Subj : New Defects reported by Coverity Scan for Synchronet To : cov-scan@synchro.net From : scan-admin@coverity.com Date : Sun Apr 04 2021 13:12:49 Hi, Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan. 53 new defect(s) introduced to Synchronet found with Coverity Scan. 67 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 53 defect(s) ** CID 330997: Error handling issues (CHECKED_RETURN) /ftpsrvr.c: 926 in receive_thread() ________________________________________________________________________________________________________ *** CID 330997: Error handling issues (CHECKED_RETURN) /ftpsrvr.c: 926 in receive_thread() 920 921 *xfer.aborted=FALSE; 922 if(xfer.filepos || startup->options&FTP_OPT_DEBUG_DATA) 923 lprintf(LOG_DEBUG,"%04d <%s> DATA socket %d receiving %s from offset %"PRIdOFF 924 ,xfer.ctrl_sock,xfer.user->alias, *xfer.data_sock,xfer.filename,xfer.filepos); 925 >>> CID 330997: Error handling issues (CHECKED_RETURN) >>> Calling "fseeko(fp, xfer.filepos, 0)" without checking return value. This library function may fail and return an error code. 926 fseeko(fp,xfer.filepos,SEEK_SET); 927 last_report=start=time(NULL); 928 while(1) { 929 930 now=time(NULL); 931 ** CID 330996: (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 330996: (TAINTED_SCALAR) /js_msgbase.c: 2257 in js_remove_msg() 2251 rc=JS_SUSPENDREQUEST(cx); 2252 if((p->smb_result=smb_getmsgidx(&(p->smb), &msg))==SMB_SUCCESS 2253 && (p->smb_result=smb_getmsghdr(&(p->smb), &msg))==SMB_SUCCESS) { 2254 2255 msg.hdr.attr|=MSG_DELETE; 2256 >>> CID 330996: (TAINTED_SCALAR) >>> Passing tainted expression "msg.hdr" to "smb_updatemsg", which uses it as a loop boundary. 
2257 if((p->smb_result=smb_updatemsg(&(p->smb), &msg))==SMB_SUCCESS) 2258 JS_SET_RVAL(cx, arglist, JSVAL_TRUE); 2259 } 2260 2261 smb_freemsgmem(&msg); 2262 JS_RESUMEREQUEST(cx, rc); /js_msgbase.c: 2257 in js_remove_msg() 2251 rc=JS_SUSPENDREQUEST(cx); 2252 if((p->smb_result=smb_getmsgidx(&(p->smb), &msg))==SMB_SUCCESS 2253 && (p->smb_result=smb_getmsghdr(&(p->smb), &msg))==SMB_SUCCESS) { 2254 2255 msg.hdr.attr|=MSG_DELETE; 2256 >>> CID 330996: (TAINTED_SCALAR) >>> Passing tainted expression "*msg.hfield" to "smb_updatemsg", which uses it as an offset. 2257 if((p->smb_result=smb_updatemsg(&(p->smb), &msg))==SMB_SUCCESS) 2258 JS_SET_RVAL(cx, arglist, JSVAL_TRUE); 2259 } 2260 2261 smb_freemsgmem(&msg); 2262 JS_RESUMEREQUEST(cx, rc); ** CID 330995: Error handling issues (CHECKED_RETURN) /upgrade_to_v319.c: 471 in fgetextdesc() ________________________________________________________________________________________________________ *** CID 330995: Error handling issues (CHECKED_RETURN) /upgrade_to_v319.c: 471 in fgetextdesc() 465 } 466 467 // fast (operates on open .exb file) 468 void fgetextdesc(scfg_t* cfg, uint dirnum, ulong datoffset, char *ext, int file) 469 { 470 lseek(file,(datoffset/F_LEN)*F_EXBSIZE,SEEK_SET); >>> CID 330995: Error handling issues (CHECKED_RETURN) >>> "read(int, void *, size_t)" returns the number of bytes read, but it is ignored. 
