I have just submitted a Coverity scan of the latest OSv scan, and here are some of the findings, with the link to view the full report:

Cheers,
Waldek

PS. Looking to automate the submission through Travis (by following this guide - https://scan.coverity.com/travis_ci), but somehow the "Configure Travis CI" button does not show up. Any ideas would help.

"Please find the latest report on new defect(s) introduced to OSv found with Coverity Scan.

300 new defect(s) introduced to OSv found with Coverity Scan.
213 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 300 defect(s)


** CID 1499387:  Memory - illegal accesses  (UNINIT)
/fs/vfs/vfs_lookup.cc: 351 in lookup()


________________________________________________________________________________________________________
*** CID 1499387:  Memory - illegal accesses  (UNINIT)
/fs/vfs/vfs_lookup.cc: 351 in lookup()
345         /*
346          * Get the vnode for directory
347          */
348         if ((error = namei(dir, &dp)) != 0) {
349             return error;
350         }
>>>     CID 1499387:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "dp".
351         if (dp->d_vnode->v_type != VDIR) {
352             drele(dp);
353             return ENOTDIR;
354         }
355     
356         *dpp = dp;

** CID 1499386:  Memory - illegal accesses  (UNINIT)
/fs/vfs/vfs_syscalls.cc: 907 in sys_link()


________________________________________________________________________________________________________
*** CID 1499386:  Memory - illegal accesses  (UNINIT)
/fs/vfs/vfs_syscalls.cc: 907 in sys_link()
901                                     oldpath, newpath));
902     
903             /* File from oldpath must exist */
904             if ((error = namei(oldpath, &olddp)) != 0)
905                     return error;
906     
>>>     CID 1499386:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "olddp".
907             vp = olddp->d_vnode;
908             vn_lock(vp);
909     
910             if (vp->v_type == VDIR) {
911                     error = EPERM;
912                     goto out;

** CID 1499385:    (UNREACHABLE)
/arch/x64/arch-trace.hh: 28 in <unnamed>::tracepointv<(unsigned int)14, std::tuple<long> (long), (&identity_assign<long>)>::operator ()(long)()
/arch/x64/arch-trace.hh: 28 in <unnamed>::tracepointv<(unsigned int)17, std::tuple<long> (long), (&identity_assign<long>)>::operator ()(long)()
/arch/x64/arch-trace.hh: 28 in <unnamed>::tracepointv<(unsigned int)20, std::tuple<long> (long), (&identity_assign<long>)>::operator ()(long)()
/arch/x64/arch-trace.hh: 28 in <unnamed>::tracepointv<(unsigned int)11, std::tuple<long> (long), (&identity_assign<long>)>::operator ()(long)()


________________________________________________________________________________________________________
*** CID 1499385:    (UNREACHABLE)
/arch/x64/arch-trace.hh: 28 in <unnamed>::tracepointv<(unsigned int)14, std::tuple<long> (long), (&identity_assign<long>)>::operator ()(long)()
22                 ".quad %c[type] \n\t"
23                 ".quad 1b \n\t"
24                 ".quad %l[slow_path] \n\t"
25                 ".popsection"
26                 : : [type]"i"(&typeid(*this)), [id]"i"(_id) : : slow_path);
27         return;
>>>     CID 1499385:    (UNREACHABLE)
>>>     This code cannot be reached: "slow_path:
auto data = ((st...".
28     slow_path:
29         // We don't want register shuffling and function calls here, so pretend
30         // to the compiler that the slow path just stores some data into local
31         // memory and executes an instruction that clobbers just a few registers
32         // (instead of lots of registers and all of memory):
33         auto data = assign(as...);

** CID 1499384:  Uninitialized members  (UNINIT_CTOR)
/drivers/virtio-pci-device.cc: 63 in virtio::virtio_legacy_pci_device::virtio_legacy_pci_device(pci::device *)()


