Subj : New Defects reported by Coverity Scan for Synchronet To : cov-scan@synchro.net From : scan-admin@coverity.com Date : Thu Nov 10 2022 01:38 pm Hi, Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan. 89 new defect(s) introduced to Synchronet found with Coverity Scan. 14 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 89 defect(s) ** CID 376409: (SLEEP) ________________________________________________________________________________________________________ *** CID 376409: (SLEEP) /tmp/sbbs-Nov-10-2022/src/conio/sdl_con.c: 674 in sdl_add_key() 668 setup_surfaces(); 669 return; 670 } 671 if(keyval <= 0xffff) { 672 pthread_mutex_lock(&sdl_keylock); 673 if(sdl_keynext+1==sdl_key) { >>> CID 376409: (SLEEP) >>> Call to "ciolib_beep" might sleep while holding lock "sdl_keylock". 674 beep(); 675 pthread_mutex_unlock(&sdl_keylock); 676 return; 677 } 678 if((sdl_keynext+2==sdl_key) && keyval > 0xff) { 679 if(keyval==CIO_KEY_MOUSE) /tmp/sbbs-Nov-10-2022/src/conio/sdl_con.c: 682 in sdl_add_key() 676 return; 677 } 678 if((sdl_keynext+2==sdl_key) && keyval > 0xff) { 679 if(keyval==CIO_KEY_MOUSE) 680 sdl_pending_mousekeys+=2; 681 else >>> CID 376409: (SLEEP) >>> Call to "ciolib_beep" might sleep while holding lock "sdl_keylock". 682 beep(); 683 pthread_mutex_unlock(&sdl_keylock); 684 return; 685 } 686 sdl_keybuf[sdl_keynext++]=keyval & 0xff; 687 sem_post(&sdl_key_pending); ** CID 376408: High impact quality (Y2K38_SAFETY) /con_out.cpp: 1141 in sbbs_t::ctrl_a(char)() ________________________________________________________________________________________________________ *** CID 376408: High impact quality (Y2K38_SAFETY) /con_out.cpp: 1141 in sbbs_t::ctrl_a(char)() 1135 ,tm.tm_hour==0 ? 12 1136 : tm.tm_hour>12 ? tm.tm_hour-12 1137 : tm.tm_hour, tm.tm_min, tm.tm_hour>11 ? 
"pm":"am"); 1138 break; 1139 case 'D': /* Date */ 1140 now=time(NULL); >>> CID 376408: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "this->now" is cast to "time32_t". 1141 bputs(unixtodstr(&cfg,(time32_t)now,tmp1)); 1142 break; 1143 case ',': /* Delay 1/10 sec */ 1144 mswait(100); 1145 break; 1146 case ';': /* Delay 1/2 sec */ ** CID 376407: High impact quality (Y2K38_SAFETY) /str.cpp: 841 in sbbs_t::timestr(long)() ________________________________________________________________________________________________________ *** CID 376407: High impact quality (Y2K38_SAFETY) /str.cpp: 841 in sbbs_t::timestr(long)() 835 } 836 return(result); 837 } 838 839 char* sbbs_t::timestr(time_t intime) 840 { >>> CID 376407: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "intime" is cast to "time32_t". 841 return(::timestr(&cfg,(time32_t)intime,timestr_output)); 842 } 843 844 char* sbbs_t::datestr(time_t t) 845 { 846 return unixtodstr(&cfg, (time32_t)t, datestr_output); ** CID 376406: High impact quality (Y2K38_SAFETY) /websrvr.c: 1606 in http_logon() ________________________________________________________________________________________________________ *** CID 376406: High impact quality (Y2K38_SAFETY) /websrvr.c: 1606 in http_logon() 1600 else { 1601 SAFECOPY(session->username,session->user.alias); 1602 /* Adjust Connect and host */ 1603 SAFECOPY(session->user.modem, session->client.protocol); 1604 SAFECOPY(session->user.comp, session->host_name); 1605 SAFECOPY(session->user.ipaddr, session->host_ip); >>> CID 376406: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "session->logon_time" is cast to "time32_t". 
