
New Defects reported by Coverity Scan for NetBSD-amd64-user



Hi,

Please find the latest report on new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.

12 new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
9 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 12 of 12 defect(s)


** CID 980463:  Null pointer dereferences  (REVERSE_INULL)
/sys/net/if_gif.c: 748 in gif_set_tunnel()


________________________________________________________________________________________________________
*** CID 980463:  Null pointer dereferences  (REVERSE_INULL)
/sys/net/if_gif.c: 748 in gif_set_tunnel()
742     
743     	if (osrc)
744     		sockaddr_free(osrc);
745     	if (odst)
746     		sockaddr_free(odst);
747     
>>>     CID 980463:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "sc->gif_psrc" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
748     	if (sc->gif_psrc && sc->gif_pdst)
749     		ifp->if_flags |= IFF_RUNNING;
750     	else
751     		ifp->if_flags &= ~IFF_RUNNING;
752     	splx(s);
753     

** CID 1175322:  Concurrent data access violations  (MISSING_LOCK)
/home/phil/cov/xsrc/external/mit/MesaLib/dist/src/gallium/drivers/nouveau/nouveau_screen.c: 151 in nouveau_screen_init()


________________________________________________________________________________________________________
*** CID 1175322:  Concurrent data access violations  (MISSING_LOCK)
/home/phil/cov/xsrc/external/mit/MesaLib/dist/src/gallium/drivers/nouveau/nouveau_screen.c: 151 in nouveau_screen_init()
145     	   nouveau_mesa_debug = atoi(nv_dbg);
146     
147     	/*
148     	 * this is initialized to 1 in nouveau_drm_screen_create after screen
149     	 * is fully constructed and added to the global screen list.
150     	 */
>>>     CID 1175322:  Concurrent data access violations  (MISSING_LOCK)
>>>     Accessing "screen->refcount" without holding lock "nouveau_screen_mutex". Elsewhere, "nouveau_screen.refcount" is accessed with "nouveau_screen_mutex" held 3 out of 4 times (1 of these accesses strongly implies that it is necessary).
151     	screen->refcount = -1;
152     
153     	if (dev->chipset < 0xc0) {
154     		data = &nv04_data;
155     		size = sizeof(nv04_data);
156     	} else {

** CID 1338512:  Null pointer dereferences  (FORWARD_NULL)
/sys/dev/usb/uplcom.c: 538 in uplcom_pl2303x_init()


________________________________________________________________________________________________________
*** CID 1338512:  Null pointer dereferences  (FORWARD_NULL)
/sys/dev/usb/uplcom.c: 538 in uplcom_pl2303x_init()
532     		USETW(req.wValue, pl2303x[i].value);
533     		USETW(req.wIndex, pl2303x[i].index);
534     		if (UT_GET_DIR(req.bmRequestType) == UT_READ) {
535     			b = buf;
536     			USETW(req.wLength, sizeof(buf));
537     		} else {
>>>     CID 1338512:  Null pointer dereferences  (FORWARD_NULL)
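>>>     Assigning: "b" = "NULL". In this excerpt "b" is then passed to usbd_do_request() on line 542, with req.wLength set to 0 on line 539.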
538     			b = NULL;
539     			USETW(req.wLength, 0);
540     		}
541     
542     		err = usbd_do_request(sc->sc_udev, &req, b);
543     		if (err) {

** CID 1338513:  Error handling issues  (CHECKED_RETURN)
/lib/libc/rpc/rpc_soc.c: 258 in svc_com_create()


________________________________________________________________________________________________________
*** CID 1338513:  Error handling issues  (CHECKED_RETURN)
/lib/libc/rpc/rpc_soc.c: 258 in svc_com_create()
252     		madefd = TRUE;
253     	}
254     
255     	memset(&sccsin, 0, sizeof sccsin);
256     	sccsin.sin_family = AF_INET;
257     	(void)bindresvport(fd, &sccsin);
>>>     CID 1338513:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "rump_sys_listen" (the listen() call on line 258 below) without checking return value (as is done elsewhere 8 out of 9 times).
258     	listen(fd, SOMAXCONN);
259     	svc = svc_tli_create(fd, nconf, NULL, sendsize, recvsize);
260     	(void) freenetconfigent(nconf);
261     	if (svc == NULL) {
262     		if (madefd)
263     			(void) close(fd);

** CID 1338514:  Null pointer dereferences  (FORWARD_NULL)
/usr.sbin/rpcbind/rpcb_svc_com.c: 1101 in my_svc_run()


________________________________________________________________________________________________________
*** CID 1338514:  Null pointer dereferences  (FORWARD_NULL)
/usr.sbin/rpcbind/rpcb_svc_com.c: 1101 in my_svc_run()
1095     			pollfds = realloc(pollfds, npollfds * sizeof(*pollfds));
1096     		}
1097     		p = pollfds;
1098     		m = *svc_fdset_getmax();
1099     		for (n = 0; n <= m; n++) {
1100     			if (svc_fdset_isset(n)) {
>>>     CID 1338514:  Null pointer dereferences  (FORWARD_NULL)
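>>>     Dereferencing null pointer "p". In this excerpt "p" is copied from "pollfds" (line 1097), which line 1095 assigns directly from realloc() with no NULL check visible before the loop.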
1101     				p->fd = n;
1102     				p->events = MASKVAL;
1103     				p++;
1104     			}
1105     		}
1106     		nfds = p - pollfds;

** CID 1338515:  Null pointer dereferences  (FORWARD_NULL)
/lib/libc/rpc/svc_run.c: 168 in svc_run_poll()


________________________________________________________________________________________________________
*** CID 1338515:  Null pointer dereferences  (FORWARD_NULL)
/lib/libc/rpc/svc_run.c: 168 in svc_run_poll()
162     			pfd = svc_pollfd_copy(svc_pollfd_get());
163     			if (pfd == NULL) {
164     				warn("can't get pollfd");
165     				goto out;
166     			}
167     		} else
>>>     CID 1338515:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "pfd" to "memcpy", which dereferences it.
168     			memcpy(pfd, svc_pollfd_get(), *maxfd * sizeof(*pfd));
169     
170     		rwlock_unlock(&svc_fd_lock);
171     
172     		switch ((i = poll(pfd, *maxfd, 30 * 1000))) {
173     		case -1:

** CID 1338516:  Control flow issues  (MISSING_BREAK)
/tests/lib/libc/rpc/t_rpc.c: 185 in regtest()


________________________________________________________________________________________________________
*** CID 1338516:  Control flow issues  (MISSING_BREAK)
/tests/lib/libc/rpc/t_rpc.c: 185 in regtest()
179     		ERRX(EXIT_FAILURE, "Can't not create server %d", num);
180     
181     	switch ((pid = fork())) {
182     	case 0:
183     		DPRINTF("Calling svc_run\n");
184     		svc_run();
>>>     CID 1338516:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
185     	case -1:
186     		ERRX(EXIT_FAILURE, "Fork failed (%s)", strerror(errno));
187     	default:
188     		sleep(1);
189     		break;
190     	}

** CID 1338517:  Error handling issues  (NEGATIVE_RETURNS)
/lib/libc/rpc/svc_fdset.c: 437 in svc_pollfd_copy()


________________________________________________________________________________________________________
*** CID 1338517:  Error handling issues  (NEGATIVE_RETURNS)
/lib/libc/rpc/svc_fdset.c: 437 in svc_pollfd_copy()
431     }
432     
433     struct pollfd *
434     svc_pollfd_copy(const struct pollfd *orig)
435     {
436     	int size = svc_fdset_getsize(0);
>>>     CID 1338517:  Error handling issues  (NEGATIVE_RETURNS)
>>>     "size" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
437     	struct pollfd *copy = calloc(size, sizeof(*orig));
438     	if (copy == NULL)
439     		return NULL;
440     	if (orig)
441     		memcpy(copy, orig, size * sizeof(*orig));
442     	return copy;

** CID 1338518:  Integer handling issues  (NEGATIVE_RETURNS)
/lib/libc/rpc/svc_raw.c: 116 in _svc_raw_create()


________________________________________________________________________________________________________
*** CID 1338518:  Integer handling issues  (NEGATIVE_RETURNS)
/lib/libc/rpc/svc_raw.c: 116 in _svc_raw_create()
110     			__rpc_rawcombuf = malloc(UDPMSGSIZE);
111     		if (__rpc_rawcombuf == NULL)
112     			goto out;
113     		srp->raw_buf = __rpc_rawcombuf; /* Share it with the client */
114     		svc_raw_private = srp;
115     	}
>>>     CID 1338518:  Integer handling issues  (NEGATIVE_RETURNS)
>>>     Assigning: "srp->server.xp_fd" = a negative value.
116     	srp->server.xp_fd = -1;
117     	srp->server.xp_port = 0;
118     	srp->server.xp_p3 = NULL;
119     	svc_raw_ops(&srp->server);
120     	srp->server.xp_verf.oa_base = srp->verf_body;
121     	xdrmem_create(&srp->xdr_stream, srp->raw_buf, UDPMSGSIZE, XDR_DECODE);

** CID 1338519:  Integer handling issues  (NEGATIVE_RETURNS)
/lib/libc/rpc/clnt_raw.c: 200 in clnt_raw_call()


________________________________________________________________________________________________________
*** CID 1338519:  Integer handling issues  (NEGATIVE_RETURNS)
/lib/libc/rpc/clnt_raw.c: 200 in clnt_raw_call()
194     	(void)XDR_GETPOS(xdrs);  /* called just to cause overhead */
195     
196     	/*
197     	 * We have to call server input routine here because this is
198     	 * all going on in one process. Yuk.
199     	 */
>>>     CID 1338519:  Integer handling issues  (NEGATIVE_RETURNS)
>>>     Passing negative constant "-1" to a parameter that cannot be negative.
200     	svc_getreq_common(-1);
201     
202     	/*
203     	 * get results
204     	 */
205     	xdrs->x_op = XDR_DECODE;

** CID 1338520:  Null pointer dereferences  (NULL_RETURNS)
/lib/libc/rpc/svc_fdset.c: 326 in svc_fdset_zero()


________________________________________________________________________________________________________
*** CID 1338520:  Null pointer dereferences  (NULL_RETURNS)
/lib/libc/rpc/svc_fdset.c: 326 in svc_fdset_zero()
320     void
321     svc_fdset_zero(void)
322     {
323     	DPRINTF("zero");
324     
325     	struct svc_fdset *fds = svc_fdset_alloc(0);
>>>     CID 1338520:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a null pointer "fds". The return value of svc_fdset_alloc(0) on line 325 is used on line 326 without a NULL check.
326     	memset(fds->fdset, 0, fds->fdsize);
327     	fds->fdmax = -1;
328     
329     	free(fds->fdp);
330     	fds->fdp = NULL;
331     	fds->fdnum = fds->fdused = 0;

** CID 1338521:  Resource leaks  (RESOURCE_LEAK)
/lib/libc/rpc/svc_fdset.c: 218 in svc_pollfd_add()


________________________________________________________________________________________________________
*** CID 1338521:  Resource leaks  (RESOURCE_LEAK)
/lib/libc/rpc/svc_fdset.c: 218 in svc_pollfd_add()
212     
213     	svc_pollfd_init(pfd + fds->fdnum, FD_SETSIZE);
214     	pfd[fds->fdnum].fd = fd;
215     	fds->fdused = fds->fdnum + 1;
216     	DPRINTF("add fd=%d slot=%d fdused=%d", fd, fds->fdnum, fds->fdused);
217     	fds->fdnum += FD_SETSIZE;
>>>     CID 1338521:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "pfd" going out of scope leaks the storage it points to.
218     	return fds;
219     }
220     
221     static struct svc_fdset *
222     svc_pollfd_del(int fd, struct svc_fdset *fds)
223     {


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-amd64-user?tab=overview



