Coverity-updates archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
New Defects reported by Coverity Scan for NetBSD-amd64-user
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
200 new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
347 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 200 defect(s)
** CID 274427: Null pointer dereferences (FORWARD_NULL)
/sys/net/if_srt.c: 487 in srt_ioctl()
________________________________________________________________________________________________________
*** CID 274427: Null pointer dereferences (FORWARD_NULL)
/sys/net/if_srt.c: 487 in srt_ioctl()
481 if (i < sc->nrt) {
482 memcpy(sc->rts+i, sc->rts+i+1,
483 (sc->nrt-i)*sizeof(*sc->rts));
484 }
485 if (sc->nrt == 0) {
486 free(sc->rts, M_DEVBUF);
>>> CID 274427: Null pointer dereferences (FORWARD_NULL)
>>> Assigning: "sc->rts" = "NULL".
487 sc->rts = 0;
488 sc->intf.if_flags &= ~IFF_UP;
489 }
490 update_mtu(sc);
491 return 0;
492 case SRT_SFLAGS:
** CID 460069: Control flow issues (DEADCODE)
/home/phil/cov/xsrc/external/mit/xf86-video-ati/xorg-server-copy/msp3430.c: 486 in InitMSP34x5D()
________________________________________________________________________________________________________
*** CID 460069: Control flow issues (DEADCODE)
/home/phil/cov/xsrc/external/mit/xf86-video-ati/xorg-server-copy/msp3430.c: 486 in InitMSP34x5D()
480 default:
481 standard=MSPSTANDARD_AUTO;
482 }
483
484 /*no NICAM support in MSP3410D - force to autodetect*/
485 if ((m->chip_id==0x405) && (standard>=MSPSTANDARD_NICAM_BG))
>>> CID 460069: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "standard = 1;".
486 standard=MSPSTANDARD_AUTO;
487
488 if (m->c_standard != standard) {
489
490 SetMSP3430Data (m, WR_DEM, 0x00, 0x20, standard>>8, standard & 0xFF);
491 if (standard==MSPSTANDARD_AUTO) {
** CID 709075: Control flow issues (DEADCODE)
/external/gpl3/gdb/dist/gdb/common/signals.c: 342 in gdb_signal_from_host()
________________________________________________________________________________________________________
*** CID 709075: Control flow issues (DEADCODE)
/external/gpl3/gdb/dist/gdb/common/signals.c: 342 in gdb_signal_from_host()
336 if (hostsig >= REALTIME_LO && hostsig < REALTIME_HI)
337 {
338 /* This block of GDB_SIGNAL_REALTIME value is in order. */
339 if (33 <= hostsig && hostsig <= 63)
340 return (enum gdb_signal)
341 (hostsig - 33 + (int) GDB_SIGNAL_REALTIME_33);
>>> CID 709075: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "if (hostsig == 32)
return...".
342 else if (hostsig == 32)
343 return GDB_SIGNAL_REALTIME_32;
344 else if (64 <= hostsig && hostsig <= 127)
345 return (enum gdb_signal)
346 (hostsig - 64 + (int) GDB_SIGNAL_REALTIME_64);
347 else
** CID 975000: Error handling issues (CHECKED_RETURN)
________________________________________________________________________________________________________
*** CID 975000: Error handling issues (CHECKED_RETURN)
/external/bsd/tmux/dist/cmd-pipe-pane.c: 122 in cmd_pipe_pane_exec()
116 _exit(1);
117 if (dup2(null_fd, STDERR_FILENO) == -1)
118 _exit(1);
119 if (null_fd != STDOUT_FILENO && null_fd != STDERR_FILENO)
120 close(null_fd);
121
>>> CID 975000: Error handling issues (CHECKED_RETURN)
>>> Calling "closefrom(3)" without checking return value. It wraps a library function that may fail and return an error code.
122 closefrom(STDERR_FILENO + 1);
123
124 execl(_PATH_BSHELL, "sh", "-c", cmd, (char *) NULL);
125 _exit(1);
126 default:
127 /* Parent process. */
** CID 975002: Error handling issues (CHECKED_RETURN)
________________________________________________________________________________________________________
*** CID 975002: Error handling issues (CHECKED_RETURN)
/external/bsd/tmux/dist/job.c: 94 in job_run()
88 fatal("open failed");
89 if (dup2(nullfd, STDERR_FILENO) == -1)
90 fatal("dup2 failed");
91 if (nullfd != STDERR_FILENO)
92 close(nullfd);
93
>>> CID 975002: Error handling issues (CHECKED_RETURN)
>>> Calling "closefrom(3)" without checking return value. It wraps a library function that may fail and return an error code.
