Subj : New Defects reported by Coverity Scan for Synchronet To : cov-scan@synchro.net From : scan-admin@coverity.com Date : Wed Feb 28 2024 13:40:48 Hi, Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan. 23 new defect(s) introduced to Synchronet found with Coverity Scan. 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 23 defect(s) ** CID 487180: Memory - corruptions (BUFFER_SIZE) /sftp.cpp: 1388 in sftp_readdir(sftp_string *, void *)() ________________________________________________________________________________________________________ *** CID 487180: Memory - corruptions (BUFFER_SIZE) /sftp.cpp: 1388 in sftp_readdir(sftp_string *, void *)() 1382 return generic_dot_entry(sbbs, dir, tmppath, &dd->info.rootdir.idx); 1383 } 1384 if (dd->info.rootdir.idx == dotdot) { 1385 if (pm->sftp_patt[1]) { 1386 char *dir = const_cast(".."); 1387 snprintf(tmppath, sizeof(tmppath) - 2 /* for dir */, pm->sftp_patt, sbbs->useron.alias); >>> CID 487180: Memory - corruptions (BUFFER_SIZE) >>> Buffer "tmppath" has a size of 4097 characters, and its string length (null character not included) is 4095 characters, leaving an available space of 2 characters. Appending "dir", whose string length (null character not included) is 2 characters, plus the null character overruns "tmppath". 
1388 strcat(tmppath, dir); 1389 return generic_dot_realpath_entry(sbbs, dir, tmppath, &dd->info.rootdir.idx); 1390 } 1391 else 1392 dd->info.rootdir.idx++; 1393 } ** CID 487179: (MISSING_LOCK) /tmp/sbbs-Feb-28-2024/src/sftp/sftp_static.h: 63 in exit_function() /tmp/sbbs-Feb-28-2024/src/sftp/sftp_static.h: 63 in exit_function() ________________________________________________________________________________________________________ *** CID 487179: (MISSING_LOCK) /tmp/sbbs-Feb-28-2024/src/sftp/sftp_static.h: 63 in exit_function() 57 } 58 59 static bool 60 exit_function(SFTP_STATIC_TYPE state, bool retval) 61 { 62 assert(state->running > 0); >>> CID 487179: (MISSING_LOCK) >>> Accessing "state->running" without holding lock "sftp_client_state.mtx". Elsewhere, "sftp_client_state.running" is written to with "sftp_client_state.mtx" held 1 out of 2 times (1 of these accesses strongly imply that it is necessary). 63 state->running--; 64 pthread_mutex_unlock(&state->mtx); 65 return retval; 66 } 67 68 static bool /tmp/sbbs-Feb-28-2024/src/sftp/sftp_static.h: 63 in exit_function() 57 } 58 59 static bool 60 exit_function(SFTP_STATIC_TYPE state, bool retval) 61 { 62 assert(state->running > 0); >>> CID 487179: (MISSING_LOCK) >>> Accessing "state->running" without holding lock "sftp_server_state.mtx". Elsewhere, "sftp_server_state.running" is written to with "sftp_server_state.mtx" held 1 out of 2 times (1 of these accesses strongly imply that it is necessary). 
63 state->running--; 64 pthread_mutex_unlock(&state->mtx); 65 return retval; 66 } 67 68 static bool ** CID 487178: (RESOURCE_LEAK) /tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 78 in s_open() /tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 72 in s_open() /tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 82 in s_open() /tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 68 in s_open() ________________________________________________________________________________________________________ *** CID 487178: (RESOURCE_LEAK) /tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 78 in s_open() 72 return true; 73 } 74 } 75 if (!(flags & SSH_FXF_CREAT)) { 76 if (flags & SSH_FXF_TRUNC) { 77 sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't truncate unless creating"); >>> CID 487178: (RESOURCE_LEAK) >>> Variable "fname" going out of scope leaks the storage it points to. 78 return true; 79 } 80 if (flags & SSH_FXF_EXCL) { 81 sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't open exclisive unless creating"); 82 return true; 83 } /tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 72 in s_open() 66 if (flags & SSH_FXF_CREAT) { 67 sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't create unless writing"); 68 return true; 69 } 70 if (flags & SSH_FXF_APPEND) { 71 sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't append unless writing"); >>> CID 487178: (RESOURCE_LEAK) >>> Variable "fname" going out of scope leaks the storage it points to. 
