Hi,
Please find the latest report on new defect(s) introduced to Zephyr found with Coverity Scan.
17 new defect(s) introduced to Zephyr found with Coverity Scan.
6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 17 of 17 defect(s)
** CID 178249: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 44 in ()
________________________________________________________________________________________________________
*** CID 178249: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 44 in ()
38 &app0_parts0,
39 &app0_parts1
40 };
41
42 K_MEM_PARTITION_DEFINE(app1_parts0, app1_buf, sizeof(app1_buf),
43 K_MEM_PARTITION_P_RW_U_RW);
CID 178249: Parse warnings (PARSE_ERROR)
expression must be an integral constant expression
44 K_MEM_PARTITION_DEFINE(app1_parts1, app0_buf, sizeof(app0_buf),
45 K_MEM_PARTITION_P_RW_U_RO);
46
47 struct k_mem_partition *app1_parts[] = {
48 &app1_parts0,
49 &app1_parts1
** CID 178248: Null pointer dereferences (REVERSE_INULL)
/subsys/net/lib/coap/coap.c: 1233 in coap_packet_get_payload()
________________________________________________________________________________________________________
*** CID 178248: Null pointer dereferences (REVERSE_INULL)
/subsys/net/lib/coap/coap.c: 1233 in coap_packet_get_payload()
1227 u16_t coap_pkt_len;
1228
1229 frag = NULL;
1230 *offset = 0xffff;
1231 *len = 0;
1232
CID 178248: Null pointer dereferences (REVERSE_INULL)
Null-checking "offset" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1233 if (!cpkt || !cpkt->pkt || !offset || !len) {
1234 return NULL;
1235 }
1236
1237 coap_pkt_len = get_coap_packet_len(cpkt->pkt);
1238
** CID 178247: Error handling issues (CHECKED_RETURN)
/subsys/net/lib/sockets/sockets.c: 111 in zsock_accepted_cb()
________________________________________________________________________________________________________
*** CID 178247: Error handling issues (CHECKED_RETURN)
/subsys/net/lib/sockets/sockets.c: 111 in zsock_accepted_cb()
105
106 static void zsock_accepted_cb(struct net_context *new_ctx,
107 struct sockaddr *addr, socklen_t addrlen,
108 int status, void *user_data) {
109 struct net_context *parent = user_data;
110
CID 178247: Error handling issues (CHECKED_RETURN)
Calling "net_context_recv" without checking return value (as is done elsewhere 21 out of 26 times).
111 net_context_recv(new_ctx, zsock_received_cb, K_NO_WAIT, NULL);
112 k_fifo_init(&new_ctx->recv_q);
113
114 NET_DBG("parent=%p, ctx=%p, st=%d", parent, new_ctx, status);
115
116 k_fifo_put(&parent->accept_q, new_ctx);
** CID 178246: Error handling issues (CHECKED_RETURN)
/subsys/net/lib/app/client.c: 479 in _app_connected()
________________________________________________________________________________________________________
*** CID 178246: Error handling issues (CHECKED_RETURN)
/subsys/net/lib/app/client.c: 479 in _app_connected()
473 #if defined(CONFIG_NET_APP_TLS) || defined(CONFIG_NET_APP_DTLS)
474 if (ctx->is_tls) {
475 k_sem_give(&ctx->client.connect_wait);
476 }
477 #endif
478
CID 178246: Error handling issues (CHECKED_RETURN)
Calling "net_context_recv" without checking return value (as is done elsewhere 21 out of 26 times).
479 net_context_recv(net_ctx, ctx->recv_cb, K_NO_WAIT, ctx);
480
481 #if defined(CONFIG_NET_APP_TLS) || defined(CONFIG_NET_APP_DTLS)
482 if (ctx->is_tls) {
483 /* If we have TLS connection, the connect cb is called
484 * after TLS handshakes are done.
