New Defects reported by Coverity Scan for NetBSD-amd64-user
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
34 new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
57 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 34 defect(s)
** CID 483259: (UNINIT)
/crypto/external/bsd/openssl/dist/crypto/cms/cms_pwri.c: 93 in CMS_add0_recipient_password()
/crypto/external/bsd/openssl/dist/crypto/cms/cms_pwri.c: 93 in CMS_add0_recipient_password()
________________________________________________________________________________________________________
*** CID 483259: (UNINIT)
/crypto/external/bsd/openssl/dist/crypto/cms/cms_pwri.c: 93 in CMS_add0_recipient_password()
87 ossl_ssize_t passlen,
88 const EVP_CIPHER *kekciph)
89 {
90 CMS_RecipientInfo *ri = NULL;
91 CMS_EnvelopedData *env;
92 CMS_PasswordRecipientInfo *pwri;
>>> CID 483259: (UNINIT)
>>> Declaring variable "ctx" without initializer.
93 EVP_CIPHER_CTX ctx;
94 X509_ALGOR *encalg = NULL;
95 unsigned char iv[EVP_MAX_IV_LENGTH];
96 int ivlen;
97
98 env = cms_get0_enveloped(cms);
/crypto/external/bsd/openssl/dist/crypto/cms/cms_pwri.c: 93 in CMS_add0_recipient_password()
87 ossl_ssize_t passlen,
88 const EVP_CIPHER *kekciph)
89 {
90 CMS_RecipientInfo *ri = NULL;
91 CMS_EnvelopedData *env;
92 CMS_PasswordRecipientInfo *pwri;
>>> CID 483259: (UNINIT)
>>> Declaring variable "ctx" without initializer.
93 EVP_CIPHER_CTX ctx;
94 X509_ALGOR *encalg = NULL;
95 unsigned char iv[EVP_MAX_IV_LENGTH];
96 int ivlen;
97
98 env = cms_get0_enveloped(cms);
** CID 609228: (TOCTOU)
/usr.bin/ftp/fetch.c: 1528 in fetch_url()
/usr.bin/ftp/fetch.c: 1530 in fetch_url()
/usr.bin/ftp/fetch.c: 1695 in fetch_url()
________________________________________________________________________________________________________
*** CID 609228: (TOCTOU)
/usr.bin/ftp/fetch.c: 1528 in fetch_url()
1522 if (pi.rangestart != restart_point) {
1523 warnx(
1524 "Size of `%s' differs from save file `%s'",
1525 url, savefile);
1526 goto cleanup_fetch_url;
1527 }
>>> CID 609228: (TOCTOU)
>>> Calling function "fopen" that uses "savefile" after a check function. This can cause a time-of-check, time-of-use race condition.
1528 fout = fopen(savefile, "a");
1529 } else
1530 fout = fopen(savefile, "w");
1531 if (fout == NULL) {
1532 warn("Can't open `%s'", savefile);
1533 goto cleanup_fetch_url;
/usr.bin/ftp/fetch.c: 1530 in fetch_url()
1524 "Size of `%s' differs from save file `%s'",
1525 url, savefile);
1526 goto cleanup_fetch_url;
1527 }
1528 fout = fopen(savefile, "a");
1529 } else
>>> CID 609228: (TOCTOU)
>>> Calling function "fopen" that uses "savefile" after a check function. This can cause a time-of-check, time-of-use race condition.
1530 fout = fopen(savefile, "w");
1531 if (fout == NULL) {
1532 warn("Can't open `%s'", savefile);
1533 goto cleanup_fetch_url;
1534 }
1535 closefunc = fclose;
/usr.bin/ftp/fetch.c: 1695 in fetch_url()
1689 (void)gettimeofday(&tval[0], NULL);
1690 tval[1].tv_sec = mtime;
1691 tval[1].tv_usec = 0;
1692 (*closefunc)(fout);
1693 fout = NULL;
1694
>>> CID 609228: (TOCTOU)
>>> Calling function "utimes" that uses "savefile" after a check function. This can cause a time-of-check, time-of-use race condition.
1695 if (utimes(savefile, tval) == -1) {
1696 fprintf(ttyout,
1697 "Can't change modification time to %s",
1698 rfc2822time(localtime(&mtime)));
1699 }
1700 }
** CID 978809: Memory - illegal accesses (STRING_NULL)
/usr.bin/fstat/misc.c: 210 in p_rnd()
________________________________________________________________________________________________________
*** CID 978809: Memory - illegal accesses (STRING_NULL)
/usr.bin/fstat/misc.c: 210 in p_rnd()
204 if (!KVM_READ(ctx.rc_cprng, &str, sizeof(str))) {
205 dprintf("can't read cprng_strong at %p for pid %d", f->f_data,\
206 Pid);
207 return 0;
208 }
209 snprintb(buf, sizeof(buf), CPRNG_FMT, str.cs_flags);
>>> CID 978809: Memory - illegal accesses (STRING_NULL)
>>> Passing unterminated string "str.cs_name" to "printf".
