Hi,
Please find below the latest Coverity Scan report on new defect(s) introduced to Zephyr.
17 new defect(s) were found in the most recent build analyzed by Coverity Scan.
6 defect(s) reported by Coverity Scan earlier were marked fixed in that build.
New defect(s) Reported-by: Coverity Scan
Showing 17 of 17 defect(s)
** CID 178249: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 44 in ()
________________________________________________________________________________________________________
*** CID 178249: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 44 in ()
38 &app0_parts0,
39 &app0_parts1
40 };
41
42 K_MEM_PARTITION_DEFINE(app1_parts0, app1_buf, sizeof(app1_buf),
43 K_MEM_PARTITION_P_RW_U_RW);
CID 178249: Parse warnings (PARSE_ERROR)
expression must be an integral constant expression
44 K_MEM_PARTITION_DEFINE(app1_parts1, app0_buf, sizeof(app0_buf),
45 K_MEM_PARTITION_P_RW_U_RO);
46
47 struct k_mem_partition *app1_parts[] = {
48 &app1_parts0,
49 &app1_parts1
** CID 178248: Null pointer dereferences (REVERSE_INULL)
/subsys/net/lib/coap/coap.c: 1233 in coap_packet_get_payload()
________________________________________________________________________________________________________
*** CID 178248: Null pointer dereferences (REVERSE_INULL)
/subsys/net/lib/coap/coap.c: 1233 in coap_packet_get_payload()
1227 u16_t coap_pkt_len;
1228
1229 frag = NULL;
1230 *offset = 0xffff;
1231 *len = 0;
1232
CID 178248: Null pointer dereferences (REVERSE_INULL)
Null-checking "offset" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1233 if (!cpkt || !cpkt->pkt || !offset || !len) {
1234 return NULL;
1235 }
1236
1237 coap_pkt_len = get_coap_packet_len(cpkt->pkt);
1238
** CID 178247: Error handling issues (CHECKED_RETURN)
/subsys/net/lib/sockets/sockets.c: 111 in zsock_accepted_cb()
________________________________________________________________________________________________________
*** CID 178247: Error handling issues (CHECKED_RETURN)
/subsys/net/lib/sockets/sockets.c: 111 in zsock_accepted_cb()
105
106 static void zsock_accepted_cb(struct net_context *new_ctx,
107 struct sockaddr *addr, socklen_t addrlen,
108 int status, void *user_data) {
109 struct net_context *parent = user_data;
110
CID 178247: Error handling issues (CHECKED_RETURN)
Calling "net_context_recv" without checking return value (as is done elsewhere 21 out of 26 times).
111 net_context_recv(new_ctx, zsock_received_cb, K_NO_WAIT, NULL);
112 k_fifo_init(&new_ctx->recv_q);
113
114 NET_DBG("parent=%p, ctx=%p, st=%d", parent, new_ctx, status);
115
116 k_fifo_put(&parent->accept_q, new_ctx);
** CID 178246: Error handling issues (CHECKED_RETURN)
/subsys/net/lib/app/client.c: 479 in _app_connected()
________________________________________________________________________________________________________
*** CID 178246: Error handling issues (CHECKED_RETURN)
/subsys/net/lib/app/client.c: 479 in _app_connected()
473 #if defined(CONFIG_NET_APP_TLS) || defined(CONFIG_NET_APP_DTLS)
474 if (ctx->is_tls) {
475 k_sem_give(&ctx->client.connect_wait);
476 }
477 #endif
478
CID 178246: Error handling issues (CHECKED_RETURN)
Calling "net_context_recv" without checking return value (as is done elsewhere 21 out of 26 times).
479 net_context_recv(net_ctx, ctx->recv_cb, K_NO_WAIT, ctx);
480
481 #if defined(CONFIG_NET_APP_TLS) || defined(CONFIG_NET_APP_DTLS)
482 if (ctx->is_tls) {
483 /* If we have TLS connection, the connect cb is called
484 * after TLS handshakes are done.
** CID 178245: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 42 in ()
________________________________________________________________________________________________________
*** CID 178245: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 42 in ()
36
37 struct k_mem_partition *app0_parts[] = {
38 &app0_parts0,
39 &app0_parts1
40 };
41
CID 178245: Parse warnings (PARSE_ERROR)
expression must be an integral constant expression
42 K_MEM_PARTITION_DEFINE(app1_parts0, app1_buf, sizeof(app1_buf),
43 K_MEM_PARTITION_P_RW_U_RW);
44 K_MEM_PARTITION_DEFINE(app1_parts1, app0_buf, sizeof(app0_buf),
45 K_MEM_PARTITION_P_RW_U_RO);
46
47 struct k_mem_partition *app1_parts[] = {
** CID 178244: Error handling issues (CHECKED_RETURN)
/subsys/net/lib/http/http_server.c: 800 in accept_cb()
________________________________________________________________________________________________________
*** CID 178244: Error handling issues (CHECKED_RETURN)
/subsys/net/lib/http/http_server.c: 800 in accept_cb()
794 }
795
796 http_ctx->req.net_ctx = net_ctx;
797
798 new_client(http_ctx, net_ctx, addr);
799
CID 178244: Error handling issues (CHECKED_RETURN)
Calling "net_context_recv" without checking return value (as is done elsewhere 21 out of 26 times).
