From: "Andriy Voskoboinyk"
To: freebsd-wireless@freebsd.org, "Conrad Meyer"
Subject: Re: Fwd: New Defects reported by Coverity Scan for FreeBSD
Date: Tue, 02 Aug 2016 21:40:21 +0300

Some of them (1361062, 1361063) are fixed in
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211519 attachment
(I will commit it after testing).

> Hi all,
>
> Coverity noticed a few issues in iwm(4) recently. Adrian suggested I
> forward them to this list. I've trimmed it down to just the relevant
> iwm(4) bits. Hope it helps, anyway.
>
> Cheers,
> Conrad
>
>
> ---------- Forwarded message ----------
> From:
> Date: Tue, Aug 2, 2016 at 10:24 AM
> Subject: New Defects reported by Coverity Scan for FreeBSD
> To: cem@freebsd.org
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to FreeBSD
> found with Coverity Scan.
>
> 23 new defect(s) introduced to FreeBSD found with Coverity Scan.
> 11 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 23 defect(s)
>
> ...
>
> ______________________________________________________________________________________________________
> * CID 1361062: (DEADCODE)
> /sys/dev/iwm/if_iwm_scan.c: 702 in iwm_mvm_lmac_scan()
> 696  req->tx_cmd[1].rate_n_flags =
> 697      iwm_mvm_scan_rate_n_flags(sc, IEEE80211_CHAN_5GHZ, 1/*XXX*/);
> 698  req->tx_cmd[1].sta_id = sc->sc_aux_sta.sta_id;
> 699
> 700  /* Check if we're doing an active directed scan. */
> 701  if (ssid_len != 0) {
>
> CID 1361062: (DEADCODE) Execution cannot reach this statement:
> “req->direct_scan[0].id = IE…”.
>
> 702      req->direct_scan[0].id = IEEE80211_ELEMID_SSID;
> 703      req->direct_scan[0].len = ssid_len;
> 704      memcpy(req->direct_scan[0].ssid, ssid, ssid_len);
> 705  }
> 706
> 707  req->n_channels = iwm_mvm_lmac_scan_fill_channels(sc,
> /sys/dev/iwm/if_iwm_scan.c: 674 in iwm_mvm_lmac_scan()
> 668  req->scan_flags = htole32(IWM_MVM_LMAC_SCAN_FLAG_PASS_ALL |
> 669      IWM_MVM_LMAC_SCAN_FLAG_ITER_COMPLETE |
> 670      IWM_MVM_LMAC_SCAN_FLAG_EXTENDED_DWELL);
> 671  if (ssid_len == 0)
> 672      req->scan_flags |= htole32(IWM_MVM_LMAC_SCAN_FLAG_PASSIVE);
> 673  else
>
> CID 1361062: (DEADCODE) Execution cannot reach this statement:
> “req->scan_flags |= 4U;”.
>
> 674      req->scan_flags |=
> 675          htole32(IWM_MVM_LMAC_SCAN_FLAG_PRE_CONNECTION);
> 676  if (isset(sc->sc_enabled_capa,
> 677      IWM_UCODE_TLV_CAPA_DS_PARAM_SET_IE_SUPPORT))
> 678      req->scan_flags |= htole32(IWM_MVM_LMAC_SCAN_FLAGS_RRM_ENABLED);
> 679
>
> ** CID 1361063: Possible Control flow issues (DEADCODE)
> /sys/dev/iwm/if_iwm_scan.c: 593 in iwm_mvm_umac_scan()
>
> ______________________________________________________________________________________________________
> * CID 1361063: Possible Control flow issues (DEADCODE)
> /sys/dev/iwm/if_iwm_scan.c: 593 in iwm_mvm_umac_scan()
> 587  tail = (void *)((char *)&req->data +
> 588      sizeof(struct iwm_scan_channel_cfg_umac) *
> 589      sc->sc_capa_n_scan_channels);
> 590
> 591  /* Check if we're doing an active directed scan. */
> 592  if (ssid_len != 0) {
>
> CID 1361063: Possible Control flow issues (DEADCODE) Execution cannot
> reach this statement: “tail->direct_scan[0].id = I…”.
