New Defects reported by Coverity Scan for sbabic/swupdate


scan-...@coverity.com

Jul 1, 2024, 4:15:05 AM
to swup...@googlegroups.com
Hi,

Please find the latest report on new defect(s) introduced to sbabic/swupdate found with Coverity Scan.

20 new defect(s) introduced to sbabic/swupdate found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 20 defect(s)


** CID 498876: (INTEGER_OVERFLOW)
/corelib/multipart_parser.c: 266 in multipart_parser_execute()
/corelib/multipart_parser.c: 257 in multipart_parser_execute()
/corelib/multipart_parser.c: 314 in multipart_parser_execute()


________________________________________________________________________________________________________
*** CID 498876: (INTEGER_OVERFLOW)
/corelib/multipart_parser.c: 266 in multipart_parser_execute()
260 case s_part_data_boundary:
261 multipart_log("s_part_data_boundary");
262 if (p->multipart_boundary[p->index] != c) {
263 EMIT_DATA_CB(part_data, p->lookbehind,
264 2 + p->index);
265 p->state = s_part_data;
>>> CID 498876: (INTEGER_OVERFLOW)
>>> Expression "i--", which is equal to 18446744073709551615, where "i" is known to be equal to 0, underflows the type that receives it, an unsigned integer 64 bits wide.
266 mark = i--;
267 break;
268 }
269 p->lookbehind[2 + p->index] = c;
270 if ((++p->index) == p->boundary_length) {
271 NOTIFY_CB(part_data_end);
/corelib/multipart_parser.c: 257 in multipart_parser_execute()
251 p->lookbehind[1] = LF;
252 p->index = 0;
253 break;
254 }
255 EMIT_DATA_CB(part_data, p->lookbehind, 1);
256 p->state = s_part_data;
>>> CID 498876: (INTEGER_OVERFLOW)
>>> Expression "i--", which is equal to 18446744073709551615, where "i" is known to be equal to 0, underflows the type that receives it, an unsigned integer 64 bits wide.
257 mark = i--;
258 break;
259
260 case s_part_data_boundary:
261 multipart_log("s_part_data_boundary");
262 if (p->multipart_boundary[p->index] != c) {
/corelib/multipart_parser.c: 314 in multipart_parser_execute()
308 break;
309
310 default:
311 multipart_log("Multipart parser unrecoverable error");
312 return 0;
313 }
>>> CID 498876: (INTEGER_OVERFLOW)
>>> Expression "++i", which is equal to 0, where "i" is known to be equal to 18446744073709551615, overflows the type that receives it, an unsigned integer 64 bits wide.
314 ++i;
315 }
316
317 return len;

** CID 498875: (INTEGER_OVERFLOW)
/core/cpio_utils.c: 70 in _fill_buffer()
/core/cpio_utils.c: 92 in _fill_buffer()


________________________________________________________________________________________________________
*** CID 498875: (INTEGER_OVERFLOW)
/core/cpio_utils.c: 70 in _fill_buffer()
64 {
65 ssize_t len;
66 unsigned long count = 0;
67 int i;
68
69 while (nbytes > 0) {
>>> CID 498875: (INTEGER_OVERFLOW)
>>> "nbytes", which might have underflowed, is passed to "read(fd, buf, nbytes)".
70 len = read(fd, buf, nbytes);
71 if (len < 0) {
72 ERROR("Failure in stream %d: %s", fd, strerror(errno));
73 return -EFAULT;
74 }
75 if (len == 0) {
/core/cpio_utils.c: 92 in _fill_buffer()
86 buf += len;
87 count += len;
88 nbytes -= len;
89 *offs += len;
90 }
91
>>> CID 498875: (INTEGER_OVERFLOW)
>>> "count", which might have underflowed, is returned from the function.
92 return count;
93 }
94
95
96 int fill_buffer(int fd, unsigned char *buf, unsigned int nbytes)
97 {

** CID 498874: Incorrect expression (COPY_PASTE_ERROR)
/suricatta/server_hawkbit.c: 1126 in server_process_update_artifact()


