From owner-freebsd-hackers@FreeBSD.ORG Wed Mar 16 17:09:07 2005
Date: Wed, 16 Mar 2005 09:08:48 -0800 (PST)
From: Will Froning
To: Ted Unangst
cc: hackers@freebsd.org
Subject: Re: some bugs in the kernel
In-Reply-To: <42360141.3080104@coverity.com>
Message-ID: <20050316090727.X45818@angui.sh>
References: <42360141.3080104@coverity.com>
List-Id: Technical Discussions relating to FreeBSD

On Mon, 14 Mar 2005, Ted Unangst wrote:

=>These bugs were found using the Coverity Prevent static analysis tool.
=>
=>Memory Leak
=>File: usr/home/tedu/src/sys/geom/geom_bsd.c
=>Function: g_bsd_ioctl
=>Returning at line 378 leaks the just allocated 'label'.
=>
=>Buffer Overrun
=>File: usr/home/tedu/src/sys/dev/hptmv/gui_lib.c
=>Function: hpt_default_ioctl
=>At line 1262, the loop bound of MAX_ARRAY_PER_VBUS is defined to be
=>twice the size of pVDevice (MAX_VDEVICE_PER_VBUS).
=>
=>Buffer Overrun
=>File: usr/home/tedu/src/sys/dev/hptmv/entry.c
=>Function: SetInquiryData
=>At line 2660, loop bound of 20 is greater than size of VendorID.
=>
=>Memory Leak
=>File: usr/home/tedu/src/sys/dev/pci/pci.c
=>Function: pci_suspend
=>If bus_generic_suspend fails at line 1061, 'devlist' is leaked.
=>
=>Use After Free, Memory Corruption
=>File: usr/home/tedu/src/sys/dev/mlx/mlx_pci.c
=>Function: mlx_pci_attach
=>Calling mlx_free on error at line 218 is dangerous, since mlx_attach
=>also called it. Eventually this will double free assorted bus resources.
=>
=>NULL pointer dereference
=>File: usr/home/tedu/src/sys/pci/if_ti.c
=>Function: ti_setmulti
=>malloc return at 1628 is not checked against NULL.

Just to make sure it is said again. Thanks!

Will

-- 
Will Froning
Unix Sys. Admin.
wfroning@angui.sh
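Two of the bug classes in the quoted report, a copy loop whose constant bound (the report's "20") exceeds the destination array, and a malloc result used without a NULL check, are easy to see in a small standalone program. The following is an added illustration, not code from the thread or from the FreeBSD drivers named above: the struct inquiry layout, the VENDOR_ID_LEN and INQ_PAD widths, and every function name are constructed assumptions. The weak copy stays inside the struct only because a second field happens to follow VendorID, which is exactly why such overruns go unnoticed until a static checker or a neighbouring field shows the damage.

```c
/* Added illustration (constructed userland C, not FreeBSD driver code) of
 * two bug classes from the report above: a copy loop whose bound is a
 * constant larger than the destination array, and an allocation whose
 * result is used without a NULL check.  struct inquiry, its field widths,
 * INQ_PAD and every function name here are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VENDOR_ID_LEN 8   /* assumed width; the real field size is not on the page */
#define INQ_PAD       20  /* a fixed loop bound wider than the field, as in the report */

struct inquiry {          /* hypothetical record: VendorID is followed by ProductID */
    char VendorID[VENDOR_ID_LEN];
    char ProductID[16];
};

/* Weak pattern: the loop bound (INQ_PAD) has nothing to do with the
 * destination size, so bytes 8..19 land in ProductID.  Here the write stays
 * inside the struct only because ProductID happens to follow; in general it
 * runs off the end of the object. */
static void set_vendor_id_weak(struct inquiry *inq, const char *src)
{
    char *dst = inq->VendorID;
    size_t len = strlen(src);
    for (size_t i = 0; i < INQ_PAD; i++)
        dst[i] = (i < len) ? src[i] : ' ';
}

/* Hardened form: the bound is derived from the destination with sizeof,
 * the field is space padded, and the number of source bytes actually
 * placed is returned so a caller can notice truncation. */
static size_t set_vendor_id(struct inquiry *inq, const char *src)
{
    size_t cap = sizeof(inq->VendorID);
    size_t n = 0;
    while (n < cap && src[n] != '\0')
        n++;
    memset(inq->VendorID, ' ', cap);
    memcpy(inq->VendorID, src, n);
    return n;
}

/* Counts ProductID bytes that no longer hold the marker, i.e. how many
 * were clobbered by a write that overran VendorID. */
static int product_id_clobbered(const struct inquiry *inq, char marker)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof(inq->ProductID); i++)
        if (inq->ProductID[i] != marker)
            bad++;
    return bad;
}

/* Fill the record with a marker, run the weak copy, report the damage. */
static int demo_weak(void)
{
    struct inquiry inq;
    memset(&inq, 'P', sizeof(inq));
    set_vendor_id_weak(&inq, "ACME");
    return product_id_clobbered(&inq, 'P');   /* 12 = INQ_PAD - VENDOR_ID_LEN */
}

/* Same check with the hardened copy: ProductID is untouched. */
static int demo_hardened(void)
{
    struct inquiry inq;
    memset(&inq, 'P', sizeof(inq));
    set_vendor_id(&inq, "ACME");
    return product_id_clobbered(&inq, 'P');   /* 0 */
}

/* Bytes of src that fit the field: 4 for "ACME", capped at 8 for longer names. */
static size_t vendor_fit(const char *src)
{
    struct inquiry inq;
    return set_vendor_id(&inq, src);
}

/* Checked allocation for a table of count elements of elem bytes.  Returns 0
 * on success, EOVERFLOW if the size computation would wrap, ENOMEM if the
 * allocator returned NULL.  The caller must act on a nonzero result instead
 * of dereferencing *out, which is the gap the report's last item describes. */
static int alloc_table(size_t count, size_t elem, void **out)
{
    *out = NULL;
    if (elem != 0 && count > SIZE_MAX / elem)
        return EOVERFLOW;
    void *p = malloc(count * elem);
    if (p == NULL)
        return ENOMEM;
    *out = p;
    return 0;
}

/* Allocate, check, release; returns the alloc_table result. */
static int alloc_table_check(size_t count, size_t elem)
{
    void *p;
    int rc = alloc_table(count, elem, &p);
    free(p);                /* free(NULL) is a no-op */
    return rc;
}

int main(void)
{
    printf("weak copy clobbered %d ProductID bytes, hardened copy %d\n",
           demo_weak(), demo_hardened());
    printf("\"VERYLONGVENDOR\" fits %zu bytes\n", vendor_fit("VERYLONGVENDOR"));
    printf("alloc_table(SIZE_MAX, 16) -> %d\n", alloc_table_check(SIZE_MAX, 16));
    return 0;
}
```

The design point is that the hardened copy never names the field width as a separate literal: sizeof on the destination keeps the bound and the array in step when the struct changes, and returning the byte count turns a silent overrun into a visible truncation a caller can log. The allocation helper likewise pushes the failure to the caller as an error code rather than a pointer the caller might forget to test, and it refuses a count that would wrap the size computation before malloc ever sees it.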