Fwd: New Defects reported by Coverity Scan for Das U-Boot

Tom Rini trini at konsulko.com
Tue Jul 7 20:58:21 CEST 2026


Hey all,

Here's the report now that next has been merged to master. And part of
this looks like backend updates finding new issues in existing code.

---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Tue, Jul 7, 2026 at 12:39 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini at gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 35
   - 10 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 20 of 35 defect(s)

Defect Details

** CID 648967:       Null pointer dereferences  (NULL_RETURNS)
/api/api.c: 545           in API_env_enum()


_____________________________________________________________________________________________
*** CID 648967:         Null pointer dereferences  (NULL_RETURNS)
/api/api.c: 545             in API_env_enum()
539     	/* match the next entry after i */
540     	i = hmatch_r("", i, &match, &env_htab);
541     	if (i == 0)
542     		goto done;
543     	buflen = strlen(match->key) + strlen(match->data) + 2;
544     	var = realloc(var, buflen);
>>>     CID 648967:         Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "var" when calling "snprintf". [Note: The source code implementation of the function has been overridden by a builtin model.]
545     	snprintf(var, buflen, "%s=%s", match->key, match->data);
546     	*next = var;
547     	return 0;
548
549     done:
550     	free(var);

** CID 648966:       Memory - illegal accesses  (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648966:         Memory - illegal accesses  (STRING_NULL)
/boot/vbe_request.c: 204             in bootmeth_vbe_ft_fixup()
198     				    ofnode_get_name(dest), ret);
199     			if (*result.err_str) {
200     				char *msg = strdup(result.err_str);
201
202     				if (!msg)
203     					return log_msg_ret("msg", -ENOMEM);
>>>     CID 648966:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "msg" to "ofnode_write_string", which expects a null-terminated string.
204     				ret = ofnode_write_string(dest, "vbe,error",
205     							  msg);
206     				if (ret) {
207     					free(msg);
208     					return log_msg_ret("str", -ENOMEM);
209     				}

** CID 648965:         (TOCTOU)
/tools/image-host.c: 923           in fit_image_process_verity()
/tools/image-host.c: 923           in fit_image_process_verity()


_____________________________________________________________________________________________
*** CID 648965:           (TOCTOU)
/tools/image-host.c: 923             in fit_image_process_verity()
917     		fprintf(stderr, "Invalid hex in veritysetup output for '%s'\n",
918     			image_name);
919     		ret = -EINVAL;
920     		goto err_unlink;
921     	}
922
>>>     CID 648965:           (TOCTOU)
>>>     Calling function "stat" to perform check on "tmpfile".
923     	if (stat(tmpfile, &st)) {
924     		fprintf(stderr, "Can't stat temp file: %s\n",
925     			strerror(errno));
926     		ret = -EIO;
927     		goto err_unlink;
928     	}
/tools/image-host.c: 923             in fit_image_process_verity()
917     		fprintf(stderr, "Invalid hex in veritysetup output for '%s'\n",
918     			image_name);
919     		ret = -EINVAL;
920     		goto err_unlink;
921     	}
922
>>>     CID 648965:           (TOCTOU)
>>>     Calling function "stat" to perform check on "tmpfile".
923     	if (stat(tmpfile, &st)) {
924     		fprintf(stderr, "Can't stat temp file: %s\n",
925     			strerror(errno));
926     		ret = -EIO;
927     		goto err_unlink;
928     	}

** CID 648964:       Memory - illegal accesses  (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648964:         Memory - illegal accesses  (STRING_NULL)
/fs/fat/fat_write.c: 1489             in file_fat_write_at()
1483     	debug("writing %s\n", filename);
1484
1485     	filename_copy = strdup(filename);
1486     	if (!filename_copy)
1487     		return -ENOMEM;
1488
>>>     CID 648964:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "filename_copy" to "split_filename", which expects a null-terminated string.
1489     	split_filename(filename_copy, &parent, &basename);
1490     	if (!strlen(basename)) {
1491     		ret = -EINVAL;
1492     		goto exit;
1493     	}
1494

