Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-i386-kernel
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.
500 new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.
43 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 500 defect(s)
** CID 1427724: (TAINTED_SCALAR)
/sys/net80211/ieee80211_input.c: 2123 in ieee80211_recv_mgmt_beacon()
/sys/net80211/ieee80211_input.c: 2123 in ieee80211_recv_mgmt_beacon()
/sys/net80211/ieee80211_input.c: 2119 in ieee80211_recv_mgmt_beacon()
/sys/net80211/ieee80211_input.c: 2115 in ieee80211_recv_mgmt_beacon()
/sys/net80211/ieee80211_input.c: 2171 in ieee80211_recv_mgmt_beacon()
/sys/net80211/ieee80211_input.c: 2164 in ieee80211_recv_mgmt_beacon()
/sys/net80211/ieee80211_input.c: 2151 in ieee80211_recv_mgmt_beacon()
________________________________________________________________________________________________________
*** CID 1427724: (TAINTED_SCALAR)
/sys/net80211/ieee80211_input.c: 2123 in ieee80211_recv_mgmt_beacon()
2117 case IEEE80211_ELEMID_RATES:
2118 /* no length check needed */
2119 scan.sp_rates = frm;
2120 break;
2121 case IEEE80211_ELEMID_COUNTRY:
2122 /* XXX: we don't do anything with this? */
>>> CID 1427724: (TAINTED_SCALAR)
>>> Assigning: "scan.sp_country" = "frm". Both are now tainted.
2123 scan.sp_country = frm;
2124 break;
2125 case IEEE80211_ELEMID_FHPARMS:
2126 IEEE80211_VERIFY_LENGTH(frm[1], 5);
2127 if (ic->ic_phytype == IEEE80211_T_FH) {
2128 scan.sp_fhdwell = LE_READ_2(&frm[2]);
/sys/net80211/ieee80211_input.c: 2123 in ieee80211_recv_mgmt_beacon()
2117 case IEEE80211_ELEMID_RATES:
2118 /* no length check needed */
2119 scan.sp_rates = frm;
2120 break;
2121 case IEEE80211_ELEMID_COUNTRY:
2122 /* XXX: we don't do anything with this? */
>>> CID 1427724: (TAINTED_SCALAR)
>>> Assigning: "scan.sp_country" = "frm". Both are now tainted.
2123 scan.sp_country = frm;
2124 break;
2125 case IEEE80211_ELEMID_FHPARMS:
2126 IEEE80211_VERIFY_LENGTH(frm[1], 5);
2127 if (ic->ic_phytype == IEEE80211_T_FH) {
2128 scan.sp_fhdwell = LE_READ_2(&frm[2]);
/sys/net80211/ieee80211_input.c: 2119 in ieee80211_recv_mgmt_beacon()
2113 case IEEE80211_ELEMID_SSID:
2114 /* no length check needed */
2115 scan.sp_ssid = frm;
2116 break;
2117 case IEEE80211_ELEMID_RATES:
2118 /* no length check needed */
>>> CID 1427724: (TAINTED_SCALAR)
>>> Assigning: "scan.sp_rates" = "frm". Both are now tainted.
2119 scan.sp_rates = frm;
2120 break;
2121 case IEEE80211_ELEMID_COUNTRY:
2122 /* XXX: we don't do anything with this? */
2123 scan.sp_country = frm;
2124 break;
/sys/net80211/ieee80211_input.c: 2115 in ieee80211_recv_mgmt_beacon()
2109 while (frm + 1 < efrm) {
2110 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);
2111
2112 switch (*frm) {
2113 case IEEE80211_ELEMID_SSID:
2114 /* no length check needed */
>>> CID 1427724: (TAINTED_SCALAR)
>>> Assigning: "scan.sp_ssid" = "frm". Both are now tainted.
