From 88971a0a5660805f71ba8696e9291eaee822d996 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Fri, 8 Feb 2013 15:12:32 +0100
Subject: [PATCH 1/4] OVERRUN (CWE-119)
Coverity output:
bsd-finger-0.17/finger/util.c:392: cond_true: Condition "*q", taking
true branch
bsd-finger-0.17/finger/util.c:393: cond_false: Condition
"!(*__ctype_b_loc()[(int)*q] & 2048 /* (unsigned short)_ISdigit */)",
taking false branch
bsd-finger-0.17/finger/util.c:394: if_end: End of if statement
bsd-finger-0.17/finger/util.c:394: loop: Jumping back to the beginning
of the loop
bsd-finger-0.17/finger/util.c:392: loop_begin: Jumped back to beginning
of loop
bsd-finger-0.17/finger/util.c:392: cond_false: Condition "*q", taking
false branch
bsd-finger-0.17/finger/util.c:394: loop_end: Reached end of loop
bsd-finger-0.17/finger/util.c:396: alias: Assigning: "p" = "pbuf". "p"
now points to byte 0 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:397: switch: Switch case value "11"
bsd-finger-0.17/finger/util.c:398: switch_case: Reached case "11"
bsd-finger-0.17/finger/util.c:399: ptr_incr: Incrementing "p". "p" now
points to byte 1 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:400: ptr_incr: Incrementing "p". "p" now
points to byte 2 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:401: ptr_incr: Incrementing "p". "p" now
points to byte 3 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:404: ptr_incr: Incrementing "p". "p" now
points to byte 4 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:405: ptr_incr: Incrementing "p". "p" now
points to byte 5 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:406: ptr_incr: Incrementing "p". "p" now
points to byte 6 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:407: ptr_incr: Incrementing "p". "p" now
points to byte 7 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:410: ptr_incr: Incrementing "p". "p" now
points to byte 8 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:411: ptr_incr: Incrementing "p". "p" now
points to byte 9 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:412: ptr_incr: Incrementing "p". "p" now
points to byte 10 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:413: break: Breaking from switch
bsd-finger-0.17/finger/util.c:421: switch_end: Reached end of switch
bsd-finger-0.17/finger/util.c:422: cond_true: Condition "len != 4",
taking true branch
bsd-finger-0.17/finger/util.c:423: ptr_incr: Incrementing "p". "p" now
points to byte 11 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:424: ptr_incr: Incrementing "p". "p" now
points to byte 12 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:426: ptr_incr: Incrementing "p". "p" now
points to byte 13 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:427: ptr_incr: Incrementing "p". "p" now
points to byte 14 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:428: ptr_incr: Incrementing "p". "p" now
points to byte 15 of "pbuf" (which consists of 15 bytes).
bsd-finger-0.17/finger/util.c:429: overrun-local: Overrunning array of
15 bytes at byte offset 15 by dereferencing pointer "p".
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
finger/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/finger/util.c b/finger/util.c
index a9c3b5d..ee44541 100644
--- a/finger/util.c
+++ b/finger/util.c
@@ -386,7 +386,7 @@ prphone(const char *num)
char *p;
const char *q;
int len;
- static char pbuf[15];
+ static char pbuf[16];
/* don't touch anything if the user has their own formatting */
for (q = num; *q; ++q)
--
1.8.1.2
From 93a36eb8d32b0cbe3034e3742b128eb81934875c Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Fri, 8 Feb 2013 15:19:34 +0100
Subject: [PATCH 2/4] RESOURCE_LEAK (CWE-772)
Coverity output:
bsd-finger-0.17/finger/finger.c:293: cond_false: Condition "setlocale(6,
"") != NULL", taking false branch
bsd-finger-0.17/finger/finger.c:294: if_end: End of if statement
bsd-finger-0.17/finger/finger.c:296: alloc_fn: Storage is returned from
allocation function "calloc(size_t, size_t)".
bsd-finger-0.17/finger/finger.c:296: var_assign: Assigning: "used" =
storage returned from "calloc(argc, 4UL)".