471 read(file,ext,F_EXBSIZE); 472 } 473 474 void putextdesc(scfg_t* cfg, uint dirnum, ulong datoffset, char *ext) 475 { 476 char str[MAX_PATH+1],nulbuf[F_EXBSIZE]; ** CID 330994: (CHECKED_RETURN) /ftpsrvr.c: 713 in send_thread() /ftpsrvr.c: 676 in send_thread() ________________________________________________________________________________________________________ *** CID 330994: (CHECKED_RETURN) /ftpsrvr.c: 713 in send_thread() 707 } 708 709 /* Check socket for writability */ 710 if (!socket_writable(*xfer.data_sock, 1000)) 711 continue; 712 >>> CID 330994: (CHECKED_RETURN) >>> Calling "fseeko(fp, xfer.filepos + total, 0)" without checking return value. This library function may fail and return an error code. 713 fseeko(fp,xfer.filepos+total,SEEK_SET); 714 rd=fread(buf,sizeof(char),sizeof(buf),fp); 715 if(rd<1) /* EOF or READ error */ 716 break; 717 718 #ifdef SOCKET_DEBUG_SEND /ftpsrvr.c: 676 in send_thread() 670 if(xfer.filepos < 0) 671 xfer.filepos = 0; 672 if(startup->options&FTP_OPT_DEBUG_DATA || xfer.filepos) 673 lprintf(LOG_DEBUG,"%04d <%s> DATA socket %d sending %s from offset %"PRIdOFF 674 ,xfer.ctrl_sock, xfer.user->alias, *xfer.data_sock,xfer.filename,xfer.filepos); 675 >>> CID 330994: (CHECKED_RETURN) >>> Calling "fseeko(fp, xfer.filepos, 0)" without checking return value. This library function may fail and return an error code. 676 fseeko(fp,xfer.filepos,SEEK_SET); 677 last_report=start=time(NULL); 678 while((xfer.filepos+total)>> CID 330993: (FORWARD_NULL) >>> Passing null pointer "error" to "safe_snprintf", which dereferences it. 
805 safe_snprintf(error, maxerrlen, "archive_read_data_block returned %d: %s" 806 ,result, archive_error_string(ar)); 807 break; 808 } 809 if(fwrite(buff, 1, size, fp) != size) 810 break; /filedat.c: 731 in extract_files_from_archive() 725 safe_snprintf(error, maxerrlen, "archive_read_new returned NULL"); 726 return -1; 727 } 728 archive_read_support_filter_all(ar); 729 archive_read_support_format_all(ar); 730 if((result = archive_read_open_filename(ar, archive, 10240)) != ARCHIVE_OK) { >>> CID 330993: (FORWARD_NULL) >>> Passing null pointer "error" to "safe_snprintf", which dereferences it. 731 safe_snprintf(error, maxerrlen, "archive_read_open_filename returned %d: %s" 732 ,result, archive_error_string(ar)); 733 archive_read_free(ar); 734 return result >= 0 ? -1 : result; 735 } 736 while(1) { /filedat.c: 760 in extract_files_from_archive() 754 } 755 SAFECOPY(fpath, outdir); 756 backslash(fpath); 757 SAFECAT(fpath, pathname); 758 if(mkpath(fpath) != 0) { 759 char err[256]; >>> CID 330993: (FORWARD_NULL) >>> Passing null pointer "error" to "safe_snprintf", which dereferences it. 760 safe_snprintf(error, maxerrlen, "%d (%s) creating path '%s'", errno, safe_strerror(errno, err, sizeof(err)), fpath); 761 break; 762 } 763 continue; 764 } 765 if(filetype != AE_IFREG) /filedat.c: 740 in extract_files_from_archive() 734 return result >= 0 ? -1 : result; 735 } 736 while(1) { 737 result = archive_read_next_header(ar, &entry); 738 if(result != ARCHIVE_OK) { 739 if(result != ARCHIVE_EOF) >>> CID 330993: (FORWARD_NULL) >>> Passing null pointer "error" to "safe_snprintf", which dereferences it. 
740 safe_snprintf(error, maxerrlen, "archive_read_next_header returned %d: %s" 741 ,result, archive_error_string(ar)); 742 break; 743 } 744 const char* pathname = archive_entry_pathname(entry); 745 if(pathname == NULL) /filedat.c: 771 in extract_files_from_archive() 765 if(filetype != AE_IFREG) 766 continue; 767 char* filename = getfname(pathname); 768 if(allowed_filename_chars != NULL 769 && *allowed_filename_chars != '\0' 770 && strspn(filename, allowed_filename_chars) != strlen(filename)) { >>> CID 330993: (FORWARD_NULL) >>> Passing null pointer "error" to "safe_snprintf", which dereferences it. 771 safe_snprintf(error, maxerrlen, "disallowed filename '%s'", pathname); 772 break; 773 } 774 if(!with_path) 775 pathname = filename; 776 if(file_list != NULL) { /filedat.c: 752 in extract_files_from_archive() 746 continue; 747 int filetype = archive_entry_filetype(entry); 748 if(filetype == AE_IFDIR) { 749 if(!with_path) 750 continue; 751 if(strstr(pathname, "..") != NULL) { >>> CID 330993: (FORWARD_NULL) >>> Passing null pointer "error" to "safe_snprintf", which dereferences it. 752 safe_snprintf(error, maxerrlen, "Illegal double-dots in path '%s'", pathname); 753 break; 754 } 755 SAFECOPY(fpath, outdir); 756 backslash(fpath); 757 SAFECAT(fpath, pathname); /filedat.c: 790 in extract_files_from_archive() 784 SAFECOPY(fpath, outdir); 785 backslash(fpath); 786 SAFECAT(fpath, pathname); 787 FILE* fp = fopen(fpath, "wb"); 788 if(fp == NULL) { 789 char err[256]; >>> CID 330993: (FORWARD_NULL) >>> Passing null pointer "error" to "safe_snprintf", which dereferences it. 