210 (void)printf("* rnd \"%s\" flags %s\n", str.cs_name, buf);
211 return 0;
212 }
213
214 static int
215 p_kqueue(struct file *f)
** CID 1018455: Error handling issues (CHECKED_RETURN)
/lib/libc/net/getaddrinfo.c: 901 in set_source()
________________________________________________________________________________________________________
*** CID 1018455: Error handling issues (CHECKED_RETURN)
/lib/libc/net/getaddrinfo.c: 901 in set_source()
895 ai.ai_socktype = SOCK_DGRAM;
896 ai.ai_protocol = IPPROTO_UDP; /* is UDP too specific? */
897 ai.ai_next = NULL;
898 memset(&ss, 0, sizeof(ss));
899 memcpy(&ss, ai.ai_addr, ai.ai_addrlen);
900 ai.ai_addr = (struct sockaddr *)&ss;
>>> CID 1018455: Error handling issues (CHECKED_RETURN)
>>> Calling "get_port" without checking return value (as is done elsewhere 5 out of 6 times).
901 get_port(&ai, "1", 0, svd);
902
903 /* open a socket to get the source address for the given dst */
904 if ((s = socket(ai.ai_family, ai.ai_socktype | SOCK_CLOEXEC,
905 ai.ai_protocol)) < 0)
906 return; /* give up */
** CID 1199823: (RESOURCE_LEAK)
/crypto/external/bsd/openssl/dist/crypto/bn/bntest.c: 997 in test_mod_exp()
/crypto/external/bsd/openssl/dist/crypto/bn/bntest.c: 988 in test_mod_exp()
________________________________________________________________________________________________________
*** CID 1199823: (RESOURCE_LEAK)
/crypto/external/bsd/openssl/dist/crypto/bn/bntest.c: 997 in test_mod_exp()
991 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
992 for (i = 0; i < num2; i++) {
993 BN_bntest_rand(a, 20 + i * 5, 0, 0);
994 BN_bntest_rand(b, 2 + i, 0, 0);
995
996 if (!BN_mod_exp(d, a, b, c, ctx))
>>> CID 1199823: (RESOURCE_LEAK)
>>> Variable "b" going out of scope leaks the storage it points to.
997 return (0);
998
999 if (bp != NULL) {
1000 if (!results) {
1001 BN_print(bp, a);
1002 BIO_puts(bp, " ^ ");
/crypto/external/bsd/openssl/dist/crypto/bn/bntest.c: 988 in test_mod_exp()
982
983 BN_one(a);
984 BN_one(b);
985 BN_zero(c);
986 if (BN_mod_exp(d, a, b, c, ctx)) {
987 fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
>>> CID 1199823: (RESOURCE_LEAK)
>>> Variable "b" going out of scope leaks the storage it points to.
988 return 0;
989 }
990
991 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
992 for (i = 0; i < num2; i++) {
993 BN_bntest_rand(a, 20 + i * 5, 0, 0);
** CID 1199824: (RESOURCE_LEAK)
/crypto/external/bsd/openssl/dist/crypto/bn/bntest.c: 997 in test_mod_exp()
/crypto/external/bsd/openssl/dist/crypto/bn/bntest.c: 988 in test_mod_exp()
________________________________________________________________________________________________________
*** CID 1199824: (RESOURCE_LEAK)
/crypto/external/bsd/openssl/dist/crypto/bn/bntest.c: 997 in test_mod_exp()
991 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
992 for (i = 0; i < num2; i++) {
993 BN_bntest_rand(a, 20 + i * 5, 0, 0);
994 BN_bntest_rand(b, 2 + i, 0, 0);
995
996 if (!BN_mod_exp(d, a, b, c, ctx))
>>> CID 1199824: (RESOURCE_LEAK)
>>> Variable "a" going out of scope leaks the storage it points to.
997 return (0);
998
999 if (bp != NULL) {
1000 if (!results) {
1001 BN_print(bp, a);
1002 BIO_puts(bp, " ^ ");
/crypto/external/bsd/openssl/dist/crypto/bn/bntest.c: 988 in test_mod_exp()
982
983 BN_one(a);
984 BN_one(b);
985 BN_zero(c);
986 if (BN_mod_exp(d, a, b, c, ctx)) {
987 fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
>>> CID 1199824: (RESOURCE_LEAK)
>>> Variable "a" going out of scope leaks the storage it points to.