800 net_context_recv(net_ctx, http_ctx->recv_cb, K_NO_WAIT, http_ctx);
801 }
802
803 static int set_net_ctx(struct http_server_ctx *http_ctx,
804 struct net_context *ctx,
805 struct sockaddr *addr,
** CID 178243: Error handling issues (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 88 in eth_enc28j60_read_reg()
________________________________________________________________________________________________________
*** CID 178243: Error handling issues (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 88 in eth_enc28j60_read_reg()
82 tx_size = 3;
83 }
84
85 tx_buf[0] = ENC28J60_SPI_RCR | (reg_addr & 0xFF);
86 tx_buf[1] = 0x0;
87
CID 178243: Error handling issues (CHECKED_RETURN)
Calling "spi_transceive" without checking return value (as is done elsewhere 20 out of 25 times).
88 spi_transceive(context->spi, tx_buf, tx_size, tx_buf, tx_size);
89
90 *value = tx_buf[tx_size - 1];
91
92 k_sem_give(&context->spi_sem);
93 }
** CID 178242: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 34 in ()
________________________________________________________________________________________________________
*** CID 178242: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 34 in ()
28 /* the start address of the MPU region needs to align with its size */
29 u8_t __aligned(32) app0_buf[32];
30 u8_t __aligned(32) app1_buf[32];
31
32 K_MEM_PARTITION_DEFINE(app0_parts0, app0_buf, sizeof(app0_buf),
33 K_MEM_PARTITION_P_RW_U_RW);
CID 178242: Parse warnings (PARSE_ERROR)
expression must be an integral constant expression
34 K_MEM_PARTITION_DEFINE(app0_parts1, app1_buf, sizeof(app1_buf),
35 K_MEM_PARTITION_P_RW_U_RO);
36
37 struct k_mem_partition *app0_parts[] = {
38 &app0_parts0,
39 &app0_parts1
** CID 178241: (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 174 in eth_enc28j60_read_mem()
/drivers/ethernet/eth_enc28j60.c: 185 in eth_enc28j60_read_mem()
________________________________________________________________________________________________________
*** CID 178241: (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 174 in eth_enc28j60_read_mem()
168
169 k_sem_take(&context->spi_sem, K_FOREVER);
170
171 for (int i = 0; i < num_segments;
172 ++i, data_buffer += MAX_BUFFER_LENGTH) {
173 context->mem_buf[0] = ENC28J60_SPI_RBM;
CID 178241: (CHECKED_RETURN)
Calling "spi_transceive" without checking return value (as is done elsewhere 20 out of 25 times).
174 spi_transceive(context->spi,
175 context->mem_buf, MAX_BUFFER_LENGTH + 1,
176 context->mem_buf, MAX_BUFFER_LENGTH + 1);
177 if (data_buffer) {
178 memcpy(data_buffer, context->mem_buf + 1,
179 MAX_BUFFER_LENGTH);
/drivers/ethernet/eth_enc28j60.c: 185 in eth_enc28j60_read_mem()
179 MAX_BUFFER_LENGTH);
180 }
181 }
182
183 if (num_remaining > 0) {
184 context->mem_buf[0] = ENC28J60_SPI_RBM;
CID 178241: (CHECKED_RETURN)
Calling "spi_transceive" without checking return value (as is done elsewhere 20 out of 25 times).
185 spi_transceive(context->spi,
186 context->mem_buf, num_remaining + 1,
187 context->mem_buf, num_remaining + 1);
188 if (data_buffer) {
189 memcpy(data_buffer, context->mem_buf + 1,
190 num_remaining);
** CID 178240: Error handling issues (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 46 in eth_enc28j60_set_bank()
________________________________________________________________________________________________________
*** CID 178240: Error handling issues (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 46 in eth_enc28j60_set_bank()
40
41 k_sem_take(&context->spi_sem, K_FOREVER);
42
43 tx_buf[0] = ENC28J60_SPI_RCR | ENC28J60_REG_ECON1;
44 tx_buf[1] = 0x0;
45
CID 178240: Error handling issues (CHECKED_RETURN)
Calling "spi_transceive" without checking return value (as is done elsewhere 20 out of 25 times).
