Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-i386-kernel



Hi,

Please find the latest report on new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.

22 new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.
42 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 22 defect(s)


** CID 1125822:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/xhci.c: 2400 in xhci_new_device()


________________________________________________________________________________________________________
*** CID 1125822:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/xhci.c: 2400 in xhci_new_device()
2394     				    dd->bMaxPacketSize);
2395     				dd->bMaxPacketSize = 9;
2396     			}
2397     			USETW(dev->ud_ep0desc.wMaxPacketSize,
2398     			    (1 << dd->bMaxPacketSize));
2399     		} else
>>>     CID 1125822:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "dd->bMaxPacketSize >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
2400     			USETW(dev->ud_ep0desc.wMaxPacketSize,
2401     			    dd->bMaxPacketSize);
2402     		DPRINTFN(4, "bMaxPacketSize %u", dd->bMaxPacketSize, 0, 0, 0);
2403     		xhci_update_ep0_mps(sc, xs,
2404     		    UGETW(dev->ud_ep0desc.wMaxPacketSize));
2405     		err = usbd_reload_device_desc(dev);

** CID 1362401:  Error handling issues  (CHECKED_RETURN)
/sys/dev/pci/if_wm.c: 11441 in wm_smbustopci()


________________________________________________________________________________________________________
*** CID 1362401:  Error handling issues  (CHECKED_RETURN)
/sys/dev/pci/if_wm.c: 11441 in wm_smbustopci()
11435     	uint32_t fwsm, reg;
11436     
11437     	/* Gate automatic PHY configuration by hardware on non-managed 82579 */
11438     	wm_gate_hw_phy_config_ich8lan(sc, true);
11439     
11440     	/* Acquire semaphore */
>>>     CID 1362401:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "wm_get_swfwhw_semaphore" without checking return value (as is done elsewhere 8 out of 10 times).
11441     	wm_get_swfwhw_semaphore(sc);
11442     
11443     	fwsm = CSR_READ(sc, WMREG_FWSM);
11444     	if (((fwsm & FWSM_FW_VALID) == 0)
11445     	    && ((wm_phy_resetisblocked(sc) == false))) {
11446     		if (sc->sc_type >= WM_T_PCH_LPT) {

** CID 1362402:  Error handling issues  (CHECKED_RETURN)
/sys/dev/usb/uaudio.c: 2734 in uaudio_chan_abort()


________________________________________________________________________________________________________
*** CID 1362402:  Error handling issues  (CHECKED_RETURN)
/sys/dev/usb/uaudio.c: 2734 in uaudio_chan_abort()
2728     
2729     	as = &sc->sc_alts[ch->altidx];
2730     	as->sc_busy = 0;
2731     	AUFMT_VALIDATE(as->aformat);
2732     	if (sc->sc_nullalt >= 0) {
2733     		DPRINTF("set null alt=%d\n", sc->sc_nullalt);
>>>     CID 1362402:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "usbd_set_interface" without checking return value (as is done elsewhere 17 out of 19 times).
2734     		usbd_set_interface(as->ifaceh, sc->sc_nullalt);
2735     	}
2736     	pipe = ch->pipe;
2737     	if (pipe) {
2738     		usbd_abort_pipe(pipe);
2739     	}

** CID 1362403:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ohci.c: 2454 in ohci_roothub_ctrl()


________________________________________________________________________________________________________
*** CID 1362403:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ohci.c: 2454 in ohci_roothub_ctrl()
2448     
2449     		totlen = min(buflen, sizeof(hubd));
2450     		memcpy(&hubd, buf, totlen);
2451     
2452     		v = OREAD4(sc, OHCI_RH_DESCRIPTOR_A);
2453     		hubd.bNbrPorts = sc->sc_noport;
>>>     CID 1362403:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "((v & 512) ? 2 : ((v & 256) ? 0 : 1)) >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
2454     		USETW(hubd.wHubCharacteristics,
2455     		      (v & OHCI_NPS ? UHD_PWR_NO_SWITCH :
2456     		       v & OHCI_PSM ? UHD_PWR_GANGED : UHD_PWR_INDIVIDUAL)
2457     		      /* XXX overcurrent */
2458     		      );
2459     		hubd.bPwrOn2PwrGood = OHCI_GET_POTPGT(v);

