New Defects reported by Coverity Scan for Zephyr


Nashif, Anas
 



Regards,
Anas Nashif 

Begin forwarded message:

From: <scan-admin@...>
Date: October 26, 2017 at 14:29:08 GMT+2
To: <anas.nashif@...>
Subject: New Defects reported by Coverity Scan for Zephyr


Hi,

Please find the latest report on new defect(s) introduced to Zephyr found with Coverity Scan.

17 new defect(s) introduced to Zephyr found with Coverity Scan.
6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 17 of 17 defect(s)


** CID 178249:  Parse warnings  (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 44 in ()


________________________________________________________________________________________________________
*** CID 178249:  Parse warnings  (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 44 in ()
38         &app0_parts0,
39         &app0_parts1
40     };
41     
42     K_MEM_PARTITION_DEFINE(app1_parts0, app1_buf, sizeof(app1_buf),
43                    K_MEM_PARTITION_P_RW_U_RW);
   CID 178249:  Parse warnings  (PARSE_ERROR)
   expression must be an integral constant expression
44     K_MEM_PARTITION_DEFINE(app1_parts1, app0_buf, sizeof(app0_buf),
45                    K_MEM_PARTITION_P_RW_U_RO);
46     
47     struct k_mem_partition *app1_parts[] = {
48         &app1_parts0,
49         &app1_parts1

** CID 178248:  Null pointer dereferences  (REVERSE_INULL)
/subsys/net/lib/coap/coap.c: 1233 in coap_packet_get_payload()


________________________________________________________________________________________________________
*** CID 178248:  Null pointer dereferences  (REVERSE_INULL)
/subsys/net/lib/coap/coap.c: 1233 in coap_packet_get_payload()
1227         u16_t coap_pkt_len;
1228     
1229         frag = NULL;
1230         *offset = 0xffff;
1231         *len = 0;
1232     
   CID 178248:  Null pointer dereferences  (REVERSE_INULL)
   Null-checking "offset" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1233         if (!cpkt || !cpkt->pkt || !offset || !len) {
1234             return NULL;
1235         }
1236     
1237         coap_pkt_len = get_coap_packet_len(cpkt->pkt);
1238     

** CID 178247:  Error handling issues  (CHECKED_RETURN)
/subsys/net/lib/sockets/sockets.c: 111 in zsock_accepted_cb()


________________________________________________________________________________________________________
*** CID 178247:  Error handling issues  (CHECKED_RETURN)
/subsys/net/lib/sockets/sockets.c: 111 in zsock_accepted_cb()
105     
106     static void zsock_accepted_cb(struct net_context *new_ctx,
107                       struct sockaddr *addr, socklen_t addrlen,
108                       int status, void *user_data) {
109         struct net_context *parent = user_data;
110     
   CID 178247:  Error handling issues  (CHECKED_RETURN)
   Calling "net_context_recv" without checking return value (as is done elsewhere 21 out of 26 times).
111         net_context_recv(new_ctx, zsock_received_cb, K_NO_WAIT, NULL);
112         k_fifo_init(&new_ctx->recv_q);
113     
114         NET_DBG("parent=%p, ctx=%p, st=%d", parent, new_ctx, status);
115     
116         k_fifo_put(&parent->accept_q, new_ctx);

** CID 178246:  Error handling issues  (CHECKED_RETURN)
/subsys/net/lib/app/client.c: 479 in _app_connected()


________________________________________________________________________________________________________
*** CID 178246:  Error handling issues  (CHECKED_RETURN)
/subsys/net/lib/app/client.c: 479 in _app_connected()
473     #if defined(CONFIG_NET_APP_TLS) || defined(CONFIG_NET_APP_DTLS)
474         if (ctx->is_tls) {
475             k_sem_give(&ctx->client.connect_wait);
476         }
477     #endif
478     
   CID 178246:  Error handling issues  (CHECKED_RETURN)
   Calling "net_context_recv" without checking return value (as is done elsewhere 21 out of 26 times).
479         net_context_recv(net_ctx, ctx->recv_cb, K_NO_WAIT, ctx);
480     
481     #if defined(CONFIG_NET_APP_TLS) || defined(CONFIG_NET_APP_DTLS)
482         if (ctx->is_tls) {
483             /* If we have TLS connection, the connect cb is called
484              * after TLS handshakes are done.

