Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-amd64-user



Hi,

Please find the latest report on new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.

19 new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
25 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 19 of 19 defect(s)


** CID 980057:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/sys/net/if_pppoe.c: 952 in pppoe_ioctl()


________________________________________________________________________________________________________
*** CID 980057:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/sys/net/if_pppoe.c: 952 in pppoe_ioctl()
946     	break;
947     	case PPPOEGETPARMS:
948     	{
949     		struct pppoediscparms *parms = (struct pppoediscparms*)data;
950     		memset(parms, 0, sizeof *parms);
951     		if (sc->sc_eth_if)
>>>     CID 980057:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
>>>     Calling strncpy with a maximum size argument of 16 bytes on destination array "parms->ifname" of size 16 bytes might leave the destination string unterminated.
952     			strncpy(parms->ifname, sc->sc_eth_if->if_xname, IFNAMSIZ);
953     		return 0;
954     	}
955     	break;
956     	case PPPOEGETSESSION:
957     	{

** CID 980058:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/sys/net/if_spppsubr.c: 5073 in sppp_params()


________________________________________________________________________________________________________
*** CID 980058:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/sys/net/if_spppsubr.c: 5073 in sppp_params()
5067     		struct spppauthcfg *cfg = (struct spppauthcfg *)data;
5068     		int error;
5069     		size_t len;
5070     
5071     		cfg->myauthflags = sp->myauth.flags;
5072     		cfg->hisauthflags = sp->hisauth.flags;
>>>     CID 980058:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
>>>     Calling strncpy with a maximum size argument of 16 bytes on destination array "cfg->ifname" of size 16 bytes might leave the destination string unterminated.
5073     		strncpy(cfg->ifname, sp->pp_if.if_xname, IFNAMSIZ);
5074     		cfg->hisauth = 0;
5075     		if (sp->hisauth.proto)
5076     		    cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP;
5077     		cfg->myauth = 0;
5078     		if (sp->myauth.proto)

** CID 980345:  Control flow issues  (MISSING_BREAK)
/sys/net/if_spppsubr.c: 5382 in sppp_auth_type_name()


________________________________________________________________________________________________________
*** CID 980345:  Control flow issues  (MISSING_BREAK)
/sys/net/if_spppsubr.c: 5382 in sppp_auth_type_name()
5376     		switch (type) {
5377     		case CHAP_CHALLENGE:	return "challenge";
5378     		case CHAP_RESPONSE:	return "response";
5379     		case CHAP_SUCCESS:	return "success";
5380     		case CHAP_FAILURE:	return "failure";
5381     		}
>>>     CID 980345:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
5382     	case PPP_PAP:
5383     		switch (type) {
5384     		case PAP_REQ:		return "req";
5385     		case PAP_ACK:		return "ack";
5386     		case PAP_NAK:		return "nak";
5387     		}

** CID 987984:  Security best practices violations  (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/xman/dist/misc.c: 562 in Format()


________________________________________________________________________________________________________
*** CID 987984:  Security best practices violations  (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/xman/dist/misc.c: 562 in Format()
556                                        XtWindow(man_globals->standby),
557                                        Expose, &event));
558         XtDispatchEvent(&event);
559         XFlush(XtDisplay(man_globals->standby));
560     
561         strcpy(tmp, MANTEMP);       /* Get a temp file. */
>>>     CID 987984:  Security best practices violations  (SECURE_TEMP)
>>>     Calling "mkstemp" without securely setting umask first.
562         fd = mkstemp(tmp);
563         if (fd >= 0) {
564             file = fdopen(fd, "r");
565             if (file == NULL) {
566                 remove(tmp);
567                 close(fd);

** CID 987985:  Security best practices violations  (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/xman/dist/misc.c: 395 in UncompressNamed()


________________________________________________________________________________________________________
*** CID 987985:  Security best practices violations  (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/xman/dist/misc.c: 395 in UncompressNamed()
389     /*
390      * Using stdin is necessary to fool zcat since we cannot guarantee
391      * the .Z extension.
392      */
393     
394         strcpy(tmp, MANTEMP);       /* get a temp file. */
>>>     CID 987985:  Security best practices violations  (SECURE_TEMP)
>>>     Calling "mkstemp" without securely setting umask first.
395         fd = mkstemp(tmp);
396         if (fd < 0) {
397             PopupWarning(man_globals, "Error creating a temp file");
398             return FALSE;
399         }
400         *output_file = fdopen(fd, "r");

** CID 987986:  Security best practices violations  (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/xman/dist/search.c: 183 in DoSearch()


