New Defects reported by Coverity Scan for sbabic/swupdate


scan-...@coverity.com

Feb 15, 2022, 10:57:53 AM2/15/22
to swup...@googlegroups.com
Hi,

Please find the latest report on new defect(s) introduced to sbabic/swupdate found with Coverity Scan.

18 new defect(s) introduced to sbabic/swupdate found with Coverity Scan.
17 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 18 of 18 defect(s)


** CID 349328: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 3186 in iolog()


________________________________________________________________________________________________________
*** CID 349328: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 3186 in iolog()
3180 char t1[50] = "", t2[50] = "";
3181 socklen_t slen = sizeof(usa.sin);
3182 char *s = mg_hexdump(buf, (size_t) n);
3183 struct mg_addr a;
3184 memset(&usa, 0, sizeof(usa));
3185 memset(&a, 0, sizeof(a));
>>> CID 349328: Error handling issues (CHECKED_RETURN)
>>> Calling "getsockname((SOCKET)(size_t)c->fd, __SOCKADDR_ARG({.__sockaddr__ = &usa.sa}), &slen)" without checking return value. This library function may fail and return an error code.
3186 getsockname(FD(c), &usa.sa, &slen);
3187 tomgaddr(&usa, &a, c->peer.is_ip6);
3188 LOG(LL_INFO, ("\n-- %lu %s %s %s %s %ld\n%s", c->id,
3189 mg_straddr(&a, t1, sizeof(t1)), r ? "<-" : "->",
3190 mg_straddr(&c->peer, t2, sizeof(t2)), c->label, n, s));
3191 free(s);

** CID 349327: Uninitialized variables (UNINIT)


________________________________________________________________________________________________________
*** CID 349327: Uninitialized variables (UNINIT)
/parser/parse_external.c: 131 in parse_external()
125 LUAstackDump(L);
126 ERROR("ERROR preparing Parser in Lua %d", ret);
127
128 return 1;
129 }
130
>>> CID 349327: Uninitialized variables (UNINIT)
>>> Using uninitialized element of array "hardware.boardname" when calling "get_hw_revision".
131 if (-1 == get_hw_revision(&hardware))
132 {
133 ERROR("ERROR getting hw revision");
134 return 1;
135 }
136

** CID 349326: Resource leaks (RESOURCE_LEAK)
/core/network_thread.c: 114 in is_selection_allowed()


________________________________________________________________________________________________________
*** CID 349326: Resource leaks (RESOURCE_LEAK)
/core/network_thread.c: 114 in is_selection_allowed()
108
109 if (allowed) {
110 INFO("Accepted selection %s,%s", software_set, running_mode);
111 }else
112 ERROR("Selection %s,%s is not allowed, rejected !",
113 software_set, running_mode);
>>> CID 349326: Resource leaks (RESOURCE_LEAK)
>>> Variable "swset" going out of scope leaks the storage it points to.
114 return allowed;
115 }
116
117 static void clean_msg(char *msg, char drop)
118 {
119 char *lfpos;

** CID 349325: Resource leaks (RESOURCE_LEAK)
/corelib/channel_curl.c: 554 in channel_set_content_type()


________________________________________________________________________________________________________
*** CID 349325: Resource leaks (RESOURCE_LEAK)
/corelib/channel_curl.c: 554 in channel_set_content_type()
548 channel_curl->header, "charsets: utf-8")) == NULL) {
549 ERROR("Set channel charset header failed.");
550 result = CHANNEL_EINIT;
551 }
552 }
553
>>> CID 349325: Resource leaks (RESOURCE_LEAK)
>>> Variable "contenttype" going out of scope leaks the storage it points to.
554 return result;
555 }
556
557 channel_op_res_t channel_set_options(channel_t *this, channel_data_t *channel_data)
558 {
559 if (channel_data->low_speed_timeout == 0) {

** CID 349324: (RESOURCE_LEAK)
/handlers/rdiff_handler.c: 435 in apply_rdiff_patch()
/handlers/rdiff_handler.c: 272 in apply_rdiff_patch()


________________________________________________________________________________________________________
*** CID 349324: (RESOURCE_LEAK)
/handlers/rdiff_handler.c: 435 in apply_rdiff_patch()
429 dest_file_filename, strerror(errno));
430 }
431 if (use_mount == true) {
432 swupdate_umount(mountpoint);
433 }
434 }
>>> CID 349324: (RESOURCE_LEAK)
>>> Variable "dest_file_filename" going out of scope leaks the storage it points to.
435 return ret;
436 }
437
438 __attribute__((constructor))
439 void rdiff_image_handler(void)
440 {
/handlers/rdiff_handler.c: 272 in apply_rdiff_patch()
266 ERROR("Cannot allocate memory for temporary filename creation.");
267 return -1;
268 }
269 if ((fd = mkstemp(dest_file_filename)) == -1) {
270 ERROR("Cannot create temporary file %s: %s", dest_file_filename,
271 strerror(errno));
>>> CID 349324: (RESOURCE_LEAK)
>>> Variable "dest_file_filename" going out of scope leaks the storage it points to.
272 return -1;
273 }
274
275 if ((rdiff_state.dest_file = fdopen(fd, "wb+")) == NULL) {
276 (void)close(fd);
277 ERROR("%s cannot be opened for writing: %s", dest_file_filename,

** CID 349323: Resource leaks (RESOURCE_LEAK)
/corelib/channel_curl.c: 554 in channel_set_content_type()


________________________________________________________________________________________________________
*** CID 349323: Resource leaks (RESOURCE_LEAK)
/corelib/channel_curl.c: 554 in channel_set_content_type()
548 channel_curl->header, "charsets: utf-8")) == NULL) {
549 ERROR("Set channel charset header failed.");
550 result = CHANNEL_EINIT;
551 }
552 }
553
>>> CID 349323: Resource leaks (RESOURCE_LEAK)
>>> Variable "accept" going out of scope leaks the storage it points to.
554 return result;
555 }
556
557 channel_op_res_t channel_set_options(channel_t *this, channel_data_t *channel_data)
558 {
559 if (channel_data->low_speed_timeout == 0) {

** CID 340736: (CHECKED_RETURN)
/mongoose/mongoose.c: 3386 in setsockopts()
/mongoose/mongoose.c: 3392 in setsockopts()
/mongoose/mongoose.c: 3382 in setsockopts()
/mongoose/mongoose.c: 3380 in setsockopts()
/mongoose/mongoose.c: 3391 in setsockopts()
/mongoose/mongoose.c: 3378 in setsockopts()