bsd-finger-0.17/finger/finger.c:297: cond_false: Condition "!used",
taking false branch
bsd-finger-0.17/finger/finger.c:300: if_end: End of if statement
bsd-finger-0.17/finger/finger.c:303: cond_true: Condition "i < argc",
taking true branch
bsd-finger-0.17/finger/finger.c:304: cond_true: Condition
"!__coverity_strchr(argv[i], 64)", taking true branch
bsd-finger-0.17/finger/finger.c:306: continue: Continuing loop
bsd-finger-0.17/finger/finger.c:313: loop: Looping back
bsd-finger-0.17/finger/finger.c:303: cond_true: Condition "i < argc",
taking true branch
bsd-finger-0.17/finger/finger.c:304: cond_true: Condition
"!__coverity_strchr(argv[i], 64)", taking true branch
bsd-finger-0.17/finger/finger.c:306: continue: Continuing loop
bsd-finger-0.17/finger/finger.c:313: loop: Looping back
bsd-finger-0.17/finger/finger.c:303: cond_false: Condition "i < argc",
taking false branch
bsd-finger-0.17/finger/finger.c:313: loop_end: Reached end of loop
bsd-finger-0.17/finger/finger.c:316: cond_true: Condition "dolocal",
taking true branch
bsd-finger-0.17/finger/finger.c:316: noescape: Resource "used" is not
freed or pointed-to in function "do_local(int, char **, int *)".
bsd-finger-0.17/finger/finger.c:251:51: noescape: "do_local(int, char
**, int *)" does not free or save its pointer parameter "used".
bsd-finger-0.17/finger/finger.c:319: cond_false: Condition "pn", taking
false branch
bsd-finger-0.17/finger/finger.c:323: loop_end: Reached end of loop
bsd-finger-0.17/finger/finger.c:325: cond_true: Condition "entries ==
0", taking true branch
bsd-finger-0.17/finger/finger.c:326: leaked_storage: Variable "used"
going out of scope leaks the storage it points to.
bsd-finger-0.17/finger/finger.c:293: cond_false: Condition "setlocale(6,
"") != NULL", taking false branch
bsd-finger-0.17/finger/finger.c:294: if_end: End of if statement
bsd-finger-0.17/finger/finger.c:296: alloc_fn: Storage is returned from
allocation function "calloc(size_t, size_t)".
bsd-finger-0.17/finger/finger.c:296: var_assign: Assigning: "used" =
storage returned from "calloc(argc, 4UL)".
bsd-finger-0.17/finger/finger.c:297: cond_false: Condition "!used",
taking false branch
bsd-finger-0.17/finger/finger.c:300: if_end: End of if statement
bsd-finger-0.17/finger/finger.c:303: cond_true: Condition "i < argc",
taking true branch
bsd-finger-0.17/finger/finger.c:304: cond_true: Condition
"!__coverity_strchr(argv[i], 64)", taking true branch
bsd-finger-0.17/finger/finger.c:306: continue: Continuing loop
bsd-finger-0.17/finger/finger.c:313: loop: Looping back
bsd-finger-0.17/finger/finger.c:303: cond_true: Condition "i < argc",
taking true branch
bsd-finger-0.17/finger/finger.c:304: cond_true: Condition
"!__coverity_strchr(argv[i], 64)", taking true branch
bsd-finger-0.17/finger/finger.c:306: continue: Continuing loop
bsd-finger-0.17/finger/finger.c:313: loop: Looping back
bsd-finger-0.17/finger/finger.c:303: cond_false: Condition "i < argc",
taking false branch
bsd-finger-0.17/finger/finger.c:313: loop_end: Reached end of loop
bsd-finger-0.17/finger/finger.c:316: cond_true: Condition "dolocal",
taking true branch
bsd-finger-0.17/finger/finger.c:316: noescape: Resource "used" is not
freed or pointed-to in function "do_local(int, char **, int *)".