988 return 0;
989 }
990
991 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
992 for (i = 0; i < num2; i++) {
993 BN_bntest_rand(a, 20 + i * 5, 0, 0);
** CID 1257465: (TAINTED_STRING)
/external/bsd/mdocml/dist/main.c: 1016 in spawn_pager()
/external/bsd/mdocml/dist/main.c: 1016 in spawn_pager()
________________________________________________________________________________________________________
*** CID 1257465: (TAINTED_STRING)
/external/bsd/mdocml/dist/main.c: 1016 in spawn_pager()
1010 break;
1011 }
1012 argv[argc] = NULL;
1013
1014 /* Hand over to the pager. */
1015
>>> CID 1257465: (TAINTED_STRING)
>>> Passing tainted string "argv[0]" to "execvp", which cannot accept tainted data.
1016 execvp(argv[0], argv);
1017 fprintf(stderr, "%s: exec: %s\n",
1018 progname, strerror(errno));
1019 exit((int)MANDOCLEVEL_SYSERR);
/external/bsd/mdocml/dist/main.c: 1016 in spawn_pager()
1010 break;
1011 }
1012 argv[argc] = NULL;
1013
1014 /* Hand over to the pager. */
1015
>>> CID 1257465: (TAINTED_STRING)
>>> Passing tainted string "argv" to "execvp", which cannot accept tainted data.
1016 execvp(argv[0], argv);
1017 fprintf(stderr, "%s: exec: %s\n",
1018 progname, strerror(errno));
1019 exit((int)MANDOCLEVEL_SYSERR);
** CID 1257467: Null pointer dereferences (REVERSE_INULL)
/external/bsd/mdocml/dist/read.c: 823 in mparse_open()
________________________________________________________________________________________________________
*** CID 1257467: Null pointer dereferences (REVERSE_INULL)
/external/bsd/mdocml/dist/read.c: 823 in mparse_open()
817 cp = NULL;
818
819 /* Before forking, make sure the file can be read. */
820
821 save_errno = errno;
822 if (access(file, R_OK) == -1) {
>>> CID 1257467: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "cp" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
823 if (cp != NULL)
824 errno = save_errno;
825 free(cp);
826 *fd = -1;
827 curp->child = 0;
828 mandoc_msg(MANDOCERR_FILE, curp, 0, 0, strerror(errno));
** CID 1257471: Null pointer dereferences (FORWARD_NULL)
/external/bsd/mdocml/dist/eqn.c: 994 in eqn_parse()
________________________________________________________________________________________________________
*** CID 1257471: Null pointer dereferences (FORWARD_NULL)
/external/bsd/mdocml/dist/eqn.c: 994 in eqn_parse()
988 parent = parent->parent;
989 if (EQN_TOK_BRACE_CLOSE == tok && parent &&
990 (parent->type == EQN_PILE ||
991 parent->type == EQN_MATRIX))
992 parent = parent->parent;
993 /* Close out any "singleton" lists. */
>>> CID 1257471: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "parent".
994 while (parent->type == EQN_LISTONE &&
995 parent->args == parent->expectargs)
996 parent = parent->parent;
997 break;
998 case (EQN_TOK_BRACE_OPEN):
999 case (EQN_TOK_LEFT):
** CID 1257473: Null pointer dereferences (FORWARD_NULL)
/external/bsd/mdocml/dist/man_macro.c: 251 in rew_scope()
________________________________________________________________________________________________________
*** CID 1257473: Null pointer dereferences (FORWARD_NULL)
/external/bsd/mdocml/dist/man_macro.c: 251 in rew_scope()
245 static void
246 rew_scope(enum man_type type, struct man *man, enum mant tok)
247 {
248 struct man_node *n;
249 enum rew c;
250
>>> CID 1257473: Null pointer dereferences (FORWARD_NULL)
>>> Comparing "n" to null implies that "n" might be null.
251 for (n = man->last; n; n = n->parent) {
252 /*
253 * Whether we should stop immediately (REW_HALT), stop
254 * and rewind until this point (REW_REWIND), or keep
255 * rewinding (REW_NOHALT).
256 */
** CID 1288934: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1288934: Memory - illegal accesses (USE_AFTER_FREE)
/external/bsd/mdocml/dist/mdoc_validate.c: 906 in post_fo()
900 }
901 if (n->child != n->last) {
902 mandoc_vmsg(MANDOCERR_ARG_EXCESS, mdoc->parse,
903 n->child->next->line, n->child->next->pos,
904 "Fo ... %s", n->child->next->string);
905 while (n->child != n->last)
>>> CID 1288934: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "mdoc_node_delete" dereferences freed pointer "n->last".