2115 scan.sp_ssid = frm;
2116 break;
2117 case IEEE80211_ELEMID_RATES:
2118 /* no length check needed */
2119 scan.sp_rates = frm;
2120 break;
/sys/net80211/ieee80211_input.c: 2171 in ieee80211_recv_mgmt_beacon()
2165 break;
2166 case IEEE80211_ELEMID_VENDOR:
2167 /* no length check needed */
2168 if (iswpaoui(frm))
2169 scan.sp_wpa = frm;
2170 else if (iswmeparam(frm) || iswmeinfo(frm))
>>> CID 1427724: (TAINTED_SCALAR)
>>> Assigning: "scan.sp_wme" = "frm". Both are now tainted.
2171 scan.sp_wme = frm;
2172 /* XXX Atheros OUI support */
2173 break;
2174 default:
2175 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID,
2176 wh, "unhandled", "id %u, len %u", *frm, frm[1]);
/sys/net80211/ieee80211_input.c: 2164 in ieee80211_recv_mgmt_beacon()
2158 break;
2159 }
2160 scan.sp_erp = frm[2];
2161 break;
2162 case IEEE80211_ELEMID_RSN:
2163 /* no length check needed */
>>> CID 1427724: (TAINTED_SCALAR)
>>> Assigning: "scan.sp_wpa" = "frm". Both are now tainted.
2164 scan.sp_wpa = frm;
2165 break;
2166 case IEEE80211_ELEMID_VENDOR:
2167 /* no length check needed */
2168 if (iswpaoui(frm))
2169 scan.sp_wpa = frm;
/sys/net80211/ieee80211_input.c: 2151 in ieee80211_recv_mgmt_beacon()
2145 scan.sp_tim = frm;
2146 scan.sp_timoff = frm - mtod(m0, u_int8_t *);
2147 break;
2148 case IEEE80211_ELEMID_IBSSPARMS:
2149 break;
2150 case IEEE80211_ELEMID_XRATES:
>>> CID 1427724: (TAINTED_SCALAR)
>>> Assigning: "scan.sp_xrates" = "frm". Both are now tainted.
2151 scan.sp_xrates = frm;
2152 break;
2153 case IEEE80211_ELEMID_ERP:
2154 if (frm[1] != 1) {
2155 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID,
2156 wh, "ERP", "bad len %u", frm[1]);
** CID 1427723: (DEADCODE)
/sys/dev/pci/ixgbe/ixgbe.c: 505 in ixgbe_initialize_rss_mapping()
/sys/dev/pci/ixgbe/ixgbe.c: 507 in ixgbe_initialize_rss_mapping()
/sys/dev/pci/ixgbe/ixgbe.c: 509 in ixgbe_initialize_rss_mapping()
________________________________________________________________________________________________________
*** CID 1427723: (DEADCODE)
/sys/dev/pci/ixgbe/ixgbe.c: 505 in ixgbe_initialize_rss_mapping()
499 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV6_TCP;
500 if (rss_hash_config & RSS_HASHTYPE_RSS_IPV6_EX)
501 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV6_EX;
502 if (rss_hash_config & RSS_HASHTYPE_RSS_TCP_IPV6_EX)
503 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV6_EX_TCP;
504 if (rss_hash_config & RSS_HASHTYPE_RSS_UDP_IPV4)
>>> CID 1427723: (DEADCODE)
>>> Execution cannot reach this statement: "mrqc |= 0x400000U;".
505 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV4_UDP;
506 if (rss_hash_config & RSS_HASHTYPE_RSS_UDP_IPV6)
507 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV6_UDP;
508 if (rss_hash_config & RSS_HASHTYPE_RSS_UDP_IPV6_EX)
509 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV6_EX_UDP;
510 mrqc |= ixgbe_get_mrqc(adapter->iov_mode);
/sys/dev/pci/ixgbe/ixgbe.c: 507 in ixgbe_initialize_rss_mapping()
501 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV6_EX;
502 if (rss_hash_config & RSS_HASHTYPE_RSS_TCP_IPV6_EX)
503 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV6_EX_TCP;
504 if (rss_hash_config & RSS_HASHTYPE_RSS_UDP_IPV4)
505 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV4_UDP;
506 if (rss_hash_config & RSS_HASHTYPE_RSS_UDP_IPV6)
>>> CID 1427723: (DEADCODE)
>>> Execution cannot reach this statement: "mrqc |= 0x800000U;".