________________________________________________________________________________________________________
*** CID 340736: (CHECKED_RETURN)
/mongoose/mongoose.c: 3386 in setsockopts()
3380 setsockopt(FD(c), SOL_TCP, TCP_QUICKACK, (char *) &on, sizeof(on));
3381 #endif
3382 setsockopt(FD(c), SOL_SOCKET, SO_KEEPALIVE, (char *) &on, sizeof(on));
3383 #if (defined(ESP32) && ESP32) || (defined(ESP8266) && ESP8266) || \
3384 defined(__linux__)
3385 int idle = 60;
>>> CID 340736: (CHECKED_RETURN)
>>> Calling "setsockopt((SOCKET)(size_t)c->fd, IPPROTO_TCP, 4, &idle, 4U)" without checking return value. This library function may fail and return an error code.
3386 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPIDLE, &idle, sizeof(idle));
3387 #endif
3388 #if !defined(_WIN32) && !defined(__QNX__)
3389 {
3390 int cnt = 3, intvl = 20;
3391 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPCNT, &cnt, sizeof(cnt));
/mongoose/mongoose.c: 3392 in setsockopts()
3386 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPIDLE, &idle, sizeof(idle));
3387 #endif
3388 #if !defined(_WIN32) && !defined(__QNX__)
3389 {
3390 int cnt = 3, intvl = 20;
3391 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPCNT, &cnt, sizeof(cnt));
>>> CID 340736: (CHECKED_RETURN)
>>> Calling "setsockopt((SOCKET)(size_t)c->fd, IPPROTO_TCP, 5, &intvl, 4U)" without checking return value. This library function may fail and return an error code.
3392 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPINTVL, &intvl, sizeof(intvl));
3393 }
3394 #endif
3395 #endif
3396 }
3397
/mongoose/mongoose.c: 3382 in setsockopts()
3376 #define SOL_TCP IPPROTO_TCP
3377 #endif
3378 setsockopt(FD(c), SOL_TCP, TCP_NODELAY, (char *) &on, sizeof(on));
3379 #if defined(TCP_QUICKACK)
3380 setsockopt(FD(c), SOL_TCP, TCP_QUICKACK, (char *) &on, sizeof(on));
3381 #endif
>>> CID 340736: (CHECKED_RETURN)
>>> Calling "setsockopt((SOCKET)(size_t)c->fd, 1, 9, (char *)&on, 4U)" without checking return value. This library function may fail and return an error code.
3382 setsockopt(FD(c), SOL_SOCKET, SO_KEEPALIVE, (char *) &on, sizeof(on));
3383 #if (defined(ESP32) && ESP32) || (defined(ESP8266) && ESP8266) || \
3384 defined(__linux__)
3385 int idle = 60;
3386 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPIDLE, &idle, sizeof(idle));
3387 #endif
/mongoose/mongoose.c: 3380 in setsockopts()
3374 int on = 1;
3375 #if !defined(SOL_TCP)
3376 #define SOL_TCP IPPROTO_TCP
3377 #endif
3378 setsockopt(FD(c), SOL_TCP, TCP_NODELAY, (char *) &on, sizeof(on));
3379 #if defined(TCP_QUICKACK)
>>> CID 340736: (CHECKED_RETURN)
>>> Calling "setsockopt((SOCKET)(size_t)c->fd, 6, 12, (char *)&on, 4U)" without checking return value. This library function may fail and return an error code.
3380 setsockopt(FD(c), SOL_TCP, TCP_QUICKACK, (char *) &on, sizeof(on));
3381 #endif
3382 setsockopt(FD(c), SOL_SOCKET, SO_KEEPALIVE, (char *) &on, sizeof(on));
3383 #if (defined(ESP32) && ESP32) || (defined(ESP8266) && ESP8266) || \
3384 defined(__linux__)
3385 int idle = 60;
/mongoose/mongoose.c: 3391 in setsockopts()
3385 int idle = 60;
3386 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPIDLE, &idle, sizeof(idle));
3387 #endif
3388 #if !defined(_WIN32) && !defined(__QNX__)
3389 {
3390 int cnt = 3, intvl = 20;
>>> CID 340736: (CHECKED_RETURN)
>>> Calling "setsockopt((SOCKET)(size_t)c->fd, IPPROTO_TCP, 6, &cnt, 4U)" without checking return value. This library function may fail and return an error code.
3391 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPCNT, &cnt, sizeof(cnt));
3392 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPINTVL, &intvl, sizeof(intvl));
3393 }
3394 #endif
3395 #endif
3396 }
/mongoose/mongoose.c: 3378 in setsockopts()
3372 (void) c;
3373 #else
3374 int on = 1;
3375 #if !defined(SOL_TCP)
3376 #define SOL_TCP IPPROTO_TCP
3377 #endif
>>> CID 340736: (CHECKED_RETURN)
>>> Calling "setsockopt((SOCKET)(size_t)c->fd, 6, 1, (char *)&on, 4U)" without checking return value. This library function may fail and return an error code.
3378 setsockopt(FD(c), SOL_TCP, TCP_NODELAY, (char *) &on, sizeof(on));
3379 #if defined(TCP_QUICKACK)
3380 setsockopt(FD(c), SOL_TCP, TCP_QUICKACK, (char *) &on, sizeof(on));
3381 #endif
3382 setsockopt(FD(c), SOL_SOCKET, SO_KEEPALIVE, (char *) &on, sizeof(on));
3383 #if (defined(ESP32) && ESP32) || (defined(ESP8266) && ESP8266) || \

** CID 340734: (TAINTED_SCALAR)
/mongoose/mongoose.c: 218 in mg_dns_parse()
/mongoose/mongoose.c: 223 in mg_dns_parse()


________________________________________________________________________________________________________
*** CID 340734: (TAINTED_SCALAR)
/mongoose/mongoose.c: 218 in mg_dns_parse()
212
213 if (len < sizeof(*h)) return 0; // Too small, headers dont fit
214 if (mg_ntohs(h->num_questions) > 1) return 0; // Sanity
215 if (mg_ntohs(h->num_answers) > 10) return 0; // Sanity
216 dm->txnid = mg_ntohs(h->txnid);
217
>>> CID 340734: (TAINTED_SCALAR)
>>> Using tainted variable "mg_ntohs(h->num_questions)" as a loop boundary.
218 for (i = 0; i < mg_ntohs(h->num_questions); i++) {
219 if ((n = mg_dns_parse_rr(buf, len, ofs, true, &rr)) == 0) return false;
220 // LOG(LL_INFO, ("Q %zu %zu", ofs, n));
221 ofs += n;
222 }
223 for (i = 0; i < mg_ntohs(h->num_answers); i++) {
/mongoose/mongoose.c: 223 in mg_dns_parse()
217
218 for (i = 0; i < mg_ntohs(h->num_questions); i++) {
219 if ((n = mg_dns_parse_rr(buf, len, ofs, true, &rr)) == 0) return false;
220 // LOG(LL_INFO, ("Q %zu %zu", ofs, n));
221 ofs += n;
222 }
>>> CID 340734: (TAINTED_SCALAR)
>>> Using tainted variable "mg_ntohs(h->num_answers)" as a loop boundary.
223 for (i = 0; i < mg_ntohs(h->num_answers); i++) {
224 // LOG(LL_INFO, ("A -- %zu %zu %s", ofs, n, dm->name));
225 if ((n = mg_dns_parse_rr(buf, len, ofs, false, &rr)) == 0) return false;
226 mg_dns_parse_name(buf, len, ofs, dm->name, sizeof(dm->name));
227 ofs += n;
228

** CID 340733: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 891 in p_seek()


________________________________________________________________________________________________________
*** CID 340733: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 891 in p_seek()
885 }
886
887 static size_t p_seek(void *fp, size_t offset) {
888 #if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) || \
889 (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) || \
890 (defined(_XOPEN_SOURCE) && _XOPEN_SOURCE >= 600)
>>> CID 340733: Error handling issues (CHECKED_RETURN)
>>> Calling "fseeko((FILE *)fp, (off_t)offset, 0)" without checking return value. This library function may fail and return an error code.
891 fseeko((FILE *) fp, (off_t) offset, SEEK_SET);
892 #else
893 fseek((FILE *) fp, (long) offset, SEEK_SET);
894 #endif
895 return (size_t) ftell((FILE *) fp);
896 }

** CID 340731: Insecure data handling (TAINTED_SCALAR)
/mongoose/mongoose.c: 2470 in mg_mqtt_next_topic()


________________________________________________________________________________________________________
*** CID 340731: Insecure data handling (TAINTED_SCALAR)
/mongoose/mongoose.c: 2470 in mg_mqtt_next_topic()
2464 if (pos >= msg->dgram.len) return 0;
2465
2466 topic->len = (size_t) (((unsigned) buf[0]) << 8 | buf[1]);
2467 topic->ptr = (char *) buf + 2;
2468 new_pos = pos + 2 + topic->len + (qos == NULL ? 0 : 1);
2469 if ((size_t) new_pos > msg->dgram.len) return 0;
>>> CID 340731: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "2UL + topic->len" as an index to pointer "buf".
2470 if (qos != NULL) *qos = buf[2 + topic->len];
2471 return new_pos;
2472 }
2473
2474 size_t mg_mqtt_next_sub(struct mg_mqtt_message *msg, struct mg_str *topic,
2475 uint8_t *qos, size_t pos) {

