Subj : New Defects reported by Coverity Scan for Synchronet To : cov-scan@synchro.net From : scan-admin@coverity.com Date : Sun Feb 19 2023 13:37:56 Hi, Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan. 21 new defect(s) introduced to Synchronet found with Coverity Scan. 16 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 21 defect(s) ** CID 436320: (SIGN_EXTENSION) /writemsg.cpp: 679 in sbbs_t::writemsg(const char *, const char *, char *, int, unsigned int, const char *, const char *, const char **, const char **)() /writemsg.cpp: 680 in sbbs_t::writemsg(const char *, const char *, char *, int, unsigned int, const char *, const char *, const char **, const char **)() /writemsg.cpp: 657 in sbbs_t::writemsg(const char *, const char *, char *, int, unsigned int, const char *, const char *, const char **, const char **)() /writemsg.cpp: 294 in sbbs_t::writemsg(const char *, const char *, char *, int, unsigned int, const char *, const char *, const char **, const char **)() /writemsg.cpp: 656 in sbbs_t::writemsg(const char *, const char *, char *, int, unsigned int, const char *, const char *, const char **, const char **)() ________________________________________________________________________________________________________ *** CID 436320: (SIGN_EXTENSION) /writemsg.cpp: 679 in sbbs_t::writemsg(const char *, const char *, char *, int, unsigned int, const char *, const char *, const char **, const char **)() 673 *editor = "Synchronet msgeditor " GIT_BRANCH "/" GIT_HASH; 674 675 buf[0]=0; 676 if(linesquoted || draft_restored) { 677 if((file=nopen(msgtmp,O_RDONLY))!=-1) { 678 length=(long)filelength(file); >>> CID 436320: (SIGN_EXTENSION) >>> Suspicious implicit sign extension: "this->cfg.level_linespermsg[useron_level]" with type "uint16_t" (16 bits, unsigned) is promoted in 
"this->cfg.level_linespermsg[useron_level] * (this->cols - 1) - 1" to type "int" (32 bits, signed), then sign-extended to type "long" (64 bits, signed). If "this->cfg.level_linespermsg[useron_level] * (this->cols - 1) - 1" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1. 679 l=length>(cfg.level_linespermsg[useron_level]*MAX_LINE_LEN)-1 680 ? (cfg.level_linespermsg[useron_level]*MAX_LINE_LEN)-1 : length; 681 lread(file,buf,l); 682 buf[l]=0; 683 close(file); 684 // remove(msgtmp); /writemsg.cpp: 680 in sbbs_t::writemsg(const char *, const char *, char *, int, unsigned int, const char *, const char *, const char **, const char **)() 674 675 buf[0]=0; 676 if(linesquoted || draft_restored) { 677 if((file=nopen(msgtmp,O_RDONLY))!=-1) { 678 length=(long)filelength(file); 679 l=length>(cfg.level_linespermsg[useron_level]*MAX_LINE_LEN)-1 >>> CID 436320: (SIGN_EXTENSION) >>> Suspicious implicit sign extension: "this->cfg.level_linespermsg[useron_level]" with type "uint16_t" (16 bits, unsigned) is promoted in "this->cfg.level_linespermsg[useron_level] * (this->cols - 1) - 1" to type "int" (32 bits, signed), then sign-extended to type "long" (64 bits, signed). If "this->cfg.level_linespermsg[useron_level] * (this->cols - 1) - 1" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1. 680 ? 