72 return true; 73 } 74 } 75 if (!(flags & SSH_FXF_CREAT)) { 76 if (flags & SSH_FXF_TRUNC) { 77 sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't truncate unless creating"); /tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 82 in s_open() 76 if (flags & SSH_FXF_TRUNC) { 77 sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't truncate unless creating"); 78 return true; 79 } 80 if (flags & SSH_FXF_EXCL) { 81 sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't open exclisive unless creating"); >>> CID 487178: (RESOURCE_LEAK) >>> Variable "fname" going out of scope leaks the storage it points to. 82 return true; 83 } 84 } 85 attrs = sftp_getfattr(state->rxp); 86 if (attrs == NULL) { 87 free_sftp_str(fname); /tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 68 in s_open() 62 if (fname == NULL) 63 return false; 64 flags = get32(state); 65 if (!(flags & SSH_FXF_WRITE)) { 66 if (flags & SSH_FXF_CREAT) { 67 sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't create unless writing"); >>> CID 487178: (RESOURCE_LEAK) >>> Variable "fname" going out of scope leaks the storage it points to. 68 return true; 69 } 70 if (flags & SSH_FXF_APPEND) { 71 sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't append unless writing"); 72 return true; 73 } ** CID 487177: (Y2K38_SAFETY) /sftp.cpp: 433 in homefile_attrs(sbbs_t *, const char *)() /sftp.cpp: 433 in homefile_attrs(sbbs_t *, const char *)() ________________________________________________________________________________________________________ *** CID 487177: (Y2K38_SAFETY) /sftp.cpp: 433 in homefile_attrs(sbbs_t *, const char *)() 427 if (attr == nullptr) 428 return nullptr; 429 sftp_fattr_set_permissions(attr, S_IFREG | S_IRWXU | S_IRUSR | S_IWUSR); 430 sftp_fattr_set_uid_gid(attr, sbbs->useron.number, users_gid); 431 sftp_fattr_set_size(attr, flength(path)); 432 time_t fd = fdate(path); >>> CID 487177: (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. 
The expression "fd" is cast to "uint32_t". 433 sftp_fattr_set_times(attr, fd, fd); 434 return attr; 435 } 436 437 static sftp_file_attr_t 438 sshkeys_attrs(sbbs_t *sbbs, const char *path) /sftp.cpp: 433 in homefile_attrs(sbbs_t *, const char *)() 427 if (attr == nullptr) 428 return nullptr; 429 sftp_fattr_set_permissions(attr, S_IFREG | S_IRWXU | S_IRUSR | S_IWUSR); 430 sftp_fattr_set_uid_gid(attr, sbbs->useron.number, users_gid); 431 sftp_fattr_set_size(attr, flength(path)); 432 time_t fd = fdate(path); >>> CID 487177: (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "fd" is cast to "uint32_t". 433 sftp_fattr_set_times(attr, fd, fd); 434 return attr; 435 } 436 437 static sftp_file_attr_t 438 sshkeys_attrs(sbbs_t *sbbs, const char *path) ** CID 487176: (RESOURCE_LEAK) /sftp.cpp: 741 in find_lib(sbbs_t *, const char *)() /sftp.cpp: 741 in find_lib(sbbs_t *, const char *)() ________________________________________________________________________________________________________ *** CID 487176: (RESOURCE_LEAK) /sftp.cpp: 741 in find_lib(sbbs_t *, const char *)() 735 *c = 0; 736 for (l = 0; l < sbbs->cfg.total_libs; l++) { 737 if (!can_user_access_lib(&sbbs->cfg, l, &sbbs->useron, &sbbs->client)) 738 continue; 739 exp = expand_slash(sbbs->cfg.lib[l]->lname); 740 if (exp == nullptr) >>> CID 487176: (RESOURCE_LEAK) >>> Variable "p" going out of scope leaks the storage it points to. 741 return -1; 742 if (strcmp(p, exp)) { 743 free(exp); 744 continue; 745 } 746 free(exp); /sftp.cpp: 741 in find_lib(sbbs_t *, const char *)() 735 *c = 0; 736 for (l = 0; l < sbbs->cfg.total_libs; l++) { 737 if (!can_user_access_lib(&sbbs->cfg, l, &sbbs->useron, &sbbs->client)) 738 continue; 739 exp = expand_slash(sbbs->cfg.lib[l]->lname); 740 if (exp == nullptr) >>> CID 487176: (RESOURCE_LEAK) >>> Variable "p" going out of scope leaks the storage it points to. 