** CID 178245:  Parse warnings  (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 42 in ()


________________________________________________________________________________________________________
*** CID 178245:  Parse warnings  (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 42 in ()
36     
37     struct k_mem_partition *app0_parts[] = {
38         &app0_parts0,
39         &app0_parts1
40     };
41     
   CID 178245:  Parse warnings  (PARSE_ERROR)
   expression must be an integral constant expression
42     K_MEM_PARTITION_DEFINE(app1_parts0, app1_buf, sizeof(app1_buf),
43                    K_MEM_PARTITION_P_RW_U_RW);
44     K_MEM_PARTITION_DEFINE(app1_parts1, app0_buf, sizeof(app0_buf),
45                    K_MEM_PARTITION_P_RW_U_RO);
46     
47     struct k_mem_partition *app1_parts[] = {

** CID 178244:  Error handling issues  (CHECKED_RETURN)
/subsys/net/lib/http/http_server.c: 800 in accept_cb()


________________________________________________________________________________________________________
*** CID 178244:  Error handling issues  (CHECKED_RETURN)
/subsys/net/lib/http/http_server.c: 800 in accept_cb()
794         }
795     
796         http_ctx->req.net_ctx = net_ctx;
797     
798         new_client(http_ctx, net_ctx, addr);
799     
   CID 178244:  Error handling issues  (CHECKED_RETURN)
   Calling "net_context_recv" without checking return value (as is done elsewhere 21 out of 26 times).
800         net_context_recv(net_ctx, http_ctx->recv_cb, K_NO_WAIT, http_ctx);
801     }
802     
803     static int set_net_ctx(struct http_server_ctx *http_ctx,
804                    struct net_context *ctx,
805                    struct sockaddr *addr,

** CID 178243:  Error handling issues  (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 88 in eth_enc28j60_read_reg()


________________________________________________________________________________________________________
*** CID 178243:  Error handling issues  (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 88 in eth_enc28j60_read_reg()
82             tx_size = 3;
83         }
84     
85         tx_buf[0] = ENC28J60_SPI_RCR | (reg_addr & 0xFF);
86         tx_buf[1] = 0x0;
87     
   CID 178243:  Error handling issues  (CHECKED_RETURN)
   Calling "spi_transceive" without checking return value (as is done elsewhere 20 out of 25 times).
88         spi_transceive(context->spi, tx_buf, tx_size, tx_buf, tx_size);
89     
90         *value = tx_buf[tx_size - 1];
91     
92         k_sem_give(&context->spi_sem);
93     }

** CID 178242:  Parse warnings  (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 34 in ()


________________________________________________________________________________________________________
*** CID 178242:  Parse warnings  (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 34 in ()
28     /* the start address of the MPU region needs to align with its size */
29     u8_t __aligned(32) app0_buf[32];
30     u8_t __aligned(32) app1_buf[32];
31     
32     K_MEM_PARTITION_DEFINE(app0_parts0, app0_buf, sizeof(app0_buf),
33                    K_MEM_PARTITION_P_RW_U_RW);
   CID 178242:  Parse warnings  (PARSE_ERROR)
   expression must be an integral constant expression
34     K_MEM_PARTITION_DEFINE(app0_parts1, app1_buf, sizeof(app1_buf),
35                    K_MEM_PARTITION_P_RW_U_RO);
36     
37     struct k_mem_partition *app0_parts[] = {
38         &app0_parts0,
39         &app0_parts1

** CID 178241:    (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 174 in eth_enc28j60_read_mem()
/drivers/ethernet/eth_enc28j60.c: 185 in eth_enc28j60_read_mem()