94 closefrom(STDERR_FILENO + 1);
95
96 execl(_PATH_BSHELL, "sh", "-c", cmd, (char *) NULL);
97 fatal("execl failed");
98 }
99
** CID 976707: Error handling issues (NEGATIVE_RETURNS)
/external/bsd/tmux/dist/cmd-pipe-pane.c: 115 in cmd_pipe_pane_exec()
________________________________________________________________________________________________________
*** CID 976707: Error handling issues (NEGATIVE_RETURNS)
/external/bsd/tmux/dist/cmd-pipe-pane.c: 115 in cmd_pipe_pane_exec()
109 if (dup2(pipe_fd[1], STDIN_FILENO) == -1)
110 _exit(1);
111 if (pipe_fd[1] != STDIN_FILENO)
112 close(pipe_fd[1]);
113
114 null_fd = open(_PATH_DEVNULL, O_WRONLY, 0);
>>> CID 976707: Error handling issues (NEGATIVE_RETURNS)
>>> "null_fd" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
115 if (dup2(null_fd, STDOUT_FILENO) == -1)
116 _exit(1);
117 if (dup2(null_fd, STDERR_FILENO) == -1)
118 _exit(1);
119 if (null_fd != STDOUT_FILENO && null_fd != STDERR_FILENO)
120 close(null_fd);
** CID 980104: Error handling issues (CHECKED_RETURN)
/sys/net/ppp_tty.c: 883 in pppasyncctlp()
________________________________________________________________________________________________________
*** CID 980104: Error handling issues (CHECKED_RETURN)
/sys/net/ppp_tty.c: 883 in pppasyncctlp()
877 {
878 struct tty *tp;
879
880 /* Put a placeholder byte in canq for ttselect()/ttnread(). */
881 mutex_spin_enter(&tty_lock);
882 tp = (struct tty *) sc->sc_devp;
>>> CID 980104: Error handling issues (CHECKED_RETURN)
>>> Calling "putc" without checking return value (as is done elsewhere 13 out of 15 times).
883 putc(0, &tp->t_canq);
884 ttwakeup(tp);
885 mutex_spin_exit(&tty_lock);
886 }
887
888 /*
** CID 980105: Error handling issues (CHECKED_RETURN)
/sys/net/ppp_tty.c: 358 in pppread()
________________________________________________________________________________________________________
*** CID 980105: Error handling issues (CHECKED_RETURN)
/sys/net/ppp_tty.c: 358 in pppread()
352 mutex_spin_exit(&tty_lock);
353 return error;
354 }
355 }
356
357 /* Pull place-holder byte out of canonical queue */
>>> CID 980105: Error handling issues (CHECKED_RETURN)
>>> Calling "getc(&tp->t_canq)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
358 getc(&tp->t_canq);
359
360 /* Get the packet from the input queue */
361 IF_DEQUEUE(&sc->sc_inq, m0);
362 mutex_spin_exit(&tty_lock);
363
** CID 980441: Memory - corruptions (OVERRUN)
/sys/net/slcompress.c: 281 in sl_compress_tcp()
________________________________________________________________________________________________________
*** CID 980441: Memory - corruptions (OVERRUN)
/sys/net/slcompress.c: 281 in sl_compress_tcp()
275 deltaS = hlen;
276 hlen += th->th_off;
277 hlen <<= 2;
278 if (hlen > m->m_len)
279 return (TYPE_IP);
280
>>> CID 980441: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ip of 20 bytes by passing it to a function which accesses it at byte offset 20.
281 if (((uint16_t *)ip)[0] != ((uint16_t *)&cs->cs_ip)[0] ||
282 ((uint16_t *)ip)[3] != ((uint16_t *)&cs->cs_ip)[3] ||
283 ((uint16_t *)ip)[4] != ((uint16_t *)&cs->cs_ip)[4] ||
284 th->th_off != oth->th_off ||
285 (deltaS > 5 &&
286 memcmp(ip + 1, &cs->cs_ip + 1, (deltaS - 5) << 2)) ||
** CID 980442: Memory - corruptions (OVERRUN)
/sys/net/slcompress.c: 508 in sl_uncompress_tcp_core()
________________________________________________________________________________________________________
*** CID 980442: Memory - corruptions (OVERRUN)
/sys/net/slcompress.c: 508 in sl_uncompress_tcp_core()
502 hlen = ip->ip_hl << 2;
503 if (hlen + sizeof(struct tcphdr) > buflen)
504 goto bad;
505 hlen += ((struct tcphdr *)&((char *)ip)[hlen])->th_off << 2;
506 if (hlen > MAX_HDR || hlen > buflen)
507 goto bad;
>>> CID 980442: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ip of 20 bytes by passing it to a function which accesses it at byte offset 455 using argument "hlen" (which evaluates to 456).
