Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-i386-kernel



Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.
22 new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.
42 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 22 defect(s)
** CID 1125822: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/xhci.c: 2400 in xhci_new_device()
________________________________________________________________________________________________________
*** CID 1125822: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/xhci.c: 2400 in xhci_new_device()
2394 				 dd->bMaxPacketSize);
2395 				dd->bMaxPacketSize = 9;
2396 			}
2397 			USETW(dev->ud_ep0desc.wMaxPacketSize,
2398 			 (1 << dd->bMaxPacketSize));
2399 		} else
>>> CID 1125822: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "dd->bMaxPacketSize >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
2400 			USETW(dev->ud_ep0desc.wMaxPacketSize,
2401 			 dd->bMaxPacketSize);
2402 		DPRINTFN(4, "bMaxPacketSize %u", dd->bMaxPacketSize, 0, 0, 0);
2403 		xhci_update_ep0_mps(sc, xs,
2404 		 UGETW(dev->ud_ep0desc.wMaxPacketSize));
2405 		err = usbd_reload_device_desc(dev);
** CID 1362401: Error handling issues (CHECKED_RETURN)
/sys/dev/pci/if_wm.c: 11441 in wm_smbustopci()
________________________________________________________________________________________________________
*** CID 1362401: Error handling issues (CHECKED_RETURN)
/sys/dev/pci/if_wm.c: 11441 in wm_smbustopci()
11435 	uint32_t fwsm, reg;
11436 
11437 	/* Gate automatic PHY configuration by hardware on non-managed 82579 */
11438 	wm_gate_hw_phy_config_ich8lan(sc, true);
11439 
11440 	/* Acquire semaphore */
>>> CID 1362401: Error handling issues (CHECKED_RETURN)
>>> Calling "wm_get_swfwhw_semaphore" without checking return value (as is done elsewhere 8 out of 10 times).
11441 	wm_get_swfwhw_semaphore(sc);
11442 
11443 	fwsm = CSR_READ(sc, WMREG_FWSM);
11444 	if (((fwsm & FWSM_FW_VALID) == 0)
11445 	 && ((wm_phy_resetisblocked(sc) == false))) {
11446 		if (sc->sc_type >= WM_T_PCH_LPT) {
** CID 1362402: Error handling issues (CHECKED_RETURN)
/sys/dev/usb/uaudio.c: 2734 in uaudio_chan_abort()
________________________________________________________________________________________________________
*** CID 1362402: Error handling issues (CHECKED_RETURN)
/sys/dev/usb/uaudio.c: 2734 in uaudio_chan_abort()
2728 
2729 	as = &sc->sc_alts[ch->altidx];
2730 	as->sc_busy = 0;
2731 	AUFMT_VALIDATE(as->aformat);
2732 	if (sc->sc_nullalt >= 0) {
2733 		DPRINTF("set null alt=%d\n", sc->sc_nullalt);
>>> CID 1362402: Error handling issues (CHECKED_RETURN)
>>> Calling "usbd_set_interface" without checking return value (as is done elsewhere 17 out of 19 times).
