Subj : New Defects reported by Coverity Scan for Synchronet To : cov-scan@synchro.net From : scan-admin@coverity.com Date : Fri Jun 09 2023 12:40:16 Hi, Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan. 14 new defect(s) introduced to Synchronet found with Coverity Scan. 28 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 14 of 14 defect(s) ** CID 462300: Control flow issues (MISSING_BREAK) /tmp/sbbs-Jun-09-2023/src/conio/cterm.c: 3525 in do_ansi() ________________________________________________________________________________________________________ *** CID 462300: Control flow issues (MISSING_BREAK) /tmp/sbbs-Jun-09-2023/src/conio/cterm.c: 3525 in do_ansi() 3519 case 'e': /* Line Position Forward */ 3520 seq_default(seq, 0, 1); 3521 if (seq->param_int[0] < 1) 3522 break; 3523 adjust_currpos(cterm, 0, seq->param_int[0], 0); 3524 break; >>> CID 462300: Control flow issues (MISSING_BREAK) >>> The case for value "'a'" is not terminated by a "break" statement. 3525 case 'a': /* Character Position Forward */ 3526 clear_lcf(cterm); 3527 case 'C': /* Cursor Right */ 3528 seq_default(seq, 0, 1); 3529 if (seq->param_int[0] < 1) 3530 break; ** CID 462299: Control flow issues (MISSING_BREAK) /tmp/sbbs-Jun-09-2023/src/conio/cterm.c: 3533 in do_ansi() ________________________________________________________________________________________________________ *** CID 462299: Control flow issues (MISSING_BREAK) /tmp/sbbs-Jun-09-2023/src/conio/cterm.c: 3533 in do_ansi() 3527 case 'C': /* Cursor Right */ 3528 seq_default(seq, 0, 1); 3529 if (seq->param_int[0] < 1) 3530 break; 3531 adjust_currpos(cterm, seq->param_int[0], 0, 0); 3532 break; >>> CID 462299: Control flow issues (MISSING_BREAK) >>> The case for value "'j'" is not terminated by a "break" statement. 3533 case 'j': /* Character Position Backward */ 3534 clear_lcf(cterm); 3535 case 'D': /* Cursor Left */ 3536 seq_default(seq, 0, 1); 3537 if (seq->param_int[0] < 1) 3538 break; ** CID 462298: (NEGATIVE_RETURNS) ________________________________________________________________________________________________________ *** CID 462298: (NEGATIVE_RETURNS) /exec.cpp: 1892 in sbbs_t::exec(csi_t *)() 1886 } 1887 else 1888 csi->logic=LOGIC_FALSE; 1889 return(0); 1890 1891 case CS_SELECT_EDITOR: >>> CID 462298: (NEGATIVE_RETURNS) >>> "this->curdirnum" is passed to a parameter that cannot be negative. 1892 csi->logic=select_editor() ? LOGIC_TRUE:LOGIC_FALSE; 1893 return(0); 1894 case CS_SET_EDITOR: 1895 csi->logic=LOGIC_TRUE; 1896 for(i=0;istr,cfg.xedit[i]->code) /exec.cpp: 1880 in sbbs_t::exec(csi_t *)() 1874 case CS_SELECT_SHELL: 1875 csi->logic=select_shell() ? LOGIC_TRUE:LOGIC_FALSE; 1876 return(0); 1877 case CS_SET_SHELL: 1878 csi->logic=LOGIC_TRUE; 1879 for(i=0;i>> CID 462298: (NEGATIVE_RETURNS) >>> "this->curdirnum" is passed to a parameter that cannot be negative. 1880 if(!stricmp(csi->str,cfg.shell[i]->code) 1881 && chk_ar(cfg.shell[i]->ar,&useron,&client)) 1882 break; 1883 if(icode); /exec.cpp: 1181 in sbbs_t::exec(csi_t *)() 1175 now=time(NULL); 1176 1177 if(csi->ip>=csi->cs+csi->length) 1178 return(1); 1179 1180 if(*csi->ip>=CS_FUNCTIONS) >>> CID 462298: (NEGATIVE_RETURNS) >>> "this->curdirnum" is passed to a parameter that cannot be negative. 