Date: Tue, 02 Aug 2016 21:40:21 +0300
From: "Andriy Voskoboinyk" <s3erios@gmail.com>
To: freebsd-wireless@freebsd.org, "Conrad Meyer" <cem@freebsd.org>
Subject: Re: Fwd: New Defects reported by Coverity Scan for FreeBSD
Message-ID: <op.ylkzhjcdiew4ia@localhost>
In-Reply-To: <CAG6CVpV+uo4BNeygNG4Y2obEc5b2RnGGMOrNNf0c=r=GbuFJbQ@mail.gmail.com>
References: <57a0d7544a594_2113b7d3383446f@ss1435.mail> <CAG6CVpVEoNym=gEFjmVoFYruQdJCSnQEFC48Tq6raV8MuX3BKg@mail.gmail.com> <CAG6CVpV+uo4BNeygNG4Y2obEc5b2RnGGMOrNNf0c=r=GbuFJbQ@mail.gmail.com>
Some of them (1361062, 1361063) are fixed in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211519 attachment (I will commit it after testing).

> Hi all,
>
> Coverity noticed a few issues in iwm(4) recently. Adrian suggested I
> forward them to this list. I've trimmed it down to just the relevant
> iwm(4) bits. Hope it helps, anyway.
>
> Cheers,
> Conrad
>
>
> ---------- Forwarded message ----------
> From: <scan-admin@coverity.com>
> Date: Tue, Aug 2, 2016 at 10:24 AM
> Subject: New Defects reported by Coverity Scan for FreeBSD
> To: cem@freebsd.org
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to FreeBSD
> found with Coverity Scan.
>
> 23 new defect(s) introduced to FreeBSD found with Coverity Scan. 11
> defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 23 defect(s)
>
> ...
>
> ______________________________________________________________________________________________________
> * CID 1361062: (DEADCODE)
> /sys/dev/iwm/if_iwm_scan.c: 702 in iwm_mvm_lmac_scan()
> 696     req->tx_cmd[1].rate_n_flags =
> 697         iwm_mvm_scan_rate_n_flags(sc, IEEE80211_CHAN_5GHZ, 1/*XXX*/);
> 698     req->tx_cmd[1].sta_id = sc->sc_aux_sta.sta_id;
> 699
> 700     /* Check if we're doing an active directed scan. */
> 701     if (ssid_len != 0) {
>
> CID 1361062: (DEADCODE)
> Execution cannot reach this statement: "req->direct_scan[0].id = IE...".
>
> 702         req->direct_scan[0].id = IEEE80211_ELEMID_SSID;
> 703         req->direct_scan[0].len = ssid_len;
> 704         memcpy(req->direct_scan[0].ssid, ssid, ssid_len);
> 705     }
> 706
> 707     req->n_channels = iwm_mvm_lmac_scan_fill_channels(sc,
> /sys/dev/iwm/if_iwm_scan.c: 674 in iwm_mvm_lmac_scan()
> 668     req->scan_flags = htole32(IWM_MVM_LMAC_SCAN_FLAG_PASS_ALL |
> 669         IWM_MVM_LMAC_SCAN_FLAG_ITER_COMPLETE |
> 670         IWM_MVM_LMAC_SCAN_FLAG_EXTENDED_DWELL);
> 671     if (ssid_len == 0)
> 672         req->scan_flags |= htole32(IWM_MVM_LMAC_SCAN_FLAG_PASSIVE);
> 673     else
>
> CID 1361062: (DEADCODE)
> Execution cannot reach this statement: "req->scan_flags |= 4U;".
>
> 674         req->scan_flags |=
> 675             htole32(IWM_MVM_LMAC_SCAN_FLAG_PRE_CONNECTION);
> 676     if (isset(sc->sc_enabled_capa,
> 677         IWM_UCODE_TLV_CAPA_DS_PARAM_SET_IE_SUPPORT))
> 678         req->scan_flags |= htole32(IWM_MVM_LMAC_SCAN_FLAGS_RRM_ENABLED);
> 679
>
> ** CID 1361063: Possible Control flow issues (DEADCODE)
> /sys/dev/iwm/if_iwm_scan.c: 593 in iwm_mvm_umac_scan()
>
> ______________________________________________________________________________________________________
> * CID 1361063: Possible Control flow issues (DEADCODE)
> /sys/dev/iwm/if_iwm_scan.c: 593 in iwm_mvm_umac_scan()
> 587     tail = (void *)((char *)&req->data +
> 588         sizeof(struct iwm_scan_channel_cfg_umac) *
> 589         sc->sc_capa_n_scan_channels);
> 590
> 591     /* Check if we're doing an active directed scan. */
> 592     if (ssid_len != 0) {
>
> CID 1361063: Possible Control flow issues (DEADCODE)
> Execution cannot reach this statement: "tail->direct_scan[0].id = I...".
>
> 593         tail->direct_scan[0].id = IEEE80211_ELEMID_SSID;
> 594         tail->direct_scan[0].len = ssid_len;
> 595         memcpy(tail->direct_scan[0].ssid, ssid, ssid_len);
> 596         req->general_flags |=
> 597             htole32(IWM_UMAC_SCAN_GEN_FLAGS_PRE_CONNECT);
> 598     } else {
>
> ** CID 1361064: Null pointer dereferences (FORWARD_NULL)
> /sys/dev/iwm/if_iwm.c: 4443 in iwm_send_update_mcc_cmd()
>
> ______________________________________________________________________________________________________
> * CID 1361064: Null pointer dereferences (FORWARD_NULL)
> /sys/dev/iwm/if_iwm.c: 4443 in iwm_send_update_mcc_cmd()
> 4437    if (resp_v2) {
> 4438        mcc_resp = (void *)pkt->data;
> 4439        mcc = mcc_resp->mcc;
> 4440        n_channels = le32toh(mcc_resp->n_channels);
> 4441    } else {
> 4442        mcc_resp_v1 = (void *)pkt->data;
>
> CID 1361064: Null pointer dereferences (FORWARD_NULL)
> Dereferencing null pointer "mcc_resp_v1".
>
> 4443        mcc = mcc_resp_v1->mcc;
> 4444        n_channels = le32toh(mcc_resp_v1->n_channels);
> 4445    }
> 4446
> 4447    /* W/A for a FW/NVM issue - returns 0x00 for the world domain */
> 4448    if (mcc == 0)
>
> ** CID 1361065: Null pointer dereferences (FORWARD_NULL)
> /sys/dev/iwm/if_iwm.c: 4439 in iwm_send_update_mcc_cmd()
>
> ______________________________________________________________________________________________________
> * CID 1361065: Null pointer dereferences (FORWARD_NULL)
> /sys/dev/iwm/if_iwm.c: 4439 in iwm_send_update_mcc_cmd()
> 4433 #ifdef IWM_DEBUG
> 4434    pkt = hcmd.resp_pkt;
> 4435
> 4436    /* Extract MCC response */
> 4437    if (resp_v2) {
> 4438        mcc_resp = (void *)pkt->data;
>
> CID 1361065: Null pointer dereferences (FORWARD_NULL)
> Dereferencing null pointer "mcc_resp".
>
> 4439        mcc = mcc_resp->mcc;
> 4440        n_channels = le32toh(mcc_resp->n_channels);
> 4441    } else {
> 4442        mcc_resp_v1 = (void *)pkt->data;
> 4443        mcc = mcc_resp_v1->mcc;
> 4444        n_channels = le32toh(mcc_resp_v1->n_channels);
>
> ...
>
> ** CID 1361068: Memory - corruptions (OVERRUN)
> /sys/dev/iwm/if_iwm.c: 749 in iwm_read_firmware()
>
> ______________________________________________________________________________________________________
> * CID 1361068: Memory - corruptions (OVERRUN)
> /sys/dev/iwm/if_iwm.c: 749 in iwm_read_firmware()
> 743             "unsupported API index %d\n", idx);
> 744             goto parse_out;
> 745         }
> 746         for (i = 0; i < 32; i++) {
> 747             if ((le32toh(capa->api_capa) & (1U << i)) == 0)
> 748                 continue;
>
> CID 1361068: Memory - corruptions (OVERRUN)
> Overrunning array of 16 bytes at byte offset 19 by dereferencing pointer "(unsigned char *)sc->sc_enabled_capa + (i + 32 * idx) / 8".
>
> 749             setbit(sc->sc_enabled_capa, i + (32 * idx));
> 750         }
> 751         break;
> 752     }
> 753
> 754     case 48: /* undocumented TLV */
>
> ...
>
> ______________________________________________________________________________________________________
> To view the defects in Coverity Scan visit,
> https://scan.coverity.com/projects/freebsd?tab=overview
> _______________________________________________
> freebsd-wireless@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-wireless
> To unsubscribe, send any mail to
> "freebsd-wireless-unsubscribe@freebsd.org"
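The OVERRUN report (CID 1361068) is the one with a memory-safety consequence: a firmware-supplied API index is multiplied by 32 and used as a bit offset into a 16-byte bitmap, and Coverity finds a path on which the resulting byte offset is 19. The following is an added example, not iwm(4) or FreeBSD code, showing the shape of a bounded parser for such capability words: the index limit is derived from the bitmap's own size rather than from a separately maintained constant, short TLVs are rejected before any field is read, and a helper computes the byte offset setbit() would touch so the reported overrun can be checked arithmetically. The TLV struct, the function names, the local BIT_SET/BIT_ISSET macros (stand-ins for FreeBSD's setbit()/isset()) and the sample TLV bytes are all assumptions made for this example.

```c
/*
 * Added example (not FreeBSD/iwm(4) code): parse firmware "API capability"
 * TLV words into a fixed-size bitmap, with the index bound derived from the
 * bitmap size so that a TLV-supplied index can never write past the array.
 *
 * The 16-byte (128-bit) bitmap and the 32-bits-per-index layout mirror what
 * the Coverity report describes; the TLV struct, the function names and the
 * sample bytes are assumptions for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAPA_BYTES 16                       /* size of the bitmap in the report */
#define CAPA_BITS  (CAPA_BYTES * 8)         /* 128 */
#define CAPA_WORDS (CAPA_BITS / 32)         /* 4: valid api_index is 0..3 */

/* Local equivalents of FreeBSD's setbit()/isset() from <sys/param.h>. */
#define BIT_SET(a, i)   ((a)[(i) / 8] |= (uint8_t)(1U << ((i) % 8)))
#define BIT_ISSET(a, i) (((a)[(i) / 8] & (1U << ((i) % 8))) != 0)

/* Assumed on-the-wire layout of one capability TLV: two little-endian words. */
struct capa_tlv {
    uint32_t api_index;   /* which 32-bit block of the bitmap this word covers */
    uint32_t api_capa;    /* bit i set => capability (api_index * 32 + i) enabled */
};

static uint32_t le32_to_host(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Apply one TLV to the bitmap.  Returns 0 on success, -1 if the TLV is
 * truncated or its index would address bits beyond CAPA_BITS.
 */
static int apply_capa_tlv(uint8_t capa[CAPA_BYTES], const uint8_t *tlv, size_t len)
{
    struct capa_tlv t;
    unsigned int i;

    if (len < sizeof(t))
        return -1;                      /* short TLV: reject before reading it */
    t.api_index = le32_to_host(tlv);
    t.api_capa  = le32_to_host(tlv + 4);

    /*
     * The bound comes from the bitmap itself.  With a 16-byte bitmap an
     * api_index of 4 would make setbit() touch byte (4 * 32 + 31) / 8 = 19,
     * which is the overrun Coverity reports.
     */
    if (t.api_index >= CAPA_WORDS)
        return -1;

    for (i = 0; i < 32; i++) {
        if ((t.api_capa & (1U << i)) == 0)
            continue;
        BIT_SET(capa, i + 32 * t.api_index);
    }
    return 0;
}

/* Byte offset that setbit(capa, i + 32 * idx) would write, for checking the report. */
static size_t capa_byte_offset(uint32_t idx, unsigned int i)
{
    return (size_t)(i + 32 * idx) / 8;
}

int main(void)
{
    uint8_t capa[CAPA_BYTES];
    /* Constructed TLVs: index 1 with bits 0 and 5 set, then an out-of-range index 4. */
    const uint8_t good[8] = { 1, 0, 0, 0, 0x21, 0, 0, 0 };
    const uint8_t bad[8]  = { 4, 0, 0, 0, 0xff, 0xff, 0xff, 0xff };

    memset(capa, 0, sizeof(capa));
    printf("good tlv: %d, bit 32 set: %d, bit 37 set: %d\n",
           apply_capa_tlv(capa, good, sizeof(good)),
           BIT_ISSET(capa, 32), BIT_ISSET(capa, 37));
    printf("bad tlv: %d (would have written byte %zu of a %d-byte array)\n",
           apply_capa_tlv(capa, bad, sizeof(bad)),
           capa_byte_offset(4, 31), CAPA_BYTES);
    return 0;
}
```

The point of deriving CAPA_WORDS from CAPA_BYTES is that the two cannot drift apart when either the bitmap or the set of firmware API indices grows; the "unsupported API index" check in a parser is only as good as the constant it compares against, and the firmware image is the untrusted input here.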
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.ylkzhjcdiew4ia>