2734 		usbd_set_interface(as->ifaceh, sc->sc_nullalt);
2735 	}
2736 	pipe = ch->pipe;
2737 	if (pipe) {
2738 		usbd_abort_pipe(pipe);
2739 	}
** CID 1362403: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ohci.c: 2454 in ohci_roothub_ctrl()
________________________________________________________________________________________________________
*** CID 1362403: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ohci.c: 2454 in ohci_roothub_ctrl()
2448 
2449 		totlen = min(buflen, sizeof(hubd));
2450 		memcpy(&hubd, buf, totlen);
2451 
2452 		v = OREAD4(sc, OHCI_RH_DESCRIPTOR_A);
2453 		hubd.bNbrPorts = sc->sc_noport;
>>> CID 1362403: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "((v & 512) ? 2 : ((v & 256) ? 0 : 1)) >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
2454 		USETW(hubd.wHubCharacteristics,
2455 		 (v & OHCI_NPS ? UHD_PWR_NO_SWITCH :
2456 		 v & OHCI_PSM ? UHD_PWR_GANGED : UHD_PWR_INDIVIDUAL)
2457 		 /* XXX overcurrent */
2458 		 );
2459 		hubd.bPwrOn2PwrGood = OHCI_GET_POTPGT(v);
** CID 1362404: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 818 in usbd_set_interface()
________________________________________________________________________________________________________
*** CID 1362404: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 818 in usbd_set_interface()
812 		kmem_free(endpoints, nendpt * sizeof(struct usbd_endpoint));
813 	}
814 	KASSERT(iface->ui_idesc != NULL);
815 
816 	req.bmRequestType = UT_WRITE_INTERFACE;
817 	req.bRequest = UR_SET_INTERFACE;
>>> CID 1362404: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "iface->ui_idesc->bAlternateSetting >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
818 	USETW(req.wValue, iface->ui_idesc->bAlternateSetting);
819 	USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
820 	USETW(req.wLength, 0);
821 	return usbd_do_request(iface->ui_dev, &req, 0);
822 }
823 
** CID 1362405: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 819 in usbd_set_interface()
________________________________________________________________________________________________________
*** CID 1362405: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 819 in usbd_set_interface()
813 	}
814 	KASSERT(iface->ui_idesc != NULL);
815 
816 	req.bmRequestType = UT_WRITE_INTERFACE;
817 	req.bRequest = UR_SET_INTERFACE;
818 	USETW(req.wValue, iface->ui_idesc->bAlternateSetting);
>>> CID 1362405: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "iface->ui_idesc->bInterfaceNumber >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
819 	USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
820 	USETW(req.wLength, 0);
821 	return usbd_do_request(iface->ui_dev, &req, 0);
822 }
823 
824 int
** CID 1362406: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 695 in usbd_clear_endpoint_stall()
________________________________________________________________________________________________________
*** CID 1362406: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 695 in usbd_clear_endpoint_stall()
689 	 */
690 	pipe->up_methods->upm_cleartoggle(pipe);
691 
692 	req.bmRequestType = UT_WRITE_ENDPOINT;
693 	req.bRequest = UR_CLEAR_FEATURE;
694 	USETW(req.wValue, UF_ENDPOINT_HALT);
>>> CID 1362406: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "pipe->up_endpoint->ue_edesc->bEndpointAddress >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
695 	USETW(req.wIndex, pipe->up_endpoint->ue_edesc->bEndpointAddress);
696 	USETW(req.wLength, 0);
697 	err = usbd_do_request(dev, &req, 0);
698 #if 0
699 XXX should we do this?
700 	if (!err) {
** CID 1362407: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2922 in ehci_reset_sqtd_chain()
________________________________________________________________________________________________________
*** CID 1362407: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2922 in ehci_reset_sqtd_chain()
2916 		size_t pageoffs = EHCI_PAGE(curoffs);
2917 		for (size_t i = 0; i < pages; i++) {
2918 			paddr_t a = DMAADDR(dma,
2919 			 pageoffs + i * EHCI_PAGE_SIZE);
2920 			sqtd->qtd.qtd_buffer[i] = htole32(EHCI_PAGE(a));
2921 			/* Cast up to avoid compiler warnings */
>>> CID 1362407: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "(__uint64_t)a >> 32" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
2922 			sqtd->qtd.qtd_buffer_hi[i] = htole32((uint64_t)a >> 32);
2923 			DPRINTF(" buffer[%d/%d] 0x%08x 0x%08x", i, pages,
2924 			 le32toh(sqtd->qtd.qtd_buffer_hi[i]),
2925 			 le32toh(sqtd->qtd.qtd_buffer[i]));
2926 		}
2927 		/* First buffer pointer requires a page offset to start at */
** CID 1362408: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 720 in usbd_clear_endpoint_stall_task()
________________________________________________________________________________________________________
*** CID 1362408: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 720 in usbd_clear_endpoint_stall_task()
714 
715 	pipe->up_methods->upm_cleartoggle(pipe);
716 
717 	req.bmRequestType = UT_WRITE_ENDPOINT;
718 	req.bRequest = UR_CLEAR_FEATURE;
719 	USETW(req.wValue, UF_ENDPOINT_HALT);
>>> CID 1362408: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "pipe->up_endpoint->ue_edesc->bEndpointAddress >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
720 	USETW(req.wIndex, pipe->up_endpoint->ue_edesc->bEndpointAddress);
721 	USETW(req.wLength, 0);
722 	(void)usbd_do_request(dev, &req, 0);
723 }
724 
725 void
** CID 1362409: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 856 in usbd_get_interface()
________________________________________________________________________________________________________
*** CID 1362409: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 856 in usbd_get_interface()
850 {
851 	usb_device_request_t req;
852 
853 	req.bmRequestType = UT_READ_INTERFACE;
854 	req.bRequest = UR_GET_INTERFACE;
855 	USETW(req.wValue, 0);
>>> CID 1362409: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "iface->ui_idesc->bInterfaceNumber >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
856 	USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
857 	USETW(req.wLength, 1);
858 	return usbd_do_request(iface->ui_dev, &req, aiface);
859 }
860 
861 /*** Internal routines ***/
** CID 1362410: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2411 in ehci_roothub_ctrl()
________________________________________________________________________________________________________
*** CID 1362410: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2411 in ehci_roothub_ctrl()
2405 			return -1;
2406 		}
2407 		totlen = min(buflen, sizeof(hubd));
2408 		memcpy(&hubd, buf, totlen);
2409 		hubd.bNbrPorts = sc->sc_noport;
2410 		v = EOREAD4(sc, EHCI_HCSPARAMS);
>>> CID 1362410: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "2 | (bus_space_read_4(sc->iot, sc->ioh, 4) & 65536)" is always true regardless of the values of its operands. This occurs as the logical first operand of '?:'.