(cfg.level_linespermsg[useron_level]*MAX_LINE_LEN)-1 : length; 681 lread(file,buf,l); 682 buf[l]=0; 683 close(file); 684 // remove(msgtmp); 685 } /writemsg.cpp: 657 in sbbs_t::writemsg(const char *, const char *, char *, int, unsigned int, const char *, const char *, const char **, const char **)() 651 free(buf); 652 return false; 653 } 654 l=strlen((char *)buf); /* reserve space for top and terminating null */ 655 /* truncate if too big */ 656 if(length>(long)((cfg.level_linespermsg[useron_level]*MAX_LINE_LEN)-(l+1))) { >>> CID 436320: (SIGN_EXTENSION) >>> Suspicious implicit sign extension: "this->cfg.level_linespermsg[useron_level]" with type "uint16_t" (16 bits, unsigned) is promoted in "this->cfg.level_linespermsg[useron_level] * (this->cols - 1)" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "this->cfg.level_linespermsg[useron_level] * (this->cols - 1)" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1. 657 length=(cfg.level_linespermsg[useron_level]*MAX_LINE_LEN)-(l+1); 658 bputs(text[OutOfBytes]); 659 } 660 long rd = read(file,buf+l,length); 661 close(file); 662 if(rd != length) { /writemsg.cpp: 294 in sbbs_t::writemsg(const char *, const char *, char *, int, unsigned int, const char *, const char *, const char **, const char **)() 288 289 useron_level=useron.level; 290 291 if(editor!=NULL) 292 *editor=NULL; 293 >>> CID 436320: (SIGN_EXTENSION) >>> Suspicious implicit sign extension: "this->cfg.level_linespermsg[useron_level]" with type "uint16_t" (16 bits, unsigned) is promoted in "this->cfg.level_linespermsg[useron_level] * (this->cols - 1) + 1" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "this->cfg.level_linespermsg[useron_level] * (this->cols - 1) + 1" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1. 
294 if((buf=(char*)malloc((cfg.level_linespermsg[useron_level]*MAX_LINE_LEN) + 1)) 295 ==NULL) { 296 errormsg(WHERE,ERR_ALLOC,fname 297 ,(cfg.level_linespermsg[useron_level]*MAX_LINE_LEN) +1); 298 return(false); 299 } /writemsg.cpp: 656 in sbbs_t::writemsg(const char *, const char *, char *, int, unsigned int, const char *, const char *, const char **, const char **)() 650 errormsg(WHERE, ERR_LEN, msgtmp, length); 651 free(buf); 652 return false; 653 } 654 l=strlen((char *)buf); /* reserve space for top and terminating null */ 655 /* truncate if too big */ >>> CID 436320: (SIGN_EXTENSION) >>> Suspicious implicit sign extension: "this->cfg.level_linespermsg[useron_level]" with type "uint16_t" (16 bits, unsigned) is promoted in "this->cfg.level_linespermsg[useron_level] * (this->cols - 1)" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "this->cfg.level_linespermsg[useron_level] * (this->cols - 1)" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1. 656 if(length>(long)((cfg.level_linespermsg[useron_level]*MAX_LINE_LEN)-(l+1))) { 657 length=(cfg.level_linespermsg[useron_level]*MAX_LINE_LEN)-(l+1); 658 bputs(text[OutOfBytes]); 659 } 660 long rd = read(file,buf+l,length); 661 close(file); ** CID 436319: High impact quality (Y2K38_SAFETY) /qwktomsg.cpp: 49 in qwk_parse_header_list(sbbs_t *, unsigned int, smbmsg_t *, char ***, bool, bool)() ________________________________________________________________________________________________________ *** CID 436319: High impact quality (Y2K38_SAFETY) /qwktomsg.cpp: 49 in qwk_parse_header_list(sbbs_t *, unsigned int, smbmsg_t *, char ***, bool, bool)() 43 msg->hdr.auxattr |= MSG_HFIELDS_UTF8; 44 } 45 46 if((p=iniPopKey(headers,ROOT_SECTION,"WhenWritten",value))!=NULL) { 47 xpDateTime_t dt=isoDateTimeStr_parse(p); 48 >>> CID 436319: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. 
