Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-i386-user
Hi,
Please find the latest report on the new defect(s) that Coverity Scan found in
NetBSD-i386-user.
Defect(s) Reported-by: Coverity Scan
Showing 20 of 48 defect(s)
** CID 1006589: Time of check time of use (TOCTOU)
/usr.bin/sed/main.c: 443 in mf_fgets()
** CID 1006930: Resource leak (RESOURCE_LEAK)
/usr.bin/sed/main.c: 430 in mf_fgets()
** CID 1008159: Missing break in switch (MISSING_BREAK)
/usr.sbin/services_mkdb/uniq.c: 99 in uniq()
** CID 1008179: Missing break in switch (MISSING_BREAK)
/usr.sbin/btpand/btpand.c: 217 in main()
** CID 1008187: Missing break in switch (MISSING_BREAK)
/usr.bin/rpcgen/rpc_main.c: 395 in open_input()
** CID 1084311: Unchecked return value (CHECKED_RETURN)
/external/zlib/pigz/dist/pigz.c: 2784 in cat()
** CID 1084312: Explicit null dereferenced (FORWARD_NULL)
/external/zlib/pigz/dist/zopfli/squeeze.c: 439 in LZ77OptimalRun()
** CID 1084314: Resource leak (RESOURCE_LEAK)
/external/zlib/pigz/dist/zopfli/deflate.c: 183 in AddDynamicTree()
/external/zlib/pigz/dist/zopfli/deflate.c: 183 in AddDynamicTree()
/external/zlib/pigz/dist/zopfli/deflate.c: 183 in AddDynamicTree()
** CID 1084315: Resource leak (RESOURCE_LEAK)
/external/zlib/pigz/dist/zopfli/deflate.c: 184 in AddDynamicTree()
/external/zlib/pigz/dist/zopfli/deflate.c: 184 in AddDynamicTree()
** CID 1193395: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 681 in
emit_mov()
** CID 1193398: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 1217 in
emit_clz()
** CID 1223334: Operands don't affect result (CONSTANT_EXPRESSION_RESULT)
/sys/fs/tmpfs/tmpfs_vfsops.c: 143 in tmpfs_mount()
** CID 1223335: Logically dead code (DEADCODE)
/sys/fs/tmpfs/tmpfs_vfsops.c: 144 in tmpfs_mount()
** CID 1223341: Explicit null dereferenced (FORWARD_NULL)
/sys/net/if_loop.c: 342 in looutput()
** CID 1223345: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
/sys/fs/cd9660/cd9660_vfsops.c: 788 in cd9660_loadvnode()
** CID 1223346: Dereference before null check (REVERSE_INULL)
/sys/fs/cd9660/cd9660_vfsops.c: 749 in cd9660_loadvnode()
/sys/fs/cd9660/cd9660_vfsops.c: 803 in cd9660_loadvnode()
** CID 1223359: Unchecked return value (CHECKED_RETURN)
/external/bsd/libarchive/dist/libarchive/archive_write_disk.c: 1262 in
_archive_write_close()
** CID 1223360: Unchecked return value (CHECKED_RETURN)
/external/public-domain/sqlite/dist/sqlite3.c: 25719 in dotlockLock()
** CID 1223361: Unchecked return value (CHECKED_RETURN)
/usr.bin/sed/main.c: 433 in mf_fgets()
** CID 1223362: Logically dead code (DEADCODE)
/external/bsd/dhcpcd/dist/dhcp.c: 969 in make_message()
________________________________________________________________________________________________________
*** CID 1006589: Time of check time of use (TOCTOU)
/usr.bin/sed/main.c: 443 in mf_fgets()
437 resetstate();
438 }
439 } else {
440 outfile = stdout;
441 outfname = "stdout";
442 }
>>> CID 1006589: Time of check time of use (TOCTOU)
>>> Calling function "fopen(char const *, char const *)" that uses "fname"
>>> after a check function. This can cause a time-of-check, time-of-use race
>>> condition.