507 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV6_UDP;
508 if (rss_hash_config & RSS_HASHTYPE_RSS_UDP_IPV6_EX)
509 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV6_EX_UDP;
510 mrqc |= ixgbe_get_mrqc(adapter->iov_mode);
511 IXGBE_WRITE_REG(hw, IXGBE_MRQC, mrqc);
512 } /* ixgbe_initialize_rss_mapping */
/sys/dev/pci/ixgbe/ixgbe.c: 509 in ixgbe_initialize_rss_mapping()
503 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV6_EX_TCP;
504 if (rss_hash_config & RSS_HASHTYPE_RSS_UDP_IPV4)
505 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV4_UDP;
506 if (rss_hash_config & RSS_HASHTYPE_RSS_UDP_IPV6)
507 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV6_UDP;
508 if (rss_hash_config & RSS_HASHTYPE_RSS_UDP_IPV6_EX)
>>> CID 1427723: (DEADCODE)
>>> Execution cannot reach this statement: "mrqc |= 0x1000000U;".
509 mrqc |= IXGBE_MRQC_RSS_FIELD_IPV6_EX_UDP;
510 mrqc |= ixgbe_get_mrqc(adapter->iov_mode);
511 IXGBE_WRITE_REG(hw, IXGBE_MRQC, mrqc);
512 } /* ixgbe_initialize_rss_mapping */
513
514 /************************************************************************
** CID 1427722: Memory - illegal accesses (OVERRUN)
/sys/dev/pci/if_iwm.c: 3970 in iwm_rx_rx_mpdu()
________________________________________________________________________________________________________
*** CID 1427722: Memory - illegal accesses (OVERRUN)
/sys/dev/pci/if_iwm.c: 3970 in iwm_rx_rx_mpdu()
3964 if (__predict_false(sc->sc_drvbpf != NULL)) {
3965 struct iwm_rx_radiotap_header *tap = &sc->sc_rxtap;
3966
3967 tap->wr_flags = 0;
3968 if (phy_info->phy_flags & htole16(IWM_PHY_INFO_FLAG_SHPREAMBLE))
3969 tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
>>> CID 1427722: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "ic->ic_channels" of 256 4-byte elements at element index 256 (byte offset 1024) using index "phy_info->channel" (which evaluates to 256).
3970 tap->wr_chan_freq =
3971 htole16(ic->ic_channels[phy_info->channel].ic_freq);
3972 tap->wr_chan_flags =
3973 htole16(ic->ic_channels[phy_info->channel].ic_flags);
3974 tap->wr_dbm_antsignal = (int8_t)rssi;
3975 tap->wr_dbm_antnoise = (int8_t)sc->sc_noise;
** CID 1427721: Memory - corruptions (OVERRUN)
/sys/netinet/ip_input.c: 1219 in save_rte()
________________________________________________________________________________________________________
*** CID 1427721: Memory - corruptions (OVERRUN)
/sys/netinet/ip_input.c: 1219 in save_rte()
1213
1214 mtag = m_tag_get(PACKET_TAG_SRCROUTE, sizeof(*isr), M_NOWAIT);
1215 if (mtag == NULL)
1216 return;
1217 isr = (struct ip_srcrt *)(mtag + 1);
1218
>>> CID 1427721: Memory - corruptions (OVERRUN)
>>> Overrunning array "isr->isr_hdr" of 3 bytes by passing it to a function which accesses it at byte offset 42 using argument "olen" (which evaluates to 43).