The expression "xpDateTime_to_localtime(dt)" is cast to "uint32_t". 49 msg->hdr.when_written.time=(uint32_t)xpDateTime_to_localtime(dt); 50 msg->hdr.when_written.zone=dt.zone; 51 sscanf(p,"%*s %s",zone); 52 if(zone[0]) 53 msg->hdr.when_written.zone=(ushort)strtoul(zone,NULL,16); 54 } ** CID 436318: Error handling issues (CHECKED_RETURN) /tmp_xfer.cpp: 88 in sbbs_t::create_filelist(const char *, int)() ________________________________________________________________________________________________________ *** CID 436318: Error handling issues (CHECKED_RETURN) /tmp_xfer.cpp: 88 in sbbs_t::create_filelist(const char *, int)() 82 if(k) 83 bprintf(text[CreatedFileList],name); 84 else { 85 if(online == ON_REMOTE) 86 bputs(text[NoFiles]); 87 SAFEPRINTF2(str,"%s%s",cfg.temp_dir,name); >>> CID 436318: Error handling issues (CHECKED_RETURN) >>> Calling "remove(str)" without checking return value. This library function may fail and return an error code. 88 remove(str); 89 } 90 return(k); 91 } 92 93 /****************************************************************************/ ** CID 436317: High impact quality (Y2K38_SAFETY) /qwktomsg.cpp: 198 in sbbs_t::qwk_new_msg(unsigned int, smbmsg_t *, char *, int, char **, bool)() ________________________________________________________________________________________________________ *** CID 436317: High impact quality (Y2K38_SAFETY) /qwktomsg.cpp: 198 in sbbs_t::qwk_new_msg(unsigned int, smbmsg_t *, char *, int, char **, bool)() 192 tm.tm_year=((hdrblk[14]&0xf)*10)+(hdrblk[15]&0xf); 193 if(tm.tm_year [remainder of excerpt lines 193-197 lost in extraction] >>> CID 436317: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "sane_mktime(&tm)" is cast to "uint32_t". 
198 msg->hdr.when_written.time=(uint32_t)sane_mktime(&tm); 199 } 200 201 if(msg->to==NULL) 202 smb_hfield_str(msg,RECIPIENT,strip_ctrl(to, to)); 203 ** CID 436316: Error handling issues (CHECKED_RETURN) /netmail.cpp: 1382 in sbbs_t::qnetmail(const char *, const char *, int, smb_t *, smbmsg_t *)() ________________________________________________________________________________________________________ *** CID 436316: Error handling issues (CHECKED_RETURN) /netmail.cpp: 1382 in sbbs_t::qnetmail(const char *, const char *, int, smb_t *, smbmsg_t *)() 1376 smb_close(&smb); 1377 smb_stack(&smb,SMB_STACK_POP); 1378 errormsg(WHERE,ERR_OPEN,msgpath,O_RDONLY|O_BINARY); 1379 return(false); 1380 } 1381 >>> CID 436316: Error handling issues (CHECKED_RETURN) >>> Calling "fseeko(this->smb.sdt_fp, offset, 0)" without checking return value. This library function may fail and return an error code. 1382 fseeko(smb.sdt_fp,offset,SEEK_SET); 1383 xlat=XLAT_NONE; 1384 fwrite(&xlat,2,1,smb.sdt_fp); 1385 x=SDT_BLOCK_LEN-2; /* Don't read/write more than 255 */ 1386 while(!feof(instream)) { 1387 memset(buf,0,x); ** CID 436315: Code maintainability issues (UNUSED_VALUE) /str.cpp: 406 in sbbs_t::sof(char *, char *, int)() ________________________________________________________________________________________________________ *** CID 436315: Code maintainability issues (UNUSED_VALUE) /str.cpp: 406 in sbbs_t::sof(char *, char *, int)() 400 max=max*10+(buf[++m]&0xf); 401 } 402 if(buf[m+1]=='.' && IS_DIGIT(buf[m+2])) { 403 m++; 404 min=buf[++m]&0xf; 405 if(IS_DIGIT(buf[m+1])) >>> CID 436315: Code maintainability issues (UNUSED_VALUE) >>> Assigning value from "min * 10 + (buf[++m] & 0xf)" to "min" here, but that stored value is overwritten before it can be used. 