2411 		USETW(hubd.wHubCharacteristics,
2412 		 EHCI_HCS_PPC(v) ? UHD_PWR_INDIVIDUAL : UHD_PWR_NO_SWITCH |
2413 		 EHCI_HCS_P_INDICATOR(EREAD4(sc, EHCI_HCSPARAMS))
2414 			? UHD_PORT_IND : 0);
2415 		hubd.bPwrOn2PwrGood = 200; /* XXX can't find out? */
2416 		for (i = 0, l = sc->sc_noport; l > 0; i++, l -= 8, v >>= 8)
** CID 1362411: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2411 in ehci_roothub_ctrl()
________________________________________________________________________________________________________
*** CID 1362411: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/ehci.c: 2411 in ehci_roothub_ctrl()
2405 			return -1;
2406 		}
2407 		totlen = min(buflen, sizeof(hubd));
2408 		memcpy(&hubd, buf, totlen);
2409 		hubd.bNbrPorts = sc->sc_noport;
2410 		v = EOREAD4(sc, EHCI_HCSPARAMS);
>>> CID 1362411: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "((v & 16) ? 1 : ((2 | (bus_space_read_4(sc->iot, sc->ioh, 4) & 65536)) ? 128 : 0)) >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
2411 		USETW(hubd.wHubCharacteristics,
2412 		 EHCI_HCS_PPC(v) ? UHD_PWR_INDIVIDUAL : UHD_PWR_NO_SWITCH |
2413 		 EHCI_HCS_P_INDICATOR(EREAD4(sc, EHCI_HCSPARAMS))
2414 			? UHD_PORT_IND : 0);
2415 		hubd.bPwrOn2PwrGood = 200; /* XXX can't find out? */
2416 		for (i = 0, l = sc->sc_noport; l > 0; i++, l -= 8, v >>= 8)
** CID 1362412: Control flow issues (DEADCODE)
/sys/external/bsd/acpica/dist/utilities/utnonansi.c: 346 in AcpiUtStrtoul64()
________________________________________________________________________________________________________
*** CID 1362412: Control flow issues (DEADCODE)
/sys/external/bsd/acpica/dist/utilities/utnonansi.c: 346 in AcpiUtStrtoul64()
340 /* Any string left? Check that '0x' is not followed by white space. */
341 
342 if (!(*String) || isspace ((int) *String) || *String == '\t')
343 {
344 if (Base == ACPI_ANY_BASE)
345 {
>>> CID 1362412: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "goto ErrorExit;".
346 goto ErrorExit;
347 }
348 else
349 {
350 goto AllDone;
351 }
** CID 1362413: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/ohci.c: 3128 in ohci_device_intr_fini()
________________________________________________________________________________________________________
*** CID 1362413: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/ohci.c: 3128 in ohci_device_intr_fini()
3122 	OHCIHIST_FUNC(); OHCIHIST_CALLED();
3123 	DPRINTFN(8, "xfer %p nstd %d", xfer, ox->ox_nstd, 0, 0);
3124 
3125 	mutex_enter(&sc->sc_lock);
3126 	for (size_t i = 0; i < ox->ox_nstd; i++) {
3127 		ohci_soft_td_t *std = ox->ox_stds[i];
>>> CID 1362413: Null pointer dereferences (FORWARD_NULL)
>>> Comparing "std" to null implies that "std" might be null.