________________________________________________________________________________________________________
*** CID 987986:  Security best practices violations  (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/xman/dist/search.c: 183 in DoSearch()
177         }
178     
179         if (type == APROPOS) {
180             char label[BUFSIZ];
181     
182             strcpy(tmp, MANTEMP);   /* get a temp file. */
>>>     CID 987986:  Security best practices violations  (SECURE_TEMP)
>>>     Calling "mkstemp" without securely setting umask first.
183             fd = mkstemp(tmp);
184             if (fd < 0) {
185                 PopupWarning(man_globals, "Cant create temp file");
186                 return NULL;
187             }
188             mantmp = tmp;

** CID 1210544:  Insecure data handling  (TAINTED_SCALAR)
/sys/net/if_spppsubr.c: 2925 in sppp_ipcp_RCR()


________________________________________________________________________________________________________
*** CID 1210544:  Insecure data handling  (TAINTED_SCALAR)
/sys/net/if_spppsubr.c: 2925 in sppp_ipcp_RCR()
2919     			p[3] = hisaddr >> 16;
2920     			p[4] = hisaddr >> 8;
2921     			p[5] = hisaddr;
2922     			break;
2923     		}
2924     		/* Add the option to nak'ed list. */
>>>     CID 1210544:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "p[1]" to a tainted sink.
2925     		bcopy (p, r, p[1]);
2926     		r += p[1];
2927     		rlen += p[1];
2928     	}
2929     
2930     	/*

** CID 1299086:  Control flow issues  (DEADCODE)
/sys/net/if_spppsubr.c: 623 in sppp_input()


________________________________________________________________________________________________________
*** CID 1299086:  Control flow issues  (DEADCODE)
/sys/net/if_spppsubr.c: 623 in sppp_input()
617     		if (__predict_false(!pktq_enqueue(pktq, m, 0))) {
618     			goto drop;
619     		}
620     		return;
621     	}
622     
>>>     CID 1299086:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "s = splvm();".
623     	s = splnet();
624     	if (IF_QFULL(inq)) {
625     		/* Queue overflow. */
626     		IF_DROP(inq);
627     		splx(s);
628     		if (debug)

** CID 1299246:    (UNUSED_VALUE)
/sys/net/if_spppsubr.c: 779 in sppp_output()
/sys/net/if_spppsubr.c: 799 in sppp_output()


________________________________________________________________________________________________________
*** CID 1299246:    (UNUSED_VALUE)
/sys/net/if_spppsubr.c: 779 in sppp_output()
773     			 * below, we will however remember that we are
774     			 * not ready to carry IP packets, and return
775     			 * ENETDOWN, as opposed to ENOBUFS.
776     			 */
777     			protocol = htons(PPP_IP);
778     			if (sp->state[IDX_IPCP] != STATE_OPENED)
>>>     CID 1299246:    (UNUSED_VALUE)
>>>     Assigning value "50" to "error" here, but that stored value is overwritten before it can be used.
779     				error = ENETDOWN;
780     		}
781     		break;
782     #endif
783     #ifdef INET6
784     	case AF_INET6:   /* Internet Protocol version 6 */
/sys/net/if_spppsubr.c: 799 in sppp_output()
793     			 * below, we will however remember that we are
794     			 * not ready to carry IP packets, and return
795     			 * ENETDOWN, as opposed to ENOBUFS.
796     			 */
797     			protocol = htons(PPP_IPV6);
798     			if (sp->state[IDX_IPV6CP] != STATE_OPENED)
>>>     CID 1299246:    (UNUSED_VALUE)
>>>     Assigning value "50" to "error" here, but that stored value is overwritten before it can be used.
799     				error = ENETDOWN;
800     		}
801     		break;
802     #endif
803     	default:
804     		m_freem(m);

** CID 1358673:  Control flow issues  (DEADCODE)
/sys/net/if_bridge.c: 1788 in bridge_input()


________________________________________________________________________________________________________
*** CID 1358673:  Control flow issues  (DEADCODE)
/sys/net/if_bridge.c: 1788 in bridge_input()
1782     		BRIDGE_IFLIST_READER_FOREACH(_bif, sc) {
1783     			/* It is destined for us. */
1784     			if (bridge_ourether(_bif, eh, 0)) {
1785     				bridge_acquire_member(sc, _bif, &_psref);
1786     				BRIDGE_PSZ_REXIT(s);
1787     				if (_bif == NULL)
>>>     CID 1358673:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "goto out;".
1788     					goto out;
1789     				if (_bif->bif_flags & IFBIF_LEARNING)
1790     					(void) bridge_rtupdate(sc,
1791     					    eh->ether_shost, ifp, 0, IFBAF_DYNAMIC);
1792     				_ifp = m->m_pkthdr.rcvif = _bif->bif_ifp;
1793     				bridge_release_member(sc, _bif, &_psref);