406 min=min*10+(buf[++m]&0xf); 407 } 408 if(buf[m+1]=='"') { 409 max=0; 410 m++; 411 while(buf[++m]!='"' && max<80) ** CID 436314: (RESOURCE_LEAK) /xtrn.cpp: 1692 in sbbs_t::external(const char *, int, const char *)() /xtrn.cpp: 1692 in sbbs_t::external(const char *, int, const char *)() ________________________________________________________________________________________________________ *** CID 436314: (RESOURCE_LEAK) /xtrn.cpp: 1692 in sbbs_t::external(const char *, int, const char *)() 1686 dup2(fd, STDOUT_FILENO); 1687 if(!(mode&EX_NOLOG)) 1688 dup2(fd, STDERR_FILENO); 1689 if (fd > 2) 1690 close(fd); 1691 } >>> CID 436314: (RESOURCE_LEAK) >>> Handle variable "fd" going out of scope leaks the handle. 1692 } 1693 1694 if(mode&EX_BG) /* background execution, detach child */ 1695 { 1696 lprintf(LOG_INFO,"Detaching external process"); 1697 daemon(TRUE,FALSE); /xtrn.cpp: 1692 in sbbs_t::external(const char *, int, const char *)() 1686 dup2(fd, STDOUT_FILENO); 1687 if(!(mode&EX_NOLOG)) 1688 dup2(fd, STDERR_FILENO); 1689 if (fd > 2) 1690 close(fd); 1691 } >>> CID 436314: (RESOURCE_LEAK) >>> Handle variable "fd" going out of scope leaks the handle. 1692 } 1693 1694 if(mode&EX_BG) /* background execution, detach child */ 1695 { 1696 lprintf(LOG_INFO,"Detaching external process"); 1697 daemon(TRUE,FALSE); ** CID 436313: (OVERRUN) /main.cpp: 4367 in node_thread(void *)() ________________________________________________________________________________________________________ *** CID 436313: (OVERRUN) /main.cpp: 4383 in node_thread(void *)() 4377 4378 curshell=sbbs->useron.shell; 4379 sbbs->main_csi.ip=sbbs->main_csi.cs; 4380 sbbs->menu_dir[0]=0; 4381 sbbs->menu_file[0]=0; 4382 } >>> CID 436313: (OVERRUN) >>> Calling "exec" with "sbbs->main_csi.cs" and "sbbs->main_csi.length" is suspicious because of the very large index, 18446744073709551615. The index may be due to a negative parameter being interpreted as unsigned. 
4383 if(sbbs->exec(&sbbs->main_csi)) 4384 break; 4385 } 4386 listRemoveTaggedNode(&current_logins, sbbs->cfg.node_num, /* free_data */TRUE); 4387 } 4388 /main.cpp: 4367 in node_thread(void *)() 4361 close(file); 4362 sbbs->errormsg(WHERE,ERR_ALLOC,str,sbbs->main_csi.length); 4363 sbbs->hangup(); 4364 break; 4365 } 4366 >>> CID 436313: (OVERRUN) >>> Calling "read" with "sbbs->main_csi.cs" and "sbbs->main_csi.length" is suspicious because of the very large index, 18446744073709551615. The index may be due to a negative parameter being interpreted as unsigned. [Note: The source code implementation of the function has been overridden by a builtin model.] 4367 if(lread(file,sbbs->main_csi.cs,sbbs->main_csi.length) 4368 !=(int)sbbs->main_csi.length) { 4369 sbbs->errormsg(WHERE,ERR_READ,str,sbbs->main_csi.length); 4370 close(file); 4371 free(sbbs->main_csi.cs); 4372 sbbs->main_csi.cs=NULL; ** CID 436312: Error handling issues (CHECKED_RETURN) /xtrn.cpp: 1750 in sbbs_t::external(const char *, int, const char *)() ________________________________________________________________________________________________________ *** CID 436312: Error handling issues (CHECKED_RETURN) /xtrn.cpp: 1750 in sbbs_t::external(const char *, int, const char *)() 1744 write(in_pipe[1],buf,wr); 1745 } 1746 1747 bp=buf; 1748 i=0; 1749 if(mode&EX_NOLOG) >>> CID 436312: Error handling issues (CHECKED_RETURN) >>> Calling "poll(fds, 1UL, 1)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.] 