bsd-finger-0.17/finger/finger.c:251:51: noescape: "do_local(int, char
**, int *)" does not free or save its pointer parameter "used".
bsd-finger-0.17/finger/finger.c:319: cond_true: Condition "pn", taking
true branch
bsd-finger-0.17/finger/finger.c:321: cond_false: Condition "pn->next",
taking false branch
bsd-finger-0.17/finger/finger.c:321: cond_true: Condition "entries",
taking true branch
bsd-finger-0.17/finger/finger.c:323: loop: Jumping back to the beginning
of the loop
bsd-finger-0.17/finger/finger.c:319: loop_begin: Jumped back to
beginning of loop
bsd-finger-0.17/finger/finger.c:319: cond_false: Condition "pn", taking
false branch
bsd-finger-0.17/finger/finger.c:323: loop_end: Reached end of loop
bsd-finger-0.17/finger/finger.c:325: cond_false: Condition "entries ==
0", taking false branch
bsd-finger-0.17/finger/finger.c:326: if_end: End of if statement
bsd-finger-0.17/finger/finger.c:339: cond_false: Condition "(uptr =
getutent()) != NULL", taking false branch
bsd-finger-0.17/finger/finger.c:351: loop_end: Reached end of loop
bsd-finger-0.17/finger/finger.c:352: cond_true: Condition "pn != NULL",
taking true branch
bsd-finger-0.17/finger/finger.c:354: loop: Jumping back to the beginning
of the loop
bsd-finger-0.17/finger/finger.c:352: loop_begin: Jumped back to
beginning of loop
bsd-finger-0.17/finger/finger.c:352: cond_false: Condition "pn != NULL",
taking false branch
bsd-finger-0.17/finger/finger.c:354: loop_end: Reached end of loop
bsd-finger-0.17/finger/finger.c:356: leaked_storage: Variable "used"
going out of scope leaks the storage it points to.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
finger/finger.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/finger/finger.c b/finger/finger.c
index ebf7309..6653e82 100644
--- a/finger/finger.c
+++ b/finger/finger.c
@@ -323,7 +323,10 @@ userlist(int argc, char *argv[])
}
if (entries == 0)
+ {
+ free(used);
return;
+ }
/*
* Scan thru the list of users currently logged in, saving
@@ -353,4 +356,5 @@ userlist(int argc, char *argv[])
enter_lastlog(pn);
}
endutent();
+ free(used);
}
--
1.8.1.2
From bf805902875147e582402fa736022c10edb163bc Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Fri, 8 Feb 2013 15:41:05 +0100
Subject: [PATCH 3/4] RESOURCE_LEAK (CWE-772)
Coverity output:
bsd-finger-0.17/finger/sprint.c:60: alloc_fn: Storage is returned from
allocation function "sort(void)".
bsd-finger-0.17/finger/sprint.c:142:2: alloc_fn: Storage is returned
from allocation function "malloc(size_t)".
bsd-finger-0.17/finger/sprint.c:142:2: var_assign: Assigning: "list" =
"malloc((u_int)(entries * 8UL))".
bsd-finger-0.17/finger/sprint.c:142:2: cond_false: Condition "!(list =
(PERSON **)malloc((u_int)(entries * 8UL /* sizeof (PERSON *) */)))",
taking false branch
bsd-finger-0.17/finger/sprint.c:145:2: if_end: End of if statement
bsd-finger-0.17/finger/sprint.c:146:7: var_assign: Assigning: "lp" =
"list".
bsd-finger-0.17/finger/sprint.c:146:2: cond_true: Condition "pn !=
NULL", taking true branch
bsd-finger-0.17/finger/sprint.c:147:3: loop: Jumping back to the
beginning of the loop
bsd-finger-0.17/finger/sprint.c:146:2: loop_begin: Jumped back to
beginning of loop
bsd-finger-0.17/finger/sprint.c:146:2: cond_false: Condition "pn !=
NULL", taking false branch
bsd-finger-0.17/finger/sprint.c:147:3: loop_end: Reached end of loop
bsd-finger-0.17/finger/sprint.c:148:2: noescape: Resource "list" is not
freed or pointed-to in function "qsort(void *, size_t, size_t,
__compar_fn_t)".
bsd-finger-0.17/finger/sprint.c:149:2: return_alloc: Returning allocated
memory "list".
bsd-finger-0.17/finger/sprint.c:60: var_assign: Assigning: "list" =
storage returned from "sort()".
bsd-finger-0.17/finger/sprint.c:76: cond_true: Condition "cnt <
entries", taking true branch
bsd-finger-0.17/finger/sprint.c:79: cond_true: Condition "pn->name",
taking true branch
bsd-finger-0.17/finger/sprint.c:80: cond_true: Condition "l > maxlname",
taking true branch
bsd-finger-0.17/finger/sprint.c:81: cond_true: Condition "pn->realname",
taking true branch
bsd-finger-0.17/finger/sprint.c:82: cond_true: Condition "l > maxrname",
taking true branch