1606 session->user.logontime = (time32_t)session->logon_time; 1607 putuserdat(&scfg, &session->user); 1608 } 1609 session->client.user=session->username; 1610 session->client.usernum = session->user.number; 1611 client_on(session->socket, &session->client, /* update existing client record? */TRUE); ** CID 376405: High impact quality (Y2K38_SAFETY) /js_global.c: 827 in js_time() ________________________________________________________________________________________________________ *** CID 376405: High impact quality (Y2K38_SAFETY) /js_global.c: 827 in js_time() 821 return(JS_TRUE); 822 } 823 824 static JSBool 825 js_time(JSContext *cx, uintN argc, jsval *arglist) 826 { >>> CID 376405: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "time(NULL)" is cast to "uint32_t". 827 JS_SET_RVAL(cx, arglist,UINT_TO_JSVAL((uint32_t)time(NULL))); 828 return(JS_TRUE); 829 } 830 831 832 static JSBool ** CID 376404: High impact quality (Y2K38_SAFETY) /sbbs_status.c: 638 in status_thread() ________________________________________________________________________________________________________ *** CID 376404: High impact quality (Y2K38_SAFETY) /sbbs_status.c: 638 in status_thread() 632 closesocket(*csock); 633 free(csock); 634 lprintf(LOG_WARNING, "Invalid syspass: '%s'", p); 635 pthread_mutex_lock(&status_thread_mutex); 636 continue; 637 } >>> CID 376404: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "time(NULL)" is cast to "time32_t". 638 client.time = time(NULL); 639 listLock(&status_sock); 640 listPushNode(&status_sock, csock); 641 for (i=0; i<[… text lost in extraction: the remainder of the status_thread excerpt and the header/opening lines of CID 376403 (sess_attr.c, see the message below) are missing …]->checkAttributeFunction ) ) 413 { >>> CID 376403: Control flow issues (DEADCODE) >>> Execution cannot reach the expression "sessionInfoPtr->checkAttributeFunction.fnPtr" inside this statement: "checkAttributeFunction = (S...". 
414 const SES_CHECKATTRIBUTE_FUNCTION checkAttributeFunction = \ 415 ( SES_CHECKATTRIBUTE_FUNCTION ) \ 416 FNPTR_GET( sessionInfoPtr->checkAttributeFunction ); 417 418 REQUIRES( checkAttributeFunction != NULL ); 419 ** CID 376402: Program hangs (SLEEP) /tmp/sbbs-Nov-10-2022/src/conio/sdl_con.c: 235 in sdl_user_func() ________________________________________________________________________________________________________ *** CID 376402: Program hangs (SLEEP) /tmp/sbbs-Nov-10-2022/src/conio/sdl_con.c: 235 in sdl_user_func() 229 default: 230 va_end(argptr); 231 return; 232 } 233 va_end(argptr); 234 while((rv = sdl.PeepEvents(&ev, 1, SDL_ADDEVENT, SDL_FIRSTEVENT, SDL_LASTEVENT))!=1) >>> CID 376402: Program hangs (SLEEP) >>> Call to "nanosleep" might sleep while holding lock "sdl_ufunc_mtx". 235 YIELD(); 236 break; 237 } 238 pthread_mutex_unlock(&sdl_ufunc_mtx); 239 } 240 ** CID 376401: (OVERRUN) ________________________________________________________________________________________________________ *** CID 376401: (OVERRUN) /tmp/sbbs-Nov-10-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsobj.cpp: 4811 in js_DefineNativeProperty(JSContext *, JSObject *, long, const js::Value &, int (*)(JSContext *, JSObject *, long, js::Value *), int (*)(JSContext *, JSObject *, long, int, js::Value *), unsigned int, unsigned int, int, JSProperty **, unsigned int)() 4805 4806 /* Store valueCopy before calling addProperty, in case the latter GC's. */ 4807 if (obj->containsSlot(shape->slot)) 4808 obj->nativeSetSlot(shape->slot, valueCopy); 4809 4810 /* XXXbe called with lock held */ >>> CID 376401: (OVERRUN) >>> Calling "CallAddPropertyHook" with "obj->slots" and "shape->slot" is suspicious because of the very large index, 4294967295. The index may be due to a negative parameter being interpreted as unsigned. 