1750 poll(fds, 1, 1); 1751 else { 1752 while (poll(fds, 2, 1) > 0 && (fds[1].revents) 1753 && (i < (int)sizeof(buf) - 1)) { 1754 if((rd=read(err_pipe[0],bp,1))>0) { 1755 i+=rd; ** CID 436311: (OVERRUN) /exec.cpp: 812 in sbbs_t::exec_bin(const char *, csi_t *, const char *)() ________________________________________________________________________________________________________ *** CID 436311: (OVERRUN) /exec.cpp: 812 in sbbs_t::exec_bin(const char *, csi_t *, const char *)() 806 } 807 if((bin.cs=(uchar *)malloc(bin.length))==NULL) { 808 close(file); 809 errormsg(WHERE,ERR_ALLOC,str,bin.length); 810 return(-1); 811 } >>> CID 436311: (OVERRUN) >>> Calling "read" with "bin.cs" and "bin.length" is suspicious because of the very large index, 18446744073709551615. The index may be due to a negative parameter being interpreted as unsigned. [Note: The source code implementation of the function has been overridden by a builtin model.] 812 if(lread(file,bin.cs,bin.length)!=(ssize_t)bin.length) { 813 close(file); 814 errormsg(WHERE,ERR_READ,str,bin.length); 815 free(bin.cs); 816 return(-1); 817 } /exec.cpp: 825 in sbbs_t::exec_bin(const char *, csi_t *, const char *)() 819 820 bin.ip=bin.cs; 821 bin.rets=0; 822 bin.cmdrets=0; 823 bin.misc=0; 824 >>> CID 436311: (OVERRUN) >>> Calling "exec" with "bin.cs" and "bin.length" is suspicious because of the very large index, 18446744073709551615. The index may be due to a negative parameter being interpreted as unsigned. 
825 while(exec(&bin)==0) 826 if(!(bin.misc&CS_OFFLINE_EXEC)) { 827 checkline(); 828 if(!online) 829 break; 830 } ** CID 436310: High impact quality (Y2K38_SAFETY) /xtrn_sec.cpp: 1114 in sbbs_t::moduserdat(unsigned int)() ________________________________________________________________________________________________________ *** CID 436310: High impact quality (Y2K38_SAFETY) /xtrn_sec.cpp: 1114 in sbbs_t::moduserdat(unsigned int)() 1108 useron.level=(uint8_t)i; 1109 putuserdec32(useron.number, USER_LEVEL, useron.level); 1110 } 1111 lseek(file,75,SEEK_CUR); /* read in expiration date */ 1112 read(file,&i,2); /* convert from julian to unix */ 1113 i = LE_INT(i); >>> CID 436310: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "juliantounix(i)" is cast to "time32_t". 1114 useron.expire=(time32_t)juliantounix(i); 1115 putuserdatetime(useron.number, USER_EXPIRE, useron.expire); 1116 } 1117 close(file); 1118 } 1119 return; ** CID 436309: Error handling issues (CHECKED_RETURN) /qwk.cpp: 294 in sbbs_t::qwk_success(unsigned int, char, char)() ________________________________________________________________________________________________________ *** CID 436309: Error handling issues (CHECKED_RETURN) /qwk.cpp: 294 in sbbs_t::qwk_success(unsigned int, char, char)() 288 SAFECOPY(str, "downloaded QWK packet"); 289 logline("D-",str); 290 posts_read+=msgcnt; 291 292 sprintf(str,"%sfile/%04u.qwk",cfg.data_dir,useron.number); 293 if(fexistcase(str)) >>> CID 436309: Error handling issues (CHECKED_RETURN) >>> Calling "remove(str)" without checking return value. This library function may fail and return an error code. 
