Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-i386-user



Hi,

Please find the latest report on new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.

58 new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
34 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 58 defect(s)


** CID 980287:  Control flow issues  (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 956 in ipf_send_icmp_err()


________________________________________________________________________________________________________
*** CID 980287:  Control flow issues  (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 956 in ipf_send_icmp_err()
950     		if (type == ICMP6_DST_UNREACH)
951     			code = icmptoicmp6unreach[code];
952     
953     		if (iclen + max_linkhdr + fin->fin_plen > avail) {
954     			MCLGET(m, M_DONTWAIT);
955     			if (m == NULL)
>>>     CID 980287:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return -1;".
956     				return -1;
957     			if ((m->m_flags & M_EXT) == 0) {
958     				FREE_MB_T(m);
959     				return -1;
960     			}
961     			avail = MCLBYTES;

** CID 980288:  Control flow issues  (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 735 in ipf_send_reset()


________________________________________________________________________________________________________
*** CID 980288:  Control flow issues  (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 735 in ipf_send_reset()
729     #endif
730     	if (m == NULL)
731     		return -1;
732     	if (sizeof(*tcp2) + hlen > MHLEN) {
733     		MCLGET(m, M_DONTWAIT);
734     		if (m == NULL)
>>>     CID 980288:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return -1;".
735     			return -1;
736     		if ((m->m_flags & M_EXT) == 0) {
737     			FREE_MB_T(m);
738     			return -1;
739     		}
740     	}

** CID 980289:  Control flow issues  (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_irc_pxy.c: 287 in ipf_p_irc_send()


________________________________________________________________________________________________________
*** CID 980289:  Control flow issues  (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_irc_pxy.c: 287 in ipf_p_irc_send()
281     #endif
282     	if (dlen <= 0)
283     		return 0;
284     	COPYDATA(m, off, MIN(sizeof(ctcpbuf), dlen), ctcpbuf);
285     
286     	if (dlen <= 0)
>>>     CID 980289:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return 0;".
287     		return 0;
288     	ctcpbuf[sizeof(ctcpbuf) - 1] = '\0';
289     	*newbuf = '\0';
290     
291     	irc = nat->nat_aps->aps_data;
292     	if (ipf_p_irc_complete(irc, ctcpbuf, dlen) == 0)

** CID 980360:  Incorrect expression  (NO_EFFECT)
/sys/external/bsd/ipf/netinet/ip_fil_compat.c: 2335 in friostat_4_1_0_to_current()


________________________________________________________________________________________________________
*** CID 980360:  Incorrect expression  (NO_EFFECT)
/sys/external/bsd/ipf/netinet/ip_fil_compat.c: 2335 in friostat_4_1_0_to_current()
2329     	fiop->f_ipf[1][0] = old->f_ipf[1][0];
2330     	fiop->f_ipf[1][1] = old->f_ipf[1][1];
2331     	fiop->f_acct[0][0] = old->f_acct[0][0];
2332     	fiop->f_acct[0][1] = old->f_acct[0][1];
2333     	fiop->f_acct[1][0] = old->f_acct[1][0];
2334     	fiop->f_acct[1][1] = old->f_acct[1][1];
>>>     CID 980360:  Incorrect expression  (NO_EFFECT)
>>>     Assignment operation "fiop->f_auth = fiop->f_auth" has no effect.
2335     	fiop->f_auth = fiop->f_auth;
2336     	bcopy(&old->f_groups, &fiop->f_groups, sizeof(old->f_groups));
2337     	bcopy(&old->f_froute, &fiop->f_froute, sizeof(old->f_froute));
2338     	fiop->f_ticks = old->f_ticks;
2339     	bcopy(&old->f_locks, &fiop->f_locks, sizeof(old->f_locks));
2340     	fiop->f_defpass = old->f_defpass;

** CID 980361:  Incorrect expression  (NO_EFFECT)
/sys/external/bsd/ipf/netinet/ip_fil_compat.c: 2305 in friostat_4_1_33_to_current()


