New Defects reported by Coverity Scan for NetBSD-i386-user
- To: undisclosed-recipients:;
- Subject: New Defects reported by Coverity Scan for NetBSD-i386-user
- From: scan-admin%coverity.com@localhost
- Date: Fri, 24 Jan 2014 09:18:35 -0800
Hi,
Please find the latest report on new defect(s) introduced to NetBSD found with
Coverity Scan.
Defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)
** CID 1164169: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
/usr.bin/vndcompress/vndcompress.c: 601 in compress_restart()
** CID 980393: Out-of-bounds read (OVERRUN)
/sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c: 331 in nist_ctr_drbg_block_cipher_df()
** CID 1164170: Resource leak (RESOURCE_LEAK)
/lib/libc/net/gethnamaddr.c: 264 in getanswer()
/lib/libc/net/gethnamaddr.c: 272 in getanswer()
** CID 1164171: Resource leak (RESOURCE_LEAK)
/lib/libc/net/gethnamaddr.c: 299 in getanswer()
/lib/libc/net/gethnamaddr.c: 306 in getanswer()
** CID 1164054: Uninitialized scalar variable (UNINIT)
/sys/netinet6/nd6.c: 826 in nd6_lookup1()
** CID 1164172: Double free (USE_AFTER_FREE)
/lib/libc/net/gethnamaddr.c: 517 in getanswer()
________________________________________________________________________________________________________
*** CID 1164169: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
/usr.bin/vndcompress/vndcompress.c: 601 in compress_restart()
595 /* Read in the partial offset table. */
596 if (!offtab_reset_read(&S->offtab, &warn, &warnx))
597 return false;
598 if (!offtab_prepare_get(&S->offtab, 0))
599 return false;
600 const uint64_t first_offset = offtab_get(&S->offtab, 0);
>>> CID 1164169: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "S->n_offsets * 8U" with type
>>> "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic
>>> before being used in a context which expects an expression of type
>>> "__uint64_t const" (64 bits, unsigned). To avoid overflow, cast either
>>> operand to "__uint64_t const" before performing the multiplication.
601 if (first_offset != (sizeof(struct cloop2_header) +
602 (S->n_offsets * sizeof(uint64_t)))) {
603 warnx("first offset is not 0x%"PRIx64": 0x%"PRIx64,
604 ((uint64_t)S->n_offsets * sizeof(uint64_t)),
605 first_offset);
606 return false;
________________________________________________________________________________________________________
*** CID 980393: Out-of-bounds read (OVERRUN)
/sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c: 331 in nist_ctr_drbg_block_cipher_df()
325 temp = output_buffer;
326
327 /* [13] While len(temp) < number_of_bits_to_return, do */
328 blocks = (int)(N / NIST_BLOCK_OUTLEN_BYTES);
329 if (N & (NIST_BLOCK_OUTLEN_BYTES - 1))
330 ++blocks;
>>> CID 980393: Out-of-bounds read (OVERRUN)
>>> In this loop, counter "j" goes from 0 up to 4, executing the loop body
>>> 4 times before the final iteration. The loop also increments "temp" by 4
>>> in each iteration, so that it points to element index 16 before the final
>>> iteration.
331 for (j = 0; j < blocks; ++j) {
332 /* [13.1] X = Block_Encrypt(K, X) */
333 Block_Encrypt(&ctx, X, temp);
334 X = temp;
335 temp += NIST_BLOCK_OUTLEN_INTS;
336 }
________________________________________________________________________________________________________
*** CID 1164170: Resource leak (RESOURCE_LEAK)
/lib/libc/net/gethnamaddr.c: 264 in getanswer()
258 hp = &answer->hdr;
259 ancount = ntohs(hp->ancount);
260 qdcount = ntohs(hp->qdcount);
261 bp = buf;
262 ep = buf + buflen;
263 cp = answer->buf;
>>> CID 1164170: Resource leak (RESOURCE_LEAK)
>>> Variable "aliases" going out of scope leaks the storage it points to.