** CID 1362404:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 818 in usbd_set_interface()


________________________________________________________________________________________________________
*** CID 1362404:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 818 in usbd_set_interface()
812     		kmem_free(endpoints, nendpt * sizeof(struct usbd_endpoint));
813     	}
814     	KASSERT(iface->ui_idesc != NULL);
815     
816     	req.bmRequestType = UT_WRITE_INTERFACE;
817     	req.bRequest = UR_SET_INTERFACE;
>>>     CID 1362404:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "iface->ui_idesc->bAlternateSetting >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
818     	USETW(req.wValue, iface->ui_idesc->bAlternateSetting);
819     	USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
820     	USETW(req.wLength, 0);
821     	return usbd_do_request(iface->ui_dev, &req, 0);
822     }
823     

** CID 1362405:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 819 in usbd_set_interface()


________________________________________________________________________________________________________
*** CID 1362405:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 819 in usbd_set_interface()
813     	}
814     	KASSERT(iface->ui_idesc != NULL);
815     
816     	req.bmRequestType = UT_WRITE_INTERFACE;
817     	req.bRequest = UR_SET_INTERFACE;
818     	USETW(req.wValue, iface->ui_idesc->bAlternateSetting);
>>>     CID 1362405:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "iface->ui_idesc->bInterfaceNumber >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
819     	USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
820     	USETW(req.wLength, 0);
821     	return usbd_do_request(iface->ui_dev, &req, 0);
822     }
823     
824     int

** CID 1362406:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 695 in usbd_clear_endpoint_stall()


________________________________________________________________________________________________________
*** CID 1362406:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 695 in usbd_clear_endpoint_stall()
689     	 */
690     	pipe->up_methods->upm_cleartoggle(pipe);
691     
692     	req.bmRequestType = UT_WRITE_ENDPOINT;
693     	req.bRequest = UR_CLEAR_FEATURE;
694     	USETW(req.wValue, UF_ENDPOINT_HALT);
>>>     CID 1362406:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "pipe->up_endpoint->ue_edesc->bEndpointAddress >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
695     	USETW(req.wIndex, pipe->up_endpoint->ue_edesc->bEndpointAddress);
696     	USETW(req.wLength, 0);
697     	err = usbd_do_request(dev, &req, 0);
698     #if 0
699     XXX should we do this?
700     	if (!err) {

** CID 1362407:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2922 in ehci_reset_sqtd_chain()


________________________________________________________________________________________________________
*** CID 1362407:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2922 in ehci_reset_sqtd_chain()
2916     		size_t pageoffs = EHCI_PAGE(curoffs);
2917     		for (size_t i = 0; i < pages; i++) {
2918     			paddr_t a = DMAADDR(dma,
2919     			    pageoffs + i * EHCI_PAGE_SIZE);
2920     			sqtd->qtd.qtd_buffer[i] = htole32(EHCI_PAGE(a));
2921     			/* Cast up to avoid compiler warnings */
>>>     CID 1362407:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "(__uint64_t)a >> 32" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
2922     			sqtd->qtd.qtd_buffer_hi[i] = htole32((uint64_t)a >> 32);
2923     			DPRINTF("      buffer[%d/%d] 0x%08x 0x%08x", i, pages,
2924     			    le32toh(sqtd->qtd.qtd_buffer_hi[i]),
2925     			    le32toh(sqtd->qtd.qtd_buffer[i]));
2926     		}
2927     		/* First buffer pointer requires a page offset to start at */

** CID 1362408:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 720 in usbd_clear_endpoint_stall_task()


________________________________________________________________________________________________________
*** CID 1362408:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 720 in usbd_clear_endpoint_stall_task()
714     
715     	pipe->up_methods->upm_cleartoggle(pipe);
716     
717     	req.bmRequestType = UT_WRITE_ENDPOINT;
718     	req.bRequest = UR_CLEAR_FEATURE;
719     	USETW(req.wValue, UF_ENDPOINT_HALT);
>>>     CID 1362408:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "pipe->up_endpoint->ue_edesc->bEndpointAddress >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
720     	USETW(req.wIndex, pipe->up_endpoint->ue_edesc->bEndpointAddress);
721     	USETW(req.wLength, 0);
722     	(void)usbd_do_request(dev, &req, 0);
723     }
724     
725     void

** CID 1362409:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 856 in usbd_get_interface()


________________________________________________________________________________________________________
*** CID 1362409:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 856 in usbd_get_interface()
850     {
851     	usb_device_request_t req;
852     
853     	req.bmRequestType = UT_READ_INTERFACE;
854     	req.bRequest = UR_GET_INTERFACE;
855     	USETW(req.wValue, 0);
>>>     CID 1362409:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "iface->ui_idesc->bInterfaceNumber >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
856     	USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
857     	USETW(req.wLength, 1);
858     	return usbd_do_request(iface->ui_dev, &req, aiface);
859     }
860     
861     /*** Internal routines ***/

