Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-i386-user



Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
5 new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)
** CID 1257495: Out-of-bounds write (OVERRUN)
/sbin/ifconfig/parse.c: 257 in parse_linkaddr()
** CID 1257496: Out-of-bounds access (OVERRUN)
/sbin/routed/if.c: 779 in ifinit()
** CID 1257498: Out-of-bounds access (OVERRUN)
/usr.bin/netstat/if.c: 984 in fetchifs()
** CID 1257497: Out-of-bounds access (OVERRUN)
/usr.bin/netstat/if.c: 193 in intpr_sysctl()
** CID 1257499: Untrusted value as argument (TAINTED_SCALAR)
/tests/net/if/ifconf.c: 127 in main()
________________________________________________________________________________________________________
*** CID 1257495: Out-of-bounds write (OVERRUN)
/sbin/ifconfig/parse.c: 257 in parse_linkaddr()
251 		if (*p == '\0') {
252 			dbg_warnx("%s.%d", __func__, __LINE__);
253 			if (state != LLADDR_S_ONE_OCTET &&
254 			 state != LLADDR_S_TWO_OCTETS)
255 				return -1;
256 			dbg_warnx("%s.%d", __func__, __LINE__);
>>> CID 1257495: Out-of-bounds write (OVERRUN)
>>> Overrunning array "sdl->sdl_addr.dl_data" of 12 bytes at byte offset 119 using index "i++" (which evaluates to 119).
257 			sdl->sdl_data[i++] = octet;
258 			sdl->sdl_len = offsetof(struct sockaddr_dl, sdl_data)
259 			 + i * sizeof(sdl->sdl_data[0]);
260 			sdl->sdl_alen = i;
261 			return 0;
262 		}
________________________________________________________________________________________________________
*** CID 1257496: Out-of-bounds access (OVERRUN)
/sbin/routed/if.c: 779 in ifinit()
773 #ifdef sgi
774 			ifs0.int_data.odrops = ifm.ifm_data.ifi_odrops;
775 #endif
776 			sdl = (const struct sockaddr_dl *)
777 				((struct if_msghdr *)ifam + 1);
778 			/* NUL-termination by memset, above. */
>>> CID 1257496: Out-of-bounds access (OVERRUN)
>>> Overrunning array "sdl->sdl_addr.dl_data" of 12 bytes by passing it to a function which accesses it at byte offset 78 using argument "(79U < sdl->sdl_addr.dl_nlen) ? 79U : sdl->sdl_addr.dl_nlen" (which evaluates to 79).
779 			memcpy(ifs0.int_name, sdl->sdl_data,
780 				MIN(sizeof(ifs0.int_name) - 1, sdl->sdl_nlen));
781 			continue;
782 		}
783 		if (ifam->ifam_type != RTM_NEWADDR) {
784 			logbad(1,"ifinit: out of sync");
________________________________________________________________________________________________________
*** CID 1257498: Out-of-bounds access (OVERRUN)
/usr.bin/netstat/if.c: 984 in fetchifs()
978 
979 			sdl = (struct sockaddr_dl *)rti_info[RTAX_IFP];
980 			if (sdl == NULL || sdl->sdl_family != AF_LINK)
981 				continue;
982 			bzero(name, sizeof(name));
983 			if (sdl->sdl_nlen >= IFNAMSIZ)
>>> CID 1257498: Out-of-bounds access (OVERRUN)
>>> Overrunning array "sdl->sdl_addr.dl_data" of 12 bytes by passing it to a function which accesses it at byte offset 14 using argument "15U".
984 				memcpy(name, sdl->sdl_data, IFNAMSIZ - 1);
985 			else if (sdl->sdl_nlen > 0) 
986 				memcpy(name, sdl->sdl_data, sdl->sdl_nlen);
987 
988 			if (interface != 0 && !strcmp(name, interface)) {
989 				strlcpy(ip_cur.ift_name, name,
________________________________________________________________________________________________________
*** CID 1257497: Out-of-bounds access (OVERRUN)
/usr.bin/netstat/if.c: 193 in intpr_sysctl()
187 			sdl = (struct sockaddr_dl *)rti_info[RTAX_IFP];
188 			if (sdl == NULL || sdl->sdl_family != AF_LINK) {
189 				continue;
190 			}
191 			bzero(name, sizeof(name));
192 			if (sdl->sdl_nlen >= IFNAMSIZ)
>>> CID 1257497: Out-of-bounds access (OVERRUN)
>>> Overrunning array "sdl->sdl_addr.dl_data" of 12 bytes by passing it to a function which accesses it at byte offset 14 using argument "15U".
193 				memcpy(name, sdl->sdl_data, IFNAMSIZ - 1);
194 			else if (sdl->sdl_nlen > 0) 
195 				memcpy(name, sdl->sdl_data, sdl->sdl_nlen);
196 
197 			if (interface != 0 && strcmp(name, interface) != 0)
198 				continue;
________________________________________________________________________________________________________
*** CID 1257499: Untrusted value as argument (TAINTED_SCALAR)
/tests/net/if/ifconf.c: 127 in main()
121 	if (strcmp(argv[1], "total") == 0) {
122 		show_number_of_entries();
123 	} else if (strcmp(argv[1], "list") == 0) {
124 		if (argc == 2)
125 			show_interfaces(0);
126 		else if (argc == 3)
>>> CID 1257499: Untrusted value as argument (TAINTED_SCALAR)
>>> Call to function "atoi(char const *)" with tainted argument "argv[2]" returns tainted data.
127 			show_interfaces(atoi(argv[2]));
128 		else
129 			help();
130 	} else
131 		help();
132 
133 	return EXIT_SUCCESS;
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit http://scan.coverity.com/projects/1448?tab=overview
To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click http://scan.coverity.com/subscriptions/edit?email=coverity-updates%40netbsd.org&token=487286ca1a9a4f4bd485d16f66b5e782 .

