[tom.rini at gmail.com: Fwd: New Defects reported by Coverity Scan for Das U-Boot]

Tom Rini trini at konsulko.com
Tue Dec 6 15:51:55 CET 2022


Here's the latest report

---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Mon, Dec 5, 2022, 3:35 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini at gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

4 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)


** CID 430977:  Null pointer dereferences  (FORWARD_NULL)
/net/ndisc.c: 268 in ndisc_receive()


________________________________________________________________________________________________________
*** CID 430977:  Null pointer dereferences  (FORWARD_NULL)
/net/ndisc.c: 268 in ndisc_receive()
262                                 sizeof(struct in6_addr)) == 0) &&
263                         ndisc_has_option(ip6, ND_OPT_TARGET_LL_ADDR)) {
264                             ndisc_extract_enetaddr(ndisc, neigh_eth_addr);
265
266                             /* save address for later use */
267                             if (!net_nd_packet_mac)
>>>     CID 430977:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "net_nd_packet_mac" to "memcpy", which dereferences it. [Note: The source code implementation of the function has been overridden by a builtin model.]
268                                     memcpy(net_nd_packet_mac, neigh_eth_addr, 7);
269
270                             /* modify header, and transmit it */
271                             memcpy(((struct ethernet_hdr *)net_nd_tx_packet)->et_dest,
272                                    neigh_eth_addr, 6);
273

** CID 430976:  Control flow issues  (DEADCODE)
/net/tftp.c: 744 in sanitize_tftp_block_size_option()


________________________________________________________________________________________________________
*** CID 430976:  Control flow issues  (DEADCODE)
/net/tftp.c: 744 in sanitize_tftp_block_size_option()
738                     }
739                     /*
740                      * If not CONFIG_IP_DEFRAG, cap at the same value as
741                      * for tftp put, namely normal MTU minus protocol
742                      * overhead.
743                      */
>>>     CID 430976:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "[[fallthrough]];".
744                     fallthrough;
745             case TFTPPUT:
746             default:
747                     /*
748                      * U-Boot does not support IP fragmentation on TX, so
749                      * this must be small enough that it fits normal MTU

** CID 430975:  Control flow issues  (MISSING_BREAK)
/net/net.c: 1270 in net_process_received_packet()


________________________________________________________________________________________________________
*** CID 430975:  Control flow issues  (MISSING_BREAK)
/net/net.c: 1270 in net_process_received_packet()
1264     #ifdef CONFIG_CMD_RARP
1265            case PROT_RARP:
1266                    rarp_receive(ip, len);
1267                    break;
1268     #endif
1269     #if IS_ENABLED(CONFIG_IPV6)
>>>     CID 430975:  Control flow issues  (MISSING_BREAK)
>>>     The case for value "34525" is not terminated by a "break" statement.
1270            case PROT_IP6:
1271                    net_ip6_handler(et, (struct ip6_hdr *)ip, len);
1272     #endif
1273            case PROT_IP:
1274                    debug_cond(DEBUG_NET_PKT, "Got IP\n");
1275                    /* Before we start poking the header, make sure it is there */

** CID 430974:  Memory - corruptions  (OVERRUN)
/net/ndisc.c: 268 in ndisc_receive()


________________________________________________________________________________________________________
*** CID 430974:  Memory - corruptions  (OVERRUN)
/net/ndisc.c: 268 in ndisc_receive()
262                                 sizeof(struct in6_addr)) == 0) &&
263                         ndisc_has_option(ip6, ND_OPT_TARGET_LL_ADDR)) {
264                             ndisc_extract_enetaddr(ndisc, neigh_eth_addr);
265
266                             /* save address for later use */
267                             if (!net_nd_packet_mac)
>>>     CID 430974:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "neigh_eth_addr" of 6 bytes by passing it to a function which accesses it at byte offset 6 using argument "7UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
268                                     memcpy(net_nd_packet_mac, neigh_eth_addr, 7);
269
270                             /* modify header, and transmit it */
271                             memcpy(((struct ethernet_hdr *)net_nd_tx_packet)->et_dest,
272                                    neigh_eth_addr, 6);
273


-- 
Tom