Subj : New Defects reported by Coverity Scan for Synchronet To : cov-scan@synchro.net From : scan-admin@coverity.com Date : Sat Mar 23 2024 12:40:16 Hi, Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan. 5 new defect(s) introduced to Synchronet found with Coverity Scan. 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 5 of 5 defect(s) ** CID 488309: Memory - illegal accesses (STRING_NULL) ________________________________________________________________________________________________________ *** CID 488309: Memory - illegal accesses (STRING_NULL) /str.cpp: 344 in sbbs_t::sif(char *, char *, int)() 338 m+=2; 339 for(l=m;l>> CID 488309: Memory - illegal accesses (STRING_NULL) >>> Passing unterminated string "(char *)buf + m" to "getkeys", which expects a null-terminated string. 344 answers[a++]=(char)getkeys((char *)buf+m,0); 345 } 346 else { 347 answers[a]=getkey(mode); 348 outchar(answers[a++]); 349 attr(LIGHTGRAY); ** CID 488308: (STRING_NULL) ________________________________________________________________________________________________________ *** CID 488308: (STRING_NULL) /sbbsecho.c: 3666 in getzpt() 3660 faddr=atofaddr(buf+i+6); 3661 hdr->destzone=faddr.zone; 3662 hdr->destnet=faddr.net; 3663 hdr->destnode=faddr.node; 3664 i+=6; 3665 while(buf[i] && buf[i]!=' ') i++; >>> CID 488308: (STRING_NULL) >>> Passing unterminated string "buf + i + 1" to "atofaddr", which expects a null-terminated string. 
3666 faddr=atofaddr(buf+i+1); 3667 hdr->origzone=faddr.zone; 3668 hdr->orignet=faddr.net; 3669 hdr->orignode=faddr.node; 3670 intl_found = true; 3671 } /sbbsecho.c: 3660 in getzpt() 3654 if((!i || cr) && buf[i]==CTRL_A) { /* kludge */ 3655 if(!strncmp(buf+i+1,"TOPT ",5)) 3656 hdr->destpoint=atoi(buf+i+6); 3657 else if(!strncmp(buf+i+1,"FMPT ",5)) 3658 hdr->origpoint=atoi(buf+i+6); 3659 else if(!strncmp(buf+i+1,"INTL ",5)) { >>> CID 488308: (STRING_NULL) >>> Passing unterminated string "buf + i + 6" to "atofaddr", which expects a null-terminated string. 3660 faddr=atofaddr(buf+i+6); 3661 hdr->destzone=faddr.zone; 3662 hdr->destnet=faddr.net; 3663 hdr->destnode=faddr.node; 3664 i+=6; 3665 while(buf[i] && buf[i]!=' ') i++; ** CID 488307: Memory - illegal accesses (STRING_NULL) ________________________________________________________________________________________________________ *** CID 488307: Memory - illegal accesses (STRING_NULL) /tmp/sbbs-Mar-23-2024/src/smblib/smblib.c: 1085 in smb_getmsghdr() 1079 !=(size_t)msg->hfield[i].length) { 1080 safe_snprintf(smb->last_error,sizeof(smb->last_error) 1081 ,"%s reading header (#%d) field data (%d bytes)", __FUNCTION__, (int)i, (int)msg->hfield[i].length); 1082 smb_freemsgmem(msg); 1083 return(SMB_ERR_READ); 1084 } >>> CID 488307: Memory - illegal accesses (STRING_NULL) >>> Passing unterminated string "msg->hfield_dat[i]" to "set_convenience_ptr", which expects a null-terminated string. 