741 return -1; 742 if (strcmp(p, exp)) { 743 free(exp); 744 continue; 745 } 746 free(exp); ** CID 487175: Resource leaks (RESOURCE_LEAK) /sftp.cpp: 1517 in sftp_readdir(sftp_string *, void *)() ________________________________________________________________________________________________________ *** CID 487175: Resource leaks (RESOURCE_LEAK) /sftp.cpp: 1517 in sftp_readdir(sftp_string *, void *)() 1511 } 1512 attr = get_dir_attrs(sbbs, dd->info.filebase.idx); 1513 if (attr == nullptr) 1514 return sftps_send_error(sbbs->sftp_state, SSH_FX_FAILURE, "Attributes allocation failure"); 1515 ename = expand_slash(sbbs->cfg.dir[dd->info.filebase.idx]->lname); 1516 if (ename == nullptr) >>> CID 487175: Resource leaks (RESOURCE_LEAK) >>> Variable "attr" going out of scope leaks the storage it points to. 1517 return sftps_send_error(sbbs->sftp_state, SSH_FX_FAILURE, "EName allocation failure"); 1518 lname = get_longname(sbbs, ename, nullptr, attr); 1519 if (lname == nullptr) { 1520 free(ename); 1521 sftp_fattr_free(attr); 1522 return sftps_send_error(sbbs->sftp_state, SSH_FX_FAILURE, "Longname allocation failure"); ** CID 487174: Code maintainability issues (UNUSED_VALUE) /main.cpp: 1993 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)() ________________________________________________________________________________________________________ *** CID 487174: Code maintainability issues (UNUSED_VALUE) /main.cpp: 1993 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)() 1987 1988 if (cid != sbbs->sftp_channel && cid != sbbs->session_channel) { 1989 lprintf(LOG_WARNING, "Node %d SSH WARNING: attempt to use channel '%s' (%d != %d or %d)" 1990 , sbbs->cfg.node_num, cname ? cname : "", cid, sbbs->session_channel, sbbs->sftp_channel); 1991 if (cname) { 1992 free_crypt_attrstr(cname); >>> CID 487174: Code maintainability issues (UNUSED_VALUE) >>> Assigning value "NULL" to "cname" here, but that stored value is overwritten before it can be used. 