** CID 178245: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 42 in ()
________________________________________________________________________________________________________
*** CID 178245: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 42 in ()
36
37 struct k_mem_partition *app0_parts[] = {
38 &app0_parts0,
39 &app0_parts1
40 };
41
CID 178245: Parse warnings (PARSE_ERROR)
expression must be an integral constant expression
42 K_MEM_PARTITION_DEFINE(app1_parts0, app1_buf, sizeof(app1_buf),
43 K_MEM_PARTITION_P_RW_U_RW);
44 K_MEM_PARTITION_DEFINE(app1_parts1, app0_buf, sizeof(app0_buf),
45 K_MEM_PARTITION_P_RW_U_RO);
46
47 struct k_mem_partition *app1_parts[] = {
** CID 178244: Error handling issues (CHECKED_RETURN)
/subsys/net/lib/http/http_server.c: 800 in accept_cb()
________________________________________________________________________________________________________
*** CID 178244: Error handling issues (CHECKED_RETURN)
/subsys/net/lib/http/http_server.c: 800 in accept_cb()
794 }
795
796 http_ctx->req.net_ctx = net_ctx;
797
798 new_client(http_ctx, net_ctx, addr);
799
CID 178244: Error handling issues (CHECKED_RETURN)
Calling "net_context_recv" without checking return value (as is done elsewhere 21 out of 26 times).
800 net_context_recv(net_ctx, http_ctx->recv_cb, K_NO_WAIT, http_ctx);
801 }
802
803 static int set_net_ctx(struct http_server_ctx *http_ctx,
804 struct net_context *ctx,
805 struct sockaddr *addr,
** CID 178243: Error handling issues (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 88 in eth_enc28j60_read_reg()
________________________________________________________________________________________________________
*** CID 178243: Error handling issues (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 88 in eth_enc28j60_read_reg()
82 tx_size = 3;
83 }
84
85 tx_buf[0] = ENC28J60_SPI_RCR | (reg_addr & 0xFF);
86 tx_buf[1] = 0x0;
87
CID 178243: Error handling issues (CHECKED_RETURN)
Calling "spi_transceive" without checking return value (as is done elsewhere 20 out of 25 times).
88 spi_transceive(context->spi, tx_buf, tx_size, tx_buf, tx_size);
89
90 *value = tx_buf[tx_size - 1];
91
92 k_sem_give(&context->spi_sem);
93 }
** CID 178242: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 34 in ()
________________________________________________________________________________________________________
*** CID 178242: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 34 in ()
28 /* the start address of the MPU region needs to align with its size */
29 u8_t __aligned(32) app0_buf[32];
30 u8_t __aligned(32) app1_buf[32];
31
32 K_MEM_PARTITION_DEFINE(app0_parts0, app0_buf, sizeof(app0_buf),
33 K_MEM_PARTITION_P_RW_U_RW);
CID 178242: Parse warnings (PARSE_ERROR)
expression must be an integral constant expression
34 K_MEM_PARTITION_DEFINE(app0_parts1, app1_buf, sizeof(app1_buf),
35 K_MEM_PARTITION_P_RW_U_RO);
36
37 struct k_mem_partition *app0_parts[] = {
38 &app0_parts0,
39 &app0_parts1
** CID 178241: (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 174 in eth_enc28j60_read_mem()
/drivers/ethernet/eth_enc28j60.c: 185 in eth_enc28j60_read_mem()
________________________________________________________________________________________________________
*** CID 178241: (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 174 in eth_enc28j60_read_mem()
168
169 k_sem_take(&context->spi_sem, K_FOREVER);
170
171 for (int i = 0; i < num_segments;
172 ++i, data_buffer += MAX_BUFFER_LENGTH) {
173 context->mem_buf[0] = ENC28J60_SPI_RBM;
CID 178241: (CHECKED_RETURN)
Calling "spi_transceive" without checking return value (as is done elsewhere 20 out of 25 times).
174 spi_transceive(context->spi,
175 context->mem_buf, MAX_BUFFER_LENGTH + 1,
176 context->mem_buf, MAX_BUFFER_LENGTH + 1);
177 if (data_buffer) {
178 memcpy(data_buffer, context->mem_buf + 1,
179 MAX_BUFFER_LENGTH);
/drivers/ethernet/eth_enc28j60.c: 185 in eth_enc28j60_read_mem()
179 MAX_BUFFER_LENGTH);
180 }
181 }
182
183 if (num_remaining > 0) {
184 context->mem_buf[0] = ENC28J60_SPI_RBM;
CID 178241: (CHECKED_RETURN)
Calling "spi_transceive" without checking return value (as is done elsewhere 20 out of 25 times).