________________________________________________________________________________________________________
*** CID 1499384:  Uninitialized members  (UNINIT_CTOR)
/drivers/virtio-pci-device.cc: 63 in virtio::virtio_legacy_pci_device::virtio_legacy_pci_device(pci::device *)()
57     #endif
58     }
59     
60     virtio_legacy_pci_device::virtio_legacy_pci_device(pci::device *dev)
61         : virtio_pci_device(dev)
62     {
>>>     CID 1499384:  Uninitialized members  (UNINIT_CTOR)
>>>     Non-static class member "_bar1" is not initialized in this constructor nor in any functions that it calls.
63     }
64     
65     void virtio_legacy_pci_device::kick_queue(int queue)
66     {
67         virtio_conf_writew(VIRTIO_PCI_QUEUE_NOTIFY, queue);
68     }

** CID 1499383:  Memory - illegal accesses  (UNINIT)
/fs/vfs/vfs_syscalls.cc: 1468 in sys_chmod()


________________________________________________________________________________________________________
*** CID 1499383:  Memory - illegal accesses  (UNINIT)
/fs/vfs/vfs_syscalls.cc: 1468 in sys_chmod()
1462         int error;
1463         struct dentry *dp;
1464         DPRINTF(VFSDB_SYSCALL, ("sys_chmod: path=%s\n", path));
1465         error = namei(path, &dp);
1466         if (error)
1467             return error;
>>>     CID 1499383:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "dp".
1468         if (dp->d_mount->m_flags & MNT_RDONLY) {
1469             error = EROFS;
1470         } else {
1471             error = vn_setmode(dp->d_vnode, mode);
1472         }
1473         drele(dp);

** CID 1499382:  Control flow issues  (DEADCODE)
/bsd/sys/netinet/raw_ip.cc: 730 in rip_attach(socket *, int, thread *)()


________________________________________________________________________________________________________
*** CID 1499382:  Control flow issues  (DEADCODE)
/bsd/sys/netinet/raw_ip.cc: 730 in rip_attach(socket *, int, thread *)()
724     
725             inp = sotoinpcb(so);
726             KASSERT(inp == NULL, ("rip_attach: inp != NULL"));
727     
728             error = priv_check(td, PRIV_NETINET_RAW);
729             if (error)
>>>     CID 1499382:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return error;".
730                     return (error);
731             if (proto >= IPPROTO_MAX || proto < 0)
732                     return EPROTONOSUPPORT;
733             error = soreserve_internal(so, rip_sendspace, rip_recvspace);
734             if (error)
735                     return (error);

** CID 1499381:  API usage errors  (PRINTF_ARGS)


________________________________________________________________________________________________________
*** CID 1499381:  API usage errors  (PRINTF_ARGS)
/runtime.cc: 98 in print_backtrace()()
92             void *addr = addrs[i] - INSTR_SIZE_MIN;
93             osv::lookup_name_demangled(addr, name, sizeof(name));
94             if (strncmp(name, "abort+", 6) == 0) {
95                 // Skip abort() (which called abort(const char*) already skipped
96                 continue;
97             }
>>>     CID 1499381:  API usage errors  (PRINTF_ARGS)
>>>     Argument "addr" to format specifier "%016lx" was expected to have type "unsigned long" but has type "void *".
98             debug_ll("0x%016lx <%s>\n", addr, name);
99         }
100     }
101     
102     static std::atomic<bool> aborting { false };
103     

** CID 1499380:  Uninitialized members  (UNINIT_CTOR)
/core/app.cc: 227 in osv::application::application(const 
std::__cxx11::basic_string<char, std::char_traits<char>, 
std::allocator<char>> &, const std::vector<std::__cxx11::basic_string<char, 
std::char_traits<char>, std::allocator<char>>, 
std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, 
std::allocator<char>>>> &, bool, const 
std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, 
std::allocator<char>>, std::__cxx11::basic_string<char, 
std::char_traits<char>, std::allocator<char>>, 
std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, 
std::allocator<char>>>, std::equal_to<std::__cxx11::basic_string<char, 
std::char_traits<char>, std::allocator<char>>>, 
std::allocator<std::pair<const std::__cxx11::basic_string<char, 
std::char_traits<char>, std::allocator<char>>, 
std::__cxx11::basic_string<char, std::char_traits<char>, 
std::allocator<char>>>>> *, const std::__cxx11::basic_string<char, 
std::char_traits<char>, std::allocator<char>> &, std::function<void ()>)()