________________________________________________________________________________________________________
*** CID 498874: Incorrect expression (COPY_PASTE_ERROR)
/suricatta/server_hawkbit.c: 1126 in server_process_update_artifact()
1120 for (int json_data_artifact_count = 0;
1121 json_data_artifact_count < json_data_artifact_max;
1122 json_data_artifact_count++) {
1123 int thread_ret = -1;
1124 json_data_artifact_item = array_list_get_idx(
1125 json_data_artifact_array, json_data_artifact_count);
>>> CID 498874: Incorrect expression (COPY_PASTE_ERROR)
>>> "DEBUGLEVEL" looks like a copy-paste error.
1126 TRACE("Iterating over JSON, key=%s",
1127 json_object_to_json_string(json_data_artifact_item));
1128 json_object *json_data_artifact_filename =
1129 json_get_path_key(json_data_artifact_item,
1130 (const char *[]){"filename", NULL});
1131 json_object *json_data_artifact_sha1hash =

** CID 498873: Control flow issues (UNREACHABLE)
/handlers/delta_handler.c: 807 in copy_network_chunks()


________________________________________________________________________________________________________
*** CID 498873: Control flow issues (UNREACHABLE)
/handlers/delta_handler.c: 807 in copy_network_chunks()
801 priv->dwlstate = NOTRUNNING;
802 *dstChunk = priv->chunk;
803 return !priv->error_in_parser;
804 }
805 }
806
>>> CID 498873: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "return !priv->error_in_parser;".
807 return !priv->error_in_parser;
808 }
809
810 /*
811 * This writes a chunk from an existing copy on the source path
812 * The chunk to be copied is retrieved via zck_get_src_chunk()

** CID 498872: Incorrect expression (COPY_PASTE_ERROR)
/suricatta/server_hawkbit.c: 2107 in server_activation_ipc()


________________________________________________________________________________________________________
*** CID 498872: Incorrect expression (COPY_PASTE_ERROR)
/suricatta/server_hawkbit.c: 2107 in server_activation_ipc()
2101 if (result == SERVER_UPDATE_CANCELED) {
2102 DEBUG("Acknowledging cancelled update.");
2103 (void)server_send_cancel_reply(server_hawkbit.channel, server_action_id);
2104 }
2105
2106 if (action_id != server_action_id) {
>>> CID 498872: Incorrect expression (COPY_PASTE_ERROR)
>>> "DEBUGLEVEL" looks like a copy-paste error.
2107 TRACE("Deployment changed on server: our id %d, on server %d",
2108 action_id, server_action_id);
2109 } else {
2110 response = handle_feedback(action_id, result, update_state, reply_result,
2111 reply_execution,
2112 numdetails == 0 ? 1 : numdetails, details);

** CID 498871: Memory - illegal accesses (INTEGER_OVERFLOW)
/handlers/delta_downloader.c: 200 in start_delta_downloader()


________________________________________________________________________________________________________
*** CID 498871: Memory - illegal accesses (INTEGER_OVERFLOW)
/handlers/delta_downloader.c: 200 in start_delta_downloader()
194 channel_data.url = req->data;
195 channel_data.noipc = true;
196 channel_data.method = CHANNEL_GET;
197 channel_data.content_type = "*";
198 channel_data.headers = delta_callback_headers;
199 channel_data.dwlwrdata = wrdata_callback;
>>> CID 498871: Memory - illegal accesses (INTEGER_OVERFLOW)
>>> "req->urllen + 1UL", which might have overflowed, is used in a pointer index in "req->data[req->urllen + 1UL]".
200 channel_data.range = &req->data[req->urllen + 1];
201 channel_data.user = &priv;
202
203 swupdate_cfg_handle handle;
204 swupdate_cfg_init(&handle);
205