443 if ((infile = fopen(fname, "r")) == NULL) {
444 warn("%s", fname);
445 rval = 1;
446 continue;
447 }
448 }
________________________________________________________________________________________________________
*** CID 1006930: Resource leak (RESOURCE_LEAK)
/usr.bin/sed/main.c: 430 in mf_fgets()
424 len = (size_t)snprintf(tmpfname,
sizeof(tmpfname),
425 "%s/.!%ld!%s", dirname(d_name),
(long)getpid(),
426 basename(f_name));
427 if (len >= sizeof(tmpfname))
428 errx(1, "%s: name too long", fname);
429 unlink(tmpfname);
>>> CID 1006930: Resource leak (RESOURCE_LEAK)
>>> Overwriting "outfile" in "outfile = fopen(tmpfname, "w")" leaks the
>>> storage that "outfile" points to.
430 if ((outfile = fopen(tmpfname, "w")) == NULL)
431 err(1, "%s", fname);
432 fchown(fileno(outfile), sb.st_uid, sb.st_gid);
433 fchmod(fileno(outfile), sb.st_mode & ALLPERMS);
434 outfname = tmpfname;
435 if (!ispan) {
________________________________________________________________________________________________________
*** CID 1008159: Missing break in switch (MISSING_BREAK)
/usr.sbin/services_mkdb/uniq.c: 99 in uniq()
93 line);
94 break;
95 case 1:
96 break;
97 case -1:
98 err(1, "put");
>>> CID 1008159: Missing break in switch (MISSING_BREAK)
>>> The above case falls through to this one.
99 default:
100 abort();
101 break;
102 }
103 }
104 (void)fflush(stdout);
________________________________________________________________________________________________________
*** CID 1008179: Missing break in switch (MISSING_BREAK)
/usr.sbin/btpand/btpand.c: 217 in main()
211 * setup is finished so we can return an error if necessary.
212 */
213 switch(fork()) {
214 case -1: /* bad */
215 err(EXIT_FAILURE, "fork() failed");
216
>>> CID 1008179: Missing break in switch (MISSING_BREAK)
>>> The above case falls through to this one.
217 case 0: /* child */
218 openlog(getprogname(), LOG_NDELAY | LOG_PERROR |
LOG_PID, LOG_DAEMON);
219
220 channel_init();
221 event_init();
222 server_init();
________________________________________________________________________________________________________
*** CID 1008187: Missing break in switch (MISSING_BREAK)
/usr.bin/rpcgen/rpc_main.c: 395 in open_input()
389 addarg(NULL);
390 (void) close(1);
391 (void) dup2(pd[1], 1);
392 (void) close(pd[0]);
393 execvp(arglist[0], __UNCONST(arglist));
394 err(1, "$RPCGEN_CPP: %s", CPP);
>>> CID 1008187: Missing break in switch (MISSING_BREAK)
>>> The above case falls through to this one.
395 case -1:
396 err(1, "fork");
397 }
398 (void) close(pd[1]);
399 fin = fdopen(pd[0], "r");
400 #endif
________________________________________________________________________________________________________
*** CID 1084311: Unchecked return value (CHECKED_RETURN)
/external/zlib/pigz/dist/pigz.c: 2784 in cat()
2778 bytes of input, then g.in_left is non-zero and g.in_next is
pointing to
2779 the second magic byte) */
2780 while (g.in_left) {
2781 writen(g.outd, g.in_next, g.in_left);
2782 g.out_tot += g.in_left;
2783 g.in_left = 0;
>>> CID 1084311: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "load()".
2784 load();
2785 }
2786 }
2787
2788 /* --- decompress deflate input --- */
2789
________________________________________________________________________________________________________
*** CID 1084312: Explicit null dereferenced (FORWARD_NULL)
/external/zlib/pigz/dist/zopfli/squeeze.c: 439 in LZ77OptimalRun()
433 unsigned short** path, size_t* pathsize,
434 unsigned short* length_array, CostModelFun* costmodel,
435 void* costcontext, ZopfliLZ77Store* store) {
436 double cost = GetBestLengths(
437 s, in, instart, inend, costmodel, costcontext, length_array);
438 free(*path);
>>> CID 1084312: Explicit null dereferenced (FORWARD_NULL)
>>> Assigning: "*path" = "NULL".