46 spi_transceive(context->spi, tx_buf, 2, tx_buf, 2);
47
48 tx_buf[0] = ENC28J60_SPI_WCR | ENC28J60_REG_ECON1;
49 tx_buf[1] = (tx_buf[1] & 0xFC) | ((reg_addr >> 8) & 0x0F);
50
51 spi_write(context->spi, tx_buf, 2);
** CID 178239: (FORWARD_NULL)
/tests/net/app/src/main.c: 192 in iface_setup()
/tests/net/app/src/main.c: 202 in iface_setup()
________________________________________________________________________________________________________
*** CID 178239: (FORWARD_NULL)
/tests/net/app/src/main.c: 192 in iface_setup()
186 DBG("Cannot add IPv6 address %s\n",
187 net_sprint_ipv6_addr(&my_addr1));
188 zassert_not_null(ifaddr, "addr1");
189 }
190
191 /* For testing purposes we need to set the adddresses preferred */
CID 178239: (FORWARD_NULL)
Dereferencing null pointer "ifaddr".
192 ifaddr->addr_state = NET_ADDR_PREFERRED;
193
194 ifaddr = net_if_ipv6_addr_add(iface1, &ll_addr,
195 NET_ADDR_MANUAL, 0);
196 if (!ifaddr) {
197 DBG("Cannot add IPv6 address %s\n",
/tests/net/app/src/main.c: 202 in iface_setup()
196 if (!ifaddr) {
197 DBG("Cannot add IPv6 address %s\n",
198 net_sprint_ipv6_addr(&ll_addr));
199 zassert_not_null(ifaddr, "ll_addr");
200 }
201
CID 178239: (FORWARD_NULL)
Dereferencing null pointer "ifaddr".
202 ifaddr->addr_state = NET_ADDR_PREFERRED;
203
204 net_ipv6_addr_create(&in6addr_mcast, 0xff02, 0, 0, 0, 0, 0, 0, 0x0001);
205
206 maddr = net_if_ipv6_maddr_add(iface1, &in6addr_mcast);
207 if (!maddr) {
** CID 178238: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 32 in ()
________________________________________________________________________________________________________
*** CID 178238: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 32 in ()
26 struct k_mem_domain app_domain[2];
27
28 /* the start address of the MPU region needs to align with its size */
29 u8_t __aligned(32) app0_buf[32];
30 u8_t __aligned(32) app1_buf[32];
31
CID 178238: Parse warnings (PARSE_ERROR)
expression must be an integral constant expression
32 K_MEM_PARTITION_DEFINE(app0_parts0, app0_buf, sizeof(app0_buf),
33 K_MEM_PARTITION_P_RW_U_RW);
34 K_MEM_PARTITION_DEFINE(app0_parts1, app1_buf, sizeof(app1_buf),
35 K_MEM_PARTITION_P_RW_U_RO);
36
37 struct k_mem_partition *app0_parts[] = {
** CID 178237: Memory - corruptions (OVERRUN)
/drivers/ieee802154/ieee802154_mcr20a.c: 218 in _mcr20a_write_burst()
________________________________________________________________________________________________________
*** CID 178237: Memory - corruptions (OVERRUN)
/drivers/ieee802154/ieee802154_mcr20a.c: 218 in _mcr20a_write_burst()
212 spi->cmd_buf[0] = MCR20A_REG_WRITE | addr;
213 memcpy(&spi->cmd_buf[1], data_buf, len);
214 len += 1;
215 } else {
216 spi->cmd_buf[0] = MCR20A_IAR_INDEX | MCR20A_REG_WRITE;
217 spi->cmd_buf[1] = addr | MCR20A_REG_WRITE;
CID 178237: Memory - corruptions (OVERRUN)
Overrunning buffer pointed to by "&spi->cmd_buf[2]" of 12 bytes by passing it to a function which accesses it at byte offset 12 using argument "len" (which evaluates to 11). [Note: The source code implementation of the function has been overridden by a builtin model.]
218 memcpy(&spi->cmd_buf[2], data_buf, len);
219 len += 2;
220 }
221
222 spi_slave_select(spi->dev, spi->slave);
223 retval = (spi_write(spi->dev, spi->cmd_buf, len) == 0);
** CID 178236: Memory - corruptions (OVERRUN)
/drivers/ieee802154/ieee802154_mcr20a.c: 260 in _mcr20a_read_burst()
________________________________________________________________________________________________________
*** CID 178236: Memory - corruptions (OVERRUN)
/drivers/ieee802154/ieee802154_mcr20a.c: 260 in _mcr20a_read_burst()
254 return 0;
255 }
256
257 if (dreg) {
258 memcpy(data_buf, &spi->cmd_buf[1], len - 1);
259 } else {
CID 178236: Memory - corruptions (OVERRUN)
Overrunning buffer pointed to by "&spi->cmd_buf[2]" of 12 bytes by passing it to a function which accesses it at byte offset 12 using argument "len - 2" (which evaluates to 11). [Note: The source code implementation of the function has been overridden by a builtin model.]
