Date:      Tue, 02 Aug 2016 21:40:21 +0300
From:      "Andriy Voskoboinyk" <s3erios@gmail.com>
To:        freebsd-wireless@freebsd.org, "Conrad Meyer" <cem@freebsd.org>
Subject:   Re: Fwd: New Defects reported by Coverity Scan for FreeBSD
Message-ID:  <op.ylkzhjcdiew4ia@localhost>
In-Reply-To: <CAG6CVpV%2Buo4BNeygNG4Y2obEc5b2RnGGMOrNNf0c=r=GbuFJbQ@mail.gmail.com>
References:  <57a0d7544a594_2113b7d3383446f@ss1435.mail> <CAG6CVpVEoNym=gEFjmVoFYruQdJCSnQEFC48Tq6raV8MuX3BKg@mail.gmail.com> <CAG6CVpV%2Buo4BNeygNG4Y2obEc5b2RnGGMOrNNf0c=r=GbuFJbQ@mail.gmail.com>

Some of them (1361062, 1361063) are fixed in
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211519 attachment
(I will commit it after testing).

> Hi all,
>
> Coverity noticed a few issues in iwm(4) recently.  Adrian suggested I
> forward them to this list.  I've trimmed it down to just the relevant
> iwm(4) bits.  Hope it helps, anyway.
>
> Cheers,
> Conrad
>
>
> ---------- Forwarded message ----------
> From: <scan-admin@coverity.com>
> Date: Tue, Aug 2, 2016 at 10:24 AM
> Subject: New Defects reported by Coverity Scan for FreeBSD
> To: cem@freebsd.org
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to FreeBSD
> found with Coverity Scan.
>
> 23 new defect(s) introduced to FreeBSD found with Coverity Scan. 11
> defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan Showing 20 of 23 defect(s)
>
> ...
>
> ______________________________________________________________________________________________________
> * CID 1361062: (DEADCODE) /sys/dev/iwm/if_iwm_scan.c: 702 in
> iwm_mvm_lmac_scan() 696 req->tx_cmd[1].rate_n_flags = 697
> iwm_mvm_scan_rate_n_flags(sc, IEEE80211_CHAN_5GHZ, 1/*XXX*/); 698
> req->tx_cmd[1].sta_id = sc->sc_aux_sta.sta_id; 699 700 /* Check if
> we're doing an active directed scan. */ 701 if (ssid_len != 0) {
>
> CID 1361062: (DEADCODE) Execution cannot reach this statement:
> “req->direct_scan[0].id = IE…”.
>
> 702 req->direct_scan[0].id = IEEE80211_ELEMID_SSID; 703
> req->direct_scan[0].len = ssid_len; 704
> memcpy(req->direct_scan[0].ssid, ssid, ssid_len); 705 } 706 707
> req->n_channels = iwm_mvm_lmac_scan_fill_channels(sc,
> /sys/dev/iwm/if_iwm_scan.c: 674 in iwm_mvm_lmac_scan() 668
> req->scan_flags = htole32(IWM_MVM_LMAC_SCAN_FLAG_PASS_ALL | 669
> IWM_MVM_LMAC_SCAN_FLAG_ITER_COMPLETE | 670
> IWM_MVM_LMAC_SCAN_FLAG_EXTENDED_DWELL); 671 if (ssid_len == 0) 672
> req->scan_flags |= htole32(IWM_MVM_LMAC_SCAN_FLAG_PASSIVE); 673 else
>
> CID 1361062: (DEADCODE) Execution cannot reach this statement:
> “req->scan_flags |= 4U;”.
>
> 674 req->scan_flags |= 675
> htole32(IWM_MVM_LMAC_SCAN_FLAG_PRE_CONNECTION); 676 if
> (isset(sc->sc_enabled_capa, 677
> IWM_UCODE_TLV_CAPA_DS_PARAM_SET_IE_SUPPORT)) 678 req->scan_flags |=
> htole32(IWM_MVM_LMAC_SCAN_FLAGS_RRM_ENABLED); 679
>
> ** CID 1361063: Possible Control flow issues (DEADCODE)
> /sys/dev/iwm/if_iwm_scan.c: 593 in iwm_mvm_umac_scan()
>
> ______________________________________________________________________________________________________
> * CID 1361063: Possible Control flow issues (DEADCODE)
> /sys/dev/iwm/if_iwm_scan.c: 593 in iwm_mvm_umac_scan() 587 tail =
> (void *)((char *)&req->data + 588 sizeof(struct
> iwm_scan_channel_cfg_umac) * 589 sc->sc_capa_n_scan_channels); 590 591
> /* Check if we're doing an active directed scan. */ 592 if (ssid_len !=
> 0) {
>
> CID 1361063: Possible Control flow issues (DEADCODE) Execution cannot
> reach this statement: “tail->direct_scan[0].id = I…”.