________________________________________________________________________________________________________
*** CID 1499380:  Uninitialized members  (UNINIT_CTOR)
/core/app.cc: 227 in osv::application::application(const 
std::__cxx11::basic_string<char, std::char_traits<char>, 
std::allocator<char>> &, const std::vector<std::__cxx11::basic_string<char, 
std::char_traits<char>, std::allocator<char>>, 
std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, 
std::allocator<char>>>> &, bool, const 
std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, 
std::allocator<char>>, std::__cxx11::basic_string<char, 
std::char_traits<char>, std::allocator<char>>, 
std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, 
std::allocator<char>>>, std::equal_to<std::__cxx11::basic_string<char, 
std::char_traits<char>, std::allocator<char>>>, 
std::allocator<std::pair<const std::__cxx11::basic_string<char, 
std::char_traits<char>, std::allocator<char>>, 
std::__cxx11::basic_string<char, std::char_traits<char>, 
std::allocator<char>>>>> *, const std::__cxx11::basic_string<char, 
std::char_traits<char>, std::allocator<char>> &, std::function<void ()>)()
221         if (!_main) {
222             _entry_point = reinterpret_cast<void(*)()>(_lib->entry_point());
223         }
224         if (!_entry_point && !_main) {
225             throw launch_error("Failed looking up main");
226         }
>>>     CID 1499380:  Uninitialized members  (UNINIT_CTOR)
>>>     Non-static class member "_return_code" is not initialized in this constructor nor in any functions that it calls.
227     }
228     
229     void application::start()
230     {
231         // FIXME: we cannot create the thread inside the constructor because
232         // the thread would attempt to call shared_from_this() before object

** CID 1499379:  Code maintainability issues  (UNUSED_VALUE)
/external/x64/acpica/source/components/events/evgpeblk.c: 175 in AcpiEvInstallGpeBlock()


________________________________________________________________________________________________________
*** CID 1499379:  Code maintainability issues  (UNUSED_VALUE)
/external/x64/acpica/source/components/events/evgpeblk.c: 175 in AcpiEvInstallGpeBlock()
169             return_ACPI_STATUS (Status);
170         }
171     
172         GpeXruptBlock = AcpiEvGetGpeXruptBlock (InterruptNumber);
173         if (!GpeXruptBlock)
174         {
>>>     CID 1499379:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value "4U" to "Status" here, but that stored value is overwritten before it can be used.
175             Status = AE_NO_MEMORY;
176             goto UnlockAndExit;
177         }
178     
179         /* Install the new block at the end of the list with lock */
180     

** CID 1499378:  Control flow issues  (UNREACHABLE)
/arch/x64/arch-trace.hh: 28 in <unnamed>::tracepointv<(unsigned int)9, std::tuple<async::async_worker *> (async::async_worker *), (&identity_assign<async::async_worker *>)>::operator ()(async::async_worker *)()


________________________________________________________________________________________________________
*** CID 1499378:  Control flow issues  (UNREACHABLE)
/arch/x64/arch-trace.hh: 28 in <unnamed>::tracepointv<(unsigned int)9, std::tuple<async::async_worker *> (async::async_worker *), (&identity_assign<async::async_worker *>)>::operator ()(async::async_worker *)()
22                 ".quad %c[type] \n\t"
23                 ".quad 1b \n\t"
24                 ".quad %l[slow_path] \n\t"
25                 ".popsection"
26                 : : [type]"i"(&typeid(*this)), [id]"i"(_id) : : slow_path);
27         return;
>>>     CID 1499378:  Control flow issues  (UNREACHABLE)
>>>     This code cannot be reached: "slow_path:
auto data = ((st...".
28     slow_path:
29         // We don't want register shuffling and function calls here, so pretend
30         // to the compiler that the slow path just stores some data into local
31         // memory and executes an instruction that clobbers just a few registers
32         // (instead of lots of registers and all of memory):
33         auto data = assign(as...);