508 memcpy(&cs->cs_ip, ip, hlen);
509 cs->cs_hlen = hlen;
510 INCR(sls_uncompressedin)
511 *hdrp = (u_char *) &cs->cs_ip;
512 *hlenp = hlen;
513 return (0);
** CID 1087984: Uninitialized variables (UNINIT)
/external/bsd/unbound/dist/daemon/remote.c: 2538 in handle_req()
________________________________________________________________________________________________________
*** CID 1087984: Uninitialized variables (UNINIT)
/external/bsd/unbound/dist/daemon/remote.c: 2538 in handle_req()
2532 static void
2533 handle_req(struct daemon_remote* rc, struct rc_state* s, SSL* ssl)
2534 {
2535 int r;
2536 char pre[10];
2537 char magic[7];
>>> CID 1087984: Uninitialized variables (UNINIT)
>>> Declaring variable "buf" without initializer.
2538 char buf[1024];
2539 #ifdef USE_WINSOCK
2540 /* makes it possible to set the socket blocking again. */
2541 /* basically removes it from winsock_event ... */
2542 WSAEventSelect(s->c->fd, NULL, 0);
2543 #endif
** CID 1087985: (TAINTED_SCALAR)
/external/bsd/unbound/dist/util/tube.c: 367 in tube_read_msg()
/external/bsd/unbound/dist/util/tube.c: 374 in tube_read_msg()
/external/bsd/unbound/dist/util/tube.c: 367 in tube_read_msg()
/external/bsd/unbound/dist/util/tube.c: 374 in tube_read_msg()
________________________________________________________________________________________________________
*** CID 1087985: (TAINTED_SCALAR)
/external/bsd/unbound/dist/util/tube.c: 367 in tube_read_msg()
361 (void)fd_set_nonblock(fd);
362 return 0;
363 }
364 d += r;
365 }
366 log_assert(*len < 65536*2);
>>> CID 1087985: (TAINTED_SCALAR)
>>> Passing tainted variable "*len" to a tainted sink. [Note: The source code implementation of the function has been overridden by a builtin model.]
367 *buf = (uint8_t*)malloc(*len);
368 if(!*buf) {
369 log_err("tube read out of memory");
370 (void)fd_set_nonblock(fd);
371 return 0;
372 }
/external/bsd/unbound/dist/util/tube.c: 374 in tube_read_msg()
368 if(!*buf) {
369 log_err("tube read out of memory");
370 (void)fd_set_nonblock(fd);
371 return 0;
372 }
373 d = 0;
>>> CID 1087985: (TAINTED_SCALAR)
>>> Using tainted variable "(ssize_t)*len" as a loop boundary.
374 while(d < (ssize_t)*len) {
375 if((r=read(fd, (*buf)+d, (size_t)((ssize_t)*len)-d)) == -1) {
376 log_err("tube msg read failed: %s", strerror(errno));
377 (void)fd_set_nonblock(fd);
378 free(*buf);
379 return 0;
/external/bsd/unbound/dist/util/tube.c: 367 in tube_read_msg()
361 (void)fd_set_nonblock(fd);
362 return 0;
363 }
364 d += r;
365 }
366 log_assert(*len < 65536*2);
>>> CID 1087985: (TAINTED_SCALAR)
>>> Passing tainted variable "*len" to a tainted sink. [Note: The source code implementation of the function has been overridden by a builtin model.]
367 *buf = (uint8_t*)malloc(*len);
368 if(!*buf) {
369 log_err("tube read out of memory");
370 (void)fd_set_nonblock(fd);
371 return 0;
372 }
/external/bsd/unbound/dist/util/tube.c: 374 in tube_read_msg()
368 if(!*buf) {
369 log_err("tube read out of memory");
370 (void)fd_set_nonblock(fd);
371 return 0;
372 }
373 d = 0;
>>> CID 1087985: (TAINTED_SCALAR)
>>> Using tainted variable "(ssize_t)*len" as a loop boundary.