** CID 340729: (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 340729: (TAINTED_SCALAR)
/mongoose/mongoose.c: 4862 in mg_ws_cb()
4856 break;
4857 }
4858
4859 // Handle fragmented frames: strip header, keep in c->recv
4860 if (final == 0 || op == 0) {
4861 if (op) ofs++, len--, msg.header_len--; // First frame
>>> CID 340729: (TAINTED_SCALAR)
>>> Passing tainted expression "c->recv.len" to "mg_iobuf_del", which uses it as an offset.
4862 mg_iobuf_del(&c->recv, ofs, msg.header_len); // Strip header
4863 len -= msg.header_len;
4864 ofs += len;
4865 c->pfn_data = (void *) ofs;
4866 // LOG(LL_INFO, ("FRAG %d [%.*s]", (int) ofs, (int) ofs, c->recv.buf));
4867 }
/mongoose/mongoose.c: 4838 in mg_ws_cb()
4832 switch (op) {
4833 case WEBSOCKET_OP_CONTINUE:
4834 mg_call(c, MG_EV_WS_CTL, &m);
4835 break;
4836 case WEBSOCKET_OP_PING:
4837 LOG(LL_DEBUG, ("%s", "WS PONG"));
>>> CID 340729: (TAINTED_SCALAR)
>>> Passing tainted expression "msg.data_len" to "mg_ws_send", which uses it as an offset.
4838 mg_ws_send(c, s, msg.data_len, WEBSOCKET_OP_PONG);
4839 mg_call(c, MG_EV_WS_CTL, &m);
4840 break;
4841 case WEBSOCKET_OP_PONG:
4842 mg_call(c, MG_EV_WS_CTL, &m);
4843 break;
/mongoose/mongoose.c: 4838 in mg_ws_cb()
4832 switch (op) {
4833 case WEBSOCKET_OP_CONTINUE:
4834 mg_call(c, MG_EV_WS_CTL, &m);
4835 break;
4836 case WEBSOCKET_OP_PING:
4837 LOG(LL_DEBUG, ("%s", "WS PONG"));
>>> CID 340729: (TAINTED_SCALAR)
>>> Passing tainted expression "msg.data_len" to "mg_ws_send", which uses it as an offset.
4838 mg_ws_send(c, s, msg.data_len, WEBSOCKET_OP_PONG);
4839 mg_call(c, MG_EV_WS_CTL, &m);
4840 break;
4841 case WEBSOCKET_OP_PONG:
4842 mg_call(c, MG_EV_WS_CTL, &m);
4843 break;
/mongoose/mongoose.c: 4869 in mg_ws_cb()
4863 len -= msg.header_len;
4864 ofs += len;
4865 c->pfn_data = (void *) ofs;
4866 // LOG(LL_INFO, ("FRAG %d [%.*s]", (int) ofs, (int) ofs, c->recv.buf));
4867 }
4868 // Remove non-fragmented frame
>>> CID 340729: (TAINTED_SCALAR)
>>> Passing tainted expression "c->recv.len" to "mg_iobuf_del", which uses it as an offset.
4869 if (final && op) mg_iobuf_del(&c->recv, ofs, len);
4870 // Last chunk of the fragmented frame
4871 if (final && !op) {
4872 m.flags = c->recv.buf[0];
4873 m.data = mg_str_n((char *) &c->recv.buf[1], (size_t) (ofs - 1));
4874 mg_call(c, MG_EV_WS_MSG, &m);

** CID 340728: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 3513 in mg_mgr_wakeup()


________________________________________________________________________________________________________
*** CID 340728: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 3513 in mg_mgr_wakeup()
3507
3508 return result;
3509 }
3510
3511 void mg_mgr_wakeup(struct mg_connection *c, const void *buf, size_t len) {
3512 if (buf == NULL || len == 0) buf = (void *) "", len = 1;
>>> CID 340728: Error handling issues (CHECKED_RETURN)
>>> Calling "send((SOCKET)(size_t)c->pfn_data, (char const *)buf, len, 0)" without checking return value. This library function may fail and return an error code.
3513 send((SOCKET) (size_t) c->pfn_data, (const char *) buf, len, MSG_NONBLOCKING);
3514 }
3515
3516 static void pf1(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
3517 if (ev == MG_EV_READ) {
3518 mg_iobuf_free(&c->recv);

** CID 340727: (NULL_RETURNS)


________________________________________________________________________________________________________
*** CID 340727: (NULL_RETURNS)
/mongoose/mongoose_multipart.c: 348 in multipart_upload_handler()
342 if (s->len >= 9 && strncmp(s->ptr, "multipart", 9) == 0) {
343 /* New request - new proto data */
344 nc->label[0] = 'M';
345
346 nc->pfn = fn;
347 nc->pfn_data = calloc(1, sizeof(struct mg_http_multipart_stream));
>>> CID 340727: (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "nc->pfn_data" when calling "mg_http_multipart_begin".
348 mg_http_multipart_begin(nc, hm);
349 mg_http_multipart_continue(nc);
350 return;
351 }
352 }
/mongoose/mongoose_multipart.c: 349 in multipart_upload_handler()
343 /* New request - new proto data */
344 nc->label[0] = 'M';
345
346 nc->pfn = fn;
347 nc->pfn_data = calloc(1, sizeof(struct mg_http_multipart_stream));
348 mg_http_multipart_begin(nc, hm);
>>> CID 340727: (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "nc->pfn_data" when calling "mg_http_multipart_continue".
349 mg_http_multipart_continue(nc);
350 return;
351 }
352 }

** CID 340725: Security best practices violations (DC.WEAK_CRYPTO)
/mongoose/mongoose.c: 4414 in mg_random()


________________________________________________________________________________________________________
*** CID 340725: Security best practices violations (DC.WEAK_CRYPTO)
/mongoose/mongoose.c: 4414 in mg_random()
4408 if (fp != NULL) {
4409 if (fread(buf, 1, len, fp) == len) done = true;
4410 fclose(fp);
4411 }
4412 #endif
4413 // If everything above did not work, fallback to a pseudo random generator
>>> CID 340725: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
4414 while (!done && len--) *p++ = (unsigned char) (rand() & 255);
4415 }
4416 #endif
4417
4418 bool mg_globmatch(const char *s1, size_t n1, const char *s2, size_t n2) {
4419 size_t i = 0, j = 0, ni = 0, nj = 0;

** CID 340724: Null pointer dereferences (NULL_RETURNS)
/mongoose/mongoose_multipart.c: 342 in multipart_upload_handler()


________________________________________________________________________________________________________
*** CID 340724: Null pointer dereferences (NULL_RETURNS)
/mongoose/mongoose_multipart.c: 342 in multipart_upload_handler()
336 return;
337 }
338 }
339
340 if (hm->chunk.len >= 0 && ev == MG_EV_HTTP_CHUNK) {
341 s = mg_http_get_header(hm, "Content-Type");
>>> CID 340724: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing "s", which is known to be "NULL".
342 if (s->len >= 9 && strncmp(s->ptr, "multipart", 9) == 0) {
343 /* New request - new proto data */
344 nc->label[0] = 'M';
345
346 nc->pfn = fn;
347 nc->pfn_data = calloc(1, sizeof(struct mg_http_multipart_stream));

