Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-amd64-user
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
19 new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
25 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 19 of 19 defect(s)
** CID 980057: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/sys/net/if_pppoe.c: 952 in pppoe_ioctl()
________________________________________________________________________________________________________
*** CID 980057: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/sys/net/if_pppoe.c: 952 in pppoe_ioctl()
946 break;
947 case PPPOEGETPARMS:
948 {
949 struct pppoediscparms *parms = (struct pppoediscparms*)data;
950 memset(parms, 0, sizeof *parms);
951 if (sc->sc_eth_if)
>>> CID 980057: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>> Calling strncpy with a maximum size argument of 16 bytes on destination array "parms->ifname" of size 16 bytes might leave the destination string unterminated.
952 strncpy(parms->ifname, sc->sc_eth_if->if_xname, IFNAMSIZ);
953 return 0;
954 }
955 break;
956 case PPPOEGETSESSION:
957 {
** CID 980058: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/sys/net/if_spppsubr.c: 5073 in sppp_params()
________________________________________________________________________________________________________
*** CID 980058: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/sys/net/if_spppsubr.c: 5073 in sppp_params()
5067 struct spppauthcfg *cfg = (struct spppauthcfg *)data;
5068 int error;
5069 size_t len;
5070
5071 cfg->myauthflags = sp->myauth.flags;
5072 cfg->hisauthflags = sp->hisauth.flags;
>>> CID 980058: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>> Calling strncpy with a maximum size argument of 16 bytes on destination array "cfg->ifname" of size 16 bytes might leave the destination string unterminated.
5073 strncpy(cfg->ifname, sp->pp_if.if_xname, IFNAMSIZ);
5074 cfg->hisauth = 0;
5075 if (sp->hisauth.proto)
5076 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP;
5077 cfg->myauth = 0;
5078 if (sp->myauth.proto)
** CID 980345: Control flow issues (MISSING_BREAK)
/sys/net/if_spppsubr.c: 5382 in sppp_auth_type_name()
________________________________________________________________________________________________________
*** CID 980345: Control flow issues (MISSING_BREAK)
/sys/net/if_spppsubr.c: 5382 in sppp_auth_type_name()
5376 switch (type) {
5377 case CHAP_CHALLENGE: return "challenge";
5378 case CHAP_RESPONSE: return "response";
5379 case CHAP_SUCCESS: return "success";
5380 case CHAP_FAILURE: return "failure";
5381 }
>>> CID 980345: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
5382 case PPP_PAP:
5383 switch (type) {
5384 case PAP_REQ: return "req";
5385 case PAP_ACK: return "ack";
5386 case PAP_NAK: return "nak";
5387 }
** CID 987984: Security best practices violations (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/xman/dist/misc.c: 562 in Format()
________________________________________________________________________________________________________
*** CID 987984: Security best practices violations (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/xman/dist/misc.c: 562 in Format()
556 XtWindow(man_globals->standby),
557 Expose, &event));
558 XtDispatchEvent(&event);
559 XFlush(XtDisplay(man_globals->standby));
560
561 strcpy(tmp, MANTEMP); /* Get a temp file. */
>>> CID 987984: Security best practices violations (SECURE_TEMP)
>>> Calling "mkstemp" without securely setting umask first.
562 fd = mkstemp(tmp);
563 if (fd >= 0) {
564 file = fdopen(fd, "r");
565 if (file == NULL) {
566 remove(tmp);
567 close(fd);
** CID 987985: Security best practices violations (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/xman/dist/misc.c: 395 in UncompressNamed()
________________________________________________________________________________________________________
*** CID 987985: Security best practices violations (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/xman/dist/misc.c: 395 in UncompressNamed()
389 /*
390 * Using stdin is necessary to fool zcat since we cannot guarantee
391 * the .Z extension.
392 */
393
394 strcpy(tmp, MANTEMP); /* get a temp file. */
>>> CID 987985: Security best practices violations (SECURE_TEMP)
>>> Calling "mkstemp" without securely setting umask first.
395 fd = mkstemp(tmp);
396 if (fd < 0) {
397 PopupWarning(man_globals, "Error creating a temp file");
398 return FALSE;
399 }
400 *output_file = fdopen(fd, "r");
** CID 987986: Security best practices violations (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/xman/dist/search.c: 183 in DoSearch()
________________________________________________________________________________________________________
*** CID 987986: Security best practices violations (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/xman/dist/search.c: 183 in DoSearch()
177 }
178
179 if (type == APROPOS) {
180 char label[BUFSIZ];
181
182 strcpy(tmp, MANTEMP); /* get a temp file. */
>>> CID 987986: Security best practices violations (SECURE_TEMP)
>>> Calling "mkstemp" without securely setting umask first.