>
> 593 tail->direct_scan[0].id = IEEE80211_ELEMID_SSID; 594
> tail->direct_scan[0].len = ssid_len; 595
> memcpy(tail->direct_scan[0].ssid, ssid, ssid_len); 596
> req->general_flags |= 597
> htole32(IWM_UMAC_SCAN_GEN_FLAGS_PRE_CONNECT); 598 } else {
>
> ** CID 1361064: Null pointer dereferences (FORWARD_NULL)
> /sys/dev/iwm/if_iwm.c: 4443 in iwm_send_update_mcc_cmd()
>
> ______________________________________________________________________________________________________
> * CID 1361064: Null pointer dereferences (FORWARD_NULL)
> /sys/dev/iwm/if_iwm.c: 4443 in iwm_send_update_mcc_cmd() 4437 if
> (resp_v2) { 4438 mcc_resp = (void *)pkt->data; 4439 mcc =
> mcc_resp->mcc; 4440 n_channels = le32toh(mcc_resp->n_channels); 4441 }
> else { 4442 mcc_resp_v1 = (void *)pkt->data;
>
> CID 1361064: Null pointer dereferences (FORWARD_NULL) Dereferencing
> null pointer “mcc_resp_v1”.
>
> 4443 mcc = mcc_resp_v1->mcc; 4444 n_channels =
> le32toh(mcc_resp_v1->n_channels); 4445 } 4446 4447 /* W/A for a FW/NVM
> issue – returns 0×00 for the world domain */ 4448 if (mcc == 0)
>
> ** CID 1361065: Null pointer dereferences (FORWARD_NULL)
> /sys/dev/iwm/if_iwm.c: 4439 in iwm_send_update_mcc_cmd()
>
> ______________________________________________________________________________________________________
> * CID 1361065: Null pointer dereferences (FORWARD_NULL)
> /sys/dev/iwm/if_iwm.c: 4439 in iwm_send_update_mcc_cmd() 4433 #ifdef
> IWM_DEBUG 4434 pkt = hcmd.resp_pkt; 4435 4436 /* Extract MCC response
> */ 4437 if (resp_v2) { 4438 mcc_resp = (void *)pkt->data;
>
> CID 1361065: Null pointer dereferences (FORWARD_NULL) Dereferencing
> null pointer “mcc_resp”.
>
> 4439 mcc = mcc_resp->mcc; 4440 n_channels =
> le32toh(mcc_resp->n_channels); 4441 } else { 4442 mcc_resp_v1 = (void
> *)pkt->data; 4443 mcc = mcc_resp_v1->mcc; 4444 n_channels =
> le32toh(mcc_resp_v1->n_channels);
>
> ...
>
> ** CID 1361068: Memory – corruptions (OVERRUN) /sys/dev/iwm/if_iwm.c:
> 749 in iwm_read_firmware()
>
> ______________________________________________________________________________________________________
> * CID 1361068: Memory – corruptions (OVERRUN) /sys/dev/iwm/if_iwm.c:
> 749 in iwm_read_firmware() 743 “unsupported API index %d\n”, idx); 744
> goto parse_out; 745 } 746 for (i = 0; i < 32; i++) { 747 if
> ((le32toh(capa->api_capa) & (1U << i)) == 0) 748 continue;
>
> CID 1361068: Memory – corruptions (OVERRUN) Overrunning array of 16
> bytes at byte offset 19 by dereferencing pointer “(unsigned char
> *)sc->sc_enabled_capa + (i + 32 * idx) / 8”.
>
> 749 setbit(sc->sc_enabled_capa, i + (32 * idx)); 750 } 751 break; 752
> } 753 754 case 48: /* undocumented TLV */
>
> ...
>
> ______________________________________________________________________________________________________
> To view the defects in Coverity Scan visit,
> https://scan.coverity.com/projects/freebsd?tab=overview
> _______________________________________________
> freebsd-wireless@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-wireless
> To unsubscribe, send any mail to
> "freebsd-wireless-unsubscribe@freebsd.org"