________________________________________________________________________________________________________
*** CID 178241:    (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 174 in eth_enc28j60_read_mem()
168     
169         k_sem_take(&context->spi_sem, K_FOREVER);
170     
171         for (int i = 0; i < num_segments;
172              ++i, data_buffer += MAX_BUFFER_LENGTH) {
173             context->mem_buf[0] = ENC28J60_SPI_RBM;
   CID 178241:    (CHECKED_RETURN)
   Calling "spi_transceive" without checking return value (as is done elsewhere 20 out of 25 times).
174             spi_transceive(context->spi,
175                        context->mem_buf, MAX_BUFFER_LENGTH + 1,
176                        context->mem_buf, MAX_BUFFER_LENGTH + 1);
177             if (data_buffer) {
178                 memcpy(data_buffer, context->mem_buf + 1,
179                        MAX_BUFFER_LENGTH);
/drivers/ethernet/eth_enc28j60.c: 185 in eth_enc28j60_read_mem()
179                        MAX_BUFFER_LENGTH);
180             }
181         }
182     
183         if (num_remaining > 0) {
184             context->mem_buf[0] = ENC28J60_SPI_RBM;
   CID 178241:    (CHECKED_RETURN)
   Calling "spi_transceive" without checking return value (as is done elsewhere 20 out of 25 times).
185             spi_transceive(context->spi,
186                        context->mem_buf, num_remaining + 1,
187                        context->mem_buf, num_remaining + 1);
188             if (data_buffer) {
189                 memcpy(data_buffer, context->mem_buf + 1,
190                        num_remaining);

** CID 178240:  Error handling issues  (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 46 in eth_enc28j60_set_bank()


________________________________________________________________________________________________________
*** CID 178240:  Error handling issues  (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 46 in eth_enc28j60_set_bank()
40     
41         k_sem_take(&context->spi_sem, K_FOREVER);
42     
43         tx_buf[0] = ENC28J60_SPI_RCR | ENC28J60_REG_ECON1;
44         tx_buf[1] = 0x0;
45     
   CID 178240:  Error handling issues  (CHECKED_RETURN)
   Calling "spi_transceive" without checking return value (as is done elsewhere 20 out of 25 times).
46         spi_transceive(context->spi, tx_buf, 2, tx_buf, 2);
47     
48         tx_buf[0] = ENC28J60_SPI_WCR | ENC28J60_REG_ECON1;
49         tx_buf[1] = (tx_buf[1] & 0xFC) | ((reg_addr >> 8) & 0x0F);
50     
51         spi_write(context->spi, tx_buf, 2);

** CID 178239:    (FORWARD_NULL)
/tests/net/app/src/main.c: 192 in iface_setup()
/tests/net/app/src/main.c: 202 in iface_setup()


________________________________________________________________________________________________________
*** CID 178239:    (FORWARD_NULL)
/tests/net/app/src/main.c: 192 in iface_setup()
186             DBG("Cannot add IPv6 address %s\n",
187                    net_sprint_ipv6_addr(&my_addr1));
188             zassert_not_null(ifaddr, "addr1");
189         }
190     
191         /* For testing purposes we need to set the adddresses preferred */
   CID 178239:    (FORWARD_NULL)
   Dereferencing null pointer "ifaddr".
192         ifaddr->addr_state = NET_ADDR_PREFERRED;
193     
194         ifaddr = net_if_ipv6_addr_add(iface1, &ll_addr,
195                           NET_ADDR_MANUAL, 0);
196         if (!ifaddr) {
197             DBG("Cannot add IPv6 address %s\n",
/tests/net/app/src/main.c: 202 in iface_setup()
196         if (!ifaddr) {
197             DBG("Cannot add IPv6 address %s\n",
198                    net_sprint_ipv6_addr(&ll_addr));
199             zassert_not_null(ifaddr, "ll_addr");
200         }
201     
   CID 178239:    (FORWARD_NULL)
   Dereferencing null pointer "ifaddr".
202         ifaddr->addr_state = NET_ADDR_PREFERRED;
203     
204         net_ipv6_addr_create(&in6addr_mcast, 0xff02, 0, 0, 0, 0, 0, 0, 0x0001);
205     
206         maddr = net_if_ipv6_maddr_add(iface1, &in6addr_mcast);
207         if (!maddr) {