790 safe_snprintf(error, maxerrlen, "%d (%s) opening/creating '%s'", errno, safe_strerror(errno, err, sizeof(err)), fpath); 791 break; 792 } 793 794 const void *buff; 795 size_t size; /filedat.c: 725 in extract_files_from_archive() 719 long extracted = 0; 720 char fpath[MAX_PATH + 1]; 721 722 if(error != NULL && maxerrlen >= 1) 723 *error = '\0'; 724 if((ar = archive_read_new()) == NULL) { >>> CID 330993: (FORWARD_NULL) >>> Passing null pointer "error" to "safe_snprintf", which dereferences it. 725 safe_snprintf(error, maxerrlen, "archive_read_new returned NULL"); 726 return -1; 727 } 728 archive_read_support_filter_all(ar); 729 archive_read_support_format_all(ar); 730 if((result = archive_read_open_filename(ar, archive, 10240)) != ARCHIVE_OK) { /filedat.c: 816 in extract_files_from_archive() 810 break; 811 } 812 fclose(fp); 813 if(result != ARCHIVE_EOF) 814 (void)remove(fpath); 815 if(max_files && extracted >= max_files) { >>> CID 330993: (FORWARD_NULL) >>> Passing null pointer "error" to "safe_snprintf", which dereferences it. 816 safe_snprintf(error, maxerrlen, "maximum number of files (%lu) extracted", max_files); 817 break; 818 } 819 } 820 archive_read_free(ar); 821 return extracted; ** CID 330992: Error handling issues (NEGATIVE_RETURNS) /upgrade_to_v319.c: 583 in upgrade_file_bases() ________________________________________________________________________________________________________ *** CID 330992: Error handling issues (NEGATIVE_RETURNS) /upgrade_to_v319.c: 583 in upgrade_file_bases() 577 if(!l) { 578 close(file); 579 smb_close(&smb); 580 continue; 581 } 582 uchar* ixbbuf; >>> CID 330992: Error handling issues (NEGATIVE_RETURNS) >>> "l" is passed to a parameter that cannot be negative. 
583 if((ixbbuf=(uchar *)malloc(l))==NULL) { 584 close(file); 585 printf("\7ERR_ALLOC %s %lu\n",str,l); 586 smb_close(&smb); 587 continue; 588 } ** CID 330991: (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 330991: (TAINTED_SCALAR) /js_filebase.c: 1049 in js_update_file() 1043 result = JS_FALSE; 1044 p->smb_result = SMB_ERR_RENAME; 1045 } else { 1046 if(file.extdesc != NULL) 1047 truncsp(file.extdesc); 1048 if(strcmp(extdesc ? extdesc : "", file.extdesc ? file.extdesc : "") == 0) >>> CID 330991: (TAINTED_SCALAR) >>> Passing tainted expression "file.hdr" to "smb_putfile", which uses it as a loop boundary. 1049 p->smb_result = smb_putfile(&p->smb, &file); 1050 else { 1051 if((p->smb_result = smb_removefile(&p->smb, &file)) == SMB_SUCCESS) 1052 p->smb_result = smb_addfile(&p->smb, &file, SMB_SELFPACK, extdesc, newfname); 1053 } 1054 } /js_filebase.c: 1051 in js_update_file() 1045 } else { 1046 if(file.extdesc != NULL) 1047 truncsp(file.extdesc); 1048 if(strcmp(extdesc ? extdesc : "", file.extdesc ? file.extdesc : "") == 0) 1049 p->smb_result = smb_putfile(&p->smb, &file); 1050 else { >>> CID 330991: (TAINTED_SCALAR) >>> Passing tainted expression "file.hdr" to "smb_removefile", which uses it as a loop boundary. 1051 if((p->smb_result = smb_removefile(&p->smb, &file)) == SMB_SUCCESS) 1052 p->smb_result = smb_addfile(&p->smb, &file, SMB_SELFPACK, extdesc, newfname); 1053 } 1054 } 1055 } 1056 JS_SET_RVAL(cx, arglist, BOOLEAN_TO_JSVAL(p->smb_result == SMB_SUCCESS)); /js_filebase.c: 1049 in js_update_file() 1043 result = JS_FALSE; 1044 p->smb_result = SMB_ERR_RENAME; 1045 } else { 1046 if(file.extdesc != NULL) 1047 truncsp(file.extdesc); 1048 if(strcmp(extdesc ? extdesc : "", file.extdesc ? file.extdesc : "") == 0) >>> CID 330991: (TAINTED_SCALAR) >>> Passing tainted expression "*file.hfield" to "smb_putfile", which uses it as an offset. 
