Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-i386-user



Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
58 new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
34 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 58 defect(s)
** CID 980287: Control flow issues (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 956 in ipf_send_icmp_err()
________________________________________________________________________________________________________
*** CID 980287: Control flow issues (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 956 in ipf_send_icmp_err()
950 		if (type == ICMP6_DST_UNREACH)
951 			code = icmptoicmp6unreach[code];
952 
953 		if (iclen + max_linkhdr + fin->fin_plen > avail) {
954 			MCLGET(m, M_DONTWAIT);
955 			if (m == NULL)
>>> CID 980287: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return -1;".
956 				return -1;
957 			if ((m->m_flags & M_EXT) == 0) {
958 				FREE_MB_T(m);
959 				return -1;
960 			}
961 			avail = MCLBYTES;
** CID 980288: Control flow issues (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 735 in ipf_send_reset()
________________________________________________________________________________________________________
*** CID 980288: Control flow issues (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 735 in ipf_send_reset()
729 #endif
730 	if (m == NULL)
731 		return -1;
732 	if (sizeof(*tcp2) + hlen > MHLEN) {
733 		MCLGET(m, M_DONTWAIT);
734 		if (m == NULL)
>>> CID 980288: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return -1;".
735 			return -1;
736 		if ((m->m_flags & M_EXT) == 0) {
737 			FREE_MB_T(m);
738 			return -1;
739 		}
740 	}
** CID 980289: Control flow issues (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_irc_pxy.c: 287 in ipf_p_irc_send()
________________________________________________________________________________________________________
*** CID 980289: Control flow issues (DEADCODE)
/sys/external/bsd/ipf/netinet/ip_irc_pxy.c: 287 in ipf_p_irc_send()
281 #endif
282 	if (dlen <= 0)
283 		return 0;
284 	COPYDATA(m, off, MIN(sizeof(ctcpbuf), dlen), ctcpbuf);
285 
286 	if (dlen <= 0)
>>> CID 980289: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return 0;".
287 		return 0;
288 	ctcpbuf[sizeof(ctcpbuf) - 1] = '\0';
289 	*newbuf = '\0';
290 
291 	irc = nat->nat_aps->aps_data;
292 	if (ipf_p_irc_complete(irc, ctcpbuf, dlen) == 0)
** CID 980360: Incorrect expression (NO_EFFECT)
/sys/external/bsd/ipf/netinet/ip_fil_compat.c: 2335 in friostat_4_1_0_to_current()
________________________________________________________________________________________________________
*** CID 980360: Incorrect expression (NO_EFFECT)
/sys/external/bsd/ipf/netinet/ip_fil_compat.c: 2335 in friostat_4_1_0_to_current()
2329 	fiop->f_ipf[1][0] = old->f_ipf[1][0];
2330 	fiop->f_ipf[1][1] = old->f_ipf[1][1];
2331 	fiop->f_acct[0][0] = old->f_acct[0][0];
2332 	fiop->f_acct[0][1] = old->f_acct[0][1];
2333 	fiop->f_acct[1][0] = old->f_acct[1][0];
2334 	fiop->f_acct[1][1] = old->f_acct[1][1];
>>> CID 980360: Incorrect expression (NO_EFFECT)
>>> Assignment operation "fiop->f_auth = fiop->f_auth" has no effect.
2335 	fiop->f_auth = fiop->f_auth;
2336 	bcopy(&old->f_groups, &fiop->f_groups, sizeof(old->f_groups));
2337 	bcopy(&old->f_froute, &fiop->f_froute, sizeof(old->f_froute));
2338 	fiop->f_ticks = old->f_ticks;
2339 	bcopy(&old->f_locks, &fiop->f_locks, sizeof(old->f_locks));
2340 	fiop->f_defpass = old->f_defpass;
** CID 980361: Incorrect expression (NO_EFFECT)
/sys/external/bsd/ipf/netinet/ip_fil_compat.c: 2305 in friostat_4_1_33_to_current()
________________________________________________________________________________________________________
*** CID 980361: Incorrect expression (NO_EFFECT)
/sys/external/bsd/ipf/netinet/ip_fil_compat.c: 2305 in friostat_4_1_33_to_current()
2299 	fiop->f_ipf[1][0] = old->f_ipf[1][0];
2300 	fiop->f_ipf[1][1] = old->f_ipf[1][1];
2301 	fiop->f_acct[0][0] = old->f_acct[0][0];
2302 	fiop->f_acct[0][1] = old->f_acct[0][1];
2303 	fiop->f_acct[1][0] = old->f_acct[1][0];
2304 	fiop->f_acct[1][1] = old->f_acct[1][1];
>>> CID 980361: Incorrect expression (NO_EFFECT)
>>> Assignment operation "fiop->f_auth = fiop->f_auth" has no effect.