** CID 178238:  Parse warnings  (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 32 in ()


________________________________________________________________________________________________________
*** CID 178238:  Parse warnings  (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 32 in ()
26     struct k_mem_domain app_domain[2];
27     
28     /* the start address of the MPU region needs to align with its size */
29     u8_t __aligned(32) app0_buf[32];
30     u8_t __aligned(32) app1_buf[32];
31     
   CID 178238:  Parse warnings  (PARSE_ERROR)
   expression must be an integral constant expression
32     K_MEM_PARTITION_DEFINE(app0_parts0, app0_buf, sizeof(app0_buf),
33                    K_MEM_PARTITION_P_RW_U_RW);
34     K_MEM_PARTITION_DEFINE(app0_parts1, app1_buf, sizeof(app1_buf),
35                    K_MEM_PARTITION_P_RW_U_RO);
36     
37     struct k_mem_partition *app0_parts[] = {

** CID 178237:  Memory - corruptions  (OVERRUN)
/drivers/ieee802154/ieee802154_mcr20a.c: 218 in _mcr20a_write_burst()


________________________________________________________________________________________________________
*** CID 178237:  Memory - corruptions  (OVERRUN)
/drivers/ieee802154/ieee802154_mcr20a.c: 218 in _mcr20a_write_burst()
212             spi->cmd_buf[0] = MCR20A_REG_WRITE | addr;
213             memcpy(&spi->cmd_buf[1], data_buf, len);
214             len += 1;
215         } else {
216             spi->cmd_buf[0] = MCR20A_IAR_INDEX | MCR20A_REG_WRITE;
217             spi->cmd_buf[1] = addr | MCR20A_REG_WRITE;
   CID 178237:  Memory - corruptions  (OVERRUN)
   Overrunning buffer pointed to by "&spi->cmd_buf[2]" of 12 bytes by passing it to a function which accesses it at byte offset 12 using argument "len" (which evaluates to 11). [Note: The source code implementation of the function has been overridden by a builtin model.]
218             memcpy(&spi->cmd_buf[2], data_buf, len);
219             len += 2;
220         }
221     
222         spi_slave_select(spi->dev, spi->slave);
223         retval = (spi_write(spi->dev, spi->cmd_buf, len) == 0);

** CID 178236:  Memory - corruptions  (OVERRUN)
/drivers/ieee802154/ieee802154_mcr20a.c: 260 in _mcr20a_read_burst()


________________________________________________________________________________________________________
*** CID 178236:  Memory - corruptions  (OVERRUN)
/drivers/ieee802154/ieee802154_mcr20a.c: 260 in _mcr20a_read_burst()
254             return 0;
255         }
256     
257         if (dreg) {
258             memcpy(data_buf, &spi->cmd_buf[1], len - 1);
259         } else {
   CID 178236:  Memory - corruptions  (OVERRUN)
   Overrunning buffer pointed to by "&spi->cmd_buf[2]" of 12 bytes by passing it to a function which accesses it at byte offset 12 using argument "len - 2" (which evaluates to 11). [Note: The source code implementation of the function has been overridden by a builtin model.]
260             memcpy(data_buf, &spi->cmd_buf[2], len - 2);
261         }
262     
263         k_sem_give(&spi->spi_sem);
264     
265         return 1;