906 mdoc_node_delete(mdoc, n->last);
907 }
908
909 post_fname(mdoc);
910 }
911
** CID 1288941: Incorrect expression (SIZEOF_MISMATCH)
/external/bsd/mdocml/dist/term.c: 360 in term_fontpush()
________________________________________________________________________________________________________
*** CID 1288941: Incorrect expression (SIZEOF_MISMATCH)
/external/bsd/mdocml/dist/term.c: 360 in term_fontpush()
354 term_fontpush(struct termp *p, enum termfont f)
355 {
356
357 p->fontl = p->fontq[p->fonti];
358 if (++p->fonti == p->fontsz) {
359 p->fontsz += 8;
>>> CID 1288941: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "p->fontq" of type "enum termfont *" and argument "8UL /* sizeof (enum termfont *) */" to function "mandoc_reallocarray" is suspicious.
360 p->fontq = mandoc_reallocarray(p->fontq,
361 p->fontsz, sizeof(enum termfont *));
362 }
363 p->fontq[p->fonti] = f;
364 }
365
** CID 1288947: (RESOURCE_LEAK)
/external/bsd/mdocml/dist/read.c: 534 in mparse_buf_r()
/external/bsd/mdocml/dist/read.c: 615 in mparse_buf_r()
________________________________________________________________________________________________________
*** CID 1288947: (RESOURCE_LEAK)
/external/bsd/mdocml/dist/read.c: 534 in mparse_buf_r()
528 continue;
529 case ROFF_SO:
530 if ( ! (curp->options & MPARSE_SO) &&
531 (i >= blk.sz || blk.buf[i] == '\0')) {
532 curp->sodest = mandoc_strdup(ln.buf + of);
533 free(ln.buf);
>>> CID 1288947: (RESOURCE_LEAK)
>>> Handle variable "fd" going out of scope leaks the handle.
534 return;
535 }
536 /*
537 * We remove `so' clauses from our lookaside
538 * buffer because we're going to descend into
539 * the file recursively.
/external/bsd/mdocml/dist/read.c: 615 in mparse_buf_r()
609 /* Start the next input line. */
610
611 pos = 0;
612 }
613
614 free(ln.buf);
>>> CID 1288947: (RESOURCE_LEAK)
>>> Handle variable "fd" going out of scope leaks the handle.
615 }
616
617 static int
618 read_whole_file(struct mparse *curp, const char *file, int fd,
619 struct buf *fb, int *with_mmap)
620 {
** CID 1288958: Null pointer dereferences (FORWARD_NULL)
/external/bsd/mdocml/dist/mdoc_validate.c: 1467 in post_bl()
________________________________________________________________________________________________________
*** CID 1288958: Null pointer dereferences (FORWARD_NULL)
/external/bsd/mdocml/dist/mdoc_validate.c: 1467 in post_bl()
1461 if (0 == --nbody->nchild) {
1462 nbody->child = NULL;
1463 nbody->last = NULL;
1464 assert(NULL == nnext);
1465 } else {
1466 nbody->child = nnext;
>>> CID 1288958: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "nnext".
1467 nnext->prev = NULL;
1468 }
1469
1470 /*
1471 * Relink this child.
1472 */
** CID 1288962: Control flow issues (DEADCODE)
/external/bsd/mdocml/dist/eqn.c: 383 in eqn_next()
________________________________________________________________________________________________________
*** CID 1288962: Control flow issues (DEADCODE)
/external/bsd/mdocml/dist/eqn.c: 383 in eqn_next()
377 lim = 0;
378 ep->rew = ep->cur;
379 again:
380 /* Prevent self-definitions. */
381
382 if (lim >= EQN_NEST_MAX) {
>>> CID 1288962: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "mandoc_msg(MANDOCERR_ROFFLO...".
383 mandoc_msg(MANDOCERR_ROFFLOOP, ep->parse,
384 ep->eqn.ln, ep->eqn.pos, NULL);
385 return(NULL);
386 }
387
388 ep->cur = ep->rew;
** CID 1338177: Null pointer dereferences (FORWARD_NULL)
/crypto/external/bsd/openssl/dist/crypto/srp/srp_vfy.c: 651 in SRP_create_verifier_BN()
________________________________________________________________________________________________________
*** CID 1338177: Null pointer dereferences (FORWARD_NULL)
/crypto/external/bsd/openssl/dist/crypto/srp/srp_vfy.c: 651 in SRP_create_verifier_BN()
645 srp_bn_print(*verifier);
646
647 result = 1;
648 *salt = salttmp;
649
650 err:
>>> CID 1338177: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "salt".
