Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-amd64-user
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
7 new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
20 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 7 of 7 defect(s)
** CID 1018734: Uninitialized variables (UNINIT)
/crypto/external/bsd/openssh/dist/packet.c: 1390 in ssh_packet_read_seqnr()
________________________________________________________________________________________________________
*** CID 1018734: Uninitialized variables (UNINIT)
/crypto/external/bsd/openssh/dist/packet.c: 1390 in ssh_packet_read_seqnr()
1384 */
1385
1386 int
1387 ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1388 {
1389 struct session_state *state = ssh->state;
>>> CID 1018734: Uninitialized variables (UNINIT)
>>> Declaring variable "ms_remain" without initializer.
1390 int len, r, ms_remain;
1391 fd_set *setp;
1392 char buf[8192];
1393 struct timeval timeout, start, *timeoutp = NULL;
1394
1395 DBG(debug("packet_read()"));
** CID 1356384: Error handling issues (CHECKED_RETURN)
/crypto/external/bsd/openssh/dist/ssh-keyscan.c: 317 in keyprint_one()
________________________________________________________________________________________________________
*** CID 1356384: Error handling issues (CHECKED_RETURN)
/crypto/external/bsd/openssh/dist/ssh-keyscan.c: 317 in keyprint_one()
311 if (hash_hosts && (host = host_hash(host, NULL, 0)) == NULL)
312 fatal("host_hash failed");
313
314 hostport = put_host_port(host, ssh_port);
315 if (!get_cert)
316 fprintf(stdout, "%s ", hostport);
>>> CID 1356384: Error handling issues (CHECKED_RETURN)
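>>> Calling "sshkey_write" without checking return value (as is done elsewhere 9 out of 10 times).
>>> [Reviewer note: in the lines shown, the host prefix is printed at line 316 before the call and the newline at line 318 after it, so a failed sshkey_write() still produces an output line with a missing or partial key. Anything that parses this output would see that line as an entry.]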
317 sshkey_write(key, stdout);
318 fputs("\n", stdout);
319 free(hostport);
320 }
321
322 static void
** CID 1356385: Control flow issues (MISSING_BREAK)
/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c: 175 in ident_i1send()
________________________________________________________________________________________________________
*** CID 1356385: Control flow issues (MISSING_BREAK)
/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c: 175 in ident_i1send()
169 plog(LLV_ERROR, LOCATION, NULL,
170 "Xauth vendor ID generation failed\n");
171 else
172 plist = isakmp_plist_append(plist,
173 vid_xauth, ISAKMP_NPTYPE_VID);
174
>>> CID 1356385: Control flow issues (MISSING_BREAK)
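>>> The above case falls through to this one.
>>> [Reviewer note: no fall-through marker is visible between lines 173 and 175. If running the Unity vendor-ID branch after the Xauth branch is intended, a /* FALLTHROUGH */ comment would document it; if not, a break is missing and the Unity vendor ID is appended for the Xauth case as well.]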
175 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
176 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
177 plog(LLV_ERROR, LOCATION, NULL,
178 "Unity vendor ID generation failed\n");
179 else
180 plist = isakmp_plist_append(plist,
** CID 1356386: (RESOURCE_LEAK)
/crypto/external/bsd/openssh/dist/sshconnect.c: 1547 in maybe_add_key_to_agent()
/crypto/external/bsd/openssh/dist/sshconnect.c: 1555 in maybe_add_key_to_agent()
________________________________________________________________________________________________________
*** CID 1356386: (RESOURCE_LEAK)
/crypto/external/bsd/openssh/dist/sshconnect.c: 1547 in maybe_add_key_to_agent()
1541 return;
1542 }
1543
1544 if (options.add_keys_to_agent == 2 &&
1545 !ask_permission("Add key %s (%s) to agent?", authfile, comment)) {
1546 debug3("user denied adding this key");
>>> CID 1356386: (RESOURCE_LEAK)
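>>> Handle variable "auth_sock" going out of scope leaks the handle.
>>> [Reviewer note: the return at line 1547 leaves the function without closing "auth_sock". Where the handle is obtained lies outside this excerpt; every exit taken after that point needs to close it.]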
1547 return;
1548 }
1549
1550 if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0,
1551 (options.add_keys_to_agent == 3))) == 0)
1552 debug("identity added to agent: %s", authfile);
1553 else
1554 debug("could not add identity to agent: %s (%d)", authfile, r);
/crypto/external/bsd/openssh/dist/sshconnect.c: 1555 in maybe_add_key_to_agent()
1549
1550 if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0,
1551 (options.add_keys_to_agent == 3))) == 0)
1552 debug("identity added to agent: %s", authfile);
1553 else
1554 debug("could not add identity to agent: %s (%d)", authfile, r);
>>> CID 1356386: (RESOURCE_LEAK)
>>> Handle variable "auth_sock" going out of scope leaks the handle.
** CID 1356387: Incorrect expression (SIZEOF_MISMATCH)
/usr.bin/infocmp/infocmp.c: 509 in use_terms()
________________________________________________________________________________________________________
*** CID 1356387: Incorrect expression (SIZEOF_MISMATCH)
/usr.bin/infocmp/infocmp.c: 509 in use_terms()
503 use_terms(TERMINAL *term, size_t nuse, char **uterms)
504 {
505 TERMINAL **terms;
506 TERMUSERDEF *ud, *tud;
507 size_t i, j, agree, absent, data;
508
>>> CID 1356387: Incorrect expression (SIZEOF_MISMATCH)
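>>> Passing argument "328UL /* sizeof (**terms) */" to function "ecalloc" and then casting the return value to "TERMINAL **" is suspicious.
>>> [Reviewer note: "terms" is declared "TERMINAL **" at line 505, so each array element is a "TERMINAL *" and the element size matching the assignment is sizeof(*terms). As written the call requests nuse elements of 328 bytes each, which over-allocates rather than under-allocates.]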
509 terms = ecalloc(nuse, sizeof(**terms));
510 for (i = 0; i < nuse; i++) {
511 if (strcmp(term->name, *uterms) == 0)
512 errx(EXIT_FAILURE, "cannot use same terminal");
513 for (j = 0; j < i; j++)
514 if (strcmp(terms[j]->name, *uterms) == 0)
** CID 1356388: Insecure data handling (TAINTED_SCALAR)
/crypto/external/bsd/openssh/dist/kex.c: 367 in kex_input_ext_info()
________________________________________________________________________________________________________
*** CID 1356388: Insecure data handling (TAINTED_SCALAR)
/crypto/external/bsd/openssh/dist/kex.c: 367 in kex_input_ext_info()
361 int r;
362
363 debug("SSH2_MSG_EXT_INFO received");
364 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
365 if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
366 return r;
>>> CID 1356388: Insecure data handling (TAINTED_SCALAR)
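>>> Using tainted variable "ninfo" as a loop boundary.
>>> [Reviewer note: "ninfo" is read from the received packet by sshpkt_get_u32() at line 365 and is not range-checked in the lines shown, so the peer chooses the iteration count. In this excerpt the loop returns as soon as sshpkt_get_cstring() fails; whether that bounds the work done per packet depends on code outside the excerpt.]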
367 for (i = 0; i < ninfo; i++) {
368 if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
369 return r;
370 if ((r = sshpkt_get_cstring(ssh, &val, NULL)) != 0) {
371 free(name);
372 return r;
** CID 1356389: Security best practices violations (TOCTOU)
/crypto/external/bsd/openssh/dist/ssh-keygen.c: 1926 in do_show_cert()
________________________________________________________________________________________________________
*** CID 1356389: Security best practices violations (TOCTOU)
/crypto/external/bsd/openssh/dist/ssh-keygen.c: 1926 in do_show_cert()
1920
1921 path = identity_file;
1922 if (strcmp(path, "-") == 0) {
1923 f = stdin;
1924 path = "(stdin)";
1925 is_stdin = 1;
>>> CID 1356389: Security best practices violations (TOCTOU)
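>>> Calling function "fopen" that uses "identity_file" after a check function. This can cause a time-of-check, time-of-use race condition.
>>> [Reviewer note: the only check visible before fopen() is strcmp(path, "-") at line 1922, which compares the path string and does not consult the filesystem; if that is the check the tool means, this is probably a false positive. The excerpt starts at line 1920, so an earlier filesystem check on "identity_file" cannot be ruled out from here.]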
1926 } else if ((f = fopen(identity_file, "r")) == NULL)
1927 fatal("fopen %s: %s", identity_file, strerror(errno));
1928
1929 while (read_keyfile_line(f, path, line, sizeof(line), &lnum) == 0) {
1930 sshkey_free(key);
1931 key = NULL;
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-amd64-user?tab=overview