Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-amd64-user
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
61 new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
188 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 61 defect(s)
** CID 483378: Null pointer dereferences (REVERSE_INULL)
/crypto/external/bsd/openssl/dist/crypto/ecdsa/ecdsatest.c: 175 in fbytes()
________________________________________________________________________________________________________
*** CID 483378: Null pointer dereferences (REVERSE_INULL)
/crypto/external/bsd/openssl/dist/crypto/ecdsa/ecdsatest.c: 175 in fbytes()
169 }
170 fbytes_counter++;
171 if (num != BN_num_bytes(tmp) || !BN_bn2bin(tmp, buf))
172 ret = 0;
173 else
174 ret = 1;
>>> CID 483378: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "tmp" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
175 if (tmp)
176 BN_free(tmp);
177 return ret;
178 }
179
180 /* some tests from the X9.62 draft */
** CID 977755: (RESOURCE_LEAK)
/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c: 1245 in netpgp_generate_key()
/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c: 1221 in netpgp_generate_key()
/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c: 1233 in netpgp_generate_key()
/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c: 1215 in netpgp_generate_key()
________________________________________________________________________________________________________
*** CID 977755: (RESOURCE_LEAK)
/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c: 1245 in netpgp_generate_key()
1239 } else if (strcmp(numtries, "unlimited") == 0) {
1240 attempts = INFINITE_ATTEMPTS;
1241 }
1242 passc = find_passphrase(netpgp->passfp, &cp[ID_OFFSET], passphrase, sizeof(passphrase), attempts);
1243 if (!pgp_write_xfer_seckey(create, key, (uint8_t *)passphrase, (const unsigned)passc, noarmor)) {
1244 (void) fprintf(io->errs, "Cannot write seckey\n");
>>> CID 977755: (RESOURCE_LEAK)
>>> Variable "key" going out of scope leaks the storage it points to.
1245 return 0;
1246 }
1247 pgp_teardown_file_write(create, fd);
1248 if (netpgp->secring != NULL) {
1249 pgp_keyring_free(netpgp->secring);
1250 }
/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c: 1221 in netpgp_generate_key()
1215 return 0;
1216 }
1217 (void) fprintf(io->errs, "netpgp: generated keys in directory %s\n", dir);
1218 (void) snprintf(ringfile = filename, sizeof(filename), "%s/pubring.gpg", dir);
1219 if (!appendkey(io, key, ringfile)) {
1220 (void) fprintf(io->errs, "Cannot write pubkey to '%s'\n", ringfile);
>>> CID 977755: (RESOURCE_LEAK)
>>> Variable "key" going out of scope leaks the storage it points to.
1221 return 0;
1222 }
1223 if (netpgp->pubring != NULL) {
1224 pgp_keyring_free(netpgp->pubring);
1225 }
1226 /* write secret key */
/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c: 1233 in netpgp_generate_key()
1227 (void) snprintf(ringfile = filename, sizeof(filename), "%s/secring.gpg", dir);
1228 if ((fd = pgp_setup_file_append(&create, ringfile)) < 0) {
1229 fd = pgp_setup_file_write(&create, ringfile, 0);
1230 }
1231 if (fd < 0) {
1232 (void) fprintf(io->errs, "can't append secring '%s'\n", ringfile);
>>> CID 977755: (RESOURCE_LEAK)
>>> Variable "key" going out of scope leaks the storage it points to.
1233 return 0;
1234 }
1235 /* get the passphrase */
1236 if ((numtries = netpgp_getvar(netpgp, "numtries")) == NULL ||
1237 (attempts = atoi(numtries)) <= 0) {
1238 attempts = MAX_PASSPHRASE_ATTEMPTS;
/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c: 1215 in netpgp_generate_key()
1209 (void) fprintf(stdout, "%s", cp);
1210 /* write public key */
1211 cc = snprintf(dir, sizeof(dir), "%s/%.16s", netpgp_getvar(netpgp, "homedir"), &cp[ID_OFFSET]);
1212 netpgp_setvar(netpgp, "generated userid", &dir[cc - 16]);
1213 if (mkdir(dir, 0700) < 0) {
1214 (void) fprintf(io->errs, "can't mkdir '%s'\n", dir);
>>> CID 977755: (RESOURCE_LEAK)
>>> Variable "key" going out of scope leaks the storage it points to.