260 memcpy(data_buf, &spi->cmd_buf[2], len - 2);
261 }
262
263 k_sem_give(&spi->spi_sem);
264
265 return 1;
** CID 178235: Null pointer dereferences (REVERSE_INULL)
/subsys/net/lib/dns/mdns_responder.c: 241 in send_response()
________________________________________________________________________________________________________
*** CID 178235: Null pointer dereferences (REVERSE_INULL)
/subsys/net/lib/dns/mdns_responder.c: 241 in send_response()
235
236 } else {
237 /* TODO: support also service PTRs */
238 return -EINVAL;
239 }
240
CID 178235: Null pointer dereferences (REVERSE_INULL)
Null-checking "reply" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
241 if (!reply) {
242 return -ENOMEM;
243 }
244
245 ret = net_context_sendto(reply, &dst, dst_len, NULL, K_NO_WAIT,
246 NULL, NULL);
** CID 178234: Null pointer dereferences (REVERSE_INULL)
/subsys/net/lib/coap/coap.c: 1233 in coap_packet_get_payload()
________________________________________________________________________________________________________
*** CID 178234: Null pointer dereferences (REVERSE_INULL)
/subsys/net/lib/coap/coap.c: 1233 in coap_packet_get_payload()
1227 u16_t coap_pkt_len;
1228
1229 frag = NULL;
1230 *offset = 0xffff;
1231 *len = 0;
1232
CID 178234: Null pointer dereferences (REVERSE_INULL)
Null-checking "len" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1233 if (!cpkt || !cpkt->pkt || !offset || !len) {
1234 return NULL;
1235 }
1236
1237 coap_pkt_len = get_coap_packet_len(cpkt->pkt);
1238
** CID 178233: Null pointer dereferences (REVERSE_INULL)
/samples/net/echo_client/src/tcp.c: 194 in compare_tcp_data()
________________________________________________________________________________________________________
*** CID 178233: Null pointer dereferences (REVERSE_INULL)
/samples/net/echo_client/src/tcp.c: 194 in compare_tcp_data()
188 * length is directly the fragment len.
189 */
190 len = frag->len - (ptr - frag->data);
191
192 start = lorem_ipsum + received_len;
193
CID 178233: Null pointer dereferences (REVERSE_INULL)
Null-checking "frag" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
194 while (frag) {
195 if (memcmp(ptr, start + pos, len)) {
196 NET_DBG("Invalid data received");
197 return false;
198 }
199
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbO5jMuM3qcdgkQ-2B8GeSLDbY-2BGxhHXRVXXhN9J-2FGl-2FrBg-3D-3D_qb0Uj4AheYo18oR3ufs7U2EqDpE-2BCuzW5lXxy9dw9-2BCYGJAjGVBvdMSEIXid9MGVLnYaCxQWNCEO6x0llsKktGNllYqBFTSj2s3BUW8QUrdvl233u8LuFGWpOgSu2rc-2BvqdYiOVm0hPLHncFd4V-2F9JHMSM1BZTFpzNZeXoef3wWEMVzKSvGT6UGq3Ro61uQfOZk28XrY3pDBluqFe6LAeaHu5vYnVkhOARe-2BxPHSkKM-3D
To manage Coverity Scan email notifications for "anas.nashif@...", click
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-2FA8y06Nq4QuJ4n4mXbeIpNhS8BGwxNLHj-2BTxeFwdI3SDDdsncH-2Bz9xw1m0wMt3vy-2F0hadYzJBea4I9eUVx23T6CU82-2BIxqn54S4Kugeb6uiTfRhIn290-3D_qb0Uj4AheYo18oR3ufs7U2EqDpE-2BCuzW5lXxy9dw9-2BCYGJAjGVBvdMSEIXid9MGVJ6piO1tzXPVgJVeRiqIumtvn4xp-2FsSSqAXdL4A3zXUPunFRRDa8MYZonXqSTke1mxlt6PHAxaGm6uFhYWiI7GnJ2TrKZIQU-2Bd3wMUQD-2FpCWVJwmYlOLvhtcJ2f-2BhdG03bLQdH57Of3UzdhGrU-2B4hZzPeOMladuanpRCD-2FHbkM-2Bs-3D