3128 		if (std != NULL)
3129 			break;
3130 		if (std != opipe->tail.td)
3131 			ohci_free_std_locked(sc, std);
3132 	}
3133 	mutex_exit(&sc->sc_lock);
** CID 1362414: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/usbroothub.c: 378 in roothub_ctrl_start()
________________________________________________________________________________________________________
*** CID 1362414: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/usbroothub.c: 378 in roothub_ctrl_start()
372 			/* Default to error */
373 			buflen = -1;
374 		}
375 		break;
376 	case C(UR_GET_DESCRIPTOR, UT_READ_CLASS_DEVICE):
377 		buflen = min(len, sizeof(usbroothub_hubd));
>>> CID 1362414: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "buf" to "memcpy", which dereferences it.
378 		memcpy(buf, &usbroothub_hubd, buflen);
379 		break;
380 	case C(UR_GET_INTERFACE, UT_READ_INTERFACE):
381 		/* Get Interface, 9.4.4 */
382 		if (len > 0) {
383 			uint8_t *out = buf;
** CID 1362415: Control flow issues (MISSING_BREAK)
/sys/dev/usb/usb.c: 776 in usbioctl()
________________________________________________________________________________________________________
*** CID 1362415: Control flow issues (MISSING_BREAK)
/sys/dev/usb/usb.c: 776 in usbioctl()
770 		if (ptr) {
771 			len = UGETW(ur->ucr_request.wLength);
772 			kmem_free(ptr, len);
773 		}
774 	}
775 
>>> CID 1362415: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
776 	case USB_DEVICEINFO:
777 	{
778 		struct usbd_device *dev;
779 		struct usb_device_info *di = (void *)data;
780 		int addr = di->udi_addr;
781 
** CID 1362416: Incorrect expression (SIZEOF_MISMATCH)
/sys/dev/usb/xhci.c: 2168 in xhci_allocx()
________________________________________________________________________________________________________
*** CID 1362416: Incorrect expression (SIZEOF_MISMATCH)
/sys/dev/usb/xhci.c: 2168 in xhci_allocx()
2162 	struct usbd_xfer *xfer;
2163 
2164 	XHCIHIST_FUNC(); XHCIHIST_CALLED();
2165 
2166 	xfer = pool_cache_get(sc->sc_xferpool, PR_NOWAIT);
2167 	if (xfer != NULL) {
>>> CID 1362416: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "xfer" of type "struct usbd_xfer *" and argument "512U" ("sizeof (struct xhci_xfer)") to function "memset" is suspicious because a multiple of "sizeof (struct usbd_xfer)" /*160*/ is expected.
2168 		memset(xfer, 0, sizeof(struct xhci_xfer));
2169 #ifdef DIAGNOSTIC
2170 		xfer->ux_state = XFER_BUSY;
2171 #endif
2172 	}
2173 
** CID 1362417: (TAINTED_SCALAR)
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
________________________________________________________________________________________________________
*** CID 1362417: (TAINTED_SCALAR)
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268 		if (rlen + l > blen) {
2269 			if (debug)
2270 				addlog(" [overflow]");
2271 			continue;
2272 		}
2273 		/* Add the option to nak'ed list. */
>>> CID 1362417: (TAINTED_SCALAR)
>>> Passing tainted variable "l" to a tainted sink.
2274 		memcpy(r, p, l);
2275 		r += l;
2276 		rlen += l;
2277 	}
2278 	if (rlen) {
2279 		if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268 		if (rlen + l > blen) {
2269 			if (debug)
2270 				addlog(" [overflow]");
2271 			continue;
2272 		}
2273 		/* Add the option to nak'ed list. */
>>> CID 1362417: (TAINTED_SCALAR)
>>> Passing tainted variable "l" to a tainted sink.
2274 		memcpy(r, p, l);
2275 		r += l;
2276 		rlen += l;
2277 	}
2278 	if (rlen) {
2279 		if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268 		if (rlen + l > blen) {
2269 			if (debug)
2270 				addlog(" [overflow]");
2271 			continue;
2272 		}
2273 		/* Add the option to nak'ed list. */
>>> CID 1362417: (TAINTED_SCALAR)
>>> Passing tainted variable "l" to a tainted sink.