4811 if (!CallAddPropertyHook(cx, clasp, obj, shape, &valueCopy)) { 4812 obj->removeProperty(cx, id); 4813 return false; 4814 } 4815 4816 if (defineHow & JSDNP_CACHE_RESULT) { /tmp/sbbs-Nov-10-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsobj.cpp: 4808 in js_DefineNativeProperty(JSContext *, JSObject *, long, const js::Value &, int (*)(JSContext *, JSObject *, long, js::Value *), int (*)(JSContext *, JSObject *, long, int, js::Value *), unsigned int, unsigned int, int, JSProperty **, unsigned int)() 4802 JS_ASSERT(newshape == shape); 4803 } 4804 } 4805 4806 /* Store valueCopy before calling addProperty, in case the latter GC's. */ 4807 if (obj->containsSlot(shape->slot)) >>> CID 376401: (OVERRUN) >>> Calling "nativeSetSlot" with "obj->slots" and "shape->slot" is suspicious because of the very large index, 4294967295. The index may be due to a negative parameter being interpreted as unsigned. 4808 obj->nativeSetSlot(shape->slot, valueCopy); 4809 4810 /* XXXbe called with lock held */ 4811 if (!CallAddPropertyHook(cx, clasp, obj, shape, &valueCopy)) { 4812 obj->removeProperty(cx, id); 4813 return false; ** CID 376400: Control flow issues (DEADCODE) /tmp/sbbs-Nov-10-2022/3rdp/src/cl/session/sess_attr.c: 332 in addCredential() ________________________________________________________________________________________________________ *** CID 376400: Control flow issues (DEADCODE) /tmp/sbbs-Nov-10-2022/3rdp/src/cl/session/sess_attr.c: 332 in addCredential() 326 } 327 #endif /* USE_BASE64ID */ 328 329 /* Perform any protocol-specific additional checks if necessary */ 330 if( FNPTR_ISSET( sessionInfoPtr->checkAttributeFunction ) ) 331 { >>> CID 376400: Control flow issues (DEADCODE) >>> Execution cannot reach the expression "sessionInfoPtr->checkAttributeFunction.fnPtr" inside this statement: "checkAttributeFunction = (S...". 
332 const SES_CHECKATTRIBUTE_FUNCTION checkAttributeFunction = \ 333 ( SES_CHECKATTRIBUTE_FUNCTION ) \ 334 FNPTR_GET( sessionInfoPtr->checkAttributeFunction ); 335 MESSAGE_DATA msgData; 336 337 REQUIRES( checkAttributeFunction != NULL ); ** CID 376399: High impact quality (Y2K38_SAFETY) /smbutil.c: 246 in postmsg() ________________________________________________________________________________________________________ *** CID 376399: High impact quality (Y2K38_SAFETY) /smbutil.c: 246 in postmsg() 240 charset = FIDO_CHARSET_ASCII; 241 else 242 charset = FIDO_CHARSET_CP437; 243 } 244 245 memset(&msg,0,sizeof(smbmsg_t)); >>> CID 376399: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "time(NULL)" is cast to "uint32_t". 246 msg.hdr.when_written.time=(uint32_t)time(NULL); 247 msg.hdr.when_written.zone=tzone; 248 msg.hdr.when_imported=msg.hdr.when_written; 249 250 if((to==NULL || stricmp(to,"All")==0) && to_address!=NULL) 251 to=to_address; ** CID 376398: Memory - illegal accesses (USE_AFTER_FREE) /tmp/sbbs-Nov-10-2022/3rdp/src/mozjs/js-1.8.5/js/src/dtoa.c: 1944 in _strtod(DtoaState *, const char *, char **)() ________________________________________________________________________________________________________ *** CID 376398: Memory - illegal accesses (USE_AFTER_FREE) /tmp/sbbs-Nov-10-2022/3rdp/src/mozjs/js-1.8.5/js/src/dtoa.c: 1944 in _strtod(DtoaState *, const char *, char **)() 1938 bs2 -= i; 1939 } 1940 if (bb5 > 0) { 1941 bs = pow5mult(PASS_STATE bs, bb5); 1942 bb1 = mult(PASS_STATE bs, bb); 1943 Bfree(PASS_STATE bb); >>> CID 376398: Memory - illegal accesses (USE_AFTER_FREE) >>> Using freed pointer "bb1". 
