Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-i386-user
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
86 new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
235 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 86 defect(s)
** CID 710492: Null pointer dereferences (REVERSE_INULL)
/sys/external/bsd/drm2/dist/drm/via/via_mm.c: 82 in via_final_context()
________________________________________________________________________________________________________
*** CID 710492: Null pointer dereferences (REVERSE_INULL)
/sys/external/bsd/drm2/dist/drm/via/via_mm.c: 82 in via_final_context()
76 drm_via_private_t *dev_priv = (drm_via_private_t *) dev->dev_private;
77
78 via_release_futex(dev_priv, context);
79
80 /* Linux specific until context tracking code gets ported to BSD */
81 /* Last context, perform cleanup */
>>> CID 710492: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "dev->dev_private" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
82 if (list_is_singular(&dev->ctxlist) && dev->dev_private) {
83 DRM_DEBUG("Last Context\n");
84 drm_irq_uninstall(dev);
85 via_cleanup_futex(dev_priv);
86 via_do_cleanup_map(dev);
87 }
** CID 976986: Null pointer dereferences (NULL_RETURNS)
/sys/external/bsd/sljit/dist/test_src/sljitTest.c: 1565 in test20()
________________________________________________________________________________________________________
*** CID 976986: Null pointer dereferences (NULL_RETURNS)
/sys/external/bsd/sljit/dist/test_src/sljitTest.c: 1565 in test20()
1559 FAILED(buf[2] != 60, "test20 case 2 failed\n");
1560 FAILED(buf[3] != 17, "test20 case 3 failed\n");
1561 FAILED(buf[4] != 7, "test20 case 4 failed\n");
1562
1563 sljit_free_code(code.code);
1564
>>> CID 976986: Null pointer dereferences (NULL_RETURNS)
>>> Assigning: "compiler" = null return value from "sljit_create_compiler(void)".
1565 compiler = sljit_create_compiler();
1566 sljit_emit_enter(compiler, 0, 3, 0, SLJIT_MAX_LOCAL_SIZE);
1567
1568 sljit_get_local_base(compiler, SLJIT_SCRATCH_REG1, 0, SLJIT_MAX_LOCAL_SIZE - sizeof(sljit_sw));
1569 sljit_get_local_base(compiler, SLJIT_SCRATCH_REG2, 0, -(sljit_sw)sizeof(sljit_sw));
1570 sljit_emit_op1(compiler, SLJIT_MOV, SLJIT_SCRATCH_REG3, 0, SLJIT_IMM, -1);
** CID 1009289: Error handling issues (CHECKED_RETURN)
/usr.sbin/rpcbind/rpcbind.c: 121 in main()
________________________________________________________________________________________________________
*** CID 1009289: Error handling issues (CHECKED_RETURN)
/usr.sbin/rpcbind/rpcbind.c: 121 in main()
115 void *nc_handle; /* Net config handle */
116 struct rlimit rl;
117 int maxrec = RPC_MAXDATASIZE;
118
119 parseargs(argc, argv);
120
>>> CID 1009289: Error handling issues (CHECKED_RETURN)
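>>> No check of the return value of "getrlimit(8, &rl)". [Note: "rl" is declared without an initializer on line 116, so if the call fails the comparison on line 122 may read indeterminate values.]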
121 getrlimit(RLIMIT_NOFILE, &rl);
122 if (rl.rlim_cur < 128) {
123 if (rl.rlim_max <= 128)
124 rl.rlim_cur = rl.rlim_max;
125 else
126 rl.rlim_cur = 128;
** CID 1225077: (CHECKED_RETURN)
/bin/ksh/c_ulimit.c: 206 in c_ulimit()
/bin/ksh/c_ulimit.c: 235 in c_ulimit()
________________________________________________________________________________________________________
*** CID 1225077: (CHECKED_RETURN)
/bin/ksh/c_ulimit.c: 206 in c_ulimit()
200 }
201 }
202 if (all) {
203 for (l = limits; l->name; l++) {
204 #ifdef HAVE_SETRLIMIT
205 if (l->which == RLIMIT) {
>>> CID 1225077: (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(l->gcmd, &limit)".
206 getrlimit(l->gcmd, &limit);
207 if (how & SOFT)
208 val = limit.rlim_cur;
209 else if (how & HARD)
210 val = limit.rlim_max;
211 } else
/bin/ksh/c_ulimit.c: 235 in c_ulimit()
229 }
230 }
231 return 0;
232 }
233 #ifdef HAVE_SETRLIMIT
234 if (l->which == RLIMIT) {
>>> CID 1225077: (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(l->gcmd, &limit)".
235 getrlimit(l->gcmd, &limit);
236 if (set) {
237 if (how & SOFT)
238 limit.rlim_cur = val;
239 if (how & HARD)
240 limit.rlim_max = val;
** CID 1225078: Error handling issues (CHECKED_RETURN)
/bin/sh/miscbltin.c: 430 in ulimitcmd()
________________________________________________________________________________________________________
*** CID 1225078: Error handling issues (CHECKED_RETURN)
/bin/sh/miscbltin.c: 430 in ulimitcmd()
424 #endif
425 }
426 }
427 return 0;
428 }
429
>>> CID 1225078: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(l->cmd, &limit)".
430 getrlimit(l->cmd, &limit);
431 if (set) {
432 if (how & HARD)
433 limit.rlim_max = val;
434 if (how & SOFT)
435 limit.rlim_cur = val;
** CID 1225079: Error handling issues (CHECKED_RETURN)
/gnu/lib/libmalloc/mem-limits.h: 124 in get_lim_data()
________________________________________________________________________________________________________
*** CID 1225079: Error handling issues (CHECKED_RETURN)
/gnu/lib/libmalloc/mem-limits.h: 124 in get_lim_data()
118
119 static void
120 get_lim_data ()
121 {
122 struct rlimit XXrlimit;
123
>>> CID 1225079: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(2, &XXrlimit)".
124 getrlimit (RLIMIT_DATA, &XXrlimit);
125 #ifdef RLIM_INFINITY
126 lim_data = XXrlimit.rlim_cur & RLIM_INFINITY; /* soft limit */
127 #else
128 lim_data = XXrlimit.rlim_cur; /* soft limit */
129 #endif
130 }
131 #endif /* BSD4_2 */
** CID 1225080: Error handling issues (CHECKED_RETURN)
/home/phil/cov/xsrc/external/mit/xorg-server/dist/os/utils.c: 658 in ProcessCommandLine()
________________________________________________________________________________________________________
*** CID 1225080: Error handling issues (CHECKED_RETURN)
/home/phil/cov/xsrc/external/mit/xorg-server/dist/os/utils.c: 658 in ProcessCommandLine()
652 UseMsg();
653 }
654 else if ( strcmp( argv[i], "-core") == 0)
655 {
656 #if !defined(WIN32) || !defined(__MINGW32__)
657 struct rlimit core_limit;
>>> CID 1225080: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(4, &core_limit)".
658 getrlimit (RLIMIT_CORE, &core_limit);
659 core_limit.rlim_cur = core_limit.rlim_max;
660 setrlimit (RLIMIT_CORE, &core_limit);
661 #endif
662 CoreDump = TRUE;
663 }
** CID 1225081: Error handling issues (CHECKED_RETURN)
/tests/fs/nfs/nfsservice/rpcbind/rpcbind.c: 135 in rpcbind_main()
________________________________________________________________________________________________________
*** CID 1225081: Error handling issues (CHECKED_RETURN)
/tests/fs/nfs/nfsservice/rpcbind/rpcbind.c: 135 in rpcbind_main()
129 #if 0
130 parseargs(argc, argv);
131 #endif
132
133 alloc_fdset();
134
>>> CID 1225081: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(8, &rl)".
135 getrlimit(RLIMIT_NOFILE, &rl);
136 if (rl.rlim_cur < 128) {
137 if (rl.rlim_max <= 128)
138 rl.rlim_cur = rl.rlim_max;
139 else
140 rl.rlim_cur = 128;
** CID 1225082: Error handling issues (CHECKED_RETURN)
/usr.sbin/rpc.pcnfsd/obj/pcnfsd_svc.c: 76 in closedown()
________________________________________________________________________________________________________
*** CID 1225082: Error handling issues (CHECKED_RETURN)
/usr.sbin/rpc.pcnfsd/obj/pcnfsd_svc.c: 76 in closedown()
70 if (_rpcfdtype == SOCK_DGRAM)
71 exit(0);
72 if (size == 0) {
73 struct rlimit rl;
74
75 rl.rlim_max = 0;
>>> CID 1225082: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(8, &rl)".
76 getrlimit(RLIMIT_NOFILE, &rl);
77 if ((size = rl.rlim_max) == 0)
78 return;
79 }
80 for (i = 0, openfd = 0; i < size && openfd < 2; i++)
81 if (FD_ISSET(i, &svc_fdset))
** CID 1225083: Error handling issues (CHECKED_RETURN)
/usr.sbin/rpc.pcnfsd/obj/pcnfsd_svc.c: 329 in mymain()
________________________________________________________________________________________________________
*** CID 1225083: Error handling issues (CHECKED_RETURN)
/usr.sbin/rpc.pcnfsd/obj/pcnfsd_svc.c: 329 in mymain()
323 perror("cannot fork");
324 exit(1);
325 }
326 if (pid)
327 exit(0);
328 rl.rlim_max = 0;
>>> CID 1225083: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(8, &rl)".
329 getrlimit(RLIMIT_NOFILE, &rl);
330 if ((size = rl.rlim_max) == 0)
331 exit(1);
332 for (i = 0; i < size; i++)
333 (void) close(i);
334 i = open("/dev/console", 2);
** CID 1256502: Control flow issues (MISSING_BREAK)
/sys/external/bsd/acpica/dist/disassembler/dmwalk.c: 316 in AcpiDmBlockType()
________________________________________________________________________________________________________
*** CID 1256502: Control flow issues (MISSING_BREAK)
/sys/external/bsd/acpica/dist/disassembler/dmwalk.c: 316 in AcpiDmBlockType()
310 {
311 /* This is a reference to a method, not an invocation */
312
313 return (BLOCK_NONE);
314 }
315
>>> CID 1256502: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
316 default:
317
318 OpInfo = AcpiPsGetOpcodeInfo (Op->Common.AmlOpcode);
319 if (OpInfo->Flags & AML_HAS_ARGS)
320 {
321 return (BLOCK_PAREN);
** CID 1256503: Resource leaks (RESOURCE_LEAK)
/sys/external/bsd/acpica/dist/compiler/aslopcodes.c: 1361 in OpcDoPld()
________________________________________________________________________________________________________
*** CID 1256503: Resource leaks (RESOURCE_LEAK)
/sys/external/bsd/acpica/dist/compiler/aslopcodes.c: 1361 in OpcDoPld()
1355 break;
1356 }
1357
1358 Node = Node->Asl.Next;
1359 }
1360
>>> CID 1256503: Resource leaks (RESOURCE_LEAK)
>>> Overwriting "Buffer" in "Buffer = OpcEncodePldBuffer(&PldInfo)" leaks the storage that "Buffer" points to.
1361 Buffer = OpcEncodePldBuffer(&PldInfo);
1362
1363 /* Change Op to a Buffer */
1364
1365 Op->Asl.ParseOpcode = PARSEOP_BUFFER;
1366 Op->Common.AmlOpcode = AML_BUFFER_OP;
** CID 1268629: Null pointer dereferences (FORWARD_NULL)
/external/public-domain/xz/dist/src/xz/args.c: 83 in parse_block_list()
________________________________________________________________________________________________________
*** CID 1268629: Null pointer dereferences (FORWARD_NULL)
/external/public-domain/xz/dist/src/xz/args.c: 83 in parse_block_list()
77 // If --block-list was specified already, its value is forgotten.
78 free(opt_block_list);
79 opt_block_list = xmalloc((count + 1) * sizeof(uint64_t));
80
81 for (size_t i = 0; i < count; ++i) {
82 // Locate the next comma and replace it with \0.
>>> CID 1268629: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "str" to function "strchr(char const *, int)", which dereferences it.
83 char *p = strchr(str, ',');
84 if (p != NULL)
85 *p = '\0';
86
87 if (str[0] == '\0') {
88 // There is no string, that is, a comma follows
** CID 1292510: Null pointer dereferences (NULL_RETURNS)
/sys/external/bsd/acpica/dist/dispatcher/dsutils.c: 608 in AcpiDsCreateOperand()
________________________________________________________________________________________________________
*** CID 1292510: Null pointer dereferences (NULL_RETURNS)
/sys/external/bsd/acpica/dist/dispatcher/dsutils.c: 608 in AcpiDsCreateOperand()
602 else if (ParentOp->Common.AmlOpcode == AML_EXTERNAL_OP)
603 {
604 /* TBD: May only be temporary */
605
606 ObjDesc = AcpiUtCreateStringObject ((ACPI_SIZE) NameLength);
607
>>> CID 1292510: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a null pointer "ObjDesc".
608 ACPI_STRNCPY (ObjDesc->String.Pointer, NameString, NameLength);
609 Status = AE_OK;
610 }
611 else
612 {
613 /*
** CID 1292512: Memory - corruptions (BAD_FREE)
________________________________________________________________________________________________________
*** CID 1292512: Memory - corruptions (BAD_FREE)
/sys/external/bsd/acpica/dist/tables/tbinstal.c: 517 in AcpiTbUninstallTable()
511
512 AcpiTbInvalidateTable (TableDesc);
513
514 if ((TableDesc->Flags & ACPI_TABLE_ORIGIN_MASK) ==
515 ACPI_TABLE_ORIGIN_INTERNAL_VIRTUAL)
516 {
>>> CID 1292512: Memory - corruptions (BAD_FREE)
>>> "AcpiOsFree(void *)" frees address offset from "NULL".
517 ACPI_FREE (ACPI_PHYSADDR_TO_PTR (TableDesc->Address));
518 }
519
520 TableDesc->Address = ACPI_PTR_TO_PHYSADDR (NULL);
521 return_VOID;
** CID 1294266: Error handling issues (CHECKED_RETURN)
/sys/external/bsd/acpica/dist/common/dmtbdump.c: 2541 in AcpiDmDumpSlic()
________________________________________________________________________________________________________
*** CID 1294266: Error handling issues (CHECKED_RETURN)
/sys/external/bsd/acpica/dist/common/dmtbdump.c: 2541 in AcpiDmDumpSlic()
2535 ******************************************************************************/
2536
2537 void
2538 AcpiDmDumpSlic (
2539 ACPI_TABLE_HEADER *Table)
2540 {
>>> CID 1294266: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "AcpiDmDumpTable(Table->Length, 36U, Table, Table->Length - 36U, AcpiDmTableInfoSlic)".
2541 AcpiDmDumpTable (Table->Length, sizeof (ACPI_TABLE_HEADER), Table,
2542 Table->Length - sizeof (*Table), AcpiDmTableInfoSlic);
2543 }
2544
2545
2546 /*******************************************************************************
** CID 1297229: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/sys/dev/dksubr.c: 85 in dk_init()
________________________________________________________________________________________________________
*** CID 1297229: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/sys/dev/dksubr.c: 85 in dk_init()
79 {
80
81 memset(dksc, 0x0, sizeof(*dksc));
82 dksc->sc_dtype = dtype;
83 dksc->sc_dev = dev;
84
>>> CID 1297229: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>> Calling strncpy with a maximum size argument of 8 bytes on destination array "dksc->sc_xname" of size 8 bytes might leave the destination string unterminated.
85 strncpy(dksc->sc_xname, device_xname(dev), DK_XNAME_SIZE);
86 dksc->sc_dkdev.dk_name = dksc->sc_xname;
87 }
88
89 void
90 dk_attach(struct dk_softc *dksc)
** CID 1297237: Incorrect expression (BAD_SIZEOF)
/sys/external/bsd/drm/dist/bsd-core/drm_mm.c: 156 in drm_mm_add_space_to_tail()
________________________________________________________________________________________________________
*** CID 1297237: Incorrect expression (BAD_SIZEOF)
/sys/external/bsd/drm/dist/bsd-core/drm_mm.c: 156 in drm_mm_add_space_to_tail()
150 int drm_mm_add_space_to_tail(struct drm_mm *mm, unsigned long size, int atomic)
151 {
152 struct list_head *tail_node;
153 struct drm_mm_node *entry;
154
155 tail_node = mm->ml_entry.prev;
>>> CID 1297237: Incorrect expression (BAD_SIZEOF)
>>> Taking the size of arithmetic expression "tail_node - &((struct drm_mm_node *)((char *)tail_node - 8U))->ml_entry" is suspicious.
156 entry = list_entry(tail_node, struct drm_mm_node, ml_entry);
157 if (!entry->free) {
158 return drm_mm_create_tail_node(mm, entry->start + entry->size,
159 size, atomic);
160 }
161 entry->size += size;
** CID 1297238: Incorrect expression (BAD_SIZEOF)
/sys/external/bsd/drm/dist/bsd-core/drm_mm.c: 248 in drm_mm_put_block()
________________________________________________________________________________________________________
*** CID 1297238: Incorrect expression (BAD_SIZEOF)
/sys/external/bsd/drm/dist/bsd-core/drm_mm.c: 248 in drm_mm_put_block()
242 if (prev_node->free) {
243 prev_node->size += cur->size;
244 merged = 1;
245 }
246 }
247 if (cur_head->next != root_head) {
>>> CID 1297238: Incorrect expression (BAD_SIZEOF)
>>> Taking the size of arithmetic expression "cur_head->next - &((struct drm_mm_node *)((char *)cur_head->next - 8U))->ml_entry" is suspicious.
248 next_node =
249 list_entry(cur_head->next, struct drm_mm_node, ml_entry);
250 if (next_node->free) {
251 if (merged) {
252 prev_node->size += next_node->size;
253 list_del(&next_node->ml_entry);
** CID 1297239: Incorrect expression (BAD_SIZEOF)
/sys/external/bsd/drm/dist/bsd-core/drm_mm.c: 71 in drm_mm_remove_space_from_tail()
________________________________________________________________________________________________________
*** CID 1297239: Incorrect expression (BAD_SIZEOF)
/sys/external/bsd/drm/dist/bsd-core/drm_mm.c: 71 in drm_mm_remove_space_from_tail()
65 int drm_mm_remove_space_from_tail(struct drm_mm *mm, unsigned long size)
66 {
67 struct list_head *tail_node;
68 struct drm_mm_node *entry;
69
70 tail_node = mm->ml_entry.prev;
>>> CID 1297239: Incorrect expression (BAD_SIZEOF)
>>> Taking the size of arithmetic expression "tail_node - &((struct drm_mm_node *)((char *)tail_node - 8U))->ml_entry" is suspicious.
71 entry = list_entry(tail_node, struct drm_mm_node, ml_entry);
72 if (!entry->free)
73 return -ENOMEM;
74
75 if (entry->size <= size)
76 return -ENOMEM;
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/1448?tab=overview