1215 return 0;
1216 }
1217 (void) fprintf(io->errs, "netpgp: generated keys in directory %s\n", dir);
1218 (void) snprintf(ringfile = filename, sizeof(filename), "%s/pubring.gpg", dir);
1219 if (!appendkey(io, key, ringfile)) {
1220 (void) fprintf(io->errs, "Cannot write pubkey to '%s'\n", ringfile);
** CID 980287: Control flow issues (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 956 in ipf_send_icmp_err()
________________________________________________________________________________________________________
*** CID 980287: Control flow issues (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 956 in ipf_send_icmp_err()
950 if (type == ICMP6_DST_UNREACH)
951 code = icmptoicmp6unreach[code];
952
953 if (iclen + max_linkhdr + fin->fin_plen > avail) {
954 MCLGET(m, M_DONTWAIT);
955 if (m == NULL)
>>> CID 980287: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return -1;".
956 return -1;
957 if ((m->m_flags & M_EXT) == 0) {
958 FREE_MB_T(m);
959 return -1;
960 }
961 avail = MCLBYTES;
** CID 980288: Control flow issues (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 735 in ipf_send_reset()
________________________________________________________________________________________________________
*** CID 980288: Control flow issues (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 735 in ipf_send_reset()
729 #endif
730 if (m == NULL)
731 return -1;
732 if (sizeof(*tcp2) + hlen > MHLEN) {
733 MCLGET(m, M_DONTWAIT);
734 if (m == NULL)
>>> CID 980288: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return -1;".
735 return -1;
736 if ((m->m_flags & M_EXT) == 0) {
737 FREE_MB_T(m);
738 return -1;
739 }
740 }
** CID 980289: Control flow issues (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_irc_pxy.c: 287 in ipf_p_irc_send()
________________________________________________________________________________________________________
*** CID 980289: Control flow issues (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_irc_pxy.c: 287 in ipf_p_irc_send()
281 #endif
282 if (dlen <= 0)
283 return 0;
284 COPYDATA(m, off, MIN(sizeof(ctcpbuf), dlen), ctcpbuf);
285
286 if (dlen <= 0)
>>> CID 980289: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return 0;".
287 return 0;
288 ctcpbuf[sizeof(ctcpbuf) - 1] = '\0';
289 *newbuf = '\0';
290
291 irc = nat->nat_aps->aps_data;
292 if (ipf_p_irc_complete(irc, ctcpbuf, dlen) == 0)
** CID 980360: Incorrect expression (NO_EFFECT)
/sys/external/bsd/ipf/netinet/ip_fil_compat.c: 2335 in friostat_4_1_0_to_current()
________________________________________________________________________________________________________
*** CID 980360: Incorrect expression (NO_EFFECT)
/sys/external/bsd/ipf/netinet/ip_fil_compat.c: 2335 in friostat_4_1_0_to_current()
2329 fiop->f_ipf[1][0] = old->f_ipf[1][0];
2330 fiop->f_ipf[1][1] = old->f_ipf[1][1];
2331 fiop->f_acct[0][0] = old->f_acct[0][0];
2332 fiop->f_acct[0][1] = old->f_acct[0][1];
2333 fiop->f_acct[1][0] = old->f_acct[1][0];
2334 fiop->f_acct[1][1] = old->f_acct[1][1];
>>> CID 980360: Incorrect expression (NO_EFFECT)
>>> Assignment operation "fiop->f_auth = fiop->f_auth" has no effect.