** CID 648963:       Memory - illegal accesses  (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648963:         Memory - illegal accesses  (STRING_NULL)
/boot/bootmeth_extlinux.c: 164             in extlinux_read_bootflow()
158     		ret = bootmeth_try_file(bflow, desc, prefix, EXTLINUX_FNAME);
159     	} while (ret && prefixes && prefixes[++i]);
160     	if (ret)
161     		return log_msg_ret("try", ret);
162     	size = bflow->size;
163
>>>     CID 648963:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "bflow->fname" to "bootmeth_alloc_file", which expects a null-terminated string.
164     	ret = bootmeth_alloc_file(bflow, 0x10000, ARCH_DMA_MINALIGN,
165     				  BFI_EXTLINUX_CFG);
166     	if (ret)
167     		return log_msg_ret("read", ret);
168
169     	ret = extlinux_fill_info(bflow);

** CID 648962:         (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648962:           (STRING_NULL)
/drivers/dfu/dfu.c: 183             in dfu_init_env_entities()
177     		pr_err("\"dfu_alt_info\" env variable not defined!\n");
178     		return -EINVAL;
179     	}
180
181     	env_bkp = strdup(str_env);
182     	if (!interface && !devstr)
>>>     CID 648962:           (STRING_NULL)
>>>     Passing unterminated string "env_bkp" to "dfu_config_interfaces", which expects a null-terminated string.
183     		ret = dfu_config_interfaces(env_bkp);
184     	else
185     		ret = dfu_config_entities(env_bkp, interface, devstr);
186
187     	if (ret) {
188     		pr_err("DFU entities configuration failed: %d\n", ret);
/drivers/dfu/dfu.c: 185             in dfu_init_env_entities()
179     	}
180
181     	env_bkp = strdup(str_env);
182     	if (!interface && !devstr)
183     		ret = dfu_config_interfaces(env_bkp);
184     	else
>>>     CID 648962:           (STRING_NULL)
>>>     Passing unterminated string "env_bkp" to "dfu_config_entities", which expects a null-terminated string.
185     		ret = dfu_config_entities(env_bkp, interface, devstr);
186
187     	if (ret) {
188     		pr_err("DFU entities configuration failed: %d\n", ret);
189     		pr_err("(partition table does not match dfu_alt_info?)\n");
190     		goto done;

** CID 648961:         (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648961:           (STRING_NULL)
/fs/squashfs/sqfs.c: 1243             in sqfs_split_path()
1237     		}
1238     		tmp_path[0] = '/';
1239     		strcpy(tmp_path + 1, path);
1240     	}
1241
1242     	/* String duplicates */
>>>     CID 648961:           (STRING_NULL)
>>>     Passing unterminated string "tmp_path" to "sandbox_strdup", which expects a null-terminated string.
1243     	dirc = strdup(tmp_path);
1244     	if (!dirc) {
1245     		ret = -ENOMEM;
1246     		goto out;
1247     	}
1248
/fs/squashfs/sqfs.c: 1255             in sqfs_split_path()
1249     	basec = strdup(tmp_path);
1250     	if (!basec) {
1251     		ret = -ENOMEM;
1252     		goto out;
1253     	}
1254
>>>     CID 648961:           (STRING_NULL)
>>>     Passing unterminated string "dirc" to "sqfs_dirname", which expects a null-terminated string.
1255     	dname = sqfs_dirname(dirc);
1256     	bname = sqfs_basename(basec);
1257
1258     	*file = strdup(bname);
1259
1260     	if (!*file) {
/fs/squashfs/sqfs.c: 1256             in sqfs_split_path()
1250     	if (!basec) {
1251     		ret = -ENOMEM;
1252     		goto out;
1253     	}
1254
1255     	dname = sqfs_dirname(dirc);
>>>     CID 648961:           (STRING_NULL)
>>>     Passing unterminated string "basec" to "sqfs_basename", which expects a null-terminated string.
1256     	bname = sqfs_basename(basec);
1257
1258     	*file = strdup(bname);
1259
1260     	if (!*file) {
1261     		ret = -ENOMEM;