374 while(d < (ssize_t)*len) {
375 if((r=read(fd, (*buf)+d, (size_t)((ssize_t)*len)-d)) == -1) {
376 log_err("tube msg read failed: %s", strerror(errno));
377 (void)fd_set_nonblock(fd);
378 free(*buf);
379 return 0;
** CID 1088005: Error handling issues (NEGATIVE_RETURNS)
/external/bsd/unbound/dist/smallapp/unbound-anchor.c: 1385 in xml_is_zone_name()
________________________________________________________________________________________________________
*** CID 1088005: Error handling issues (NEGATIVE_RETURNS)
/external/bsd/unbound/dist/smallapp/unbound-anchor.c: 1385 in xml_is_zone_name()
1379 long zlen;
1380 (void)BIO_seek(zone, 0);
1381 zlen = BIO_get_mem_data(zone, &z);
1382 if(!zlen || !z) return 0;
1383 /* zero terminate */
1384 if(zlen >= (long)sizeof(buf)) return 0;
>>> CID 1088005: Error handling issues (NEGATIVE_RETURNS)
>>> "(size_t)zlen" is passed to a parameter that cannot be negative.
1385 memmove(buf, z, (size_t)zlen);
1386 buf[zlen] = 0;
1387 /* compare */
1388 return (strncasecmp(buf, name, strlen(name)) == 0);
1389 }
1390
** CID 1088006: Error handling issues (NEGATIVE_RETURNS)
/external/bsd/unbound/dist/smallapp/unbound-anchor.c: 1862 in write_root_anchor()
________________________________________________________________________________________________________
*** CID 1088006: Error handling issues (NEGATIVE_RETURNS)
/external/bsd/unbound/dist/smallapp/unbound-anchor.c: 1862 in write_root_anchor()
1856 }
1857 out = fopen(root_anchor_file, "w");
1858 if(!out) {
1859 if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno));
1860 return;
1861 }
>>> CID 1088006: Error handling issues (NEGATIVE_RETURNS)
>>> "(size_t)len" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
1862 if(fwrite(pp, (size_t)len, 1, out) != 1) {
1863 if(verb) printf("failed to write all data to %s\n",
1864 root_anchor_file);
1865 if(verb && errno != 0) printf("%s\n", strerror(errno));
1866 }
1867 fflush(out);
** CID 1088007: Error handling issues (NEGATIVE_RETURNS)
/external/bsd/unbound/dist/smallapp/unbound-anchor.c: 1059 in read_chunked_zero_terminate()
________________________________________________________________________________________________________
*** CID 1088007: Error handling issues (NEGATIVE_RETURNS)
/external/bsd/unbound/dist/smallapp/unbound-anchor.c: 1059 in read_chunked_zero_terminate()
1053 if(verb>=2) printf("chunked data is %d\n", (int)l);
1054 if(l == 0 || d == NULL) {
1055 if(verb) printf("out of memory\n");
1056 return NULL;
1057 }
1058 *len = l-1;
>>> CID 1088007: Error handling issues (NEGATIVE_RETURNS)
>>> "l" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
1059 data = (char*)malloc(l);
1060 if(data == NULL) {
1061 if(verb) printf("out of memory\n");
1062 return NULL;
1063 }
1064 memcpy(data, d, l);
** CID 1088013: Insecure data handling (INTEGER_OVERFLOW)
/external/bsd/unbound/dist/util/tube.c: 375 in tube_read_msg()
________________________________________________________________________________________________________
*** CID 1088013: Insecure data handling (INTEGER_OVERFLOW)
/external/bsd/unbound/dist/util/tube.c: 375 in tube_read_msg()
369 log_err("tube read out of memory");
370 (void)fd_set_nonblock(fd);
371 return 0;
372 }
373 d = 0;
374 while(d < (ssize_t)*len) {
>>> CID 1088013: Insecure data handling (INTEGER_OVERFLOW)
>>> Overflowed or truncated value (or a value computed from an overflowed or truncated value) "(size_t)(ssize_t)*len - d" used as critical argument to function. [Note: The source code implementation of the function has been overridden by a builtin model.]
375 if((r=read(fd, (*buf)+d, (size_t)((ssize_t)*len)-d)) == -1) {
376 log_err("tube msg read failed: %s", strerror(errno));
377 (void)fd_set_nonblock(fd);
378 free(*buf);
379 return 0;
380 }
** CID 1088017: Control flow issues (DEADCODE)
/external/bsd/unbound/dist/util/data/msgparse.c: 663 in calc_size()
________________________________________________________________________________________________________
*** CID 1088017: Control flow issues (DEADCODE)
/external/bsd/unbound/dist/util/data/msgparse.c: 663 in calc_size()
657 count--;
658 len = 0;
659 break;
660 case LDNS_RDF_TYPE_STR:
661 if(pkt_len < 1) {
662 /* NOTREACHED, due to 'while(>0)' */
>>> CID 1088017: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return 0;".