2335 fiop->f_auth = fiop->f_auth;
2336 bcopy(&old->f_groups, &fiop->f_groups, sizeof(old->f_groups));
2337 bcopy(&old->f_froute, &fiop->f_froute, sizeof(old->f_froute));
2338 fiop->f_ticks = old->f_ticks;
2339 bcopy(&old->f_locks, &fiop->f_locks, sizeof(old->f_locks));
2340 fiop->f_defpass = old->f_defpass;
** CID 980361: Incorrect expression (NO_EFFECT)
/sys/external/bsd/ipf/netinet/ip_fil_compat.c: 2305 in friostat_4_1_33_to_current()
________________________________________________________________________________________________________
*** CID 980361: Incorrect expression (NO_EFFECT)
/sys/external/bsd/ipf/netinet/ip_fil_compat.c: 2305 in friostat_4_1_33_to_current()
2299 fiop->f_ipf[1][0] = old->f_ipf[1][0];
2300 fiop->f_ipf[1][1] = old->f_ipf[1][1];
2301 fiop->f_acct[0][0] = old->f_acct[0][0];
2302 fiop->f_acct[0][1] = old->f_acct[0][1];
2303 fiop->f_acct[1][0] = old->f_acct[1][0];
2304 fiop->f_acct[1][1] = old->f_acct[1][1];
>>> CID 980361: Incorrect expression (NO_EFFECT)
>>> Assignment operation "fiop->f_auth = fiop->f_auth" has no effect.
2305 fiop->f_auth = fiop->f_auth;
2306 bcopy(&old->f_groups, &fiop->f_groups, sizeof(old->f_groups));
2307 bcopy(&old->f_froute, &fiop->f_froute, sizeof(old->f_froute));
2308 fiop->f_ticks = old->f_ticks;
2309 bcopy(&old->f_locks, &fiop->f_locks, sizeof(old->f_locks));
2310 fiop->f_defpass = old->f_defpass;
** CID 980424: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980424: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/fil.c: 7812 in ipf_genericiter()
7806 ipf_genericiter(ipf_main_softc_t *softc, void *data, int uid, void *ctx)
7807 {
7808 ipftoken_t *token;
7809 ipfgeniter_t iter;
7810 int error;
7811
>>> CID 980424: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ipfgeniter_t of 16 bytes by passing it to a function which accesses it at byte offset 535.
7812 error = ipf_inobj(softc, data, NULL, &iter, IPFOBJ_GENITER);
7813 if (error != 0)
7814 return error;
7815
7816 token = ipf_token_find(softc, iter.igi_type, uid, ctx);
7817 if (token != NULL) {
** CID 980425: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980425: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/fil.c: 7000 in ipf_ipftune()
6994 {
6995 ipftuneable_t *ta;
6996 ipftune_t tu;
6997 void *cookie;
6998 int error;
6999
>>> CID 980425: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ipftune_t of 120 bytes by passing it to a function which accesses it at byte offset 535.
7000 error = ipf_inobj(softc, data, NULL, &tu, IPFOBJ_TUNEABLE);
7001 if (error != 0)
7002 return error;
7003
7004 tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0';
7005 cookie = tu.ipft_cookie;
** CID 980426: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980426: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_auth.c: 1157 in ipf_auth_reply()
1151 int error, i;
1152 #ifdef _KERNEL
1153 mb_t *m;
1154 #endif
1155 SPL_INT(s);
1156
>>> CID 980426: Memory - corruptions (OVERRUN)
>>> Overrunning struct type frauth_t of 288 bytes by passing it to a function which accesses it at byte offset 535.
1157 error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH);
1158 if (error != 0)
1159 return error;
1160
1161 SPL_NET(s);
1162 WRITE_ENTER(&softa->ipf_authlk);
** CID 980427: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_auth.c: 1021 in ipf_auth_wait()
________________________________________________________________________________________________________
*** CID 980427: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_auth.c: 1021 in ipf_auth_wait()
1015 /* If there are no packets present in the queue (ipf_auth_pkts) then we go */
1016 /* to sleep. */
1017 /* ------------------------------------------------------------------------ */
1018 static int
1019 ipf_auth_wait(ipf_main_softc_t *softc, ipf_auth_softc_t *softa, char *data)
1020 {
>>> CID 980427: Memory - corruptions (OVERRUN)
>>> Assigning: "au" = "&auth". "au" now points to element 0 of "auth" (which consists of 1 288-byte elements).