1049 p->smb_result = smb_putfile(&p->smb, &file); 1050 else { 1051 if((p->smb_result = smb_removefile(&p->smb, &file)) == SMB_SUCCESS) 1052 p->smb_result = smb_addfile(&p->smb, &file, SMB_SELFPACK, extdesc, newfname); 1053 } 1054 } /js_filebase.c: 1051 in js_update_file() 1045 } else { 1046 if(file.extdesc != NULL) 1047 truncsp(file.extdesc); 1048 if(strcmp(extdesc ? extdesc : "", file.extdesc ? file.extdesc : "") == 0) 1049 p->smb_result = smb_putfile(&p->smb, &file); 1050 else { >>> CID 330991: (TAINTED_SCALAR) >>> Passing tainted expression "*file.hfield" to "smb_removefile", which uses it as an offset. 1051 if((p->smb_result = smb_removefile(&p->smb, &file)) == SMB_SUCCESS) 1052 p->smb_result = smb_addfile(&p->smb, &file, SMB_SELFPACK, extdesc, newfname); 1053 } 1054 } 1055 } 1056 JS_SET_RVAL(cx, arglist, BOOLEAN_TO_JSVAL(p->smb_result == SMB_SUCCESS)); ** CID 330990: Control flow issues (NO_EFFECT) /js_filebase.c: 1533 in js_filebase_constructor() ________________________________________________________________________________________________________ *** CID 330990: Control flow issues (NO_EFFECT) /js_filebase.c: 1533 in js_filebase_constructor() 1527 "where code is a directory internal code." 1528 ); 1529 js_CreateArrayOfStrings(cx, obj, "_property_desc_list", filebase_prop_desc, JSPROP_READONLY); 1530 #endif 1531 1532 p->smb.dirnum = getdirnum(scfg, base); >>> CID 330990: Control flow issues (NO_EFFECT) >>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "p->smb.dirnum >= 0U". 
1533 if(p->smb.dirnum >= 0 && p->smb.dirnum < scfg->total_dirs) { 1534 safe_snprintf(p->smb.file, sizeof(p->smb.file), "%s%s" 1535 ,scfg->dir[p->smb.dirnum]->data_dir, scfg->dir[p->smb.dirnum]->code); 1536 } else { /* unknown code */ 1537 SAFECOPY(p->smb.file, base); 1538 } ** CID 330989: (SIZEOF_MISMATCH) /execmisc.cpp: 217 in sbbs_t::exec_misc(csi_t *, const char *)() /execmisc.cpp: 156 in sbbs_t::exec_misc(csi_t *, const char *)() /execmisc.cpp: 186 in sbbs_t::exec_misc(csi_t *, const char *)() /execmisc.cpp: 126 in sbbs_t::exec_misc(csi_t *, const char *)() ________________________________________________________________________________________________________ *** CID 330989: (SIZEOF_MISMATCH) /execmisc.cpp: 217 in sbbs_t::exec_misc(csi_t *, const char *)() 211 global_int_var=(int32_t *)realloc(global_int_var 212 ,sizeof(char *)*global_int_vars); 213 global_int_var_name=(uint32_t *)realloc(global_int_var_name 214 ,sizeof(int32_t)*global_int_vars); 215 if(global_int_var==NULL 216 || global_int_var_name==NULL) { /* REALLOC failed */ >>> CID 330989: (SIZEOF_MISMATCH) >>> Passing argument "getfname("execmisc.cpp")" of type "char *" and argument "8UL /* sizeof (char *) */ * this->global_int_vars" to function "errormsg" is suspicious. 217 errormsg(WHERE,ERR_ALLOC,"local int var" 218 ,sizeof(char *)*global_int_vars); 219 if(global_int_var_name) { 220 free(global_int_var_name); 221 global_int_var_name=0; 222 } /execmisc.cpp: 156 in sbbs_t::exec_misc(csi_t *, const char *)() 150 csi->int_var=(int32_t *)realloc(csi->int_var 151 ,sizeof(char *)*csi->int_vars); 152 csi->int_var_name=(uint32_t *)realloc(csi->int_var_name 153 ,sizeof(int32_t)*csi->int_vars); 154 if(csi->int_var==NULL 155 || csi->int_var_name==NULL) { /* REALLOC failed */ >>> CID 330989: (SIZEOF_MISMATCH) >>> Passing argument "getfname("execmisc.cpp")" of type "char *" and argument "8UL /* sizeof (char *) */ * csi->int_vars" to function "errormsg" is suspicious. 