** CID 1499377:    (RESOURCE_LEAK)
/fs/pseudofs/pseudofs.cc: 82 in pseudofs::readlink(vnode *, uio *)()
/fs/pseudofs/pseudofs.cc: 84 in pseudofs::readlink(vnode *, uio *)()


________________________________________________________________________________________________________
*** CID 1499377:    (RESOURCE_LEAK)
/fs/pseudofs/pseudofs.cc: 82 in pseudofs::readlink(vnode *, uio *)()
76         if (vp->v_type != VLNK)
77             return EINVAL;
78     
79         auto *np = to_symlink_node(vp);
80         auto *target_path = np->target_path();
81         if (uio->uio_offset >= (off_t) target_path->size())
>>>     CID 1499377:    (RESOURCE_LEAK)
>>>     Variable "target_path" going out of scope leaks the storage it points to.
82             return 0;
83     
84         return uiomove(const_cast<char *>(target_path->data()) + uio->uio_offset, target_path->size(), uio);
85     }
86     
87     int write(vnode *vp, uio *uio, int ioflags) {
/fs/pseudofs/pseudofs.cc: 84 in pseudofs::readlink(vnode *, uio *)()
78     
79         auto *np = to_symlink_node(vp);
80         auto *target_path = np->target_path();
81         if (uio->uio_offset >= (off_t) target_path->size())
82             return 0;
83     
>>>     CID 1499377:    (RESOURCE_LEAK)
>>>     Variable "target_path" going out of scope leaks the storage it points to.
84         return uiomove(const_cast<char *>(target_path->data()) + uio->uio_offset, target_path->size(), uio);
85     }
86     
87     int write(vnode *vp, uio *uio, int ioflags) {
88         return EINVAL;
89     }

** CID 1499376:  Control flow issues  (NO_EFFECT)
/arch/x64/xen.cc: 182 in xen::xen_init(processor::features_type &, unsigned int)()


________________________________________________________________________________________________________
*** CID 1499376:  Control flow issues  (NO_EFFECT)
/arch/x64/xen.cc: 182 in xen::xen_init(processor::features_type &, unsigned int)()
176         processor::wrmsr(x.b, cast_pointer(&hypercall_page) - OSV_KERNEL_VM_SHIFT);
177     
178         struct xen_feature_info info;
179         // To fill up the array used by C code
180         for (int i = 0; i < XENFEAT_NR_SUBMAPS; i++) {
181             info.submap_idx = i;
>>>     CID 1499376:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "xen::version_hypercall(6U, &info) < 0UL".
182             if (version_hypercall(XENVER_get_features, &info) < 0)
183                 assert(0);
184             for (int j = 0; j < 32; j++)
185                 xen_features[i * 32 + j] = !!(info.submap & 1<<j);
186         }
187         features.xen_clocksource = xen_features[9] & 1;

** CID 1499375:    (RESOURCE_LEAK)
/bsd/sys/sys/mbuf.h: 620 in m_clget(mbuf *, int)()
/bsd/sys/sys/mbuf.h: 627 in m_clget(mbuf *, int)()