1021 frauth_t auth, *au = &auth;
1022 int error, len, i;
1023 mb_t *m;
1024 char *t;
1025 SPL_INT(s);
1026
** CID 980428: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 1013 in ipf_send_icmp_err()
________________________________________________________________________________________________________
*** CID 980428: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 1013 in ipf_send_icmp_err()
1007 } else { /* make up a number... */
1008 icmp->icmp_nextmtu = htons(fin->fin_plen - 20);
1009 }
1010 }
1011 #endif
1012
>>> CID 980428: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ip of 20 bytes by passing it to a function which accesses it at byte offset 39 using argument "ohlen" (which evaluates to 40).
1013 bcopy((char *)fin->fin_ip, (char *)ip2, ohlen);
1014
1015 #if defined(M_CSUM_IPv4)
1016 /*
1017 * Clear any in-bound checksum flags for this packet.
1018 */
** CID 980429: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980429: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_lookup.c: 691 in ipf_lookup_iterate()
685 ipf_lookup_softc_t *softl = softc->ipf_lookup_soft;
686 ipflookupiter_t iter;
687 ipftoken_t *token;
688 int err, i;
689 SPL_INT(s);
690
>>> CID 980429: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ipflookupiter_t of 32 bytes by passing it to a function which accesses it at byte offset 535.
691 err = ipf_inobj(softc, data, NULL, &iter, IPFOBJ_LOOKUPITER);
692 if (err != 0)
693 return err;
694
695 if (iter.ili_unit < IPL_LOGALL && iter.ili_unit > IPL_LOGMAX) {
696 IPFERROR(50038);
** CID 980430: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980430: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_nat.c: 7811 in ipf_nat_gettable()
7805 static int
7806 ipf_nat_gettable(ipf_main_softc_t *softc, ipf_nat_softc_t *softn, char *data)
7807 {
7808 ipftable_t table;
7809 int error;
7810
>>> CID 980430: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ipftable_t of 16 bytes by passing it to a function which accesses it at byte offset 535.
7811 error = ipf_inobj(softc, data, NULL, &table, IPFOBJ_GTABLE);
7812 if (error != 0)
7813 return error;
7814
7815 switch (table.ita_type)
7816 {
** CID 980431: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980431: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_nat.c: 1219 in ipf_nat_ioctl()
1213 }
1214
1215 case SIOCGNATL :
1216 {
1217 natlookup_t nl;
1218
>>> CID 980431: Memory - corruptions (OVERRUN)
>>> Overrunning struct type natlookup_t of 64 bytes by passing it to a function which accesses it at byte offset 535.
1219 error = ipf_inobj(softc, data, NULL, &nl, IPFOBJ_NATLOOKUP);
1220 if (error == 0) {
1221 void *ptr;
1222
1223 if (getlock) {
1224 READ_ENTER(&softc->ipf_nat);
** CID 980432: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980432: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_proxy.c: 720 in ipf_proxy_ioctl()
714
715 mode = mode; /* LINT */
716
717 switch (cmd)
718 {
719 case SIOCPROXY :
>>> CID 980432: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ap_ctl_t of 72 bytes by passing it to a function which accesses it at byte offset 535.
720 error = ipf_inobj(softc, data, NULL, &ctl, IPFOBJ_PROXYCTL);
721 if (error != 0) {
722 return error;
723 }
724 ptr = NULL;
725
** CID 980433: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980433: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_state.c: 4819 in ipf_state_gettable()
4813 ipf_state_gettable(ipf_main_softc_t *softc, ipf_state_softc_t *softs,
4814 char *data)
4815 {
4816 ipftable_t table;
4817 int error;
4818
>>> CID 980433: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ipftable_t of 16 bytes by passing it to a function which accesses it at byte offset 535.
