Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-i386-user
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
11 new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
9 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 11 of 11 defect(s)
** CID 980463: Null pointer dereferences (REVERSE_INULL)
/sys/net/if_gif.c: 748 in gif_set_tunnel()
________________________________________________________________________________________________________
*** CID 980463: Null pointer dereferences (REVERSE_INULL)
/sys/net/if_gif.c: 748 in gif_set_tunnel()
742
743 if (osrc)
744 sockaddr_free(osrc);
745 if (odst)
746 sockaddr_free(odst);
747
>>> CID 980463: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "sc->gif_psrc" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
748 if (sc->gif_psrc && sc->gif_pdst)
749 ifp->if_flags |= IFF_RUNNING;
750 else
751 ifp->if_flags &= ~IFF_RUNNING;
752 splx(s);
753
** CID 1175322: Concurrent data access violations (MISSING_LOCK)
/home/phil/cov/xsrc/external/mit/MesaLib/dist/src/gallium/drivers/nouveau/nouveau_screen.c: 151 in nouveau_screen_init()
________________________________________________________________________________________________________
*** CID 1175322: Concurrent data access violations (MISSING_LOCK)
/home/phil/cov/xsrc/external/mit/MesaLib/dist/src/gallium/drivers/nouveau/nouveau_screen.c: 151 in nouveau_screen_init()
145 nouveau_mesa_debug = atoi(nv_dbg);
146
147 /*
148 * this is initialized to 1 in nouveau_drm_screen_create after screen
149 * is fully constructed and added to the global screen list.
150 */
>>> CID 1175322: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "screen->refcount" without holding lock "nouveau_screen_mutex". Elsewhere, "nouveau_screen.refcount" is accessed with "nouveau_screen_mutex" held 3 out of 4 times (1 of these accesses strongly imply that it is necessary).
151 screen->refcount = -1;
152
153 if (dev->chipset < 0xc0) {
154 data = &nv04_data;
155 size = sizeof(nv04_data);
156 } else {
** CID 1338513: Error handling issues (CHECKED_RETURN)
/lib/libc/rpc/rpc_soc.c: 258 in svc_com_create()
________________________________________________________________________________________________________
*** CID 1338513: Error handling issues (CHECKED_RETURN)
/lib/libc/rpc/rpc_soc.c: 258 in svc_com_create()
252 madefd = TRUE;
253 }
254
255 memset(&sccsin, 0, sizeof sccsin);
256 sccsin.sin_family = AF_INET;
257 (void)bindresvport(fd, &sccsin);
>>> CID 1338513: Error handling issues (CHECKED_RETURN)
>>> Calling "rump_sys_listen" without checking return value (as is done elsewhere 8 out of 9 times).
258 listen(fd, SOMAXCONN);
259 svc = svc_tli_create(fd, nconf, NULL, sendsize, recvsize);
260 (void) freenetconfigent(nconf);
261 if (svc == NULL) {
262 if (madefd)
263 (void) close(fd);
** CID 1338514: Null pointer dereferences (FORWARD_NULL)
/usr.sbin/rpcbind/rpcb_svc_com.c: 1101 in my_svc_run()
________________________________________________________________________________________________________
*** CID 1338514: Null pointer dereferences (FORWARD_NULL)
/usr.sbin/rpcbind/rpcb_svc_com.c: 1101 in my_svc_run()
1095 pollfds = realloc(pollfds, npollfds * sizeof(*pollfds));
1096 }
1097 p = pollfds;
1098 m = *svc_fdset_getmax();
1099 for (n = 0; n <= m; n++) {
1100 if (svc_fdset_isset(n)) {
>>> CID 1338514: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "p".
1101 p->fd = n;
1102 p->events = MASKVAL;
1103 p++;
1104 }
1105 }
1106 nfds = p - pollfds;
** CID 1338515: Null pointer dereferences (FORWARD_NULL)
/lib/libc/rpc/svc_run.c: 168 in svc_run_poll()
________________________________________________________________________________________________________
*** CID 1338515: Null pointer dereferences (FORWARD_NULL)
/lib/libc/rpc/svc_run.c: 168 in svc_run_poll()
162 pfd = svc_pollfd_copy(svc_pollfd_get());
163 if (pfd == NULL) {
164 warn("can't get pollfd");
165 goto out;
166 }
167 } else
>>> CID 1338515: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "pfd" to "memcpy", which dereferences it.