2305 	fiop->f_auth = fiop->f_auth;
2306 	bcopy(&old->f_groups, &fiop->f_groups, sizeof(old->f_groups));
2307 	bcopy(&old->f_froute, &fiop->f_froute, sizeof(old->f_froute));
2308 	fiop->f_ticks = old->f_ticks;
2309 	bcopy(&old->f_locks, &fiop->f_locks, sizeof(old->f_locks));
2310 	fiop->f_defpass = old->f_defpass;
** CID 980424: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980424: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/fil.c: 7812 in ipf_genericiter()
7806 ipf_genericiter(ipf_main_softc_t *softc, void *data, int uid, void *ctx)
7807 {
7808 	ipftoken_t *token;
7809 	ipfgeniter_t iter;
7810 	int error;
7811 
>>> CID 980424: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ipfgeniter_t of 12 bytes by passing it to a function which accesses it at byte offset 435.
7812 	error = ipf_inobj(softc, data, NULL, &iter, IPFOBJ_GENITER);
7813 	if (error != 0)
7814 		return error;
7815 
7816 	token = ipf_token_find(softc, iter.igi_type, uid, ctx);
7817 	if (token != NULL) {
** CID 980425: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980425: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/fil.c: 7000 in ipf_ipftune()
6994 {
6995 	ipftuneable_t *ta;
6996 	ipftune_t tu;
6997 	void *cookie;
6998 	int error;
6999 
>>> CID 980425: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ipftune_t of 104 bytes by passing it to a function which accesses it at byte offset 435.
7000 	error = ipf_inobj(softc, data, NULL, &tu, IPFOBJ_TUNEABLE);
7001 	if (error != 0)
7002 		return error;
7003 
7004 	tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0';
7005 	cookie = tu.ipft_cookie;
** CID 980426: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980426: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_auth.c: 1157 in ipf_auth_reply()
1151 	int error, i;
1152 #ifdef _KERNEL
1153 	mb_t *m;
1154 #endif
1155 	SPL_INT(s);
1156 
>>> CID 980426: Memory - corruptions (OVERRUN)
>>> Overrunning struct type frauth_t of 228 bytes by passing it to a function which accesses it at byte offset 435.
1157 	error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH);
1158 	if (error != 0)
1159 		return error;
1160 
1161 	SPL_NET(s);
1162 	WRITE_ENTER(&softa->ipf_authlk);
** CID 980427: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_auth.c: 1021 in ipf_auth_wait()
________________________________________________________________________________________________________
*** CID 980427: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_auth.c: 1021 in ipf_auth_wait()
1015 /* If there are no packets present in the queue (ipf_auth_pkts) then we go */
1016 /* to sleep. */
1017 /* ------------------------------------------------------------------------ */
1018 static int
1019 ipf_auth_wait(ipf_main_softc_t *softc, ipf_auth_softc_t *softa, char *data)
1020 {
>>> CID 980427: Memory - corruptions (OVERRUN)
>>> Assigning: "au" = "&auth". "au" now points to element 0 of "auth" (which consists of 1 228-byte elements).
1021 	frauth_t auth, *au = &auth;
1022 	int error, len, i;
1023 	mb_t *m;
1024 	char *t;
1025 	SPL_INT(s);
1026 
** CID 980428: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 1013 in ipf_send_icmp_err()
________________________________________________________________________________________________________
*** CID 980428: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 1013 in ipf_send_icmp_err()
1007 		} else {	/* make up a number... */
1008 			icmp->icmp_nextmtu = htons(fin->fin_plen - 20);
1009 		}
1010 	}
1011 #endif
1012 
>>> CID 980428: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ip of 20 bytes by passing it to a function which accesses it at byte offset 39 using argument "ohlen" (which evaluates to 40).
1013 	bcopy((char *)fin->fin_ip, (char *)ip2, ohlen);
1014 
1015 #if defined(M_CSUM_IPv4)
1016 	/*
1017 	 * Clear any in-bound checksum flags for this packet.
1018 	 */
** CID 980429: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980429: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_lookup.c: 691 in ipf_lookup_iterate()
685 	ipf_lookup_softc_t *softl = softc->ipf_lookup_soft;
686 	ipflookupiter_t iter;
687 	ipftoken_t *token;
688 	int err, i;
689 	SPL_INT(s);
690 
>>> CID 980429: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ipflookupiter_t of 28 bytes by passing it to a function which accesses it at byte offset 435.
