Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD



Hi,

Please find the latest report on new defect(s) introduced to NetBSD 
(NetBSD-i386-user) found with Coverity Scan

Defect(s) Reported-by: Coverity Scan
Showing 7 of 29 defects
        
** CID 1125884: Double close (USE_AFTER_FREE)
/tests/net/net/t_unix.c: 247

** CID 1125883: Structurally dead code (UNREACHABLE)
/tests/net/net/t_tcp.c: 82

** CID 1125882: Uninitialized scalar variable (UNINIT)
/usr.sbin/lpr/common_source/common.c: 409

** CID 1125881: Uninitialized scalar variable (UNINIT)
/sys/rump/librump/rumpkern/vm.c: 983

** CID 1125880: Uninitialized scalar variable (UNINIT)
/sys/dev/tprof/tprof.c: 235

** CID 1125879: Uninitialized scalar variable (UNINIT)
/sys/dev/tprof/tprof.c: 283

** CID 1125878: Untrusted loop bound (TAINTED_SCALAR)
/sbin/gpt/migrate.c: 179


________________________________________________________________________
CID 1125884: Double close (USE_AFTER_FREE)

/tests/net/net/t_unix.c: 188 ( closed_arg)
   185                  FAIL("connect");
   186    
   187          if (closeit) {
>>> "close(int)" closes "clnt".
   188                  if (close(clnt) == -1)
   189                          FAIL("close");
   190          }
   191    
   192          acpt = acc(srvr);
  

/tests/net/net/t_unix.c: 247 ( double_close)
   244    fail:
   245          (void)close(acpt);
   246          (void)close(srvr);
>>> CID 1125884: Double close (USE_AFTER_FREE)
>>> Calling "close(int)" closes handle "clnt" which has already been closed.
>>> NOTE(review): when "closeit" is set, "clnt" was already closed at line 188
>>> and the fail: path closes the same descriptor number again. Assign
>>> clnt = -1 right after the successful close at line 188 (close(-1) fails
>>> harmlessly with EBADF), so the cleanup path can never close a descriptor
>>> number that may since have been reused for an unrelated open file.
   247          (void)close(clnt);
   248          free(sock_addr);
   249          free(sun);
   250          return -1;
   251    }
  
________________________________________________________________________
CID 1125883: Structurally dead code (UNREACHABLE)

/tests/net/net/t_tcp.c: 82 ( unreachable)
   79           if (srvr == -1)
   80                   FAIL("socket");
   81    
>>> CID 1125883: Structurally dead code (UNREACHABLE)
>>> This code cannot be reached: "memset(&sin, 0, 16U);".
>>> NOTE(review): everything after the guard 'if (srvr == -1) FAIL("socket");'
>>> is reported dead, which suggests the FAIL() expansion leaves the function on
>>> every path, not only when socket() failed. The macro definition is outside
>>> this excerpt; check whether it expands to more than one statement (an
>>> unbraced if body then runs the second statement unconditionally) and either
>>> wrap the macro body in do { ... } while (0) or brace the call site.
   82           memset(&sin, 0, sizeof(sin));
   83           sin.sin_family = AF_INET;
   84    #ifdef BSD4_4
   85           sin.sin_len = sizeof(sin);
   86    #endif
  
________________________________________________________________________
CID 1125882: Uninitialized scalar variable (UNINIT)

/usr.sbin/lpr/common_source/common.c: 353 ( var_decl)
   350    const char *
   351    checkremote(void)
   352    {
>>> Declaring variable "lname" without initializer.
   353          char lname[NI_MAXHOST], rname[NI_MAXHOST];
   354          struct addrinfo hints, *res, *res0;
   355          static char errbuf[128];
   356          int error;
   357          struct ifaddrs *ifap, *ifa;
  