** CID 340723: Security best practices violations (DC.WEAK_CRYPTO)
/mongoose/mongoose.c: 465 in mg_file_write()


________________________________________________________________________________________________________
*** CID 340723: Security best practices violations (DC.WEAK_CRYPTO)
/mongoose/mongoose.c: 465 in mg_file_write()
459
460 bool mg_file_write(struct mg_fs *fs, const char *path, const void *buf,
461 size_t len) {
462 bool result = false;
463 struct mg_fd *fd;
464 char tmp[MG_PATH_MAX];
>>> CID 340723: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
465 snprintf(tmp, sizeof(tmp), "%s..%d", path, rand());
466 if ((fd = mg_fs_open(fs, tmp, MG_FS_WRITE)) != NULL) {
467 result = fs->write(fd->fd, buf, len) == len;
468 mg_fs_close(fd);
469 if (result) {
470 fs->remove(path);

** CID 340722: Control flow issues (NO_EFFECT)
/mongoose/mongoose_multipart.c: 340 in multipart_upload_handler()


________________________________________________________________________________________________________
*** CID 340722: Control flow issues (NO_EFFECT)
/mongoose/mongoose_multipart.c: 340 in multipart_upload_handler()
334 mg_call(nc, MG_EV_HTTP_MULTIPART_REQUEST_END, &mp);
335 mp_stream->state = MPS_FINISHED;
336 return;
337 }
338 }
339
>>> CID 340722: Control flow issues (NO_EFFECT)
>>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "hm->chunk.len >= 0UL".
340 if (hm->chunk.len >= 0 && ev == MG_EV_HTTP_CHUNK) {
341 s = mg_http_get_header(hm, "Content-Type");
342 if (s->len >= 9 && strncmp(s->ptr, "multipart", 9) == 0) {
343 /* New request - new proto data */
344 nc->label[0] = 'M';
345

** CID 340721: (OVERRUN)
/mongoose/mongoose.c: 4485 in mg_hexdump()
/mongoose/mongoose.c: 4485 in mg_hexdump()


________________________________________________________________________________________________________
*** CID 340721: (OVERRUN)
/mongoose/mongoose.c: 4485 in mg_hexdump()
4479 if (i > 0 && dlen > n)
4480 n += (size_t) snprintf(dst + n, dlen - n, " %s\n", ascii);
4481 if (dlen > n)
4482 n += (size_t) snprintf(dst + n, dlen - n, "%04x ", (int) (i + ofs));
4483 }
4484 if (dlen < n) break;
>>> CID 340721: (OVERRUN)
>>> Overrunning dynamic array "dst" at offset corresponding to index variable "n" through dereference in call to "snprintf".
4485 n += (size_t) snprintf(dst + n, dlen - n, " %02x", p[i]);
4486 ascii[idx] = (char) (p[i] < 0x20 || p[i] > 0x7e ? '.' : p[i]);
4487 ascii[idx + 1] = '\0';
4488 }
4489 while (i++ % 16) {
4490 if (n < dlen) n += (size_t) snprintf(dst + n, dlen - n, "%s", " ");
/mongoose/mongoose.c: 4485 in mg_hexdump()
4479 if (i > 0 && dlen > n)
4480 n += (size_t) snprintf(dst + n, dlen - n, " %s\n", ascii);
4481 if (dlen > n)
4482 n += (size_t) snprintf(dst + n, dlen - n, "%04x ", (int) (i + ofs));
4483 }
4484 if (dlen < n) break;
>>> CID 340721: (OVERRUN)
>>> Overrunning dynamic array "dst" at offset corresponding to index variable "n" through dereference in call to "snprintf".
4485 n += (size_t) snprintf(dst + n, dlen - n, " %02x", p[i]);
4486 ascii[idx] = (char) (p[i] < 0x20 || p[i] > 0x7e ? '.' : p[i]);
4487 ascii[idx + 1] = '\0';
4488 }
4489 while (i++ % 16) {
4490 if (n < dlen) n += (size_t) snprintf(dst + n, dlen - n, "%s", " ");


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrffGusdB2gY411RFCZULj23zVH-2FYjULe-2FZVatHaTNOtXGWK7d76ThnungrCH2R2Ak-3DjzLt_U-2BcIo0IeFG9EIIQe7AiEg4oWkKw9GoOEX2k5mfx97s-2FPQPxsZuy-2BARJF5MeN7Ri3kL8qf2wn4BDqL-2Bt9ZpNPti6s-2FroCNaqEbnR8nLxN-2FnwIpMn9STukcqZ3W4ghEKS0bswRadqBN3mQVrkUQZ1N-2B0szsSqPC6bHzDwf0Zotg1EYKeTSdrijf4MxdO-2BdUF4g30P8SjDUr56SFOPgtmPDXpBw6ZAj2ya9ekwu5JbwY8E-3D

scan-...@coverity.com

Feb 15, 2022, 12:26:05 PM2/15/22
to swup...@googlegroups.com
Hi,

Please find the latest report on new defect(s) introduced to sbabic/swupdate found with Coverity Scan.

16 new defect(s) introduced to sbabic/swupdate found with Coverity Scan.
13 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 16 of 16 defect(s)


** CID 318473: Null pointer dereferences (NULL_RETURNS)
/mongoose/mongoose.c: 11545 in mg_send_dns_query()


________________________________________________________________________________________________________
*** CID 318473: Null pointer dereferences (NULL_RETURNS)
/mongoose/mongoose.c: 11545 in mg_send_dns_query()
11539
11540 void mg_send_dns_query(struct mg_connection *nc, const char *name,
11541 int query_type) {
11542 struct mg_dns_message *msg =
11543 (struct mg_dns_message *) MG_CALLOC(1, sizeof(*msg));
11544 struct mbuf pkt;
>>> CID 318473: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing "msg", which is known to be "NULL".
11545 struct mg_dns_resource_record *rr = &msg->questions[0];
11546
11547 DBG(("%s %d", name, query_type));
11548
11549 mbuf_init(&pkt, 64 /* Start small, it'll grow as needed. */);
11550

** CID 318404: Null pointer dereferences (NULL_RETURNS)
/mongoose/mongoose.c: 3482 in mg_if_create_iface()


________________________________________________________________________________________________________
*** CID 318404: Null pointer dereferences (NULL_RETURNS)
/mongoose/mongoose.c: 3482 in mg_if_create_iface()
3476
3477 int mg_num_ifaces = (int) (sizeof(mg_ifaces) / sizeof(mg_ifaces[0]));
3478
3479 struct mg_iface *mg_if_create_iface(const struct mg_iface_vtable *vtable,
3480 struct mg_mgr *mgr) {
3481 struct mg_iface *iface = (struct mg_iface *) MG_CALLOC(1, sizeof(*iface));
>>> CID 318404: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing "iface", which is known to be "NULL".
3482 iface->mgr = mgr;
3483 iface->data = NULL;
3484 iface->vtable = vtable;
3485 return iface;
3486 }
3487

** CID 316450: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 7178 in mg_http_serve_file_internal()


________________________________________________________________________________________________________
*** CID 316450: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 7178 in mg_http_serve_file_internal()
7172 snprintf(range, sizeof(range),
7173 "Content-Range: bytes %" INT64_FMT "-%" INT64_FMT
7174 "/%" INT64_FMT "\r\n",
7175 r1, r1 + cl - 1, (int64_t) st.st_size);
7176 #if _FILE_OFFSET_BITS == 64 || _POSIX_C_SOURCE >= 200112L || \
7177 _XOPEN_SOURCE >= 600
>>> CID 316450: Error handling issues (CHECKED_RETURN)
>>> Calling "fseeko(pd->file.fp, r1, 0)" without checking return value. This library function may fail and return an error code.
7178 fseeko(pd->file.fp, r1, SEEK_SET);
7179 #else
7180 fseek(pd->file.fp, (long) r1, SEEK_SET);
7181 #endif
7182 }
7183 }

