Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-i386-user



Hi,

Please find the latest report on new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.

14 new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
21 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 14 of 14 defect(s)


** CID 1306283:  Insecure data handling  (TAINTED_SCALAR)
/crypto/external/bsd/openssl/dist/apps/asn1pars.c: 387 in do_generate()


________________________________________________________________________________________________________
*** CID 1306283:  Insecure data handling  (TAINTED_SCALAR)
/crypto/external/bsd/openssl/dist/apps/asn1pars.c: 387 in do_generate()
381     
382         if (genconf) {
383             cnf = NCONF_new(NULL);
384             if (!NCONF_load(cnf, genconf, &errline))
385                 goto conferr;
386             if (!genstr)
>>>     CID 1306283:  Insecure data handling  (TAINTED_SCALAR)
>>>     Assigning: "genstr" = "NCONF_get_string", which taints "genstr".
387                 genstr = NCONF_get_string(cnf, "default", "asn1");
388             if (!genstr) {
389                 BIO_printf(bio, "Can't find 'asn1' in '%s'\n", genconf);
390                 goto err;
391             }
392         }

** CID 1306282:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1306282:  Insecure data handling  (TAINTED_SCALAR)
/usr.sbin/installboot/installboot.c: 242 in main()
236     
237     	if (argc >= 3) {
238     		params->stage2 = argv[2];
239     	}
240     
241     #if !HAVE_NBTOOL_CONFIG_H
>>>     CID 1306282:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "argv[0]" to a tainted sink.
242     	special = getfsspecname(specname, sizeof(specname), argv[0]);
243     	raw = getdiskrawname(rawname, sizeof(rawname), special);
244     	if (raw != NULL)
245     		special = raw;
246     	params->filesystem = special;
247     #else

** CID 1306281:  Null pointer dereferences  (NULL_RETURNS)
/usr.sbin/installboot/installboot.c: 242 in main()


________________________________________________________________________________________________________
*** CID 1306281:  Null pointer dereferences  (NULL_RETURNS)
/usr.sbin/installboot/installboot.c: 242 in main()
236     
237     	if (argc >= 3) {
238     		params->stage2 = argv[2];
239     	}
240     
241     #if !HAVE_NBTOOL_CONFIG_H
>>>     CID 1306281:  Null pointer dereferences  (NULL_RETURNS)
>>>     Assigning: "special" = null return value from "getfsspecname".
242     	special = getfsspecname(specname, sizeof(specname), argv[0]);
243     	raw = getdiskrawname(rawname, sizeof(rawname), special);
244     	if (raw != NULL)
245     		special = raw;
246     	params->filesystem = special;
247     #else

** CID 1306280:  Integer handling issues  (NEGATIVE_RETURNS)


________________________________________________________________________________________________________
*** CID 1306280:  Integer handling issues  (NEGATIVE_RETURNS)
/crypto/external/bsd/openssl/dist/crypto/hmac/hmactest.c: 209 in main()
203         }
204         if (HMAC_Update(&ctx, test[4].data, test[4].data_len)) {
205             printf("Should fail HMAC_Update with ctx not set up (test 5)\n");
206             err++;
207             goto test6;
208         }
>>>     CID 1306280:  Integer handling issues  (NEGATIVE_RETURNS)
>>>     A negative constant "-1" is passed as an argument to a parameter that cannot be negative.
209         if (HMAC_Init_ex(&ctx, test[4].key, -1, EVP_sha1(), NULL)) {
210             printf("Should fail to initialise HMAC with invalid key len(test 5)\n");
211             err++;
212             goto test6;
213         }
214         if (!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha1(), NULL)) {

** CID 1306279:  Error handling issues  (CHECKED_RETURN)
/crypto/external/bsd/openssl/dist/crypto/srp/srptest.c: 62 in run_srp()


________________________________________________________________________________________________________
*** CID 1306279:  Error handling issues  (CHECKED_RETURN)
/crypto/external/bsd/openssl/dist/crypto/srp/srptest.c: 62 in run_srp()
56         showbn("N", GN->N);
57         showbn("g", GN->g);
58         showbn("Salt", s);
59         showbn("Verifier", v);
60     
61         /* Server random */
>>>     CID 1306279:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "RAND_pseudo_bytes" without checking return value (as is done elsewhere 44 out of 55 times).
62         RAND_pseudo_bytes(rand_tmp, sizeof(rand_tmp));
63         b = BN_bin2bn(rand_tmp, sizeof(rand_tmp), NULL);
64         /* TODO - check b != 0 */
65         showbn("b", b);
66     
67         /* Server's first message */