691 	err = ipf_inobj(softc, data, NULL, &iter, IPFOBJ_LOOKUPITER);
692 	if (err != 0)
693 		return err;
694 
695 	if (iter.ili_unit < IPL_LOGALL && iter.ili_unit > IPL_LOGMAX) {
696 		IPFERROR(50038);
** CID 980430: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980430: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_nat.c: 7811 in ipf_nat_gettable()
7805 static int
7806 ipf_nat_gettable(ipf_main_softc_t *softc, ipf_nat_softc_t *softn, char *data)
7807 {
7808 	ipftable_t table;
7809 	int error;
7810 
>>> CID 980430: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ipftable_t of 8 bytes by passing it to a function which accesses it at byte offset 435.
7811 	error = ipf_inobj(softc, data, NULL, &table, IPFOBJ_GTABLE);
7812 	if (error != 0)
7813 		return error;
7814 
7815 	switch (table.ita_type)
7816 	{
** CID 980431: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980431: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_nat.c: 1219 in ipf_nat_ioctl()
1213 	 }
1214 
1215 	case SIOCGNATL :
1216 	 {
1217 		natlookup_t nl;
1218 
>>> CID 980431: Memory - corruptions (OVERRUN)
>>> Overrunning struct type natlookup_t of 64 bytes by passing it to a function which accesses it at byte offset 435.
1219 		error = ipf_inobj(softc, data, NULL, &nl, IPFOBJ_NATLOOKUP);
1220 		if (error == 0) {
1221 			void *ptr;
1222 
1223 			if (getlock) {
1224 				READ_ENTER(&softc->ipf_nat);
** CID 980432: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980432: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_proxy.c: 720 in ipf_proxy_ioctl()
714 
715 	mode = mode;	/* LINT */
716 
717 	switch (cmd)
718 	{
719 	case SIOCPROXY :
>>> CID 980432: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ap_ctl_t of 52 bytes by passing it to a function which accesses it at byte offset 435.
720 		error = ipf_inobj(softc, data, NULL, &ctl, IPFOBJ_PROXYCTL);
721 		if (error != 0) {
722 			return error;
723 		}
724 		ptr = NULL;
725 
** CID 980433: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 980433: Memory - corruptions (OVERRUN)
/sys/external/bsd/ipf/netinet/ip_state.c: 4819 in ipf_state_gettable()
4813 ipf_state_gettable(ipf_main_softc_t *softc, ipf_state_softc_t *softs,
4814 char *data)
4815 {
4816 	ipftable_t table;
4817 	int error;
4818 
>>> CID 980433: Memory - corruptions (OVERRUN)
>>> Overrunning struct type ipftable_t of 8 bytes by passing it to a function which accesses it at byte offset 435.
4819 	error = ipf_inobj(softc, data, NULL, &table, IPFOBJ_GTABLE);
4820 	if (error != 0)
4821 		return error;
4822 
4823 	if (table.ita_type != IPFTABLE_BUCKETS) {
4824 		IPFERROR(100031);
** CID 980513: (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 4352 in frrequest()
________________________________________________________________________________________________________
*** CID 980513: (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 4347 in frrequest()
4341 			return error;
4342 		}
4343 		if ((fp->fr_type & FR_T_BUILTIN) != 0) {
4344 			IPFERROR(6);
4345 			return EINVAL;
4346 		}
>>> CID 980513: (TAINTED_SCALAR)
>>> Passing tainted variable "fp->fr_size" to a tainted sink.
4347 		KMALLOCS(f, frentry_t *, fp->fr_size);
4348 		if (f == NULL) {
4349 			IPFERROR(131);
4350 			return ENOMEM;
4351 		}
4352 		bzero(f, fp->fr_size);
/sys/external/bsd/ipf/netinet/fil.c: 4352 in frrequest()
4346 		}
4347 		KMALLOCS(f, frentry_t *, fp->fr_size);
4348 		if (f == NULL) {
4349 			IPFERROR(131);
4350 			return ENOMEM;
4351 		}
>>> CID 980513: (TAINTED_SCALAR)
>>> Passing tainted variable "fp->fr_size" to a tainted sink.
4352 		bzero(f, fp->fr_size);
4353 		error = ipf_inobjsz(softc, data, f, IPFOBJ_FRENTRY,
4354 				 fp->fr_size);
4355 		if (error) {
4356 			KFREES(f, fp->fr_size);
4357 			return error;
/sys/external/bsd/ipf/netinet/fil.c: 4353 in frrequest()
4347 		KMALLOCS(f, frentry_t *, fp->fr_size);
4348 		if (f == NULL) {
4349 			IPFERROR(131);
4350 			return ENOMEM;
4351 		}
4352 		bzero(f, fp->fr_size);
>>> CID 980513: (TAINTED_SCALAR)
>>> Passing tainted variable "fp->fr_size" to a tainted sink.