183 fd = mkstemp(tmp);
184 if (fd < 0) {
185 PopupWarning(man_globals, "Cant create temp file");
186 return NULL;
187 }
188 mantmp = tmp;
** CID 1210544: Insecure data handling (TAINTED_SCALAR)
/sys/net/if_spppsubr.c: 2925 in sppp_ipcp_RCR()
________________________________________________________________________________________________________
*** CID 1210544: Insecure data handling (TAINTED_SCALAR)
/sys/net/if_spppsubr.c: 2925 in sppp_ipcp_RCR()
2919 p[3] = hisaddr >> 16;
2920 p[4] = hisaddr >> 8;
2921 p[5] = hisaddr;
2922 break;
2923 }
2924 /* Add the option to nak'ed list. */
>>> CID 1210544: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "p[1]" to a tainted sink.
2925 bcopy (p, r, p[1]);
2926 r += p[1];
2927 rlen += p[1];
2928 }
2929
2930 /*
** CID 1299086: Control flow issues (DEADCODE)
/sys/net/if_spppsubr.c: 623 in sppp_input()
________________________________________________________________________________________________________
*** CID 1299086: Control flow issues (DEADCODE)
/sys/net/if_spppsubr.c: 623 in sppp_input()
617 if (__predict_false(!pktq_enqueue(pktq, m, 0))) {
618 goto drop;
619 }
620 return;
621 }
622
>>> CID 1299086: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "s = splvm();".
623 s = splnet();
624 if (IF_QFULL(inq)) {
625 /* Queue overflow. */
626 IF_DROP(inq);
627 splx(s);
628 if (debug)
** CID 1299246: (UNUSED_VALUE)
/sys/net/if_spppsubr.c: 779 in sppp_output()
/sys/net/if_spppsubr.c: 799 in sppp_output()
________________________________________________________________________________________________________
*** CID 1299246: (UNUSED_VALUE)
/sys/net/if_spppsubr.c: 779 in sppp_output()
773 * below, we will however remember that we are
774 * not ready to carry IP packets, and return
775 * ENETDOWN, as opposed to ENOBUFS.
776 */
777 protocol = htons(PPP_IP);
778 if (sp->state[IDX_IPCP] != STATE_OPENED)
>>> CID 1299246: (UNUSED_VALUE)
>>> Assigning value "50" to "error" here, but that stored value is overwritten before it can be used.
779 error = ENETDOWN;
780 }
781 break;
782 #endif
783 #ifdef INET6
784 case AF_INET6: /* Internet Protocol version 6 */
/sys/net/if_spppsubr.c: 799 in sppp_output()
793 * below, we will however remember that we are
794 * not ready to carry IP packets, and return
795 * ENETDOWN, as opposed to ENOBUFS.
796 */
797 protocol = htons(PPP_IPV6);
798 if (sp->state[IDX_IPV6CP] != STATE_OPENED)
>>> CID 1299246: (UNUSED_VALUE)
>>> Assigning value "50" to "error" here, but that stored value is overwritten before it can be used.
799 error = ENETDOWN;
800 }
801 break;
802 #endif
803 default:
804 m_freem(m);
** CID 1358673: Control flow issues (DEADCODE)
/sys/net/if_bridge.c: 1788 in bridge_input()
________________________________________________________________________________________________________
*** CID 1358673: Control flow issues (DEADCODE)
/sys/net/if_bridge.c: 1788 in bridge_input()
1782 BRIDGE_IFLIST_READER_FOREACH(_bif, sc) {
1783 /* It is destined for us. */
1784 if (bridge_ourether(_bif, eh, 0)) {
1785 bridge_acquire_member(sc, _bif, &_psref);
1786 BRIDGE_PSZ_REXIT(s);
1787 if (_bif == NULL)
>>> CID 1358673: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "goto out;".