439 *path = 0;
440 *pathsize = 0;
441 TraceBackwards(inend - instart, length_array, path, pathsize);
442 FollowPath(s, in, instart, inend, *path, *pathsize, store);
443 assert(cost < ZOPFLI_LARGE_FLOAT);
444 return cost;
________________________________________________________________________________________________________
*** CID 1084314: Resource leak (RESOURCE_LEAK)
/external/zlib/pigz/dist/zopfli/deflate.c: 183 in AddDynamicTree()
177 repeat--;
178 }
179 }
180
181 i += count - 1;
182 } else {
>>> CID 1084314: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle" in "rle = ((rle_size == 0U) ? malloc(4U) :
>>> realloc(rle, rle_size * 2U * 4U))" leaks the storage that "rle" points to.
183 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
184 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
185 }
186 assert(rle[rle_size - 1] <= 18);
187 }
188
/external/zlib/pigz/dist/zopfli/deflate.c: 183 in AddDynamicTree()
177 repeat--;
178 }
179 }
180
181 i += count - 1;
182 } else {
>>> CID 1084314: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle" in "rle = ((rle_size == 0U) ? malloc(4U) :
>>> realloc(rle, rle_size * 2U * 4U))" leaks the storage that "rle" points to.
183 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
184 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
185 }
186 assert(rle[rle_size - 1] <= 18);
187 }
188
/external/zlib/pigz/dist/zopfli/deflate.c: 183 in AddDynamicTree()
177 repeat--;
178 }
179 }
180
181 i += count - 1;
182 } else {
>>> CID 1084314: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle" in "rle = ((rle_size == 0U) ? malloc(4U) :
>>> realloc(rle, rle_size * 2U * 4U))" leaks the storage that "rle" points to.
183 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
184 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
185 }
186 assert(rle[rle_size - 1] <= 18);
187 }
188
________________________________________________________________________________________________________
*** CID 1084315: Resource leak (RESOURCE_LEAK)
/external/zlib/pigz/dist/zopfli/deflate.c: 184 in AddDynamicTree()
178 }
179 }
180
181 i += count - 1;
182 } else {
183 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
>>> CID 1084315: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle_bits" in "rle_bits = ((rle_bits_size == 0U) ?
>>> malloc(4U) : realloc(rle_bits, rle_bits_size * 2U * 4U))" leaks the storage
>>> that "rle_bits" points to.
184 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
185 }
186 assert(rle[rle_size - 1] <= 18);
187 }
188
189 for (i = 0; i < 19; i++) {
/external/zlib/pigz/dist/zopfli/deflate.c: 184 in AddDynamicTree()
178 }
179 }
180
181 i += count - 1;
182 } else {
183 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
>>> CID 1084315: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle_bits" in "rle_bits = ((rle_bits_size == 0U) ?
>>> malloc(4U) : realloc(rle_bits, rle_bits_size * 2U * 4U))" leaks the storage
>>> that "rle_bits" points to.
184 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
185 }
186 assert(rle[rle_size - 1] <= 18);
187 }
188
189 for (i = 0; i < 19; i++) {
________________________________________________________________________________________________________
*** CID 1193395: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 681 in
emit_mov()
675 *inst = MOV_rm_r;
676 return SLJIT_SUCCESS;
677 }
678 if (src & SLJIT_IMM) {
679 if (FAST_IS_REG(dst)) {
680 #if (defined SLJIT_CONFIG_X86_32 && SLJIT_CONFIG_X86_32)
>>> CID 1193395: Out-of-bounds read (OVERRUN)
>>> Overrunning array "reg_map" of 13 bytes at byte offset 63 using index
>>> "dst" (which evaluates to 63).
681 return emit_do_imm(compiler, MOV_r_i32 +
reg_map[dst], srcw);
682 #else
683 if (!compiler->mode32) {
684 if (NOT_HALFWORD(srcw))
685 return
emit_load_imm64(compiler, dst, srcw);
686 }
________________________________________________________________________________________________________
*** CID 1193398: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 1217 in
emit_clz()
1211 FAIL_IF(!inst);
1212 INC_SIZE(4);
1213
1214 *inst++ = JE_i8;
1215 *inst++ = 2;
1216 *inst++ = MOV_r_rm;
>>> CID 1193398: Out-of-bounds read (OVERRUN)
>>> Overrunning array "reg_map" of 13 bytes at byte offset 63 using index
>>> "dst_r" (which evaluates to 63).