4353 		error = ipf_inobjsz(softc, data, f, IPFOBJ_FRENTRY,
4354 				 fp->fr_size);
4355 		if (error) {
4356 			KFREES(f, fp->fr_size);
4357 			return error;
4358 		}
** CID 980514: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 980514: Insecure data handling (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 7758 in ipf_frruleiter()
7752 		RWLOCK_EXIT(&softc->ipf_tokens);
7753 	} else {
7754 		error = ipf_inobj(softc, data, &obj, &it, IPFOBJ_IPFITER);
7755 		if (error != 0)
7756 			return error;
7757 		it.iri_rule = NULL;
>>> CID 980514: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "it" to a tainted sink.
7758 		error = ipf_outobj(softc, data, &it, IPFOBJ_IPFITER);
7759 	}
7760 
7761 	return error;
7762 }
7763 
** CID 980515: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 980515: Insecure data handling (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 7978 in ipf_ipf_ioctl()
7972 	case SIOCGETFS :
7973 		error = ipf_inobj(softc, (void *)data, &obj, &fio,
7974 				 IPFOBJ_IPFSTAT);
7975 		if (error != 0)
7976 			break;
7977 		ipf_getstat(softc, &fio, obj.ipfo_rev);
>>> CID 980515: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "fio" to a tainted sink.
7978 		error = ipf_outobj(softc, (void *)data, &fio, IPFOBJ_IPFSTAT);
7979 		break;
7980 
7981 	case SIOCFRZST :
7982 		if (!(mode & FWRITE)) {
7983 			IPFERROR(104);
** CID 980516: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 980516: (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 7055 in ipf_ipftune()
7049 			tu.ipft_max = ta->ipft_max;
7050 			tu.ipft_flags = ta->ipft_flags;
7051 			bcopy(ta->ipft_name, tu.ipft_name,
7052 			 MIN(sizeof(tu.ipft_name),
7053 				 strlen(ta->ipft_name) + 1));
7054 		}
>>> CID 980516: (TAINTED_SCALAR)
>>> Passing tainted variable "tu" to a tainted sink.
7055 		error = ipf_outobj(softc, data, &tu, IPFOBJ_TUNEABLE);
7056 		break;
7057 
7058 	case SIOCIPFGET :
7059 	case SIOCIPFSET :
7060 		/*
/sys/external/bsd/ipf/netinet/fil.c: 7098 in ipf_ipftune()
7092 				tu.ipft_vchar = *ta->ipft_pchar;
7093 			tu.ipft_cookie = ta;
7094 			tu.ipft_sz = ta->ipft_sz;
7095 			tu.ipft_min = ta->ipft_min;
7096 			tu.ipft_max = ta->ipft_max;
7097 			tu.ipft_flags = ta->ipft_flags;
>>> CID 980516: (TAINTED_SCALAR)
>>> Passing tainted variable "tu" to a tainted sink.
7098 			error = ipf_outobj(softc, data, &tu, IPFOBJ_TUNEABLE);
7099 
7100 		} else if (cmd == (ioctlcmd_t)SIOCIPFSET) {
7101 			/*
7102 			 * Set an internal parameter. The hard part here is
7103 			 * getting the new value safely and correctly out of
** CID 980518: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 980518: Insecure data handling (TAINTED_SCALAR)
/sys/external/bsd/ipf/netinet/fil.c: 7180 in ipf_zerostats()
7174 	int error;
7175 
7176 	error = ipf_inobj(softc, data, &obj, &fio, IPFOBJ_IPFSTAT);
7177 	if (error != 0)
7178 		return error;
7179 	ipf_getstat(softc, &fio, obj.ipfo_rev);
>>> CID 980518: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "fio" to a tainted sink.
7180 	error = ipf_outobj(softc, data, &fio, IPFOBJ_IPFSTAT);
7181 	if (error != 0)
7182 		return error;
7183 
7184 	WRITE_ENTER(&softc->ipf_mutex);
7185 	bzero(&softc->ipf_stats, sizeof(softc->ipf_stats));
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-i386-user?tab=overview
To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://scan.coverity.com/subscriptions/edit?email=coverity-updates%40netbsd.org&token=487286ca1a9a4f4bd485d16f66b5e782