________________________________________________________________________________________________________
*** CID 980361:  Incorrect expression  (NO_EFFECT)
/sys/external/bsd/ipf/netinet/ip_fil_compat.c: 2305 in friostat_4_1_33_to_current()
2299     	fiop->f_ipf[1][0] = old->f_ipf[1][0];
2300     	fiop->f_ipf[1][1] = old->f_ipf[1][1];
2301     	fiop->f_acct[0][0] = old->f_acct[0][0];
2302     	fiop->f_acct[0][1] = old->f_acct[0][1];
2303     	fiop->f_acct[1][0] = old->f_acct[1][0];
2304     	fiop->f_acct[1][1] = old->f_acct[1][1];
>>>     CID 980361:  Incorrect expression  (NO_EFFECT)
>>>     Assignment operation "fiop->f_auth = fiop->f_auth" has no effect.
2305     	fiop->f_auth = fiop->f_auth;
2306     	bcopy(&old->f_groups, &fiop->f_groups, sizeof(old->f_groups));
2307     	bcopy(&old->f_froute, &fiop->f_froute, sizeof(old->f_froute));
2308     	fiop->f_ticks = old->f_ticks;
2309     	bcopy(&old->f_locks, &fiop->f_locks, sizeof(old->f_locks));
2310     	fiop->f_defpass = old->f_defpass;

** CID 980424:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 980424:  Memory - corruptions  (OVERRUN)
/sys/external/bsd/ipf/netinet/fil.c: 7812 in ipf_genericiter()
7806     ipf_genericiter(ipf_main_softc_t *softc, void *data, int uid, void *ctx)
7807     {
7808     	ipftoken_t *token;
7809     	ipfgeniter_t iter;
7810     	int error;
7811     
>>>     CID 980424:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type ipfgeniter_t of 12 bytes by passing it to a function which accesses it at byte offset 435.
7812     	error = ipf_inobj(softc, data, NULL, &iter, IPFOBJ_GENITER);
7813     	if (error != 0)
7814     		return error;
7815     
7816     	token = ipf_token_find(softc, iter.igi_type, uid, ctx);
7817     	if (token != NULL) {

** CID 980425:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 980425:  Memory - corruptions  (OVERRUN)
/sys/external/bsd/ipf/netinet/fil.c: 7000 in ipf_ipftune()
6994     {
6995     	ipftuneable_t *ta;
6996     	ipftune_t tu;
6997     	void *cookie;
6998     	int error;
6999     
>>>     CID 980425:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type ipftune_t of 104 bytes by passing it to a function which accesses it at byte offset 435.
7000     	error = ipf_inobj(softc, data, NULL, &tu, IPFOBJ_TUNEABLE);
7001     	if (error != 0)
7002     		return error;
7003     
7004     	tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0';
7005     	cookie = tu.ipft_cookie;

** CID 980426:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 980426:  Memory - corruptions  (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_auth.c: 1157 in ipf_auth_reply()
1151     	int error, i;
1152     #ifdef _KERNEL
1153     	mb_t *m;
1154     #endif
1155     	SPL_INT(s);
1156     
>>>     CID 980426:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type frauth_t of 228 bytes by passing it to a function which accesses it at byte offset 435.
1157     	error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH);
1158     	if (error != 0)
1159     		return error;
1160     
1161     	SPL_NET(s);
1162     	WRITE_ENTER(&softa->ipf_authlk);

** CID 980427:  Memory - corruptions  (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_auth.c: 1021 in ipf_auth_wait()


________________________________________________________________________________________________________
*** CID 980427:  Memory - corruptions  (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_auth.c: 1021 in ipf_auth_wait()
1015     /* If there are no packets present in the queue (ipf_auth_pkts) then we go  */
1016     /* to sleep.                                                                */
1017     /* ------------------------------------------------------------------------ */
1018     static int
1019     ipf_auth_wait(ipf_main_softc_t *softc, ipf_auth_softc_t *softa, char *data)
1020     {
>>>     CID 980427:  Memory - corruptions  (OVERRUN)
>>>     Assigning: "au" = "&auth". "au" now points to element 0 of "auth" (which consists of 1 228-byte elements).
1021     	frauth_t auth, *au = &auth;
1022     	int error, len, i;
1023     	mb_t *m;
1024     	char *t;
1025     	SPL_INT(s);
1026     

** CID 980428:  Memory - corruptions  (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 1013 in ipf_send_icmp_err()


________________________________________________________________________________________________________
*** CID 980428:  Memory - corruptions  (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 1013 in ipf_send_icmp_err()
1007     		} else {	/* make up a number... */
1008     			icmp->icmp_nextmtu = htons(fin->fin_plen - 20);
1009     		}
1010     	}
1011     #endif
1012     
>>>     CID 980428:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type ip of 20 bytes by passing it to a function which accesses it at byte offset 39 using argument "ohlen" (which evaluates to 40).
1013     	bcopy((char *)fin->fin_ip, (char *)ip2, ohlen);
1014     
1015     #if defined(M_CSUM_IPv4)
1016     	/*
1017     	 * Clear any in-bound checksum flags for this packet.
1018     	 */