** CID 648944:       Memory - illegal accesses  (STRING_NULL)
/cmd/gpt.c: 60           in extract_env()


_____________________________________________________________________________________________
*** CID 648944:         Memory - illegal accesses  (STRING_NULL)
/cmd/gpt.c: 60             in extract_env()
54     		return -1;
55
56     	s = strdup(str);
57     	if (s == NULL)
58     		return -1;
59
>>>     CID 648944:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "s" to "strlen", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.]
60     	memset(s + strlen(s) - 1, '\0', 1);
61     	memmove(s, s + 2, strlen(s) - 1);
62
63     	e = env_get(s);
64     	if (e == NULL) {
65     #ifdef CONFIG_RANDOM_UUID

** CID 648943:         (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648943:           (STRING_NULL)
/fs/fat/fat_write.c: 2013             in fat_rename()
2007     	if (!old_path_copy || !new_path_copy || !old_itr || !new_itr) {
2008     		log_debug("Error: out of memory\n");
2009     		ret = -ENOMEM;
2010     		goto exit;
2011     	}
2012     	split_filename(old_path_copy, &old_dirname, &old_basename);
>>>     CID 648943:           (STRING_NULL)
>>>     Passing unterminated string "new_path_copy" to "split_filename", which expects a null-terminated string.
2013     	split_filename(new_path_copy, &new_dirname, &new_basename);
2014
2015     	if (normalize_longname(l_new_basename, new_basename)) {
2016     		log_debug("FAT: illegal filename (%s)\n", new_basename);
2017     		ret = -EINVAL;
2018     		goto exit;
/fs/fat/fat_write.c: 2012             in fat_rename()
2006     	new_itr = malloc_cache_aligned(sizeof(fat_itr));
2007     	if (!old_path_copy || !new_path_copy || !old_itr || !new_itr) {
2008     		log_debug("Error: out of memory\n");
2009     		ret = -ENOMEM;
2010     		goto exit;
2011     	}
>>>     CID 648943:           (STRING_NULL)
>>>     Passing unterminated string "old_path_copy" to "split_filename", which expects a null-terminated string.
2012     	split_filename(old_path_copy, &old_dirname, &old_basename);
2013     	split_filename(new_path_copy, &new_dirname, &new_basename);
2014
2015     	if (normalize_longname(l_new_basename, new_basename)) {
2016     		log_debug("FAT: illegal filename (%s)\n", new_basename);
2017     		ret = -EINVAL;

** CID 648942:       Memory - illegal accesses  (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648942:         Memory - illegal accesses  (STRING_NULL)
/boot/bootmeth_android.c: 414             in avb_append_commandline()
408     static int avb_append_commandline(struct bootflow *bflow, char *cmdline)
409     {
410     	char *arg = strsep(&cmdline, " ");
411     	int ret;
412
413     	while (arg) {
>>>     CID 648942:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "bflow->cmdline" to "avb_append_commandline_arg", which expects a null-terminated string.
414     		ret = avb_append_commandline_arg(bflow, arg);
415     		if (ret < 0)
416     			return ret;
417
418     		arg = strsep(&cmdline, " ");
419     	}

** CID 648941:       Memory - illegal accesses  (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648941:         Memory - illegal accesses  (STRING_NULL)
/fs/fat/fat_write.c: 1738             in fat_unlink()
1732     	itr = malloc_cache_aligned(sizeof(fat_itr));
1733     	if (!itr || !filename_copy) {
1734     		printf("Error: out of memory\n");
1735     		ret = -ENOMEM;
1736     		goto exit;
1737     	}
>>>     CID 648941:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "filename_copy" to "split_filename", which expects a null-terminated string.
1738     	split_filename(filename_copy, &dirname, &basename);
1739
1740     	if (!strcmp(dirname, "/") && !strcmp(basename, "")) {
1741     		printf("Error: cannot remove root\n");
1742     		ret = -EINVAL;
1743     		goto exit;