** CID 178235:  Null pointer dereferences  (REVERSE_INULL)
/subsys/net/lib/dns/mdns_responder.c: 241 in send_response()


________________________________________________________________________________________________________
*** CID 178235:  Null pointer dereferences  (REVERSE_INULL)
/subsys/net/lib/dns/mdns_responder.c: 241 in send_response()
235     
236         } else {
237             /* TODO: support also service PTRs */
238             return -EINVAL;
239         }
240     
   CID 178235:  Null pointer dereferences  (REVERSE_INULL)
   Null-checking "reply" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
241         if (!reply) {
242             return -ENOMEM;
243         }
244     
245         ret = net_context_sendto(reply, &dst, dst_len, NULL, K_NO_WAIT,
246                      NULL, NULL);

** CID 178234:  Null pointer dereferences  (REVERSE_INULL)
/subsys/net/lib/coap/coap.c: 1233 in coap_packet_get_payload()


________________________________________________________________________________________________________
*** CID 178234:  Null pointer dereferences  (REVERSE_INULL)
/subsys/net/lib/coap/coap.c: 1233 in coap_packet_get_payload()
1227         u16_t coap_pkt_len;
1228     
1229         frag = NULL;
1230         *offset = 0xffff;
1231         *len = 0;
1232     
   CID 178234:  Null pointer dereferences  (REVERSE_INULL)
   Null-checking "len" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1233         if (!cpkt || !cpkt->pkt || !offset || !len) {
1234             return NULL;
1235         }
1236     
1237         coap_pkt_len = get_coap_packet_len(cpkt->pkt);
1238     

** CID 178233:  Null pointer dereferences  (REVERSE_INULL)
/samples/net/echo_client/src/tcp.c: 194 in compare_tcp_data()


________________________________________________________________________________________________________
*** CID 178233:  Null pointer dereferences  (REVERSE_INULL)
/samples/net/echo_client/src/tcp.c: 194 in compare_tcp_data()
188          * length is directly the fragment len.
189          */
190         len = frag->len - (ptr - frag->data);
191     
192         start = lorem_ipsum + received_len;
193     
   CID 178233:  Null pointer dereferences  (REVERSE_INULL)
   Null-checking "frag" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
194         while (frag) {
195             if (memcmp(ptr, start + pos, len)) {
196                 NET_DBG("Invalid data received");
197                 return false;
198             }
199     


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbO5jMuM3qcdgkQ-2B8GeSLDbY-2BGxhHXRVXXhN9J-2FGl-2FrBg-3D-3D_qb0Uj4AheYo18oR3ufs7U2EqDpE-2BCuzW5lXxy9dw9-2BCYGJAjGVBvdMSEIXid9MGVLnYaCxQWNCEO6x0llsKktGNllYqBFTSj2s3BUW8QUrdvl233u8LuFGWpOgSu2rc-2BvqdYiOVm0hPLHncFd4V-2F9JHMSM1BZTFpzNZeXoef3wWEMVzKSvGT6UGq3Ro61uQfOZk28XrY3pDBluqFe6LAeaHu5vYnVkhOARe-2BxPHSkKM-3D

To manage Coverity Scan email notifications for "anas.nashif@...", click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-2FA8y06Nq4QuJ4n4mXbeIpNhS8BGwxNLHj-2BTxeFwdI3SDDdsncH-2Bz9xw1m0wMt3vy-2F0hadYzJBea4I9eUVx23T6CU82-2BIxqn54S4Kugeb6uiTfRhIn290-3D_qb0Uj4AheYo18oR3ufs7U2EqDpE-2BCuzW5lXxy9dw9-2BCYGJAjGVBvdMSEIXid9MGVJ6piO1tzXPVgJVeRiqIumtvn4xp-2FsSSqAXdL4A3zXUPunFRRDa8MYZonXqSTke1mxlt6PHAxaGm6uFhYWiI7GnJ2TrKZIQU-2Bd3wMUQD-2FpCWVJwmYlOLvhtcJ2f-2BhdG03bLQdH57Of3UzdhGrU-2B4hZzPeOMladuanpRCD-2FHbkM-2Bs-3D

Join devel@lists.zephyrproject.org to automatically receive all group messages.