Message-ID: <42360141.3080104@coverity.com>
Date: Mon, 14 Mar 2005 13:25:21 -0800
From: Ted Unangst
To: hackers@freebsd.org
Subject: some bugs in the kernel

These bugs were found using the Coverity Prevent static analysis tool.

Memory Leak
File: usr/home/tedu/src/sys/geom/geom_bsd.c
Function: g_bsd_ioctl
Returning at line 378 leaks the just allocated 'label'.

Buffer Overrun
File: usr/home/tedu/src/sys/dev/hptmv/gui_lib.c
Function: hpt_default_ioctl
At line 1262, the loop bound of MAX_ARRAY_PER_VBUS is defined to be twice the size of pVDevice (MAX_VDEVICE_PER_VBUS).

Buffer Overrun
File: usr/home/tedu/src/sys/dev/hptmv/entry.c
Function: SetInquiryData
At line 2660, loop bound of 20 is greater than size of VendorID.

Memory Leak
File: usr/home/tedu/src/sys/dev/pci/pci.c
Function: pci_suspend
If bus_generic_suspend fails at line 1061, 'devlist' is leaked.

Use After Free, Memory Corruption
File: usr/home/tedu/src/sys/dev/mlx/mlx_pci.c
Function: mlx_pci_attach
Calling mlx_free on error at line 218 is dangerous, since mlx_attach also called it. Eventually this will double free assorted bus resources.

NULL pointer dereference
File: usr/home/tedu/src/sys/pci/if_ti.c
Function: ti_setmulti
malloc return at 1628 is not checked against NULL.

-- 
Ted Unangst www.coverity.com Coverity, Inc.
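
The double-cleanup pattern from the mlx_pci_attach report, as an added example that is not part of the original message and is not FreeBSD source: an inner attach that frees on its own failure path and a caller that cleans up again on the same error. All names (toy_softc, toy_free, toy_attach, toy_pci_attach) are hypothetical; the release helper is made idempotent so the second call is harmless, and the allocation is checked against NULL as the ti_setmulti report asks.

```c
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical per-device state standing in for a driver softc. */
struct toy_softc {
    void *mem;         /* stands in for a bus resource */
    int   releases;    /* times mem was actually released */
    int   stale_calls; /* cleanup calls that found nothing to release */
};

/* Idempotent cleanup: release once, then clear the pointer so a second
 * call from another error path cannot free the same resource again. */
static void toy_free(struct toy_softc *sc)
{
    if (sc->mem == NULL) {
        sc->stale_calls++;
        return;
    }
    free(sc->mem);
    sc->mem = NULL;
    sc->releases++;
}

/* Inner attach: on failure it cleans up after itself, which is the
 * behaviour the report attributes to mlx_attach. */
static int toy_attach(struct toy_softc *sc, int fail)
{
    if (fail) {
        toy_free(sc);
        return -1;
    }
    return 0;
}

/* Outer attach: allocates, calls the inner attach, and also cleans up
 * on error. Without the NULL check in toy_free this is a double free. */
static int toy_pci_attach(struct toy_softc *sc, int fail)
{
    sc->mem = malloc(64);
    if (sc->mem == NULL)        /* unchecked malloc is its own bug class */
        return -1;
    if (toy_attach(sc, fail) != 0) {
        toy_free(sc);           /* second cleanup on the same error path */
        return -1;
    }
    return 0;
}
```

The alternative fix is single ownership: only one of the two functions releases on failure, and the other just propagates the error.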