1944 bb = bb1; 1945 } 1946 if (bb2 > 0) 1947 bb = lshift(PASS_STATE bb, bb2); 1948 if (bd5 > 0) 1949 bd = pow5mult(PASS_STATE bd, bd5); ** CID 376397: High impact quality (Y2K38_SAFETY) /qwk.cpp: 193 in sbbs_t::update_qwkroute(char *)() ________________________________________________________________________________________________________ *** CID 376397: High impact quality (Y2K38_SAFETY) /qwk.cpp: 193 in sbbs_t::update_qwkroute(char *)() 187 if((stream=fnopen(&file,str,O_WRONLY|O_CREAT|O_TRUNC))!=NULL) { 188 t=time(NULL); 189 t-=(90L*24L*60L*60L); 190 for(i=0;i<[… text lost in extraction: loop bound and the start of line 191 are missing …]>t) 192 fprintf(stream,"%s %s:%s\r\n" >>> CID 376397: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "this->qwknode[i].time" is cast to "time32_t". 193 ,unixtodstr(&cfg,(time32_t)qwknode[i].time,str),qwknode[i].id,qwknode[i].path); 194 fclose(stream); 195 } 196 else 197 errormsg(WHERE,ERR_OPEN,str,O_WRONLY|O_CREAT|O_TRUNC); 198 FREE_AND_NULL(qwknode); ** CID 376396: Memory - corruptions (OVERRUN) /chat.cpp: 230 in sbbs_t::multinodechat(int)() ________________________________________________________________________________________________________ *** CID 376396: Memory - corruptions (OVERRUN) /chat.cpp: 230 in sbbs_t::multinodechat(int)() 224 if((gurubuf=(char *)malloc((size_t)filelength(file)+1))==NULL) { 225 close(file); 226 errormsg(WHERE,ERR_ALLOC,str 227 ,(size_t)filelength(file)+1); 228 break; 229 } >>> CID 376396: Memory - corruptions (OVERRUN) >>> Calling "read" with "gurubuf" and "(size_t)filelength(file)" is suspicious because of the very large index, 18446744073709551615. The index may be due to a negative parameter (filelength's error return) being interpreted as unsigned. [Note: The source code implementation of the function has been overridden by a builtin model.] 
230 (void)read(file,gurubuf,(size_t)filelength(file)); 231 gurubuf[filelength(file)]=0; 232 close(file); 233 } 234 preusrs=usrs; 235 if(gurubuf) ** CID 376395: High impact quality (Y2K38_SAFETY) /str.cpp: 566 in sbbs_t::inputnstime32(int *)() ________________________________________________________________________________________________________ *** CID 376395: High impact quality (Y2K38_SAFETY) /str.cpp: 566 in sbbs_t::inputnstime32(int *)() 560 bool sbbs_t::inputnstime32(time32_t *dt) 561 { 562 bool retval; 563 time_t tmptime=*dt; 564 565 retval=inputnstime(&tmptime); >>> CID 376395: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "tmptime" is cast to "time32_t". 566 *dt=(time32_t)tmptime; 567 return(retval); 568 } 569 570 bool sbbs_t::inputnstime(time_t *dt) 571 { ** CID 376394: High impact quality (Y2K38_SAFETY) /qwk.cpp: 1046 in sbbs_t::qwk_vote(char **, const char *, unsigned short, const char *, unsigned int, int)() ________________________________________________________________________________________________________ *** CID 376394: High impact quality (Y2K38_SAFETY) /qwk.cpp: 1046 in sbbs_t::qwk_vote(char **, const char *, unsigned short, const char *, unsigned int, int)() 1040 smbmsg_t msg; 1041 ZERO_VAR(msg); 1042 1043 if((p=iniGetString(ini, section, "WhenWritten", NULL, NULL)) != NULL) { 1044 char zone[32]; 1045 xpDateTime_t dt=isoDateTimeStr_parse(p); >>> CID 376394: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "xpDateTime_to_localtime(dt)" is cast to "uint32_t". 