1219 memcpy(isr->isr_hdr, option, olen);
1220 isr->isr_nhops = (olen - IPOPT_OFFSET - 1) / sizeof(struct in_addr);
1221 isr->isr_dst = dst;
1222 m_tag_prepend(m, mtag);
1223 }
1224
** CID 1427720: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/if_bwfm_usb.c: 803 in bwfm_usb_txctl()
________________________________________________________________________________________________________
*** CID 1427720: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/if_bwfm_usb.c: 803 in bwfm_usb_txctl()
797 DPRINTFN(2, ("%s: %s\n", DEVNAME(sc), __func__));
798
799 req.bmRequestType = UT_WRITE_CLASS_INTERFACE;
800 req.bRequest = 0;
801
802 USETW(req.wValue, 0);
>>> CID 1427720: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "sc->sc_ifaceno >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
803 USETW(req.wIndex, sc->sc_ifaceno);
804 USETW(req.wLength, len);
805
806 error = usbd_do_request(sc->sc_udev, &req, buf);
807 if (error != 0) {
808 printf("%s: could not read ctl packet: %s\n",
** CID 1427719: Integer handling issues (BAD_SHIFT)
/sys/dev/pci/ixgbe/ixgbe.c: 2336 in ixgbe_get_slot_info()
________________________________________________________________________________________________________
*** CID 1427719: Integer handling issues (BAD_SHIFT)
/sys/dev/pci/ixgbe/ixgbe.c: 2336 in ixgbe_get_slot_info()
2330 ixgbe_get_bus_info(hw);
2331 goto display;
2332 }
2333 /* ...and read the Link Status Register */
2334 link = pci_conf_read(adapter->osdep.pc, adapter->osdep.tag,
2335 offset + PCIE_LCSR);
>>> CID 1427719: Integer handling issues (BAD_SHIFT)
>>> In expression "link >> 16", right shifting "link" by more than 15 bits always yields zero. The shift amount is 16.
2336 ixgbe_set_pci_config_data_generic(hw, link >> 16);
2337
2338 display:
2339 device_printf(dev, "PCI Express Bus: Speed %s Width %s\n",
2340 ((hw->bus.speed == ixgbe_bus_speed_8000) ? "8.0GT/s" :
2341 (hw->bus.speed == ixgbe_bus_speed_5000) ? "5.0GT/s" :
** CID 1427717: Uninitialized variables (UNINIT)
/sys/arch/x86/x86/pmc.c: 201 in pmc_read_cpu()
________________________________________________________________________________________________________
*** CID 1427717: Uninitialized variables (UNINIT)
/sys/arch/x86/x86/pmc.c: 201 in pmc_read_cpu()
195 evtmsr = rdmsr(pmc->evtmsr);
196
197 /*
198 * Quickly disable the counter, to avoid getting an NMI after setting
199 * ctrval.
200 */
>>> CID 1427717: Uninitialized variables (UNINIT)
>>> Using uninitialized value "en".
201 wrmsr(pmc->evtmsr, evtmsr & ~en);
202
203 cpu->val[pmc->n].ctrval =
204 (rdmsr(pmc->ctrmsr) & pmc->ctrmask) - pmc->ctrinitval;
205 cpu->val[pmc->n].overfl = cpu->nmioverfl[pmc->n];
206
** CID 1427716: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/umass_isdata.c: 544 in uisdata_get_params()
________________________________________________________________________________________________________
*** CID 1427716: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/umass_isdata.c: 544 in uisdata_get_params()
538 DPRINTF(("%s\n", __func__));
539
540 memset(tb, 0, DEV_BSIZE);
541 memset(prms, 0, sizeof(struct ataparams));
542
543 xfer = ata_get_xfer(drvp->chnl_softc);
>>> CID 1427716: Null pointer dereferences (FORWARD_NULL)
>>> Comparing "xfer" to null implies that "xfer" might be null.
544 if (!xfer) {
545 rv = CMD_AGAIN;
546 goto out;
547 }
548
549 xfer->c_ata_c.r_command = WDCC_IDENTIFY;
** CID 1427715: Incorrect expression (SIZEOF_MISMATCH)
/sys/net/if_spppsubr.c: 3733 in sppp_ipv6cp_RCR()
________________________________________________________________________________________________________
*** CID 1427715: Incorrect expression (SIZEOF_MISMATCH)
/sys/net/if_spppsubr.c: 3733 in sppp_ipv6cp_RCR()
3727 }
3728
3729 memset(&suggestaddr, 0, sizeof(suggestaddr));
3730 if (collision && nohisaddr) {
3731 /* collision, hisaddr unknown - Conf-Rej */
3732 type = CONF_REJ;
>>> CID 1427715: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "&p[2]" of type "u_char *" and argument "8U" to function "memset" is suspicious because "sizeof (u_char) /*1*/" is expected.