1788 goto out;
1789 if (_bif->bif_flags & IFBIF_LEARNING)
1790 (void) bridge_rtupdate(sc,
1791 eh->ether_shost, ifp, 0, IFBAF_DYNAMIC);
1792 _ifp = m->m_pkthdr.rcvif = _bif->bif_ifp;
1793 bridge_release_member(sc, _bif, &_psref);
** CID 1358674: Control flow issues (DEADCODE)
/lib/libedit/keymacro.c: 595 in keymacro_kprint()
________________________________________________________________________________________________________
*** CID 1358674: Control flow issues (DEADCODE)
/lib/libedit/keymacro.c: 595 in keymacro_kprint()
589 char unparsbuf[EL_BUFSIZ];
590 static const char fmt[] = "%-15s-> %s\n";
591
592 if (val != NULL)
593 switch (ntype) {
594 case XK_STR:
>>> CID 1358674: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression ""[]"" inside this statement: "(void)keymacro__decode_str(...".
595 (void) keymacro__decode_str(val->str, unparsbuf,
596 sizeof(unparsbuf),
597 ntype == XK_STR ? "\"\"" : "[]");
598 (void) fprintf(el->el_outfile, fmt,
599 ct_encode_string(key, &el->el_scratch), unparsbuf);
600 break;
** CID 1358675: (DEADCODE)
/usr.sbin/makemandb/apropos-utils.c: 340 in init_db()
/usr.sbin/makemandb/apropos-utils.c: 341 in init_db()
________________________________________________________________________________________________________
*** CID 1358675: (DEADCODE)
/usr.sbin/makemandb/apropos-utils.c: 340 in init_db()
334 /*
335 * Database exists. Check if we have the permissions
336 * to read/write the files
337 */
338 int access_mode = R_OK;
339 switch (access_mode) {
>>> CID 1358675: (DEADCODE)
>>> Execution cannot reach this statement: "case MANDB_CREATE:".
340 case MANDB_CREATE:
341 case MANDB_WRITE:
342 access_mode |= W_OK;
343 break;
344 default:
345 break;
/usr.sbin/makemandb/apropos-utils.c: 341 in init_db()
335 * Database exists. Check if we have the permissions
336 * to read/write the files
337 */
338 int access_mode = R_OK;
339 switch (access_mode) {
340 case MANDB_CREATE:
>>> CID 1358675: (DEADCODE)
>>> Execution cannot reach this statement: "case MANDB_WRITE:".
341 case MANDB_WRITE:
342 access_mode |= W_OK;
343 break;
344 default:
345 break;
346 }
** CID 1358676: Null pointer dereferences (FORWARD_NULL)
/external/bsd/dhcpcd/dist/dhcp-common.c: 215 in make_option_mask()
________________________________________________________________________________________________________
*** CID 1358676: Null pointer dereferences (FORWARD_NULL)
/external/bsd/dhcpcd/dist/dhcp-common.c: 215 in make_option_mask()
209 if (*token == '\0')
210 continue;
211 match = 0;
212 for (i = 0, opt = odopts; i < odopts_len; i++, opt++) {
213 if (opt->var == NULL && opt->option == 0)
214 continue; /* buggy dhcpcd-definitions.conf */
>>> CID 1358676: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "opt->var" to "strcmp", which dereferences it.
215 if (strcmp(opt->var, token) == 0)
216 match = 1;
217 else {
218 n = (unsigned int)strtou(token, NULL, 0,
219 0, UINT_MAX, &e);
220 if (e == 0 && opt->option == n)
** CID 1358677: Integer handling issues (NEGATIVE_RETURNS)
/external/bsd/dhcpcd/dist/eloop.c: 793 in eloop_new()
________________________________________________________________________________________________________
*** CID 1358677: Integer handling issues (NEGATIVE_RETURNS)
/external/bsd/dhcpcd/dist/eloop.c: 793 in eloop_new()
787 eloop->events_maxfd = -1;
788 TAILQ_INIT(&eloop->free_events);
789 TAILQ_INIT(&eloop->timeouts);
790 TAILQ_INIT(&eloop->free_timeouts);
791 eloop->exitcode = EXIT_FAILURE;
792 #if defined(HAVE_KQUEUE) || defined(HAVE_EPOLL)
>>> CID 1358677: Integer handling issues (NEGATIVE_RETURNS)
>>> Assigning: "eloop->poll_fd" = a negative value.