1217 *inst++ = MOD_REG | (reg_map[dst_r] << 3) |
reg_map[TMP_REG1];
1218 #else
1219 inst = (sljit_ub*)ensure_buf(compiler, 1 + 5);
1220 FAIL_IF(!inst);
1221 INC_SIZE(5);
1222
________________________________________________________________________________________________________
*** CID 1223334: Operands don't affect result (CONSTANT_EXPRESSION_RESULT)
/sys/fs/tmpfs/tmpfs_vfsops.c: 143 in tmpfs_mount()
137
138 /* Check for invalid uid and gid arguments */
139 if (args->ta_root_uid == VNOVAL || args->ta_root_gid == VNOVAL)
140 return EINVAL;
141
142 /* This can never happen? */
>>> CID 1223334: Operands don't affect result (CONSTANT_EXPRESSION_RESULT)
>>> "(args->ta_root_mode & (4095U /* ((((0x800 | 0x400) | 0x200) | 0x1c0) |
>>> 0x38) | 7 */)) == -1" is always false regardless of the values of its
>>> operands. This occurs as the logical operand of if.
143 if ((args->ta_root_mode & ALLPERMS) == VNOVAL)
144 return EINVAL;
145
146 /* Get the memory usage limit for this file-system. */
147 if (args->ta_size_max < PAGE_SIZE) {
148 memlimit = UINT64_MAX;
________________________________________________________________________________________________________
*** CID 1223335: Logically dead code (DEADCODE)
/sys/fs/tmpfs/tmpfs_vfsops.c: 144 in tmpfs_mount()
138 /* Check for invalid uid and gid arguments */
139 if (args->ta_root_uid == VNOVAL || args->ta_root_gid == VNOVAL)
140 return EINVAL;
141
142 /* This can never happen? */
143 if ((args->ta_root_mode & ALLPERMS) == VNOVAL)
>>> CID 1223335: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "return 22;".
144 return EINVAL;
145
146 /* Get the memory usage limit for this file-system. */
147 if (args->ta_size_max < PAGE_SIZE) {
148 memlimit = UINT64_MAX;
149 } else {
________________________________________________________________________________________________________
*** CID 1223341: Explicit null dereferenced (FORWARD_NULL)
/sys/net/if_loop.c: 342 in looutput()
336 m_freem(m);
337 error = ENOBUFS;
338 }
339 splx(s);
340 return error;
341 }
>>> CID 1223341: Explicit null dereferenced (FORWARD_NULL)
>>> Dereferencing null pointer "ifq".
342 if (IF_QFULL(ifq)) {
343 IF_DROP(ifq);
344 m_freem(m);
345 splx(s);
346 return (ENOBUFS);
347 }
________________________________________________________________________________________________________
*** CID 1223345: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
/sys/fs/cd9660/cd9660_vfsops.c: 788 in cd9660_loadvnode()
782 switch (imp->iso_ftype) {
783 default: /* ISO_FTYPE_9660 */
784 {
785 struct buf *bp2;
786 if ((imp->im_flags & ISOFSMNT_EXTATT)
787 && (off = isonum_711(isodir->ext_attr_length)))
>>> CID 1223345: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "off << imp->im_bshift" with type
>>> "int" (32 bits, signed) is evaluated using 32-bit arithmetic before being
>>> used in a context which expects an expression of type "__off_t" (64 bits,
>>> signed). To avoid overflow, cast the left operand to "__off_t" before
>>> performing the left shift.
788 cd9660_blkatoff(vp, (off_t)-(off <<
imp->im_bshift),
789 NULL, &bp2);
790 else
791 bp2 = NULL;
792 cd9660_defattr(isodir, ip, bp2);
793 cd9660_deftstamp(isodir, ip, bp2);
________________________________________________________________________________________________________
*** CID 1223346: Dereference before null check (REVERSE_INULL)
/sys/fs/cd9660/cd9660_vfsops.c: 749 in cd9660_loadvnode()
743 return (error);
744 }
745 isodir = (struct iso_directory_record *)((char *)bp->b_data +
off);
746
747 if (off + isonum_711(isodir->length) > imp->logical_block_size)
{
748 pool_put(&cd9660_node_pool, ip);
>>> CID 1223346: Dereference before null check (REVERSE_INULL)
>>> Null-checking "bp" suggests that it may be null, but it has already
>>> been dereferenced on all paths leading to the check.