>
> 593      tail->direct_scan[0].id = IEEE80211_ELEMID_SSID;
> 594      tail->direct_scan[0].len = ssid_len;
> 595      memcpy(tail->direct_scan[0].ssid, ssid, ssid_len);
> 596      req->general_flags |=
> 597          htole32(IWM_UMAC_SCAN_GEN_FLAGS_PRE_CONNECT);
> 598  } else {
>
> ** CID 1361064: Null pointer dereferences (FORWARD_NULL)
> /sys/dev/iwm/if_iwm.c: 4443 in iwm_send_update_mcc_cmd()
>
> ______________________________________________________________________________________________________
> * CID 1361064: Null pointer dereferences (FORWARD_NULL)
> /sys/dev/iwm/if_iwm.c: 4443 in iwm_send_update_mcc_cmd()
> 4437  if (resp_v2) {
> 4438      mcc_resp = (void *)pkt->data;
> 4439      mcc = mcc_resp->mcc;
> 4440      n_channels = le32toh(mcc_resp->n_channels);
> 4441  } else {
> 4442      mcc_resp_v1 = (void *)pkt->data;
>
> CID 1361064: Null pointer dereferences (FORWARD_NULL) Dereferencing
> null pointer “mcc_resp_v1”.
>
> 4443      mcc = mcc_resp_v1->mcc;
> 4444      n_channels = le32toh(mcc_resp_v1->n_channels);
> 4445  }
> 4446
> 4447  /* W/A for a FW/NVM issue – returns 0×00 for the world domain */
> 4448  if (mcc == 0)
>
> ** CID 1361065: Null pointer dereferences (FORWARD_NULL)
> /sys/dev/iwm/if_iwm.c: 4439 in iwm_send_update_mcc_cmd()
>
> ______________________________________________________________________________________________________
> * CID 1361065: Null pointer dereferences (FORWARD_NULL)
> /sys/dev/iwm/if_iwm.c: 4439 in iwm_send_update_mcc_cmd()
> 4433  #ifdef IWM_DEBUG
> 4434  pkt = hcmd.resp_pkt;
> 4435
> 4436  /* Extract MCC response */
> 4437  if (resp_v2) {
> 4438      mcc_resp = (void *)pkt->data;
>
> CID 1361065: Null pointer dereferences (FORWARD_NULL) Dereferencing
> null pointer “mcc_resp”.
>
> 4439      mcc = mcc_resp->mcc;
> 4440      n_channels = le32toh(mcc_resp->n_channels);
> 4441  } else {
> 4442      mcc_resp_v1 = (void *)pkt->data;
> 4443      mcc = mcc_resp_v1->mcc;
> 4444      n_channels = le32toh(mcc_resp_v1->n_channels);
>
> ...
>
> ** CID 1361068: Memory – corruptions (OVERRUN)
> /sys/dev/iwm/if_iwm.c: 749 in iwm_read_firmware()
>
> ______________________________________________________________________________________________________
> * CID 1361068: Memory – corruptions (OVERRUN)
> /sys/dev/iwm/if_iwm.c: 749 in iwm_read_firmware()
> 743          “unsupported API index %d\n”, idx);
> 744      goto parse_out;
> 745  }
> 746  for (i = 0; i < 32; i++) {
> 747      if ((le32toh(capa->api_capa) & (1U << i)) == 0)
> 748          continue;
>
> CID 1361068: Memory – corruptions (OVERRUN) Overrunning array of 16
> bytes at byte offset 19 by dereferencing pointer “(unsigned char
> *)sc->sc_enabled_capa + (i + 32 * idx) / 8”.
>
> 749      setbit(sc->sc_enabled_capa, i + (32 * idx));
> 750  }
> 751  break;
> 752  }
> 753
> 754  case 48: /* undocumented TLV */
>
> ...
>
> ______________________________________________________________________________________________________
> To view the defects in Coverity Scan visit,
> https://scan.coverity.com/projects/freebsd?tab=overview
> _______________________________________________
> freebsd-wireless@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-wireless
> To unsubscribe, send any mail to
> "freebsd-wireless-unsubscribe@freebsd.org"