156 errormsg(WHERE,ERR_ALLOC,"local int var" 157 ,sizeof(char *)*csi->int_vars); 158 if(csi->int_var_name) { 159 free(csi->int_var_name); 160 csi->int_var_name=0; 161 } /execmisc.cpp: 186 in sbbs_t::exec_misc(csi_t *, const char *)() 180 global_str_var=(char **)realloc(global_str_var 181 ,sizeof(char *)*global_str_vars); 182 global_str_var_name=(uint32_t *)realloc(global_str_var_name 183 ,sizeof(int32_t)*global_str_vars); 184 if(global_str_var==NULL 185 || global_str_var_name==NULL) { /* REALLOC failed */ >>> CID 330989: (SIZEOF_MISMATCH) >>> Passing argument "getfname("execmisc.cpp")" of type "char *" and argument "8UL /* sizeof (char *) */ * this->global_str_vars" to function "errormsg" is suspicious. 186 errormsg(WHERE,ERR_ALLOC,"global str var" 187 ,sizeof(char *)*global_str_vars); 188 if(global_str_var_name) { 189 free(global_str_var_name); 190 global_str_var_name=0; 191 } /execmisc.cpp: 126 in sbbs_t::exec_misc(csi_t *, const char *)() 120 csi->str_var=(char **)realloc(csi->str_var 121 ,sizeof(char *)*csi->str_vars); 122 csi->str_var_name=(uint32_t *)realloc(csi->str_var_name 123 ,sizeof(int32_t)*csi->str_vars); 124 if(csi->str_var==NULL 125 || csi->str_var_name==NULL) { /* REALLOC failed */ >>> CID 330989: (SIZEOF_MISMATCH) >>> Passing argument "getfname("execmisc.cpp")" of type "char *" and argument "8UL /* sizeof (char *) */ * csi->str_vars" to function "errormsg" is suspicious. 
126 errormsg(WHERE,ERR_ALLOC,"local str var" 127 ,sizeof(char *)*csi->str_vars); 128 if(csi->str_var_name) { 129 free(csi->str_var_name); 130 csi->str_var_name=0; 131 } ** CID 330988: Error handling issues (CHECKED_RETURN) /filedat.c: 199 in loadfiles() ________________________________________________________________________________________________________ *** CID 330988: Error handling issues (CHECKED_RETURN) /filedat.c: 199 in loadfiles() 193 } 194 195 file_t* file_list = calloc(smb->status.total_files, sizeof(file_t)); 196 if(file_list == NULL) 197 return NULL; 198 >>> CID 330988: Error handling issues (CHECKED_RETURN) >>> Calling "fseek(smb->sid_fp, start * 128UL, 0)" without checking return value. This library function may fail and return an error code. 199 fseek(smb->sid_fp, start * sizeof(fileidxrec_t), SEEK_SET); 200 long offset = start; 201 while(!feof(smb->sid_fp)) { 202 file_t* f = &file_list[*count]; 203 204 if(smb_fread(smb, &f->file_idx, sizeof(f->file_idx), smb->sid_fp) != sizeof(f->file_idx)) ** CID 330987: (RESOURCE_LEAK) /js_filebase.c: 289 in parse_file_index_properties() /js_filebase.c: 279 in parse_file_index_properties() ________________________________________________________________________________________________________ *** CID 330987: (RESOURCE_LEAK) /js_filebase.c: 289 in parse_file_index_properties() 283 idx->hash.data.crc16 = JSVAL_TO_INT(val); 284 idx->hash.flags |= SMB_HASH_CRC16; 285 } 286 if(JS_GetProperty(cx, obj, prop_name = "crc32", &val) && !JSVAL_NULL_OR_VOID(val)) { 287 if(!JS_ValueToECMAUint32(cx, val, &idx->hash.data.crc32)) { 288 JS_ReportError(cx, "Error converting adding '%s' property to Uint32", prop_name); >>> CID 330987: (RESOURCE_LEAK) >>> Variable "cp" going out of scope leaks the storage it points to. 