** CID 498870: Insecure data handling (INTEGER_OVERFLOW)
/handlers/flash_handler.c: 206 in flash_write_nand()


________________________________________________________________________________________________________
*** CID 498870: Insecure data handling (INTEGER_OVERFLOW)
/handlers/flash_handler.c: 206 in flash_write_nand()
200 size_t readlen = mtd->min_io_size;
201 size_t alreadyread = (filebuf + filebuf_len) - writebuf;
202 size_t tinycnt = alreadyread;
203 ssize_t cnt = 0;
204
205 while (tinycnt < readlen) {
>>> CID 498870: Insecure data handling (INTEGER_OVERFLOW)
>>> "readlen - tinycnt", which might have underflowed, is passed to "read(ifd, writebuf + tinycnt, readlen - tinycnt)".
206 cnt = read(ifd, writebuf + tinycnt, readlen - tinycnt);
207 if (cnt == 0) { /* EOF */
208 break;
209 } else if (cnt < 0) {
210 ERROR("File I/O error on input");
211 goto closeall;

** CID 498869: Incorrect expression (COPY_PASTE_ERROR)
/parser/parser.c: 1154 in parse_json()


________________________________________________________________________________________________________
*** CID 498869: Incorrect expression (COPY_PASTE_ERROR)
/parser/parser.c: 1154 in parse_json()
1148 if (ret < 0) {
1149 ret = -errno;
1150 free(string);
1151 return ret;
1152 }
1153 if (ret != size) {
>>> CID 498869: Incorrect expression (COPY_PASTE_ERROR)
>>> "DEBUGLEVEL" looks like a copy-paste error.
1154 ERROR("partial read of %s, proceeding anyway", filename);
1155 }
1156 string[ret] = '\0';
1157
1158 cfg = json_tokener_parse(string);
1159 if (!cfg) {

** CID 498868: Insecure data handling (INTEGER_OVERFLOW)
/handlers/diskpart_handler.c: 984 in read_partition()


________________________________________________________________________________________________________
*** CID 498868: Insecure data handling (INTEGER_OVERFLOW)
/handlers/diskpart_handler.c: 984 in read_partition()
978
979 close(fd);
980
981 out:
982 free(path);
983 free(data);
>>> CID 498868: Insecure data handling (INTEGER_OVERFLOW)
>>> "partition", which might have overflowed, is returned from the function.
984 return partition;
985 }
986
987 static int set_partition(char *buf, int bufsize, char *device, int partno)
988 {
989 char *device1 = strdup(device);

** CID 498867: Integer handling issues (INTEGER_OVERFLOW)
/core/parsing_library.c: 264 in set_find_path()


________________________________________________________________________________________________________
*** CID 498867: Integer handling issues (INTEGER_OVERFLOW)
/core/parsing_library.c: 264 in set_find_path()
258 /*
259 * Count is surely > 0, decrementing is safe
260 * Do not consider the last leaf with "ref"
261 * This means that "#./link" is searched
262 * starting from the parent of "ref"
263 */
>>> CID 498867: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "count--", which is equal to 4294967295, where "count" is known to be equal to 0, underflows the type that receives it, an unsigned integer 32 bits wide.
264 count--;
265
266 ref = strdup(newpath);
267 if (!ref) {
268 ERROR("No memory: failed for %zu bytes",
269 strlen(newpath) + 1);

** CID 498866: Incorrect expression (COPY_PASTE_ERROR)
/core/swupdate.c: 244 in parse_image_selector()


________________________________________________________________________________________________________
*** CID 498866: Incorrect expression (COPY_PASTE_ERROR)
/core/swupdate.c: 244 in parse_image_selector()
238 {
239 char *pos;
240
241 DEBUG("Parsing selector: %s", selector);
242 pos = strchr(selector, ',');
243 if (pos == NULL) {
>>> CID 498866: Incorrect expression (COPY_PASTE_ERROR)
>>> "DEBUGLEVEL" looks like a copy-paste error.
244 ERROR("Incorrect select option format: %s", selector);
245 return -EINVAL;
246 }
247
248 *pos = '\0';
249