** CID 648940:       Memory - illegal accesses  (STRING_NULL)
/common/cli_hush.c: 2169           in set_local_var()


_____________________________________________________________________________________________
*** CID 648940:         Memory - illegal accesses  (STRING_NULL)
/common/cli_hush.c: 2169             in set_local_var()
2163
2164     	name=strdup(s);
2165
2166     	/* Assume when we enter this function that we are already in
2167     	 * NAME=VALUE format.  So the first order of business is to
2168     	 * split 's' on the '=' into 'name' and 'value' */
>>>     CID 648940:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "name" to "strchr", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.]
2169     	value = strchr(name, '=');
2170     	if (!value) {
2171     		free(name);
2172     		return -1;
2173     	}
2174     	*value++ = 0;

** CID 648939:         (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648939:           (STRING_NULL)
/boot/bootmeth_script.c: 110             in script_read_bootflow_file()
104     		return log_msg_ret("read", ret);
105
106     	ret = script_fill_info(bflow);
107     	if (ret)
108     		return log_msg_ret("inf", ret);
109
>>>     CID 648939:           (STRING_NULL)
>>>     Passing unterminated string "bflow->subdir" to "bootmeth_alloc_other", which expects a null-terminated string.
110     	ret = bootmeth_alloc_other(bflow, "boot.bmp", BFI_LOGO,
111     				   &bflow->logo, &bflow->logo_size);
112     	/* ignore error */
113
114     	return 0;
115     }
/boot/bootmeth_script.c: 101             in script_read_bootflow_file()
95     		return log_msg_ret("try", ret);
96
97     	bflow->subdir = strdup(prefix ? prefix : "");
98     	if (!bflow->subdir)
99     		return log_msg_ret("prefix", -ENOMEM);
100
>>>     CID 648939:           (STRING_NULL)
>>>     Passing unterminated string "bflow->fname" to "bootmeth_alloc_file", which expects a null-terminated string.
101     	ret = bootmeth_alloc_file(bflow, 0x10000, ARCH_DMA_MINALIGN,
102     				  (enum bootflow_img_t)IH_TYPE_SCRIPT);
103     	if (ret)
104     		return log_msg_ret("read", ret);
105
106     	ret = script_fill_info(bflow);
/boot/bootmeth_script.c: 101             in script_read_bootflow_file()
95     		return log_msg_ret("try", ret);
96
97     	bflow->subdir = strdup(prefix ? prefix : "");
98     	if (!bflow->subdir)
99     		return log_msg_ret("prefix", -ENOMEM);
100
>>>     CID 648939:           (STRING_NULL)
>>>     Passing unterminated string "bflow->fname" to "bootmeth_alloc_file", which expects a null-terminated string.
101     	ret = bootmeth_alloc_file(bflow, 0x10000, ARCH_DMA_MINALIGN,
102     				  (enum bootflow_img_t)IH_TYPE_SCRIPT);
103     	if (ret)
104     		return log_msg_ret("read", ret);
105
106     	ret = script_fill_info(bflow);

** CID 648938:       Error handling issues  (CHECKED_RETURN)
/cmd/fastboot.c: 108           in do_fastboot_usb()


_____________________________________________________________________________________________
*** CID 648938:         Error handling issues  (CHECKED_RETURN)
/cmd/fastboot.c: 108             in do_fastboot_usb()
102
103     	while (1) {
104     		if (g_dnl_detach())
105     			break;
106     		if (IS_ENABLED(CONFIG_CMD_FASTBOOT_ABORT_KEYED)) {
107     			if (tstc()) {
>>>     CID 648938:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "getchar()" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
108     				getchar();
109     				puts("\rOperation aborted.\n");
110     				break;
111     			}
112     		} else if (ctrlc()) {
113     			break;

** CID 648937:         (TAINTED_SCALAR)
/boot/image-fit.c: 259           in fit_image_print_dm_verity()
/boot/image-fit.c: 259           in fit_image_print_dm_verity()
/boot/image-fit.c: 268           in fit_image_print_dm_verity()
/boot/image-fit.c: 268           in fit_image_print_dm_verity()