4819 error = ipf_inobj(softc, data, NULL, &table, IPFOBJ_GTABLE);
4820 if (error != 0)
4821 return error;
4822
4823 if (table.ita_type != IPFTABLE_BUCKETS) {
4824 IPFERROR(100031);
** CID 980513: (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 4352 in frrequest()
________________________________________________________________________________________________________
*** CID 980513: (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 4347 in frrequest()
4341 return error;
4342 }
4343 if ((fp->fr_type & FR_T_BUILTIN) != 0) {
4344 IPFERROR(6);
4345 return EINVAL;
4346 }
>>> CID 980513: (TAINTED_SCALAR)
>>> Passing tainted variable "fp->fr_size" to a tainted sink.
4347 KMALLOCS(f, frentry_t *, fp->fr_size);
4348 if (f == NULL) {
4349 IPFERROR(131);
4350 return ENOMEM;
4351 }
4352 bzero(f, fp->fr_size);
/sys/external/bsd/ipf/netinet/fil.c: 4352 in frrequest()
4346 }
4347 KMALLOCS(f, frentry_t *, fp->fr_size);
4348 if (f == NULL) {
4349 IPFERROR(131);
4350 return ENOMEM;
4351 }
>>> CID 980513: (TAINTED_SCALAR)
>>> Passing tainted variable "fp->fr_size" to a tainted sink.
4352 bzero(f, fp->fr_size);
4353 error = ipf_inobjsz(softc, data, f, IPFOBJ_FRENTRY,
4354 fp->fr_size);
4355 if (error) {
4356 KFREES(f, fp->fr_size);
4357 return error;
/sys/external/bsd/ipf/netinet/fil.c: 4353 in frrequest()
4347 KMALLOCS(f, frentry_t *, fp->fr_size);
4348 if (f == NULL) {
4349 IPFERROR(131);
4350 return ENOMEM;
4351 }
4352 bzero(f, fp->fr_size);
>>> CID 980513: (TAINTED_SCALAR)
>>> Passing tainted variable "fp->fr_size" to a tainted sink.
4353 error = ipf_inobjsz(softc, data, f, IPFOBJ_FRENTRY,
4354 fp->fr_size);
4355 if (error) {
4356 KFREES(f, fp->fr_size);
4357 return error;
4358 }
** CID 980514: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 980514: Insecure data handling (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 7758 in ipf_frruleiter()
7752 RWLOCK_EXIT(&softc->ipf_tokens);
7753 } else {
7754 error = ipf_inobj(softc, data, &obj, &it, IPFOBJ_IPFITER);
7755 if (error != 0)
7756 return error;
7757 it.iri_rule = NULL;
>>> CID 980514: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "it" to a tainted sink.
7758 error = ipf_outobj(softc, data, &it, IPFOBJ_IPFITER);
7759 }
7760
7761 return error;
7762 }
7763
** CID 980515: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 980515: Insecure data handling (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 7978 in ipf_ipf_ioctl()
7972 case SIOCGETFS :
7973 error = ipf_inobj(softc, (void *)data, &obj, &fio,
7974 IPFOBJ_IPFSTAT);
7975 if (error != 0)
7976 break;
7977 ipf_getstat(softc, &fio, obj.ipfo_rev);
>>> CID 980515: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "fio" to a tainted sink.
7978 error = ipf_outobj(softc, (void *)data, &fio, IPFOBJ_IPFSTAT);
7979 break;
7980
7981 case SIOCFRZST :
7982 if (!(mode & FWRITE)) {
7983 IPFERROR(104);
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-amd64-user?tab=overview
To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://scan.coverity.com/subscriptions/edit?email=coverity-updates%40netbsd.org&token=487286ca1a9a4f4bd485d16f66b5e782