1993 cname = nullptr; 1994 } 1995 if (ssname) { 1996 free_crypt_attrstr(ssname); 1997 ssname = nullptr; 1998 } ** CID 487173: Program hangs (LOCK) /sftp.cpp: 987 in sftp_send(unsigned char *, unsigned long, void *)() ________________________________________________________________________________________________________ *** CID 487173: Program hangs (LOCK) /sftp.cpp: 987 in sftp_send(unsigned char *, unsigned long, void *)() 981 if (sbbs->sftp_channel == -1) 982 return false; 983 while (sent < len) { 984 pthread_mutex_lock(&sbbs->ssh_mutex); 985 status = cryptSetAttribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL, sbbs->sftp_channel); 986 if (cryptStatusError(status)) >>> CID 487173: Program hangs (LOCK) >>> Returning without unlocking "sbbs->ssh_mutex". 987 return false; 988 size_t sendbytes = len - sent; 989 #define SENDBYTES_MAX 0x2000 990 if (sendbytes > SENDBYTES_MAX) 991 sendbytes = SENDBYTES_MAX; 992 status = cryptSetAttribute(sbbs->ssh_session, CRYPT_OPTION_NET_WRITETIMEOUT, 5); ** CID 487172: Incorrect expression (CONSTANT_EXPRESSION_RESULT) /sftp.cpp: 171 in path_map::path_map(sbbs_t *, const unsigned char *, map_path_mode)() ________________________________________________________________________________________________________ *** CID 487172: Incorrect expression (CONSTANT_EXPRESSION_RESULT) /sftp.cpp: 171 in path_map::path_map(sbbs_t *, const unsigned char *, map_path_mode)() 165 return; 166 } 167 this->is_static_ = false; 168 this->info.filebase.dir = -1; 169 this->info.filebase.lib = -1; 170 this->info.filebase.idx = dot; >>> CID 487172: Incorrect expression (CONSTANT_EXPRESSION_RESULT) >>> The expression "this->sftp_path[6UL /* files_path_len */] == 0 || this->sftp_path[6UL /* files_path_len */] == 0" does not accomplish anything because it evaluates to either of its identical operands, "this->sftp_path[6UL /* files_path_len */] == 0". 171 if (this->sftp_path[files_path_len] == 0 || this->sftp_path[files_path_len] == 0) { 172 // Root... 
173 result_ = MAP_TO_DIR; 174 return; 175 } 176 const char *lib = &this->sftp_path[files_path_len + 1]; ** CID 487171: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Feb-28-2024/src/sftp/sftp_attr.c: 324 in sftp_getfattr() ________________________________________________________________________________________________________ *** CID 487171: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Feb-28-2024/src/sftp/sftp_attr.c: 324 in sftp_getfattr() 318 ret->atime = sftp_get32(pkt); 319 ret->mtime = sftp_get32(pkt); 320 } 321 if (ret->flags & SSH_FILEXFER_ATTR_EXTENDED) { 322 uint32_t extcnt = sftp_get32(pkt); 323 uint32_t ext; >>> CID 487171: Insecure data handling (TAINTED_SCALAR) >>> Using tainted variable "extcnt" as a loop boundary. 324 for (ext = 0; ext < extcnt; ext++) { 325 sftp_str_t type = sftp_getstring(pkt); 326 if (type == NULL) 327 break; 328 sftp_str_t data = sftp_getstring(pkt); 329 if (data == NULL) { ** CID 487170: Security best practices violations (TOCTOU) /sftp.cpp: 1147 in sftp_open(sftp_string *, unsigned int, sftp_file_attributes *, void *)() ________________________________________________________________________________________________________ *** CID 487170: Security best practices violations (TOCTOU) /sftp.cpp: 1147 in sftp_open(sftp_string *, unsigned int, sftp_file_attributes *, void *)() 1141 sbbs->sftp_filedes[fdidx]->dir = -1; 1142 else { 1143 sbbs->sftp_filedes[fdidx]->dir = pmap.info.filebase.dir; 1144 sbbs->sftp_filedes[fdidx]->idx_offset = pmap.info.filebase.offset; 1145 sbbs->sftp_filedes[fdidx]->idx_number = pmap.info.filebase.idx; 1146 } >>> CID 487170: Security best practices violations (TOCTOU) >>> Calling function "access" to perform check on "pmap.local_path". 