651 if (*salt != salttmp)
652 BN_clear_free(salttmp);
653 BN_clear_free(x);
654 BN_CTX_free(bn_ctx);
655 return result;
656 }
657
** CID 1338195: (TAINTED_SCALAR)
/crypto/external/bsd/openssl/dist/apps/spkac.c: 250 in spkac_main()
/crypto/external/bsd/openssl/dist/apps/spkac.c: 250 in spkac_main()
________________________________________________________________________________________________________
*** CID 1338195: (TAINTED_SCALAR)
/crypto/external/bsd/openssl/dist/apps/spkac.c: 250 in spkac_main()
244 if (!i) {
245 BIO_printf(bio_err, "Error parsing config file\n");
246 ERR_print_errors(bio_err);
247 goto end;
248 }
249
>>> CID 1338195: (TAINTED_SCALAR)
>>> Assigning: "spkstr" = "NCONF_get_string", which taints "spkstr".
250 spkstr = NCONF_get_string(conf, spksect, spkac);
251
252 if (!spkstr) {
253 BIO_printf(bio_err, "Can't find SPKAC called \"%s\"\n", spkac);
254 ERR_print_errors(bio_err);
255 goto end;
/crypto/external/bsd/openssl/dist/apps/spkac.c: 250 in spkac_main()
244 if (!i) {
245 BIO_printf(bio_err, "Error parsing config file\n");
246 ERR_print_errors(bio_err);
247 goto end;
248 }
249
>>> CID 1338195: (TAINTED_SCALAR)
>>> Assigning: "spkstr" = "NCONF_get_string", which taints "spkstr".
250 spkstr = NCONF_get_string(conf, spksect, spkac);
251
252 if (!spkstr) {
253 BIO_printf(bio_err, "Can't find SPKAC called \"%s\"\n", spkac);
254 ERR_print_errors(bio_err);
255 goto end;
** CID 1338226: Control flow issues (DEADCODE)
/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_ameth.c: 335 in dsa_priv_encode()
________________________________________________________________________________________________________
*** CID 1338226: Control flow issues (DEADCODE)
/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_ameth.c: 335 in dsa_priv_encode()
329 err:
330 if (dp != NULL)
331 OPENSSL_free(dp);
332 if (params != NULL)
333 ASN1_STRING_free(params);
334 if (prkey != NULL)
>>> CID 1338226: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "ASN1_STRING_clear_free(prkey);".
335 ASN1_STRING_clear_free(prkey);
336 return 0;
337 }
338
339 static int int_dsa_size(const EVP_PKEY *pkey)
340 {
** CID 1341627: Control flow issues (MISSING_BREAK)
/crypto/external/bsd/openssl/dist/ssl/d1_clnt.c: 307 in dtls1_connect()
________________________________________________________________________________________________________
*** CID 1341627: Control flow issues (MISSING_BREAK)
/crypto/external/bsd/openssl/dist/ssl/d1_clnt.c: 307 in dtls1_connect()
301 case SSL3_ST_CW_CLNT_HELLO_A:
302 s->shutdown = 0;
303
304 /* every DTLS ClientHello resets Finished MAC */
305 ssl3_init_finished_mac(s);
306
>>> CID 1341627: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
307 case SSL3_ST_CW_CLNT_HELLO_B:
308 dtls1_start_timer(s);
309 ret = dtls1_client_hello(s);
310 if (ret <= 0)
311 goto end;
312
** CID 1347189: Null pointer dereferences (NULL_RETURNS)
/sys/dev/raidframe/rf_netbsdkintf.c: 721 in raid_dumpblocks()
________________________________________________________________________________________________________
*** CID 1347189: Null pointer dereferences (NULL_RETURNS)
/sys/dev/raidframe/rf_netbsdkintf.c: 721 in raid_dumpblocks()
715 error = EINVAL;
716 goto out;
717 }
718
719 bdev = bdevsw_lookup(raidPtr->Disks[dumpto].dev);
720
>>> CID 1347189: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a null pointer "bdev".
721 error = (*bdev->d_dump)(raidPtr->Disks[dumpto].dev,
722 blkno, va, nblk);
723
724 out:
725 raidunlock(rs);
726
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-amd64-user?tab=overview
To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://scan.coverity.com/subscriptions/edit?email=coverity-updates%40netbsd.org&token=487286ca1a9a4f4bd485d16f66b5e782