749 if (bp != 0)
750 brelse(bp, 0);
751 printf("fhtovp: directory crosses block boundary
%d[off=%d/len=%d]\n",
752 off +isonum_711(isodir->length), off,
753 isonum_711(isodir->length));
754 return (ESTALE);
/sys/fs/cd9660/cd9660_vfsops.c: 803 in cd9660_loadvnode()
797 }
798 case ISO_FTYPE_RRIP:
799 cd9660_rrip_analyze(isodir, ip, imp);
800 break;
801 }
802
>>> CID 1223346: Dereference before null check (REVERSE_INULL)
>>> Null-checking "bp" suggests that it may be null, but it has already
>>> been dereferenced on all paths leading to the check.
803 if (bp != 0)
804 brelse(bp, 0);
805
806 /*
807 * Initialize the associated vnode
808 */
________________________________________________________________________________________________________
*** CID 1223359: Unchecked return value (CHECKED_RETURN)
/external/bsd/libarchive/dist/libarchive/archive_write_disk.c: 1262 in
_archive_write_close()
1256 #ifdef HAVE_STRUCT_STAT_ST_BIRTHTIME
1257 /* if it's valid and not mtime, push the
birthtime first */
1258 if (((times[1].tv_sec = p->birthtime) <
p->mtime) &&
1259 (p->birthtime > 0))
1260 {
1261 times[1].tv_usec = p->birthtime_nanos /
1000;
>>> CID 1223359: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "utimes(p->name, times)".
1262 utimes(p->name, times);
1263 }
1264 #endif
1265 times[1].tv_sec = p->mtime;
1266 times[1].tv_usec = p->mtime_nanos / 1000;
1267 #ifdef HAVE_LUTIMES
________________________________________________________________________________________________________
*** CID 1223360: Unchecked return value (CHECKED_RETURN)
/external/public-domain/sqlite/dist/sqlite3.c: 25719 in dotlockLock()
25713 if( pFile->eFileLock > NO_LOCK ){
25714 pFile->eFileLock = eFileLock;
25715 /* Always update the timestamp on the old file */
25716 #ifdef HAVE_UTIME
25717 utime(zLockFile, NULL);
25718 #else
>>> CID 1223360: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "utimes(zLockFile, NULL)".
25719 utimes(zLockFile, NULL);
25720 #endif
25721 return SQLITE_OK;
25722 }
25723
25724 /* grab an exclusive lock */
________________________________________________________________________________________________________
*** CID 1223361: Unchecked return value (CHECKED_RETURN)
/usr.bin/sed/main.c: 433 in mf_fgets()
427 if (len >= sizeof(tmpfname))
428 errx(1, "%s: name too long", fname);
429 unlink(tmpfname);
430 if ((outfile = fopen(tmpfname, "w")) == NULL)
431 err(1, "%s", fname);
432 fchown(fileno(outfile), sb.st_uid, sb.st_gid);
>>> CID 1223361: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "fchmod(((outfile->_file == -1) ? -1 :
>>> (int)(unsigned short)outfile->_file), sb.st_mode & 0xfffU)".
433 fchmod(fileno(outfile), sb.st_mode & ALLPERMS);
434 outfname = tmpfname;
435 if (!ispan) {
436 linenum = 0;
437 resetstate();
438 }
________________________________________________________________________________________________________
*** CID 1223362: Logically dead code (DEADCODE)
/external/bsd/dhcpcd/dist/dhcp.c: 969 in make_message()
963 goto toobig;
964 *p++ = DHO_AUTHENTICATION;
965 *p++ = (uint8_t)auth_len;
966 auth = p;
967 p += auth_len;
968 } else if ((ssize_t)auth_len == -1)
>>> CID 1223362: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "syslog(3, "%s: dhcp_auth_en...".
969 syslog(LOG_ERR, "%s: dhcp_auth_encode: %m",
970 iface->name);
971 }
972
973 *p++ = DHO_END;
974
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
http://scan.coverity.com/projects/1448?tab=overview
To unsubscribe from the email notification for new defects,
http://scan5.coverity.com/cgi-bin/unsubscribe.py