663 return 0; /* len byte exceeds rdata */
664 }
665 len = sldns_buffer_current(pkt)[0] + 1;
666 break;
667 default:
668 len = get_rdf_size(desc->_wireformat[rdf]);
** CID 1107541: Error handling issues (CHECKED_RETURN)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/legacy/i810/i810_dri.c: 1405 in I810DRIEnter()
________________________________________________________________________________________________________
*** CID 1107541: Error handling issues (CHECKED_RETURN)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/legacy/i810/i810_dri.c: 1405 in I810DRIEnter()
1399 {
1400 I810Ptr pI810 = I810PTR(pScrn);
1401
1402 if (pI810->directRenderingEnabled) {
1403
1404 if (pI810->agpAcquired == FALSE)
>>> CID 1107541: Error handling issues (CHECKED_RETURN)
>>> Calling "drmAgpAcquire" without checking return value (as is done elsewhere 5 out of 6 times).
1405 drmAgpAcquire(pI810->drmSubFD);
1406 pI810->agpAcquired = TRUE;
1407 if (pI810->dcacheHandle != 0)
1408 if (drmAgpBind(pI810->drmSubFD, pI810->dcacheHandle,
1409 pI810->DepthOffset) != 0)
1410 return FALSE;
** CID 1193743: Control flow issues (MISSING_RESTORE)
/external/bsd/unbound/dist/util/data/msgparse.c: 239 in pkt_rrsig_covered()
________________________________________________________________________________________________________
*** CID 1193743: Control flow issues (MISSING_RESTORE)
/external/bsd/unbound/dist/util/data/msgparse.c: 239 in pkt_rrsig_covered()
233 pkt_rrsig_covered(sldns_buffer* pkt, uint8_t* here, uint16_t* type)
234 {
235 size_t pos = sldns_buffer_position(pkt);
236 sldns_buffer_set_position(pkt, (size_t)(here-sldns_buffer_begin(pkt)));
237 /* ttl + len + size of small rrsig(rootlabel, no signature) */
238 if(sldns_buffer_remaining(pkt) < 4+2+19)
>>> CID 1193743: Control flow issues (MISSING_RESTORE)
>>> Value of non-local "pkt->_position" that was saved in "pos" is not restored as it was along other paths.
239 return 0;
240 sldns_buffer_skip(pkt, 4); /* ttl */
241 if(sldns_buffer_read_u16(pkt) < 19) /* too short */ {
242 sldns_buffer_set_position(pkt, pos);
243 return 0;
244 }
** CID 1210465: (TAINTED_SCALAR)
/external/bsd/unbound/dist/util/data/msgparse.c: 911 in parse_packet()
/external/bsd/unbound/dist/util/data/msgparse.c: 912 in parse_packet()
/external/bsd/unbound/dist/util/data/msgparse.c: 924 in parse_packet()
/external/bsd/unbound/dist/util/data/msgparse.c: 913 in parse_packet()
________________________________________________________________________________________________________
*** CID 1210465: (TAINTED_SCALAR)
/external/bsd/unbound/dist/util/data/msgparse.c: 911 in parse_packet()
905 if(sldns_buffer_remaining(pkt) < LDNS_HEADER_SIZE)
906 return LDNS_RCODE_FORMERR;
907 /* read the header */
908 sldns_buffer_read(pkt, &msg->id, sizeof(uint16_t));
909 msg->flags = sldns_buffer_read_u16(pkt);
910 msg->qdcount = sldns_buffer_read_u16(pkt);
>>> CID 1210465: (TAINTED_SCALAR)
>>> Assigning: "msg->ancount" = "sldns_buffer_read_u16", which taints "msg->ancount".
911 msg->ancount = sldns_buffer_read_u16(pkt);
912 msg->nscount = sldns_buffer_read_u16(pkt);
913 msg->arcount = sldns_buffer_read_u16(pkt);
914 if(msg->qdcount > 1)
915 return LDNS_RCODE_FORMERR;
916 if((ret = parse_query_section(pkt, msg)) != 0)
/external/bsd/unbound/dist/util/data/msgparse.c: 912 in parse_packet()
906 return LDNS_RCODE_FORMERR;
907 /* read the header */
908 sldns_buffer_read(pkt, &msg->id, sizeof(uint16_t));
909 msg->flags = sldns_buffer_read_u16(pkt);
910 msg->qdcount = sldns_buffer_read_u16(pkt);
911 msg->ancount = sldns_buffer_read_u16(pkt);
>>> CID 1210465: (TAINTED_SCALAR)
>>> Assigning: "msg->nscount" = "sldns_buffer_read_u16", which taints "msg->nscount".
