[209.85.214.54]) by smtp.gmail.com with ESMTPSA id h70sm1816791ith.12.2016.08.02.11.20.08 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 02 Aug 2016 11:20:08 -0700 (PDT) Received: by mail-it0-f54.google.com with SMTP id f6so43060075ith.0 for ; Tue, 02 Aug 2016 11:20:08 -0700 (PDT) X-Received: by 10.36.76.16 with SMTP id a16mr20430535itb.86.1470162007211; Tue, 02 Aug 2016 11:20:07 -0700 (PDT) MIME-Version: 1.0 Reply-To: cem@freebsd.org Received: by 10.36.233.67 with HTTP; Tue, 2 Aug 2016 11:20:06 -0700 (PDT) In-Reply-To: References: <57a0d7544a594_2113b7d3383446f@ss1435.mail> From: Conrad Meyer Date: Tue, 2 Aug 2016 11:20:06 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Fwd: New Defects reported by Coverity Scan for FreeBSD To: freebsd-wireless@freebsd.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-wireless@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Discussions of 802.11 stack, tools device driver development." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Aug 2016 18:20:10 -0000 Hi all, Coverity noticed a few issues in iwm(4) recently. Adrian suggested I forward them to this list. I've trimmed it down to just the relevant iwm(4) bits. Hope it helps, anyway. Cheers, Conrad ---------- Forwarded message ---------- From: Date: Tue, Aug 2, 2016 at 10:24 AM Subject: New Defects reported by Coverity Scan for FreeBSD To: cem@freebsd.org Hi, Please find the latest report on new defect(s) introduced to FreeBSD found with Coverity Scan. 23 new defect(s) introduced to FreeBSD found with Coverity Scan. 11 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 23 defect(s) ... 
______________________________________________________________________________________________________ * CID 1361062: (DEADCODE) /sys/dev/iwm/if_iwm_scan.c: 702 in iwm_mvm_lmac_scan() 696 req->tx_cmd[1].rate_n_flags = 697 iwm_mvm_scan_rate_n_flags(sc, IEEE80211_CHAN_5GHZ, 1/*XXX*/); 698 req->tx_cmd[1].sta_id = sc->sc_aux_sta.sta_id; 699 700 /* Check if we're doing an active directed scan. */ 701 if (ssid_len != 0) { CID 1361062: (DEADCODE) Execution cannot reach this statement: “req->direct_scan[0].id = IE…”. 702 req->direct_scan[0].id = IEEE80211_ELEMID_SSID; 703 req->direct_scan[0].len = ssid_len; 704 memcpy(req->direct_scan[0].ssid, ssid, ssid_len); 705 } 706 707 req->n_channels = iwm_mvm_lmac_scan_fill_channels(sc, /sys/dev/iwm/if_iwm_scan.c: 674 in iwm_mvm_lmac_scan() 668 req->scan_flags = htole32(IWM_MVM_LMAC_SCAN_FLAG_PASS_ALL | 669 IWM_MVM_LMAC_SCAN_FLAG_ITER_COMPLETE | 670 IWM_MVM_LMAC_SCAN_FLAG_EXTENDED_DWELL); 671 if (ssid_len == 0) 672 req->scan_flags |= htole32(IWM_MVM_LMAC_SCAN_FLAG_PASSIVE); 673 else CID 1361062: (DEADCODE) Execution cannot reach this statement: “req->scan_flags |= 4U;”. 674 req->scan_flags |= 675 htole32(IWM_MVM_LMAC_SCAN_FLAG_PRE_CONNECTION); 676 if (isset(sc->sc_enabled_capa, 677 IWM_UCODE_TLV_CAPA_DS_PARAM_SET_IE_SUPPORT)) 678 req->scan_flags |= htole32(IWM_MVM_LMAC_SCAN_FLAGS_RRM_ENABLED); 679 ** CID 1361063: Possible Control flow issues (DEADCODE) /sys/dev/iwm/if_iwm_scan.c: 593 in iwm_mvm_umac_scan() ______________________________________________________________________________________________________ * CID 1361063: Possible Control flow issues (DEADCODE) /sys/dev/iwm/if_iwm_scan.c: 593 in iwm_mvm_umac_scan() 587 tail = (void *)((char *)&req->data + 588 sizeof(struct iwm_scan_channel_cfg_umac) * 589 sc->sc_capa_n_scan_channels); 590 591 /* Check if we're doing an active directed scan.