168 memcpy(pfd, svc_pollfd_get(), *maxfd * sizeof(*pfd));
169
170 rwlock_unlock(&svc_fd_lock);
171
172 switch ((i = poll(pfd, *maxfd, 30 * 1000))) {
173 case -1:
** CID 1338516: Control flow issues (MISSING_BREAK)
/tests/lib/libc/rpc/t_rpc.c: 185 in regtest()
________________________________________________________________________________________________________
*** CID 1338516: Control flow issues (MISSING_BREAK)
/tests/lib/libc/rpc/t_rpc.c: 185 in regtest()
179 ERRX(EXIT_FAILURE, "Can't not create server %d", num);
180
181 switch ((pid = fork())) {
182 case 0:
183 DPRINTF("Calling svc_run\n");
184 svc_run();
>>> CID 1338516: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
185 case -1:
186 ERRX(EXIT_FAILURE, "Fork failed (%s)", strerror(errno));
187 default:
188 sleep(1);
189 break;
190 }
** CID 1338517: Error handling issues (NEGATIVE_RETURNS)
/lib/libc/rpc/svc_fdset.c: 437 in svc_pollfd_copy()
________________________________________________________________________________________________________
*** CID 1338517: Error handling issues (NEGATIVE_RETURNS)
/lib/libc/rpc/svc_fdset.c: 437 in svc_pollfd_copy()
431 }
432
433 struct pollfd *
434 svc_pollfd_copy(const struct pollfd *orig)
435 {
436 int size = svc_fdset_getsize(0);
>>> CID 1338517: Error handling issues (NEGATIVE_RETURNS)
>>> "size" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
437 struct pollfd *copy = calloc(size, sizeof(*orig));
438 if (copy == NULL)
439 return NULL;
440 if (orig)
441 memcpy(copy, orig, size * sizeof(*orig));
442 return copy;
** CID 1338518: Integer handling issues (NEGATIVE_RETURNS)
/lib/libc/rpc/svc_raw.c: 116 in _svc_raw_create()
________________________________________________________________________________________________________
*** CID 1338518: Integer handling issues (NEGATIVE_RETURNS)
/lib/libc/rpc/svc_raw.c: 116 in _svc_raw_create()
110 __rpc_rawcombuf = malloc(UDPMSGSIZE);
111 if (__rpc_rawcombuf == NULL)
112 goto out;
113 srp->raw_buf = __rpc_rawcombuf; /* Share it with the client */
114 svc_raw_private = srp;
115 }
>>> CID 1338518: Integer handling issues (NEGATIVE_RETURNS)
>>> Assigning: "srp->server.xp_fd" = a negative value.
116 srp->server.xp_fd = -1;
117 srp->server.xp_port = 0;
118 srp->server.xp_p3 = NULL;
119 svc_raw_ops(&srp->server);
120 srp->server.xp_verf.oa_base = srp->verf_body;
121 xdrmem_create(&srp->xdr_stream, srp->raw_buf, UDPMSGSIZE, XDR_DECODE);
** CID 1338519: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________
*** CID 1338519: Integer handling issues (NEGATIVE_RETURNS)
/lib/libc/rpc/clnt_raw.c: 200 in clnt_raw_call()
194 (void)XDR_GETPOS(xdrs); /* called just to cause overhead */
195
196 /*
197 * We have to call server input routine here because this is
198 * all going on in one process. Yuk.
199 */
>>> CID 1338519: Integer handling issues (NEGATIVE_RETURNS)
>>> Passing negative constant "-1" to a parameter that cannot be negative.
200 svc_getreq_common(-1);
201
202 /*
203 * get results
204 */
205 xdrs->x_op = XDR_DECODE;
** CID 1338520: Null pointer dereferences (NULL_RETURNS)
/lib/libc/rpc/svc_fdset.c: 326 in svc_fdset_zero()
________________________________________________________________________________________________________
*** CID 1338520: Null pointer dereferences (NULL_RETURNS)
/lib/libc/rpc/svc_fdset.c: 326 in svc_fdset_zero()
320 void
321 svc_fdset_zero(void)
322 {
323 DPRINTF("zero");
324
325 struct svc_fdset *fds = svc_fdset_alloc(0);
>>> CID 1338520: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a null pointer "fds".
326 memset(fds->fdset, 0, fds->fdsize);
327 fds->fdmax = -1;
328
329 free(fds->fdp);
330 fds->fdp = NULL;
331 fds->fdnum = fds->fdused = 0;
** CID 1338521: Resource leaks (RESOURCE_LEAK)
/lib/libc/rpc/svc_fdset.c: 218 in svc_pollfd_add()
________________________________________________________________________________________________________
*** CID 1338521: Resource leaks (RESOURCE_LEAK)
/lib/libc/rpc/svc_fdset.c: 218 in svc_pollfd_add()
212
213 svc_pollfd_init(pfd + fds->fdnum, FD_SETSIZE);
214 pfd[fds->fdnum].fd = fd;
215 fds->fdused = fds->fdnum + 1;
216 DPRINTF("add fd=%d slot=%d fdused=%d", fd, fds->fdnum, fds->fdused);
217 fds->fdnum += FD_SETSIZE;
>>> CID 1338521: Resource leaks (RESOURCE_LEAK)
>>> Variable "pfd" going out of scope leaks the storage it points to.
218 return fds;
219 }
220
221 static struct svc_fdset *
222 svc_pollfd_del(int fd, struct svc_fdset *fds)
223 {
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-i386-user?tab=overview
To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://scan.coverity.com/subscriptions/edit?email=coverity-updates%40netbsd.org&token=487286ca1a9a4f4bd485d16f66b5e782