Subj : New Defects reported by Coverity Scan for Synchronet To : cov-scan@synchro.net From : scan-admin@coverity.com Date : Wed Nov 22 2023 01:38 pm Hi, Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan. 39 new defect(s) introduced to Synchronet found with Coverity Scan. 12 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 39 defect(s) ** CID 469141: Data race undermines locking (LOCK_EVASION) /answer.cpp: 450 in sbbs_t::answer()() ________________________________________________________________________________________________________ *** CID 469141: Data race undermines locking (LOCK_EVASION) /answer.cpp: 450 in sbbs_t::answer()() 444 if(telnet_cols >= TERM_COLS_MIN && telnet_cols <= TERM_COLS_MAX) 445 cols = telnet_cols; 446 if(telnet_rows >= TERM_ROWS_MIN && telnet_rows <= TERM_ROWS_MAX) 447 rows = telnet_rows; 448 } else { 449 lprintf(LOG_NOTICE, "no Telnet commands received, reverting to Raw TCP mode"); >>> CID 469141: Data race undermines locking (LOCK_EVASION) >>> Thread1 sets "telnet_mode" to a new value. Now the two threads have an inconsistent view of "telnet_mode" and updates to fields correlated with "telnet_mode" may be lost. 
450 telnet_mode |= TELNET_MODE_OFF; 451 client.protocol = "Raw"; 452 client_on(client_socket, &client,/* update: */true); 453 SAFECOPY(connection, client.protocol); 454 node_connection = NODE_CONNECTION_RAW; 455 } ** CID 469140: Error handling issues (CHECKED_RETURN) /mqtt.c: 521 in mqtt_message_received() ________________________________________________________________________________________________________ *** CID 469140: Error handling issues (CHECKED_RETURN) /mqtt.c: 521 in mqtt_message_received() 515 if(bbs_startup->node_inbuf != NULL && bbs_startup->node_inbuf[i - 1] != NULL) 516 RingBufWrite(bbs_startup->node_inbuf[i - 1], msg->payload, msg->payloadlen); 517 return; 518 } 519 for(int i = bbs_startup->first_node; i <= bbs_startup->last_node; i++) { 520 if(strcmp(msg->topic, mqtt_topic(mqtt, TOPIC_BBS, topic, sizeof(topic), "node/%d/msg", i)) == 0) { >>> CID 469140: Error handling issues (CHECKED_RETURN) >>> Calling "putnmsg" without checking return value (as is done elsewhere 4 out of 5 times). 
521 putnmsg(mqtt->cfg, i, msg->payload); 522 return; 523 } 524 if(strcmp(msg->topic, mqtt_topic(mqtt, TOPIC_BBS, topic, sizeof(topic), "node/%d/set/status", i)) == 0) { 525 set_node_status(mqtt->cfg, i, mqtt_message_value(msg, 0)); 526 return; ** CID 469139: Resource leaks (RESOURCE_LEAK) /tmp/sbbs-Nov-22-2023/3rdp/src/mozjs/js-1.8.5/js/src/jscntxt.h: 1376 in JSRuntime::realloc(void *, unsigned long, unsigned long, JSContext *)() ________________________________________________________________________________________________________ *** CID 469139: Resource leaks (RESOURCE_LEAK) /tmp/sbbs-Nov-22-2023/3rdp/src/mozjs/js-1.8.5/js/src/jscntxt.h: 1376 in JSRuntime::realloc(void *, unsigned long, unsigned long, JSContext *)() 1370 } 1371 1372 void* realloc(void* p, size_t oldBytes, size_t newBytes, JSContext *cx = NULL) { 1373 JS_ASSERT(oldBytes < newBytes); 1374 updateMallocCounter(newBytes - oldBytes); 1375 void *p2 = ::js_realloc(p, newBytes); >>> CID 469139: Resource leaks (RESOURCE_LEAK) >>> Failing to save or free storage allocated by "this->onOutOfMemory(p, newBytes, cx)" leaks it. 1376 return JS_LIKELY(!!p2) ? p2 : onOutOfMemory(p, newBytes, cx); 1377 } 1378 1379 void* realloc(void* p, size_t bytes, JSContext *cx = NULL) { 1380 /* 1381 * For compatibility we do not account for realloc that increases ** CID 469138: Uninitialized variables (UNINIT) /getkey.cpp: 354 in sbbs_t::getkeys(const char *, unsigned int, int)() ________________________________________________________________________________________________________ *** CID 469138: Uninitialized variables (UNINIT) /getkey.cpp: 354 in sbbs_t::getkeys(const char *, unsigned int, int)() 348 attr(LIGHTGRAY); 349 CRLF; 350 } 351 lncntr=0; 352 return(-1); 353 } >>> CID 469138: Uninitialized variables (UNINIT) >>> Using uninitialized value "*str" when calling "strchr". [Note: The source code implementation of the function has been overridden by a builtin model.] 