________________________________________________________________________________________________________
*** CID 1499375:    (RESOURCE_LEAK)
/bsd/sys/sys/mbuf.h: 620 in m_clget(mbuf *, int)()
614     m_clget(struct mbuf *m, int how)
615     {
616     
617             if (m->m_hdr.mh_flags & M_EXT)
618                     printf("%s: %p mbuf already has cluster\n", __func__, m);
619             m->M_dat.MH.MH_dat.MH_ext.ext_buf = (char *)NULL;
>>>     CID 1499375:    (RESOURCE_LEAK)
>>>     Ignoring storage allocated by "uma_zalloc_arg(zone_clust, m, how)" leaks it.
620             uma_zalloc_arg(zone_clust, m, how);
621             /*
622              * On a cluster allocation failure, drain the packet zone and retry,
623              * we might be able to loosen a few clusters up on the drain.
624              */
625             if ((how & M_NOWAIT) && (m->M_dat.MH.MH_dat.MH_ext.ext_buf == NULL)) {
/bsd/sys/sys/mbuf.h: 627 in m_clget(mbuf *, int)()
621             /*
622              * On a cluster allocation failure, drain the packet zone and retry,
623              * we might be able to loosen a few clusters up on the drain.
624              */
625             if ((how & M_NOWAIT) && (m->M_dat.MH.MH_dat.MH_ext.ext_buf == NULL)) {
626                     zone_drain(zone_pack);
>>>     CID 1499375:    (RESOURCE_LEAK)
>>>     Ignoring storage allocated by "uma_zalloc_arg(zone_clust, m, how)" leaks it.
627                     uma_zalloc_arg(zone_clust, m, how);
628             }
629     }
630     
631     /*
632      * m_cljget() is different from m_clget() as it can allocate clusters without

** CID 1499374:  API usage errors  (LOCK)


________________________________________________________________________________________________________
*** CID 1499374:  API usage errors  (LOCK)
/bsd/sys/net/route.cc: 560 in rtredirect_fib()
554                                     RT_LOCK(rt);
555                                     if (rt0 != NULL)
556                                            EVENTHANDLER_INVOKE(route_redirect_event, rt0, rt, dst);
557                                     flags = rt->rt_flags;
558                             }
559                             if (rt0 != NULL)
>>>     CID 1499374:  API usage errors  (LOCK)
>>>     "rtfree" destroys "rt0->rt_mtx" while it is locked.
560                                     RTFREE(rt0);
561                             
562                             stat = &V_rtstat.rts_dynamic;
563                     } else {
564                             struct rtentry *gwrt;
565     

** CID 1499373:    (UNREACHABLE)
/arch/x64/arch-trace.hh: 28 in <unnamed>::tracepointv<(unsigned int)3, std::tuple<inpcb *> (inpcb *), (&identity_assign<inpcb *>)>::operator ()(inpcb *)()
/arch/x64/arch-trace.hh: 28 in <unnamed>::tracepointv<(unsigned int)2, std::tuple<inpcb *> (inpcb *), (&identity_assign<inpcb *>)>::operator ()(inpcb *)()
/arch/x64/arch-trace.hh: 28 in <unnamed>::tracepointv<(unsigned int)1, std::tuple<inpcb *> (inpcb *), (&identity_assign<inpcb *>)>::operator ()(inpcb *)()


________________________________________________________________________________________________________
*** CID 1499373:    (UNREACHABLE)
/arch/x64/arch-trace.hh: 28 in <unnamed>::tracepointv<(unsigned int)3, std::tuple<inpcb *> (inpcb *), (&identity_assign<inpcb *>)>::operator ()(inpcb *)()
22                 ".quad %c[type] \n\t"
23                 ".quad 1b \n\t"
24                 ".quad %l[slow_path] \n\t"
25                 ".popsection"
26                 : : [type]"i"(&typeid(*this)), [id]"i"(_id) : : slow_path);
27         return;
>>>     CID 1499373:    (UNREACHABLE)
>>>     This code cannot be reached: "slow_path:
auto data = ((st...".
28     slow_path:
29         // We don't want register shuffling and function calls here, so pretend
30         // to the compiler that the slow path just stores some data into local
31         // memory and executes an instruction that clobbers just a few registers
32         // (instead of lots of registers and all of memory):
33         auto data = assign(as...);

** CID 1499372:    (TAINTED_SCALAR)
/bsd/sys/netinet/ip_icmp.cc: 872 in icmp_reflect(mbuf *)()
/bsd/sys/netinet/ip_icmp.cc: 823 in icmp_reflect(mbuf *)()


