Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-i386-user
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
5 new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)
** CID 978595: (REVERSE_NEGATIVE)
/sbin/fsck_lfs/segwrite.c: 521 in lfs_update_single()
/sbin/fsck_lfs/segwrite.c: 536 in lfs_update_single()
________________________________________________________________________________________________________
*** CID 978595: (REVERSE_NEGATIVE)
/sbin/fsck_lfs/segwrite.c: 521 in lfs_update_single()
515 /*
516 * Update segment usage information, based on old size
517 * and location.
518 */
519 if (daddr > 0) {
520 u_int32_t oldsn = lfs_dtosn(fs, daddr);
>>> CID 978595: (REVERSE_NEGATIVE)
>>> You might be using variable "lbn" before verifying that it is >= 0.
521 if (lbn >= 0 && lbn < ULFS_NDADDR)
522 osize = ip->i_lfs_fragsize[lbn];
523 else
524 osize = lfs_sb_getbsize(fs);
525 LFS_SEGENTRY(sup, fs, oldsn, bp);
526 sup->su_nbytes -= osize;
/sbin/fsck_lfs/segwrite.c: 536 in lfs_update_single()
530 }
531 /*
532 * Now that this block has a new address, and its old
533 * segment no longer owns it, we can forget about its
534 * old size.
535 */
>>> CID 978595: (REVERSE_NEGATIVE)
>>> You might be using variable "lbn" before verifying that it is >= 0.
536 if (lbn >= 0 && lbn < ULFS_NDADDR)
537 ip->i_lfs_fragsize[lbn] = size;
538 }
539
540 /*
541 * Update the metadata that points to the blocks listed in the FINFO
** CID 1327233: Error handling issues (CHECKED_RETURN)
/sys/rump/librump/rumpkern/rump_syscalls.c: 6420 in rump___sysimpl_clock_nanosleep()
________________________________________________________________________________________________________
*** CID 1327233: Error handling issues (CHECKED_RETURN)
/sys/rump/librump/rumpkern/rump_syscalls.c: 6420 in rump___sysimpl_clock_nanosleep()
6414 memset(&callarg, 0, sizeof(callarg));
6415 SPARG(&callarg, clock_id) = clock_id;
6416 SPARG(&callarg, flags) = flags;
6417 SPARG(&callarg, rqtp) = rqtp;
6418 SPARG(&callarg, rmtp) = rmtp;
6419
>>> CID 1327233: Error handling issues (CHECKED_RETURN)
>>> Calling "rumpclient_syscall" without checking return value (as is done elsewhere 25 out of 26 times).
6420 rsys_syscall(SYS_clock_nanosleep, &callarg, sizeof(callarg), retval);
6421 if (sizeof(int) > sizeof(register_t))
6422 rv = *(int *)retval;
6423 else
6424 rv = *retval;
6425 return rv;
** CID 1327234: Memory - illegal accesses (OVERRUN)
________________________________________________________________________________________________________
*** CID 1327234: Memory - illegal accesses (OVERRUN)
/external/mit/lua/dist/src/lvm.c: 121 in luaV_tointeger()
115 if (ttisinteger(obj)) {
116 UNUSED(mode);
117 #endif
118 *p = ivalue(obj);
119 return 1;
120 }
>>> CID 1327234: Memory - illegal accesses (OVERRUN)
>>> Overrunning array of 16 bytes at byte offset 16 by dereferencing pointer "(char const *)((char *)&((union GCUnion *)obj->value_.gc)->ts + 16U)".
121 else if (cvt2num(obj) &&
122 luaO_str2num(svalue(obj), &v) == vslen(obj) + 1) {
123 obj = &v;
124 goto again; /* convert result from 'luaO_str2num' to an integer */
125 }
126 return 0; /* conversion failed */
** CID 1327235: (RESOURCE_LEAK)
/usr.bin/make/var.c: 4087 in Var_Subst()
/usr.bin/make/var.c: 4096 in Var_Subst()
________________________________________________________________________________________________________
*** CID 1327235: (RESOURCE_LEAK)
/usr.bin/make/var.c: 4087 in Var_Subst()
4081 str += length;
4082
4083 /*
4084 * Copy all the characters from the variable value straight
4085 * into the new string.
4086 */
>>> CID 1327235: (RESOURCE_LEAK)
>>> Overwriting "length" in "length = strlen(val)" leaks the storage that "length" points to.
4087 length = strlen(val);
4088 Buf_AddBytes(&buf, length, val);
4089 trailingBslash = length > 0 && val[length - 1] == '\\';
4090 }
4091 free(freeIt);
4092 freeIt = NULL;
/usr.bin/make/var.c: 4096 in Var_Subst()
4090 }
4091 free(freeIt);
4092 freeIt = NULL;
4093 }
4094 }
4095
>>> CID 1327235: (RESOURCE_LEAK)
>>> Variable "length" going out of scope leaks the storage it points to.
4096 return Buf_DestroyCompact(&buf);
4097 }
4098
4099 /*-
4100 *-----------------------------------------------------------------------
4101 * Var_GetTail --
** CID 1327236: (RESOURCE_LEAK)
/usr.bin/make/cond.c: 846 in get_mpt_arg()
/usr.bin/make/cond.c: 835 in get_mpt_arg()
________________________________________________________________________________________________________
*** CID 1327236: (RESOURCE_LEAK)
/usr.bin/make/cond.c: 846 in get_mpt_arg()
840 val++;
841
842 /*
843 * For consistency with the other functions we can't generate the
844 * true/false here.
845 */
>>> CID 1327236: (RESOURCE_LEAK)
>>> Overwriting "length" in "length = (*val ? 2 : 1)" leaks the storage that "length" points to.
846 length = *val ? 2 : 1;
847 if (freeIt)
848 free(freeIt);
849 return length;
850 }
851
/usr.bin/make/cond.c: 835 in get_mpt_arg()
829 * we subtract one because 'length' is calculated from 'cp - 1'.
830 */
831 *linePtr = cp - 1 + length;
832
833 if (val == var_Error) {
834 free(freeIt);
>>> CID 1327236: (RESOURCE_LEAK)
>>> Variable "length" going out of scope leaks the storage it points to.
835 return -1;
836 }
837
838 /* A variable is empty when it just contains spaces... 4/15/92, christos */
839 while (isspace(*(unsigned char *)val))
840 val++;
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-i386-user?tab=overview
To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://scan.coverity.com/subscriptions/edit?email=coverity-updates%40netbsd.org&token=487286ca1a9a4f4bd485d16f66b5e782