** CID 980429:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 980429:  Memory - corruptions  (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_lookup.c: 691 in ipf_lookup_iterate()
685     	ipf_lookup_softc_t *softl = softc->ipf_lookup_soft;
686     	ipflookupiter_t iter;
687     	ipftoken_t *token;
688     	int err, i;
689     	SPL_INT(s);
690     
>>>     CID 980429:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type ipflookupiter_t of 28 bytes by passing it to a function which accesses it at byte offset 435.
691     	err = ipf_inobj(softc, data, NULL, &iter, IPFOBJ_LOOKUPITER);
692     	if (err != 0)
693     		return err;
694     
695     	if (iter.ili_unit < IPL_LOGALL && iter.ili_unit > IPL_LOGMAX) {
696     		IPFERROR(50038);

** CID 980430:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 980430:  Memory - corruptions  (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_nat.c: 7811 in ipf_nat_gettable()
7805     static int
7806     ipf_nat_gettable(ipf_main_softc_t *softc, ipf_nat_softc_t *softn, char *data)
7807     {
7808     	ipftable_t table;
7809     	int error;
7810     
>>>     CID 980430:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type ipftable_t of 8 bytes by passing it to a function which accesses it at byte offset 435.
7811     	error = ipf_inobj(softc, data, NULL, &table, IPFOBJ_GTABLE);
7812     	if (error != 0)
7813     		return error;
7814     
7815     	switch (table.ita_type)
7816     	{

** CID 980431:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 980431:  Memory - corruptions  (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_nat.c: 1219 in ipf_nat_ioctl()
1213     	    }
1214     
1215     	case SIOCGNATL :
1216     	    {
1217     		natlookup_t nl;
1218     
>>>     CID 980431:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type natlookup_t of 64 bytes by passing it to a function which accesses it at byte offset 435.
1219     		error = ipf_inobj(softc, data, NULL, &nl, IPFOBJ_NATLOOKUP);
1220     		if (error == 0) {
1221     			void *ptr;
1222     
1223     			if (getlock) {
1224     				READ_ENTER(&softc->ipf_nat);

** CID 980432:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 980432:  Memory - corruptions  (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_proxy.c: 720 in ipf_proxy_ioctl()
714     
715     	mode = mode;	/* LINT */
716     
717     	switch (cmd)
718     	{
719     	case SIOCPROXY :
>>>     CID 980432:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type ap_ctl_t of 52 bytes by passing it to a function which accesses it at byte offset 435.
720     		error = ipf_inobj(softc, data, NULL, &ctl, IPFOBJ_PROXYCTL);
721     		if (error != 0) {
722     			return error;
723     		}
724     		ptr = NULL;
725     

** CID 980433:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 980433:  Memory - corruptions  (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_state.c: 4819 in ipf_state_gettable()
4813     ipf_state_gettable(ipf_main_softc_t *softc, ipf_state_softc_t *softs,
4814         char *data)
4815     {
4816     	ipftable_t table;
4817     	int error;
4818     
>>>     CID 980433:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type ipftable_t of 8 bytes by passing it to a function which accesses it at byte offset 435.
4819     	error = ipf_inobj(softc, data, NULL, &table, IPFOBJ_GTABLE);
4820     	if (error != 0)
4821     		return error;
4822     
4823     	if (table.ita_type != IPFTABLE_BUCKETS) {
4824     		IPFERROR(100031);

** CID 980513:    (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 4352 in frrequest()


________________________________________________________________________________________________________
*** CID 980513:    (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 4347 in frrequest()
4341     			return error;
4342     		}
4343     		if ((fp->fr_type & FR_T_BUILTIN) != 0) {
4344     			IPFERROR(6);
4345     			return EINVAL;
4346     		}
>>>     CID 980513:    (TAINTED_SCALAR)
>>>     Passing tainted variable "fp->fr_size" to a tainted sink.
4347     		KMALLOCS(f, frentry_t *, fp->fr_size);
4348     		if (f == NULL) {
4349     			IPFERROR(131);
4350     			return ENOMEM;
4351     		}
4352     		bzero(f, fp->fr_size);
/sys/external/bsd/ipf/netinet/fil.c: 4352 in frrequest()
4346     		}
4347     		KMALLOCS(f, frentry_t *, fp->fr_size);
4348     		if (f == NULL) {
4349     			IPFERROR(131);
4350     			return ENOMEM;
4351     		}
>>>     CID 980513:    (TAINTED_SCALAR)
>>>     Passing tainted variable "fp->fr_size" to a tainted sink.
4352     		bzero(f, fp->fr_size);
4353     		error = ipf_inobjsz(softc, data, f, IPFOBJ_FRENTRY,
4354     				    fp->fr_size);
4355     		if (error) {
4356     			KFREES(f, fp->fr_size);
4357     			return error;
/sys/external/bsd/ipf/netinet/fil.c: 4353 in frrequest()
4347     		KMALLOCS(f, frentry_t *, fp->fr_size);
4348     		if (f == NULL) {
4349     			IPFERROR(131);
4350     			return ENOMEM;
4351     		}
4352     		bzero(f, fp->fr_size);
>>>     CID 980513:    (TAINTED_SCALAR)
>>>     Passing tainted variable "fp->fr_size" to a tainted sink.
4353     		error = ipf_inobjsz(softc, data, f, IPFOBJ_FRENTRY,
4354     				    fp->fr_size);
4355     		if (error) {
4356     			KFREES(f, fp->fr_size);
4357     			return error;
4358     		}