** CID 1362410:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2411 in ehci_roothub_ctrl()


________________________________________________________________________________________________________
*** CID 1362410:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2411 in ehci_roothub_ctrl()
2405     			return -1;
2406     		}
2407     		totlen = min(buflen, sizeof(hubd));
2408     		memcpy(&hubd, buf, totlen);
2409     		hubd.bNbrPorts = sc->sc_noport;
2410     		v = EOREAD4(sc, EHCI_HCSPARAMS);
>>>     CID 1362410:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "2 | (bus_space_read_4(sc->iot, sc->ioh, 4) & 65536)" is always true regardless of the values of its operands. This occurs as the logical first operand of '?:'.
2411     		USETW(hubd.wHubCharacteristics,
2412     		    EHCI_HCS_PPC(v) ? UHD_PWR_INDIVIDUAL : UHD_PWR_NO_SWITCH |
2413     		    EHCI_HCS_P_INDICATOR(EREAD4(sc, EHCI_HCSPARAMS))
2414     			? UHD_PORT_IND : 0);
2415     		hubd.bPwrOn2PwrGood = 200; /* XXX can't find out? */
2416     		for (i = 0, l = sc->sc_noport; l > 0; i++, l -= 8, v >>= 8)

** CID 1362411:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2411 in ehci_roothub_ctrl()


________________________________________________________________________________________________________
*** CID 1362411:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2411 in ehci_roothub_ctrl()
2405     			return -1;
2406     		}
2407     		totlen = min(buflen, sizeof(hubd));
2408     		memcpy(&hubd, buf, totlen);
2409     		hubd.bNbrPorts = sc->sc_noport;
2410     		v = EOREAD4(sc, EHCI_HCSPARAMS);
>>>     CID 1362411:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "((v & 16) ? 1 : ((2 | (bus_space_read_4(sc->iot, sc->ioh, 4) & 65536)) ? 128 : 0)) >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
2411     		USETW(hubd.wHubCharacteristics,
2412     		    EHCI_HCS_PPC(v) ? UHD_PWR_INDIVIDUAL : UHD_PWR_NO_SWITCH |
2413     		    EHCI_HCS_P_INDICATOR(EREAD4(sc, EHCI_HCSPARAMS))
2414     			? UHD_PORT_IND : 0);
2415     		hubd.bPwrOn2PwrGood = 200; /* XXX can't find out? */
2416     		for (i = 0, l = sc->sc_noport; l > 0; i++, l -= 8, v >>= 8)

** CID 1362412:  Control flow issues  (DEADCODE)
/sys/external/bsd/acpica/dist/utilities/utnonansi.c: 346 in AcpiUtStrtoul64()


________________________________________________________________________________________________________
*** CID 1362412:  Control flow issues  (DEADCODE)
/sys/external/bsd/acpica/dist/utilities/utnonansi.c: 346 in AcpiUtStrtoul64()
340         /* Any string left? Check that '0x' is not followed by white space. */
341     
342         if (!(*String) || isspace ((int) *String) || *String == '\t')
343         {
344             if (Base == ACPI_ANY_BASE)
345             {
>>>     CID 1362412:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "goto ErrorExit;".
346                 goto ErrorExit;
347             }
348             else
349             {
350                 goto AllDone;
351             }

** CID 1362413:  Null pointer dereferences  (FORWARD_NULL)
/sys/dev/usb/ohci.c: 3128 in ohci_device_intr_fini()


________________________________________________________________________________________________________
*** CID 1362413:  Null pointer dereferences  (FORWARD_NULL)
/sys/dev/usb/ohci.c: 3128 in ohci_device_intr_fini()
3122     	OHCIHIST_FUNC(); OHCIHIST_CALLED();
3123     	DPRINTFN(8, "xfer %p nstd %d", xfer, ox->ox_nstd, 0, 0);
3124     
3125     	mutex_enter(&sc->sc_lock);
3126     	for (size_t i = 0; i < ox->ox_nstd; i++) {
3127     		ohci_soft_td_t *std = ox->ox_stds[i];
>>>     CID 1362413:  Null pointer dereferences  (FORWARD_NULL)
>>>     Comparing "std" to null implies that "std" might be null.
3128     		if (std != NULL)
3129     			break;
3130     		if (std != opipe->tail.td)
3131     			ohci_free_std_locked(sc, std);
3132     	}
3133     	mutex_exit(&sc->sc_lock);