294 remove(str); 295 296 if(!bi) { 297 batch_download(-1); 298 delfiles(cfg.temp_dir,ALLFILES); 299 } ** CID 436308: (CHECKED_RETURN) /pack_qwk.cpp: 619 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() /pack_qwk.cpp: 745 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() /pack_qwk.cpp: 733 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() ________________________________________________________________________________________________________ *** CID 436308: (CHECKED_RETURN) /pack_qwk.cpp: 619 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() 613 fclose(voting); 614 } 615 if(personal) { 616 fclose(personal); /* close PERSONAL.NDX */ 617 SAFEPRINTF(str,"%sPERSONAL.NDX",cfg.temp_dir); 618 if(!flength(str)) >>> CID 436308: (CHECKED_RETURN) >>> Calling "remove(str)" without checking return value. This library function may fail and return an error code. 619 remove(str); 620 } 621 CRLF; 622 623 if(!prepack && online!=ON_LOCAL && ((sys_status&SS_ABORT) || !online)) { 624 bputs(text[Aborted]); /pack_qwk.cpp: 745 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() 739 if(file_count < 0) 740 lprintf(LOG_ERR, "libarchive error (%s) creating %s", error, packet); 741 else 742 lprintf(LOG_INFO, "libarchive created %s from %d files", packet, file_count); 743 } 744 if(flength(packet) < 1) { >>> CID 436308: (CHECKED_RETURN) >>> Calling "remove(packet)" without checking return value. This library function may fail and return an error code. 745 remove(packet); 746 if((i = external(cmdstr(temp_cmd(),packet,path,NULL), ex|EX_WILDCARD)) != 0) 747 errormsg(WHERE,ERR_EXEC,cmdstr(temp_cmd(),packet,path,NULL),i); 748 if(flength(packet) < 1) { 749 bputs(text[QWKCompressionFailed]); 750 return(false); /pack_qwk.cpp: 733 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() 727 } 728 } 729 730 /*******************/ 731 /* Compress Packet */ 732 /*******************/ >>> CID 436308: (CHECKED_RETURN) >>> Calling "remove(packet)" without checking return value. 
This library function may fail and return an error code. 733 remove(packet); 734 SAFEPRINTF2(path,"%s%s",cfg.temp_dir,ALLFILES); 735 if(strListFind((str_list_t)supported_archive_formats, useron.tmpext, /* case_sensitive */FALSE) >= 0) { 736 str_list_t file_list = directory(path); 737 int file_count = create_archive(packet, useron.tmpext, /* with_path: */false, file_list, error, sizeof(error)); 738 strListFree(&file_list); ** CID 436307: High impact quality (Y2K38_SAFETY) /main.cpp: 4407 in node_thread(void *)() ________________________________________________________________________________________________________ *** CID 436307: High impact quality (Y2K38_SAFETY) /main.cpp: 4407 in node_thread(void *)() 4401 time_t now = time(NULL); 4402 SAFEPRINTF(str, "%sclient.ini", sbbs->cfg.node_dir); 4403 FILE* fp = fopen(str, "at"); 4404 if(fp != NULL) { 4405 fprintf(fp, "user=%u\n", sbbs->useron.number); 4406 fprintf(fp, "name=%s\n", sbbs->useron.alias); >>> CID 436307: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "now" is cast to "uint". 4407 fprintf(fp, "done=%u\n", (uint)now); 4408 fclose(fp); 4409 } 4410 4411 if(sbbs->sys_status&SS_DAILY) { // New day, run daily events/maintenance 4412 sbbs->daily_maint(); ** CID 436306: High impact quality (Y2K38_SAFETY) /atcodes.cpp: 1235 in sbbs_t::atcode(char *, char *, unsigned long, int *, bool, JSObject *)() ________________________________________________________________________________________________________ *** CID 436306: High impact quality (Y2K38_SAFETY) /atcodes.cpp: 1235 in sbbs_t::atcode(char *, char *, unsigned long, int *, bool, JSObject *)() 1229 f = (float)useron.dls / useron.uls; 1230 safe_snprintf(str, maxlen, "%u", f ? 
