Date: Tue, 2 Aug 2016 11:20:06 -0700 From: Conrad Meyer <cem@freebsd.org> To: freebsd-wireless@freebsd.org Subject: Fwd: New Defects reported by Coverity Scan for FreeBSD Message-ID: <CAG6CVpV%2Buo4BNeygNG4Y2obEc5b2RnGGMOrNNf0c=r=GbuFJbQ@mail.gmail.com> In-Reply-To: <CAG6CVpVEoNym=gEFjmVoFYruQdJCSnQEFC48Tq6raV8MuX3BKg@mail.gmail.com> References: <57a0d7544a594_2113b7d3383446f@ss1435.mail> <CAG6CVpVEoNym=gEFjmVoFYruQdJCSnQEFC48Tq6raV8MuX3BKg@mail.gmail.com>
Hi all,

Coverity noticed a few issues in iwm(4) recently. Adrian suggested I forward them to this list. I've trimmed it down to just the relevant iwm(4) bits.

Hope it helps, anyway.

Cheers,
Conrad

---------- Forwarded message ----------
From: <scan-admin@coverity.com>
Date: Tue, Aug 2, 2016 at 10:24 AM
Subject: New Defects reported by Coverity Scan for FreeBSD
To: cem@freebsd.org

Hi,

Please find the latest report on new defect(s) introduced to FreeBSD found with Coverity Scan.

23 new defect(s) introduced to FreeBSD found with Coverity Scan.
11 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 23 defect(s)

...

______________________________________________________________________________________________________
* CID 1361062: (DEADCODE)
/sys/dev/iwm/if_iwm_scan.c: 702 in iwm_mvm_lmac_scan()
696 req->tx_cmd[1].rate_n_flags =
697 iwm_mvm_scan_rate_n_flags(sc, IEEE80211_CHAN_5GHZ, 1/*XXX*/);
698 req->tx_cmd[1].sta_id = sc->sc_aux_sta.sta_id;
699
700 /* Check if we're doing an active directed scan. */
701 if (ssid_len != 0) {
CID 1361062: (DEADCODE)
Execution cannot reach this statement: "req->direct_scan[0].id = IE...".
702 req->direct_scan[0].id = IEEE80211_ELEMID_SSID;
703 req->direct_scan[0].len = ssid_len;
704 memcpy(req->direct_scan[0].ssid, ssid, ssid_len);
705 }
706
707 req->n_channels = iwm_mvm_lmac_scan_fill_channels(sc,
/sys/dev/iwm/if_iwm_scan.c: 674 in iwm_mvm_lmac_scan()
668 req->scan_flags = htole32(IWM_MVM_LMAC_SCAN_FLAG_PASS_ALL |
669 IWM_MVM_LMAC_SCAN_FLAG_ITER_COMPLETE |
670 IWM_MVM_LMAC_SCAN_FLAG_EXTENDED_DWELL);
671 if (ssid_len == 0)
672 req->scan_flags |= htole32(IWM_MVM_LMAC_SCAN_FLAG_PASSIVE);
673 else
CID 1361062: (DEADCODE)
Execution cannot reach this statement: "req->scan_flags |= 4U;".
674 req->scan_flags |=
675 htole32(IWM_MVM_LMAC_SCAN_FLAG_PRE_CONNECTION);
676 if (isset(sc->sc_enabled_capa,
677 IWM_UCODE_TLV_CAPA_DS_PARAM_SET_IE_SUPPORT))
678 req->scan_flags |= htole32(IWM_MVM_LMAC_SCAN_FLAGS_RRM_ENABLED);
679