** CID 1306278:  Error handling issues  (CHECKED_RETURN)
/crypto/external/bsd/openssl/dist/crypto/bn/divtest.c: 7 in Rand()


________________________________________________________________________________________________________
*** CID 1306278:  Error handling issues  (CHECKED_RETURN)
/crypto/external/bsd/openssl/dist/crypto/bn/divtest.c: 7 in Rand()
1     #include <openssl/bn.h>
2     #include <openssl/rand.h>
3     
4     static int Rand(void)
5     {
6         unsigned char x[2];
>>>     CID 1306278:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "RAND_pseudo_bytes" without checking return value (as is done elsewhere 44 out of 55 times).
7         RAND_pseudo_bytes(x, 2);
8         return (x[0] + 2 * x[1]);
9     }
10     
11     static void bug(const char *m, BIGNUM *a, BIGNUM *b)
12     {

** CID 1306277:  Code maintainability issues  (UNUSED_VALUE)
/sys/ddb/db_write_cmd.c: 72 in db_write_cmd()


________________________________________________________________________________________________________
*** CID 1306277:  Code maintainability issues  (UNUSED_VALUE)
/sys/ddb/db_write_cmd.c: 72 in db_write_cmd()
66     	case 'l':
67     	case '\0':
68     		size = 4;
69     		break;
70     	case 'q':
71     		if (sizeof(db_expr_t) != sizeof(uint64_t)) {
>>>     CID 1306277:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value "-1" to "size" here, but that stored value is overwritten before it can be used.
72     			size = -1;
73     			db_error("q not supported\n");
74     			/*NOTREACHED*/
75     		}
76     	case 'L':
77     		size = sizeof(db_expr_t);

** CID 1306276:  Code maintainability issues  (UNUSED_VALUE)
/sys/ufs/ufs/ufs_inode.c: 105 in ufs_inactive()


________________________________________________________________________________________________________
*** CID 1306276:  Code maintainability issues  (UNUSED_VALUE)
/sys/ufs/ufs/ufs_inode.c: 105 in ufs_inactive()
99     		goto out;
100     	if (ip->i_nlink <= 0 && (mp->mnt_flag & MNT_RDONLY) == 0) {
101     #ifdef UFS_EXTATTR
102     		ufs_extattr_vnode_inactive(vp, curlwp);
103     #endif
104     		if (ip->i_size != 0)
>>>     CID 1306276:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value from "ufs_truncate(vp, 0ULL, (kauth_cred_t)0xffffffff)" to "error" here, but that stored value is overwritten before it can be used.
105     			error = ufs_truncate(vp, 0, NOCRED);
106     #if defined(QUOTA) || defined(QUOTA2)
107     		error = UFS_WAPBL_BEGIN(mp);
108     		if (error == 0) {
109     			wapbl_locked = true;
110     			(void)chkiq(ip, -1, NOCRED, 0);

** CID 1306275:  Code maintainability issues  (UNUSED_VALUE)
/sys/ddb/db_examine.c: 106 in db_examine()


________________________________________________________________________________________________________
*** CID 1306275:  Code maintainability issues  (UNUSED_VALUE)
/sys/ddb/db_examine.c: 106 in db_examine()
100     			case 'l':	/* long-word */
101     				size = 4;
102     				width = 12;
103     				break;
104     			case 'q':
105     				if (sizeof(db_expr_t) != sizeof(uint64_t)) {
>>>     CID 1306275:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value "-1" to "size" here, but that stored value is overwritten before it can be used.
106     					size = -1;
107     					db_error("q not supported\n");
108     					/*NOTREACHED*/
109     				}
110     			case 'L':	/* implementation maximum */
111     				size = sizeof value;

** CID 1306233:  Error handling issues  (CHECKED_RETURN)
/crypto/external/bsd/heimdal/dist/kdc/pkinit.c: 269 in generate_dh_keyblock()


________________________________________________________________________________________________________
*** CID 1306233:  Error handling issues  (CHECKED_RETURN)
/crypto/external/bsd/heimdal/dist/kdc/pkinit.c: 269 in generate_dh_keyblock()
263     
264     	client_params->u.ecdh.key = EC_KEY_new();
265     	if (client_params->u.ecdh.key == NULL) {
266     	    ret = ENOMEM;
267     	    goto out;
268     	}
>>>     CID 1306233:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "EC_KEY_set_group" without checking return value (as is done elsewhere 16 out of 18 times).
269     	EC_KEY_set_group(client_params->u.ecdh.key,
270     			 EC_KEY_get0_group(client_params->u.ecdh.public_key));
271     
272     	if (EC_KEY_generate_key(client_params->u.ecdh.key) != 1) {
273     	    ret = ENOMEM;
274     	    goto out;