/usr.sbin/lpr/common_source/common.c: 409 ( uninit_use_in_call)
   406                                          continue;
   407                          }
   408    
>>> CID 1125882: Uninitialized scalar variable (UNINIT)
>>> Using uninitialized element of array "lname" when calling "strcmp(char 
>>> const *, char const *)".
>>> NOTE(review): strcmp() scans until it finds a NUL byte, so on any path that
>>> reaches line 409 without having written "lname" (the code that fills it is
>>> outside this excerpt) the comparison reads stack garbage and can run past the
>>> NI_MAXHOST buffer. Initialize the array at its declaration
>>> ('char lname[NI_MAXHOST] = "";') and/or check the return value of the call
>>> that is expected to fill it before the comparison.
   409                          if (strcmp(rname, lname) == 0) {
   410                                  remote = 0;
   411                                  goto done;
   412                          }
   413                  }
  
________________________________________________________________________
CID 1125881: Uninitialized scalar variable (UNINIT)

/sys/rump/librump/rumpkern/vm.c: 978 ( var_decl)
   975                          mutex_exit(uobj->vmobjlock);
   976                  }
   977          } else if (*lockrunning == false && ncpu > 1) {
>>> Declaring variable "cii" without initializer.
   978                  CPU_INFO_ITERATOR cii;
   979                  struct cpu_info *ci;
   980                  struct lwp *l;
   981    
   982                  l = mutex_owner(uobj->vmobjlock);
  

/sys/rump/librump/rumpkern/vm.c: 983 ( uninit_use)
   980                  struct lwp *l;
   981    
   982                  l = mutex_owner(uobj->vmobjlock);
>>> CID 1125881: Uninitialized scalar variable (UNINIT)
>>> Using uninitialized value "cii".
>>> NOTE(review): "cii" is only ever handed to the CPU_INFO_FOREACH() macro,
>>> whose machine-dependent expansion is not shown here. If that expansion
>>> assigns "cii" in its init clause before reading it, this is a false positive
>>> that can be triaged as such; if on some configurations it reads "cii" first,
>>> an explicit initializer on line 978 is the cheap fix. Either way, verify the
>>> macro rather than dismissing the three CPU_INFO_ITERATOR reports together.
   983                  for (CPU_INFO_FOREACH(cii, ci)) {
   984                          if (ci->ci_curlwp == l) {
   985                                  *lockrunning = true;
   986                                  break;
   987                          }
  
________________________________________________________________________
CID 1125880: Uninitialized scalar variable (UNINIT)

/sys/dev/tprof/tprof.c: 229 ( var_decl)
   226    static void
   227    tprof_stop1(void)
   228    {
>>> Declaring variable "cii" without initializer.
   229          CPU_INFO_ITERATOR cii;
   230          struct cpu_info *ci;
   231    
   232          KASSERT(mutex_owned(&tprof_startstop_lock));
   233          KASSERT(tprof_nworker == 0);
  

/sys/dev/tprof/tprof.c: 235 ( uninit_use)
   232          KASSERT(mutex_owned(&tprof_startstop_lock));
   233          KASSERT(tprof_nworker == 0);
   234    
>>> CID 1125880: Uninitialized scalar variable (UNINIT)
>>> Using uninitialized value "cii".
>>> NOTE(review): same pattern as the other CPU_INFO_ITERATOR reports: whether
>>> this is real depends on whether CPU_INFO_FOREACH() writes "cii" before
>>> reading it, which its (machine-dependent, not shown) expansion decides. Check
>>> the definition for the configurations built here; adding an initializer at
>>> line 229 costs nothing if it does not.
   235          for (CPU_INFO_FOREACH(cii, ci)) {
   236                  tprof_cpu_t * const c = tprof_cpu(ci);
   237                  tprof_buf_t *old;
   238    
   239                  old = tprof_buf_switch(c, NULL);
  
________________________________________________________________________
CID 1125879: Uninitialized scalar variable (UNINIT)

/sys/dev/tprof/tprof.c: 251 ( var_decl)
   248    static int
   249    tprof_start(const struct tprof_param *param)
   250    {
>>> Declaring variable "cii" without initializer.
   251          CPU_INFO_ITERATOR cii;
   252          struct cpu_info *ci;
   253          int error;
   254          uint64_t freq;
   255          tprof_backend_t *tb;
  