(uint)(100 / f) : 0); 1231 return str; 1232 } 1233 1234 if(!strcmp(sp,"LASTNEW")) >>> CID 436306: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "this->ns_time" is cast to "time32_t". 1235 return(unixtodstr(&cfg,(time32_t)ns_time,str)); 1236 1237 if(strncmp(sp, "LASTNEW:", 8) == 0) { 1238 sp += 8; 1239 c_unescape_str(sp); 1240 memset(&tm, 0, sizeof(tm)); ** CID 436305: (Y2K38_SAFETY) /pack_qwk.cpp: 128 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() /pack_qwk.cpp: 598 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() /pack_qwk.cpp: 603 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() ________________________________________________________________________________________________________ *** CID 436305: (Y2K38_SAFETY) /pack_qwk.cpp: 128 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() 122 errormsg(WHERE,ERR_OPEN,str,0); 123 return(false); 124 } 125 126 now=time(NULL); 127 if(localtime_r(&now,&tm)==NULL) { >>> CID 436305: (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "this->now" is cast to "uint". 128 errormsg(WHERE, ERR_CHK, "time", (uint)now); 129 return(false); 130 } 131 132 fprintf(stream,"%s\r\n%s\r\n%s\r\n%s, Sysop\r\n0000,%s\r\n" 133 "%02u-%02u-%u,%02u:%02u:%02u\r\n" /pack_qwk.cpp: 598 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() 592 byte_estimate_to_str(ftell(qwk), tmp, sizeof(tmp), 1024, 1); 593 if(online == ON_REMOTE) 594 bprintf("\r\n\r\n\1n\1hPacked %u messages (%s bytes) in %u seconds " 595 "(%lu messages/second)." 596 ,(*msgcnt)+mailmsgs 597 ,tmp >>> CID 436305: (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "elapsed" is cast to "uint". 
598 ,(uint)elapsed 599 ,((*msgcnt)+mailmsgs) / elapsed); 600 lprintf(LOG_INFO, "packed %u messages (%s bytes) in %u seconds (%u msgs/sec)" 601 ,(*msgcnt)+mailmsgs 602 ,tmp 603 ,(uint)elapsed /pack_qwk.cpp: 603 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() 597 ,tmp 598 ,(uint)elapsed 599 ,((*msgcnt)+mailmsgs) / elapsed); 600 lprintf(LOG_INFO, "packed %u messages (%s bytes) in %u seconds (%u msgs/sec)" 601 ,(*msgcnt)+mailmsgs 602 ,tmp >>> CID 436305: (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "elapsed" is cast to "uint". 603 ,(uint)elapsed 604 ,(uint)(((*msgcnt)+mailmsgs)/elapsed)); 605 } 606 607 BOOL voting_data = FALSE; 608 fclose(qwk); /* close MESSAGE.DAT */ ** CID 436304: Error handling issues (CHECKED_RETURN) /writemsg.cpp: 242 in sbbs_t::process_edited_file(const char *, const char *, int, unsigned int *, unsigned int)() ________________________________________________________________________________________________________ *** CID 436304: Error handling issues (CHECKED_RETURN) /writemsg.cpp: 242 in sbbs_t::process_edited_file(const char *, const char *, int, unsigned int *, unsigned int)() 236 if((fp=fopen(src,"rb"))==NULL) { 237 free(buf); 238 return -3; 239 } 240 241 memset(buf,0,len+1); >>> CID 436304: Error handling issues (CHECKED_RETURN) >>> "fread(void * restrict, size_t, size_t, FILE * restrict)" returns the number of bytes read, but it is ignored. 