_____________________________________________________________________________________________
*** CID 648937:           (TAINTED_SCALAR)
/boot/image-fit.c: 259             in fit_image_print_dm_verity()
253     		printf("%s  Verity algo:  %s\n", p, algo);
254
255     	bin = fdt_getprop(fit, noffset, FIT_VERITY_DIGEST_PROP,
256     			  &len);
257     	if (bin && len > 0) {
258     		printf("%s  Verity hash:  ", p);
>>>     CID 648937:           (TAINTED_SCALAR)
>>>     Using tainted variable "len" as a loop boundary.
259     		for (i = 0; i < len; i++)
260     			printf("%02x", bin[i]);
261     		printf("\n");
262     	}
263
264     	bin = fdt_getprop(fit, noffset, FIT_VERITY_SALT_PROP,
/boot/image-fit.c: 259             in fit_image_print_dm_verity()
253     		printf("%s  Verity algo:  %s\n", p, algo);
254
255     	bin = fdt_getprop(fit, noffset, FIT_VERITY_DIGEST_PROP,
256     			  &len);
257     	if (bin && len > 0) {
258     		printf("%s  Verity hash:  ", p);
>>>     CID 648937:           (TAINTED_SCALAR)
>>>     Using tainted variable "len" as a loop boundary.
259     		for (i = 0; i < len; i++)
260     			printf("%02x", bin[i]);
261     		printf("\n");
262     	}
263
264     	bin = fdt_getprop(fit, noffset, FIT_VERITY_SALT_PROP,
/boot/image-fit.c: 268             in fit_image_print_dm_verity()
262     	}
263
264     	bin = fdt_getprop(fit, noffset, FIT_VERITY_SALT_PROP,
265     			  &len);
266     	if (bin && len > 0) {
267     		printf("%s  Verity salt:  ", p);
>>>     CID 648937:           (TAINTED_SCALAR)
>>>     Using tainted variable "len" as a loop boundary.
268     		for (i = 0; i < len; i++)
269     			printf("%02x", bin[i]);
270     		printf("\n");
271     	}
272     #endif
273     }
/boot/image-fit.c: 268             in fit_image_print_dm_verity()
262     	}
263
264     	bin = fdt_getprop(fit, noffset, FIT_VERITY_SALT_PROP,
265     			  &len);
266     	if (bin && len > 0) {
267     		printf("%s  Verity salt:  ", p);
>>>     CID 648937:           (TAINTED_SCALAR)
>>>     Using tainted variable "len" as a loop boundary.
268     		for (i = 0; i < len; i++)
269     			printf("%02x", bin[i]);
270     		printf("\n");
271     	}
272     #endif
273     }

** CID 648936:         (STRING_NULL)
/fs/squashfs/sqfs.c: 1417           in sqfs_read_nest()


_____________________________________________________________________________________________
*** CID 648936:           (STRING_NULL)
/fs/squashfs/sqfs.c: 1408             in sqfs_read_nest()
1402
1403     	/*
1404     	 * sqfs_opendir_nest will uncompress inode and directory
tables, and will
1405     	 * return a pointer to the directory that contains the requested file.
1406     	 */
1407     	sqfs_split_path(&file, &dir, filename);
>>>     CID 648936:           (STRING_NULL)
>>>     Passing unterminated string "dir" to "sqfs_opendir_nest", which expects a null-terminated string.
1408     	ret = sqfs_opendir_nest(dir, &dirsp);
1409     	if (ret) {
1410     		goto out;
1411     	}
1412
1413     	dirs = (struct squashfs_dir_stream *)dirsp;
/fs/squashfs/sqfs.c: 1417             in sqfs_read_nest()
1411     	}
1412
1413     	dirs = (struct squashfs_dir_stream *)dirsp;
1414
1415     	/* For now, only regular files are able to be loaded */
1416     	while (!sqfs_readdir_nest(dirsp, &dent)) {
>>>     CID 648936:           (STRING_NULL)
>>>     Passing unterminated string "file" to "strcmp", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.]
1417     		ret = strcmp(dent->name, file);
1418     		if (!ret)
1419     			break;
1420
1421     		free(dirs->entry);
1422     		dirs->entry = NULL;

