Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-amd64-kernel
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-kernel found with Coverity Scan.
22 new defect(s) introduced to NetBSD-amd64-kernel found with Coverity Scan.
41 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 22 defect(s)
** CID 1125822: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/xhci.c: 2400 in xhci_new_device()
________________________________________________________________________________________________________
*** CID 1125822: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/xhci.c: 2400 in xhci_new_device()
2394 dd->bMaxPacketSize);
2395 dd->bMaxPacketSize = 9;
2396 }
2397 USETW(dev->ud_ep0desc.wMaxPacketSize,
2398 (1 << dd->bMaxPacketSize));
2399 } else
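>>> CID 1125822: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "dd->bMaxPacketSize >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
[Note: bMaxPacketSize is presumably an 8-bit descriptor field, so the high byte that USETW stores is necessarily zero. This looks like an artifact of widening a byte into a 16-bit field rather than a logic error; the USETW findings in usbdi.c further down follow the same pattern.]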
2400 USETW(dev->ud_ep0desc.wMaxPacketSize,
2401 dd->bMaxPacketSize);
2402 DPRINTFN(4, "bMaxPacketSize %u", dd->bMaxPacketSize, 0, 0, 0);
2403 xhci_update_ep0_mps(sc, xs,
2404 UGETW(dev->ud_ep0desc.wMaxPacketSize));
2405 err = usbd_reload_device_desc(dev);
** CID 1362401: Error handling issues (CHECKED_RETURN)
/sys/dev/pci/if_wm.c: 11441 in wm_smbustopci()
________________________________________________________________________________________________________
*** CID 1362401: Error handling issues (CHECKED_RETURN)
/sys/dev/pci/if_wm.c: 11441 in wm_smbustopci()
11435 uint32_t fwsm, reg;
11436
11437 /* Gate automatic PHY configuration by hardware on non-managed 82579 */
11438 wm_gate_hw_phy_config_ich8lan(sc, true);
11439
11440 /* Acquire semaphore */
>>> CID 1362401: Error handling issues (CHECKED_RETURN)
>>> Calling "wm_get_swfwhw_semaphore" without checking return value (as is done elsewhere 8 out of 10 times).
11441 wm_get_swfwhw_semaphore(sc);
11442
11443 fwsm = CSR_READ(sc, WMREG_FWSM);
11444 if (((fwsm & FWSM_FW_VALID) == 0)
11445 && ((wm_phy_resetisblocked(sc) == false))) {
11446 if (sc->sc_type >= WM_T_PCH_LPT) {
** CID 1362402: Error handling issues (CHECKED_RETURN)
/sys/dev/usb/uaudio.c: 2734 in uaudio_chan_abort()
________________________________________________________________________________________________________
*** CID 1362402: Error handling issues (CHECKED_RETURN)
/sys/dev/usb/uaudio.c: 2734 in uaudio_chan_abort()
2728
2729 as = &sc->sc_alts[ch->altidx];
2730 as->sc_busy = 0;
2731 AUFMT_VALIDATE(as->aformat);
2732 if (sc->sc_nullalt >= 0) {
2733 DPRINTF("set null alt=%d\n", sc->sc_nullalt);
>>> CID 1362402: Error handling issues (CHECKED_RETURN)
>>> Calling "usbd_set_interface" without checking return value (as is done elsewhere 17 out of 19 times).
2734 usbd_set_interface(as->ifaceh, sc->sc_nullalt);
2735 }
2736 pipe = ch->pipe;
2737 if (pipe) {
2738 usbd_abort_pipe(pipe);
2739 }
** CID 1362403: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ohci.c: 2454 in ohci_roothub_ctrl()
________________________________________________________________________________________________________
*** CID 1362403: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ohci.c: 2454 in ohci_roothub_ctrl()
2448
2449 totlen = min(buflen, sizeof(hubd));
2450 memcpy(&hubd, buf, totlen);
2451
2452 v = OREAD4(sc, OHCI_RH_DESCRIPTOR_A);
2453 hubd.bNbrPorts = sc->sc_noport;
>>> CID 1362403: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "((v & 512) ? 2 : ((v & 256) ? 0 : 1)) >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
2454 USETW(hubd.wHubCharacteristics,
2455 (v & OHCI_NPS ? UHD_PWR_NO_SWITCH :
2456 v & OHCI_PSM ? UHD_PWR_GANGED : UHD_PWR_INDIVIDUAL)
2457 /* XXX overcurrent */
2458 );
2459 hubd.bPwrOn2PwrGood = OHCI_GET_POTPGT(v);
** CID 1362404: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 818 in usbd_set_interface()
________________________________________________________________________________________________________
*** CID 1362404: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 818 in usbd_set_interface()
812 kmem_free(endpoints, nendpt * sizeof(struct usbd_endpoint));
813 }
814 KASSERT(iface->ui_idesc != NULL);
815
816 req.bmRequestType = UT_WRITE_INTERFACE;
817 req.bRequest = UR_SET_INTERFACE;
>>> CID 1362404: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "iface->ui_idesc->bAlternateSetting >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
818 USETW(req.wValue, iface->ui_idesc->bAlternateSetting);
819 USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
820 USETW(req.wLength, 0);
821 return usbd_do_request(iface->ui_dev, &req, 0);
822 }
823
** CID 1362405: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 819 in usbd_set_interface()
________________________________________________________________________________________________________
*** CID 1362405: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 819 in usbd_set_interface()
813 }
814 KASSERT(iface->ui_idesc != NULL);
815
816 req.bmRequestType = UT_WRITE_INTERFACE;
817 req.bRequest = UR_SET_INTERFACE;
818 USETW(req.wValue, iface->ui_idesc->bAlternateSetting);
>>> CID 1362405: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "iface->ui_idesc->bInterfaceNumber >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
819 USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
820 USETW(req.wLength, 0);
821 return usbd_do_request(iface->ui_dev, &req, 0);
822 }
823
824 int
** CID 1362406: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 695 in usbd_clear_endpoint_stall()
________________________________________________________________________________________________________
*** CID 1362406: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 695 in usbd_clear_endpoint_stall()
689 */
690 pipe->up_methods->upm_cleartoggle(pipe);
691
692 req.bmRequestType = UT_WRITE_ENDPOINT;
693 req.bRequest = UR_CLEAR_FEATURE;
694 USETW(req.wValue, UF_ENDPOINT_HALT);
>>> CID 1362406: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "pipe->up_endpoint->ue_edesc->bEndpointAddress >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
695 USETW(req.wIndex, pipe->up_endpoint->ue_edesc->bEndpointAddress);
696 USETW(req.wLength, 0);
697 err = usbd_do_request(dev, &req, 0);
698 #if 0
699 XXX should we do this?
700 if (!err) {
** CID 1362408: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 720 in usbd_clear_endpoint_stall_task()
________________________________________________________________________________________________________
*** CID 1362408: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 720 in usbd_clear_endpoint_stall_task()
714
715 pipe->up_methods->upm_cleartoggle(pipe);
716
717 req.bmRequestType = UT_WRITE_ENDPOINT;
718 req.bRequest = UR_CLEAR_FEATURE;
719 USETW(req.wValue, UF_ENDPOINT_HALT);
>>> CID 1362408: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "pipe->up_endpoint->ue_edesc->bEndpointAddress >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
720 USETW(req.wIndex, pipe->up_endpoint->ue_edesc->bEndpointAddress);
721 USETW(req.wLength, 0);
722 (void)usbd_do_request(dev, &req, 0);
723 }
724
725 void
** CID 1362409: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 856 in usbd_get_interface()
________________________________________________________________________________________________________
*** CID 1362409: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 856 in usbd_get_interface()
850 {
851 usb_device_request_t req;
852
853 req.bmRequestType = UT_READ_INTERFACE;
854 req.bRequest = UR_GET_INTERFACE;
855 USETW(req.wValue, 0);
>>> CID 1362409: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "iface->ui_idesc->bInterfaceNumber >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
856 USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
857 USETW(req.wLength, 1);
858 return usbd_do_request(iface->ui_dev, &req, aiface);
859 }
860
861 /*** Internal routines ***/
** CID 1362410: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2411 in ehci_roothub_ctrl()
________________________________________________________________________________________________________
*** CID 1362410: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2411 in ehci_roothub_ctrl()
2405 return -1;
2406 }
2407 totlen = min(buflen, sizeof(hubd));
2408 memcpy(&hubd, buf, totlen);
2409 hubd.bNbrPorts = sc->sc_noport;
2410 v = EOREAD4(sc, EHCI_HCSPARAMS);
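>>> CID 1362410: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "2 | (bus_space_read_4(sc->iot, sc->ioh, 4) & 65536)" is always true regardless of the values of its operands. This occurs as the logical first operand of '?:'.
[Note: `|` binds tighter than `?:`, so lines 2412-2414 parse as `EHCI_HCS_PPC(v) ? UHD_PWR_INDIVIDUAL : ((UHD_PWR_NO_SWITCH | EHCI_HCS_P_INDICATOR(...)) ? UHD_PORT_IND : 0)`. The power-switching and port-indicator bits are therefore never OR-ed together; each conditional probably needs its own parentheses.]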
2411 USETW(hubd.wHubCharacteristics,
2412 EHCI_HCS_PPC(v) ? UHD_PWR_INDIVIDUAL : UHD_PWR_NO_SWITCH |
2413 EHCI_HCS_P_INDICATOR(EREAD4(sc, EHCI_HCSPARAMS))
2414 ? UHD_PORT_IND : 0);
2415 hubd.bPwrOn2PwrGood = 200; /* XXX can't find out? */
2416 for (i = 0, l = sc->sc_noport; l > 0; i++, l -= 8, v >>= 8)
** CID 1362411: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2411 in ehci_roothub_ctrl()
________________________________________________________________________________________________________
*** CID 1362411: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2411 in ehci_roothub_ctrl()
2405 return -1;
2406 }
2407 totlen = min(buflen, sizeof(hubd));
2408 memcpy(&hubd, buf, totlen);
2409 hubd.bNbrPorts = sc->sc_noport;
2410 v = EOREAD4(sc, EHCI_HCSPARAMS);
>>> CID 1362411: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "((v & 16) ? 1 : ((2 | (bus_space_read_4(sc->iot, sc->ioh, 4) & 65536)) ? 128 : 0)) >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
2411 USETW(hubd.wHubCharacteristics,
2412 EHCI_HCS_PPC(v) ? UHD_PWR_INDIVIDUAL : UHD_PWR_NO_SWITCH |
2413 EHCI_HCS_P_INDICATOR(EREAD4(sc, EHCI_HCSPARAMS))
2414 ? UHD_PORT_IND : 0);
2415 hubd.bPwrOn2PwrGood = 200; /* XXX can't find out? */
2416 for (i = 0, l = sc->sc_noport; l > 0; i++, l -= 8, v >>= 8)
** CID 1362412: Control flow issues (DEADCODE)
/sys/external/bsd/acpica/dist/utilities/utnonansi.c: 346 in AcpiUtStrtoul64()
________________________________________________________________________________________________________
*** CID 1362412: Control flow issues (DEADCODE)
/sys/external/bsd/acpica/dist/utilities/utnonansi.c: 346 in AcpiUtStrtoul64()
340 /* Any string left? Check that '0x' is not followed by white space. */
341
342 if (!(*String) || isspace ((int) *String) || *String == '\t')
343 {
344 if (Base == ACPI_ANY_BASE)
345 {
>>> CID 1362412: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "goto ErrorExit;".
346 goto ErrorExit;
347 }
348 else
349 {
350 goto AllDone;
351 }
** CID 1362413: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/ohci.c: 3128 in ohci_device_intr_fini()
________________________________________________________________________________________________________
*** CID 1362413: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/ohci.c: 3128 in ohci_device_intr_fini()
3122 OHCIHIST_FUNC(); OHCIHIST_CALLED();
3123 DPRINTFN(8, "xfer %p nstd %d", xfer, ox->ox_nstd, 0, 0);
3124
3125 mutex_enter(&sc->sc_lock);
3126 for (size_t i = 0; i < ox->ox_nstd; i++) {
3127 ohci_soft_td_t *std = ox->ox_stds[i];
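>>> CID 1362413: Null pointer dereferences (FORWARD_NULL)
>>> Comparing "std" to null implies that "std" might be null.
[Note: with `!=` the loop exits at the first non-null entry, so lines 3130-3131 are reached only when std is NULL and ohci_free_std_locked() is then handed a null pointer, while non-null entries are never freed. The test at 3128 looks inverted; `== NULL` seems to be what was intended.]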
3128 if (std != NULL)
3129 break;
3130 if (std != opipe->tail.td)
3131 ohci_free_std_locked(sc, std);
3132 }
3133 mutex_exit(&sc->sc_lock);
** CID 1362414: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/usbroothub.c: 378 in roothub_ctrl_start()
________________________________________________________________________________________________________
*** CID 1362414: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/usbroothub.c: 378 in roothub_ctrl_start()
372 /* Default to error */
373 buflen = -1;
374 }
375 break;
376 case C(UR_GET_DESCRIPTOR, UT_READ_CLASS_DEVICE):
377 buflen = min(len, sizeof(usbroothub_hubd));
>>> CID 1362414: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "buf" to "memcpy", which dereferences it.
378 memcpy(buf, &usbroothub_hubd, buflen);
379 break;
380 case C(UR_GET_INTERFACE, UT_READ_INTERFACE):
381 /* Get Interface, 9.4.4 */
382 if (len > 0) {
383 uint8_t *out = buf;
** CID 1362416: Incorrect expression (SIZEOF_MISMATCH)
/sys/dev/usb/xhci.c: 2168 in xhci_allocx()
________________________________________________________________________________________________________
*** CID 1362416: Incorrect expression (SIZEOF_MISMATCH)
/sys/dev/usb/xhci.c: 2168 in xhci_allocx()
2162 struct usbd_xfer *xfer;
2163
2164 XHCIHIST_FUNC(); XHCIHIST_CALLED();
2165
2166 xfer = pool_cache_get(sc->sc_xferpool, PR_NOWAIT);
2167 if (xfer != NULL) {
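>>> CID 1362416: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "xfer" of type "struct usbd_xfer *" and argument "656UL" ("sizeof (struct xhci_xfer)") to function "memset" is suspicious because a multiple of "sizeof (struct usbd_xfer)" /*288*/ is expected.
[Note: the memset clears 656 bytes through a pointer typed as the 288-byte struct usbd_xfer. That stays in bounds only if the items in sc_xferpool are allocated at sizeof(struct xhci_xfer), which this excerpt does not show.]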
2168 memset(xfer, 0, sizeof(struct xhci_xfer));
2169 #ifdef DIAGNOSTIC
2170 xfer->ux_state = XFER_BUSY;
2171 #endif
2172 }
2173
** CID 1362417: (TAINTED_SCALAR)
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
________________________________________________________________________________________________________
*** CID 1362417: (TAINTED_SCALAR)
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268 if (rlen + l > blen) {
2269 if (debug)
2270 addlog(" [overflow]");
2271 continue;
2272 }
2273 /* Add the option to nak'ed list. */
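>>> CID 1362417: (TAINTED_SCALAR)
>>> Passing tainted variable "l" to a tainted sink.
[Note: the check at 2268 appears to bound the write into r against blen. Whether l is also validated against the bytes remaining in the received option data is not visible in this excerpt and is the part worth confirming.]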
2274 memcpy(r, p, l);
2275 r += l;
2276 rlen += l;
2277 }
2278 if (rlen) {
2279 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268 if (rlen + l > blen) {
2269 if (debug)
2270 addlog(" [overflow]");
2271 continue;
2272 }
2273 /* Add the option to nak'ed list. */
>>> CID 1362417: (TAINTED_SCALAR)
>>> Passing tainted variable "l" to a tainted sink.
2274 memcpy(r, p, l);
2275 r += l;
2276 rlen += l;
2277 }
2278 if (rlen) {
2279 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268 if (rlen + l > blen) {
2269 if (debug)
2270 addlog(" [overflow]");
2271 continue;
2272 }
2273 /* Add the option to nak'ed list. */
>>> CID 1362417: (TAINTED_SCALAR)
>>> Passing tainted variable "l" to a tainted sink.
2274 memcpy(r, p, l);
2275 r += l;
2276 rlen += l;
2277 }
2278 if (rlen) {
2279 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268 if (rlen + l > blen) {
2269 if (debug)
2270 addlog(" [overflow]");
2271 continue;
2272 }
2273 /* Add the option to nak'ed list. */
>>> CID 1362417: (TAINTED_SCALAR)
>>> Passing tainted variable "l" to a tainted sink.
2274 memcpy(r, p, l);
2275 r += l;
2276 rlen += l;
2277 }
2278 if (rlen) {
2279 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
** CID 1362418: (TAINTED_SCALAR)
/sys/dev/usb/ohci.c: 2709 in ohci_device_ctrl_start()
/sys/dev/usb/ohci.c: 2709 in ohci_device_ctrl_start()
________________________________________________________________________________________________________
*** CID 1362418: (TAINTED_SCALAR)
/sys/dev/usb/ohci.c: 2709 in ohci_device_ctrl_start()
2703 if (sc->sc_dying)
2704 return USBD_IOERROR;
2705
2706 KASSERT(xfer->ux_rqflags & URQ_REQUEST);
2707
2708 isread = req->bmRequestType & UT_READ;
>>> CID 1362418: (TAINTED_SCALAR)
>>> Assigning: "len" = "req->wLength[0] | (req->wLength[1] << 8)". Both are now tainted.
2709 len = UGETW(req->wLength);
2710
2711 DPRINTF("xfer=%p len=%d, addr=%d, endpt=%d", xfer, len, dev->ud_addr,
2712 opipe->pipe.up_endpoint->ue_edesc->bEndpointAddress);
2713 DPRINTF("type=0x%02x, request=0x%02x, wValue=0x%04x, wIndex=0x%04x",
2714 req->bmRequestType, req->bRequest, UGETW(req->wValue),
/sys/dev/usb/ohci.c: 2709 in ohci_device_ctrl_start()
2703 if (sc->sc_dying)
2704 return USBD_IOERROR;
2705
2706 KASSERT(xfer->ux_rqflags & URQ_REQUEST);
2707
2708 isread = req->bmRequestType & UT_READ;
>>> CID 1362418: (TAINTED_SCALAR)
>>> Assigning: "len" = "req->wLength[0] | (req->wLength[1] << 8)". Both are now tainted.
2709 len = UGETW(req->wLength);
2710
2711 DPRINTF("xfer=%p len=%d, addr=%d, endpt=%d", xfer, len, dev->ud_addr,
2712 opipe->pipe.up_endpoint->ue_edesc->bEndpointAddress);
2713 DPRINTF("type=0x%02x, request=0x%02x, wValue=0x%04x, wIndex=0x%04x",
2714 req->bmRequestType, req->bRequest, UGETW(req->wValue),
** CID 1362419: Insecure data handling (TAINTED_SCALAR)
/sys/dev/usb/ehci.c: 3534 in ehci_device_ctrl_start()
________________________________________________________________________________________________________
*** CID 1362419: Insecure data handling (TAINTED_SCALAR)
/sys/dev/usb/ehci.c: 3534 in ehci_device_ctrl_start()
3528 KASSERT(xfer->ux_rqflags & URQ_REQUEST);
3529
3530 if (sc->sc_dying)
3531 return USBD_IOERROR;
3532
3533 const int isread = req->bmRequestType & UT_READ;
>>> CID 1362419: Insecure data handling (TAINTED_SCALAR)
>>> Assigning: "len" = "req->wLength[0] | (req->wLength[1] << 8)". Both are now tainted.
3534 const int len = UGETW(req->wLength);
3535
3536 DPRINTF("type=0x%02x, request=0x%02x, wValue=0x%04x, wIndex=0x%04x",
3537 req->bmRequestType, req->bRequest, UGETW(req->wValue),
3538 UGETW(req->wIndex));
3539 DPRINTF("len=%d, addr=%d, endpt=%d", len, epipe->pipe.up_dev->ud_addr,
** CID 1362420: Insecure data handling (TAINTED_SCALAR)
/sys/dev/usb/uhci.c: 2540 in uhci_device_ctrl_start()
________________________________________________________________________________________________________
*** CID 1362420: Insecure data handling (TAINTED_SCALAR)
/sys/dev/usb/uhci.c: 2540 in uhci_device_ctrl_start()
2534 req->bmRequestType, req->bRequest, UGETW(req->wValue),
2535 UGETW(req->wIndex));
2536 DPRINTFN(3, "len=%d, addr=%d, endpt=%d",
2537 UGETW(req->wLength), dev->ud_addr, endpt, 0);
2538
2539 isread = req->bmRequestType & UT_READ;
>>> CID 1362420: Insecure data handling (TAINTED_SCALAR)
>>> Assigning: "len" = "req->wLength[0] | (req->wLength[1] << 8)". Both are now tainted.
2540 len = UGETW(req->wLength);
2541
2542 setup = upipe->ctrl.setup;
2543 stat = upipe->ctrl.stat;
2544 sqh = upipe->ctrl.sqh;
2545
** CID 1362421: Insecure data handling (TAINTED_SCALAR)
/sys/dev/usb/xhci.c: 3385 in xhci_device_ctrl_done()
________________________________________________________________________________________________________
*** CID 1362421: Insecure data handling (TAINTED_SCALAR)
/sys/dev/usb/xhci.c: 3385 in xhci_device_ctrl_done()
3379
3380 static void
3381 xhci_device_ctrl_done(struct usbd_xfer *xfer)
3382 {
3383 XHCIHIST_FUNC(); XHCIHIST_CALLED();
3384 usb_device_request_t *req = &xfer->ux_request;
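>>> CID 1362421: Insecure data handling (TAINTED_SCALAR)
>>> Assigning: "len" = "req->wLength[0] | (req->wLength[1] << 8)". Both are now tainted.
[Note: in the lines shown, len goes from the request's wLength straight to usb_syncmem() at 3389 as the sync length for ux_dmabuf, with no visible comparison against the buffer's size. Any such bound would have to be enforced before this function runs.]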
3385 int len = UGETW(req->wLength);
3386 int rd = req->bmRequestType & UT_READ;
3387
3388 if (len)
3389 usb_syncmem(&xfer->ux_dmabuf, 0, len,
3390 rd ? BUS_DMASYNC_POSTREAD : BUS_DMASYNC_POSTWRITE);
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-amd64-kernel?tab=overview
To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://scan.coverity.com/subscriptions/edit?email=coverity-updates%40netbsd.org&token=487286ca1a9a4f4bd485d16f66b5e782