*/ 592 if (ssid_len != 0) { CID 1361063: Possible Control flow issues (DEADCODE) Execution cannot reach this statement: “tail->direct_scan[0].id = I…”. 593 tail->direct_scan[0].id = IEEE80211_ELEMID_SSID; 594 tail->direct_scan[0].len = ssid_len; 595 memcpy(tail->direct_scan[0].ssid, ssid, ssid_len); 596 req->general_flags |= 597 htole32(IWM_UMAC_SCAN_GEN_FLAGS_PRE_CONNECT); 598 } else { ** CID 1361064: Null pointer dereferences (FORWARD_NULL) /sys/dev/iwm/if_iwm.c: 4443 in iwm_send_update_mcc_cmd() ______________________________________________________________________________________________________ * CID 1361064: Null pointer dereferences (FORWARD_NULL) /sys/dev/iwm/if_iwm.c: 4443 in iwm_send_update_mcc_cmd() 4437 if (resp_v2) { 4438 mcc_resp = (void *)pkt->data; 4439 mcc = mcc_resp->mcc; 4440 n_channels = le32toh(mcc_resp->n_channels); 4441 } else { 4442 mcc_resp_v1 = (void *)pkt->data; CID 1361064: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer “mcc_resp_v1”. 4443 mcc = mcc_resp_v1->mcc; 4444 n_channels = le32toh(mcc_resp_v1->n_channels); 4445 } 4446 4447 /* W/A for a FW/NVM issue – returns 0×00 for the world domain */ 4448 if (mcc == 0) ** CID 1361065: Null pointer dereferences (FORWARD_NULL) /sys/dev/iwm/if_iwm.c: 4439 in iwm_send_update_mcc_cmd() ______________________________________________________________________________________________________ * CID 1361065: Null pointer dereferences (FORWARD_NULL) /sys/dev/iwm/if_iwm.c: 4439 in iwm_send_update_mcc_cmd() 4433 #ifdef IWM_DEBUG 4434 pkt = hcmd.resp_pkt; 4435 4436 /* Extract MCC response */ 4437 if (resp_v2) { 4438 mcc_resp = (void *)pkt->data; CID 1361065: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer “mcc_resp”.
4439 mcc = mcc_resp->mcc; 4440 n_channels = le32toh(mcc_resp->n_channels); 4441 } else { 4442 mcc_resp_v1 = (void *)pkt->data; 4443 mcc = mcc_resp_v1->mcc; 4444 n_channels = le32toh(mcc_resp_v1->n_channels); ... ** CID 1361068: Memory – corruptions (OVERRUN) /sys/dev/iwm/if_iwm.c: 749 in iwm_read_firmware() ______________________________________________________________________________________________________ * CID 1361068: Memory – corruptions (OVERRUN) /sys/dev/iwm/if_iwm.c: 749 in iwm_read_firmware() 743 “unsupported API index %d\n”, idx); 744 goto parse_out; 745 } 746 for (i = 0; i < 32; i++) { 747 if ((le32toh(capa->api_capa) & (1U << i)) == 0) 748 continue; CID 1361068: Memory – corruptions (OVERRUN) Overrunning array of 16 bytes at byte offset 19 by dereferencing pointer “(unsigned char *)sc->sc_enabled_capa + (i + 32 * idx) / 8”. 749 setbit(sc->sc_enabled_capa, i + (32 * idx)); 750 } 751 break; 752 } 753 754 case 48: /* undocumented TLV */ ... ______________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/freebsd?tab=overview