bsd-finger-0.17/finger/sprint.c:83: loop: Jumping back to the beginning
of the loop
bsd-finger-0.17/finger/sprint.c:76: loop_begin: Jumped back to beginning
of loop
bsd-finger-0.17/finger/sprint.c:76: cond_true: Condition "cnt <
entries", taking true branch
bsd-finger-0.17/finger/sprint.c:79: cond_true: Condition "pn->name",
taking true branch
bsd-finger-0.17/finger/sprint.c:80: cond_true: Condition "l > maxlname",
taking true branch
bsd-finger-0.17/finger/sprint.c:81: cond_true: Condition "pn->realname",
taking true branch
bsd-finger-0.17/finger/sprint.c:82: cond_true: Condition "l > maxrname",
taking true branch
bsd-finger-0.17/finger/sprint.c:83: loop: Jumping back to the beginning
of the loop
bsd-finger-0.17/finger/sprint.c:76: loop_begin: Jumped back to beginning
of loop
bsd-finger-0.17/finger/sprint.c:76: cond_true: Condition "cnt <
entries", taking true branch
bsd-finger-0.17/finger/sprint.c:79: cond_true: Condition "pn->name",
taking true branch
bsd-finger-0.17/finger/sprint.c:80: cond_true: Condition "l > maxlname",
taking true branch
bsd-finger-0.17/finger/sprint.c:81: cond_true: Condition "pn->realname",
taking true branch
bsd-finger-0.17/finger/sprint.c:82: cond_false: Condition "l >
maxrname", taking false branch
bsd-finger-0.17/finger/sprint.c:82: if_end: End of if statement
bsd-finger-0.17/finger/sprint.c:83: loop: Jumping back to the beginning
of the loop
bsd-finger-0.17/finger/sprint.c:76: loop_begin: Jumped back to beginning
of loop
bsd-finger-0.17/finger/sprint.c:76: cond_false: Condition "cnt <
entries", taking false branch
bsd-finger-0.17/finger/sprint.c:83: loop_end: Reached end of loop
bsd-finger-0.17/finger/sprint.c:86: cond_true: Condition "maxlname +
maxrname > space", taking true branch
bsd-finger-0.17/finger/sprint.c:89: cond_true: Condition "maxlname +
maxrname < space - 2", taking true branch
bsd-finger-0.17/finger/sprint.c:93: cond_true: Condition "cnt <
entries", taking true branch
bsd-finger-0.17/finger/sprint.c:95: cond_true: Condition "w != NULL",
taking true branch
bsd-finger-0.17/finger/sprint.c:96: cond_true: Condition "pn->realname",
taking true branch
bsd-finger-0.17/finger/sprint.c:99: cond_true: Condition "!w->loginat",
taking true branch
bsd-finger-0.17/finger/sprint.c:101: goto: Jumping to label "office"
bsd-finger-0.17/finger/sprint.c:120: label: Reached label "office"
bsd-finger-0.17/finger/sprint.c:121: cond_true: Condition "pn->office",
taking true branch
bsd-finger-0.17/finger/sprint.c:122: if_fallthrough: Falling through to
end of if statement
bsd-finger-0.17/finger/sprint.c:124: if_end: End of if statement
bsd-finger-0.17/finger/sprint.c:125: cond_true: Condition
"pn->officephone", taking true branch
bsd-finger-0.17/finger/sprint.c:126: if_fallthrough: Falling through to
end of if statement
bsd-finger-0.17/finger/sprint.c:129: if_end: End of if statement
bsd-finger-0.17/finger/sprint.c:131: cond_true: Condition "w->host[0] !=
0", taking true branch
bsd-finger-0.17/finger/sprint.c:134: loop: Jumping back to the beginning
of the loop
bsd-finger-0.17/finger/sprint.c:95: loop_begin: Jumped back to beginning
of loop
bsd-finger-0.17/finger/sprint.c:95: cond_false: Condition "w != NULL",
taking false branch
bsd-finger-0.17/finger/sprint.c:134: loop_end: Reached end of loop
bsd-finger-0.17/finger/sprint.c:135: loop: Jumping back to the beginning
of the loop
bsd-finger-0.17/finger/sprint.c:93: loop_begin: Jumped back to beginning
of loop
bsd-finger-0.17/finger/sprint.c:93: cond_true: Condition "cnt <
entries", taking true branch
bsd-finger-0.17/finger/sprint.c:95: cond_true: Condition "w != NULL",
taking true branch
bsd-finger-0.17/finger/sprint.c:96: cond_true: Condition "pn->realname",
taking true branch
bsd-finger-0.17/finger/sprint.c:99: cond_true: Condition "!w->loginat",
taking true branch
bsd-finger-0.17/finger/sprint.c:101: goto: Jumping to label "office"
bsd-finger-0.17/finger/sprint.c:120: label: Reached label "office"
bsd-finger-0.17/finger/sprint.c:121: cond_true: Condition "pn->office",
taking true branch
bsd-finger-0.17/finger/sprint.c:122: if_fallthrough: Falling through to
end of if statement
