Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 19 Feb 2004 17:48:55 -0800 (PST)
From:      "Ted Unangst" <tedu@coverity.com>
To:        hackers@freebsd.org
Subject:   size bugs
Message-ID:  <19389.66.93.171.98.1077241735.spork@webmail.coverity.com>

next in thread | raw e-mail | index | archive | help
------=_20040219174855_55981
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

A few final bugs from Coverity.  Most of these are off by one, the RF bug
is malloc'ing the wrong type.

Thanks for looking.
------=_20040219174855_55981
Content-Type: text/plain; name="report-size"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="report-size"



############################################################
# New errors.
#
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/twe/twe.c|279|twe_del_unit|ERROR|SIMPLE_BUFFER| 279|279|Accessing buffer "(*sc).twe_drive" of size "16" at position "16" with index variable "unit" from line 276 [PATH= "unit > 16" on line 276 is false => "unit < 0" on line 276 is false] 

    int error;

    if (unit < 0 || unit > TWE_MAX_UNITS)
	return (ENXIO);


Error --->
    if (sc->twe_drive[unit].td_disk == NULL)
	return (ENXIO);

    error = twe_detach_drive(sc, unit);
    return (error);
}
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/netinet6/in6.c|1858|in6_prefixlen2mask|ERROR|SIMPLE_BUFFER| 1858|1858|Accessing buffer "((*maskp).__u6_addr).__u6_addr8" of size "16" at position "16" with index variable "bytelen" from line 1853 [PATH= "bitlen != 0" on line 1857 is true => "i < bytelen" on line 1855 is false => "i < bytelen" on line 1855 is true] 

	bytelen = len / 8;
	bitlen = len % 8;
	for (i = 0; i < bytelen; i++)
		maskp->s6_addr[i] = 0xff;
	if (bitlen)

Error --->
		maskp->s6_addr[bytelen] = maskarray[bitlen - 1];
}

/*
 * return the best address out of the same scope. if no address was
 * found, return the first valid address from designated IF.
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/netinet6/in6.c|1830|in6_are_prefix_equal|ERROR|SIMPLE_BUFFER| 1830|1830|Accessing buffer "((*p1).__u6_addr).__u6_addr8" of size "16" at position "16" with index variable "bytelen" from line 1825 [PATH= "bcmp != 0" on line 1828 is false] 

	bytelen = len / 8;
	bitlen = len % 8;

	if (bcmp(&p1->s6_addr, &p2->s6_addr, bytelen))
		return (0);

Error --->
	if (p1->s6_addr[bytelen] >> (8 - bitlen) !=
	    p2->s6_addr[bytelen] >> (8 - bitlen))
		return (0);

	return (1);
}
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/ata/atapi-cd.c|1633|acd_report_key|ERROR|SIMPLE_BUFFER| 1632|1633|Accessing buffer "d" of size "0" at position "0" [PATH=] 

    ccb[5] = lba & 0xff;
    ccb[8] = (length >> 8) & 0xff;
    ccb[9] = length & 0xff;
    ccb[10] = (ai->agid << 6) | ai->format;

Start --->
    d = malloc(length, M_ACD, M_NOWAIT | M_ZERO);
Error --->
    d->length = htons(length - 2);

    error = ata_atapicmd(cdp->device, ccb, (caddr_t)d, length,
			 ai->format == DVD_INVALIDATE_AGID ? 0 : ATA_R_READ,10);
    if (error) {
	free(d, M_ACD);


############################################################
# New errors.
#
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/raidframe/rf_diskqueue.c|160|init_dqd|ERROR|SIZE_CHECK| 160|160| (*dqd).bp = "malloc"(4 bytes), need 136

static int 
init_dqd(dqd)
	RF_DiskQueueData_t *dqd;
{


Error --->
	dqd->bp = (RF_Buf_t) malloc(sizeof(RF_Buf_t), M_RAIDFRAME, M_NOWAIT);
	if (dqd->bp == NULL) {
		return (ENOMEM);
	}
	memset(dqd->bp, 0, sizeof(RF_Buf_t));	/* if you don't do it, nobody
						 * else will.. */
------=_20040219174855_55981--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19389.66.93.171.98.1077241735.spork>