From owner-freebsd-hackers@FreeBSD.ORG Thu Feb 19 17:48:56 2004
From: "Ted Unangst" <tedu@coverity.com>
To: hackers@freebsd.org
Date: Thu, 19 Feb 2004 17:48:55 -0800 (PST)
Subject: size bugs
Message-ID: <19389.66.93.171.98.1077241735.spork@webmail.coverity.com>
List-Id: Technical Discussions relating to FreeBSD
X-Mailman-Approved-At: Thu, 19 Feb 2004 20:39:19 -0800

A few final bugs from Coverity. Most of these are off by one, the RF bug is malloc'ing the wrong type. Thanks for looking.

[attachment: report-size]

############################################################
# New errors.
#
---------------------------------------------------------
[UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP]
/home/tedu/sys/dev/twe/twe.c|279|twe_del_unit|ERROR|SIMPLE_BUFFER|
279|279|Accessing buffer "(*sc).twe_drive" of size "16" at position "16" with index variable "unit" from line 276
[PATH= "unit > 16" on line 276 is false => "unit < 0" on line 276 is false]

    int error;

    if (unit < 0 || unit > TWE_MAX_UNITS)
        return (ENXIO);
Error --->    if (sc->twe_drive[unit].td_disk == NULL)
        return (ENXIO);
    error = twe_detach_drive(sc, unit);
    return (error);
}

---------------------------------------------------------
[UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP]
/home/tedu/sys/netinet6/in6.c|1858|in6_prefixlen2mask|ERROR|SIMPLE_BUFFER|
1858|1858|Accessing buffer "((*maskp).__u6_addr).__u6_addr8" of size "16" at position "16" with index variable "bytelen" from line 1853
[PATH= "bitlen != 0" on line 1857 is true => "i < bytelen" on line 1855 is false => "i < bytelen" on line 1855 is true]

    bytelen = len / 8;
    bitlen = len % 8;
    for (i = 0; i < bytelen; i++)
        maskp->s6_addr[i] = 0xff;
    if (bitlen)
Error --->        maskp->s6_addr[bytelen] = maskarray[bitlen - 1];
}

/*
 * return the best address out of the same scope. if no address was
 * found, return the first valid address from designated IF.

---------------------------------------------------------
[UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP]
/home/tedu/sys/netinet6/in6.c|1830|in6_are_prefix_equal|ERROR|SIMPLE_BUFFER|
1830|1830|Accessing buffer "((*p1).__u6_addr).__u6_addr8" of size "16" at position "16" with index variable "bytelen" from line 1825
[PATH= "bcmp != 0" on line 1828 is false]

    bytelen = len / 8;
    bitlen = len % 8;

    if (bcmp(&p1->s6_addr, &p2->s6_addr, bytelen))
        return (0);
Error --->    if (p1->s6_addr[bytelen] >> (8 - bitlen) !=
        p2->s6_addr[bytelen] >> (8 - bitlen))
        return (0);

    return (1);
}

---------------------------------------------------------
[UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP]
/home/tedu/sys/dev/ata/atapi-cd.c|1633|acd_report_key|ERROR|SIMPLE_BUFFER|
1632|1633|Accessing buffer "d" of size "0" at position "0"
[PATH=]

    ccb[5] = lba & 0xff;
    ccb[8] = (length >> 8) & 0xff;
    ccb[9] = length & 0xff;
    ccb[10] = (ai->agid << 6) | ai->format;

Start --->    d = malloc(length, M_ACD, M_NOWAIT | M_ZERO);
Error --->    d->length = htons(length - 2);

    error = ata_atapicmd(cdp->device, ccb, (caddr_t)d, length,
                         ai->format == DVD_INVALIDATE_AGID ? 0 : ATA_R_READ, 10);
    if (error) {
        free(d, M_ACD);

############################################################
# New errors.
#
---------------------------------------------------------
[UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP]
/home/tedu/sys/dev/raidframe/rf_diskqueue.c|160|init_dqd|ERROR|SIZE_CHECK|
160|160| (*dqd).bp = "malloc"(4 bytes), need 136

static int
init_dqd(dqd)
    RF_DiskQueueData_t *dqd;
{
Error --->    dqd->bp = (RF_Buf_t) malloc(sizeof(RF_Buf_t), M_RAIDFRAME, M_NOWAIT);
    if (dqd->bp == NULL) {
        return (ENOMEM);
    }
    memset(dqd->bp, 0, sizeof(RF_Buf_t));  /* if you don't do it, nobody
                                            * else will.. */
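The two netinet6 entries above share one edge case: for a prefix length of 128, bytelen is 16 and indexes one past the 16-byte s6_addr array, and for any length above 128 both loops run off the end. The following is an added example, not code from FreeBSD or from the Coverity report: user-space versions of the same two helpers that refuse lengths outside 0..128 and guard the partial-byte access with bitlen, so that bytelen is only used as an index when it is at most 15. struct in6_addr_ex, prefixlen2mask, are_prefix_equal, mask_byte and the sample addresses are this example's own names and constructed data.

```c
/*
 * Added example, not code from FreeBSD or the Coverity report: user-space
 * versions of the two netinet6 prefix helpers the report flags, written so
 * that a prefix length of 128 (bytelen == 16, bitlen == 0) never touches
 * s6_addr[16] and a length outside 0..128 is refused.  struct in6_addr_ex,
 * prefixlen2mask, are_prefix_equal and mask_byte are this example's names.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define IN6_ADDR_LEN 16

struct in6_addr_ex {              /* stand-in for struct in6_addr */
    uint8_t s6_addr[IN6_ADDR_LEN];
};

/* Fill *maskp with the netmask for a prefix of len bits.
 * Returns 0 on success, -1 if len is outside 0..128. */
int prefixlen2mask(struct in6_addr_ex *maskp, int len)
{
    static const uint8_t maskarray[8] =
        { 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff };
    int bytelen, bitlen, i;

    if (len < 0 || len > 128)
        return -1;

    memset(maskp, 0, sizeof(*maskp));
    bytelen = len / 8;            /* 0..16 */
    bitlen = len % 8;             /* 0..7; it is 0 whenever bytelen == 16 */
    for (i = 0; i < bytelen; i++)
        maskp->s6_addr[i] = 0xff;
    /* bitlen != 0 implies len < 128, hence bytelen <= 15: in bounds. */
    if (bitlen)
        maskp->s6_addr[bytelen] = maskarray[bitlen - 1];
    return 0;
}

/* Compare the leading len bits of two addresses.
 * Returns 1 if they match, 0 if not, -1 if len is outside 0..128.
 * Guarding the partial-byte compare with bitlen is what keeps len == 128
 * from reading s6_addr[16], one past the end of the array. */
int are_prefix_equal(const struct in6_addr_ex *p1,
                     const struct in6_addr_ex *p2, int len)
{
    int bytelen, bitlen;

    if (len < 0 || len > 128)
        return -1;

    bytelen = len / 8;
    bitlen = len % 8;
    if (memcmp(p1->s6_addr, p2->s6_addr, bytelen) != 0)
        return 0;
    if (bitlen &&
        (p1->s6_addr[bytelen] >> (8 - bitlen)) !=
        (p2->s6_addr[bytelen] >> (8 - bitlen)))
        return 0;
    return 1;
}

/* Byte idx of the mask for prefix length len, or -1 on a bad argument. */
int mask_byte(int len, int idx)
{
    struct in6_addr_ex m;

    if (idx < 0 || idx >= IN6_ADDR_LEN || prefixlen2mask(&m, len) < 0)
        return -1;
    return m.s6_addr[idx];
}

/* Constructed sample addresses: 2001:db8::1, 2001:db8::2, 2001:db9::1. */
const struct in6_addr_ex sample_a =
    {{ 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01 }};
const struct in6_addr_ex sample_b =
    {{ 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x02 }};
const struct in6_addr_ex sample_c =
    {{ 0x20, 0x01, 0x0d, 0xb9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01 }};

int main(void)
{
    struct in6_addr_ex m;
    int i;

    prefixlen2mask(&m, 128);      /* the bytelen == 16 edge case */
    printf("mask /128:");
    for (i = 0; i < IN6_ADDR_LEN; i++)
        printf(" %02x", m.s6_addr[i]);
    printf("\n/127 a~b: %d\n/126 a~b: %d\n/32 a~c: %d\n/31 a~c: %d\n",
           are_prefix_equal(&sample_a, &sample_b, 127),
           are_prefix_equal(&sample_a, &sample_b, 126),
           are_prefix_equal(&sample_a, &sample_c, 32),
           are_prefix_equal(&sample_a, &sample_c, 31));
    return 0;
}
```

With len held to 0..128, bitlen is nonzero only when len is below 128, which is exactly the condition under which bytelen is a valid index; the range check and the bitlen guard together remove both paths Coverity reports.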
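The twe and RAIDframe entries are the other two "size" mistakes in the report: a range check that uses `>` against the array length and so accepts unit == TWE_MAX_UNITS, and a malloc sized with sizeof(RF_Buf_t), the size of a pointer, where the pointed-to struct was needed (4 bytes requested, 136 needed). The following is an added example, not code from FreeBSD or the Coverity report, reproducing both in user space next to the corrected forms. struct buf_ex, buf_t, struct dqd_ex, MAX_UNITS and the function names are this example's own; the sizes 136 and 16 are taken from the report.

```c
/*
 * Added example, not code from FreeBSD or the Coverity report: the twe
 * range check and the RAIDframe allocation reproduced in user space.
 * RF_Buf_t is a pointer typedef, so sizeof(RF_Buf_t) asks for a pointer's
 * worth of bytes rather than the struct it points at; and "unit > MAX"
 * lets unit == MAX through to an array of MAX elements.  struct buf_ex,
 * buf_t, struct dqd_ex and MAX_UNITS are this example's own names, with
 * 136 and 16 taken from the report.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct buf_ex {                   /* stand-in for the 136-byte struct buf */
    char payload[136];
};
typedef struct buf_ex *buf_t;     /* pointer typedef, like RF_Buf_t */

struct dqd_ex {                   /* stand-in for RF_DiskQueueData_t */
    buf_t bp;
};

/* What the flagged line requests: the size of the pointer itself. */
size_t buggy_request(void) { return sizeof(buf_t); }

/* Size the allocation (and the memset) from the pointee, not the pointer.
 * Returns the number of bytes obtained, 0 on allocation failure. */
size_t init_dqd_fixed(struct dqd_ex *dqd)
{
    /* sizeof(*dqd->bp) stays correct if the typedef or struct changes. */
    size_t n = sizeof(*dqd->bp);

    dqd->bp = malloc(n);
    if (dqd->bp == NULL)
        return 0;
    memset(dqd->bp, 0, n);        /* the report's memset uses sizeof(RF_Buf_t) too */
    return n;
}

void fini_dqd(struct dqd_ex *dqd)
{
    free(dqd->bp);
    dqd->bp = NULL;
}

/* Allocate, release, and report the bytes allocated. */
size_t round_trip(void)
{
    struct dqd_ex dqd = { NULL };
    size_t n = init_dqd_fixed(&dqd);

    fini_dqd(&dqd);
    return n;
}

#define MAX_UNITS 16              /* TWE_MAX_UNITS in the report */

/* twe_del_unit's check as written: unit == MAX_UNITS is accepted, and
 * twe_drive[MAX_UNITS] is one past the end of a 16-element array. */
int unit_check_buggy(int unit)
{
    return (unit < 0 || unit > MAX_UNITS) ? ENXIO : 0;
}

/* Valid indexes into an array of MAX_UNITS elements are 0..MAX_UNITS-1. */
int unit_check_fixed(int unit)
{
    return (unit < 0 || unit >= MAX_UNITS) ? ENXIO : 0;
}

int main(void)
{
    printf("sizeof(buf_t) = %zu, sizeof(struct buf_ex) = %zu\n",
           buggy_request(), sizeof(struct buf_ex));
    printf("init_dqd_fixed allocated %zu bytes\n", round_trip());
    printf("unit 16: buggy=%d fixed=%d\n",
           unit_check_buggy(16), unit_check_fixed(16));
    return 0;
}
```

Writing the allocation as sizeof(*dqd->bp) rather than naming a type is the habit that prevents the RAIDframe bug: the expression follows whatever bp points to, so a typedef that hides a pointer cannot make malloc undersize the object.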