242 fread(buf,len,sizeof(char),fp); 243 fclose(fp); 244 245 if((fp=fopen(dest,"wb"))!=NULL) { 246 len=process_edited_text(buf, fp, mode, lines, maxlines); 247 fclose(fp); ** CID 436303: Uninitialized variables (UNINIT) ________________________________________________________________________________________________________ *** CID 436303: Uninitialized variables (UNINIT) /readmsgs.cpp: 218 in sbbs_t::loadposts(unsigned int *, unsigned int, unsigned int, int, unsigned int *, unsigned int *)() 212 if(idx.to!=namecrc && idx.from!=namecrc 213 && idx.to!=aliascrc && idx.from!=aliascrc 214 && (useron.number!=1 || idx.to!=sysop)) 215 continue; 216 msg.idx=idx; 217 if(!smb_lockmsghdr(&smb,&msg)) { >>> CID 436303: Uninitialized variables (UNINIT) >>> Using uninitialized value "msg.idx_offset" when calling "smb_getmsghdr". 218 if(!smb_getmsghdr(&smb,&msg)) { 219 if(stricmp(msg.to,useron.alias) 220 && stricmp(msg.from,useron.alias) 221 && stricmp(msg.to,useron.name) 222 && stricmp(msg.from,useron.name) 223 && (useron.number!=1 || stricmp(msg.to,"sysop") ** CID 436302: Memory - illegal accesses (STRING_NULL) /telgate.cpp: 194 in sbbs_t::telnet_gate(char *, unsigned int, unsigned int, char *, char *, char *)() ________________________________________________________________________________________________________ *** CID 436302: Memory - illegal accesses (STRING_NULL) /telgate.cpp: 194 in sbbs_t::telnet_gate(char *, unsigned int, unsigned int, char *, char *, char *)() 188 l=K_CHAT; 189 if(!(mode&TG_ECHO)) 190 l|=K_NOECHO; 191 rd=getstr((char*)buf,sizeof(buf)-1,l); 192 if(!rd) 193 continue; >>> CID 436302: Memory - illegal accesses (STRING_NULL) >>> Passing unterminated string "buf" to "strlen", which expects a null-terminated string. 
194 SAFECAT(buf,crlf); 195 rd+=2; 196 gotline=true; 197 } 198 if((mode&TG_CRLF) && buf[rd-1]=='\r') 199 buf[rd++]='\n'; ** CID 436301: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 436301: Insecure data handling (TAINTED_SCALAR) /writemsg.cpp: 752 in sbbs_t::writemsg(const char *, const char *, char *, int, unsigned int, const char *, const char *, const char **, const char **)() 746 while(!feof(tag)) { 747 if(!fgets(str,sizeof(str),tag)) 748 break; 749 truncsp(str); 750 if(utf8) { 751 char buf[sizeof(str)*4]; >>> CID 436301: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "str" to "cp437_to_utf8_str", which uses it as an offset. 752 cp437_to_utf8_str(str, buf, sizeof(buf) - 1, /* minval: */'\x02'); 753 l+=fprintf(stream,"%s\r\n", buf); 754 } else 755 l+=fprintf(stream,"%s\r\n",str); 756 lines++; /* line counter */ 757 } ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yp-2FP9gGRhvFklLaQKuBylUrkMFB3WMR2p7qIYKYTZrh4BbWTBf-2B-2Fi5ZUVF-2Fo-2B6flxo-3Drgn4_g4j7BHlu96plUOfCQsO0yRjoWZCZl8YGnZ-2FUtT39hrBgI3c58nn-2BM3pe4vcfOmT008rEPNCgcySL-2BxLmEpv67QM-2F5FYfBWKXdLuapzG8Uw08lzNE-2FII55Z3TUX6jcFlwAq3AECQ-2BNvq5LcItSQXmz87wTP5IweENV-2Fec52OWXZ5z-2Bkfj7gccdDWHh5Lsy5qHClX0MJc5hcJeyhGduvOrMQ-3D-3D --- SBBSecho 3.20-Linux * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705) .