2274 		memcpy(r, p, l);
2275 		r += l;
2276 		rlen += l;
2277 	}
2278 	if (rlen) {
2279 		if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268 		if (rlen + l > blen) {
2269 			if (debug)
2270 				addlog(" [overflow]");
2271 			continue;
2272 		}
2273 		/* Add the option to nak'ed list. */
>>> CID 1362417: (TAINTED_SCALAR)
>>> Passing tainted variable "l" to a tainted sink.
2274 		memcpy(r, p, l);
2275 		r += l;
2276 		rlen += l;
2277 	}
2278 	if (rlen) {
2279 		if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
** CID 1362418: (TAINTED_SCALAR)
/sys/dev/usb/ohci.c: 2709 in ohci_device_ctrl_start()
/sys/dev/usb/ohci.c: 2709 in ohci_device_ctrl_start()
________________________________________________________________________________________________________
*** CID 1362418: (TAINTED_SCALAR)
/sys/dev/usb/ohci.c: 2709 in ohci_device_ctrl_start()
2703 	if (sc->sc_dying)
2704 		return USBD_IOERROR;
2705 
2706 	KASSERT(xfer->ux_rqflags & URQ_REQUEST);
2707 
2708 	isread = req->bmRequestType & UT_READ;
>>> CID 1362418: (TAINTED_SCALAR)
>>> Assigning: "len" = "req->wLength[0] | (req->wLength[1] << 8)". Both are now tainted.
2709 	len = UGETW(req->wLength);
2710 
2711 	DPRINTF("xfer=%p len=%d, addr=%d, endpt=%d", xfer, len, dev->ud_addr,
2712 	 opipe->pipe.up_endpoint->ue_edesc->bEndpointAddress);
2713 	DPRINTF("type=0x%02x, request=0x%02x, wValue=0x%04x, wIndex=0x%04x",
2714 	 req->bmRequestType, req->bRequest, UGETW(req->wValue),
/sys/dev/usb/ohci.c: 2709 in ohci_device_ctrl_start()
2703 	if (sc->sc_dying)
2704 		return USBD_IOERROR;
2705 
2706 	KASSERT(xfer->ux_rqflags & URQ_REQUEST);
2707 
2708 	isread = req->bmRequestType & UT_READ;
>>> CID 1362418: (TAINTED_SCALAR)
>>> Assigning: "len" = "req->wLength[0] | (req->wLength[1] << 8)". Both are now tainted.
2709 	len = UGETW(req->wLength);
2710 
2711 	DPRINTF("xfer=%p len=%d, addr=%d, endpt=%d", xfer, len, dev->ud_addr,
2712 	 opipe->pipe.up_endpoint->ue_edesc->bEndpointAddress);
2713 	DPRINTF("type=0x%02x, request=0x%02x, wValue=0x%04x, wIndex=0x%04x",
2714 	 req->bmRequestType, req->bRequest, UGETW(req->wValue),
** CID 1362419: Insecure data handling (TAINTED_SCALAR)
/sys/dev/usb/ehci.c: 3534 in ehci_device_ctrl_start()
________________________________________________________________________________________________________
*** CID 1362419: Insecure data handling (TAINTED_SCALAR)
/sys/dev/usb/ehci.c: 3534 in ehci_device_ctrl_start()
3528 	KASSERT(xfer->ux_rqflags & URQ_REQUEST);
3529 
3530 	if (sc->sc_dying)
3531 		return USBD_IOERROR;
3532 
3533 	const int isread = req->bmRequestType & UT_READ;
>>> CID 1362419: Insecure data handling (TAINTED_SCALAR)
>>> Assigning: "len" = "req->wLength[0] | (req->wLength[1] << 8)". Both are now tainted.
3534 	const int len = UGETW(req->wLength);
3535 
3536 	DPRINTF("type=0x%02x, request=0x%02x, wValue=0x%04x, wIndex=0x%04x",
3537 	 req->bmRequestType, req->bRequest, UGETW(req->wValue),
3538 	 UGETW(req->wIndex));
3539 	DPRINTF("len=%d, addr=%d, endpt=%d", len, epipe->pipe.up_dev->ud_addr,
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-i386-kernel?tab=overview