289 return FALSE; 290 } 291 idx->hash.flags |= SMB_HASH_CRC32; 292 } 293 if(JS_GetProperty(cx, obj, prop_name = "md5", &val) && !JSVAL_NULL_OR_VOID(val)) { 294 JSVALUE_TO_RASTRING(cx, val, cp, &cp_sz, NULL); /js_filebase.c: 279 in parse_file_index_properties() 273 } 274 SAFECOPY(idx->name, cp); 275 } 276 if(JS_GetProperty(cx, obj, prop_name = "size", &val) && !JSVAL_NULL_OR_VOID(val)) { 277 if(!JS_ValueToECMAUint32(cx, val, &idx->idx.size)) { 278 JS_ReportError(cx, "Error converting adding '%s' property to Uint32", prop_name); >>> CID 330987: (RESOURCE_LEAK) >>> Variable "cp" going out of scope leaks the storage it points to. 279 return FALSE; 280 } 281 } 282 if(JS_GetProperty(cx, obj, prop_name = "crc16", &val) && !JSVAL_NULL_OR_VOID(val)) { 283 idx->hash.data.crc16 = JSVAL_TO_INT(val); 284 idx->hash.flags |= SMB_HASH_CRC16; ** CID 330986: Error handling issues (CHECKED_RETURN) /netmail.cpp: 1389 in sbbs_t::qnetmail(const char *, const char *, long, smb_t *, smbmsg_t *)() ________________________________________________________________________________________________________ *** CID 330986: Error handling issues (CHECKED_RETURN) /netmail.cpp: 1389 in sbbs_t::qnetmail(const char *, const char *, long, smb_t *, smbmsg_t *)() 1383 smb_stack(&smb,SMB_STACK_POP); 1384 errormsg(WHERE,ERR_OPEN,msgpath,O_RDONLY|O_BINARY); 1385 return(false); 1386 } 1387 1388 setvbuf(instream,NULL,_IOFBF,2*1024); >>> CID 330986: Error handling issues (CHECKED_RETURN) >>> Calling "fseeko(this->smb.sdt_fp, offset, 0)" without checking return value. This library function may fail and return an error code. 
1389 fseeko(smb.sdt_fp,offset,SEEK_SET); 1390 xlat=XLAT_NONE; 1391 fwrite(&xlat,2,1,smb.sdt_fp); 1392 x=SDT_BLOCK_LEN-2; /* Don't read/write more than 255 */ 1393 while(!feof(instream)) { 1394 memset(buf,0,x); ** CID 330985: Memory - illegal accesses (OVERRUN) /upgrade_to_v319.c: 615 in upgrade_file_bases() ________________________________________________________________________________________________________ *** CID 330985: Memory - illegal accesses (OVERRUN) /upgrade_to_v319.c: 615 in upgrade_file_bases() 609 for(j=0;j<12 && mname[j]=ixbbuf[m]>' ' ? '.' : ' '; 612 else 613 f->name[j]=ixbbuf[m++]; /* Turns FILENAMEEXT into FILENAME.EXT */ 614 f->name[j]=0; >>> CID 330985: Memory - illegal accesses (OVERRUN) >>> Overrunning dynamic array "ixbbuf" at offset corresponding to index variable "m". 615 f->datoffset=ixbbuf[m]|((long)ixbbuf[m+1]<<8)|((long)ixbbuf[m+2]<<16); 616 f->dateuled=(ixbbuf[m+3]|((long)ixbbuf[m+4]<<8)|((long)ixbbuf[m+5]<<16) 617 |((long)ixbbuf[m+6]<<24)); 618 f->datedled =(ixbbuf[m+7]|((long)ixbbuf[m+8]<<8)|((long)ixbbuf[m+9]<<16) 619 |((long)ixbbuf[m+10]<<24)); 620 m+=11; ** CID 330984: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 330984: Memory - corruptions (OVERRUN) /qwk.cpp: 587 in sbbs_t::qwk_sec()() 581 remove(str); 582 continue; 583 } 584 585 off_t l=flength(str); 586 bprintf(text[FiFilename], getfname(str)); >>> CID 330984: Memory - corruptions (OVERRUN) >>> Overrunning array "tmp2" of 256 bytes by passing it to a function which accesses it at byte offset 511 using argument "512UL". 
587 bprintf(text[FiFileSize], ultoac((ulong)l,tmp) 588 , byte_estimate_to_str(l, tmp2, sizeof(tmp), /* units: */1024, /* precision: */1)); 589 590 if(l>0L && cur_cps) 591 i=(uint)(l/(ulong)cur_cps); 592 else ** CID 330983: (RESOURCE_LEAK) /js_filebase.c: 407 in parse_file_properties() /js_filebase.c: 384 in parse_file_properties() ________________________________________________________________________________________________________ *** CID 330983: (RESOURCE_LEAK) /js_filebase.c: 407 in parse_file_properties() 401 } 402 prop_name = "cost"; 403 if(JS_GetProperty(cx, obj, prop_name, &val) && !JSVAL_NULL_OR_VOID(val)) { 404 uint32_t cost = 0; 405 if(!JS_ValueToECMAUint32(cx, val, &cost)) { 406 JS_ReportError(cx, "Error converting adding '%s' property to Uint32", prop_name); >>> CID 330983: (RESOURCE_LEAK) >>> Variable "cp" going out of scope leaks the storage it points to. 407 return SMB_FAILURE; 408 } 409 if((result = smb_new_hfield(file, SMB_COST, sizeof(cost), &cost)) != SMB_SUCCESS) { 410 free(cp); 411 JS_ReportError(cx, "Error %d adding '%s' property to file object", result, prop_name); 412 return result; /js_filebase.c: 384 in parse_file_properties() 378 if(extdesc != NULL && JS_GetProperty(cx, obj, prop_name, &val) && !JSVAL_NULL_OR_VOID(val)) { 379 FREE_AND_NULL(*extdesc); 380 JSVALUE_TO_MSTRING(cx, val, *extdesc, NULL); 381 HANDLE_PENDING(cx, *extdesc); 382 if(*extdesc == NULL) { 383 JS_ReportError(cx, "Invalid '%s' string in file object", prop_name); >>> CID 330983: (RESOURCE_LEAK) >>> Variable "cp" going out of scope leaks the storage it points to. 