185 spi_transceive(context->spi,
186 context->mem_buf, num_remaining + 1,
187 context->mem_buf, num_remaining + 1);
188 if (data_buffer) {
189 memcpy(data_buffer, context->mem_buf + 1,
190 num_remaining);
** CID 178240: Error handling issues (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 46 in eth_enc28j60_set_bank()
________________________________________________________________________________________________________
*** CID 178240: Error handling issues (CHECKED_RETURN)
/drivers/ethernet/eth_enc28j60.c: 46 in eth_enc28j60_set_bank()
40
41 k_sem_take(&context->spi_sem, K_FOREVER);
42
43 tx_buf[0] = ENC28J60_SPI_RCR | ENC28J60_REG_ECON1;
44 tx_buf[1] = 0x0;
45
CID 178240: Error handling issues (CHECKED_RETURN)
Calling "spi_transceive" without checking return value (as is done elsewhere 20 out of 25 times).
46 spi_transceive(context->spi, tx_buf, 2, tx_buf, 2);
47
48 tx_buf[0] = ENC28J60_SPI_WCR | ENC28J60_REG_ECON1;
49 tx_buf[1] = (tx_buf[1] & 0xFC) | ((reg_addr >> 8) & 0x0F);
50
51 spi_write(context->spi, tx_buf, 2);
** CID 178239: (FORWARD_NULL)
/tests/net/app/src/main.c: 192 in iface_setup()
/tests/net/app/src/main.c: 202 in iface_setup()
________________________________________________________________________________________________________
*** CID 178239: (FORWARD_NULL)
/tests/net/app/src/main.c: 192 in iface_setup()
186 DBG("Cannot add IPv6 address %s\n",
187 net_sprint_ipv6_addr(&my_addr1));
188 zassert_not_null(ifaddr, "addr1");
189 }
190
191 /* For testing purposes we need to set the adddresses preferred */
CID 178239: (FORWARD_NULL)
Dereferencing null pointer "ifaddr".
192 ifaddr->addr_state = NET_ADDR_PREFERRED;
193
194 ifaddr = net_if_ipv6_addr_add(iface1, &ll_addr,
195 NET_ADDR_MANUAL, 0);
196 if (!ifaddr) {
197 DBG("Cannot add IPv6 address %s\n",
/tests/net/app/src/main.c: 202 in iface_setup()
196 if (!ifaddr) {
197 DBG("Cannot add IPv6 address %s\n",
198 net_sprint_ipv6_addr(&ll_addr));
199 zassert_not_null(ifaddr, "ll_addr");
200 }
201
CID 178239: (FORWARD_NULL)
Dereferencing null pointer "ifaddr".
202 ifaddr->addr_state = NET_ADDR_PREFERRED;
203
204 net_ipv6_addr_create(&in6addr_mcast, 0xff02, 0, 0, 0, 0, 0, 0, 0x0001);
205
206 maddr = net_if_ipv6_maddr_add(iface1, &in6addr_mcast);
207 if (!maddr) {
** CID 178238: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 32 in ()
________________________________________________________________________________________________________
*** CID 178238: Parse warnings (PARSE_ERROR)
/samples/mpu/mem_domain_apis_test/src/main.c: 32 in ()
26 struct k_mem_domain app_domain[2];
27
28 /* the start address of the MPU region needs to align with its size */
29 u8_t __aligned(32) app0_buf[32];
30 u8_t __aligned(32) app1_buf[32];
31
CID 178238: Parse warnings (PARSE_ERROR)
expression must be an integral constant expression
32 K_MEM_PARTITION_DEFINE(app0_parts0, app0_buf, sizeof(app0_buf),
33 K_MEM_PARTITION_P_RW_U_RW);
34 K_MEM_PARTITION_DEFINE(app0_parts1, app1_buf, sizeof(app1_buf),
35 K_MEM_PARTITION_P_RW_U_RO);
36
37 struct k_mem_partition *app0_parts[] = {
** CID 178237: Memory - corruptions (OVERRUN)
/drivers/ieee802154/ieee802154_mcr20a.c: 218 in _mcr20a_write_burst()
________________________________________________________________________________________________________
*** CID 178237: Memory - corruptions (OVERRUN)
/drivers/ieee802154/ieee802154_mcr20a.c: 218 in _mcr20a_write_burst()
212 spi->cmd_buf[0] = MCR20A_REG_WRITE | addr;
213 memcpy(&spi->cmd_buf[1], data_buf, len);
214 len += 1;
215 } else {
216 spi->cmd_buf[0] = MCR20A_IAR_INDEX | MCR20A_REG_WRITE;
217 spi->cmd_buf[1] = addr | MCR20A_REG_WRITE;
CID 178237: Memory - corruptions (OVERRUN)
Overrunning buffer pointed to by "&spi->cmd_buf[2]" of 12 bytes by passing it to a function which accesses it at byte offset 12 using argument "len" (which evaluates to 11). [Note: The source code implementation of the function has been overridden by a builtin model.]