354 if(ch && !n && ((keys == NULL && !IS_DIGIT(ch)) || (strchr(str,ch)))) { /* return character if in string */ 355 if(ch > ' ') { 356 if(!(mode&K_NOECHO)) 357 outchar(ch); 358 if(useron.misc&COLDKEYS) { 359 while(online && !(sys_status&SS_ABORT)) { ** CID 469137: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Nov-22-2023/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/dlmalloc.c: 3549 in sys_alloc() ________________________________________________________________________________________________________ *** CID 469137: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Nov-22-2023/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/dlmalloc.c: 3549 in sys_alloc() 3543 m->max_footprint = m->footprint; 3544 3545 if (!is_initialized(m)) { /* first-time initialization */ 3546 m->seg.base = m->least_addr = tbase; 3547 m->seg.size = tsize; 3548 set_segment_flags(&m->seg, mmap_flag); >>> CID 469137: Concurrent data access violations (MISSING_LOCK) >>> Accessing "mparams.magic" without holding lock "magic_init_mutex". Elsewhere, "malloc_params.magic" is written to with "magic_init_mutex" held 1 out of 1 times. 3549 m->magic = mparams.magic; 3550 init_bins(m); 3551 if (is_global(m)) 3552 init_top(m, (mchunkptr)tbase, tsize - TOP_FOOT_SIZE); 3553 else { 3554 /* Offset top by embedded malloc_state */ ** CID 469136: Program hangs (LOCK) /js_console.cpp: 2175 in js_lock_input(JSContext *, unsigned int, unsigned long *)() ________________________________________________________________________________________________________ *** CID 469136: Program hangs (LOCK) /js_console.cpp: 2175 in js_lock_input(JSContext *, unsigned int, unsigned long *)() 2169 pthread_mutex_lock(&sbbs->input_thread_mutex); 2170 } else { 2171 pthread_mutex_unlock(&sbbs->input_thread_mutex); 2172 } 2173 JS_RESUMEREQUEST(cx, rc); 2174 >>> CID 469136: Program hangs (LOCK) >>> Returning without unlocking "sbbs->input_thread_mutex". 
2175 return(JS_TRUE); 2176 } 2177 2178 static JSBool 2179 js_telnet_cmd(JSContext *cx, uintN argc, jsval *arglist) 2180 { ** CID 469135: Concurrent data access violations (MISSING_LOCK) /js_rtpool.c: 35 in jsrt_GetNew() ________________________________________________________________________________________________________ *** CID 469135: Concurrent data access violations (MISSING_LOCK) /js_rtpool.c: 35 in jsrt_GetNew() 29 { 30 JSRuntime *ret; 31 32 if(!initialized) { 33 initialized=TRUE; 34 pthread_mutex_init(&jsrt_mutex, NULL); >>> CID 469135: Concurrent data access violations (MISSING_LOCK) >>> Accessing "rt_list" without holding lock "jsrt_mutex". Elsewhere, "rt_list" is written to with "jsrt_mutex" held 4 out of 5 times. 35 listInit(&rt_list, 0); 36 _beginthread(trigger_thread, TRIGGER_THREAD_STACK_SIZE, NULL); 37 } 38 pthread_mutex_lock(&jsrt_mutex); 39 ret=JS_NewRuntime(maxbytes); 40 listPushNode(&rt_list, ret); ** CID 469134: Program hangs (LOCK) /writemsg.cpp: 1274 in sbbs_t::editfile(char *, unsigned int)() ________________________________________________________________________________________________________ *** CID 469134: Program hangs (LOCK) /writemsg.cpp: 1274 in sbbs_t::editfile(char *, unsigned int)() 1268 if(cfg.xedit[useron_xedit-1]->misc&WWIVCOLOR) 1269 mode|=EX_WWIV; 1270 } 1271 CLS; 1272 rioctl(IOCM|PAUSE|ABORT); 1273 if(external(cmdstr(cfg.xedit[useron_xedit-1]->rcmd,msgtmp,nulstr,NULL,mode), mode, cfg.node_dir)!=0) >>> CID 469134: Program hangs (LOCK) >>> Returning without unlocking "this->input_thread_mutex". 