** CID 292130: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 8523 in mg_file_upload_handler()


________________________________________________________________________________________________________
*** CID 292130: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 8523 in mg_file_upload_handler()
8517 "Content-Type: text/plain\r\n"
8518 "Connection: close\r\n\r\n");
8519 mg_printf(nc, "Failed to write to %s: %d, wrote %d", mp->file_name,
8520 mg_get_errno(), (int) fus->num_recd);
8521 }
8522 fclose(fus->fp);
>>> CID 292130: Error handling issues (CHECKED_RETURN)
>>> Calling "remove(fus->lfn)" without checking return value. This library function may fail and return an error code.
8523 remove(fus->lfn);
8524 fus->fp = NULL;
8525 /* Do not close the connection just yet, discard remainder of the data.
8526 * This is because at the time of writing some browsers (Chrome) fail to
8527 * render response before all the data is sent. */
8528 return;

** CID 292127: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 10397 in mg_start_thread()


________________________________________________________________________________________________________
*** CID 292127: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 10397 in mg_start_thread()
10391 (void) pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
10392
10393 #if defined(MG_STACK_SIZE) && MG_STACK_SIZE > 1
10394 (void) pthread_attr_setstacksize(&attr, MG_STACK_SIZE);
10395 #endif
10396
>>> CID 292127: Error handling issues (CHECKED_RETURN)
>>> Calling "pthread_create" without checking return value (as is done elsewhere 5 out of 6 times).
10397 pthread_create(&thread_id, &attr, f, p);
10398 pthread_attr_destroy(&attr);
10399
10400 return (void *) thread_id;
10401 #endif
10402 }

** CID 183765: Null pointer dereferences (FORWARD_NULL)
/mongoose/mongoose.c: 7388 in mg_http_parse_header_internal()


________________________________________________________________________________________________________
*** CID 183765: Null pointer dereferences (FORWARD_NULL)
/mongoose/mongoose.c: 7388 in mg_http_parse_header_internal()
7382 const char *var_name,
7383 struct altbuf *ab) {
7384 int ch = ' ', ch1 = ',', ch2 = ';', n = strlen(var_name);
7385 const char *p, *end = hdr ? hdr->p + hdr->len : NULL, *s = NULL;
7386
7387 /* Find where variable starts */
>>> CID 183765: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "hdr".
7388 for (s = hdr->p; s != NULL && s + n < end; s++) {
7389 if ((s == hdr->p || s[-1] == ch || s[-1] == ch1 || s[-1] == ';') &&
7390 s[n] == '=' && !strncmp(s, var_name, n))
7391 break;
7392 }
7393

** CID 183763: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/mongoose/mongoose.c: 894 in cs_timegm()


________________________________________________________________________________________________________
*** CID 183763: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/mongoose/mongoose.c: 894 in cs_timegm()
888 60 *
889 (tm->tm_min /* Minute = 60 seconds */
890 +
891 60 * (tm->tm_hour /* Hour = 60 minutes */
892 +
893 24 * (month_day[month] + tm->tm_mday - 1 /* Day = 24 hours */
>>> CID 183763: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "365 * (year - 70)" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "int64_t" (64 bits, signed).
894 + 365 * (year - 70) /* Year = 365 days */
895 + (year_for_leap - 69) / 4 /* Every 4 years is leap... */
896 - (year_for_leap - 1) / 100 /* Except centuries... */
897 + (year_for_leap + 299) / 400))); /* Except 400s. */
898 return rt < 0 ? -1 : (double) rt;
899 }

** CID 183761: Null pointer dereferences (FORWARD_NULL)
/mongoose/mongoose.c: 10977 in mg_send_mqtt_handshake_opt()


________________________________________________________________________________________________________
*** CID 183761: Null pointer dereferences (FORWARD_NULL)
/mongoose/mongoose.c: 10977 in mg_send_mqtt_handshake_opt()
10971 }
10972
10973 if (opts.flags & MG_MQTT_HAS_WILL) {
10974 total_len += 2 + wt_len + 2 + wm_len;
10975 }
10976 if (opts.flags & MG_MQTT_HAS_USER_NAME) {
>>> CID 183761: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "opts.user_name" to "strlen", which dereferences it.
10977 user_len = strlen(opts.user_name);
10978 total_len += 2 + user_len;
10979 }
10980 if (opts.flags & MG_MQTT_HAS_PASSWORD) {
10981 pw_len = strlen(opts.password);
10982 total_len += 2 + pw_len;

** CID 183759: Insecure data handling (TAINTED_SCALAR)
/mongoose/mongoose.c: 11084 in mg_mqtt_next_subscribe_topic()


________________________________________________________________________________________________________
*** CID 183759: Insecure data handling (TAINTED_SCALAR)
/mongoose/mongoose.c: 11084 in mg_mqtt_next_subscribe_topic()
11078 if ((size_t) pos >= msg->payload.len) return -1;
11079
11080 topic->len = buf[0] << 8 | buf[1];
11081 topic->p = (char *) buf + 2;
11082 new_pos = pos + 2 + topic->len + 1;
11083 if ((size_t) new_pos > msg->payload.len) return -1;
>>> CID 183759: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "2UL + topic->len" as an index to pointer "buf".
11084 *qos = buf[2 + topic->len];
11085 return new_pos;
11086 }
11087
11088 void mg_mqtt_unsubscribe(struct mg_connection *nc, char **topics,
11089 size_t topics_len, uint16_t message_id) {

** CID 183757: Null pointer dereferences (FORWARD_NULL)
/mongoose/mongoose.c: 10981 in mg_send_mqtt_handshake_opt()


________________________________________________________________________________________________________
*** CID 183757: Null pointer dereferences (FORWARD_NULL)
/mongoose/mongoose.c: 10981 in mg_send_mqtt_handshake_opt()
10975 }
10976 if (opts.flags & MG_MQTT_HAS_USER_NAME) {
10977 user_len = strlen(opts.user_name);
10978 total_len += 2 + user_len;
10979 }
10980 if (opts.flags & MG_MQTT_HAS_PASSWORD) {
>>> CID 183757: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "opts.password" to "strlen", which dereferences it.
10981 pw_len = strlen(opts.password);
10982 total_len += 2 + pw_len;
10983 }
10984
10985 mg_send_mqtt_header(nc, MG_MQTT_CMD_CONNECT, 0, total_len);
10986 mg_send(nc, "\00\04MQTT\04", 7);

** CID 183756: Integer handling issues (NEGATIVE_RETURNS)


________________________________________________________________________________________________________
*** CID 183756: Integer handling issues (NEGATIVE_RETURNS)
/mongoose/mongoose.c: 7068 in mg_http_send_redirect()
7062 "Cache-Control: no-cache\r\n"
7063 "%.*s%s",
7064 (int) location.len, location.p, bl, (int) extra_headers.len,
7065 extra_headers.p, (extra_headers.len > 0 ? "\r\n" : ""));
7066 mg_send_response_line(nc, status_code, phead);
7067 if (phead != bhead) MG_FREE(phead);
>>> CID 183756: Integer handling issues (NEGATIVE_RETURNS)
>>> "bl" is passed to a parameter that cannot be negative.
7068 mg_send(nc, pbody, bl);
7069 if (pbody != bbody) MG_FREE(pbody);
7070 }
7071
7072 void mg_send_head(struct mg_connection *c, int status_code,
7073 int64_t content_length, const char *extra_headers) {

** CID 166498: (DC.WEAK_CRYPTO)
/mongoose/mongoose.c: 10026 in mg_ws_random_mask()
/mongoose/mongoose.c: 10028 in mg_ws_random_mask()