384 return SMB_ERR_MEM; 385 } 386 truncsp(*extdesc); 387 } 388 prop_name = "tags"; 389 if(JS_GetProperty(cx, obj, prop_name, &val) && !JSVAL_NULL_OR_VOID(val)) { ** CID 330982: Error handling issues (CHECKED_RETURN) /js_file.c: 2648 in js_file_get() ________________________________________________________________________________________________________ *** CID 330982: Error handling issues (CHECKED_RETURN) /js_file.c: 2648 in js_file_get() 2642 else 2643 b64_encode(str,sizeof(str)-1,(char *)digest,sizeof(digest)); 2644 js_str=JS_NewStringCopyZ(cx, str); 2645 break; 2646 } 2647 rc=JS_SUSPENDREQUEST(cx); >>> CID 330982: Error handling issues (CHECKED_RETURN) >>> Calling "fseeko(p->fp, offset, 0)" without checking return value. This library function may fail and return an error code. 2648 fseeko(p->fp,offset,SEEK_SET); /* restore saved file position */ 2649 JS_RESUMEREQUEST(cx, rc); 2650 if(js_str!=NULL) 2651 *vp = STRING_TO_JSVAL(js_str); 2652 break; 2653 case FILE_INI_KEY_LEN: ** CID 330981: (RESOURCE_LEAK) /upgrade_to_v319.c: 601 in upgrade_file_bases() /upgrade_to_v319.c: 580 in upgrade_file_bases() /upgrade_to_v319.c: 574 in upgrade_file_bases() ________________________________________________________________________________________________________ *** CID 330981: (RESOURCE_LEAK) /upgrade_to_v319.c: 601 in upgrade_file_bases() 595 } 596 close(file); 597 size_t file_count = l / F_IXBSIZE; 598 oldfile_t* filelist = malloc(sizeof(*filelist) * file_count); 599 if(filelist == NULL) { 600 printf("malloc failure"); >>> CID 330981: (RESOURCE_LEAK) >>> Handle variable "extfile" going out of scope leaks the handle. 
601 return false; 602 } 603 memset(filelist, 0, sizeof(*filelist) * file_count); 604 oldfile_t* f = filelist; 605 long m=0L; 606 while(m + F_IXBSIZE <= l) { /upgrade_to_v319.c: 580 in upgrade_file_bases() 574 continue; 575 } 576 long l=(long)filelength(file); 577 if(!l) { 578 close(file); 579 smb_close(&smb); >>> CID 330981: (RESOURCE_LEAK) >>> Handle variable "extfile" going out of scope leaks the handle. 580 continue; 581 } 582 uchar* ixbbuf; 583 if((ixbbuf=(uchar *)malloc(l))==NULL) { 584 close(file); 585 printf("\7ERR_ALLOC %s %lu\n",str,l); /upgrade_to_v319.c: 574 in upgrade_file_bases() 568 int file; 569 int extfile = openextdesc(&scfg, i); 570 571 sprintf(str,"%s%s.ixb",scfg.dir[i]->data_dir,scfg.dir[i]->code); 572 if((file=open(str,O_RDONLY|O_BINARY))==-1) { 573 smb_close(&smb); >>> CID 330981: (RESOURCE_LEAK) >>> Handle variable "extfile" going out of scope leaks the handle. 574 continue; 575 } 576 long l=(long)filelength(file); 577 if(!l) { 578 close(file); 579 smb_close(&smb); ** CID 330980: Resource leaks (RESOURCE_LEAK) /addfiles.c: 129 in get_file_diz() ________________________________________________________________________________________________________ *** CID 330980: Resource leaks (RESOURCE_LEAK) /addfiles.c: 129 in get_file_diz() 123 if(!extract_diz(&scfg, f, /* diz_fnames */NULL, diz_fpath, sizeof(diz_fpath))) { 124 printf("DIZ does not exist in: %s\n", getfilepath(&scfg, f, path)); 125 return false; 126 } 127 printf("Parsing DIZ: %s\n", diz_fpath); 128 str_list_t lines = read_diz(diz_fpath, /* max_line_len: */80); >>> CID 330980: Resource leaks (RESOURCE_LEAK) >>> Ignoring storage allocated by "format_diz(lines, ext, maxlen, false)" leaks it. 