793 eloop->poll_fd = -1;
794 if (eloop_open(eloop) == -1) {
795 eloop_free(eloop);
796 return NULL;
797 }
798 #endif
** CID 1358678: Error handling issues (NEGATIVE_RETURNS)
/home/phil/cov/xsrc/external/mit/xrdb/dist/xrdb.c: 1228 in Process()
________________________________________________________________________________________________________
*** CID 1358678: Error handling issues (NEGATIVE_RETURNS)
/home/phil/cov/xsrc/external/mit/xrdb/dist/xrdb.c: 1228 in Process()
1222 #ifndef HAVE_MKSTEMP
1223 (void) mktemp(template);
1224 output = fopen(template, "w");
1225 #else
1226 {
1227 int fd = mkstemp(template);
>>> CID 1358678: Error handling issues (NEGATIVE_RETURNS)
>>> "fd" is passed to a parameter that cannot be negative.
1228 output = fdopen(fd, "w");
1229 }
1230 #endif
1231 if (!output)
1232 fatal("%s: can't open temporary file '%s'\n", ProgramName, template);
1233 GetEntriesString(&newDB, xdefs);
** CID 1358679: Resource leaks (RESOURCE_LEAK)
/libexec/httpd/cgi-bozo.c: 341 in parse_search_string()
________________________________________________________________________________________________________
*** CID 1358679: Resource leaks (RESOURCE_LEAK)
/libexec/httpd/cgi-bozo.c: 341 in parse_search_string()
335
336 free (*args);
337 free (str);
338 *args = NULL;
339 *args_len = 0;
340
>>> CID 1358679: Resource leaks (RESOURCE_LEAK)
>>> Variable "args" going out of scope leaks the storage it points to.
341 return 0;
342
343 }
344
345 void
346 bozo_cgi_setbin(bozohttpd_t *httpd, const char *path)
** CID 1358680: Security best practices violations (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/ctwm/dist/session.c: 862 in unique_file()
________________________________________________________________________________________________________
*** CID 1358680: Security best practices violations (SECURE_TEMP)
/home/phil/cov/xsrc/external/mit/ctwm/dist/session.c: 862 in unique_file()
856 strcpy(template, tmp);
857 if ((mktemp(template) == NULL) || (template[0] == '\0'))
858 return NULL;
859 fd = open(template, O_RDWR | O_CREAT | O_EXCL, 0600);
860 } while ((fd == -1) && (errno == EEXIST || errno == EINTR));
861 #else
>>> CID 1358680: Security best practices violations (SECURE_TEMP)
>>> Calling "mkstemp" without securely setting umask first.
862 if ((fd = mkstemp(tmp)) == -1)
863 return NULL;
864 #endif
865 if ((fp = fdopen(fd, "wb")) == NULL)
866 close(fd);
867 *filename = strdup(template);
** CID 1358681: Uninitialized variables (UNINIT)
/home/phil/cov/xsrc/external/mit/ctwm/dist/session.c: 867 in unique_file()
________________________________________________________________________________________________________
*** CID 1358681: Uninitialized variables (UNINIT)
/home/phil/cov/xsrc/external/mit/ctwm/dist/session.c: 867 in unique_file()
861 #else
862 if ((fd = mkstemp(tmp)) == -1)
863 return NULL;
864 #endif
865 if ((fp = fdopen(fd, "wb")) == NULL)
866 close(fd);
>>> CID 1358681: Uninitialized variables (UNINIT)
>>> Using uninitialized element of array "template" when calling "strdup". [Note: The source code implementation of the function has been overridden by a builtin model.]
867 *filename = strdup(template);
868 return fp;
869 }
870
871 /*===[ SAVE WINDOW INFORMATION ]=============================================*/
872
** CID 1358682: Error handling issues (CHECKED_RETURN)
/lib/libedit/chartype.c: 137 in ct_decode_string()
________________________________________________________________________________________________________
*** CID 1358682: Error handling issues (CHECKED_RETURN)
/lib/libedit/chartype.c: 137 in ct_decode_string()
131 return NULL;
132
133 if (conv->wsize < ++len)
134 if (ct_conv_wbuff_resize(conv, len + CT_BUFSIZ) == -1)
135 return NULL;
136
>>> CID 1358682: Error handling issues (CHECKED_RETURN)
>>> Calling "mbstowcs" without checking return value (as is done elsewhere 12 out of 15 times).
137 mbstowcs(conv->wbuff, s, conv->wsize);
138 return conv->wbuff;
139 }
140
141
142 protected wchar_t **
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-amd64-user?tab=overview