** CID 648935:       Integer handling issues  (INTEGER_OVERFLOW)
/test/boot/fit_verity.c: 257           in fit_verity_test_bad_blocksize()


_____________________________________________________________________________________________
*** CID 648935:         Integer handling issues  (INTEGER_OVERFLOW)
/test/boot/fit_verity.c: 257             in fit_verity_test_bad_blocksize()
251     	struct bootm_headers images;
252     	int images_node, conf_node, confs_node, img_node, verity_node;
253     	fdt32_t val;
254     	int ret;
255
256     	ret = fdt_create_empty_tree(buf, FIT_BUF_SIZE);
>>>     CID 648935:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "_val2", where "ret" is known to be equal to -18, overflows the type of "_val2", which is type "unsigned int".
257     	ut_assertok(ret);
258
259     	images_node = fdt_add_subnode(buf, 0, "images");
260     	ut_assert(images_node >= 0);
261
262     	img_node = fdt_add_subnode(buf, images_node, "rootfs");

** CID 648934:       Memory - illegal accesses  (STRING_NULL)
/common/iomux.c: 58           in iomux_doenv()


_____________________________________________________________________________________________
*** CID 648934:         Memory - illegal accesses  (STRING_NULL)
/common/iomux.c: 58             in iomux_doenv()
52     	i = 0;
53     	temp = console_args;
54     	for (;;) {
55     		/* There's always one entry more than the number of commas. */
56     		i++;
57
>>>     CID 648934:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "temp" to "strchr", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.]
58     		temp = strchr(temp, ',');
59     		if (temp == NULL)
60     			break;
61
62     		temp++;
63     	}

** CID 648933:       Memory - illegal accesses  (STRING_NULL)
/fs/squashfs/sqfs.c: 316           in sqfs_tokenize()


_____________________________________________________________________________________________
*** CID 648933:         Memory - illegal accesses  (STRING_NULL)
/fs/squashfs/sqfs.c: 316             in sqfs_tokenize()
310     	char *aux, *strc;
311
312     	strc = strdup(str);
313     	if (!strc)
314     		return -ENOMEM;
315
>>>     CID 648933:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "strc" to "strcmp", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.]
316     	if (!strcmp(strc, "/")) {
317     		tokens[0] = strdup(strc);
318     		if (!tokens[0]) {
319     			ret = -ENOMEM;
320     			goto free_strc;
321     		}

** CID 648960:         (TAINTED_SCALAR)
/test/boot/image_fdt.c: 53           in test_boot_fdt_add_mem_rsv_regions()


_____________________________________________________________________________________________
*** CID 648960:           (TAINTED_SCALAR)
/test/boot/image_fdt.c: 80             in test_boot_fdt_add_mem_rsv_regions()
74
75     	/* Cleanup */
76     switch_fdt:
77     	boot_fdt_add_mem_rsv_regions(old_blob);
78     	gd->fdt_blob = old_blob;
79     free_blob:
>>>     CID 648960:           (TAINTED_SCALAR)
>>>     Passing tainted expression "*new_blob" to "dlfree", which uses it as an offset.
80     	free(new_blob);
81     	return ret;
82     }
/test/boot/image_fdt.c: 53             in test_boot_fdt_add_mem_rsv_regions()
47     	ut_assert_console_end();
48
49     	/* Loading a new_blob device tree should be allowed */
50     	fdt_sz = fdt_totalsize(gd->fdt_blob);
51     	new_blob = malloc(fdt_sz);
52     	ut_assertnonnull(new_blob);
>>>     CID 648960:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdt_sz" to "memcpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
53     	memcpy(new_blob, gd->fdt_blob, fdt_sz);
54
55     	nodeoffset = fdt_path_offset(new_blob, "/reserved-memory");
56     	if (nodeoffset < 0)
57     		goto free_blob;
58



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260707/a7fb9cf1/attachment.sig>


More information about the U-Boot mailing list