Date: Thu, 19 Feb 2004 17:48:55 -0800 (PST) From: "Ted Unangst" <tedu@coverity.com> To: hackers@freebsd.org Subject: size bugs Message-ID: <19389.66.93.171.98.1077241735.spork@webmail.coverity.com>
next in thread | raw e-mail | index | archive | help
------=_20040219174855_55981
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
A few final bugs from Coverity. Most of these are off by one, the RF bug
is malloc'ing the wrong type.
Thanks for looking.
------=_20040219174855_55981
Content-Type: text/plain; name="report-size"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="report-size"
############################################################
# New errors.
#
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/twe/twe.c|279|twe_del_unit|ERROR|SIMPLE_BUFFER| 279|279|Accessing buffer "(*sc).twe_drive" of size "16" at position "16" with index variable "unit" from line 276 [PATH= "unit > 16" on line 276 is false => "unit < 0" on line 276 is false]
int error;
if (unit < 0 || unit > TWE_MAX_UNITS)
return (ENXIO);
Error --->
if (sc->twe_drive[unit].td_disk == NULL)
return (ENXIO);
error = twe_detach_drive(sc, unit);
return (error);
}
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/netinet6/in6.c|1858|in6_prefixlen2mask|ERROR|SIMPLE_BUFFER| 1858|1858|Accessing buffer "((*maskp).__u6_addr).__u6_addr8" of size "16" at position "16" with index variable "bytelen" from line 1853 [PATH= "bitlen != 0" on line 1857 is true => "i < bytelen" on line 1855 is false => "i < bytelen" on line 1855 is true]
bytelen = len / 8;
bitlen = len % 8;
for (i = 0; i < bytelen; i++)
maskp->s6_addr[i] = 0xff;
if (bitlen)
Error --->
maskp->s6_addr[bytelen] = maskarray[bitlen - 1];
}
/*
* return the best address out of the same scope. if no address was
* found, return the first valid address from designated IF.
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/netinet6/in6.c|1830|in6_are_prefix_equal|ERROR|SIMPLE_BUFFER| 1830|1830|Accessing buffer "((*p1).__u6_addr).__u6_addr8" of size "16" at position "16" with index variable "bytelen" from line 1825 [PATH= "bcmp != 0" on line 1828 is false]
bytelen = len / 8;
bitlen = len % 8;
if (bcmp(&p1->s6_addr, &p2->s6_addr, bytelen))
return (0);
Error --->
if (p1->s6_addr[bytelen] >> (8 - bitlen) !=
p2->s6_addr[bytelen] >> (8 - bitlen))
return (0);
return (1);
}
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/ata/atapi-cd.c|1633|acd_report_key|ERROR|SIMPLE_BUFFER| 1632|1633|Accessing buffer "d" of size "0" at position "0" [PATH=]
ccb[5] = lba & 0xff;
ccb[8] = (length >> 8) & 0xff;
ccb[9] = length & 0xff;
ccb[10] = (ai->agid << 6) | ai->format;
Start --->
d = malloc(length, M_ACD, M_NOWAIT | M_ZERO);
Error --->
d->length = htons(length - 2);
error = ata_atapicmd(cdp->device, ccb, (caddr_t)d, length,
ai->format == DVD_INVALIDATE_AGID ? 0 : ATA_R_READ,10);
if (error) {
free(d, M_ACD);
############################################################
# New errors.
#
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/raidframe/rf_diskqueue.c|160|init_dqd|ERROR|SIZE_CHECK| 160|160| (*dqd).bp = "malloc"(4 bytes), need 136
static int
init_dqd(dqd)
RF_DiskQueueData_t *dqd;
{
Error --->
dqd->bp = (RF_Buf_t) malloc(sizeof(RF_Buf_t), M_RAIDFRAME, M_NOWAIT);
if (dqd->bp == NULL) {
return (ENOMEM);
}
memset(dqd->bp, 0, sizeof(RF_Buf_t)); /* if you don't do it, nobody
* else will.. */
------=_20040219174855_55981--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19389.66.93.171.98.1077241735.spork>