3733 memset(&p[2], 0, 8);
3734 } else {
3735 /*
3736 * - no collision, hisaddr unknown, or
3737 * - collision, hisaddr known
3738 * Conf-Nak, suggest hisaddr
** CID 1427713: Control flow issues (DEADCODE)
/sys/dev/pci/ixgbe/ixgbe.c: 6010 in ixgbe_allocate_msix()
________________________________________________________________________________________________________
*** CID 1427713: Control flow issues (DEADCODE)
/sys/dev/pci/ixgbe/ixgbe.c: 6010 in ixgbe_allocate_msix()
6004 if (error == 0)
6005 aprint_normal(", affinity to cpu %d\n", cpu_id % ncpu);
6006 else
6007 aprint_normal("\n");
6008
6009 if (adapter->feat_cap & IXGBE_FEATURE_SRIOV) {
>>> CID 1427713: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "adapter->mbx_si = softint_e...".
6010 adapter->mbx_si =
6011 softint_establish(SOFTINT_NET | IXGBE_SOFTINFT_FLAGS,
6012 ixgbe_handle_mbx, adapter);
6013 if (adapter->mbx_si == NULL) {
6014 aprint_error_dev(dev,
6015 "could not establish software interrupts\n");
** CID 1427712: Control flow issues (UNREACHABLE)
/sys/compat/linux/common/linux_socket.c: 1840 in linux_sys_recvmmsg()
________________________________________________________________________________________________________
*** CID 1427712: Control flow issues (UNREACHABLE)
/sys/compat/linux/common/linux_socket.c: 1840 in linux_sys_recvmmsg()
1834 struct linux_timespec lts;
1835 unsigned int vlen, flags, dg;
1836
1837 if (SCARG(uap, timeout)) {
1838 error = copyin(SCARG(uap, timeout), &lts, sizeof(lts));
1839 return error;
>>> CID 1427712: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "ts.tv_sec = lts.tv_sec;".
1840 ts.tv_sec = lts.tv_sec;
1841 ts.tv_nsec = lts.tv_nsec;
1842 getnanotime(&now);
1843 timespecadd(&now, &ts, &ts);
1844 }
1845
** CID 1427710: Code maintainability issues (UNUSED_VALUE)
/sys/dev/usb/if_axe.c: 1023 in axe_attach()
________________________________________________________________________________________________________
*** CID 1427710: Code maintainability issues (UNUSED_VALUE)
/sys/dev/usb/if_axe.c: 1023 in axe_attach()
1017 * tagging support of AX88772B is very limited so it's
1018 * not possible to announce IFCAP_VLAN_HWTAGGING.
1019 */
1020 }
1021 u_int adv_pause;
1022 if (sc->axe_flags & (AX772A | AX772B | AX178))
>>> CID 1427710: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "256U" to "adv_pause" here, but that stored value is overwritten before it can be used.
1023 adv_pause = MIIF_DOPAUSE;
1024 else
1025 adv_pause = 0;
1026 adv_pause = 0;
1027
1028 /* Initialize MII/media info. */
** CID 1427709: (DEADCODE)
/sys/dev/pci/ixgbe/ixgbe.c: 449 in ixgbe_initialize_rss_mapping()
/sys/dev/pci/ixgbe/ixgbe.c: 476 in ixgbe_initialize_rss_mapping()
________________________________________________________________________________________________________
*** CID 1427709: (DEADCODE)
/sys/dev/pci/ixgbe/ixgbe.c: 449 in ixgbe_initialize_rss_mapping()
443 if (adapter->feat_en & IXGBE_FEATURE_RSS) {
444 /*
445 * Fetch the RSS bucket id for the given indirection
446 * entry. Cap it at the number of configured buckets
447 * (which is num_queues.)
448 */
>>> CID 1427709: (DEADCODE)
>>> Execution cannot reach this statement: "queue_id = 0;".