bsd-finger-0.17/finger/sprint.c:124: if_end: End of if statement
bsd-finger-0.17/finger/sprint.c:125: cond_true: Condition
"pn->officephone", taking true branch
bsd-finger-0.17/finger/sprint.c:126: if_fallthrough: Falling through to
end of if statement
bsd-finger-0.17/finger/sprint.c:129: if_end: End of if statement
bsd-finger-0.17/finger/sprint.c:131: cond_true: Condition "w->host[0] !=
0", taking true branch
bsd-finger-0.17/finger/sprint.c:134: loop: Jumping back to the beginning
of the loop
bsd-finger-0.17/finger/sprint.c:95: loop_begin: Jumped back to beginning
of loop
bsd-finger-0.17/finger/sprint.c:95: cond_false: Condition "w != NULL",
taking false branch
bsd-finger-0.17/finger/sprint.c:134: loop_end: Reached end of loop
bsd-finger-0.17/finger/sprint.c:135: loop: Jumping back to the beginning
of the loop
bsd-finger-0.17/finger/sprint.c:93: loop_begin: Jumped back to beginning
of loop
bsd-finger-0.17/finger/sprint.c:93: cond_true: Condition "cnt <
entries", taking true branch
bsd-finger-0.17/finger/sprint.c:95: cond_true: Condition "w != NULL",
taking true branch
bsd-finger-0.17/finger/sprint.c:96: cond_true: Condition "pn->realname",
taking true branch
bsd-finger-0.17/finger/sprint.c:99: cond_true: Condition "!w->loginat",
taking true branch
bsd-finger-0.17/finger/sprint.c:101: goto: Jumping to label "office"
bsd-finger-0.17/finger/sprint.c:120: label: Reached label "office"
bsd-finger-0.17/finger/sprint.c:121: cond_true: Condition "pn->office",
taking true branch
bsd-finger-0.17/finger/sprint.c:122: if_fallthrough: Falling through to
end of if statement
bsd-finger-0.17/finger/sprint.c:124: if_end: End of if statement
bsd-finger-0.17/finger/sprint.c:125: cond_true: Condition
"pn->officephone", taking true branch
bsd-finger-0.17/finger/sprint.c:126: if_fallthrough: Falling through to
end of if statement
bsd-finger-0.17/finger/sprint.c:129: if_end: End of if statement
bsd-finger-0.17/finger/sprint.c:131: cond_true: Condition "w->host[0] !=
0", taking true branch
bsd-finger-0.17/finger/sprint.c:134: loop: Jumping back to the beginning
of the loop
bsd-finger-0.17/finger/sprint.c:95: loop_begin: Jumped back to beginning
of loop
bsd-finger-0.17/finger/sprint.c:95: cond_false: Condition "w != NULL",
taking false branch
bsd-finger-0.17/finger/sprint.c:134: loop_end: Reached end of loop
bsd-finger-0.17/finger/sprint.c:135: loop: Jumping back to the beginning
of the loop
bsd-finger-0.17/finger/sprint.c:93: loop_begin: Jumped back to beginning
of loop
bsd-finger-0.17/finger/sprint.c:93: cond_false: Condition "cnt <
entries", taking false branch
bsd-finger-0.17/finger/sprint.c:135: loop_end: Reached end of loop
bsd-finger-0.17/finger/sprint.c:136: leaked_storage: Variable "list"
going out of scope leaks the storage it points to.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
finger/sprint.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/finger/sprint.c b/finger/sprint.c
index 0aaa82f..c66584f 100644
--- a/finger/sprint.c
+++ b/finger/sprint.c
@@ -133,6 +133,7 @@ office:
xputc('\n');
}
}
+ free(list);
}
static PERSON **sort(void) {
--
1.8.1.2
From d8638a83edb2ab42adaa8a77f74d350095ce281f Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Fri, 8 Feb 2013 15:58:40 +0100
Subject: [PATCH 4/4] DEADCODE (CWE-561)
Coverity output:
bsd-finger-0.17/finger/net.c:173: assignment: Assigning: "ateol" = "1".
bsd-finger-0.17/finger/net.c:178: assignment: Assigning: "ateol" = "1".
bsd-finger-0.17/finger/net.c:191: const: At condition "ateol", the value
of "ateol" must be equal to 1.
bsd-finger-0.17/finger/net.c:191: dead_error_condition: The condition
"!ateol" cannot be true.
bsd-finger-0.17/finger/net.c:191: dead_error_line: Execution cannot
reach this statement "xputc(10);".
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
finger/net.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/finger/net.c b/finger/net.c
index d273432..157090f 100644
--- a/finger/net.c
+++ b/finger/net.c
@@ -183,7 +183,10 @@ void netfinger(const char *name) {
/* don't print */
}
else {
- if (c == '\n') ateol = 1;
+ if (c == '\n')
+ ateol = 1;
+ else
+ ateol = 0;
sawret = 0;
xputc(c);
}
--
1.8.1.2