** CID 1358674:  Control flow issues  (DEADCODE)
/lib/libedit/keymacro.c: 595 in keymacro_kprint()


________________________________________________________________________________________________________
*** CID 1358674:  Control flow issues  (DEADCODE)
/lib/libedit/keymacro.c: 595 in keymacro_kprint()
589     	char unparsbuf[EL_BUFSIZ];
590     	static const char fmt[] = "%-15s->  %s\n";
591     
592     	if (val != NULL)
593     		switch (ntype) {
594     		case XK_STR:
>>>     CID 1358674:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression ""[]"" inside this statement: "(void)keymacro__decode_str(...".
595     			(void) keymacro__decode_str(val->str, unparsbuf,
596     			    sizeof(unparsbuf),
597     			    ntype == XK_STR ? "\"\"" : "[]");
598     			(void) fprintf(el->el_outfile, fmt,
599     			    ct_encode_string(key, &el->el_scratch), unparsbuf);
600     			break;

** CID 1358675:    (DEADCODE)
/usr.sbin/makemandb/apropos-utils.c: 340 in init_db()
/usr.sbin/makemandb/apropos-utils.c: 341 in init_db()


________________________________________________________________________________________________________
*** CID 1358675:    (DEADCODE)
/usr.sbin/makemandb/apropos-utils.c: 340 in init_db()
334     		/*
335     		 * Database exists. Check if we have the permissions
336     		 * to read/write the files
337     		 */
338     		int access_mode = R_OK;
339     		switch (access_mode) {
>>>     CID 1358675:    (DEADCODE)
>>>     Execution cannot reach this statement: "case MANDB_CREATE:".
340     		case MANDB_CREATE:
341     		case MANDB_WRITE:
342     			access_mode |= W_OK;
343     			break;
344     		default:
345     			break;
/usr.sbin/makemandb/apropos-utils.c: 341 in init_db()
335     		 * Database exists. Check if we have the permissions
336     		 * to read/write the files
337     		 */
338     		int access_mode = R_OK;
339     		switch (access_mode) {
340     		case MANDB_CREATE:
>>>     CID 1358675:    (DEADCODE)
>>>     Execution cannot reach this statement: "case MANDB_WRITE:".
341     		case MANDB_WRITE:
342     			access_mode |= W_OK;
343     			break;
344     		default:
345     			break;
346     		}

** CID 1358676:  Null pointer dereferences  (FORWARD_NULL)
/external/bsd/dhcpcd/dist/dhcp-common.c: 215 in make_option_mask()


________________________________________________________________________________________________________
*** CID 1358676:  Null pointer dereferences  (FORWARD_NULL)
/external/bsd/dhcpcd/dist/dhcp-common.c: 215 in make_option_mask()
209     		if (*token == '\0')
210     			continue;
211     		match = 0;
212     		for (i = 0, opt = odopts; i < odopts_len; i++, opt++) {
213     			if (opt->var == NULL && opt->option == 0)
214     				continue; /* buggy dhcpcd-definitions.conf */
>>>     CID 1358676:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "opt->var" to "strcmp", which dereferences it.
215     			if (strcmp(opt->var, token) == 0)
216     				match = 1;
217     			else {
218     				n = (unsigned int)strtou(token, NULL, 0,
219     				    0, UINT_MAX, &e);
220     				if (e == 0 && opt->option == n)

** CID 1358677:  Integer handling issues  (NEGATIVE_RETURNS)
/external/bsd/dhcpcd/dist/eloop.c: 793 in eloop_new()


________________________________________________________________________________________________________
*** CID 1358677:  Integer handling issues  (NEGATIVE_RETURNS)
/external/bsd/dhcpcd/dist/eloop.c: 793 in eloop_new()
787     		eloop->events_maxfd = -1;
788     		TAILQ_INIT(&eloop->free_events);
789     		TAILQ_INIT(&eloop->timeouts);
790     		TAILQ_INIT(&eloop->free_timeouts);
791     		eloop->exitcode = EXIT_FAILURE;
792     #if defined(HAVE_KQUEUE) || defined(HAVE_EPOLL)
>>>     CID 1358677:  Integer handling issues  (NEGATIVE_RETURNS)
>>>     Assigning: "eloop->poll_fd" = a negative value.
793     		eloop->poll_fd = -1;
794     		if (eloop_open(eloop) == -1) {
795     			eloop_free(eloop);
796     			return NULL;
797     		}
798     #endif