________________________________________________________________________________________________________
*** CID 1499372:    (TAINTED_SCALAR)
/bsd/sys/netinet/ip_icmp.cc: 872 in icmp_reflect(mbuf *)()
866                     ip->ip_v = IPVERSION;
867                     ip->ip_hl = 5;
868                     m->m_hdr.mh_len -= optlen;
869                     if (m->m_hdr.mh_flags & M_PKTHDR)
870                             m->M_dat.MH.MH_pkthdr.len -= optlen;
871                     optlen += sizeof(struct ip);
>>>     CID 1499372:    (TAINTED_SCALAR)
>>>     Passing tainted expression "m->m_hdr.mh_len - 20UL" to "memcpy", which uses it as an offset.
872                     bcopy((caddr_t)ip + optlen, (caddr_t)(ip + 1),
873                              (unsigned)(m->m_hdr.mh_len - sizeof(struct ip)));
874             }
875             m_tag_delete_nonpersistent(m);
876             m->m_hdr.mh_flags &= ~(M_BCAST|M_MCAST);
877             icmp_send(m, opts);
/bsd/sys/netinet/ip_icmp.cc: 823 in icmp_reflect(mbuf *)()
817                     if (opts) {
818     #ifdef ICMPPRINTFS
819                         if (icmpprintfs)
820                                 printf("icmp_reflect optlen %d rt %d => ",
821                                     optlen, opts->m_hdr.mh_len);
822     #endif
>>>     CID 1499372:    (TAINTED_SCALAR)
>>>     Using tainted variable "cnt" as a loop boundary.
823                         for (cnt = optlen; cnt > 0; cnt -= len, cp += len) {
824                                 opt = cp[IPOPT_OPTVAL];
825                                 if (opt == IPOPT_EOL)
826                                         break;
827                                 if (opt == IPOPT_NOP)
828                                         len = 1;

** CID 1499371:    (TAINTED_SCALAR)
/bsd/sys/netinet/tcp_lro.cc: 275 in tcp_lro_flush()
/bsd/sys/netinet/tcp_lro.cc: 239 in tcp_lro_flush()


________________________________________________________________________________________________________
*** CID 1499371:    (TAINTED_SCALAR)
/bsd/sys/netinet/tcp_lro.cc: 275 in tcp_lro_flush()
269                             ts_ptr[2] = le->tsecr;
270                     }
271     #ifdef TCP_LRO_UPDATE_CSUM
272                     /* Update the TCP header checksum. */
273                     le->ulp_csum += p_len;
274                     le->ulp_csum += tcp_lro_csum_th(th);
>>>     CID 1499371:    (TAINTED_SCALAR)
>>>     Using tainted variable "le->ulp_csum" as a loop boundary.
275                     while (le->ulp_csum > 0xffff)
276                             le->ulp_csum = (le->ulp_csum >> 16) +
277                                 (le->ulp_csum & 0xffff);
278                     th->th_sum = (le->ulp_csum & 0xffff);
279                     th->th_sum = ~th->th_sum;
280     #else
/bsd/sys/netinet/tcp_lro.cc: 239 in tcp_lro_flush()
233     #ifdef TCP_LRO_UPDATE_CSUM
234                             /* Fix IP header checksum for new length. */
235                             c = ~ip4->ip_sum;
236                             cl = c;
237                             c = ~ip4->ip_len;
238                             cl += c + p_len;
>>>     CID 1499371:    (TAINTED_SCALAR)
>>>     Using tainted variable "cl" as a loop boundary.
239                             while (cl > 0xffff)
240                                     cl = (cl >> 16) + (cl & 0xffff);
241                             c = cl;
242                             ip4->ip_sum = ~c;
243     #else
244                             ip4->ip_sum = TCP_LRO_INVALID_CSUM;

