Hi.
I scanned NET-SNMP 5.7.2 with Coverity (6.5.1). I'm attaching an archive with scan logs and the patches I prepared for some of the errors. I also added comments to most of the errors (false positive / I created a patch / not sure how to fix). I also compared my scan with the last NET-SNMP 5.7.1 scan (http://net-snmp.sourceforge.net/wiki/index.php/5.7.1_Coverity_scan).
Here is a summary of the errors found (if_checked/no_of_errors/type_of_error/no_of_patches):
DONE 2 ARRAY_VS_SINGLETON -> ---
DONE 4 BAD_COMPARE -> 2 patches
DONE 1 BAD_FREE -> 1 patch
DONE 11 CHECKED_RETURN -> 3 patches
DONE 5 CONSTANT_EXPRESSION_RESULT -> ---
DONE 4 COPY_PASTE_ERROR -> 2 patches
DONE 38 DEADCODE -> 2 patches
DONE 22 FORWARD_NULL -> 6 patches
DONE 1 NEGATIVE_RETURNS -> 1 patch
SKIPPED 34 NO_EFFECT -> ---
DONE 13 OVERRUN -> 2 patches
DONE 31 RESOURCE_LEAK -> 10 patches
DONE 2 RETURN_LOCAL -> ---
DONE 17 REVERSE_INULL -> 8 patches
DONE 4 SIZECHECK -> ---
DONE 3 SIZEOF_MISMATCH -> ---
DONE 1 STRING_NULL -> 1 patch
DONE 2 STRING_OVERFLOW -> ---
DONE 9 STRING_SIZE -> ---
SKIPPED 7 TAINTED_SCALAR -> ---
SKIPPED 33 TAINTED_STRING -> ---
SKIPPED 9 TOCTOU -> ---
DONE 22 UNINIT -> 1 patch
DONE 6 UNREACHABLE -> ---
SKIPPED 75 UNUSED_VALUE -> ---
DONE 3 USE_AFTER_FREE -> 2 patches
Hope it helps.
Regards,
Tomas Hozza
In patch [PATCH 13/41] UNINIT (CWE-457), you presumably mean to use sprintf() instead of spritf().
In patch [PATCH 19/41] FORWARD_NULL (CWE-476), you add a check before an SNMP_FREE(), but SNMP_FREE() already checks for NULL.
In patch [PATCH 36/41] REVERSE_INULL (CWE-476), you change the loop from "start at buf and get to the string terminator" to "start at buf and loop around through all of memory until cp gets to be 0".
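The loop change criticised in the [PATCH 36/41] comment above, as an added C example that is not part of the thread or of the NET-SNMP sources: the function names, the sample buffer and the `limit` guard are constructed for illustration, because the patched code itself is not shown here. It contrasts a test on the byte (`*cp`) with a test on the pointer (`cp`), which never becomes false while walking a buffer.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins; not the code touched by PATCH 36/41. */

/* Intended loop: start at buf and stop at the string terminator.
 * The NULL check sits before the first dereference, which is the
 * ordering a REVERSE_INULL report asks for. */
static size_t scan_to_terminator(const char *buf)
{
    const char *cp;

    if (buf == NULL)
        return 0;
    for (cp = buf; *cp != '\0'; cp++)
        ;
    return (size_t)(cp - buf);
}

/* Loop shape described in the review: the condition tests the pointer,
 * not the byte it points to. `limit` is a guard added for this demo so
 * the walk stays inside the buffer; without it the loop would run past
 * the end. Returns 1 if the loop condition itself ended the walk,
 * 0 if only the guard stopped it. */
static int pointer_test_stops(const char *buf, size_t limit)
{
    const char *cp = buf;
    size_t steps = 0;

    while (cp != NULL) {        /* never false for a pointer into buf */
        if (steps == limit)
            return 0;           /* guard fired: condition never ended it */
        cp++;
        steps++;
    }
    return 1;
}

int main(void)
{
    char buf[] = "public";      /* constructed sample input */

    printf("terminator test stops after %zu bytes\n", scan_to_terminator(buf));
    printf("pointer test stops on its own: %d\n",
           pointer_test_stops(buf, sizeof buf));
    return 0;
}
```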
Checked in fixes for several issues reported by Coverity. Note: in one of the Coverity reports Coverity seems to conclude that calloc(1, olen ? olen : 1) allocates exactly one byte. That looks like a bug in Coverity to me. Any chance to report this information back to the Coverity authors?