Date: Tue, 02 Aug 2016 21:40:21 +0300 From: "Andriy Voskoboinyk" <s3erios@gmail.com> To: freebsd-wireless@freebsd.org, "Conrad Meyer" <cem@freebsd.org> Subject: Re: Fwd: New Defects reported by Coverity Scan for FreeBSD Message-ID: <op.ylkzhjcdiew4ia@localhost> In-Reply-To: <CAG6CVpV%2Buo4BNeygNG4Y2obEc5b2RnGGMOrNNf0c=r=GbuFJbQ@mail.gmail.com> References: <57a0d7544a594_2113b7d3383446f@ss1435.mail> <CAG6CVpVEoNym=gEFjmVoFYruQdJCSnQEFC48Tq6raV8MuX3BKg@mail.gmail.com> <CAG6CVpV%2Buo4BNeygNG4Y2obEc5b2RnGGMOrNNf0c=r=GbuFJbQ@mail.gmail.com>
Some of them (1361062, 1361063) are fixed in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211519 attachment (I will commit it after testing). > Hi all, > > Coverity noticed a few issues in iwm(4) recently. Adrian suggested I > forward them to this list. I've trimmed it down to just the relevant > iwm(4) bits. Hope it helps, anyway. > > Cheers, > Conrad > > > ---------- Forwarded message ---------- > From: <scan-admin@coverity.com> > Date: Tue, Aug 2, 2016 at 10:24 AM > Subject: New Defects reported by Coverity Scan for FreeBSD > To: cem@freebsd.org > > > Hi, > > Please find the latest report on new defect(s) introduced to FreeBSD > found with Coverity Scan. > > 23 new defect(s) introduced to FreeBSD found with Coverity Scan. 11 > defect(s), reported by Coverity Scan earlier, were marked fixed in the > recent build analyzed by Coverity Scan. > > New defect(s) Reported-by: Coverity Scan Showing 20 of 23 defect(s) > > ... > > ______________________________________________________________________________________________________ > * CID 1361062: (DEADCODE) /sys/dev/iwm/if_iwm_scan.c: 702 in > iwm_mvm_lmac_scan() 696 req->tx_cmd[1].rate_n_flags = 697 > iwm_mvm_scan_rate_n_flags(sc, IEEE80211_CHAN_5GHZ, 1/*XXX*/); 698 > req->tx_cmd[1].sta_id = sc->sc_aux_sta.sta_id; 699 700 /* Check if > we're doing an active directed scan. */ 701 if (ssid_len != 0) { > > CID 1361062: (DEADCODE) Execution cannot reach this statement: > “req->direct_scan[0].id = IE…”.
> > 702 req->direct_scan[0].id = IEEE80211_ELEMID_SSID; 703 > req->direct_scan[0].len = ssid_len; 704 > memcpy(req->direct_scan[0].ssid, ssid, ssid_len); 705 } 706 707 > req->n_channels = iwm_mvm_lmac_scan_fill_channels(sc, > /sys/dev/iwm/if_iwm_scan.c: 674 in iwm_mvm_lmac_scan() 668 > req->scan_flags = htole32(IWM_MVM_LMAC_SCAN_FLAG_PASS_ALL | 669 > IWM_MVM_LMAC_SCAN_FLAG_ITER_COMPLETE | 670 > IWM_MVM_LMAC_SCAN_FLAG_EXTENDED_DWELL); 671 if (ssid_len == 0) 672 > req->scan_flags |= htole32(IWM_MVM_LMAC_SCAN_FLAG_PASSIVE); 673 else > > CID 1361062: (DEADCODE) Execution cannot reach this statement: > “req->scan_flags |= 4U;”. > > 674 req->scan_flags |= 675 > htole32(IWM_MVM_LMAC_SCAN_FLAG_PRE_CONNECTION); 676 if > (isset(sc->sc_enabled_capa, 677 > IWM_UCODE_TLV_CAPA_DS_PARAM_SET_IE_SUPPORT)) 678 req->scan_flags |= > htole32(IWM_MVM_LMAC_SCAN_FLAGS_RRM_ENABLED); 679 > > ** CID 1361063: Possible Control flow issues (DEADCODE) > /sys/dev/iwm/if_iwm_scan.c: 593 in iwm_mvm_umac_scan() > > ______________________________________________________________________________________________________ > * CID 1361063: Possible Control flow issues (DEADCODE) > /sys/dev/iwm/if_iwm_scan.c: 593 in iwm_mvm_umac_scan() 587 tail = > (void *)((char *)&req->data + 588 sizeof(struct > iwm_scan_channel_cfg_umac) * 589 sc->sc_capa_n_scan_channels); 590 591 > /* Check if we're doing an active directed scan. */ 592 if (ssid_len != > 0) { > > CID 1361063: Possible Control flow issues (DEADCODE) Execution cannot > reach this statement: “tail->direct_scan[0].id = I…”.