1147 if (access(pmap.local_path, F_OK) != 0) { 1148 // File did not exist, and we're creating 1149 if (oflags & O_CREAT) { 1150 sbbs->sftp_filedes[fdidx]->created = true; 1151 } 1152 } ** CID 487169: Error handling issues (CHECKED_RETURN) /sftp.cpp: 1044 in sftp_cleanup_callback(void *)() ________________________________________________________________________________________________________ *** CID 487169: Error handling issues (CHECKED_RETURN) /sftp.cpp: 1044 in sftp_cleanup_callback(void *)() 1038 1039 for (unsigned i = 0; i < nfdes; i++) { 1040 if (sbbs->sftp_filedes[i] != nullptr) { 1041 close(sbbs->sftp_filedes[i]->fd); 1042 if (sbbs->sftp_filedes[i]->created && sbbs->sftp_filedes[i]->local_path) { 1043 // If we were uploading, delete the incomplete file >>> CID 487169: Error handling issues (CHECKED_RETURN) >>> Calling "remove(sbbs->sftp_filedes[i]->local_path)" without checking return value. This library function may fail and return an error code. 1044 remove(sbbs->sftp_filedes[i]->local_path); 1045 } 1046 free(sbbs->sftp_filedes[i]->local_path); 1047 free(sbbs->sftp_filedes[i]); 1048 sbbs->sftp_filedes[i] = nullptr; 1049 } ** CID 487168: (UNUSED_VALUE) /tmp/sbbs-Feb-28-2024/3rdp/src/cl/session/ssh2_msgsvr.c: 679 in processChannelRequest() /tmp/sbbs-Feb-28-2024/3rdp/src/cl/session/ssh2_msgsvr.c: 691 in processChannelRequest() ________________________________________________________________________________________________________ *** CID 487168: (UNUSED_VALUE) /tmp/sbbs-Feb-28-2024/3rdp/src/cl/session/ssh2_msgsvr.c: 679 in processChannelRequest() 673 setChannelAttribute(sessionInfoPtr, CRYPT_SESSINFO_SSH_CHANNEL_WIDTH, status); 674 status = readUint32(stream); 675 if (status > 0) 676 setChannelAttribute(sessionInfoPtr, CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT, status); 677 break; 678 case REQUEST_SHELL: >>> CID 487168: (UNUSED_VALUE) >>> Assigning value from "setChannelAttributeS(sessionInfoPtr, CRYPT_SESSINFO_SSH_CHANNEL_TYPE, "shell", 5)" to "status" here, but 
that stored value is overwritten before it can be used. 679 status = setChannelAttributeS( sessionInfoPtr, 680 CRYPT_SESSINFO_SSH_CHANNEL_TYPE, 681 "shell", 5 ); 682 break; 683 case REQUEST_NOOP: 684 /* Generic requests containing extra information that we're not /tmp/sbbs-Feb-28-2024/3rdp/src/cl/session/ssh2_msgsvr.c: 691 in processChannelRequest() 685 interested in */ 686 break; 687 688 #ifdef USE_SSH_EXTENDED 689 case REQUEST_EXEC: 690 /* A further generic request that we're not interested in */ >>> CID 487168: (UNUSED_VALUE) >>> Assigning value from "setChannelAttributeS(sessionInfoPtr, CRYPT_SESSINFO_SSH_CHANNEL_TYPE, "exec", 4)" to "status" here, but that stored value is overwritten before it can be used. 691 status = setChannelAttributeS( sessionInfoPtr, 692 CRYPT_SESSINFO_SSH_CHANNEL_TYPE, 693 "exec", 4 ); 694 break; 695 696 case REQUEST_SUBSYSTEM: ** CID 487167: Program hangs (LOCK) /main.cpp: 2048 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)() ________________________________________________________________________________________________________ *** CID 487167: Program hangs (LOCK) /main.cpp: 2048 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)() 2042 if (closed && sbbs->sftp_channel == -1 && sbbs->session_channel == -1) 2043 return CRYPT_ERROR_COMPLETE; 2044 } 2045 } 2046 if (ret == CRYPT_ENVELOPE_RESOURCE) 2047 return CRYPT_ERROR_TIMEOUT; >>> CID 487167: Program hangs (LOCK) >>> Returning without unlocking "sbbs->sftp_state->mtx". 