129 format_diz(lines, ext, maxlen, /* allow_ansi: */false); 130 strListFree(&lines); 131 remove(diz_fpath); 132 133 if(mode&ASCII_ONLY) 134 strip_exascii(ext, ext); ** CID 330979: (SIZEOF_MISMATCH) /addfiles.c: 210 in addlist() /addfiles.c: 219 in addlist() ________________________________________________________________________________________________________ *** CID 330979: (SIZEOF_MISMATCH) /addfiles.c: 210 in addlist() 204 205 if(mode&TODAYS_DATE) { /* put today's date in desc */ 206 time_t now = time(NULL); 207 if(datefmt) { 208 struct tm tm = {0}; 209 localtime_r(&now, &tm); >>> CID 330979: (SIZEOF_MISMATCH) >>> Passing argument "f.desc" of type "char *" and argument "8UL /* sizeof (f.desc) */" to function "strftime" is suspicious. 210 strftime(f.desc, sizeof(f.desc), datefmt, &tm); 211 } else 212 unixtodstr(&scfg, (time32_t)now, f.desc); 213 SAFECAT(fdesc," "); 214 } 215 else if(mode&FILE_DATE) { /* get the file date and put into desc */ /addfiles.c: 219 in addlist() 213 SAFECAT(fdesc," "); 214 } 215 else if(mode&FILE_DATE) { /* get the file date and put into desc */ 216 if(datefmt) { 217 struct tm tm = {0}; 218 localtime_r(&file_timestamp, &tm); >>> CID 330979: (SIZEOF_MISMATCH) >>> Passing argument "f.desc" of type "char *" and argument "8UL /* sizeof (f.desc) */" to function "strftime" is suspicious. 219 strftime(f.desc, sizeof(f.desc), datefmt, &tm); 220 } else 221 unixtodstr(&scfg,(time32_t)file_timestamp,f.desc); 222 SAFECAT(fdesc," "); 223 } 224 ** CID 330978: (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 330978: (TAINTED_SCALAR) /js_msgbase.c: 2288 in get_msg_text() 2282 if((p->smb_result=smb_getmsghdr(&(p->smb), msg))!=SMB_SUCCESS) { 2283 smb_unlockmsghdr(&(p->smb), msg); 2284 return(NULL); 2285 } 2286 } 2287 >>> CID 330978: (TAINTED_SCALAR) >>> Passing tainted expression "*msg->dfield" to "smb_getmsgtxt", which uses it as an allocation size. 
2288 if((buf=smb_getmsgtxt(&(p->smb), msg, mode))==NULL) { 2289 smb_unlockmsghdr(&(p->smb),msg); 2290 if(!existing) 2291 smb_freemsgmem(msg); 2292 return(NULL); 2293 } /js_msgbase.c: 2288 in get_msg_text() 2282 if((p->smb_result=smb_getmsghdr(&(p->smb), msg))!=SMB_SUCCESS) { 2283 smb_unlockmsghdr(&(p->smb), msg); 2284 return(NULL); 2285 } 2286 } 2287 >>> CID 330978: (TAINTED_SCALAR) >>> Passing tainted expression "msg->hdr" to "smb_getmsgtxt", which uses it as a loop boundary. 2288 if((buf=smb_getmsgtxt(&(p->smb), msg, mode))==NULL) { 2289 smb_unlockmsghdr(&(p->smb),msg); 2290 if(!existing) 2291 smb_freemsgmem(msg); 2292 return(NULL); 2293 } ________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit the link below (note: this is a SendGrid click-tracking redirect, not a direct scan.coverity.com URL): https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yp-2FP9gGRhvFklLaQKuBylUrkMFB3WMR2p7qIYKYTZrh4BbWTBf-2B-2Fi5ZUVF-2Fo-2B6flxo-3DTmWD_g4j7BHlu96plUOfCQsO0yRjoWZCZl8YGnZ-2FUtT39hrDZBeI8Cx63AoBmF8t0BSe0V7HV2aG-2FP8lOk-2BOQ7-2ByaA7B7oViA-2BvXqjf5W0nm25ikbH-2BEMjy5p3Oohjueur-2F9UnnKADN-2Fuxb1gQx301pxC4cehQRFhCzWww6Vi6LJYYSb28T6IU8-2FfxMB8362a9CsZ7nU58OwHGunHQCOpr02Og7ymT2KV8y6LuRr5AqD9Yfk-3D --- SBBSecho 3.14-Linux * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705) .