> > 593 tail->direct_scan[0].id = IEEE80211_ELEMID_SSID; 594 > tail->direct_scan[0].len = ssid_len; 595 > memcpy(tail->direct_scan[0].ssid, ssid, ssid_len); 596 > req->general_flags |= 597 > htole32(IWM_UMAC_SCAN_GEN_FLAGS_PRE_CONNECT); 598 } else { > > ** CID 1361064: Null pointer dereferences (FORWARD_NULL) > /sys/dev/iwm/if_iwm.c: 4443 in iwm_send_update_mcc_cmd() > > ______________________________________________________________________________________________________ > * CID 1361064: Null pointer dereferences (FORWARD_NULL) > /sys/dev/iwm/if_iwm.c: 4443 in iwm_send_update_mcc_cmd() 4437 if > (resp_v2) { 4438 mcc_resp = (void *)pkt->data; 4439 mcc = > mcc_resp->mcc; 4440 n_channels = le32toh(mcc_resp->n_channels); 4441 } > else { 4442 mcc_resp_v1 = (void *)pkt->data; > > CID 1361064: Null pointer dereferences (FORWARD_NULL) Dereferencing > null pointer “mcc_resp_v1”. > > 4443 mcc = mcc_resp_v1->mcc; 4444 n_channels = > le32toh(mcc_resp_v1->n_channels); 4445 } 4446 4447 /* W/A for a FW/NVM > issue – returns 0×00 for the world domain */ 4448 if (mcc == 0) > > ** CID 1361065: Null pointer dereferences (FORWARD_NULL) > /sys/dev/iwm/if_iwm.c: 4439 in iwm_send_update_mcc_cmd() > > ______________________________________________________________________________________________________ > * CID 1361065: Null pointer dereferences (FORWARD_NULL) > /sys/dev/iwm/if_iwm.c: 4439 in iwm_send_update_mcc_cmd() 4433 #ifdef > IWM_DEBUG 4434 pkt = hcmd.resp_pkt; 4435 4436 /* Extract MCC response > */ 4437 if (resp_v2) { 4438 mcc_resp = (void *)pkt->data; > > CID 1361065: Null pointer dereferences (FORWARD_NULL) Dereferencing > null pointer “mcc_resp”. > > 4439 mcc = mcc_resp->mcc; 4440 n_channels = > le32toh(mcc_resp->n_channels); 4441 } else { 4442 mcc_resp_v1 = (void > *)pkt->data; 4443 mcc = mcc_resp_v1->mcc; 4444 n_channels = > le32toh(mcc_resp_v1->n_channels); > > ...
> > ** CID 1361068: Memory – corruptions (OVERRUN) /sys/dev/iwm/if_iwm.c: > 749 in iwm_read_firmware() > > ______________________________________________________________________________________________________ > * CID 1361068: Memory – corruptions (OVERRUN) /sys/dev/iwm/if_iwm.c: > 749 in iwm_read_firmware() 743 “unsupported API index %d\n”, idx); 744 > goto parse_out; 745 } 746 for (i = 0; i < 32; i++) { 747 if > ((le32toh(capa->api_capa) & (1U << i)) == 0) 748 continue; > > CID 1361068: Memory – corruptions (OVERRUN) Overrunning array of 16 > bytes at byte offset 19 by dereferencing pointer “(unsigned char > *)sc->sc_enabled_capa + (i + 32 * idx) / 8”. > > 749 setbit(sc->sc_enabled_capa, i + (32 * idx)); 750 } 751 break; 752 > } 753 754 case 48: /* undocumented TLV */ > > ... > > ______________________________________________________________________________________________________ > To view the defects in Coverity Scan visit, > https://scan.coverity.com/projects/freebsd?tab=overview > _______________________________________________ > freebsd-wireless@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-wireless > To unsubscribe, send any mail to > "freebsd-wireless-unsubscribe@freebsd.org"