1046 msg.hdr.when_written.time=(uint32_t)xpDateTime_to_localtime(dt); 1047 msg.hdr.when_written.zone=dt.zone; 1048 sscanf(p,"%*s %s",zone); 1049 if(zone[0]) 1050 msg.hdr.when_written.zone=(ushort)strtoul(zone,NULL,16); 1051 } ** CID 376393: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 376393: Memory - corruptions (OVERRUN) /tmp/sbbs-Nov-10-2022/src/smblib/smbfile.c: 367 in smb_addfile_withlist() 361 362 if(list != NULL && *list != NULL) { 363 size_t size = strListCount(list) * 1024; 364 metadata = calloc(1, size); 365 if(metadata == NULL) 366 return SMB_ERR_MEM; >>> CID 376393: Memory - corruptions (OVERRUN) >>> Calling "strListCombine" with "metadata" and "size - 1UL" is suspicious because of the very large index, 18446744073709551615. The index may be due to a negative parameter being interpreted as unsigned. 367 strListCombine(list, metadata, size - 1, "\r\n"); 368 } 369 result = smb_addfile(smb, file, storage, extdesc, metadata, path); 370 free(metadata); 371 return result; 372 } ** CID 376392: Memory - corruptions (OVERRUN) /unbaja.c: 298 in bruteforce() ________________________________________________________________________________________________________ *** CID 376392: Memory - corruptions (OVERRUN) /unbaja.c: 298 in bruteforce() 292 for(i=1;brute_buf[i];i++) 293 brute_crc_buf[i]=ucrc32(brute_buf[i],brute_crc_buf[i-1]); 294 /* String is pre-filled with zeros so no need to terminate */ 295 goto LOOP_END; 296 } 297 *pos=first_char_table[*pos]; >>> CID 376392: Memory - corruptions (OVERRUN) >>> Calling "memset" with "brute_buf + 1" and "l - 1UL" is suspicious because of the very large index, 18446744073709551615. The index may be due to a negative parameter being interpreted as unsigned. [Note: The source code implementation of the function has been overridden by a builtin model.] 
298 memset(brute_buf+1,'_',l-1); 299 brute_crc_buf[0]=ucrc32(brute_buf[0],~0UL); 300 for(i=1;brute_buf[i];i++) 301 brute_crc_buf[i]=ucrc32(brute_buf[i],brute_crc_buf[i-1]); 302 303 LOOP_END: ** CID 376391: High impact quality (Y2K38_SAFETY) /js_filebase.c: 1128 in js_get_file_time() ________________________________________________________________________________________________________ *** CID 376391: High impact quality (Y2K38_SAFETY) /js_filebase.c: 1128 in js_get_file_time() 1122 return JS_TRUE; 1123 1124 rc=JS_SUSPENDREQUEST(cx); 1125 if((p->smb_result = smb_loadfile(&p->smb, filename, &file, file_detail_index)) == SMB_SUCCESS) { 1126 char path[MAX_PATH + 1]; 1127 getfilepath(scfg, &file, path); >>> CID 376391: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "getfiletime(scfg, &file)" is cast to "uint32". 1128 JS_SET_RVAL(cx, arglist, UINT_TO_JSVAL((uint32)getfiletime(scfg, &file))); 1129 smb_freefilemem(&file); 1130 } 1131 JS_RESUMEREQUEST(cx, rc); 1132 free(filename); 1133 ** CID 376390: High impact quality (Y2K38_SAFETY) /uedit/uedit.c: 1565 in edit_personal() ________________________________________________________________________________________________________ *** CID 376390: High impact quality (Y2K38_SAFETY) /uedit/uedit.c: 1565 in edit_personal() 1559 case 13: 1560 /* Password */ 1561 GETUSERDAT(cfg,user); 1562 uifc.input(WIN_MID|WIN_ACT|WIN_SAV,0,0,"Password",user->pass,LEN_PASS,K_EDIT); 1563 if(uifc.changes) { 1564 putuserrec(cfg,user->number,U_PASS,LEN_PASS,user->pass); >>> CID 376390: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "time(NULL)" is cast to "time32_t". 
1565 user->pwmod=time(NULL); 1566 putuserrec(cfg,user->number,U_PWMOD,8,ultoa(user->pwmod,str,16)); 1567 } 1568 break; 1569 case 14: 1570 /* Note */ ________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yp-2FP9gGRhvFklLaQKuBylUrkMFB3WMR2p7qIYKYTZrh4BbWTBf-2B-2Fi5ZUVF-2Fo-2B6flxo-3Dekk9_g4j7BHlu96plUOfCQsO0yRjoWZCZl8YGnZ-2FUtT39hrA-2FwrhvsG-2BKheEMIte-2BKd9q2NQrRsaYgrC6kE4ewG7zSvttqnkDy-2BfltPE-2BoKdxDwGPeGgGc5fd6dRrhHAE1C1roBc0jOwtt-2F2r-2Fg12OSY18uqKQlJCAX-2BL8Tt7el7tobW8yQHa-2F74XHXpTGt3tv85aMrQZOmKFDgwH-2B0n46xFPxw-3D-3D .