** CID 1358678:  Error handling issues  (NEGATIVE_RETURNS)
/home/phil/cov/xsrc/external/mit/xrdb/dist/xrdb.c: 1228 in Process()


________________________________________________________________________________________________________
*** CID 1358678:  Error handling issues  (NEGATIVE_RETURNS)
/home/phil/cov/xsrc/external/mit/xrdb/dist/xrdb.c: 1228 in Process()
1222     #ifndef HAVE_MKSTEMP
1223     	(void) mktemp(template);
1224     	output = fopen(template, "w");
1225     #else
1226     	{
1227     	int fd = mkstemp(template);
>>>     CID 1358678:  Error handling issues  (NEGATIVE_RETURNS)
>>>     "fd" is passed to a parameter that cannot be negative.
1228     	output = fdopen(fd, "w");
1229     	}
1230     #endif
1231     	if (!output)
1232     	    fatal("%s: can't open temporary file '%s'\n", ProgramName, template);
1233     	GetEntriesString(&newDB, xdefs);

** CID 1358679:  Resource leaks  (RESOURCE_LEAK)
/libexec/httpd/cgi-bozo.c: 341 in parse_search_string()


________________________________________________________________________________________________________
*** CID 1358679:  Resource leaks  (RESOURCE_LEAK)
/libexec/httpd/cgi-bozo.c: 341 in parse_search_string()
335     
336     	free (*args);
337     	free (str);
338     	*args = NULL;
339     	*args_len = 0;
340     
>>>     CID 1358679:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "args" going out of scope leaks the storage it points to.
341     	return 0;
342     
343     }
344     
345     void
346     bozo_cgi_setbin(bozohttpd_t *httpd, const char *path)

** CID 1358680:  Security best practices violations  (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/ctwm/dist/session.c: 862 in unique_file()


________________________________________________________________________________________________________
*** CID 1358680:  Security best practices violations  (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/ctwm/dist/session.c: 862 in unique_file()
856                 strcpy(template, tmp);
857             if ((mktemp(template) == NULL) || (template[0] == '\0'))
858                 return NULL;
859             fd = open(template, O_RDWR | O_CREAT | O_EXCL, 0600);
860         } while ((fd == -1) && (errno == EEXIST || errno == EINTR));
861     #else
>>>     CID 1358680:  Security best practices violations  (SECURE_TEMP)
>>>     Calling "mkstemp" without securely setting umask first.
862         if ((fd = mkstemp(tmp)) == -1)
863     	return NULL;
864     #endif
865         if ((fp = fdopen(fd, "wb")) == NULL)
866     	close(fd);
867         *filename = strdup(template);

** CID 1358681:  Uninitialized variables  (UNINIT)
/home/phil/cov/xsrc/external/mit/ctwm/dist/session.c: 867 in unique_file()


________________________________________________________________________________________________________
*** CID 1358681:  Uninitialized variables  (UNINIT)
/home/phil/cov/xsrc/external/mit/ctwm/dist/session.c: 867 in unique_file()
861     #else
862         if ((fd = mkstemp(tmp)) == -1)
863     	return NULL;
864     #endif
865         if ((fp = fdopen(fd, "wb")) == NULL)
866     	close(fd);
>>>     CID 1358681:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized element of array "template" when calling "strdup". [Note: The source code implementation of the function has been overridden by a builtin model.]
867         *filename = strdup(template);
868         return fp;
869     }
870     
871     /*===[ SAVE WINDOW INFORMATION ]=============================================*/
872     

** CID 1358682:  Error handling issues  (CHECKED_RETURN)
/lib/libedit/chartype.c: 137 in ct_decode_string()


________________________________________________________________________________________________________
*** CID 1358682:  Error handling issues  (CHECKED_RETURN)
/lib/libedit/chartype.c: 137 in ct_decode_string()
131     		return NULL;
132     
133     	if (conv->wsize < ++len)
134     		if (ct_conv_wbuff_resize(conv, len + CT_BUFSIZ) == -1)
135     			return NULL;
136     
>>>     CID 1358682:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "mbstowcs" without checking return value (as is done elsewhere 12 out of 15 times).
137     	mbstowcs(conv->wbuff, s, conv->wsize);
138     	return conv->wbuff;
139     }
140     
141     
142     protected wchar_t **


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-amd64-user?tab=overview