1085 set_convenience_ptr(msg,msg->hfield[i].type,msg->hfield[i].length,msg->hfield_dat[i]); 1086 1087 l+=msg->hfield[i].length; 1088 } 1089 1090 /* These convenience pointers must point to something */ ** CID 488306: (STRING_NULL) /sauce.c: 60 in sauce_fread_charinfo() /sauce.c: 62 in sauce_fread_charinfo() /sauce.c: 59 in sauce_fread_charinfo() /sauce.c: 61 in sauce_fread_charinfo() ________________________________________________________________________________________________________ *** CID 488306: (STRING_NULL) /sauce.c: 60 in sauce_fread_charinfo() 54 55 if(type != NULL) 56 *type = record.filetype; 57 if(info != NULL) { 58 memset(info, 0, sizeof(*info)); 59 SAFECOPY(info->title, record.title); truncsp(info->title); >>> CID 488306: (STRING_NULL) >>> Passing unterminated string "record.author" to "strlcpy", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.] 60 SAFECOPY(info->author, record.author); truncsp(info->author); 61 SAFECOPY(info->group, record.group); truncsp(info->group); 62 SAFECOPY(info->date, record.date); truncsp(info->date); 63 info->width = record.tinfo1; 64 info->height = record.tinfo2; 65 switch(record.filetype) { /sauce.c: 62 in sauce_fread_charinfo() 56 *type = record.filetype; 57 if(info != NULL) { 58 memset(info, 0, sizeof(*info)); 59 SAFECOPY(info->title, record.title); truncsp(info->title); 60 SAFECOPY(info->author, record.author); truncsp(info->author); 61 SAFECOPY(info->group, record.group); truncsp(info->group); >>> CID 488306: (STRING_NULL) >>> Passing unterminated string "record.date" to "strlcpy", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.] 
62 SAFECOPY(info->date, record.date); truncsp(info->date); 63 info->width = record.tinfo1; 64 info->height = record.tinfo2; 65 switch(record.filetype) { 66 case sauce_char_filetype_ascii: 67 case sauce_char_filetype_ansi: /sauce.c: 59 in sauce_fread_charinfo() 53 return false; 54 55 if(type != NULL) 56 *type = record.filetype; 57 if(info != NULL) { 58 memset(info, 0, sizeof(*info)); >>> CID 488306: (STRING_NULL) >>> Passing unterminated string "record.title" to "strlcpy", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.] 59 SAFECOPY(info->title, record.title); truncsp(info->title); 60 SAFECOPY(info->author, record.author); truncsp(info->author); 61 SAFECOPY(info->group, record.group); truncsp(info->group); 62 SAFECOPY(info->date, record.date); truncsp(info->date); 63 info->width = record.tinfo1; 64 info->height = record.tinfo2; /sauce.c: 61 in sauce_fread_charinfo() 55 if(type != NULL) 56 *type = record.filetype; 57 if(info != NULL) { 58 memset(info, 0, sizeof(*info)); 59 SAFECOPY(info->title, record.title); truncsp(info->title); 60 SAFECOPY(info->author, record.author); truncsp(info->author); >>> CID 488306: (STRING_NULL) >>> Passing unterminated string "record.group" to "strlcpy", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.] 
61 SAFECOPY(info->group, record.group); truncsp(info->group); 62 SAFECOPY(info->date, record.date); truncsp(info->date); 63 info->width = record.tinfo1; 64 info->height = record.tinfo2; 65 switch(record.filetype) { 66 case sauce_char_filetype_ascii: ** CID 488305: Memory - corruptions (STRING_OVERFLOW) /uedit/uedit.c: 1908 in main() ________________________________________________________________________________________________________ *** CID 488305: Memory - corruptions (STRING_OVERFLOW) /uedit/uedit.c: 1908 in main() 1902 1903 sbbs_get_ini_fname(ini_file, ctrl_dir); 1904 1905 /* Initialize BBS startup structure */ 1906 memset(&bbs_startup,0,sizeof(bbs_startup)); 1907 bbs_startup.size=sizeof(bbs_startup); >>> CID 488305: Memory - corruptions (STRING_OVERFLOW) >>> You might overrun the 1024-character destination string "bbs_startup.ctrl_dir" by writing 4097 characters from "ctrl_dir". 1908 strcpy(bbs_startup.ctrl_dir,ctrl_dir); 1909 1910 /* Read .ini file here */ 1911 if(ini_file[0]!=0 && (fp=fopen(ini_file,"r"))!=NULL) { 1912 printf("Reading %s\n",ini_file); 1913 /* We call this function to set defaults, even if there's no .ini file */ ________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3DTnRX_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQaEw-2F35bzGVOVw-2BfAgK10nKBe2EaCuOVThBtA4zmIf-2FH6jtPrg8CF4KIxfGxqbWYZGzK5dEjEeJjcG-2FZFDV9g6z-2BKMwuy3tSgd6XVj6QkX-2FbE7goOVxulE2g8b9eGhrdwq7nNngW7QJqRO3KLACCgsN-2Bn56lb9VdBetusZbl3sfvQ-3D-3D --- SBBSecho 3.20-Linux * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705) .