912 msg->nscount = sldns_buffer_read_u16(pkt);
913 msg->arcount = sldns_buffer_read_u16(pkt);
914 if(msg->qdcount > 1)
915 return LDNS_RCODE_FORMERR;
916 if((ret = parse_query_section(pkt, msg)) != 0)
917 return ret;
/external/bsd/unbound/dist/util/data/msgparse.c: 924 in parse_packet()
918 if((ret = parse_section(pkt, msg, region, LDNS_SECTION_ANSWER,
919 msg->ancount, &msg->an_rrsets)) != 0)
920 return ret;
921 if((ret = parse_section(pkt, msg, region, LDNS_SECTION_AUTHORITY,
922 msg->nscount, &msg->ns_rrsets)) != 0)
923 return ret;
>>> CID 1210465: (TAINTED_SCALAR)
>>> Casting narrower unsigned "msg->arcount" to wider signed type "int" effectively tests its lower bound.
924 if(sldns_buffer_remaining(pkt) == 0 && msg->arcount == 1) {
925 /* BIND accepts leniently that an EDNS record is missing.
926 * so, we do too. */
927 } else if((ret = parse_section(pkt, msg, region,
928 LDNS_SECTION_ADDITIONAL, msg->arcount, &msg->ar_rrsets)) != 0)
929 return ret;
/external/bsd/unbound/dist/util/data/msgparse.c: 913 in parse_packet()
907 /* read the header */
908 sldns_buffer_read(pkt, &msg->id, sizeof(uint16_t));
909 msg->flags = sldns_buffer_read_u16(pkt);
910 msg->qdcount = sldns_buffer_read_u16(pkt);
911 msg->ancount = sldns_buffer_read_u16(pkt);
912 msg->nscount = sldns_buffer_read_u16(pkt);
>>> CID 1210465: (TAINTED_SCALAR)
>>> Assigning: "msg->arcount" = "sldns_buffer_read_u16", which taints "msg->arcount".
913 msg->arcount = sldns_buffer_read_u16(pkt);
914 if(msg->qdcount > 1)
915 return LDNS_RCODE_FORMERR;
916 if((ret = parse_query_section(pkt, msg)) != 0)
917 return ret;
918 if((ret = parse_section(pkt, msg, region, LDNS_SECTION_ANSWER,
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRb2JZfDAOAZcqzsy8LMBKBjWas0CuiLQxeHDPm0bvVkx3qGSbylcqhUWgyuH34f4u8-3D_XWm3CUIFU8ffmjzuNhQ8cIHoQgXzXkm61Fmjr59D05XJbFI55O-2B-2BV1-2Fn4QtROU3VUmiyqfcRIdxIJFywdQXSuBBxkpepToARxbXne14J4N9smH2T97vjx89YihLkalTt-2FJaCu4Pb1fZ3bERC4WCXFcPjI2t-2FZdxd8diuZ0RYVGgb1143GflpyUajbAXTItbxviY0lHZMY1j6UyNdayP1zjQVRA2aVOZppEpx0ypJHSM-3D
To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-2FA8y06Nq4m7U7Yoel-2F6MYPxol7ToiLwYIjoNbVQOCAwEeTNJofEDwTlN0JRhKMyijhpnAObR-2FlLVG-2Fr3EBKWgiICNdX1HPA6Ws0-2F1wHBf2tG9AnMDB8g-3D_XWm3CUIFU8ffmjzuNhQ8cIHoQgXzXkm61Fmjr59D05XJbFI55O-2B-2BV1-2Fn4QtROU3VUmiyqfcRIdxIJFywdQXSuPdJF-2FdjYk3lS8jWyayb3CqfwmQhezSFfQiBe5gyeeD68nultpxTCsq7pKhLnrPjA5C0u27UaQE06aYOoHLicSL-2FAJppBUchDB6VGPP1n1hOxa6wvRnu7t2CItuU0c7SBcxXq46-2FjdtZOgB8AYxQUWM-3D
Home |
Main Index |
Thread Index |
Old Index