2048 return ret; 2049 } 2050 return CRYPT_ERROR_TIMEOUT; 2051 } 2052 2053 void input_thread(void *arg) ** CID 487166: (CHECKED_RETURN) /main.cpp: 2036 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)() /main.cpp: 2028 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)() ________________________________________________________________________________________________________ *** CID 487166: (CHECKED_RETURN) /main.cpp: 2036 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)() 2030 closed = true; 2031 } 2032 } 2033 if (sbbs->session_channel != -1) { 2034 if (!channel_open(sbbs, sbbs->session_channel)) { 2035 if (cryptStatusOK(cryptSetAttribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL, sbbs->session_channel))) >>> CID 487166: (CHECKED_RETURN) >>> Calling "cryptSetAttribute" without checking return value (as is done elsewhere 50 out of 61 times). 2036 cryptSetAttribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE, 0); 2037 sbbs->session_channel = -1; 2038 closed = true; 2039 } 2040 } 2041 // All channels are now closed. /main.cpp: 2028 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)() 2022 if (status != CRYPT_ERROR_NOTFOUND) 2023 sbbs->log_crypt_error_status_sock(status, "getting channel id"); 2024 closing_channel = -1; 2025 if (sbbs->sftp_channel != -1) { 2026 if (!channel_open(sbbs, sbbs->sftp_channel)) { 2027 if (cryptStatusOK(cryptSetAttribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL, sbbs->sftp_channel))) >>> CID 487166: (CHECKED_RETURN) >>> Calling "cryptSetAttribute" without checking return value (as is done elsewhere 50 out of 61 times). 
2028 cryptSetAttribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE, 0); 2029 sbbs->sftp_channel = -1; 2030 closed = true; 2031 } 2032 } 2033 if (sbbs->session_channel != -1) { ** CID 487165: (REVERSE_INULL) /main.cpp: 1984 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)() /main.cpp: 1975 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)() ________________________________________________________________________________________________________ *** CID 487165: (REVERSE_INULL) /main.cpp: 1984 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)() 1978 if (!sftps_recv(sbbs->sftp_state, reinterpret_cast(inbuf), tgot)) 1979 sbbs->sftp_end(); 1980 } 1981 sbbs->sftp_channel = cid; 1982 } 1983 } >>> CID 487165: (REVERSE_INULL) >>> Null-checking "cname" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. 1984 if (cname && sbbs->session_channel == -1 && strcmp(cname, "shell") == 0) { 1985 sbbs->session_channel = cid; 1986 } 1987 1988 if (cid != sbbs->sftp_channel && cid != sbbs->session_channel) { 1989 lprintf(LOG_WARNING, "Node %d SSH WARNING: attempt to use channel '%s' (%d != %d or %d)" /main.cpp: 1975 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)() 1969 return status; 1970 } 1971 cname = get_crypt_attribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_TYPE); 1972 if (strcmp(cname, "subsystem") == 0) { 1973 ssname = get_crypt_attribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_ARG1); 1974 } >>> CID 487165: (REVERSE_INULL) >>> Null-checking "cname" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. 
1975 if (((startup->options & (BBS_OPT_ALLOW_SFTP | BBS_OPT_SSH_ANYAUTH)) == BBS_OPT_ALLOW_SFTP) && ssname && cname && sbbs->sftp_channel == -1 && strcmp(ssname, "sftp") == 0) { 1976 if (sbbs->init_sftp(cid)) { 1977 if (tgot > 0) { 1978 if (!sftps_recv(sbbs->sftp_state, reinterpret_cast(inbuf), tgot)) 1979 sbbs->sftp_end(); 1980 } ** CID 487164: Resource leaks (RESOURCE_LEAK) /sftp.cpp: 1424 in sftp_readdir(sftp_string *, void *)() ________________________________________________________________________________________________________ *** CID 487164: Resource leaks (RESOURCE_LEAK) /sftp.cpp: 1424 in sftp_readdir(sftp_string *, void *)() 1418 continue; 1419 } 1420 sprintf(tmppath, static_files[dd->info.rootdir.idx].sftp_patt, sbbs->useron.alias); 1421 remove_trailing_slash(tmppath); 1422 attr = get_attrs(sbbs, tmppath, &link); 1423 if (attr == nullptr) >>> CID 487164: Resource leaks (RESOURCE_LEAK) >>> Variable "link" going out of scope leaks the storage it points to. 1424 return sftps_send_error(sbbs->sftp_state, SSH_FX_FAILURE, "Attributes allocation failure"); 1425 lname = get_longname(sbbs, tmppath, link, attr); 1426 if (lname == nullptr) { 1427 sftp_fattr_free(attr); 1428 return sftps_send_error(sbbs->sftp_state, SSH_FX_FAILURE, "Longname allocation failure"); 1429 } ** CID 487163: Program hangs (LOCK) /tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 373 in sftps_recv() ________________________________________________________________________________________________________ *** CID 487163: Program hangs (LOCK) /tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 373 in sftps_recv() 367 if (!sftp_rx_pkt_append(&state->rxp, buf, sz)) 368 return exit_function(state, false); 369 if (sftp_have_pkt_sz(state->rxp)) { 370 uint32_t psz = sftp_pkt_sz(state->rxp); 371 if (psz > SFTP_MAX_PACKET_SIZE) { 372 state->lprintf(state->cb_data, "Packet too large (%" PRIu32 " bytes)", psz); >>> CID 487163: Program hangs (LOCK) >>> Returning without unlocking "state->mtx". 