1181 return(exec_function(csi)); 1182 1183 /**********************************************/ 1184 /* Miscellaneous variable length instructions */ 1185 /**********************************************/ 1186 /exec.cpp: 1499 in sbbs_t::exec(csi_t *)() 1493 1494 if(*csi->ip>=CS_TWO_BYTE) { 1495 switch(*(csi->ip++)) { 1496 case CS_TWO_MORE_BYTES: 1497 switch(*(csi->ip++)) { 1498 case CS_USER_EVENT: >>> CID 462298: (NEGATIVE_RETURNS) >>> "this->curdirnum" is passed to a parameter that cannot be negative. 1499 user_event((user_event_t)*(csi->ip++)); 1500 return(0); 1501 } 1502 errormsg(WHERE,ERR_CHK,"shell instruction",*(csi->ip-1)); 1503 return(0); 1504 case CS_SETLOGIC: /exec.cpp: 1181 in sbbs_t::exec(csi_t *)() 1175 now=time(NULL); 1176 1177 if(csi->ip>=csi->cs+csi->length) 1178 return(1); 1179 1180 if(*csi->ip>=CS_FUNCTIONS) >>> CID 462298: (NEGATIVE_RETURNS) >>> "this->cursubnum" is passed to a parameter that cannot be negative. 1181 return(exec_function(csi)); 1182 1183 /**********************************************/ 1184 /* Miscellaneous variable length instructions */ 1185 /**********************************************/ 1186 /exec.cpp: 1761 in sbbs_t::exec(csi_t *)() 1755 if(logon()) 1756 csi->logic=LOGIC_TRUE; 1757 else 1758 csi->logic=LOGIC_FALSE; 1759 return(0); 1760 case CS_LOGOUT: >>> CID 462298: (NEGATIVE_RETURNS) >>> "this->curdirnum" is passed to a parameter that cannot be negative. 1761 logout(); 1762 return(0); 1763 case CS_EXIT: 1764 return(1); 1765 case CS_LOOP_BEGIN: 1766 if(csi->loopsip++; 1533 putnodedat(cfg.node_num,&thisnode); 1534 } else 1535 csi->ip++; 1536 return(0); 1537 case CS_MULTINODE_CHAT: >>> CID 462298: (NEGATIVE_RETURNS) >>> "this->curdirnum" is passed to a parameter that cannot be negative. 1538 multinodechat(*csi->ip++); 1539 return(0); 1540 case CS_GETSTR: 1541 csi->logic=LOGIC_TRUE; 1542 getstr(csi->str,*csi->ip++,0); 1543 if(sys_status&SS_ABORT) { /exec.cpp: 1875 in sbbs_t::exec(csi_t *)() 1869 saveline(); 1870 return(0); 1871 case CS_RESTORELINE: 1872 restoreline(); 1873 return(0); 1874 case CS_SELECT_SHELL: >>> CID 462298: (NEGATIVE_RETURNS) >>> "this->curdirnum" is passed to a parameter that cannot be negative. 1875 csi->logic=select_shell() ? LOGIC_TRUE:LOGIC_FALSE; 1876 return(0); 1877 case CS_SET_SHELL: 1878 csi->logic=LOGIC_TRUE; 1879 for(i=0;istr,cfg.shell[i]->code) /exec.cpp: 1897 in sbbs_t::exec(csi_t *)() 1891 case CS_SELECT_EDITOR: 1892 csi->logic=select_editor() ? LOGIC_TRUE:LOGIC_FALSE; 1893 return(0); 1894 case CS_SET_EDITOR: 1895 csi->logic=LOGIC_TRUE; 1896 for(i=0;i>> CID 462298: (NEGATIVE_RETURNS) >>> "this->curdirnum" is passed to a parameter that cannot be negative. 1897 if(!stricmp(csi->str,cfg.xedit[i]->code) 1898 && chk_ar(cfg.xedit[i]->ar,&useron,&client)) 1899 break; 1900 if(icode); ** CID 462297: Uninitialized variables (UNINIT) ________________________________________________________________________________________________________ *** CID 462297: Uninitialized variables (UNINIT) /readmsgs.cpp: 218 in sbbs_t::loadposts(unsigned int *, int, unsigned int, int, unsigned int *, unsigned int *)() 212 if(idx.to!=namecrc && idx.from!=namecrc 213 && idx.to!=aliascrc && idx.from!=aliascrc 214 && (useron.number!=1 || idx.to!=sysop)) 215 continue; 216 msg.idx=idx; 217 if(!smb_lockmsghdr(&smb,&msg)) { >>> CID 462297: Uninitialized variables (UNINIT) >>> Using uninitialized value "msg.idx_offset" when calling "smb_getmsghdr". 