1274 return false; 1275 l=process_edited_file(msgtmp, path, /* mode: */WM_EDIT, &lines,maxlines); 1276 if(l>0) { 1277 SAFEPRINTF3(str,"created or edited file: %s (%ld bytes, %u lines)" 1278 ,path, l, lines); 1279 logline(LOG_NOTICE,nulstr,str); ** CID 469133: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 469133: Memory - corruptions (OVERRUN) /tmp/sbbs-Nov-22-2023/3rdp/src/mozjs/js-1.8.5/js/src/jsobjinlines.h: 952 in js::NewNativeClassInstance(JSContext *, js::Class *, JSObject *, JSObject *)() 946 } 947 948 static inline JSObject * 949 NewNativeClassInstance(JSContext *cx, Class *clasp, JSObject *proto, JSObject *parent) 950 { 951 gc::FinalizeKind kind = gc::GetGCObjectKind(JSCLASS_RESERVED_SLOTS(clasp)); >>> CID 469133: Memory - corruptions (OVERRUN) >>> Overrunning callee's array of size 11 by passing argument "kind" (which evaluates to 11) in call to "NewNativeClassInstance". 952 return NewNativeClassInstance(cx, clasp, proto, parent, kind); 953 } 954 955 bool 956 FindClassPrototype(JSContext *cx, JSObject *scope, JSProtoKey protoKey, JSObject **protop, 957 Class *clasp); ** CID 469132: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Nov-22-2023/src/conio/sdl_con.c: 692 in sdl_add_key() ________________________________________________________________________________________________________ *** CID 469132: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Nov-22-2023/src/conio/sdl_con.c: 692 in sdl_add_key() 686 static void sdl_add_key(unsigned int keyval, struct video_stats *vs) 687 { 688 if(keyval==0xa600 && vs != NULL) { 689 fullscreen=!fullscreen; 690 cio_api.mode=fullscreen?CIOLIB_MODE_SDL_FULLSCREEN:CIOLIB_MODE_SDL; 691 update_cvstat(vs); >>> CID 469132: Concurrent data access violations (MISSING_LOCK) >>> Accessing "win" without holding lock "win_mutex". Elsewhere, "win" is written to with "win_mutex" held 1 out of 1 times. 
692 sdl.SetWindowFullscreen(win, fullscreen ? SDL_WINDOW_FULLSCREEN_DESKTOP : 0); 693 if (!fullscreen) { 694 int w, h; 695 696 // Get current window size 697 sdl.GetWindowSize(win, &w, &h); ** CID 469131: Concurrent data access violations (MISSING_LOCK) /exec.cpp: 848 in sbbs_t::skipto(csi_t *, unsigned char)() ________________________________________________________________________________________________________ *** CID 469131: Concurrent data access violations (MISSING_LOCK) /exec.cpp: 848 in sbbs_t::skipto(csi_t *, unsigned char)() 842 /* Skcsi->ip to a specific instruction */ 843 /****************************************************************************/ 844 void sbbs_t::skipto(csi_t *csi, uchar inst) 845 { 846 int i,j; 847 >>> CID 469131: Concurrent data access violations (MISSING_LOCK) >>> Accessing "csi->cs" without holding lock "sbbs_t.input_thread_mutex". Elsewhere, "csi_t.cs" is written to with "sbbs_t.input_thread_mutex" held 3 out of 3 times. 848 while(csi->ipcs+csi->length && ((inst&0x80) || *csi->ip!=inst)) { 849 850 if(*csi->ip==CS_IF_TRUE || *csi->ip==CS_IF_FALSE 851 || (*csi->ip>=CS_IF_GREATER && *csi->ip<=CS_IF_LESS_OR_EQUAL)) { 852 csi->ip++; 853 skipto(csi,CS_ENDIF); ** CID 469130: Program hangs (LOCK) /writemsg.cpp: 628 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)() ________________________________________________________________________________________________________ *** CID 469130: Program hangs (LOCK) /writemsg.cpp: 628 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)() 622 lprintf(LOG_ERR, "ERROR %d (%s) saving draft message: %s", errno, strerror(errno), draft); 623 } 624 625 if(result != EXIT_SUCCESS || !fexistcase(msgtmp) || !online 626 || (linesquoted && qlen==flength(msgtmp) && qtime==fdate(msgtmp))) { 627 free(buf); >>> CID 469130: Program hangs (LOCK) >>> Returning without 