________________________________________________________________________________________________________
*** CID 166498: (DC.WEAK_CRYPTO)
/mongoose/mongoose.c: 10026 in mg_ws_random_mask()
10020 * that lacks rand().
10021 */
10022 #if MG_DISABLE_WS_RANDOM_MASK
10023 mask = 0xefbeadde; /* generated with a random number generator, I swear */
10024 #else
10025 if (sizeof(long) >= 4) {
>>> CID 166498: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
10026 mask = (uint32_t) rand();
10027 } else if (sizeof(long) == 2) {
10028 mask = (uint32_t) rand() << 16 | (uint32_t) rand();
10029 }
10030 #endif
10031 return mask;
/mongoose/mongoose.c: 10028 in mg_ws_random_mask()
10022 #if MG_DISABLE_WS_RANDOM_MASK
10023 mask = 0xefbeadde; /* generated with a random number generator, I swear */
10024 #else
10025 if (sizeof(long) >= 4) {
10026 mask = (uint32_t) rand();
10027 } else if (sizeof(long) == 2) {
>>> CID 166498: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
10028 mask = (uint32_t) rand() << 16 | (uint32_t) rand();
10029 }
10030 #endif
10031 return mask;
10032 }
10033

** CID 166497: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 9029 in mg_start_process()


________________________________________________________________________________________________________
*** CID 166497: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 9029 in mg_start_process()
9023 }
9024 snprintf(buf, sizeof(buf),
9025 "Status: 500\r\n\r\n"
9026 "500 Server Error: %s%s%s: %s",
9027 interp == NULL ? "" : interp, interp == NULL ? "" : " ", cmd,
9028 strerror(errno));
>>> CID 166497: Error handling issues (CHECKED_RETURN)
>>> Calling "send(1, buf, strlen(buf), 0)" without checking return value. This library function may fail and return an error code.
9029 send(1, buf, strlen(buf), 0);
9030 _exit(EXIT_FAILURE); /* exec call failed */
9031 }
9032
9033 return (pid != 0);
9034 }

** CID 166486: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 4179 in mg_sock_get_addr()


________________________________________________________________________________________________________
*** CID 166486: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 4179 in mg_sock_get_addr()
4173 union socket_address *sa) {
4174 socklen_t slen = sizeof(*sa);
4175 memset(sa, 0, slen);
4176 if (remote) {
4177 getpeername(sock, &sa->sa, &slen);
4178 } else {
>>> CID 166486: Error handling issues (CHECKED_RETURN)
>>> Calling "getsockname(sock, __SOCKADDR_ARG({.__sockaddr__ = &sa->sa}), &slen)" without checking return value. This library function may fail and return an error code.
4179 getsockname(sock, &sa->sa, &slen);
4180 }
4181 }
4182
4183 void mg_sock_to_str(sock_t sock, char *buf, size_t len, int flags) {
4184 union socket_address sa;

** CID 166468: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 10410 in mg_set_close_on_exec()


________________________________________________________________________________________________________
*** CID 166468: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 10410 in mg_set_close_on_exec()
10404
10405 /* Set close-on-exec bit for a given socket. */
10406 void mg_set_close_on_exec(sock_t sock) {
10407 #if defined(_WIN32) && !defined(WINCE)
10408 (void) SetHandleInformation((HANDLE) sock, HANDLE_FLAG_INHERIT, 0);
10409 #elif defined(__unix__)
>>> CID 166468: Error handling issues (CHECKED_RETURN)
>>> Calling "fcntl(sock, 2, 1)" without checking return value. This library function may fail and return an error code.
10410 fcntl(sock, F_SETFD, FD_CLOEXEC);
10411 #else
10412 (void) sock;
10413 #endif
10414 }
10415

** CID 166433: Possible Control flow issues (DEADCODE)
/mongoose/mongoose.c: 8309 in mg_send_http_file()


________________________________________________________________________________________________________
*** CID 166433: Possible Control flow issues (DEADCODE)
/mongoose/mongoose.c: 8309 in mg_send_http_file()
8303 if (path_info->len > 0 && !is_cgi) {
8304 mg_http_send_error(nc, 501, NULL);
8305 MG_FREE(index_file);
8306 return;
8307 }
8308
>>> CID 166433: Possible Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "opts->dav_document_root == NULL" inside this statement: "if (is_dav && opts->dav_doc...".
8309 if (is_dav && opts->dav_document_root == NULL) {
8310 mg_http_send_error(nc, 501, NULL);
8311 } else if (!mg_http_is_authorized(
8312 hm, mg_mk_str(path), opts->auth_domain, opts->global_auth_file,
8313 ((is_directory ? MG_AUTH_FLAG_IS_DIRECTORY : 0) |
8314 MG_AUTH_FLAG_IS_GLOBAL_PASS_FILE |


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrffGusdB2gY411RFCZULj23zVH-2FYjULe-2FZVatHaTNOtXGWK7d76ThnungrCH2R2Ak-3DJoOG_U-2BcIo0IeFG9EIIQe7AiEg4oWkKw9GoOEX2k5mfx97s8F-2BYKp8l2SoZ93qP7QY3uFR-2BKQ7Ks7ZhhJGZ5Cyg1aUwe5M3gyUwLgUXbELpdCZVVS6h81O3ZpTdJTqM4VOulYdjF-2Fzl5Lwk5tyM4bF9ACVvoaSTssBWsT0mXJCiI8KIa3ng66ogMkB9k3MXpJXVyFVglWYm5UE-2BZFneBIMubYs0-2FTU2E-2FsnGbBppgrmT3pQY-3D

scan-...@coverity.com

Feb 16, 2022, 6:57:06 AM2/16/22
to swup...@googlegroups.com
Hi,

Please find the latest report on new defect(s) introduced to sbabic/swupdate found with Coverity Scan.

15 new defect(s) introduced to sbabic/swupdate found with Coverity Scan.
17 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 15 of 15 defect(s)


** CID 349350: (USE_AFTER_FREE)
/mongoose/mongoose_interface.c: 964 in start_mongoose()
/mongoose/mongoose_interface.c: 964 in start_mongoose()


________________________________________________________________________________________________________
*** CID 349350: (USE_AFTER_FREE)
/mongoose/mongoose_interface.c: 964 in start_mongoose()
958
959 while (s_signo == 0)
960 mg_mgr_poll(&mgr, 100);
961 mg_mgr_free(&mgr);
962 if (opts.port)
963 free(opts.port);
>>> CID 349350: (USE_AFTER_FREE)
>>> Using freed pointer "url".
964 if (url != NULL && url != s_http_port)
965 free(url);
966
967 return 0;
/mongoose/mongoose_interface.c: 964 in start_mongoose()
958
959 while (s_signo == 0)
960 mg_mgr_poll(&mgr, 100);
961 mg_mgr_free(&mgr);
962 if (opts.port)
963 free(opts.port);
>>> CID 349350: (USE_AFTER_FREE)
>>> Using freed pointer "url".
964 if (url != NULL && url != s_http_port)
965 free(url);
966
967 return 0;

** CID 349349: Null pointer dereferences (REVERSE_INULL)
/mongoose/mongoose_interface.c: 964 in start_mongoose()


________________________________________________________________________________________________________
*** CID 349349: Null pointer dereferences (REVERSE_INULL)
/mongoose/mongoose_interface.c: 964 in start_mongoose()
958
959 while (s_signo == 0)
960 mg_mgr_poll(&mgr, 100);
961 mg_mgr_free(&mgr);
962 if (opts.port)
963 free(opts.port);
>>> CID 349349: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "url" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
964 if (url != NULL && url != s_http_port)
965 free(url);
966
967 return 0;

** CID 349328: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 3186 in iolog()


________________________________________________________________________________________________________
*** CID 349328: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 3186 in iolog()
3180 char t1[50] = "", t2[50] = "";
3181 socklen_t slen = sizeof(usa.sin);
3182 char *s = mg_hexdump(buf, (size_t) n);
3183 struct mg_addr a;
3184 memset(&usa, 0, sizeof(usa));
3185 memset(&a, 0, sizeof(a));
>>> CID 349328: Error handling issues (CHECKED_RETURN)
>>> Calling "getsockname((SOCKET)(size_t)c->fd, __SOCKADDR_ARG({.__sockaddr__ = &usa.sa}), &slen)" without checking return value. This library function may fail and return an error code.
3186 getsockname(FD(c), &usa.sa, &slen);
3187 tomgaddr(&usa, &a, c->peer.is_ip6);
3188 LOG(LL_INFO, ("\n-- %lu %s %s %s %s %ld\n%s", c->id,
3189 mg_straddr(&a, t1, sizeof(t1)), r ? "<-" : "->",
3190 mg_straddr(&c->peer, t2, sizeof(t2)), c->label, n, s));
3191 free(s);