218 if(!smb_getmsghdr(&smb,&msg)) { 219 if(stricmp(msg.to,useron.alias) 220 && stricmp(msg.from,useron.alias) 221 && stricmp(msg.to,useron.name) 222 && stricmp(msg.from,useron.name) 223 && (useron.number!=1 || stricmp(msg.to,"sysop") ** CID 462296: Integer handling issues (SIGN_EXTENSION) /writemsg.cpp: 296 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)() ________________________________________________________________________________________________________ *** CID 462296: Integer handling issues (SIGN_EXTENSION) /writemsg.cpp: 296 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)() 290 291 useron_level=useron.level; 292 293 if(editor!=NULL) 294 *editor=NULL; 295 >>> CID 462296: Integer handling issues (SIGN_EXTENSION) >>> Suspicious implicit sign extension: "this->cfg.level_linespermsg[useron_level]" with type "uint16_t" (16 bits, unsigned) is promoted in "this->cfg.level_linespermsg[useron_level] * (this->cols - 1 + 2) + 1" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "this->cfg.level_linespermsg[useron_level] * (this->cols - 1 + 2) + 1" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1. 296 if((buf=(char*)malloc((cfg.level_linespermsg[useron_level]*MAX_LINE_LEN) + 1)) 297 ==NULL) { 298 errormsg(WHERE,ERR_ALLOC,fname 299 ,(cfg.level_linespermsg[useron_level]*MAX_LINE_LEN) +1); 300 return(false); 301 } ** CID 462295: Control flow issues (MISSING_BREAK) /tmp/sbbs-Jun-09-2023/src/conio/cterm.c: 3509 in do_ansi() ________________________________________________________________________________________________________ *** CID 462295: Control flow issues (MISSING_BREAK) /tmp/sbbs-Jun-09-2023/src/conio/cterm.c: 3509 in do_ansi() 3503 seq->param_int[0] = cterm->width - j; 3504 MOVETEXT(col, row, max_col - seq->param_int[0], row, col + seq->param_int[0], row); 3505 for(l=0; l < seq->param_int[0]; l++) 3506 PUTCH(' '); 3507 cterm_gotoxy(cterm, i, j); 3508 break; >>> CID 462295: Control flow issues (MISSING_BREAK) >>> The case for value "'A'" is not terminated by a "break" statement. 3509 case 'A': /* Cursor Up */ 3510 clear_lcf(cterm); 3511 case 'k': /* Line Position Backward */ 3512 seq_default(seq, 0, 1); 3513 if (seq->param_int[0] < 1) 3514 break; ** CID 462294: Integer handling issues (NEGATIVE_RETURNS) ________________________________________________________________________________________________________ *** CID 462294: Integer handling issues (NEGATIVE_RETURNS) /netmail.cpp: 1038 in sbbs_t::inetmail(const char *, const char *, int, smb_t *, smbmsg_t *, char **)() 1032 if(remsg != NULL && resmb != NULL && !(mode&WM_QUOTE)) { 1033 if(quotemsg(resmb, remsg, /* include tails: */true)) 1034 mode |= WM_QUOTE; 1035 } 1036 1037 SAFEPRINTF(msgpath,"%snetmail.msg",cfg.node_dir); >>> CID 462294: Integer handling issues (NEGATIVE_RETURNS) >>> A negative constant "-1" is passed as an argument to a parameter that cannot be negative. 1038 if(!writemsg(msgpath,nulstr,title,WM_NETMAIL|mode,INVALID_SUB, to_list, /* from: */your_addr, &editor, &charset)) { 1039 strListFree(&rcpt_list); 1040 bputs(text[Aborted]); 1041 return(false); 1042 } 1043 ** CID 462293: Integer handling issues (NEGATIVE_RETURNS) ________________________________________________________________________________________________________ *** CID 462293: Integer handling issues (NEGATIVE_RETURNS) /netmail.cpp: 200 in sbbs_t::netmail(const char *, const char *, int, smb_t *, smbmsg_t *, char **)() 194 if(remsg != NULL && resmb != NULL && !