449 queue_id = rss_get_indirection_to_bucket(i);
450 queue_id = queue_id % adapter->num_queues;
451 } else
452 queue_id = (j * index_mult);
453
454 /*
/sys/dev/pci/ixgbe/ixgbe.c: 476 in ixgbe_initialize_rss_mapping()
470 /* Now fill our hash function seeds */
471 for (i = 0; i < 10; i++)
472 IXGBE_WRITE_REG(hw, IXGBE_RSSRK(i), rss_key[i]);
473
474 /* Perform hash on these packet types */
475 if (adapter->feat_en & IXGBE_FEATURE_RSS)
>>> CID 1427709: (DEADCODE)
>>> Execution cannot reach this statement: "rss_hash_config = 126U;".
476 rss_hash_config = rss_gethashconfig();
477 else {
478 /*
479 * Disable UDP - IP fragments aren't currently being handled
480 * and so we end up with a mix of 2-tuple and 4-tuple
481 * traffic.
** CID 1427708: Error handling issues (CHECKED_RETURN)
/sys/dev/i2c/ihidev.c: 584 in ihidev_reset()
________________________________________________________________________________________________________
*** CID 1427708: Error handling issues (CHECKED_RETURN)
/sys/dev/i2c/ihidev.c: 584 in ihidev_reset()
578
579 DELAY(1000);
580
581 if (ihidev_hid_command(sc, I2C_HID_CMD_RESET, 0, poll)) {
582 aprint_error_dev(sc->sc_dev, "failed to reset hardware\n");
583
>>> CID 1427708: Error handling issues (CHECKED_RETURN)
>>> Calling "ihidev_hid_command" without checking return value (as is done elsewhere 5 out of 6 times).
584 ihidev_hid_command(sc, I2C_HID_CMD_SET_POWER,
585 &I2C_HID_POWER_OFF, poll);
586
587 return (1);
588 }
589
** CID 1427707: Memory - corruptions (OVERRUN)
/sys/dev/ic/wi.c: 2374 in wi_get_cfg()
________________________________________________________________________________________________________
*** CID 1427707: Memory - corruptions (OVERRUN)
/sys/dev/ic/wi.c: 2374 in wi_get_cfg()
2368 if (len < sc->sc_nodelen + sizeof(u_int16_t)) {
2369 error = ENOSPC;
2370 break;
2371 }
2372 len = sc->sc_nodelen + sizeof(u_int16_t);
2373 wreq.wi_val[0] = htole16((sc->sc_nodelen + 1) / 2);
>>> CID 1427707: Memory - corruptions (OVERRUN)
>>> Overrunning array "sc->sc_nodename" of 32 bytes by passing it to a function which accesses it at byte offset 1021 using argument "sc->sc_nodelen" (which evaluates to 1022).
2374 memcpy(&wreq.wi_val[1], sc->sc_nodename,
2375 sc->sc_nodelen);
2376 break;
2377 default:
2378 return ieee80211_cfgget(ic, cmd, data);
2379 }
** CID 1427706: Integer handling issues (BAD_SHIFT)
/sys/external/bsd/acpica/dist/hardware/hwregs.c: 398 in AcpiHwWrite()
________________________________________________________________________________________________________
*** CID 1427706: Integer handling issues (BAD_SHIFT)
/sys/external/bsd/acpica/dist/hardware/hwregs.c: 398 in AcpiHwWrite()
392 while (BitWidth)
393 {
394 /*
395 * Use offset style bit reads because "Index * AccessWidth" is
396 * ensured to be less than 64-bits by AcpiHwValidateRegister().
397 */
>>> CID 1427706: Integer handling issues (BAD_SHIFT)
>>> In expression "Value >> Index * AccessWidth", right shifting by more than 63 bits has undefined behavior. The shift amount, "Index * AccessWidth", is 64.
398 Value64 = ACPI_GET_BITS (&Value, Index * AccessWidth,
399 ACPI_MASK_BITS_ABOVE_64 (AccessWidth));
400
401 if (BitOffset >= AccessWidth)
402 {
403 BitOffset -= AccessWidth;
** CID 1427705: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/umidi.c: 1103 in alloc_all_jacks()
________________________________________________________________________________________________________
*** CID 1427705: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/umidi.c: 1103 in alloc_all_jacks()
1097 jack->u.out.intr = NULL;
1098 jack->midiman_ppkt = NULL;
1099 if (sc->cblnums_global)
1100 jack->cable_number = i;
1101 jack++;
1102 }
>>> CID 1427705: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "sc->sc_in_jacks".