** CID 1362414:  Null pointer dereferences  (FORWARD_NULL)
/sys/dev/usb/usbroothub.c: 378 in roothub_ctrl_start()


________________________________________________________________________________________________________
*** CID 1362414:  Null pointer dereferences  (FORWARD_NULL)
/sys/dev/usb/usbroothub.c: 378 in roothub_ctrl_start()
372     			/* Default to error */
373     			buflen = -1;
374     		}
375     		break;
376     	case C(UR_GET_DESCRIPTOR, UT_READ_CLASS_DEVICE):
377     		buflen = min(len, sizeof(usbroothub_hubd));
>>>     CID 1362414:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "buf" to "memcpy", which dereferences it.
378     		memcpy(buf, &usbroothub_hubd, buflen);
379     		break;
380     	case C(UR_GET_INTERFACE, UT_READ_INTERFACE):
381     		/* Get Interface, 9.4.4 */
382     		if (len > 0) {
383     			uint8_t *out = buf;

** CID 1362415:  Control flow issues  (MISSING_BREAK)
/sys/dev/usb/usb.c: 776 in usbioctl()


________________________________________________________________________________________________________
*** CID 1362415:  Control flow issues  (MISSING_BREAK)
/sys/dev/usb/usb.c: 776 in usbioctl()
770     		if (ptr) {
771     			len = UGETW(ur->ucr_request.wLength);
772     			kmem_free(ptr, len);
773     		}
774     	}
775     
>>>     CID 1362415:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
776     	case USB_DEVICEINFO:
777     	{
778     		struct usbd_device *dev;
779     		struct usb_device_info *di = (void *)data;
780     		int addr = di->udi_addr;
781     

** CID 1362416:  Incorrect expression  (SIZEOF_MISMATCH)
/sys/dev/usb/xhci.c: 2168 in xhci_allocx()


________________________________________________________________________________________________________
*** CID 1362416:  Incorrect expression  (SIZEOF_MISMATCH)
/sys/dev/usb/xhci.c: 2168 in xhci_allocx()
2162     	struct usbd_xfer *xfer;
2163     
2164     	XHCIHIST_FUNC(); XHCIHIST_CALLED();
2165     
2166     	xfer = pool_cache_get(sc->sc_xferpool, PR_NOWAIT);
2167     	if (xfer != NULL) {
>>>     CID 1362416:  Incorrect expression  (SIZEOF_MISMATCH)
>>>     Passing argument "xfer" of type "struct usbd_xfer *" and argument "512U" ("sizeof (struct xhci_xfer)") to function "memset" is suspicious because a multiple of "sizeof (struct usbd_xfer)" /*160*/ is expected.
2168     		memset(xfer, 0, sizeof(struct xhci_xfer));
2169     #ifdef DIAGNOSTIC
2170     		xfer->ux_state = XFER_BUSY;
2171     #endif
2172     	}
2173     

** CID 1362417:  Insecure data handling  (TAINTED_SCALAR)
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()


________________________________________________________________________________________________________
*** CID 1362417:  Insecure data handling  (TAINTED_SCALAR)
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268     		if (rlen + l > blen) {
2269     			if (debug)
2270     				addlog(" [overflow]");
2271     			continue;
2272     		}
2273     		/* Add the option to nak'ed list. */
>>>     CID 1362417:    (TAINTED_SCALAR)
>>>     Passing tainted variable "l" to a tainted sink.
2274     		memcpy(r, p, l);
2275     		r += l;
2276     		rlen += l;
2277     	}
2278     	if (rlen) {
2279     		if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268     		if (rlen + l > blen) {
2269     			if (debug)
2270     				addlog(" [overflow]");
2271     			continue;
2272     		}
2273     		/* Add the option to nak'ed list. */
>>>     CID 1362417:    (TAINTED_SCALAR)
>>>     Passing tainted variable "l" to a tainted sink.
2274     		memcpy(r, p, l);
2275     		r += l;
2276     		rlen += l;
2277     	}
2278     	if (rlen) {
2279     		if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268     		if (rlen + l > blen) {
2269     			if (debug)
2270     				addlog(" [overflow]");
2271     			continue;
2272     		}
2273     		/* Add the option to nak'ed list. */
>>>     CID 1362417:    (TAINTED_SCALAR)
>>>     Passing tainted variable "l" to a tainted sink.
2274     		memcpy(r, p, l);
2275     		r += l;
2276     		rlen += l;
2277     	}
2278     	if (rlen) {
2279     		if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268     		if (rlen + l > blen) {
2269     			if (debug)
2270     				addlog(" [overflow]");
2271     			continue;
2272     		}
2273     		/* Add the option to nak'ed list. */
>>>     CID 1362417:    (TAINTED_SCALAR)
>>>     Passing tainted variable "l" to a tainted sink.
2274     		memcpy(r, p, l);
2275     		r += l;
2276     		rlen += l;
2277     	}
2278     	if (rlen) {
2279     		if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {

