Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD
Hi,
Please find the latest report on new defect(s) introduced to NetBSD
(NetBSD-amd64-user), found with Coverity Scan.
Defect(s) Reported-by: Coverity Scan
Showing 7 of 17 defects
** CID 1107553: String not null terminated (STRING_NULL)
** CID 1107552: String not null terminated (STRING_NULL)
** CID 1107551: Wrong sizeof argument (SIZEOF_MISMATCH)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/i810_dri.c: 1120
** CID 1107550: Resource leak (RESOURCE_LEAK)
/tests/net/net/t_unix.c: 231
** CID 1107549: Resource leak (RESOURCE_LEAK)
/tests/net/net/t_unix.c: 147
** CID 1107548: Resource leak (RESOURCE_LEAK)
/tests/net/net/t_tcp.c: 156
** CID 1107547: Resource leak (RESOURCE_LEAK)
/libexec/httpd/lua-bozo.c: 257
________________________________________________________________________
CID 1107553: String not null terminated (STRING_NULL)
/libexec/httpd/lua-bozo.c: 94 ( string_null_argument)
91
92 len = luaL_checkinteger(L, -1);
93 data = bozomalloc(httpd, len + 1);
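>>> CID 1107553: String not null terminated (STRING_NULL)
>>> Function "bozo_read(bozohttpd_t *, int, void *, size_t)" does not terminate
>>> string "*data". Line 93 allocates len + 1 bytes, so there is room for a
>>> terminator, but nothing in this excerpt writes data[len] before line 95
>>> reads the buffer as a C string; set data[len] = '\0' after the read, or
>>> push the bytes with an explicit length (lua_pushlstring).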
94 bozo_read(httpd, STDIN_FILENO, data, len);
95 lua_pushstring(L, data);
96 free(data);
97 return 1;
98 }
/libexec/httpd/lua-bozo.c: 95 ( string_null)
92 len = luaL_checkinteger(L, -1);
93 data = bozomalloc(httpd, len + 1);
94 bozo_read(httpd, STDIN_FILENO, data, len);
>>> Passing unterminated string "data" to "lua_pushstring(lua_State *, char
>>> const *)", which expects a null-terminated string.
95 lua_pushstring(L, data);
96 free(data);
97 return 1;
98 }
99
________________________________________________________________________
CID 1107552: String not null terminated (STRING_NULL)
/libexec/httpd/lua-bozo.c: 410 ( string_null_argument)
407 length = atol(clen);
408 content =
bozomalloc(httpd,
409 length);
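>>> CID 1107552: String not null terminated (STRING_NULL)
>>> Function "bozo_read(bozohttpd_t *, int, void *, size_t)" does not terminate
>>> string "*content". The buffer is allocated with exactly "length" bytes
>>> (lines 408-409), so it has no room for a terminator: the allocation needs
>>> length + 1 bytes and content[length] must be set to '\0' before line 412.
>>> "length" comes from atol(clen) on line 407, and no range check on it is
>>> visible in this excerpt.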
410 bozo_read(httpd,
STDIN_FILENO,
411 content, length);
412 lua_decode_query(map->L,
413 content);
414 free(content);
/libexec/httpd/lua-bozo.c: 412 ( string_null)
409 length);
410 bozo_read(httpd,
STDIN_FILENO,
411 content, length);
>>> Passing unterminated string "content" to "lua_decode_query(lua_State *,
>>> char *)", which expects a null-terminated string.
412 lua_decode_query(map->L,
413 content);
414 free(content);
415 }
416 }
________________________________________________________________________
CID 1107551: Wrong sizeof argument (SIZEOF_MISMATCH)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/i810_dri.c: 1120 (
suspicious_sizeof)
1117 ScrnInfoPtr pScrn = xf86Screens[pScreen->myNum];
1118 I810Ptr info = I810PTR(pScrn);
1119
>>> CID 1107551: Wrong sizeof argument (SIZEOF_MISMATCH)
>>> Passing argument "sPriv" of type "I810SAREARec *" and argument "8UL /*
>>> sizeof (sPriv) */" to function "memset(void *, int, size_t)" is suspicious.
>>> Did you intend to use "sizeof(*sPriv)" instead of "sizeof (sPriv)" ?
>>> As written, only the first 8 bytes of "*sPriv" are zeroed; the rest of the
>>> structure keeps its previous contents.
1120 memset(sPriv, 0, sizeof(sPriv));
1121
1122 /* Have shadow run only while there is 3d active.
1123 */
1124 if (info->allowPageFlip && info->drmMinor >= 3) {
________________________________________________________________________
CID 1107550: Resource leak (RESOURCE_LEAK)
/tests/net/net/t_unix.c: 200 ( alloc_fn)
197 }
198 #endif
199
>>> Storage is returned from allocation function "calloc(size_t, size_t)".
200 if ((sock_addr = calloc(1, slen)) == NULL)
201 FAIL("calloc");
202 sock_addrlen = slen;
203 if (getsockname(srvr, (struct sockaddr *)sock_addr,
&sock_addrlen)
204 == -1)
/tests/net/net/t_unix.c: 200 ( var_assign)
197 }
198 #endif
199
>>> Assigning: "sock_addr" = storage returned from "calloc(1UL, slen)".
200 if ((sock_addr = calloc(1, slen)) == NULL)
201 FAIL("calloc");
202 sock_addrlen = slen;
203 if (getsockname(srvr, (struct sockaddr *)sock_addr,
&sock_addrlen)
204 == -1)
/tests/net/net/t_unix.c: 203 ( noescape)
200 if ((sock_addr = calloc(1, slen)) == NULL)
201 FAIL("calloc");
202 sock_addrlen = slen;
>>> Resource "(struct sockaddr *)sock_addr" is not freed or pointed-to in
>>> function "getsockname(int, struct sockaddr *, __socklen_t *)".
203 if (getsockname(srvr, (struct sockaddr *)sock_addr,
&sock_addrlen)
204 == -1)
205 FAIL("getsockname");
206 print("sock", sock_addr, sock_addrlen);
207
/tests/net/net/t_unix.c: 206 ( noescape)
203 if (getsockname(srvr, (struct sockaddr *)sock_addr,
&sock_addrlen)
204 == -1)
205 FAIL("getsockname");
>>> Resource "sock_addr" is not freed or pointed-to in function "print(char
>>> const *, struct sockaddr_un *, __socklen_t)".
206 print("sock", sock_addr, sock_addrlen);
207
208 if (sock_addr->sun_family != AF_UNIX)
209 FAIL("sock_addr->sun_family %d != AF_UNIX",
210 sock_addr->sun_family);
/tests/net/net/t_unix.c: 231 ( leaked_storage)
228 if (!closeit)
229 (void)close(clnt);
230
>>> CID 1107550: Resource leak (RESOURCE_LEAK)
>>> Variable "sock_addr" going out of scope leaks the storage it points to.
231 return 0;
232 }
233
234 #ifndef TEST
235
________________________________________________________________________
CID 1107549: Resource leak (RESOURCE_LEAK)
/tests/net/net/t_unix.c: 138 ( open_fn)
135 struct sockaddr_un *sock_addr, *sun;
136 socklen_t sock_addrlen;
137
>>> Returning handle opened by function "socket(int, int, int)".
138 srvr = socket(AF_UNIX, SOCK_STREAM, 0);
139 if (srvr == -1)
140 FAIL("socket(srvrer)");
141
142 slen = len + OF + 1;
/tests/net/net/t_unix.c: 138 ( var_assign)
135 struct sockaddr_un *sock_addr, *sun;
136 socklen_t sock_addrlen;
137
>>> Assigning: "srvr" = handle returned from "socket(1, 1, 0)".
138 srvr = socket(AF_UNIX, SOCK_STREAM, 0);
139 if (srvr == -1)
140 FAIL("socket(srvrer)");
141
142 slen = len + OF + 1;
/tests/net/net/t_unix.c: 147 ( overwrite_var)
144 if ((sun = calloc(1, slen)) == NULL)
145 FAIL("calloc");
146
>>> CID 1107549: Resource leak (RESOURCE_LEAK)
>>> Overwriting handle "srvr" in "srvr = socket(1, 1, 0)" leaks the handle.
147 srvr = socket(AF_UNIX, SOCK_STREAM, 0);
148 if (srvr == -1)
149 FAIL("socket");
150
151 memset(sun->sun_path, 'a', len);
________________________________________________________________________
CID 1107548: Resource leak (RESOURCE_LEAK)
/tests/net/net/t_tcp.c: 102 ( open_fn)
99 if (ok == -1)
100 FAIL("listen");
101
>>> Returning handle opened by function "socket(int, int, int)".
102 clnt = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
103 if (clnt == -1)
104 FAIL("socket");
105
106 /* may not connect first time */
/tests/net/net/t_tcp.c: 102 ( var_assign)
99 if (ok == -1)
100 FAIL("listen");
101
>>> Assigning: "clnt" = handle returned from "socket(2, 536870913, 0)".
102 clnt = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
103 if (clnt == -1)
104 FAIL("socket");
105
106 /* may not connect first time */
/tests/net/net/t_tcp.c: 107 ( noescape)
104 FAIL("socket");
105
106 /* may not connect first time */
>>> Resource "clnt" is not freed or pointed-to in function "connect(int, struct
>>> sockaddr const *, __socklen_t)".
107 ok = connect(clnt, (struct sockaddr *) &ba, addrlen);
108 as = paccept(srvr, NULL, NULL, NULL, pacceptblock ? 0 :
SOCK_NONBLOCK);
109 ok = connect(clnt, (struct sockaddr *) &ba, addrlen);
110 if (ok == -1 && errno != EISCONN)
111 FAIL("both connects failed");
/tests/net/net/t_tcp.c: 109 ( noescape)
106 /* may not connect first time */
107 ok = connect(clnt, (struct sockaddr *) &ba, addrlen);
108 as = paccept(srvr, NULL, NULL, NULL, pacceptblock ? 0 :
SOCK_NONBLOCK);
>>> Resource "clnt" is not freed or pointed-to in function "connect(int, struct
>>> sockaddr const *, __socklen_t)".
109 ok = connect(clnt, (struct sockaddr *) &ba, addrlen);
110 if (ok == -1 && errno != EISCONN)
111 FAIL("both connects failed");
112
113 #if 0
/tests/net/net/t_tcp.c: 156 ( leaked_handle)
153 if (n != -1 || errno != EWOULDBLOCK)
154 FAIL("read");
155 }
>>> CID 1107548: Resource leak (RESOURCE_LEAK)
>>> Handle variable "clnt" going out of scope leaks the handle.
156 }
157
158 #ifndef TEST
159
160 ATF_TC(paccept_reset_nonblock);
________________________________________________________________________
CID 1107547: Resource leak (RESOURCE_LEAK)
/libexec/httpd/lua-bozo.c: 249 ( alloc_fn)
246 if (v == NULL)
247 return;
248 *v++ = '\0';
>>> Storage is returned from allocation function "malloc(size_t)".
249 val = malloc(strlen(v) + 1);
250 if (val == NULL)
251 return;
252
253 for (p = v, q = val; *p; p++) {
/libexec/httpd/lua-bozo.c: 249 ( var_assign)
246 if (v == NULL)
247 return;
248 *v++ = '\0';
>>> Assigning: "val" = storage returned from "malloc(strlen(v) + 1UL)".
249 val = malloc(strlen(v) + 1);
250 if (val == NULL)
251 return;
252
253 for (p = v, q = val; *p; p++) {
/libexec/httpd/lua-bozo.c: 253 ( var_assign)
250 if (val == NULL)
251 return;
252
>>> Assigning: "q" = "val".
253 for (p = v, q = val; *p; p++) {
254 switch (*p) {
255 case '%':
256 if (*(p + 1) == '\0' || *(p + 2) == '\0')
257 return;
/libexec/httpd/lua-bozo.c: 257 ( leaked_storage)
254 switch (*p) {
255 case '%':
256 if (*(p + 1) == '\0' || *(p + 2) == '\0')
>>> Variable "q" going out of scope leaks the storage it points to.
257 return;
258 buf[0] = *++p;
259 buf[1] = *++p;
260 buf[2] = '\0';
261 sscanf(buf, "%2x", &c);
/libexec/httpd/lua-bozo.c: 257 ( leaked_storage)
254 switch (*p) {
255 case '%':
256 if (*(p + 1) == '\0' || *(p + 2) == '\0')
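>>> CID 1107547: Resource leak (RESOURCE_LEAK)
>>> Variable "val" going out of scope leaks the storage it points to. This
>>> return is taken when a '%' escape is cut short (line 256), so each such
>>> input leaks the strlen(v) + 1 bytes allocated on line 249; free(val) is
>>> needed before returning.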
257 return;
258 buf[0] = *++p;
259 buf[1] = *++p;
260 buf[2] = '\0';
261 sscanf(buf, "%2x", &c);
________________________________________________________________________
To view the defects in Coverity Scan, visit http://scan.coverity.com
To unsubscribe from the email notification for new defects, visit
http://scan5.coverity.com/cgi-bin/unsubscribe.py