1103 jack = &sc->sc_in_jacks[0];
1104 for (i = 0; i < sc->sc_in_num_jacks; i++) {
1105 jack->opened = 0;
1106 jack->bound = 0;
1107 jack->arg = NULL;
1108 jack->u.in.intr = NULL;
** CID 1427703: Null pointer dereferences (REVERSE_INULL)
/sys/dev/pci/twa.c: 3046 in twa_describe_controller()
________________________________________________________________________________________________________
*** CID 1427703: Null pointer dereferences (REVERSE_INULL)
/sys/dev/pci/twa.c: 3046 in twa_describe_controller()
3040
3041 aprint_verbose_dev(sc->twa_dv, "port %d: %.40s %d MB\n",
3042 i, p[8]->data, dsize / 2048);
3043
3044 if (p[8])
3045 free(p[8], M_DEVBUF);
>>> CID 1427703: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "p[9]" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
3046 if (p[9])
3047 free(p[9], M_DEVBUF);
3048 }
3049 bail:
3050 if (p[0])
3051 free(p[0], M_DEVBUF);
** CID 1427702: Control flow issues (DEADCODE)
/sys/dev/pci/ixgbe/ixgbe.c: 3200 in ixgbe_free_softint()
________________________________________________________________________________________________________
*** CID 1427702: Control flow issues (DEADCODE)
/sys/dev/pci/ixgbe/ixgbe.c: 3200 in ixgbe_free_softint()
3194 if (adapter->fdir_si != NULL) {
3195 softint_disestablish(adapter->fdir_si);
3196 adapter->fdir_si = NULL;
3197 }
3198 }
3199 if (adapter->feat_cap & IXGBE_FEATURE_SRIOV) {
>>> CID 1427702: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "if (adapter->mbx_si != NULL...".
3200 if (adapter->mbx_si != NULL) {
3201 softint_disestablish(adapter->mbx_si);
3202 adapter->mbx_si = NULL;
3203 }
3204 }
3205 } /* ixgbe_free_softint */
** CID 1427701: Null pointer dereferences (FORWARD_NULL)
/sys/arch/x86/x86/pmap.c: 4315 in pmap_enter_ma()
________________________________________________________________________________________________________
*** CID 1427701: Null pointer dereferences (FORWARD_NULL)
/sys/arch/x86/x86/pmap.c: 4315 in pmap_enter_ma()
4309
4310 bool needpves = pmap_pp_needs_pve(new_pp);
4311 if (needpves) {
4312 new_pve = pool_cache_get(&pmap_pv_cache, PR_NOWAIT);
4313 new_sparepve = pool_cache_get(&pmap_pv_cache, PR_NOWAIT);
4314 } else {
>>> CID 1427701: Null pointer dereferences (FORWARD_NULL)
>>> Assigning: "new_pve" = "NULL".
4315 new_pve = NULL;
4316 new_sparepve = NULL;
4317 }
4318
4319 kpreempt_disable();
4320 pmap_map_ptes(pmap, &pmap2, &ptes, &pdes); /* locks pmap */
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRb2JZfDAOAZcqzsy8LMBKBjEGdxS-2FDDouPkeZ4HbDca3C30UoLW748TLKQM-2BXRpGRc-3D_XWm3CUIFU8ffmjzuNhQ8cIHoQgXzXkm61Fmjr59D05UtWgsqR795WXXtONurg1vn2CKzHIZSBn5gY-2B3SgD7h1STWDBawX8fLOyOxMltjtWL8ilih2UqVLp0YWdPZ4Bis50bJJEMwxobFY2fQgybHsWJBZAiBMUUFtMa-2Bm53cby-2B0K-2FdSAo-2B6BRD7FjQEmxXHwKy2A9moSRIpR-2BPk-2FXp9orN2Suz25cFbBaBGCI6OWN4-3D