** CID 1499370:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1499370:  Insecure data handling  (TAINTED_SCALAR)
/bsd/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dmu.c: 746 in dmu_free_range()
740             dnode_t *dn;
741             int err = dnode_hold(os, object, FTAG, &dn);
742             if (err)
743                     return (err);
744             ASSERT(offset < UINT64_MAX);
745             ASSERT(size == -1ULL || size <= UINT64_MAX - offset);
>>>     CID 1499370:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "dn->dn_phys" to "dnode_free_range", which uses it as a loop boundary.
746             dnode_free_range(dn, offset, size, tx);
747             dnode_rele(dn, FTAG);
748             return (0);
749     }
750     
751     int

** CID 1499369:  API usage errors  (LOCK)


________________________________________________________________________________________________________
*** CID 1499369:  API usage errors  (LOCK)
/bsd/sys/net/routecache.hh: 182 in route_cache::lookup(bsd_sockaddr_in *, unsigned int, rtentry *)()
176             in_rtalloc_ign(&ro, 0, fibnum);
177             if (!ro.ro_rt) {
178                 RO_RTFREE(&ro);
179                 return false;
180             }
181             memcpy(ret, ro.ro_rt, sizeof(*ret));
>>>     CID 1499369:  API usage errors  (LOCK)
>>>     "rtfree" destroys "ro.ro_rt->rt_mtx" while it is locked.
182             RO_RTFREE(&ro);
183             ret->rt_refcnt = -1; // try to catch some monkey-business
184     #if 0
185             mutex_init(&ret->rt_mtx._mutex); // try to catch some monkey-business?
186     #endif
187             // Add the result to the cache

** CID 1499368:  Control flow issues  (UNREACHABLE)
/arch/x64/arch-trace.hh: 28 in <unnamed>::tracepointv<(unsigned int)16, std::tuple<void *, void *, unsigned int> (void *, void *, unsigned int), (&identity_assign<void *, void *, unsigned int>)>::operator ()(void *, void *, unsigned int)()


________________________________________________________________________________________________________
*** CID 1499368:  Control flow issues  (UNREACHABLE)
/arch/x64/arch-trace.hh: 28 in <unnamed>::tracepointv<(unsigned int)16, std::tuple<void *, void *, unsigned int> (void *, void *, unsigned int), (&identity_assign<void *, void *, unsigned int>)>::operator ()(void *, void *, unsigned int)()
22                 ".quad %c[type] \n\t"
23                 ".quad 1b \n\t"
24                 ".quad %l[slow_path] \n\t"
25                 ".popsection"
26                 : : [type]"i"(&typeid(*this)), [id]"i"(_id) : : slow_path);
27         return;
>>>     CID 1499368:  Control flow issues  (UNREACHABLE)
>>>     This code cannot be reached: "slow_path:
auto data = ((st...".
28     slow_path:
29         // We don't want register shuffling and function calls here, so pretend
30         // to the compiler that the slow path just stores some data into local
31         // memory and executes an instruction that clobbers just a few registers
32         // (instead of lots of registers and all of memory):
33         auto data = assign(as...);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yp3Xv76OLI2r3eDgyXuMpMdufT-2FPqJfnC-2FOtmvsTOlOQQ-3D-3Dqs4D_yOjI0W7E-2FbIV2LQaLHHdzysXzxlBp7vNU0cV8qeQtlBbx2ScohoZhOCaZ59shCAW43H-2By8IALtLkgcl0ymAoQxsXejz0rc8R45ZcIiZaKlYy7-2BEl522DO-2FEPb3NhU-2FvLQxdi6RK1Pv5Pfk-2BoJEp9uqyA6fn5ZCUVkPEWfa9J7MnJY18ynbz9kSHeZ46nmMIaNozN6Ix2kLs-2Bhz9QWDU6ew-3D-3D

-- 
You received this message because you are subscribed to the Google Groups "OSv Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to osv-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/osv-dev/b9ef7167-f4ac-4746-b597-910b1c5ee2den%40googlegroups.com.