** CID 340736: (CHECKED_RETURN)
/mongoose/mongoose.c: 3386 in setsockopts()
/mongoose/mongoose.c: 3380 in setsockopts()
/mongoose/mongoose.c: 3391 in setsockopts()
/mongoose/mongoose.c: 3382 in setsockopts()
/mongoose/mongoose.c: 3378 in setsockopts()
/mongoose/mongoose.c: 3392 in setsockopts()


________________________________________________________________________________________________________
*** CID 340736: (CHECKED_RETURN)
/mongoose/mongoose.c: 3386 in setsockopts()
3380 setsockopt(FD(c), SOL_TCP, TCP_QUICKACK, (char *) &on, sizeof(on));
3381 #endif
3382 setsockopt(FD(c), SOL_SOCKET, SO_KEEPALIVE, (char *) &on, sizeof(on));
3383 #if (defined(ESP32) && ESP32) || (defined(ESP8266) && ESP8266) || \
3384 defined(__linux__)
3385 int idle = 60;
>>> CID 340736: (CHECKED_RETURN)
>>> Calling "setsockopt((SOCKET)(size_t)c->fd, IPPROTO_TCP, 4, &idle, 4U)" without checking return value. This library function may fail and return an error code.
3386 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPIDLE, &idle, sizeof(idle));
3387 #endif
3388 #if !defined(_WIN32) && !defined(__QNX__)
3389 {
3390 int cnt = 3, intvl = 20;
3391 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPCNT, &cnt, sizeof(cnt));
/mongoose/mongoose.c: 3382 in setsockopts()
3376 #define SOL_TCP IPPROTO_TCP
3377 #endif
3378 setsockopt(FD(c), SOL_TCP, TCP_NODELAY, (char *) &on, sizeof(on));
3379 #if defined(TCP_QUICKACK)
3380 setsockopt(FD(c), SOL_TCP, TCP_QUICKACK, (char *) &on, sizeof(on));
3381 #endif
>>> CID 340736: (CHECKED_RETURN)
>>> Calling "setsockopt((SOCKET)(size_t)c->fd, 1, 9, (char *)&on, 4U)" without checking return value. This library function may fail and return an error code.
3382 setsockopt(FD(c), SOL_SOCKET, SO_KEEPALIVE, (char *) &on, sizeof(on));
3383 #if (defined(ESP32) && ESP32) || (defined(ESP8266) && ESP8266) || \
3384 defined(__linux__)
3385 int idle = 60;
3386 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPIDLE, &idle, sizeof(idle));
3387 #endif
/mongoose/mongoose.c: 3378 in setsockopts()
3372 (void) c;
3373 #else
3374 int on = 1;
3375 #if !defined(SOL_TCP)
3376 #define SOL_TCP IPPROTO_TCP
3377 #endif
>>> CID 340736: (CHECKED_RETURN)
>>> Calling "setsockopt((SOCKET)(size_t)c->fd, 6, 1, (char *)&on, 4U)" without checking return value. This library function may fail and return an error code.
3378 setsockopt(FD(c), SOL_TCP, TCP_NODELAY, (char *) &on, sizeof(on));
3379 #if defined(TCP_QUICKACK)
3380 setsockopt(FD(c), SOL_TCP, TCP_QUICKACK, (char *) &on, sizeof(on));
3381 #endif
3382 setsockopt(FD(c), SOL_SOCKET, SO_KEEPALIVE, (char *) &on, sizeof(on));
3383 #if (defined(ESP32) && ESP32) || (defined(ESP8266) && ESP8266) || \
/mongoose/mongoose.c: 3392 in setsockopts()
3386 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPIDLE, &idle, sizeof(idle));
3387 #endif
3388 #if !defined(_WIN32) && !defined(__QNX__)
3389 {
3390 int cnt = 3, intvl = 20;
3391 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPCNT, &cnt, sizeof(cnt));
>>> CID 340736: (CHECKED_RETURN)
>>> Calling "setsockopt((SOCKET)(size_t)c->fd, IPPROTO_TCP, 5, &intvl, 4U)" without checking return value. This library function may fail and return an error code.
3392 setsockopt(FD(c), IPPROTO_TCP, TCP_KEEPINTVL, &intvl, sizeof(intvl));
3393 }
3394 #endif
3395 #endif
3396 }
3397

** CID 340734: (TAINTED_SCALAR)
/mongoose/mongoose.c: 223 in mg_dns_parse()
/mongoose/mongoose.c: 218 in mg_dns_parse()


________________________________________________________________________________________________________
*** CID 340734: (TAINTED_SCALAR)
>>> CID 340731: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "2UL + topic->len" as an index to pointer "buf".
2470 if (qos != NULL) *qos = buf[2 + topic->len];
2471 return new_pos;
2472 }
2473
2474 size_t mg_mqtt_next_sub(struct mg_mqtt_message *msg, struct mg_str *topic,
2475 uint8_t *qos, size_t pos) {

** CID 340729: (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 340729: (TAINTED_SCALAR)
/mongoose/mongoose.c: 4862 in mg_ws_cb()
4856 break;
4857 }
4858
4859 // Handle fragmented frames: strip header, keep in c->recv
4860 if (final == 0 || op == 0) {
4861 if (op) ofs++, len--, msg.header_len--; // First frame
>>> CID 340729: (TAINTED_SCALAR)
>>> Passing tainted expression "c->recv.len" to "mg_iobuf_del", which uses it as an offset.
4862 mg_iobuf_del(&c->recv, ofs, msg.header_len); // Strip header
4863 len -= msg.header_len;
4864 ofs += len;
4865 c->pfn_data = (void *) ofs;
4866 // LOG(LL_INFO, ("FRAG %d [%.*s]", (int) ofs, (int) ofs, c->recv.buf));
4867 }

** CID 340728: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 3513 in mg_mgr_wakeup()


________________________________________________________________________________________________________
*** CID 340728: Error handling issues (CHECKED_RETURN)
/mongoose/mongoose.c: 3513 in mg_mgr_wakeup()
3507
3508 return result;
3509 }
3510
3511 void mg_mgr_wakeup(struct mg_connection *c, const void *buf, size_t len) {
3512 if (buf == NULL || len == 0) buf = (void *) "", len = 1;
>>> CID 340728: Error handling issues (CHECKED_RETURN)
>>> Calling "send((SOCKET)(size_t)c->pfn_data, (char const *)buf, len, 0)" without checking return value. This library function may fail and return an error code.
3513 send((SOCKET) (size_t) c->pfn_data, (const char *) buf, len, MSG_NONBLOCKING);
3514 }
3515
3516 static void pf1(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
3517 if (ev == MG_EV_READ) {
3518 mg_iobuf_free(&c->recv);

** CID 340727: (NULL_RETURNS)


________________________________________________________________________________________________________
*** CID 340727: (NULL_RETURNS)
/mongoose/mongoose_multipart.c: 350 in multipart_upload_handler()
344 /* New request - new proto data */
345 nc->label[0] = 'M';
346
347 nc->pfn = fn;
348 nc->pfn_data = calloc(1, sizeof(struct mg_http_multipart_stream));
349 mg_http_multipart_begin(nc, hm);
>>> CID 340727: (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "nc->pfn_data" when calling "mg_http_multipart_continue".
350 mg_http_multipart_continue(nc);
351 return;
352 }
353 }
/mongoose/mongoose_multipart.c: 349 in multipart_upload_handler()
343 if (s->len >= 9 && strncmp(s->ptr, "multipart", 9) == 0) {
344 /* New request - new proto data */
345 nc->label[0] = 'M';
346
347 nc->pfn = fn;
348 nc->pfn_data = calloc(1, sizeof(struct mg_http_multipart_stream));
>>> CID 340727: (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "nc->pfn_data" when calling "mg_http_multipart_begin".
349 mg_http_multipart_begin(nc, hm);
350 mg_http_multipart_continue(nc);
351 return;
352 }
353 }