264 BOUNDED_INCR(HFIXEDSZ);
265 if (qdcount != 1)
266 goto no_recovery;
267
268 n = dn_expand(answer->buf, eom, cp, bp, (int)(ep - bp));
269 if ((n < 0) || !maybe_ok(res, bp, name_ok))
/lib/libc/net/gethnamaddr.c: 272 in getanswer()
266 goto no_recovery;
267
268 n = dn_expand(answer->buf, eom, cp, bp, (int)(ep - bp));
269 if ((n < 0) || !maybe_ok(res, bp, name_ok))
270 goto no_recovery;
271
>>> CID 1164170: Resource leak (RESOURCE_LEAK)
>>> Variable "aliases" going out of scope leaks the storage it points to.
272 BOUNDED_INCR(n + QFIXEDSZ);
273 if (qtype == T_A || qtype == T_AAAA) {
274 /* res_send() has already verified that the query name
is the
275 * same as the one we sent; this just gets the expanded
name
276 * (i.e., with the succeeding search-domain tacked on).
277 */
________________________________________________________________________________________________________
*** CID 1164171: Resource leak (RESOURCE_LEAK)
/lib/libc/net/gethnamaddr.c: 299 in getanswer()
293 n = dn_expand(answer->buf, eom, cp, bp, (int)(ep - bp));
294 if ((n < 0) || !maybe_ok(res, bp, name_ok)) {
295 had_error++;
296 continue;
297 }
298 cp += n; /* name */
>>> CID 1164171: Resource leak (RESOURCE_LEAK)
>>> Variable "ap" going out of scope leaks the storage it points to.
299 BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ);
300 type = _getshort(cp);
301 cp += INT16SZ; /* type */
302 class = _getshort(cp);
303 cp += INT16SZ + INT32SZ; /* class, TTL */
304 n = _getshort(cp);
/lib/libc/net/gethnamaddr.c: 306 in getanswer()
300 type = _getshort(cp);
301 cp += INT16SZ; /* type */
302 class = _getshort(cp);
303 cp += INT16SZ + INT32SZ; /* class, TTL */
304 n = _getshort(cp);
305 cp += INT16SZ; /* len */
>>> CID 1164171: Resource leak (RESOURCE_LEAK)
>>> Variable "ap" going out of scope leaks the storage it points to.
306 BOUNDS_CHECK(cp, n);
307 erdata = cp + n;
308 if (class != C_IN) {
309 /* XXX - debug? syslog? */
310 cp += n;
311 continue; /* XXX - had_error++ ?
*/
________________________________________________________________________________________________________
*** CID 1164054: Uninitialized scalar variable (UNINIT)
/sys/netinet6/nd6.c: 826 in nd6_lookup1()
820
821 static struct rtentry *
822 nd6_lookup1(const struct in6_addr *addr6, int create, struct ifnet *ifp,
823 int cloning)
824 {
825 struct rtentry *rt;
>>> CID 1164054: Uninitialized scalar variable (UNINIT)
>>> Declaring variable "sin6" without initializer.
826 struct sockaddr_in6 sin6;
827
828 sockaddr_in6_init(&sin6, addr6, 0, 0, 0);
829 rt = rtalloc1((struct sockaddr *)&sin6, create);
830 if (rt != NULL && (rt->rt_flags & RTF_LLINFO) == 0) {
831 /*
________________________________________________________________________________________________________
*** CID 1164172: Double free (USE_AFTER_FREE)
/lib/libc/net/gethnamaddr.c: 517 in getanswer()
511 goto nospc;
512 hent->h_addr_list = (void *)bp;
513 memcpy(bp, addr_ptrs, qlen);
514 *he = NETDB_SUCCESS;
515 return hent;
516 nospc:
>>> CID 1164172: Double free (USE_AFTER_FREE)
>>> Calling "free(void *)" frees pointer "aliases" which has already been
>>> freed.
517 free(aliases);
518 errno = ENOSPC;
519 *he = NETDB_INTERNAL;
520 return NULL;
521 }
522
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
http://scan.coverity.com/projects/156?tab=Overview
To unsubscribe from the email notification for new defects,
http://scan5.coverity.com/cgi-bin/unsubscribe.py