unlocking "this->input_thread_mutex". 628 return(false); 629 } 630 SAFEPRINTF(str,"%sRESULT.ED",cfg.node_dir); 631 if(!(mode&(WM_EXTDESC|WM_FILE)) 632 && fexistcase(str)) { 633 if((fp=fopen(str,"r")) != NULL) { ** CID 469129: Data race undermines locking (LOCK_EVASION) /main.cpp: 3908 in sbbs_t::hangup()() ________________________________________________________________________________________________________ *** CID 469129: Data race undermines locking (LOCK_EVASION) /main.cpp: 3908 in sbbs_t::hangup()() 3902 if(client_socket!=INVALID_SOCKET) { 3903 mswait(1000); /* Give socket output buffer time to flush */ 3904 client_off(client_socket); 3905 if(ssh_mode) { 3906 pthread_mutex_lock(&ssh_mutex); 3907 ssh_session_destroy(client_socket, ssh_session, __LINE__); >>> CID 469129: Data race undermines locking (LOCK_EVASION) >>> Thread1 sets "ssh_mode" to a new value. Now the two threads have an inconsistent view of "ssh_mode" and updates to fields correlated with "ssh_mode" may be lost. 3908 ssh_mode = false; 3909 pthread_mutex_unlock(&ssh_mutex); 3910 } 3911 close_socket(client_socket); 3912 client_socket=INVALID_SOCKET; 3913 } ** CID 469128: Code maintainability issues (UNUSED_VALUE) /scfg/scfgchat.c: 716 in guru_cfg() ________________________________________________________________________________________________________ *** CID 469128: Code maintainability issues (UNUSED_VALUE) /scfg/scfgchat.c: 716 in guru_cfg() 710 *cfg.guru[i]=savguru; 711 uifc.changes=1; 712 continue; 713 } 714 if (msk != 0) 715 continue; >>> CID 469128: Code maintainability issues (UNUSED_VALUE) >>> Assigning value "0" to "j" here, but that stored value is overwritten before it can be used. 
716 j=0; 717 done=0; 718 while(!done) { 719 k=0; 720 snprintf(opt[k++],MAX_OPLN,"%-27.27s%s","Guru Name",cfg.guru[i]->name); 721 snprintf(opt[k++],MAX_OPLN,"%-27.27s%s","Guru Internal Code",cfg.guru[i]->code); ** CID 469127: Code maintainability issues (UNUSED_VALUE) /scfg/scfgchat.c: 873 in actsets_cfg() ________________________________________________________________________________________________________ *** CID 469127: Code maintainability issues (UNUSED_VALUE) /scfg/scfgchat.c: 873 in actsets_cfg() 867 uifc.changes=1; 868 continue; 869 } 870 if (msk != 0) 871 continue; 872 >>> CID 469127: Code maintainability issues (UNUSED_VALUE) >>> Assigning value "0" to "j" here, but that stored value is overwritten before it can be used. 873 j=0; 874 done=0; 875 while(!done) { 876 k=0; 877 snprintf(opt[k++],MAX_OPLN,"%-27.27s%s","Action Set Name",cfg.actset[i]->name); 878 snprintf(opt[k++],MAX_OPLN,"%-27.27s","Configure Chat Actions..."); ** CID 469126: Data race undermines locking (LOCK_EVASION) /tmp/sbbs-Nov-22-2023/src/conio/sdl_con.c: 1196 in sdl_video_event_thread() ________________________________________________________________________________________________________ *** CID 469126: Data race undermines locking (LOCK_EVASION) /tmp/sbbs-Nov-22-2023/src/conio/sdl_con.c: 1196 in sdl_video_event_thread() 1190 break; 1191 case SDL_USEREVENT_INIT: 1192 if(!sdl_init_good) { 1193 if(sdl.WasInit(SDL_INIT_VIDEO)==SDL_INIT_VIDEO) { 1194 pthread_mutex_lock(&win_mutex); 1195 _beginthread(sdl_mouse_thread, 0, NULL); >>> CID 469126: Data race undermines locking (LOCK_EVASION) >>> Thread1 sets "sdl_init_good" to a new value. Now the two threads have an inconsistent view of "sdl_init_good" and updates to fields correlated with "sdl_init_good" may be lost. 