** CID 340725: Security best practices violations (DC.WEAK_CRYPTO)
/mongoose/mongoose.c: 4414 in mg_random()


________________________________________________________________________________________________________
*** CID 340725: Security best practices violations (DC.WEAK_CRYPTO)
/mongoose/mongoose.c: 4414 in mg_random()
4408 if (fp != NULL) {
4409 if (fread(buf, 1, len, fp) == len) done = true;
4410 fclose(fp);
4411 }
4412 #endif
4413 // If everything above did not work, fallback to a pseudo random generator
>>> CID 340725: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
4414 while (!done && len--) *p++ = (unsigned char) (rand() & 255);
4415 }
4416 #endif
4417
4418 bool mg_globmatch(const char *s1, size_t n1, const char *s2, size_t n2) {
4419 size_t i = 0, j = 0, ni = 0, nj = 0;

** CID 340724: Null pointer dereferences (NULL_RETURNS)
/mongoose/mongoose_multipart.c: 343 in multipart_upload_handler()


________________________________________________________________________________________________________
*** CID 340724: Null pointer dereferences (NULL_RETURNS)
/mongoose/mongoose_multipart.c: 343 in multipart_upload_handler()
337 return;
338 }
339 }
340
341 if (hm->chunk.len >= 0 && ev == MG_EV_HTTP_CHUNK) {
342 s = mg_http_get_header(hm, "Content-Type");
>>> CID 340724: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing "s", which is known to be "NULL".
343 if (s->len >= 9 && strncmp(s->ptr, "multipart", 9) == 0) {
344 /* New request - new proto data */
345 nc->label[0] = 'M';
346
347 nc->pfn = fn;
348 nc->pfn_data = calloc(1, sizeof(struct mg_http_multipart_stream));

** CID 340723: Security best practices violations (DC.WEAK_CRYPTO)
/mongoose/mongoose.c: 465 in mg_file_write()


________________________________________________________________________________________________________
*** CID 340723: Security best practices violations (DC.WEAK_CRYPTO)
/mongoose/mongoose.c: 465 in mg_file_write()
459
460 bool mg_file_write(struct mg_fs *fs, const char *path, const void *buf,
461 size_t len) {
462 bool result = false;
463 struct mg_fd *fd;
464 char tmp[MG_PATH_MAX];
>>> CID 340723: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
465 snprintf(tmp, sizeof(tmp), "%s..%d", path, rand());
466 if ((fd = mg_fs_open(fs, tmp, MG_FS_WRITE)) != NULL) {
467 result = fs->write(fd->fd, buf, len) == len;
468 mg_fs_close(fd);
469 if (result) {
470 fs->remove(path);

** CID 340722: Control flow issues (NO_EFFECT)
/mongoose/mongoose_multipart.c: 341 in multipart_upload_handler()


________________________________________________________________________________________________________
*** CID 340722: Control flow issues (NO_EFFECT)
/mongoose/mongoose_multipart.c: 341 in multipart_upload_handler()
335 mg_call(nc, MG_EV_HTTP_MULTIPART_REQUEST_END, &mp);
336 mp_stream->state = MPS_FINISHED;
337 return;
338 }
339 }
340
>>> CID 340722: Control flow issues (NO_EFFECT)
>>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "hm->chunk.len >= 0UL".
341 if (hm->chunk.len >= 0 && ev == MG_EV_HTTP_CHUNK) {
342 s = mg_http_get_header(hm, "Content-Type");
343 if (s->len >= 9 && strncmp(s->ptr, "multipart", 9) == 0) {
344 /* New request - new proto data */
345 nc->label[0] = 'M';
346
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrffGusdB2gY411RFCZULj23zVH-2FYjULe-2FZVatHaTNOtXGWK7d76ThnungrCH2R2Ak-3D9NHc_U-2BcIo0IeFG9EIIQe7AiEg4oWkKw9GoOEX2k5mfx97s-2FLOWEFm-2FnLYpct0AdYcERTissbwAPFnjDDT1wc-2BQqXw1zBVG1fpAHaV8ngIt4nb-2FwEu8jLqi-2FdF1vmAc9IAbJrxVBIB3Erhdn7SiL-2FrPzqT6mCaDH-2FdMbxDOICLA-2F6j8hTznhH9hWNfkEVc9maOGA9PZ0ffXBqZj9NtpDHvPpn6ZO1GFFTAhUBc-2FizBuF01N0-3D

scan-...@coverity.com

Feb 17, 2022, 8:51:08 AM2/17/22
to swup...@googlegroups.com
Hi,

Please find the latest report on new defect(s) introduced to sbabic/swupdate found with Coverity Scan.

2 new defect(s) introduced to sbabic/swupdate found with Coverity Scan.
6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 349613: (UNINIT)


________________________________________________________________________________________________________
*** CID 349613: (UNINIT)
/mongoose/mongoose_interface.c: 942 in start_mongoose()
936 char *end;
937 errno = 0;
938 unsigned long port = strtoul(opts.port, &end, 10);
939 if (opts.port == end || errno || *end || port > 65535)
940 url = strdup(opts.port);
941 else
>>> CID 349613: (UNINIT)
>>> Using uninitialized value "url" when calling "mg_asprintf".
942 mg_asprintf(&url, 0, ":%lu", port);
943 }
944 free(opts.port);
945 } else {
946 mg_asprintf(&url, 0, ":%s", MG_PORT);
947 }
/mongoose/mongoose_interface.c: 946 in start_mongoose()
940 url = strdup(opts.port);
941 else
942 mg_asprintf(&url, 0, ":%lu", port);
943 }
944 free(opts.port);
945 } else {
>>> CID 349613: (UNINIT)
>>> Using uninitialized value "url" when calling "mg_asprintf".
946 mg_asprintf(&url, 0, ":%s", MG_PORT);
947 }
948
949 nc = mg_http_listen(&mgr, url, ev_handler, NULL);
950 if (nc == NULL) {
951 ERROR("Failed to start Mongoose.");

** CID 349612: Null pointer dereferences (NULL_RETURNS)
/mongoose/mongoose_multipart.c: 86 in mg_http_multipart_begin()


________________________________________________________________________________________________________
*** CID 349612: Null pointer dereferences (NULL_RETURNS)
/mongoose/mongoose_multipart.c: 86 in mg_http_multipart_begin()
80 LOG(LL_DEBUG,("invalid request"));
81 return;
82 }
83
84 /* If we reach this place - that is multipart request */
85
>>> CID 349612: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing "mp_stream", which is known to be "NULL".
86 if (mp_stream->boundary.len != 0) {
87 /*
88 * Another streaming request was in progress,
89 * looks like protocol error
90 */
91 nc->is_closing = 1;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrffGusdB2gY411RFCZULj23zVH-2FYjULe-2FZVatHaTNOtXGWK7d76ThnungrCH2R2Ak-3D9-HV_U-2BcIo0IeFG9EIIQe7AiEg4oWkKw9GoOEX2k5mfx97s-2FSOCnPnircYjyYhDT-2BJk5CvfRqkYnxGt5-2Bjy3CBDCRhWG9io2fZhoAFzKms0RUiyI4TtFk-2BD9RZ-2BlRmUJPZ-2BwdHC10jeIUDNHVesKv0mlNOcQldWeIz-2FkeYCN89ysK6onKKzQHaHeU5xWfnl466mpKKkN1M0V4ejvGb8Iq-2BSPOmRPxX-2ByUREs32dL-2BPOjLnQE-3D
