From owner-freebsd-hackers@FreeBSD.ORG Tue Mar 15 13:41:41 2005
Date: Tue, 15 Mar 2005 08:41:33 -0500 (EST)
From: c0ldbyte
To: Ted Unangst
Cc: hackers@freebsd.org
Subject: Re: some bugs in the kernel
In-Reply-To: <42360141.3080104@coverity.com>
Message-ID: <20050315084106.U3949@eleanor.us1.wmi.uvac.net>
References: <42360141.3080104@coverity.com>
List-Id: Technical Discussions relating to FreeBSD

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 14 Mar 2005, Ted Unangst wrote:

> These bugs were found using the Coverity Prevent static analysis tool.
>
> Memory Leak
> File: usr/home/tedu/src/sys/geom/geom_bsd.c
> Function: g_bsd_ioctl
> Returning at line 378 leaks the just allocated 'label'.
>
> Buffer Overrun
> File: usr/home/tedu/src/sys/dev/hptmv/gui_lib.c
> Function: hpt_default_ioctl
> At line 1262, the loop bound of MAX_ARRAY_PER_VBUS is defined to be twice the
> size of pVDevice (MAX_VDEVICE_PER_VBUS).
>
> Buffer Overrun
> File: usr/home/tedu/src/sys/dev/hptmv/entry.c
> Function: SetInquiryData
> At line 2660, loop bound of 20 is greater than size of VendorID.
>
> Memory Leak
> File: usr/home/tedu/src/sys/dev/pci/pci.c
> Function: pci_suspend
> If bus_generic_suspend fails at line 1061, 'devlist' is leaked.
>
> Use After Free, Memory Corruption
> File: usr/home/tedu/src/sys/dev/mlx/mlx_pci.c
> Function: mlx_pci_attach
> Calling mlx_free on error at line 218 is dangerous, since mlx_attach also
> called it. Eventually this will double free assorted bus resources.
>
> NULL pointer dereference
> File: usr/home/tedu/src/sys/pci/if_ti.c
> Function: ti_setmulti
> malloc return at 1628 is not checked against NULL.
>
>
> --
> Ted Unangst www.coverity.com Coverity, Inc.

Pretty cool, thanks..

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF7DF979F

iD8DBQFCNuYQsmFQuvffl58RAqkEAJ41uvoxxZOLoclnAO15d+rlewIXOACeOyRg
PJ48VXqgInEjY3FDOv42Aco=
=RkCW
-----END PGP SIGNATURE-----
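The report above lists five defect classes (a leak on an early return, a loop bound larger than the array it indexes, an over-long copy into a fixed field, a double free on an error path, and an unchecked malloc). The following C is a constructed illustration of the defensive pattern for each one, added here as an editorial example: it is not FreeBSD code and none of the names (vbus, pVDevice, VENDOR_ID_LEN, process_label, inner_attach, softc_release, release_count) are taken from the drivers the report names beyond borrowing their flavour. Each function shows the idiom that makes the corresponding static-analysis finding impossible: a bound computed from the array, a copy clamped to the field size, a single cleanup label, and an ownership rule for error paths backed by a release routine that nulls the pointer it frees.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example, not FreeBSD code: invented names and sizes. */
#define MAX_VDEVICE_PER_VBUS 4
#define VENDOR_ID_LEN 8

struct vdevice { int id; };
struct vbus { struct vdevice *pVDevice[MAX_VDEVICE_PER_VBUS]; };

/* Loop bound derived from the array itself, so it can never exceed it. */
int count_devices(const struct vbus *bus)
{
    size_t n = sizeof(bus->pVDevice) / sizeof(bus->pVDevice[0]);
    int present = 0;
    for (size_t i = 0; i < n; i++)
        if (bus->pVDevice[i] != NULL)
            present++;
    return present;
}

/* Fill a fixed, space-padded field (inquiry-data style) without writing
 * past its end; returns the number of source bytes actually copied. */
int set_vendor_id(char dst[VENDOR_ID_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n > VENDOR_ID_LEN)
        n = VENDOR_ID_LEN;
    memset(dst, ' ', VENDOR_ID_LEN);
    memcpy(dst, src, n);
    return (int)n;
}

/* Leak-free early exit: every failure after the allocation goes through
 * the single 'out' label that releases it.  Returns 0 on success, -1 on
 * failure; the malloc result is checked before it is ever dereferenced. */
struct label { char data[16]; };

int process_label(const char *input, int *out_len)
{
    int rc = -1;
    struct label *label = malloc(sizeof(*label));
    if (label == NULL)
        return -1;
    memset(label, 0, sizeof(*label));
    if (strlen(input) >= sizeof(label->data))
        goto out;               /* early exit, but 'label' is still freed */
    strcpy(label->data, input);
    if (label->data[0] == '\0')
        goto out;
    *out_len = (int)strlen(label->data);
    rc = 0;
out:
    free(label);
    return rc;
}

/* Ownership on error paths: inner_attach releases what it acquired when it
 * fails and documents that, so the caller must not release it again.
 * softc_release also nulls the pointer, so a mistaken second call is a
 * no-op instead of a double free. */
struct softc { void *res; };
int release_count;              /* counts real frees, for checking */

void softc_release(struct softc *sc)
{
    if (sc->res != NULL) {
        free(sc->res);
        sc->res = NULL;
        release_count++;
    }
}

/* Returns 0 on success; on failure every resource is already released. */
int inner_attach(struct softc *sc, int simulate_failure)
{
    sc->res = malloc(32);
    if (sc->res == NULL)
        return -1;
    if (simulate_failure) {
        softc_release(sc);
        return -1;
    }
    return 0;
}

int outer_attach(struct softc *sc, int simulate_failure)
{
    /* No cleanup here: inner_attach owns cleanup on its own failure. */
    if (inner_attach(sc, simulate_failure) != 0)
        return -1;
    return 0;
}
```

The attach pair is the part worth copying: pick one convention (callee cleans up on failure, or caller always cleans up) and write it into the function comment, then make the release routine idempotent so a slip produces a harmless no-op that a test can still count rather than corrupted allocator state.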