** CID 498865: Incorrect expression (COPY_PASTE_ERROR)
/handlers/delta_handler.c: 694 in search_boundary_in_body()


________________________________________________________________________________________________________
*** CID 498865: Incorrect expression (COPY_PASTE_ERROR)
/handlers/delta_handler.c: 694 in search_boundary_in_body()
688 {
689 char *s;
690 range_answer_t *answer = priv->answer;
691 size_t i;
692
693 if (priv->range_type == NONE_RANGE) {
>>> CID 498865: Incorrect expression (COPY_PASTE_ERROR)
>>> "DEBUGLEVEL" looks like a copy-paste error.
694 ERROR("Malformed body, no boundary found");
695 return false;
696 }
697
698 if (priv->range_type == SINGLE_RANGE) {
699 /* Body contains just one range, it is data, do nothing */

** CID 498864: Insecure data handling (INTEGER_OVERFLOW)
/corelib/channel_curl.c: 256 in resume_cache_file()


________________________________________________________________________________________________________
*** CID 498864: Insecure data handling (INTEGER_OVERFLOW)
/corelib/channel_curl.c: 256 in resume_cache_file()
250 * Cache file is used just once: after it is read, it is
251 * dropped automatically to avoid to reuse it again
252 * for next update
253 */
254 unlink(fname);
255
>>> CID 498864: Insecure data handling (INTEGER_OVERFLOW)
>>> "processed", which might have overflowed, is returned from the function.
256 return processed;
257 }
258
259 size_t channel_callback_membuffer(void *streamdata, size_t size, size_t nmemb,
260 write_callback_t *data)
261 {

** CID 498863: Insecure data handling (INTEGER_OVERFLOW)
/handlers/delta_handler.c: 491 in create_zckindex()


________________________________________________________________________________________________________
*** CID 498863: Insecure data handling (INTEGER_OVERFLOW)
/handlers/delta_handler.c: 491 in create_zckindex()
485 bool rstatus = true;
486
487 if (!buf) {
488 ERROR("OOM creating temporary buffer");
489 return false;
490 }
>>> CID 498863: Insecure data handling (INTEGER_OVERFLOW)
>>> "bufsize", which might have underflowed, is passed to "read(fd, buf, bufsize)".
491 while ((n = read(fd, buf, bufsize)) > 0) {
492 if (zck_write(zck, buf, n) < 0) {
493 ERROR("ZCK returns %s", zck_get_error(zck));
494 free(buf);
495 return false;
496 }

** CID 498862: Incorrect expression (COPY_PASTE_ERROR)
/handlers/ucfw_handler.c: 582 in prepare_update()


________________________________________________________________________________________________________
*** CID 498862: Incorrect expression (COPY_PASTE_ERROR)
/handlers/ucfw_handler.c: 582 in prepare_update()
576
577 DEBUG("Using %s", img->device);
578
579 priv->fduart = open(img->device, O_RDWR);
580
581 if (priv->fduart < 0) {
>>> CID 498862: Incorrect expression (COPY_PASTE_ERROR)
>>> "DEBUGLEVEL" looks like a copy-paste error.
582 ERROR("Cannot open UART %s", img->device);
583 return -ENODEV;
584 }
585
586 set_uart(priv->fduart);
587

** CID 498861: Incorrect expression (COPY_PASTE_ERROR)
/suricatta/server_hawkbit.c: 960 in server_handle_initial_state()


________________________________________________________________________________________________________
*** CID 498861: Incorrect expression (COPY_PASTE_ERROR)
/suricatta/server_hawkbit.c: 960 in server_handle_initial_state()
954 swupdate_vars_set("action_id", NULL, NULL);
955
956 /* NOTE (Re-)setting STATE_KEY=STATE_OK == '0' instead of deleting it
957 * as it may be required for the switchback/recovery U-Boot logics.
958 */
959 if ((result = save_state(STATE_OK)) != SERVER_OK) {
>>> CID 498861: Incorrect expression (COPY_PASTE_ERROR)
>>> "DEBUGLEVEL" looks like a copy-paste error.
960 ERROR("Error while resetting update state on persistent "
961 "storage.\n");
962 return result;
963 }
964 return SERVER_OK;
965 }

