Subj : New Defects reported by Coverity Scan
To : cov-scan@synchro.net
From : scan-admin@coverity.com
Date : Tue Nov 19 2024 13:40:00

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

3 new defect(s) introduced to Synchronet found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)

** CID 515048: Security best practices violations (SECURE_TEMP)
/sbbsecho.c: 1848 in add_areas_from_echolists()

________________________________________________________________________________________________________
*** CID 515048: Security best practices violations (SECURE_TEMP)
/sbbsecho.c: 1848 in add_areas_from_echolists()
1842 match=0;
1843 for(k=0; cfg.listcfg[j].keys[k] ;k++) {
1844 if(match) break;
1845 for(x=0; nodecfg->keys[x] ;x++) {
1846 if(!stricmp(cfg.listcfg[j].keys[k]
1847 ,nodecfg->keys[x])) {
>>> CID 515048: Security best practices violations (SECURE_TEMP)
>>> "tmpfile" creates files with predictable names, which is unsafe.
1848 if((fwdfile=tmpfile())==NULL) {
1849 lprintf(LOG_ERR,"ERROR line %d opening forward temp "
1850 "file",__LINE__);
1851 match=1;
1852 break;
1853 }

** CID 515047: Control flow issues (NO_EFFECT)
/sbbsecho.c: 1635 in alter_areas_ini()

________________________________________________________________________________________________________
*** CID 515047: Control flow issues (NO_EFFECT)
/sbbsecho.c: 1635 in alter_areas_ini()
1629 continue;
1630 }
1631 }
1632 if(add_area[0] != NULL) { /* Check for areas to add */
1633 bool add_all = (stricmp(add_area[0], "+ALL") == 0);
1634 j = strListFind(add_area, echotag, /* case-sensitive */false);
>>> CID 515047: Control flow issues (NO_EFFECT)
>>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "j >= 0U".
>>> (Reviewer note: because j is unsigned, the `if(j >= 0)` guard on line 1636 can never skip the `add_area[j][0]=0` write; when echotag is not in add_area, that write is indexed by whatever value strListFind returned for "no match", so the not-found case needs an explicit check rather than a sign test — or j should be declared signed.)
1635 if(add_all || j >= 0) { 1636 if(j >= 0) 1637 add_area[j][0]=0; /* So we can check other lists */ 1638 uint areanum = find_area(echotag); 1639 if(!area_is_valid(areanum)) { 1640 lprintf(LOG_ERR, "Invalid area num on line %d", __LINE__); ** CID 515046: Error handling issues (CHECKED_RETURN) /sbbsecho.c: 1989 in alter_areas() ________________________________________________________________________________________________________ *** CID 515046: Error handling issues (CHECKED_RETURN) /sbbsecho.c: 1989 in alter_areas() 1983 ,smb_faddrtoa(&addr,NULL), (ulong)added, cfg.areafile); 1984 if(deleted) 1985 lprintf(LOG_DEBUG, "AreaFix (for %s) Removed links to %lu areas in %s" 1986 ,smb_faddrtoa(&addr,NULL), (ulong)deleted, cfg.areafile); 1987 if(added || deleted) { 1988 if(stat(cfg.areafile, &st) == 0) >>> CID 515046: Error handling issues (CHECKED_RETURN) >>> Calling "chmod(outpath, st.st_mode)" without checking return value. This library function may fail and return an error code. 1989 chmod(outpath, st.st_mode); 1990 if(cfg.areafile_backups == 0 || !backup(cfg.areafile, cfg.areafile_backups, /* ren: */TRUE)) 1991 delfile(cfg.areafile, __LINE__); /* Delete AREAS.BBS */ 1992 if(rename(outpath,cfg.areafile)) /* Rename new AREAS.BBS file */ 1993 lprintf(LOG_ERR,"ERROR line %d renaming %s to %s",__LINE__,outpath,cfg.areafile); 1994 } ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3D1jSz_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQbxEcP2FV-2FE8SZ4Zj-2B5i-2FvXMBc1u-2B9IyI73gYzjnV6pIIbqC2pGfKYB3KXIl7XZEKXLdLz8vi8-2BwsF6O91kuZqV1ShM13vaTkO37J3VV7GT6YwOX288v8WtwpdrdHMhRE2EqIozgp1HMSE07wuarfyxBLAND56oVPlNda7IFeLuFA-3D-3D --- þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net .