This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.
Neels Hofmeyr nhofmeyr at sysmocom.deOn Thu, Oct 13, 2016 at 09:32:21AM -0700, scan-admin at coverity.com wrote:
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Osmocom found with Coverity Scan.
>
> 4 new defect(s) introduced to Osmocom found with Coverity Scan.
> 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 4 of 4 defect(s)
>
>
> ** CID 150135: Null pointer dereferences (REVERSE_INULL)
> /source-Osmocom/openggsn/ggsn/ggsn.c: 142 in delete_context()
>
>
> ________________________________________________________________________________________________________
> *** CID 150135: Null pointer dereferences (REVERSE_INULL)
> /source-Osmocom/openggsn/ggsn/ggsn.c: 142 in delete_context()
> 136 int delete_context(struct pdp_t *pdp)
> 137 {
> 138 DEBUGP(DGGSN, "Deleting PDP context\n");
> 139 struct ippoolm_t *member = pdp->peer;
> 140 char v[NAMESIZE];
> 141 snprintf(v, sizeof(v), "%" PRIu64 ",%s", pdp->imsi, inet_ntoa(member->addr));
> >>> CID 150135: Null pointer dereferences (REVERSE_INULL)
> >>> Null-checking "pdp->peer" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
> 142 if (pdp->peer)
> 143 ippool_freeip(ippool, (struct ippoolm_t *)pdp->peer);
> 144 else
> 145 SYS_ERR(DGGSN, LOGL_ERROR, 0, "Peer not defined!");
> 146
> 147 if (gtp_kernel_tunnel_del(pdp)) {
This one's for you, Max. (openggsn commit 727417dd28813c697b4820aef9f54f249e30c4b8)
> ** CID 150134: Null pointer dereferences (REVERSE_INULL)
> /source-Osmocom/openbsc/openbsc/src/gprs/gprs_sgsn.c: 257 in sgsn_mm_ctx_alloc_iu()
>
>
> ________________________________________________________________________________________________________
> *** CID 150134: Null pointer dereferences (REVERSE_INULL)
> /source-Osmocom/openbsc/openbsc/src/gprs/gprs_sgsn.c: 257 in sgsn_mm_ctx_alloc_iu()
> 251 ctx->auth_triplet.key_seq = GSM_KEY_SEQ_INVAL;
> 252 ctx->ctrg = rate_ctr_group_alloc(ctx, &mmctx_ctrg_desc, 0);
> 253
> 254 /* Need to get RAID from IU conn */
> 255 ctx->ra = ctx->iu.ue_ctx->ra_id;
> 256
fixed (sysmocom/iu branch).
> >>> CID 150134: Null pointer dereferences (REVERSE_INULL)
> >>> Null-checking "ctx->iu.ue_ctx" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
> 257 if (ctx->iu.ue_ctx)
> 258 ctx->iu.ue_ctx->rab_assign_addr_enc =
> 259 sgsn->cfg.iu.rab_assign_addr_enc;
> 260
> 261 INIT_LLIST_HEAD(&ctx->pdp_list);
> 262
>
> ** CID 150133: Memory - corruptions (OVERRUN)
> /source-Osmocom/osmo-bts/src/common/msg_utils.c: 121 in dtx_cache_payload()
>
>
> ________________________________________________________________________________________________________
> *** CID 150133: Memory - corruptions (OVERRUN)
> /source-Osmocom/osmo-bts/src/common/msg_utils.c: 121 in dtx_cache_payload()
> 115 copy_len = OSMO_MIN(length + 1, ARRAY_SIZE(lchan->tch.dtx.cache));
> 116
> 117 lchan->tch.dtx.len = copy_len + amr;
> 118 lchan->tch.dtx.fn = fn;
> 119 lchan->tch.dtx.is_update = update;
> 120
> >>> CID 150133: Memory - corruptions (OVERRUN)
> >>> Overrunning buffer pointed to by "&lchan->tch.dtx.cache[amr]" of 20 bytes by passing it to a function which accesses it at byte offset 21 using argument "copy_len" (which evaluates to 20).
> 121 memcpy(lchan->tch.dtx.cache + amr, l1_payload, copy_len);
@Max, maybe 'copy_len - amr'? In any case there's potentially 'amr' too many
bytes.
> 122 }
> 123
> 124 /*! \brief Check current state of DTX DL AMR FSM and dispatch necessary events
> 125 * \param[in] lchan Logical channel on which we check scheduling
> 126 * \param[in] rtp_pl buffer with RTP data
>
> ** CID 150132: Incorrect expression (BAD_SIZEOF)
> /source-Osmocom/osmo-bts/src/common/msg_utils.c: 262 in dtx_sched_optional()
>
>
> ________________________________________________________________________________________________________
> *** CID 150132: Incorrect expression (BAD_SIZEOF)
> /source-Osmocom/osmo-bts/src/common/msg_utils.c: 262 in dtx_sched_optional()
> 256 h1[] = { 14, 16, 18, 20, 66, 68, 70, 72 };
> 257 if (lchan->tch_mode == GSM48_CMODE_SPEECH_V1) {
> 258 if (lchan->type == GSM_LCHAN_TCH_F)
> 259 return fn_chk(f, fn, ARRAY_SIZE(f));
> 260 else
> 261 return fn_chk(lchan->nr ? h1 : h0, fn,
> >>> CID 150132: Incorrect expression (BAD_SIZEOF)
> >>> The expression "sizeof (lchan->nr ? h1 : h0) / sizeof (lchan->nr ? h1 : h0[0])" is suspicious. Note that "lchan->nr ? h1 : h0" is a pointer and therefore the division will not return the number of array elements which may have been the intent.
> 262 ARRAY_SIZE(lchan->nr ? h1 : h0));
@Max, has to be
lchan-nr? ARRAY_SIZE(h1) : ARRAY_SIZE(h0)
so ARRAY_SIZE can be resolved at compile time.
> 263 }
> 264 return false;
> 265 }
> 266
> 267 /* repeat last SID if possible, returns SID length + 1 or 0 */
>
>
> ________________________________________________________________________________________________________
>
--
- Neels Hofmeyr <nhofmeyr at sysmocom.de> http://www.sysmocom.de/
=======================================================================
* sysmocom - systems for mobile communications GmbH
* Alt-Moabit 93
* 10559 Berlin, Germany
* Sitz / Registered office: Berlin, HRB 134158 B
* Geschäftsführer / Managing Directors: Harald Welte
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.osmocom.org/pipermail/openbsc/attachments/20161014/772dc55d/attachment.bin>