV_ROOT) != 0) {
/sys/kern/vfs_syscalls.c: 2679 in do_sys_unlinkat()
2673 goto abort;
2674 }
2675
2676 /*
2677 * No rmdir "." please.
2678 */
>>> CID 979566: (UNINIT)
>>> Using uninitialized value "nd.ni_dvp".
2679 if (nd.ni_dvp == vp) {
2680 error = EINVAL;
2681 goto abort;
2682 }
2683
2684 /*
/sys/kern/vfs_syscalls.c: 2643 in do_sys_unlinkat()
2637 do_sys_unlinkat(struct lwp *l, int fdat, const char *arg, int flags,
2638 enum uio_seg seg)
2639 {
2640 struct vnode *vp;
2641 int error;
2642 struct pathbuf *pb;
>>> CID 979566: (UNINIT)
>>> Declaring variable "nd" without initializer.
2643 struct nameidata nd;
2644 const char *pathstring;
2645
2646 KASSERT(l != NULL || fdat == AT_FDCWD);
2647
2648 error = pathbuf_maybe_copyin(arg, seg, &pb);
** CID 980724: Error handling issues (CHECKED_RETURN)
/sys/kern/subr_autoconf.c: 1506 in config_add_attrib_dict()
________________________________________________________________________________________________________
*** CID 980724: Error handling issues (CHECKED_RETURN)
/sys/kern/subr_autoconf.c: 1506 in config_add_attrib_dict()
1500 prop_dictionary_set_cstring_nocopy(loc_dict,
1501 "loc-name", ci->ci_locdesc[j].cld_name);
1502 if (ci->ci_locdesc[j].cld_defaultstr != NULL)
1503 prop_dictionary_set_cstring_nocopy(
1504 loc_dict, "default",
1505 ci->ci_locdesc[j].cld_defaultstr);
>>> CID 980724: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "prop_array_set(loc_array, j, loc_dict)".
1506 prop_array_set(loc_array, j, loc_dict);
1507 prop_object_release(loc_dict);
1508 }
1509 prop_dictionary_set_and_rel(attr_dict, "locators",
1510 loc_array);
1511 }
** CID 980725: Error handling issues (CHECKED_RETURN)
/sys/rump/librump/rumpkern/rump_syscalls.c: 4890 in rump___sysimpl_posix_fadvise50()
________________________________________________________________________________________________________
*** CID 980725: Error handling issues (CHECKED_RETURN)
/sys/rump/librump/rumpkern/rump_syscalls.c: 4890 in rump___sysimpl_posix_fadvise50()
4884 SPARG(&callarg, fd) = fd;
4885 SPARG(&callarg, PAD) = 0;
4886 SPARG(&callarg, offset) = offset;
4887 SPARG(&callarg, len) = len;
4888 SPARG(&callarg, advice) = advice;
4889
>>> CID 980725: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "rumpclient_syscall(416, &callarg, 40UL, retval)".
4890 rsys_syscall(SYS___posix_fadvise50, &callarg, sizeof(callarg), retval);
4891 if (sizeof(int) > sizeof(register_t))
4892 rv = *(int *)retval;
4893 else
4894 rv = *retval;
4895 return rv;
** CID 980762: Null pointer dereferences (FORWARD_NULL)
/sbin/ifconfig/parse.c: 691 in pkw_match()
________________________________________________________________________________________________________
*** CID 980762: Null pointer dereferences (FORWARD_NULL)
/sbin/ifconfig/parse.c: 691 in pkw_match()
685 goto err;
686 break;
687 default:
688 errx(EXIT_FAILURE, "unknown keyword type %d", k->k_type);
689 }
690
>>> CID 980762: Null pointer dereferences (FORWARD_NULL)
>>> Comparing "o" to null implies that "o" might be null.
691 if (match_setenv(im, om, (o == NULL) ? NULL : k->k_key, o) == -1)
692 return -1;
693
694 om->m_argidx = argidx;
695 om->m_parser = p;
696 om->m_nextparser = k->k_nextparser;
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/1449?tab=overview