Date: Thu, 19 Feb 2004 17:48:55 -0800 (PST) From: "Ted Unangst" <tedu@coverity.com> To: hackers@freebsd.org Subject: size bugs Message-ID: <19389.66.93.171.98.1077241735.spork@webmail.coverity.com>
------=_20040219174855_55981 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit A few final bugs from Coverity. Most of these are off by one; the RF bug is malloc'ing the wrong type. Thanks for looking. ------=_20040219174855_55981 Content-Type: text/plain; name="report-size" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="report-size" ############################################################ # New errors. # --------------------------------------------------------- [UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP] /home/tedu/sys/dev/twe/twe.c|279|twe_del_unit|ERROR|SIMPLE_BUFFER| 279|279|Accessing buffer "(*sc).twe_drive" of size "16" at position "16" with index variable "unit" from line 276 [PATH= "unit > 16" on line 276 is false => "unit < 0" on line 276 is false] int error; if (unit < 0 || unit > TWE_MAX_UNITS) return (ENXIO); Error ---> if (sc->twe_drive[unit].td_disk == NULL) return (ENXIO); error = twe_detach_drive(sc, unit); return (error); } --------------------------------------------------------- [UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP] /home/tedu/sys/netinet6/in6.c|1858|in6_prefixlen2mask|ERROR|SIMPLE_BUFFER| 1858|1858|Accessing buffer "((*maskp).__u6_addr).__u6_addr8" of size "16" at position "16" with index variable "bytelen" from line 1853 [PATH= "bitlen != 0" on line 1857 is true => "i < bytelen" on line 1855 is false => "i < bytelen" on line 1855 is true] bytelen = len / 8; bitlen = len % 8; for (i = 0; i < bytelen; i++) maskp->s6_addr[i] = 0xff; if (bitlen) Error ---> maskp->s6_addr[bytelen] = maskarray[bitlen - 1]; } /* * return the best address out of the same scope. if no address was * found, return the first valid address from designated IF. 
--------------------------------------------------------- [UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP] /home/tedu/sys/netinet6/in6.c|1830|in6_are_prefix_equal|ERROR|SIMPLE_BUFFER| 1830|1830|Accessing buffer "((*p1).__u6_addr).__u6_addr8" of size "16" at position "16" with index variable "bytelen" from line 1825 [PATH= "bcmp != 0" on line 1828 is false] bytelen = len / 8; bitlen = len % 8; if (bcmp(&p1->s6_addr, &p2->s6_addr, bytelen)) return (0); Error ---> if (p1->s6_addr[bytelen] >> (8 - bitlen) != p2->s6_addr[bytelen] >> (8 - bitlen)) return (0); return (1); } --------------------------------------------------------- [UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP] /home/tedu/sys/dev/ata/atapi-cd.c|1633|acd_report_key|ERROR|SIMPLE_BUFFER| 1632|1633|Accessing buffer "d" of size "0" at position "0" [PATH=] ccb[5] = lba & 0xff; ccb[8] = (length >> 8) & 0xff; ccb[9] = length & 0xff; ccb[10] = (ai->agid << 6) | ai->format; Start ---> d = malloc(length, M_ACD, M_NOWAIT | M_ZERO); Error ---> d->length = htons(length - 2); error = ata_atapicmd(cdp->device, ccb, (caddr_t)d, length, ai->format == DVD_INVALIDATE_AGID ? 0 : ATA_R_READ,10); if (error) { free(d, M_ACD); ############################################################ # New errors. # --------------------------------------------------------- [UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP] /home/tedu/sys/dev/raidframe/rf_diskqueue.c|160|init_dqd|ERROR|SIZE_CHECK| 160|160| (*dqd).bp = "malloc"(4 bytes), need 136 static int init_dqd(dqd) RF_DiskQueueData_t *dqd; { Error ---> dqd->bp = (RF_Buf_t) malloc(sizeof(RF_Buf_t), M_RAIDFRAME, M_NOWAIT); if (dqd->bp == NULL) { return (ENOMEM); } memset(dqd->bp, 0, sizeof(RF_Buf_t)); /* if you don't do it, nobody * else will.. */ ------=_20040219174855_55981--