** CID 1362418:  Insecure data handling  (TAINTED_SCALAR)
/sys/dev/usb/ohci.c: 2709 in ohci_device_ctrl_start()
/sys/dev/usb/ohci.c: 2709 in ohci_device_ctrl_start()


________________________________________________________________________________________________________
*** CID 1362418:  Insecure data handling  (TAINTED_SCALAR)
/sys/dev/usb/ohci.c: 2709 in ohci_device_ctrl_start()
2703     	if (sc->sc_dying)
2704     		return USBD_IOERROR;
2705     
2706     	KASSERT(xfer->ux_rqflags & URQ_REQUEST);
2707     
2708     	isread = req->bmRequestType & UT_READ;
>>>     CID 1362418:    (TAINTED_SCALAR)
>>>     Assigning: "len" = "req->wLength[0] | (req->wLength[1] << 8)". Both are now tainted.
2709     	len = UGETW(req->wLength);
2710     
2711     	DPRINTF("xfer=%p len=%d, addr=%d, endpt=%d", xfer, len, dev->ud_addr,
2712     	    opipe->pipe.up_endpoint->ue_edesc->bEndpointAddress);
2713     	DPRINTF("type=0x%02x, request=0x%02x, wValue=0x%04x, wIndex=0x%04x",
2714     	    req->bmRequestType, req->bRequest, UGETW(req->wValue),
/sys/dev/usb/ohci.c: 2709 in ohci_device_ctrl_start()
2703     	if (sc->sc_dying)
2704     		return USBD_IOERROR;
2705     
2706     	KASSERT(xfer->ux_rqflags & URQ_REQUEST);
2707     
2708     	isread = req->bmRequestType & UT_READ;
>>>     CID 1362418:    (TAINTED_SCALAR)
>>>     Assigning: "len" = "req->wLength[0] | (req->wLength[1] << 8)". Both are now tainted.
2709     	len = UGETW(req->wLength);
2710     
2711     	DPRINTF("xfer=%p len=%d, addr=%d, endpt=%d", xfer, len, dev->ud_addr,
2712     	    opipe->pipe.up_endpoint->ue_edesc->bEndpointAddress);
2713     	DPRINTF("type=0x%02x, request=0x%02x, wValue=0x%04x, wIndex=0x%04x",
2714     	    req->bmRequestType, req->bRequest, UGETW(req->wValue),

** CID 1362419:  Insecure data handling  (TAINTED_SCALAR)
/sys/dev/usb/ehci.c: 3534 in ehci_device_ctrl_start()


________________________________________________________________________________________________________
*** CID 1362419:  Insecure data handling  (TAINTED_SCALAR)
/sys/dev/usb/ehci.c: 3534 in ehci_device_ctrl_start()
3528     	KASSERT(xfer->ux_rqflags & URQ_REQUEST);
3529     
3530     	if (sc->sc_dying)
3531     		return USBD_IOERROR;
3532     
3533     	const int isread = req->bmRequestType & UT_READ;
>>>     CID 1362419:  Insecure data handling  (TAINTED_SCALAR)
>>>     Assigning: "len" = "req->wLength[0] | (req->wLength[1] << 8)". Both are now tainted.
3534     	const int len = UGETW(req->wLength);
3535     
3536     	DPRINTF("type=0x%02x, request=0x%02x, wValue=0x%04x, wIndex=0x%04x",
3537     	    req->bmRequestType, req->bRequest, UGETW(req->wValue),
3538     	    UGETW(req->wIndex));
3539     	DPRINTF("len=%d, addr=%d, endpt=%d", len, epipe->pipe.up_dev->ud_addr,


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-i386-kernel?tab=overview