/sys/dev/tprof/tprof.c: 283 ( uninit_use)
   280                  goto done;
   281          }
   282    
>>> CID 1125879: Uninitialized scalar variable (UNINIT)
>>> Using uninitialized value "cii".
>>> NOTE(review): as with the other CPU_INFO_ITERATOR reports, the verdict
>>> depends on the CPU_INFO_FOREACH() expansion, which is not visible here.
>>> Confirm it assigns "cii" before reading it; otherwise initialize "cii" at
>>> its declaration on line 251.
   283          for (CPU_INFO_FOREACH(cii, ci)) {
   284                  tprof_cpu_t * const c = tprof_cpu(ci);
   285                  tprof_buf_t *new;
   286                  tprof_buf_t *old;
   287    
  
________________________________________________________________________
CID 1125878: Untrusted loop bound (TAINTED_SCALAR)

/sbin/gpt/migrate.c: 167 ( tainted_data_return)
   164          off_t ofs, rawofs;
   165          int i;
   166    
>>> Function "gpt_read(int, __off_t, size_t)" returns tainted data.
   167          buf = gpt_read(fd, start + LABELSECTOR, 1);
   168          dl = (void*)(buf + LABELOFFSET);
   169    
   170          if (le32toh(dl->d_magic) != DISKMAGIC ||
   171              le32toh(dl->d_magic2) != DISKMAGIC) {
  

/sbin/gpt/migrate.c: 167 ( var_assign)
   164          off_t ofs, rawofs;
   165          int i;
   166    
>>> Assigning: "buf" = "gpt_read(int, __off_t, size_t)", which taints "buf".
   167          buf = gpt_read(fd, start + LABELSECTOR, 1);
   168          dl = (void*)(buf + LABELOFFSET);
   169    
   170          if (le32toh(dl->d_magic) != DISKMAGIC ||
   171              le32toh(dl->d_magic2) != DISKMAGIC) {
  

/sbin/gpt/migrate.c: 168 ( var_assign_var)
   165          int i;
   166    
   167          buf = gpt_read(fd, start + LABELSECTOR, 1);
>>> Assigning: "dl" = "(void *)(buf + 0)". Both are now tainted.
   168          dl = (void*)(buf + LABELOFFSET);
   169    
   170          if (le32toh(dl->d_magic) != DISKMAGIC ||
   171              le32toh(dl->d_magic2) != DISKMAGIC) {
   172                  warnx("%s: warning: NetBSD slice without disklabel",
  

/sbin/gpt/migrate.c: 179 ( tainted_data)
   176    
   177          rawofs = le32toh(dl->d_partitions[RAW_PART].p_offset) *
   178              le32toh(dl->d_secsize);
>>> CID 1125878: Untrusted loop bound (TAINTED_SCALAR)
>>> Using tainted variable "dl->d_npartitions" as a loop boundary.
>>> NOTE(review): "d_npartitions" is a 16-bit field read straight from the
>>> on-disk disklabel (gpt_read() at line 167) and the loop uses it to index
>>> "d_partitions", so a corrupt or crafted label can drive reads past the end
>>> of that array and of the label sector. Clamp the bound before the loop:
>>> reject (or truncate) a label whose le16toh(dl->d_npartitions) exceeds the
>>> number of entries "d_partitions" can hold. The products at lines 177-178 and
>>> 182-183 are computed in 32-bit unsigned arithmetic from two untrusted
>>> le32toh() values before being widened to off_t, so they can wrap as well;
>>> range-check p_offset and d_secsize or do the multiply in 64 bits.
   179          for (i = 0; i < le16toh(dl->d_npartitions); i++) {
   180                  if (dl->d_partitions[i].p_fstype == FS_UNUSED)
   181                          continue;
   182                  ofs = le32toh(dl->d_partitions[i].p_offset) *
   183                      le32toh(dl->d_secsize);
  
________________________________________________________________________
To view the defects in Coverity Scan visit, http://scan.coverity.com

To unsubscribe from the email notification for new defects, 
http://scan5.coverity.com/cgi-bin/unsubscribe.py