** CID 498860: Incorrect expression (COPY_PASTE_ERROR)
/suricatta/server_hawkbit.c: 1475 in server_install_update()


________________________________________________________________________________________________________
*** CID 498860: Incorrect expression (COPY_PASTE_ERROR)
/suricatta/server_hawkbit.c: 1475 in server_install_update()
1469 (void)server_send_cancel_reply(server_hawkbit.channel, action_id);
1470 /* Inform the installer that a CANCEL was received */
1471 } else {
1472 /* TODO handle partial installations and rollback if
1473 * more than one artifact is available on hawkBit.
1474 */
>>> CID 498860: Incorrect expression (COPY_PASTE_ERROR)
>>> "DEBUGLEVEL" looks like a copy-paste error.
1475 ERROR("Error processing update chunk named '%s', "
1476 "version %s, part %s\n",
1477 json_object_get_string(json_data_chunk_name),
1478 json_object_get_string(json_data_chunk_version),
1479 json_object_get_string(json_data_chunk_part));
1480 (void)server_send_deployment_reply(

** CID 498859: Insecure data handling (TAINTED_SCALAR)
/handlers/delta_downloader.c: 200 in start_delta_downloader()


________________________________________________________________________________________________________
*** CID 498859: Insecure data handling (TAINTED_SCALAR)
/handlers/delta_downloader.c: 200 in start_delta_downloader()
194 channel_data.url = req->data;
195 channel_data.noipc = true;
196 channel_data.method = CHANNEL_GET;
197 channel_data.content_type = "*";
198 channel_data.headers = delta_callback_headers;
199 channel_data.dwlwrdata = wrdata_callback;
>>> CID 498859: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "req->urllen + 1UL" as an index into an array "req->data".
200 channel_data.range = &req->data[req->urllen + 1];
201 channel_data.user = &priv;
202
203 swupdate_cfg_handle handle;
204 swupdate_cfg_init(&handle);
205

** CID 498858: Control flow issues (UNREACHABLE)
/handlers/delta_downloader.c: 229 in start_delta_downloader()


________________________________________________________________________________________________________
*** CID 498858: Control flow issues (UNREACHABLE)
/handlers/delta_downloader.c: 229 in start_delta_downloader()
223 ERROR("Answer cannot be sent back, maybe deadlock !!");
224 }
225
226 (void)channel->close(channel);
227 }
228
>>> CID 498858: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "exit(0);".
229 exit (EXIT_SUCCESS);

** CID 498857: Control flow issues (UNREACHABLE)
/core/stream_interface.c: 774 in network_initializer()


________________________________________________________________________________________________________
*** CID 498857: Control flow issues (UNREACHABLE)
/core/stream_interface.c: 774 in network_initializer()
768 ipc_send_cmd(&msg);
769 }
770
771
772 }
773
>>> CID 498857: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "pthread_exit(NULL);".
774 pthread_exit((void *)0);
775 }
776
777 /*
778 * Accessors to get information about an update, they are the interface
779 * to the "inst" structure.


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu65nXIJrHp2jR3J4yh8NEbAPMkKtgYZif-2BEFd6Nb3kFPG5nbPv-2Fhl8Nd0gx6B1H-2F8E-3DvD7v_PTDf-2Bg-2BDIlrKzonRGeH9EpBIbsdgRp0-2B4Xvala695-2BOKRPR12MgrC4GJrlbX8KOiry6nlUgWxFk7qMVs0h1NyVtfgTZ4XlktH5298BwNTBwMDMBDv432Oa-2Fr4VJhk7wrxpAHzByRpU9S00F3uCzjrCLHi9xD583ZslGJx4W-2FhaA-2Fb-2Fty5-2FzzYEXbkALU5-2BOIsqnP349J6aBkTvEPdgh0Zw-3D-3D