218 memcpy(&spi->cmd_buf[2], data_buf, len);
219 len += 2;
220 }
221
222 spi_slave_select(spi->dev, spi->slave);
223 retval = (spi_write(spi->dev, spi->cmd_buf, len) == 0);
** CID 178236: Memory - corruptions (OVERRUN)
/drivers/ieee802154/ieee802154_mcr20a.c: 260 in _mcr20a_read_burst()
________________________________________________________________________________________________________
*** CID 178236: Memory - corruptions (OVERRUN)
/drivers/ieee802154/ieee802154_mcr20a.c: 260 in _mcr20a_read_burst()
254 return 0;
255 }
256
257 if (dreg) {
258 memcpy(data_buf, &spi->cmd_buf[1], len - 1);
259 } else {
CID 178236: Memory - corruptions (OVERRUN)
Overrunning buffer pointed to by "&spi->cmd_buf[2]" of 12 bytes by passing it to a function which accesses it at byte offset 12 using argument "len - 2" (which evaluates to 11). [Note: The source code implementation of the function has been overridden by a builtin model.]
260 memcpy(data_buf, &spi->cmd_buf[2], len - 2);
261 }
262
263 k_sem_give(&spi->spi_sem);
264
265 return 1;
** CID 178235: Null pointer dereferences (REVERSE_INULL)
/subsys/net/lib/dns/mdns_responder.c: 241 in send_response()
________________________________________________________________________________________________________
*** CID 178235: Null pointer dereferences (REVERSE_INULL)
/subsys/net/lib/dns/mdns_responder.c: 241 in send_response()
235
236 } else {
237 /* TODO: support also service PTRs */
238 return -EINVAL;
239 }
240
CID 178235: Null pointer dereferences (REVERSE_INULL)
Null-checking "reply" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
241 if (!reply) {
242 return -ENOMEM;
243 }
244
245 ret = net_context_sendto(reply, &dst, dst_len, NULL, K_NO_WAIT,
246 NULL, NULL);
** CID 178234: Null pointer dereferences (REVERSE_INULL)
/subsys/net/lib/coap/coap.c: 1233 in coap_packet_get_payload()
________________________________________________________________________________________________________
*** CID 178234: Null pointer dereferences (REVERSE_INULL)
/subsys/net/lib/coap/coap.c: 1233 in coap_packet_get_payload()
1227 u16_t coap_pkt_len;
1228
1229 frag = NULL;
1230 *offset = 0xffff;
1231 *len = 0;
1232
CID 178234: Null pointer dereferences (REVERSE_INULL)
Null-checking "len" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1233 if (!cpkt || !cpkt->pkt || !offset || !len) {
1234 return NULL;
1235 }
1236
1237 coap_pkt_len = get_coap_packet_len(cpkt->pkt);
1238
** CID 178233: Null pointer dereferences (REVERSE_INULL)
/samples/net/echo_client/src/tcp.c: 194 in compare_tcp_data()
________________________________________________________________________________________________________
*** CID 178233: Null pointer dereferences (REVERSE_INULL)
/samples/net/echo_client/src/tcp.c: 194 in compare_tcp_data()
188 * length is directly the fragment len.
189 */
190 len = frag->len - (ptr - frag->data);
191
192 start = lorem_ipsum + received_len;
193
CID 178233: Null pointer dereferences (REVERSE_INULL)
Null-checking "frag" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
194 while (frag) {
195 if (memcmp(ptr, start + pos, len)) {
196 NET_DBG("Invalid data received");
197 return false;
198 }
199
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbO5jMuM3qcdgkQ-2B8GeSLDbY-2BGxhHXRVXXhN9J-2FGl-2FrBg-3D-3D_qb0Uj4AheYo18oR3ufs7U2EqDpE-2BCuzW5lXxy9dw9-2BCYGJAjGVBvdMSEIXid9MGVLnYaCxQWNCEO6x0llsKktGNllYqBFTSj2s3BUW8QUrdvl233u8LuFGWpOgSu2rc-2BvqdYiOVm0hPLHncFd4V-2F9JHMSM1BZTFpzNZeXoef3wWEMVzKSvGT6UGq3Ro61uQfOZk28XrY3pDBluqFe6LAeaHu5vYnVkhOARe-2BxPHSkKM-3D