** CID 1361063: Possible Control flow issues (DEADCODE)
/sys/dev/iwm/if_iwm_scan.c: 593 in iwm_mvm_umac_scan()

______________________________________________________________________________________________________
* CID 1361063: Possible Control flow issues (DEADCODE)
/sys/dev/iwm/if_iwm_scan.c: 593 in iwm_mvm_umac_scan()
587 tail = (void *)((char *)&req->data +
588 sizeof(struct iwm_scan_channel_cfg_umac) *
589 sc->sc_capa_n_scan_channels);
590
591 /* Check if we're doing an active directed scan. */
592 if (ssid_len != 0) {
CID 1361063: Possible Control flow issues (DEADCODE)
Execution cannot reach this statement: "tail->direct_scan[0].id = I...".
593 tail->direct_scan[0].id = IEEE80211_ELEMID_SSID;
594 tail->direct_scan[0].len = ssid_len;
595 memcpy(tail->direct_scan[0].ssid, ssid, ssid_len);
596 req->general_flags |=
597 htole32(IWM_UMAC_SCAN_GEN_FLAGS_PRE_CONNECT);
598 } else {

** CID 1361064: Null pointer dereferences (FORWARD_NULL)
/sys/dev/iwm/if_iwm.c: 4443 in iwm_send_update_mcc_cmd()

______________________________________________________________________________________________________
* CID 1361064: Null pointer dereferences (FORWARD_NULL)
/sys/dev/iwm/if_iwm.c: 4443 in iwm_send_update_mcc_cmd()
4437 if (resp_v2) {
4438 mcc_resp = (void *)pkt->data;
4439 mcc = mcc_resp->mcc;
4440 n_channels = le32toh(mcc_resp->n_channels);
4441 } else {
4442 mcc_resp_v1 = (void *)pkt->data;
CID 1361064: Null pointer dereferences (FORWARD_NULL)
Dereferencing null pointer "mcc_resp_v1".
4443 mcc = mcc_resp_v1->mcc;
4444 n_channels = le32toh(mcc_resp_v1->n_channels);
4445 }
4446
4447 /* W/A for a FW/NVM issue - returns 0x00 for the world domain */
4448 if (mcc == 0)

** CID 1361065: Null pointer dereferences (FORWARD_NULL)
/sys/dev/iwm/if_iwm.c: 4439 in iwm_send_update_mcc_cmd()

______________________________________________________________________________________________________
* CID 1361065: Null pointer dereferences (FORWARD_NULL)
/sys/dev/iwm/if_iwm.c: 4439 in iwm_send_update_mcc_cmd()
4433 #ifdef IWM_DEBUG
4434 pkt = hcmd.resp_pkt;
4435
4436 /* Extract MCC response */
4437 if (resp_v2) {
4438 mcc_resp = (void *)pkt->data;
CID 1361065: Null pointer dereferences (FORWARD_NULL)
Dereferencing null pointer "mcc_resp".
4439 mcc = mcc_resp->mcc;
4440 n_channels = le32toh(mcc_resp->n_channels);
4441 } else {
4442 mcc_resp_v1 = (void *)pkt->data;
4443 mcc = mcc_resp_v1->mcc;
4444 n_channels = le32toh(mcc_resp_v1->n_channels);

...

** CID 1361068: Memory - corruptions (OVERRUN)
/sys/dev/iwm/if_iwm.c: 749 in iwm_read_firmware()

______________________________________________________________________________________________________
* CID 1361068: Memory - corruptions (OVERRUN)
/sys/dev/iwm/if_iwm.c: 749 in iwm_read_firmware()
743 "unsupported API index %d\n", idx);
744 goto parse_out;
745 }
746 for (i = 0; i < 32; i++) {
747 if ((le32toh(capa->api_capa) & (1U << i)) == 0)
748 continue;
CID 1361068: Memory - corruptions (OVERRUN)
Overrunning array of 16 bytes at byte offset 19 by dereferencing pointer "(unsigned char *)sc->sc_enabled_capa + (i + 32 * idx) / 8".
749 setbit(sc->sc_enabled_capa, i + (32 * idx));
750 }
751 break;
752 }
753
754 case 48: /* undocumented TLV */

...
______________________________________________________________________________________________________

To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/freebsd?tab=overview