** CID 1306232:  Error handling issues  (CHECKED_RETURN)
/crypto/external/bsd/openssl/dist/ssl/d1_pkt.c: 1630 in do_dtls1_write()


________________________________________________________________________________________________________
*** CID 1306232:  Error handling issues  (CHECKED_RETURN)
/crypto/external/bsd/openssl/dist/ssl/d1_pkt.c: 1630 in do_dtls1_write()
1624         /* this is true regardless of mac size */
1625         wr->input = p;
1626         wr->data = p;
1627     
1628         /* ssl3_enc can only have an error on read */
1629         if (bs) {                   /* bs != 0 in case of CBC */
>>>     CID 1306232:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "RAND_pseudo_bytes" without checking return value (as is done elsewhere 44 out of 55 times).
1630             RAND_pseudo_bytes(p, bs);
1631             /*
1632              * master IV and last CBC residue stand for the rest of randomness
1633              */
1634             wr->length += bs;
1635         }

** CID 1201485:  Error handling issues  (CHECKED_RETURN)
/crypto/external/bsd/openssl/dist/engines/ccgost/gost_ameth.c: 737 in pub_encode_gost01()


________________________________________________________________________________________________________
*** CID 1201485:  Error handling issues  (CHECKED_RETURN)
/crypto/external/bsd/openssl/dist/engines/ccgost/gost_ameth.c: 737 in pub_encode_gost01()
731         if (pk->save_parameters) {
732             ASN1_STRING *params = encode_gost_algor_params(pk);
733             pval = params;
734             ptype = V_ASN1_SEQUENCE;
735         }
736         order = BN_new();
>>>     CID 1201485:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "EC_GROUP_get_order" without checking return value (as is done elsewhere 21 out of 23 times).
737         EC_GROUP_get_order(EC_KEY_get0_group(ec), order, NULL);
738         pub_key = EC_KEY_get0_public_key(ec);
739         if (!pub_key) {
740             GOSTerr(GOST_F_PUB_ENCODE_GOST01, GOST_R_PUBLIC_KEY_UNDEFINED);
741             return 0;
742         }

** CID 483290:  Error handling issues  (CHECKED_RETURN)
/crypto/external/bsd/openssl/dist/engines/ccgost/gost_sign.c: 86 in gost_do_sign()


________________________________________________________________________________________________________
*** CID 483290:  Error handling issues  (CHECKED_RETURN)
/crypto/external/bsd/openssl/dist/engines/ccgost/gost_sign.c: 86 in gost_do_sign()
80         }
81         do {
82             do {
83                 /*
84                  * Generate random number k less than q
85                  */
>>>     CID 483290:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "BN_rand_range" without checking return value (as is done elsewhere 9 out of 11 times).
86                 BN_rand_range(k, dsa->q);
87                 /* generate r = (a^x mod p) mod q */
88                 BN_mod_exp(tmp, dsa->g, k, dsa->p, ctx);
89                 if (!(newsig->r)) {
90                     newsig->r = BN_new();
91                     if(!newsig->r) {

** CID 483285:  Error handling issues  (CHECKED_RETURN)
/crypto/external/bsd/openssl/dist/engines/ccgost/gost2001_keyx.c: 45 in VKO_compute_key()


________________________________________________________________________________________________________
*** CID 483285:  Error handling issues  (CHECKED_RETURN)
/crypto/external/bsd/openssl/dist/engines/ccgost/gost2001_keyx.c: 45 in VKO_compute_key()
39         p = BN_CTX_get(ctx);
40         order = BN_CTX_get(ctx);
41         X = BN_CTX_get(ctx);
42         Y = BN_CTX_get(ctx);
43         EC_GROUP_get_order(EC_KEY_get0_group(priv_key), order, ctx);
44         BN_mod_mul(p, key, UKM, order, ctx);
>>>     CID 483285:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "EC_POINT_mul" without checking return value (as is done elsewhere 20 out of 21 times).
45         EC_POINT_mul(EC_KEY_get0_group(priv_key), pnt, NULL, pub_key, p, ctx);
46         EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(priv_key),
47                                             pnt, X, Y, ctx);
48         /*
49          * Serialize elliptic curve point same way as we do it when saving key
50          */


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/1448?tab=overview