(mode&WM_QUOTE)) { 195 if(quotemsg(resmb, remsg, /* include tails: */true)) 196 mode |= WM_QUOTE; 197 } 198 199 msg_tmp_fname(useron.xedit, msgpath, sizeof(msgpath)); >>> CID 462293: Integer handling issues (NEGATIVE_RETURNS) >>> A negative constant "-1" is passed as an argument to a parameter that cannot be negative. 200 if(!writemsg(msgpath,nulstr,subj,WM_NETMAIL|mode,INVALID_SUB, to, from, &editor, &charset)) { 201 bputs(text[Aborted]); 202 return(false); 203 } 204 205 if(mode&WM_FILE) { ** CID 462292: (NULL_RETURNS) /execmisc.cpp: 526 in sbbs_t::exec_misc(csi_t *, const char *)() /execmisc.cpp: 526 in sbbs_t::exec_misc(csi_t *, const char *)() ________________________________________________________________________________________________________ *** CID 462292: (NULL_RETURNS) /execmisc.cpp: 526 in sbbs_t::exec_misc(csi_t *, const char *)() 520 if(*pp1!=csi->str && (!*pp1 || i==MAX_SYSVARS)) { 521 if(*pp1) 522 *pp1=(char *)realloc(*pp1,strlen(*pp1)+strlen(*pp2)+1); 523 else 524 *pp1=(char *)realloc(*pp1,strlen(*pp2)+1); 525 } >>> CID 462292: (NULL_RETURNS) >>> Dereferencing a pointer that might be "nullptr" "*pp1" when calling "strcat". [Note: The source code implementation of the function has been overridden by a builtin model.] 526 strcat(*pp1,*pp2); 527 return(0); 528 case FORMAT_STR_VAR: 529 pp=getstrvar(csi,*(int32_t *)csi->ip); 530 csi->ip+=4; /* Skip variable name */ 531 p=format_string(this, csi); /execmisc.cpp: 526 in sbbs_t::exec_misc(csi_t *, const char *)() 520 if(*pp1!=csi->str && (!*pp1 || i==MAX_SYSVARS)) { 521 if(*pp1) 522 *pp1=(char *)realloc(*pp1,strlen(*pp1)+strlen(*pp2)+1); 523 else 524 *pp1=(char *)realloc(*pp1,strlen(*pp2)+1); 525 } >>> CID 462292: (NULL_RETURNS) >>> Dereferencing a pointer that might be "nullptr" "*pp1" when calling "strcat". [Note: The source code implementation of the function has been overridden by a builtin model.] 526 strcat(*pp1,*pp2); 527 return(0); 528 case FORMAT_STR_VAR: 529 pp=getstrvar(csi,*(int32_t *)csi->ip); 530 csi->ip+=4; /* Skip variable name */ 531 p=format_string(this, csi); ** CID 462291: Control flow issues (MISSING_BREAK) /tmp/sbbs-Jun-09-2023/src/conio/cterm.c: 3517 in do_ansi() ________________________________________________________________________________________________________ *** CID 462291: Control flow issues (MISSING_BREAK) /tmp/sbbs-Jun-09-2023/src/conio/cterm.c: 3517 in do_ansi() 3511 case 'k': /* Line Position Backward */ 3512 seq_default(seq, 0, 1); 3513 if (seq->param_int[0] < 1) 3514 break; 3515 adjust_currpos(cterm, 0, 0 - seq->param_int[0], 0); 3516 break; >>> CID 462291: Control flow issues (MISSING_BREAK) >>> The case for value "'B'" is not terminated by a "break" statement. 3517 case 'B': /* Cursor Down */ 3518 clear_lcf(cterm); 3519 case 'e': /* Line Position Forward */ 3520 seq_default(seq, 0, 1); 3521 if (seq->param_int[0] < 1) 3522 break; ** CID 462290: Integer handling issues (NEGATIVE_RETURNS) ________________________________________________________________________________________________________ *** CID 462290: Integer handling issues (NEGATIVE_RETURNS) /netmail.cpp: 1316 in sbbs_t::qnetmail(const char *, const char *, int, smb_t *, smbmsg_t *)() 1310 if(remsg != NULL && resmb != NULL && !