373 return false; 374 } 375 } 376 while (sftp_have_full_pkt(state->rxp)) { 377 bool handled = false; 378 ** CID 487162: Control flow issues (DEADCODE) /sftp.cpp: 871 in get_attrs(sbbs_t *, const char *, char **)() ________________________________________________________________________________________________________ *** CID 487162: Control flow issues (DEADCODE) /sftp.cpp: 871 in get_attrs(sbbs_t *, const char *, char **)() 865 else 866 ppath[0] = 0; 867 ret = pm->get_attrs(sbbs, ppath); 868 if (link && pm->link_patt) { 869 asprintf(link, pm->link_patt, sbbs->useron.alias); 870 if (link == nullptr) { >>> CID 487162: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "sftp_fattr_free(ret);". 871 sftp_fattr_free(ret); 872 ret = nullptr; 873 } 874 } 875 return ret; 876 } ** CID 487161: (Y2K38_SAFETY) /sftp.cpp: 448 in sshkeys_attrs(sbbs_t *, const char *)() /sftp.cpp: 448 in sshkeys_attrs(sbbs_t *, const char *)() ________________________________________________________________________________________________________ *** CID 487161: (Y2K38_SAFETY) /sftp.cpp: 448 in sshkeys_attrs(sbbs_t *, const char *)() 442 if (attr == nullptr) 443 return nullptr; 444 sftp_fattr_set_permissions(attr, S_IFLNK | S_IRWXU | S_IRUSR | S_IWUSR); 445 sftp_fattr_set_uid_gid(attr, sbbs->useron.number, users_gid); 446 sftp_fattr_set_size(attr, flength(path)); 447 time_t fd = fdate(path); >>> CID 487161: (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "fd" is cast to "uint32_t". 
448 sftp_fattr_set_times(attr, fd, fd); 449 return attr; 450 } 451 452 void 453 remove_trailing_slash(char *str) /sftp.cpp: 448 in sshkeys_attrs(sbbs_t *, const char *)() 442 if (attr == nullptr) 443 return nullptr; 444 sftp_fattr_set_permissions(attr, S_IFLNK | S_IRWXU | S_IRUSR | S_IWUSR); 445 sftp_fattr_set_uid_gid(attr, sbbs->useron.number, users_gid); 446 sftp_fattr_set_size(attr, flength(path)); 447 time_t fd = fdate(path); >>> CID 487161: (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "fd" is cast to "uint32_t". 448 sftp_fattr_set_times(attr, fd, fd); 449 return attr; 450 } 451 452 void 453 remove_trailing_slash(char *str) ________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3D4ieG_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQZz6Lg2xx1dh6E9z4lSXKW4n9yiZaua5LbXznpVF4MIwbp178psQJ2n-2Fpok7ErzI9IlNJTrPj-2F83NUNTOEjSUjSMYrpz0XVq0IKvzP47fjT8ZUoPS4k4FQsPlqiTS940mDZqL8H0V26aTBOs1jlgpdGUT2g7d1Ei-2FiSNIWvXxdCeA-3D-3D --- SBBSecho 3.20-Linux * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705) .