** CID 980514:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 980514:  Insecure data handling  (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 7758 in ipf_frruleiter()
7752     		RWLOCK_EXIT(&softc->ipf_tokens);
7753     	} else {
7754     		error = ipf_inobj(softc, data, &obj, &it, IPFOBJ_IPFITER);
7755     		if (error != 0)
7756     			return error;
7757     		it.iri_rule = NULL;
>>>     CID 980514:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "it" to a tainted sink.
7758     		error = ipf_outobj(softc, data, &it, IPFOBJ_IPFITER);
7759     	}
7760     
7761     	return error;
7762     }
7763     

** CID 980515:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 980515:  Insecure data handling  (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 7978 in ipf_ipf_ioctl()
7972     	case SIOCGETFS :
7973     		error = ipf_inobj(softc, (void *)data, &obj, &fio,
7974     				  IPFOBJ_IPFSTAT);
7975     		if (error != 0)
7976     			break;
7977     		ipf_getstat(softc, &fio, obj.ipfo_rev);
>>>     CID 980515:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "fio" to a tainted sink.
7978     		error = ipf_outobj(softc, (void *)data, &fio, IPFOBJ_IPFSTAT);
7979     		break;
7980     
7981     	case SIOCFRZST :
7982     		if (!(mode & FWRITE)) {
7983     			IPFERROR(104);

** CID 980516:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 980516:    (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 7055 in ipf_ipftune()
7049     			tu.ipft_max = ta->ipft_max;
7050     			tu.ipft_flags = ta->ipft_flags;
7051     			bcopy(ta->ipft_name, tu.ipft_name,
7052     			      MIN(sizeof(tu.ipft_name),
7053     				  strlen(ta->ipft_name) + 1));
7054     		}
>>>     CID 980516:    (TAINTED_SCALAR)
>>>     Passing tainted variable "tu" to a tainted sink.
7055     		error = ipf_outobj(softc, data, &tu, IPFOBJ_TUNEABLE);
7056     		break;
7057     
7058     	case SIOCIPFGET :
7059     	case SIOCIPFSET :
7060     		/*
/sys/external/bsd/ipf/netinet/fil.c: 7098 in ipf_ipftune()
7092     				tu.ipft_vchar = *ta->ipft_pchar;
7093     			tu.ipft_cookie = ta;
7094     			tu.ipft_sz = ta->ipft_sz;
7095     			tu.ipft_min = ta->ipft_min;
7096     			tu.ipft_max = ta->ipft_max;
7097     			tu.ipft_flags = ta->ipft_flags;
>>>     CID 980516:    (TAINTED_SCALAR)
>>>     Passing tainted variable "tu" to a tainted sink.
7098     			error = ipf_outobj(softc, data, &tu, IPFOBJ_TUNEABLE);
7099     
7100     		} else if (cmd == (ioctlcmd_t)SIOCIPFSET) {
7101     			/*
7102     			 * Set an internal parameter.  The hard part here is
7103     			 * getting the new value safely and correctly out of

** CID 980518:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 980518:  Insecure data handling  (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 7180 in ipf_zerostats()
7174     	int error;
7175     
7176     	error = ipf_inobj(softc, data, &obj, &fio, IPFOBJ_IPFSTAT);
7177     	if (error != 0)
7178     		return error;
7179     	ipf_getstat(softc, &fio, obj.ipfo_rev);
>>>     CID 980518:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "fio" to a tainted sink.
7180     	error = ipf_outobj(softc, data, &fio, IPFOBJ_IPFSTAT);
7181     	if (error != 0)
7182     		return error;
7183     
7184     	WRITE_ENTER(&softc->ipf_mutex);
7185     	bzero(&softc->ipf_stats, sizeof(softc->ipf_stats));


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-i386-user?tab=overview

To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://scan.coverity.com/subscriptions/edit?email=coverity-updates%40netbsd.org&token=487286ca1a9a4f4bd485d16f66b5e782