1196 sdl_init_good=1; 1197 pthread_mutex_unlock(&win_mutex); 1198 } 1199 } 1200 sdl_ufunc_retval=0; 1201 sem_post(&sdl_ufunc_ret); ** CID 469125: Program hangs (LOCK) /js_console.cpp: 2149 in js_do_lock_input() ________________________________________________________________________________________________________ *** CID 469125: Program hangs (LOCK) /js_console.cpp: 2149 in js_do_lock_input() 2143 2144 if(lock) { 2145 pthread_mutex_lock(&sbbs->input_thread_mutex); 2146 } else { 2147 pthread_mutex_unlock(&sbbs->input_thread_mutex); 2148 } >>> CID 469125: Program hangs (LOCK) >>> Returning without unlocking "sbbs->input_thread_mutex". 2149 } 2150 2151 static JSBool 2152 js_lock_input(JSContext *cx, uintN argc, jsval *arglist) 2153 { 2154 jsval *argv=JS_ARGV(cx, arglist); ** CID 469124: Resource leaks (RESOURCE_LEAK) /tmp/sbbs-Nov-22-2023/3rdp/src/mozjs/js-1.8.5/js/src/jscntxt.h: 1387 in JSRuntime::realloc(void *, unsigned long, JSContext *)() ________________________________________________________________________________________________________ *** CID 469124: Resource leaks (RESOURCE_LEAK) /tmp/sbbs-Nov-22-2023/3rdp/src/mozjs/js-1.8.5/js/src/jscntxt.h: 1387 in JSRuntime::realloc(void *, unsigned long, JSContext *)() 1381 * For compatibility we do not account for realloc that increases 1382 * previously allocated memory. 1383 */ 1384 if (!p) 1385 updateMallocCounter(bytes); 1386 void *p2 = ::js_realloc(p, bytes); >>> CID 469124: Resource leaks (RESOURCE_LEAK) >>> Failing to save or free storage allocated by "this->onOutOfMemory(p, bytes, cx)" leaks it. 1387 return JS_LIKELY(!!p2) ? 
p2 : onOutOfMemory(p, bytes, cx); 1388 } 1389 1390 void free(void* p) { ::js_free(p); } 1391 1392 bool isGCMallocLimitReached() const { return gcMallocBytes <= 0; } ** CID 469123: Memory - corruptions (USE_AFTER_FREE) /tmp/sbbs-Nov-22-2023/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/dlmalloc.c: 3642 in release_unused_segments() ________________________________________________________________________________________________________ *** CID 469123: Memory - corruptions (USE_AFTER_FREE) /tmp/sbbs-Nov-22-2023/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/dlmalloc.c: 3642 in release_unused_segments() 3636 m->footprint -= size; 3637 /* unlink obsoleted record */ 3638 sp = pred; 3639 sp->next = next; 3640 } 3641 else { /* back out if cannot unmap */ >>> CID 469123: Memory - corruptions (USE_AFTER_FREE) >>> Dereferencing freed pointer "tp". 3642 insert_large_chunk(m, tp, psize); 3643 } 3644 } 3645 } 3646 pred = sp; 3647 sp = next; ** CID 469122: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Nov-22-2023/src/conio/bitmap_con.c: 1945 in bitmap_drv_init() ________________________________________________________________________________________________________ *** CID 469122: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Nov-22-2023/src/conio/bitmap_con.c: 1945 in bitmap_drv_init() 1939 } 1940 pthread_mutex_unlock(&screenlock); 1941 pthread_mutex_unlock(&vstatlock); 1942 1943 callbacks.drawrect=drawrect_cb; 1944 callbacks.flush=flush_cb; >>> CID 469122: Concurrent data access violations (MISSING_LOCK) >>> Accessing "callbacks.rects" without holding lock "bitmap_callbacks.lock". Elsewhere, "bitmap_callbacks.rects" is written to with "bitmap_callbacks.lock" held 2 out of 3 times. 
1945 callbacks.rects = 0; 1946 bitmap_initialized=1; 1947 _beginthread(blinker_thread,0,NULL); 1948 1949 return(0); 1950 } ________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yp-2FP9gGRhvFklLaQKuBylUrkMFB3WMR2p7qIYKYTZrh4E6fW2ok94RcmG1J20ETIf4-3DezJc_g4j7BHlu96plUOfCQsO0yRjoWZCZl8YGnZ-2FUtT39hrDT3F0wM8qs717Yj7QnFBvYyAUS7vXZd5Pzj9EaE-2FCuUUR9NEokXV0L9QGkQnwKG-2F4JnYcm1wvoWK2grpdczQI6n7wuX-2Bi09RPQD8-2Fo5FYqgA3L383Nxk-2F3tA3xct0exbA8dNWXjcBJFMBco67mM0qFopWSHsWYNweS2rfwVJx4JQ-3D-3D .