(mode&WM_QUOTE)) { 1311 if(quotemsg(resmb, remsg, /* include tails: */true)) 1312 mode |= WM_QUOTE; 1313 } 1314 1315 SAFEPRINTF(msgpath,"%snetmail.msg",cfg.node_dir); >>> CID 462290: Integer handling issues (NEGATIVE_RETURNS) >>> A negative constant "-1" is passed as an argument to a parameter that cannot be negative. 1316 if(!writemsg(msgpath,nulstr,title, (mode|WM_QWKNET|WM_NETMAIL) ,INVALID_SUB,to,/* from: */useron.alias, &editor, &charset)) { 1317 bputs(text[Aborted]); 1318 return(false); 1319 } 1320 1321 if((i=smb_stack(&smb,SMB_STACK_PUSH))!=SMB_SUCCESS) { ** CID 462289: Integer handling issues (NEGATIVE_RETURNS) ________________________________________________________________________________________________________ *** CID 462289: Integer handling issues (NEGATIVE_RETURNS) /bulkmail.cpp: 53 in sbbs_t::bulkmail(unsigned char *)() 47 && !noyes(text[AnonymousQ])) { 48 msg.hdr.attr|=MSG_ANONYMOUS; 49 wm_mode|=WM_ANON; 50 } 51 52 msg_tmp_fname(useron.xedit, msgpath, sizeof(msgpath)); >>> CID 462289: Integer handling issues (NEGATIVE_RETURNS) >>> A negative constant "-1" is passed as an argument to a parameter that cannot be negative. 53 if(!writemsg(msgpath,nulstr,title,wm_mode,INVALID_SUB,"Bulk Mailing" 54 ,/* From: */useron.alias 55 ,&editor 56 ,&charset)) { 57 bputs(text[Aborted]); 58 return(false); ** CID 462288: High impact quality (Y2K38_SAFETY) /upload.cpp: 351 in sbbs_t::upload(int)() ________________________________________________________________________________________________________ *** CID 462288: High impact quality (Y2K38_SAFETY) /upload.cpp: 351 in sbbs_t::upload(int)() 345 SAFEPRINTF(descbeg,text[Rated],toupper(ch)); 346 } 347 if(cfg.dir[dirnum]->misc&DIR_ULDATE) { 348 now=time(NULL); 349 if(descbeg[0]) 350 strcat(descbeg," "); >>> CID 462288: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "this->now" is cast to "time32_t". 351 SAFEPRINTF(str,"%s ",unixtodstr(&cfg,(time32_t)now,tmp)); 352 strcat(descbeg,str); 353 } 354 if(cfg.dir[dirnum]->misc&DIR_MULT) { 355 sync(); 356 if(!noyes(text[MultipleDiskQ])) { ** CID 462287: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 462287: Insecure data handling (TAINTED_SCALAR) /writemsg.cpp: 762 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)() 756 while(!feof(tag)) { 757 if(!fgets(str,sizeof(str),tag)) 758 break; 759 truncsp(str); 760 if(utf8) { 761 char buf[sizeof(str)*4]; >>> CID 462287: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "str" to "cp437_to_utf8_str", which uses it as an offset. 762 cp437_to_utf8_str(str, buf, sizeof(buf) - 1, /* minval: */'\x02'); 763 l+=fprintf(stream,"%s\r\n", buf); 764 } else 765 l+=fprintf(stream,"%s\r\n",str); 766 lines++; /* line counter */ 767 } ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yp-2FP9gGRhvFklLaQKuBylUrkMFB3WMR2p7qIYKYTZrh4BbWTBf-2B-2Fi5ZUVF-2Fo-2B6flxo-3DtLKg_g4j7BHlu96plUOfCQsO0yRjoWZCZl8YGnZ-2FUtT39hrAqovISQpoxJCpfGf5WxBSwicKqoI1-2FF-2FaRmTPl-2BdVuGdSUZJZL-2FtmrL2VG6EaSuRynvnKTam4RxYwMKuXCyGzW07U-2FihjT83mqDNq6SOIYF1Sr-2FPyTE6vlrslg0L6d5zkvnLZ7buAIgjMdQW0NPYYLOxV54tcIwBqmxUNrcgSYSA-3D-3D --- SBBSecho 3.20-Linux * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705) .