From 905a4031a282286b9f262f72233dccf5264d07e1 Mon Sep 17 00:00:00 2001 From: Tomas Hozza Date: Thu, 6 Dec 2012 15:26:00 +0100 Subject: [PATCH 01/15] NEGATIVE_RETURNS (CWE-394) Coverity output: openobex-1.5.0-Source/ircp/ircp_client.c:281: cond_false: Condition "!(cli != NULL)", taking false branch openobex-1.5.0-Source/ircp/ircp_client.c:281: if_end: End of if statement openobex-1.5.0-Source/ircp/ircp_client.c:285: negative_return_fn: Function "open(localname, 0, 0)" returns a negative number. openobex-1.5.0-Source/ircp/ircp_client.c:285: var_assign: Assigning: signed variable "cli->fd" = "open(char const *, int, ...)". openobex-1.5.0-Source/ircp/ircp_client.c:286: cond_true: Condition "cli->fd < 0", taking true branch openobex-1.5.0-Source/ircp/ircp_client.c:287: if_fallthrough: Falling through to end of if statement openobex-1.5.0-Source/ircp/ircp_client.c:289: if_end: End of if statement openobex-1.5.0-Source/ircp/ircp_client.c:291: negative_returns: "cli->fd" is passed to a parameter that cannot be negative. --- ircp/ircp_client.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/ircp/ircp_client.c b/ircp/ircp_client.c index 1211275..140a0a6 100644 --- a/ircp/ircp_client.c +++ b/ircp/ircp_client.c @@ -283,12 +283,13 @@ static int ircp_put_file(ircp_client_t *cli, char *localname, char *remotename) object = build_object_from_file(cli->obexhandle, localname, remotename); cli->fd = open(localname, O_RDONLY, 0); - if(cli->fd < 0) + if(cli->fd < 0) { ret = -1; - else + } + else { ret = cli_sync_request(cli, object); - - close(cli->fd); + close(cli->fd); + } if(ret < 0) cli->infocb(IRCP_EV_ERR, localname); -- 1.7.11.7 From 6fe0d32d9730ff75c36c8cfc47b64b0c45b2d261 Mon Sep 17 00:00:00 2001 
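Review bot: `object` returned by `build_object_from_file()` is handed to `cli_sync_request()` without a NULL check, and the Coverity trace quoted in patch 04 (ircp_io.c:73) shows that builder returns NULL when `OBEX_ObjectNew()` fails; the same unchecked pointer is what patch 04 later passes to `OBEX_ObjectDelete()`. A guard directly after the call, `if (object == NULL) return -1;` (or routing it through the existing `ret < 0` error reporting so `infocb` still fires), closes that path in both hunks. After `close(cli->fd)` the struct keeps the closed descriptor number, so `cli->fd = -1;` following the close would keep any later `cli->fd < 0` check meaningful — whether such a check exists is outside the hunk. ircp_put_file starts and ends outside the hunk.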
From: Tomas Hozza Date: Thu, 6 Dec 2012 15:42:00 +0100 Subject: [PATCH 02/15] OVERRUN Coverity output: openobex-1.5.0-Source/apps/obex_test.c:118: cond_true: Condition "(inaddr = inet_addr(name)) != 4294967295UL /* (unsigned long)4294967295U */", taking true branch openobex-1.5.0-Source/apps/obex_test.c:119: overrun-buffer-arg: Overrunning struct type in_addr of 4 bytes by passing it to a function which accesses it at byte offset 7 using argument "8UL". --- apps/obex_test.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/apps/obex_test.c b/apps/obex_test.c index 82af2c4..c04aa5d 100644 --- a/apps/obex_test.c +++ b/apps/obex_test.c @@ -40,17 +40,15 @@ #include #include #include -#endif +#else +#define in_addr_t unsigned long +#endif /* _WIN32 */ #include #include #include #include -#ifndef in_addr_t -#define in_addr_t unsigned long -#endif - #define TRUE 1 #define FALSE 0 -- 1.7.11.7 From bda5c4a1f05cb891a092a19d07e9ffeff4125296 Mon Sep 17 00:00:00 2001 
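Review bot: The fallback `#define in_addr_t unsigned long` still produces an 8-byte type on LP64 platforms, which is exactly the 4-byte `struct in_addr` / 8-byte access mismatch the Coverity OVERRUN report describes; it is now confined to the `#else` side, but the governing `#if` condition is outside the hunk, so whether any LP64 build can still reach it cannot be judged from here. A fixed-width typedef, `typedef uint32_t in_addr_t;`, matches `s_addr` regardless of the platform's `long` model and needs no macro games. The removed `#ifndef in_addr_t` guard never protected anything because system headers provide `in_addr_t` as a typedef rather than a macro, so the macro was defined on top of the real type; noting that in the `#endif /* _WIN32 */` comment would stop someone reintroducing it.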
From: Tomas Hozza Date: Thu, 6 Dec 2012 15:47:12 +0100 Subject: [PATCH 03/15] RESOURCE_LEAK (CWE-404) Coverity output: openobex-1.5.0-Source/lib/databuffer.c:108: cond_false: Condition "!p", taking false branch openobex-1.5.0-Source/lib/databuffer.c:109: if_end: End of if statement openobex-1.5.0-Source/lib/databuffer.c:111: cond_true: Condition "new_size < bSize", taking true branch openobex-1.5.0-Source/lib/databuffer.c:113: cond_true: Condition "itRem > p->data_avail", taking true branch openobex-1.5.0-Source/lib/databuffer.c:116: if_fallthrough: Falling through to end of if statement openobex-1.5.0-Source/lib/databuffer.c:119: if_end: End of if statement openobex-1.5.0-Source/lib/databuffer.c:120: cond_true: Condition "itRem > p->tail_avail", taking true branch openobex-1.5.0-Source/lib/databuffer.c:123: if_fallthrough: Falling through to end of if statement openobex-1.5.0-Source/lib/databuffer.c:126: if_end: End of if statement openobex-1.5.0-Source/lib/databuffer.c:130: cond_true: Condition "itRem > p->head_avail", taking true branch openobex-1.5.0-Source/lib/databuffer.c:134: if_fallthrough: Falling through to end of if statement openobex-1.5.0-Source/lib/databuffer.c:138: if_end: End of if statement openobex-1.5.0-Source/lib/databuffer.c:139: cond_true: Condition "itRem > p->data_size", taking true branch openobex-1.5.0-Source/lib/databuffer.c:141: if_fallthrough: Falling through to end of if statement openobex-1.5.0-Source/lib/databuffer.c:143: if_end: End of if statement openobex-1.5.0-Source/lib/databuffer.c:145: if_fallthrough: Falling through to end of if statement openobex-1.5.0-Source/lib/databuffer.c:146: if_end: End of if statement openobex-1.5.0-Source/lib/databuffer.c:147: alloc_fn: Storage is returned from allocation function "realloc(void *, size_t)". openobex-1.5.0-Source/lib/databuffer.c:147: var_assign: Assigning: "tmp" = storage returned from "realloc(p->buffer, new_size)". 
openobex-1.5.0-Source/lib/databuffer.c:148: cond_true: Condition "!new_size", taking true branch openobex-1.5.0-Source/lib/databuffer.c:155: leaked_storage: Variable "tmp" going out of scope leaks the storage it points to. --- lib/databuffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/databuffer.c b/lib/databuffer.c index 7b71fdf..e3934f4 100644 --- a/lib/databuffer.c +++ b/lib/databuffer.c @@ -144,7 +144,6 @@ void buf_resize(buf_t *p, size_t new_size) bSize = 0; } else bSize = new_size - bSize; - tmp = realloc(p->buffer, new_size); if (!new_size) { p->buffer = NULL; p->data = NULL; @@ -154,6 +153,7 @@ void buf_resize(buf_t *p, size_t new_size) p->data_size = 0; return; } + tmp = realloc(p->buffer, new_size); if (!tmp) return; p->data_avail += bSize; -- 1.7.11.7 From c6f7cf9d6bcf458d95d29101c4b5602bbef2e0cc Mon Sep 17 00:00:00 2001 
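Review bot: With `realloc()` moved below the early return, the `!new_size` path now sets `p->buffer = NULL` without releasing the old buffer; before this change `realloc(p->buffer, 0)` released it (implementation-defined, but glibc frees). Unless the lines hidden between the two hunks (after `p->data = NULL;` and before `p->data_size = 0;`) already call `free(p->buffer)`, that path leaks the old allocation, so add `free(p->buffer);` immediately before `p->buffer = NULL;`. The moved line also deserves a comment stating the intent, `/* size 0 is handled above; never rely on realloc(ptr, 0) to free */`, since the old code relied on exactly that. buf_resize begins before the first hunk.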
From: Tomas Hozza Date: Thu, 6 Dec 2012 16:00:43 +0100 Subject: [PATCH 04/15] RESOURCE_LEAK (CWE-404) Coverity output: openobex-1.5.0-Source/ircp/ircp_client.c:281: cond_false: Condition "!(cli != NULL)", taking false branch openobex-1.5.0-Source/ircp/ircp_client.c:281: if_end: End of if statement openobex-1.5.0-Source/ircp/ircp_client.c:283: alloc_fn: Storage is returned from allocation function "build_object_from_file(obex_t *, char const *, char const *)". openobex-1.5.0-Source/ircp/ircp_io.c:72:2: alloc_fn: Storage is returned from allocation function "OBEX_ObjectNew(obex_t *, uint8_t)". openobex-1.5.0-Source/lib/obex.c:626:2: cond_false: Condition "!(self != NULL)", taking false branch openobex-1.5.0-Source/lib/obex.c:626:2: if_end: End of if statement openobex-1.5.0-Source/lib/obex.c:628:2: alloc_fn: Storage is returned from allocation function "obex_object_new(void)". openobex-1.5.0-Source/lib/obex_object.c:46:2: alloc_fn: Storage is returned from allocation function "malloc(size_t)". openobex-1.5.0-Source/lib/obex_object.c:46:2: var_assign: Assigning: "object" = "malloc(120UL)". openobex-1.5.0-Source/lib/obex_object.c:47:2: cond_false: Condition "object == NULL", taking false branch openobex-1.5.0-Source/lib/obex_object.c:48:3: if_end: End of if statement openobex-1.5.0-Source/lib/obex_object.c:50:2: noescape: Resource "object" is not freed or pointed-to in function "memset(void *, int, size_t)". openobex-1.5.0-Source/lib/obex_object.c:52:2: noescape: Resource "object" is not freed or pointed-to in function "obex_object_setrsp(obex_object_t *, uint8_t, uint8_t)". openobex-1.5.0-Source/lib/obex_object.c:128:39: noescape: "obex_object_setrsp(obex_object_t *, uint8_t, uint8_t)" does not free or save its pointer parameter "object". openobex-1.5.0-Source/lib/obex_object.c:54:2: return_alloc: Returning allocated memory "object". openobex-1.5.0-Source/lib/obex.c:628:2: var_assign: Assigning: "object" = "obex_object_new()". 
openobex-1.5.0-Source/lib/obex.c:629:2: cond_false: Condition "object == NULL", taking false branch openobex-1.5.0-Source/lib/obex.c:630:3: if_end: End of if statement openobex-1.5.0-Source/lib/obex.c:632:2: noescape: Resource "object" is not freed or pointed-to in function "obex_object_setcmd(obex_object_t *, uint8_t, uint8_t)". openobex-1.5.0-Source/lib/obex_object.c:113:39: noescape: "obex_object_setcmd(obex_object_t *, uint8_t, uint8_t)" does not free or save its pointer parameter "object". openobex-1.5.0-Source/lib/obex.c:634:2: cond_true: Condition "cmd == 0", taking true branch openobex-1.5.0-Source/lib/obex.c:635:3: noescape: Resource "object" is not freed or pointed-to in function "obex_insert_connectframe(obex_t *, obex_object_t *)". openobex-1.5.0-Source/lib/obex_connect.c:42:59: noescape: "obex_insert_connectframe(obex_t *, obex_object_t *)" does not free or save its pointer parameter "object". openobex-1.5.0-Source/lib/obex.c:635:3: cond_false: Condition "obex_insert_connectframe(self, object) < 0", taking false branch openobex-1.5.0-Source/lib/obex.c:638:3: if_end: End of if statement openobex-1.5.0-Source/lib/obex.c:641:2: return_alloc: Returning allocated memory "object". openobex-1.5.0-Source/ircp/ircp_io.c:72:2: var_assign: Assigning: "object" = "OBEX_ObjectNew(handle, 2)". openobex-1.5.0-Source/ircp/ircp_io.c:73:2: cond_false: Condition "object == NULL", taking false branch openobex-1.5.0-Source/ircp/ircp_io.c:74:3: if_end: End of if statement openobex-1.5.0-Source/ircp/ircp_io.c:78:2: cond_false: Condition "ucname == NULL", taking false branch openobex-1.5.0-Source/ircp/ircp_io.c:79:3: if_end: End of if statement openobex-1.5.0-Source/ircp/ircp_io.c:84:2: noescape: Resource "object" is not freed or pointed-to in function "OBEX_ObjectAddHeader(obex_t *, obex_object_t *, uint8_t, obex_headerdata_t, uint32_t, unsigned int)". 
openobex-1.5.0-Source/lib/obex.c:713:63: noescape: "OBEX_ObjectAddHeader(obex_t *, obex_object_t *, uint8_t, obex_headerdata_t, uint32_t, unsigned int)" does not free or save its pointer parameter "object". openobex-1.5.0-Source/ircp/ircp_io.c:88:2: noescape: Resource "object" is not freed or pointed-to in function "OBEX_ObjectAddHeader(obex_t *, obex_object_t *, uint8_t, obex_headerdata_t, uint32_t, unsigned int)". openobex-1.5.0-Source/lib/obex.c:713:63: noescape: "OBEX_ObjectAddHeader(obex_t *, obex_object_t *, uint8_t, obex_headerdata_t, uint32_t, unsigned int)" does not free or save its pointer parameter "object". openobex-1.5.0-Source/ircp/ircp_io.c:98:2: noescape: Resource "object" is not freed or pointed-to in function "OBEX_ObjectAddHeader(obex_t *, obex_object_t *, uint8_t, obex_headerdata_t, uint32_t, unsigned int)". openobex-1.5.0-Source/lib/obex.c:713:63: noescape: "OBEX_ObjectAddHeader(obex_t *, obex_object_t *, uint8_t, obex_headerdata_t, uint32_t, unsigned int)" does not free or save its pointer parameter "object". openobex-1.5.0-Source/ircp/ircp_io.c:102:2: return_alloc: Returning allocated memory "object". openobex-1.5.0-Source/ircp/ircp_client.c:283: var_assign: Assigning: "object" = storage returned from "build_object_from_file(cli->obexhandle, localname, remotename)". openobex-1.5.0-Source/ircp/ircp_client.c:286: cond_true: Condition "cli->fd < 0", taking true branch openobex-1.5.0-Source/ircp/ircp_client.c:287: if_fallthrough: Falling through to end of if statement openobex-1.5.0-Source/ircp/ircp_client.c:289: if_end: End of if statement openobex-1.5.0-Source/ircp/ircp_client.c:293: cond_true: Condition "ret < 0", taking true branch openobex-1.5.0-Source/ircp/ircp_client.c:294: if_fallthrough: Falling through to end of if statement openobex-1.5.0-Source/ircp/ircp_client.c:296: if_end: End of if statement openobex-1.5.0-Source/ircp/ircp_client.c:298: leaked_storage: Variable "object" going out of scope leaks the storage it points to. 
--- ircp/ircp_client.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ircp/ircp_client.c b/ircp/ircp_client.c index 140a0a6..5f5162d 100644 --- a/ircp/ircp_client.c +++ b/ircp/ircp_client.c @@ -285,6 +285,7 @@ static int ircp_put_file(ircp_client_t *cli, char *localname, char *remotename) cli->fd = open(localname, O_RDONLY, 0); if(cli->fd < 0) { ret = -1; + OBEX_ObjectDelete(cli->obexhandle, object); } else { ret = cli_sync_request(cli, object); -- 1.7.11.7 From d90babe60ffcaf4cab419940b7df259784707216 Mon Sep 17 00:00:00 2001 From: Tomas Hozza Date: Fri, 7 Dec 2012 08:32:15 +0100 Subject: [PATCH 05/15] RESOURCE_LEAK (CWE-404) Coverity output: openobex-1.5.0-Source/apps/obex_io.c:89: open_fn: Returning handle opened by function "open(char const *, int, ...)". openobex-1.5.0-Source/apps/obex_io.c:89: var_assign: Assigning: "fd" = handle returned from "open(filename, 0, 0)". openobex-1.5.0-Source/apps/obex_io.c:92: cond_false: Condition "fd == -1", taking false branch openobex-1.5.0-Source/apps/obex_io.c:94: if_end: End of if statement openobex-1.5.0-Source/apps/obex_io.c:96: cond_true: Condition "!(buf = malloc(*file_size))", taking true branch openobex-1.5.0-Source/apps/obex_io.c:97: leaked_handle: Handle variable "fd" going out of scope leaks the handle. --- apps/obex_io.c | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/obex_io.c b/apps/obex_io.c index 3642fee..2152bb4 100644 --- a/apps/obex_io.c +++ b/apps/obex_io.c @@ -98,6 +98,7 @@ uint8_t* easy_readfile(const char *filename, int *file_size) } if(! (buf = malloc(*file_size)) ) { + close(fd); return NULL; } -- 1.7.11.7 From 4446bac377186eaad0245b0b4c445d13f2a1541f Mon Sep 17 00:00:00 2001 
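Review bot: Opening the file before building the object would make this cleanup unnecessary: if `open()` fails there is nothing to delete and the `ret = -1` branch stays a one-liner, which is simpler than pairing every failure after the build with an `OBEX_ObjectDelete()`. As written the delete is also reached when `object` is NULL, which nothing in the hunk checks. Whether `cli_sync_request()` releases the object on the success path is outside the hunk, so the ownership rule should be stated next to the build call, `/* object is owned here until cli_sync_request() takes it */` — confirm against cli_sync_request. ircp_put_file starts and ends outside the hunk.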
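Review bot: `malloc(*file_size)` is sized by an `int`: a zero-length file makes this `malloc(0)`, which may legitimately return NULL and is then reported as a failure (now at least with the descriptor closed), and a negative value would convert to an enormous `size_t`. Where `*file_size` is obtained is outside the hunk, so a guard before the allocation, `if (*file_size <= 0) { close(fd); return NULL; }`, or an explicit empty-file branch, would make the intended policy visible rather than leaving it to the allocator. A comment on the added line, `/* fd is only needed for the read below; release it on every early exit */`, would also tell the next maintainer to keep the pattern on any exit added later. easy_readfile continues past the hunk.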
From: Tomas Hozza Date: Fri, 7 Dec 2012 08:53:13 +0100 Subject: [PATCH 06/15] RESOURCE_LEAK (CWE-404) Coverity output: openobex-1.5.0-Source/ircp/ircp_server.c:224: cond_true: Condition "OBEX_ObjectGetNextHeader(srv->obexhandle, object, &hi, &hv, &hlen)", taking true branch openobex-1.5.0-Source/ircp/ircp_server.c:225: switch: Switch case value "1" openobex-1.5.0-Source/ircp/ircp_server.c:226: switch_case: Reached case "1" openobex-1.5.0-Source/ircp/ircp_server.c:227: alloc_fn: Storage is returned from allocation function "malloc(size_t)". openobex-1.5.0-Source/ircp/ircp_server.c:227: var_assign: Assigning: "name" = storage returned from "malloc(hlen / 2U)". openobex-1.5.0-Source/ircp/ircp_server.c:227: cond_true: Condition "name = malloc(hlen / 2)", taking true branch openobex-1.5.0-Source/ircp/ircp_server.c:228: noescape: Resource "(uint8_t *)name" is not freed or pointed-to in function "OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)". openobex-1.5.0-Source/lib/obex.c:899:41: noescape: "OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)" does not free or save its pointer parameter "c". openobex-1.5.0-Source/ircp/ircp_server.c:230: break: Breaking from switch openobex-1.5.0-Source/ircp/ircp_server.c:233: switch_end: Reached end of switch openobex-1.5.0-Source/ircp/ircp_server.c:234: loop: Jumping back to the beginning of the loop openobex-1.5.0-Source/ircp/ircp_server.c:224: loop_begin: Jumped back to beginning of loop openobex-1.5.0-Source/ircp/ircp_server.c:224: cond_true: Condition "OBEX_ObjectGetNextHeader(srv->obexhandle, object, &hi, &hv, &hlen)", taking true branch openobex-1.5.0-Source/ircp/ircp_server.c:225: switch: Switch case value "1" openobex-1.5.0-Source/ircp/ircp_server.c:226: switch_case: Reached case "1" openobex-1.5.0-Source/ircp/ircp_server.c:227: overwrite_var: Overwriting "name" in "name = malloc(hlen / 2U)" leaks the storage that "name" points to. --- ircp/ircp_server.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/ircp/ircp_server.c b/ircp/ircp_server.c index 5545780..123b80c 100644 --- a/ircp/ircp_server.c +++ b/ircp/ircp_server.c @@ -222,13 +222,13 @@ static int new_file(ircp_server_t *srv, obex_object_t *object) /* First iterate through recieved header to find name */ while (OBEX_ObjectGetNextHeader(srv->obexhandle, object, &hi, &hv, &hlen)) { - switch(hi) { - case OBEX_HDR_NAME: + if(hi == OBEX_HDR_NAME) { if( (name = malloc(hlen / 2))) { OBEX_UnicodeToChar((uint8_t *) name, hv.bs, hlen); } break; - default: + } + else { DEBUG(4, "Skipped header %02x\n", hi); } } -- 1.7.11.7 From 379ede0a12e22c49770b9ab81ae3432f8d470036 Mon Sep 17 00:00:00 2001 
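Review bot: The `break;` that used to exit the `switch` now leaves the `while` loop, and that is what actually stops a second `OBEX_HDR_NAME` header from overwriting and leaking `name`; nothing in the hunk says so, and a reader will likely take it for a leftover of the old `switch`. State it on the line: `break; /* first NAME header wins; leaving the loop also prevents re-allocating name */`. The same rewrite appears in patch 07 (`ircp_srv_setpath`) and patch 09 (`get_server`) and needs the same comment there. Sizing the buffer as `hlen / 2` while passing `hlen` to `OBEX_UnicodeToChar()` relies on that function writing at most `hlen / 2` bytes for an `hlen`-byte UTF-16 input and on the peer-supplied `hlen` being at least 2 — neither is visible here, so that contract deserves either an explicit `hlen < 2` check or a comment naming it. new_file starts before the hunk.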
From: Tomas Hozza Date: Fri, 7 Dec 2012 08:57:14 +0100 Subject: [PATCH 07/15] RESOURCE_LEAK (CWE-404) Coverity output: enobex-1.5.0-Source/ircp/ircp_server.c:152: cond_false: Condition "nonhdr_data_len != 2", taking false branch openobex-1.5.0-Source/ircp/ircp_server.c:155: if_end: End of if statement openobex-1.5.0-Source/ircp/ircp_server.c:157: cond_true: Condition "OBEX_ObjectGetNextHeader(srv->obexhandle, object, &hi, &hv, &hlen)", taking true branch openobex-1.5.0-Source/ircp/ircp_server.c:158: switch: Switch case value "1" openobex-1.5.0-Source/ircp/ircp_server.c:159: switch_case: Reached case "1" openobex-1.5.0-Source/ircp/ircp_server.c:160: alloc_fn: Storage is returned from allocation function "malloc(size_t)". openobex-1.5.0-Source/ircp/ircp_server.c:160: var_assign: Assigning: "name" = storage returned from "malloc(hlen / 2U)". openobex-1.5.0-Source/ircp/ircp_server.c:160: cond_true: Condition "name = malloc(hlen / 2)", taking true branch openobex-1.5.0-Source/ircp/ircp_server.c:161: noescape: Resource "(uint8_t *)name" is not freed or pointed-to in function "OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)". openobex-1.5.0-Source/lib/obex.c:899:41: noescape: "OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)" does not free or save its pointer parameter "c". 
openobex-1.5.0-Source/ircp/ircp_server.c:163: break: Breaking from switch openobex-1.5.0-Source/ircp/ircp_server.c:166: switch_end: Reached end of switch openobex-1.5.0-Source/ircp/ircp_server.c:167: loop: Jumping back to the beginning of the loop openobex-1.5.0-Source/ircp/ircp_server.c:157: loop_begin: Jumped back to beginning of loop openobex-1.5.0-Source/ircp/ircp_server.c:157: cond_true: Condition "OBEX_ObjectGetNextHeader(srv->obexhandle, object, &hi, &hv, &hlen)", taking true branch openobex-1.5.0-Source/ircp/ircp_server.c:158: switch: Switch case value "1" openobex-1.5.0-Source/ircp/ircp_server.c:159: switch_case: Reached case "1" openobex-1.5.0-Source/ircp/ircp_server.c:160: overwrite_var: Overwriting "name" in "name = malloc(hlen / 2U)" leaks the storage that "name" points to. --- ircp/ircp_server.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ircp/ircp_server.c b/ircp/ircp_server.c index 123b80c..8f9a6b4 100644 --- a/ircp/ircp_server.c +++ b/ircp/ircp_server.c @@ -155,13 +155,13 @@ int ircp_srv_setpath(ircp_server_t *srv, obex_object_t *object) } while (OBEX_ObjectGetNextHeader(srv->obexhandle, object, &hi, &hv, &hlen)) { - switch(hi) { - case OBEX_HDR_NAME: + if (hi == OBEX_HDR_NAME) { if( (name = malloc(hlen / 2))) { OBEX_UnicodeToChar((uint8_t *) name, hv.bs, hlen); } break; - default: + } + else { DEBUG(2, "Skipped header %02x\n", hi); } } -- 1.7.11.7 From 6b0886d3e547d289e56f40a99eec6b81242fb8d8 Mon Sep 17 00:00:00 2001 
From: Tomas Hozza Date: Fri, 7 Dec 2012 09:00:39 +0100 Subject: [PATCH 08/15] RESOURCE_LEAK (CWE-404) Coverity output: openobex-1.5.0-Source/apps/obex_put_common.c:59: cond_true: Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking true branch openobex-1.5.0-Source/apps/obex_put_common.c:60: switch: Switch case value "1" openobex-1.5.0-Source/apps/obex_put_common.c:65: switch_case: Reached case "1" openobex-1.5.0-Source/apps/obex_put_common.c:66: alloc_fn: Storage is returned from allocation function "malloc(size_t)". openobex-1.5.0-Source/apps/obex_put_common.c:66: var_assign: Assigning: "namebuf" = storage returned from "malloc(hlen / 2U)". openobex-1.5.0-Source/apps/obex_put_common.c:66: cond_true: Condition "namebuf = malloc(hlen / 2)", taking true branch openobex-1.5.0-Source/apps/obex_put_common.c:67: noescape: Resource "(uint8_t *)namebuf" is not freed or pointed-to in function "OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)". openobex-1.5.0-Source/lib/obex.c:899:41: noescape: "OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)" does not free or save its pointer parameter "c". openobex-1.5.0-Source/apps/obex_put_common.c:68: var_assign: Assigning: "name" = "namebuf". 
openobex-1.5.0-Source/apps/obex_put_common.c:70: break: Breaking from switch openobex-1.5.0-Source/apps/obex_put_common.c:82: switch_end: Reached end of switch openobex-1.5.0-Source/apps/obex_put_common.c:83: loop: Jumping back to the beginning of the loop openobex-1.5.0-Source/apps/obex_put_common.c:59: loop_begin: Jumped back to beginning of loop openobex-1.5.0-Source/apps/obex_put_common.c:59: cond_false: Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking false branch openobex-1.5.0-Source/apps/obex_put_common.c:83: loop_end: Reached end of loop openobex-1.5.0-Source/apps/obex_put_common.c:84: cond_true: Condition "!body", taking true branch openobex-1.5.0-Source/apps/obex_put_common.c:86: leaked_storage: Variable "namebuf" going out of scope leaks the storage it points to. openobex-1.5.0-Source/apps/obex_put_common.c:86: leaked_storage: Variable "name" going out of scope leaks the storage it points to. --- apps/obex_put_common.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apps/obex_put_common.c b/apps/obex_put_common.c index 856f993..66da6d4 100644 --- a/apps/obex_put_common.c +++ b/apps/obex_put_common.c @@ -63,6 +63,10 @@ void put_done(obex_object_t *object) body_len = hlen; break; case OBEX_HDR_NAME: + if (namebuf) { + free(namebuf); + name = namebuf = NULL; + } if( (namebuf = malloc(hlen / 2))) { OBEX_UnicodeToChar((uint8_t *) namebuf, hv.bs, hlen); name = namebuf; -- 1.7.11.7 From 636c06da96c73867499acbc3d5b6a0811c5bdb66 Mon Sep 17 00:00:00 2001 
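Review bot: The leak Coverity actually reported is at obex_put_common.c:86, the `!body` early return after the header loop, and this hunk only adds the free-before-reallocate in the `OBEX_HDR_NAME` case; that early-return path is outside the hunk and nothing here releases `namebuf` on it. Patch 11 fixes the equivalent `put_server()` by adding `free(namebuf);` before its `!body` return, and `put_done()` needs the same line unless a later commit supplies it. `name = namebuf = NULL;` also leaves `name` NULL when the following `malloc()` fails, silently dropping the name, so a comment such as `/* a later NAME header replaces the earlier one */` would make the chosen policy visible. put_done begins before the hunk and continues after it.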
From: Tomas Hozza Date: Fri, 7 Dec 2012 09:03:26 +0100 Subject: [PATCH 09/15] RESOURCE_LEAK (CWE-404) Coverity output: openobex-1.5.0-Source/apps/obex_test_server.c:106: cond_true: Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking true branch openobex-1.5.0-Source/apps/obex_test_server.c:107: switch: Switch case value "1" openobex-1.5.0-Source/apps/obex_test_server.c:108: switch_case: Reached case "1" openobex-1.5.0-Source/apps/obex_test_server.c:110: alloc_fn: Storage is returned from allocation function "malloc(size_t)". openobex-1.5.0-Source/apps/obex_test_server.c:110: var_assign: Assigning: "namebuf" = storage returned from "malloc(hlen / 2U)". openobex-1.5.0-Source/apps/obex_test_server.c:110: cond_true: Condition "namebuf = malloc(hlen / 2)", taking true branch openobex-1.5.0-Source/apps/obex_test_server.c:111: noescape: Resource "(uint8_t *)namebuf" is not freed or pointed-to in function "OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)". openobex-1.5.0-Source/lib/obex.c:899:41: noescape: "OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)" does not free or save its pointer parameter "c". openobex-1.5.0-Source/apps/obex_test_server.c:112: var_assign: Assigning: "name" = "namebuf". 
openobex-1.5.0-Source/apps/obex_test_server.c:114: break: Breaking from switch openobex-1.5.0-Source/apps/obex_test_server.c:118: switch_end: Reached end of switch openobex-1.5.0-Source/apps/obex_test_server.c:119: loop: Jumping back to the beginning of the loop openobex-1.5.0-Source/apps/obex_test_server.c:106: loop_begin: Jumped back to beginning of loop openobex-1.5.0-Source/apps/obex_test_server.c:106: cond_true: Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking true branch openobex-1.5.0-Source/apps/obex_test_server.c:107: switch: Switch case value "1" openobex-1.5.0-Source/apps/obex_test_server.c:108: switch_case: Reached case "1" openobex-1.5.0-Source/apps/obex_test_server.c:110: cond_true: Condition "namebuf = malloc(hlen / 2)", taking true branch openobex-1.5.0-Source/apps/obex_test_server.c:112: overwrite_var: Overwriting "name" in "name = namebuf" leaks the storage that "name" points to. --- apps/obex_test_server.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/apps/obex_test_server.c b/apps/obex_test_server.c index 7b9d16a..4d82293 100644 --- a/apps/obex_test_server.c +++ b/apps/obex_test_server.c @@ -104,16 +104,15 @@ void get_server(obex_t *handle, obex_object_t *object) printf("%s()\n", __FUNCTION__); while (OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)) { - switch(hi) { - case OBEX_HDR_NAME: + if (hi == OBEX_HDR_NAME) { printf("%s() Found name\n", __FUNCTION__); if( (namebuf = malloc(hlen / 2))) { OBEX_UnicodeToChar((uint8_t *) namebuf, hv.bs, hlen); name = namebuf; } break; - - default: + } + else { printf("%s() Skipped header %02x\n", __FUNCTION__, hi); } } -- 1.7.11.7 From 6d40c4b847696d97507e22c5ab0e3f18cf14051d Mon Sep 17 00:00:00 2001 
From: Tomas Hozza Date: Fri, 7 Dec 2012 09:11:55 +0100 Subject: [PATCH 10/15] RESOURCE_LEAK (CWE-404) Coverity output: openobex-1.5.0-Source/apps/obex_test_server.c:106: cond_true: Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking true branch openobex-1.5.0-Source/apps/obex_test_server.c:107: switch: Switch case value "1" openobex-1.5.0-Source/apps/obex_test_server.c:108: switch_case: Reached case "1" openobex-1.5.0-Source/apps/obex_test_server.c:110: alloc_fn: Storage is returned from allocation function "malloc(size_t)". openobex-1.5.0-Source/apps/obex_test_server.c:110: var_assign: Assigning: "namebuf" = storage returned from "malloc(hlen / 2U)". openobex-1.5.0-Source/apps/obex_test_server.c:110: cond_true: Condition "namebuf = malloc(hlen / 2)", taking true branch openobex-1.5.0-Source/apps/obex_test_server.c:111: noescape: Resource "(uint8_t *)namebuf" is not freed or pointed-to in function "OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)". openobex-1.5.0-Source/lib/obex.c:899:41: noescape: "OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)" does not free or save its pointer parameter "c". openobex-1.5.0-Source/apps/obex_test_server.c:112: var_assign: Assigning: "name" = "namebuf". 
openobex-1.5.0-Source/apps/obex_test_server.c:114: break: Breaking from switch openobex-1.5.0-Source/apps/obex_test_server.c:118: switch_end: Reached end of switch openobex-1.5.0-Source/apps/obex_test_server.c:119: loop: Jumping back to the beginning of the loop openobex-1.5.0-Source/apps/obex_test_server.c:106: loop_begin: Jumped back to beginning of loop openobex-1.5.0-Source/apps/obex_test_server.c:106: cond_false: Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking false branch openobex-1.5.0-Source/apps/obex_test_server.c:119: loop_end: Reached end of loop openobex-1.5.0-Source/apps/obex_test_server.c:121: cond_false: Condition "!name", taking false branch openobex-1.5.0-Source/apps/obex_test_server.c:125: if_end: End of if statement openobex-1.5.0-Source/apps/obex_test_server.c:126: noescape: Resource "name" is not freed or pointed-to in function "printf(char const * restrict, ...)". openobex-1.5.0-Source/apps/obex_test_server.c:128: noescape: Resource "name" is not freed or pointed-to in function "easy_readfile(char const *, int *)". openobex-1.5.0-Source/apps/obex_io.c:77:36: noescape: "easy_readfile(char const *, int *)" does not free or save its pointer parameter "filename". openobex-1.5.0-Source/apps/obex_test_server.c:129: cond_true: Condition "buf == NULL", taking true branch openobex-1.5.0-Source/apps/obex_test_server.c:130: noescape: Resource "name" is not freed or pointed-to in function "printf(char const * restrict, ...)". openobex-1.5.0-Source/apps/obex_test_server.c:132: leaked_storage: Variable "namebuf" going out of scope leaks the storage it points to. openobex-1.5.0-Source/apps/obex_test_server.c:132: leaked_storage: Variable "name" going out of scope leaks the storage it points to. 
openobex-1.5.0-Source/apps/obex_test_server.c:106: cond_true: Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking true branch openobex-1.5.0-Source/apps/obex_test_server.c:107: switch: Switch case value "1" openobex-1.5.0-Source/apps/obex_test_server.c:108: switch_case: Reached case "1" openobex-1.5.0-Source/apps/obex_test_server.c:110: alloc_fn: Storage is returned from allocation function "malloc(size_t)". openobex-1.5.0-Source/apps/obex_test_server.c:110: var_assign: Assigning: "namebuf" = storage returned from "malloc(hlen / 2U)". openobex-1.5.0-Source/apps/obex_test_server.c:110: cond_true: Condition "namebuf = malloc(hlen / 2)", taking true branch openobex-1.5.0-Source/apps/obex_test_server.c:111: noescape: Resource "(uint8_t *)namebuf" is not freed or pointed-to in function "OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)". openobex-1.5.0-Source/lib/obex.c:899:41: noescape: "OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)" does not free or save its pointer parameter "c". openobex-1.5.0-Source/apps/obex_test_server.c:112: var_assign: Assigning: "name" = "namebuf". 
openobex-1.5.0-Source/apps/obex_test_server.c:114: break: Breaking from switch openobex-1.5.0-Source/apps/obex_test_server.c:118: switch_end: Reached end of switch openobex-1.5.0-Source/apps/obex_test_server.c:119: loop: Jumping back to the beginning of the loop openobex-1.5.0-Source/apps/obex_test_server.c:106: loop_begin: Jumped back to beginning of loop openobex-1.5.0-Source/apps/obex_test_server.c:106: cond_false: Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking false branch openobex-1.5.0-Source/apps/obex_test_server.c:119: loop_end: Reached end of loop openobex-1.5.0-Source/apps/obex_test_server.c:121: cond_false: Condition "!name", taking false branch openobex-1.5.0-Source/apps/obex_test_server.c:125: if_end: End of if statement openobex-1.5.0-Source/apps/obex_test_server.c:126: noescape: Resource "name" is not freed or pointed-to in function "printf(char const * restrict, ...)". openobex-1.5.0-Source/apps/obex_test_server.c:128: noescape: Resource "name" is not freed or pointed-to in function "easy_readfile(char const *, int *)". openobex-1.5.0-Source/apps/obex_io.c:77:36: noescape: "easy_readfile(char const *, int *)" does not free or save its pointer parameter "filename". openobex-1.5.0-Source/apps/obex_test_server.c:129: cond_false: Condition "buf == NULL", taking false branch openobex-1.5.0-Source/apps/obex_test_server.c:133: if_end: End of if statement openobex-1.5.0-Source/apps/obex_test_server.c:141: leaked_storage: Variable "namebuf" going out of scope leaks the storage it points to. openobex-1.5.0-Source/apps/obex_test_server.c:141: leaked_storage: Variable "name" going out of scope leaks the storage it points to. --- apps/obex_test_server.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apps/obex_test_server.c b/apps/obex_test_server.c index 4d82293..9ce0228 100644 --- a/apps/obex_test_server.c +++ b/apps/obex_test_server.c 
@@ -128,6 +128,7 @@ void get_server(obex_t *handle, obex_object_t *object)
 if(buf == NULL) {
 printf("Can't find file %s\n", name);
 OBEX_ObjectSetRsp(object, OBEX_RSP_NOT_FOUND, OBEX_RSP_NOT_FOUND);
+ free(namebuf);
 return;
 }
@@ -136,6 +137,7 @@ void get_server(obex_t *handle, obex_object_t *object)
 OBEX_ObjectAddHeader(handle, object, OBEX_HDR_BODY, hv, file_size, 0);
 hv.bq4 = file_size;
 OBEX_ObjectAddHeader(handle, object, OBEX_HDR_LENGTH, hv, sizeof(uint32_t), 0);
+ free(namebuf);
 free(buf);
 return;
 }
-- 
1.7.11.7

From 7722733e86b5378b30dc076dc78acc51c8ae5fd7 Mon Sep 17 00:00:00 2001
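Review bot: free(namebuf) now covers the not-found and normal exits, but the OBEX_HDR_NAME case at the top of get_server (outside the hunk; line 110 in the Coverity trace) still assigns a fresh malloc to namebuf on every name header, so a request carrying two name headers leaks the first buffer. The `if (namebuf) { free(namebuf); name = namebuf = NULL; }` reset that the next patch in this series adds to put_server is needed in get_server's case as well. The buffer is sized from the peer-supplied header length (`malloc(hlen / 2)`), so it is worth confirming that OBEX_UnicodeToChar writes no more than hlen/2 bytes including any terminator; that cannot be checked from the hunk. get_server begins outside this hunk.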
From: Tomas Hozza Date: Fri, 7 Dec 2012 09:25:37 +0100 Subject: [PATCH 11/15] RESOURCE_LEAK (CWE-404) Coverity output: openobex-1.5.0-Source/apps/obex_test_server.c:57: cond_true: Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking true branch openobex-1.5.0-Source/apps/obex_test_server.c:58: switch: Switch case value "1" openobex-1.5.0-Source/apps/obex_test_server.c:64: switch_case: Reached case "1" openobex-1.5.0-Source/apps/obex_test_server.c:66: alloc_fn: Storage is returned from allocation function "malloc(size_t)". openobex-1.5.0-Source/apps/obex_test_server.c:66: var_assign: Assigning: "namebuf" = storage returned from "malloc(hlen / 2U)". openobex-1.5.0-Source/apps/obex_test_server.c:66: cond_true: Condition "namebuf = malloc(hlen / 2)", taking true branch openobex-1.5.0-Source/apps/obex_test_server.c:67: noescape: Resource "(uint8_t *)namebuf" is not freed or pointed-to in function "OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)". openobex-1.5.0-Source/lib/obex.c:899:41: noescape: "OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)" does not free or save its pointer parameter "c". openobex-1.5.0-Source/apps/obex_test_server.c:68: var_assign: Assigning: "name" = "namebuf". 
openobex-1.5.0-Source/apps/obex_test_server.c:70: break: Breaking from switch
openobex-1.5.0-Source/apps/obex_test_server.c:74: switch_end: Reached end of switch
openobex-1.5.0-Source/apps/obex_test_server.c:75: loop: Jumping back to the beginning of the loop
openobex-1.5.0-Source/apps/obex_test_server.c:57: loop_begin: Jumped back to beginning of loop
openobex-1.5.0-Source/apps/obex_test_server.c:57: cond_false: Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking false branch
openobex-1.5.0-Source/apps/obex_test_server.c:75: loop_end: Reached end of loop
openobex-1.5.0-Source/apps/obex_test_server.c:76: cond_true: Condition "!body", taking true branch
openobex-1.5.0-Source/apps/obex_test_server.c:78: leaked_storage: Variable "namebuf" going out of scope leaks the storage it points to.
openobex-1.5.0-Source/apps/obex_test_server.c:78: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
---
 apps/obex_test_server.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/apps/obex_test_server.c b/apps/obex_test_server.c
index 9ce0228..e9163ad 100644
--- a/apps/obex_test_server.c
+++ b/apps/obex_test_server.c
@@ -63,6 +63,10 @@ void put_server(obex_t *handle, obex_object_t *object)
 break;
 case OBEX_HDR_NAME:
 printf("%s() Found name\n", __FUNCTION__);
+ if (namebuf) {
+ free(namebuf);
+ name = namebuf = NULL;
+ }
 if( (namebuf = malloc(hlen / 2))) {
 OBEX_UnicodeToChar((uint8_t *) namebuf, hv.bs, hlen);
 name = namebuf;
@@ -75,6 +79,7 @@ void put_server(obex_t *handle, obex_object_t *object)
 }
 if(!body) {
 printf("Got a PUT without a body\n");
+ free(namebuf);
 return;
 }
 if(!name) {
-- 
1.7.11.7

From 4bd762e35d5467ba76c20ce0fedab2d677d03c09 Mon Sep 17 00:00:00 2001
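Review bot: The `if (namebuf)` guard in the first hunk is redundant since free(NULL) is a no-op; `free(namebuf); name = namebuf = NULL;` says the same in two lines, and the part that matters — clearing name together with namebuf so a failed re-allocation cannot leave name dangling — is kept. The second hunk frees namebuf on the no-body return, but put_server continues past `if(!name) {` outside the hunk, so its later exits (including normal completion) still need a matching free(namebuf) that is not visible here. As with get_server, the `malloc(hlen / 2)` sizing comes from the peer-supplied header length and should be checked against what OBEX_UnicodeToChar writes.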
From: Tomas Hozza Date: Fri, 7 Dec 2012 09:31:36 +0100 Subject: [PATCH 12/15] RESOURCE_LEAK (CWE-404) Coverity output: openobex-1.5.0-Source/ircp/dirtraverse.c:37: alloc_fn: Storage is returned from allocation function "opendir(char const *)". openobex-1.5.0-Source/ircp/dirtraverse.c:37: var_assign: Assigning: "dir" = storage returned from "opendir(path)". openobex-1.5.0-Source/ircp/dirtraverse.c:38: cond_false: Condition "dir == NULL", taking false branch openobex-1.5.0-Source/ircp/dirtraverse.c:40: if_end: End of if statement openobex-1.5.0-Source/ircp/dirtraverse.c:41: noescape: Resource "dir" is not freed or pointed-to in function "readdir(DIR *)". openobex-1.5.0-Source/ircp/dirtraverse.c:42: cond_true: Condition "dirent != NULL", taking true branch openobex-1.5.0-Source/ircp/dirtraverse.c:43: cond_false: Condition "__coverity_strcmp(".", dirent->d_name) == 0", taking false branch openobex-1.5.0-Source/ircp/dirtraverse.c:45: else_branch: Reached else branch openobex-1.5.0-Source/ircp/dirtraverse.c:45: cond_false: Condition "__coverity_strcmp("..", dirent->d_name) == 0", taking false branch openobex-1.5.0-Source/ircp/dirtraverse.c:47: else_branch: Reached else branch openobex-1.5.0-Source/ircp/dirtraverse.c:49: cond_false: Condition "lstat(t, &statbuf) < 0", taking false branch openobex-1.5.0-Source/ircp/dirtraverse.c:52: else_branch: Reached else branch openobex-1.5.0-Source/ircp/dirtraverse.c:52: cond_true: Condition "(statbuf.st_mode & 61440) == 32768", taking true branch openobex-1.5.0-Source/ircp/dirtraverse.c:54: cond_false: Condition "ret < 0", taking false branch openobex-1.5.0-Source/ircp/dirtraverse.c:55: if_end: End of if statement openobex-1.5.0-Source/ircp/dirtraverse.c:56: if_fallthrough: Falling through to end of if statement openobex-1.5.0-Source/ircp/dirtraverse.c:74: if_end: End of if statement openobex-1.5.0-Source/ircp/dirtraverse.c:76: noescape: Resource "dir" is not freed or pointed-to in function "readdir(DIR *)". 
openobex-1.5.0-Source/ircp/dirtraverse.c:77: loop: Jumping back to the beginning of the loop openobex-1.5.0-Source/ircp/dirtraverse.c:42: loop_begin: Jumped back to beginning of loop openobex-1.5.0-Source/ircp/dirtraverse.c:42: cond_true: Condition "dirent != NULL", taking true branch openobex-1.5.0-Source/ircp/dirtraverse.c:43: cond_false: Condition "__coverity_strcmp(".", dirent->d_name) == 0", taking false branch openobex-1.5.0-Source/ircp/dirtraverse.c:45: else_branch: Reached else branch openobex-1.5.0-Source/ircp/dirtraverse.c:45: cond_false: Condition "__coverity_strcmp("..", dirent->d_name) == 0", taking false branch openobex-1.5.0-Source/ircp/dirtraverse.c:47: else_branch: Reached else branch openobex-1.5.0-Source/ircp/dirtraverse.c:49: cond_true: Condition "lstat(t, &statbuf) < 0", taking true branch openobex-1.5.0-Source/ircp/dirtraverse.c:50: leaked_storage: Variable "dir" going out of scope leaks the storage it points to. openobex-1.5.0-Source/ircp/dirtraverse.c:37: alloc_fn: Storage is returned from allocation function "opendir(char const *)". openobex-1.5.0-Source/ircp/dirtraverse.c:37: var_assign: Assigning: "dir" = storage returned from "opendir(path)". openobex-1.5.0-Source/ircp/dirtraverse.c:38: cond_false: Condition "dir == NULL", taking false branch openobex-1.5.0-Source/ircp/dirtraverse.c:40: if_end: End of if statement openobex-1.5.0-Source/ircp/dirtraverse.c:41: noescape: Resource "dir" is not freed or pointed-to in function "readdir(DIR *)". 
openobex-1.5.0-Source/ircp/dirtraverse.c:42: cond_true: Condition "dirent != NULL", taking true branch openobex-1.5.0-Source/ircp/dirtraverse.c:43: cond_true: Condition "__coverity_strcmp(".", dirent->d_name) == 0", taking true branch openobex-1.5.0-Source/ircp/dirtraverse.c:44: if_fallthrough: Falling through to end of if statement openobex-1.5.0-Source/ircp/dirtraverse.c:75: if_end: End of if statement openobex-1.5.0-Source/ircp/dirtraverse.c:76: noescape: Resource "dir" is not freed or pointed-to in function "readdir(DIR *)". openobex-1.5.0-Source/ircp/dirtraverse.c:77: loop: Jumping back to the beginning of the loop openobex-1.5.0-Source/ircp/dirtraverse.c:42: loop_begin: Jumped back to beginning of loop openobex-1.5.0-Source/ircp/dirtraverse.c:42: cond_false: Condition "dirent != NULL", taking false branch openobex-1.5.0-Source/ircp/dirtraverse.c:77: loop_end: Reached end of loop openobex-1.5.0-Source/ircp/dirtraverse.c:80: leaked_storage: Variable "dir" going out of scope leaks the storage it points to. openobex-1.5.0-Source/ircp/dirtraverse.c:37: alloc_fn: Storage is returned from allocation function "opendir(char const *)". openobex-1.5.0-Source/ircp/dirtraverse.c:37: var_assign: Assigning: "dir" = storage returned from "opendir(path)". openobex-1.5.0-Source/ircp/dirtraverse.c:38: cond_false: Condition "dir == NULL", taking false branch openobex-1.5.0-Source/ircp/dirtraverse.c:40: if_end: End of if statement openobex-1.5.0-Source/ircp/dirtraverse.c:41: noescape: Resource "dir" is not freed or pointed-to in function "readdir(DIR *)". 
openobex-1.5.0-Source/ircp/dirtraverse.c:42: cond_true: Condition "dirent != NULL", taking true branch
openobex-1.5.0-Source/ircp/dirtraverse.c:43: cond_false: Condition "__coverity_strcmp(".", dirent->d_name) == 0", taking false branch
openobex-1.5.0-Source/ircp/dirtraverse.c:45: else_branch: Reached else branch
openobex-1.5.0-Source/ircp/dirtraverse.c:45: cond_false: Condition "__coverity_strcmp("..", dirent->d_name) == 0", taking false branch
openobex-1.5.0-Source/ircp/dirtraverse.c:47: else_branch: Reached else branch
openobex-1.5.0-Source/ircp/dirtraverse.c:49: cond_false: Condition "lstat(t, &statbuf) < 0", taking false branch
openobex-1.5.0-Source/ircp/dirtraverse.c:52: else_branch: Reached else branch
openobex-1.5.0-Source/ircp/dirtraverse.c:52: cond_true: Condition "(statbuf.st_mode & 61440) == 32768", taking true branch
openobex-1.5.0-Source/ircp/dirtraverse.c:54: cond_true: Condition "ret < 0", taking true branch
openobex-1.5.0-Source/ircp/dirtraverse.c:55: goto: Jumping to label "out"
openobex-1.5.0-Source/ircp/dirtraverse.c:79: label: Reached label "out"
openobex-1.5.0-Source/ircp/dirtraverse.c:80: leaked_storage: Variable "dir" going out of scope leaks the storage it points to.
---
 ircp/dirtraverse.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ircp/dirtraverse.c b/ircp/dirtraverse.c
index f6c1cf3..7864891 100644
--- a/ircp/dirtraverse.c
+++ b/ircp/dirtraverse.c
@@ -47,6 +47,7 @@ int visit_dir(char *path, visit_cb cb, void *userdata)
 else {
 snprintf(t, MAXPATHLEN, "%s/%s", path, dirent->d_name);
 if(lstat(t, &statbuf) < 0) {
+ closedir(dir);
 return -1;
 }
 else if(S_ISREG(statbuf.st_mode)) {
@@ -77,6 +78,7 @@ int visit_dir(char *path, visit_cb cb, void *userdata)
 }
 out:
+ closedir(dir);
 return ret;
 #else
-- 
1.7.11.7

From 30a3f1a333bc36d4e1a59e19cc353f455174af20 Mon Sep 17 00:00:00 2001
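Review bot: The lstat-failure path in the first hunk closes the directory inline with `closedir(dir); return -1;` while the second hunk makes `out:` the cleanup point; `ret = -1; goto out;` keeps a single exit so the next early return added to this loop does not forget the closedir again. The `snprintf(t, MAXPATHLEN, "%s/%s", path, dirent->d_name)` on the preceding context line ignores truncation, so an entry whose full path exceeds MAXPATHLEN is silently lstat'ed under a different name; checking the return value and treating `>= MAXPATHLEN` as an error would close that gap. The loop body between the two hunks is outside view, so any other return it contains is not checked here.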
From: Tomas Hozza
Date: Fri, 7 Dec 2012 09:49:42 +0100
Subject: [PATCH 13/15] SECURE_CODING (CWE-676)

Coverity output:
openobex-1.5.0-Source/lib/irobex.c:90: secure_coding: [VERY RISKY]. Using "strcpy" can cause a buffer overflow when done incorrectly. If the destination string of a strcpy() is not large enough then anything might happen. Use strncpy() instead.
openobex-1.5.0-Source/lib/irobex.c:279: secure_coding: [VERY RISKY]. Using "strcpy" can cause a buffer overflow when done incorrectly. If the destination string of a strcpy() is not large enough then anything might happen. Use strncpy() instead.
openobex-1.5.0-Source/lib/irobex.c:281: secure_coding: [VERY RISKY]. Using "strcpy" can cause a buffer overflow when done incorrectly. If the destination string of a strcpy() is not large enough then anything might happen. Use strncpy() instead.
---
 lib/irobex.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/irobex.c b/lib/irobex.c
index df01b22..c5939f6 100644
--- a/lib/irobex.c
+++ b/lib/irobex.c
@@ -87,7 +87,7 @@ void irobex_prepare_connect(obex_t *self, const char *service)
 if (service)
 strncpy(self->trans.peer.irda.sir_name, service, 25);
 else
- strcpy(self->trans.peer.irda.sir_name, "OBEX");
+ strncpy(self->trans.peer.irda.sir_name, "OBEX", 25);
 }
 /*
@@ -276,10 +276,10 @@ static int irobex_discover_devices(obex_t *self)
 /* Ask if the requested service exist on this device */
 len = sizeof(ias_query);
 ias_query.daddr = list->dev[i].daddr;
- strcpy(ias_query.irda_class_name,
- self->trans.peer.irda.sir_name);
- strcpy(ias_query.irda_attrib_name,
- "IrDA:TinyTP:LsapSel");
+ strncpy(ias_query.irda_class_name,
+ self->trans.peer.irda.sir_name, IAS_MAX_CLASSNAME);
+ strncpy(ias_query.irda_attrib_name,
+ "IrDA:TinyTP:LsapSel", IAS_MAX_ATTRIBNAME);
 err = getsockopt(self->fd, SOL_IRLMP, IRLMP_IAS_QUERY, &ias_query, &len);
 /* Check if we failed */
-- 
1.7.11.7

From 1c46847f432d2f64dae842fb998310ba159e40fb Mon Sep 17 00:00:00 2001
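Review bot: strncpy does not NUL-terminate when the source is at least as long as the bound, so the context line `strncpy(self->trans.peer.irda.sir_name, service, 25);` in the first hunk can leave sir_name unterminated, and the new `strncpy(ias_query.irda_class_name, self->trans.peer.irda.sir_name, IAS_MAX_CLASSNAME);` in the second hunk then reads past sir_name if IAS_MAX_CLASSNAME is larger than that field. Substituting strncpy for strcpy, as the Coverity message suggests, is only safe with an explicit terminator; `snprintf(self->trans.peer.irda.sir_name, sizeof self->trans.peer.irda.sir_name, "%s", service);` bounds by the real field size and terminates, and the same form handles the "OBEX" default. The `"IrDA:TinyTP:LsapSel"` literal copy is fine as written. The 25 and IAS_MAX_* bounds are taken on trust here since the struct definitions are not in the patch.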
From: Tomas Hozza Date: Fri, 7 Dec 2012 10:09:15 +0100 Subject: [PATCH 14/15] UNINIT (CWE-457) Coverity output: openobex-1.5.0-Source/apps/obex_test.c:160: var_decl: Declaring variable "obex_intf" without initializer. openobex-1.5.0-Source/apps/obex_test.c:170: cond_true: Condition "argc == 2", taking true branch openobex-1.5.0-Source/apps/obex_test.c:170: cond_true: Condition "__coverity_strcmp(argv[1], "-s") == 0", taking true branch openobex-1.5.0-Source/apps/obex_test.c:172: cond_true: Condition "argc == 2", taking true branch openobex-1.5.0-Source/apps/obex_test.c:172: cond_true: Condition "__coverity_strcmp(argv[1], "-r") == 0", taking true branch openobex-1.5.0-Source/apps/obex_test.c:178: cond_true: Condition "argc == 2", taking true branch openobex-1.5.0-Source/apps/obex_test.c:178: cond_true: Condition "__coverity_strcmp(argv[1], "-i") == 0", taking true branch openobex-1.5.0-Source/apps/obex_test.c:180: cond_true: Condition "argc >= 2", taking true branch openobex-1.5.0-Source/apps/obex_test.c:180: cond_true: Condition "__coverity_strcmp(argv[1], "-b") == 0", taking true branch openobex-1.5.0-Source/apps/obex_test.c:182: cond_true: Condition "argc >= 2", taking true branch openobex-1.5.0-Source/apps/obex_test.c:182: cond_true: Condition "__coverity_strcmp(argv[1], "-u") == 0", taking true branch openobex-1.5.0-Source/apps/obex_test.c:185: cond_true: Condition "cobex", taking true branch openobex-1.5.0-Source/apps/obex_test.c:187: cond_false: Condition "argc == 3", taking false branch openobex-1.5.0-Source/apps/obex_test.c:190: else_branch: Reached else branch openobex-1.5.0-Source/apps/obex_test.c:192: cond_true: Condition "r320", taking true branch openobex-1.5.0-Source/apps/obex_test.c:193: if_fallthrough: Falling through to end of if statement openobex-1.5.0-Source/apps/obex_test.c:195: if_end: End of if statement openobex-1.5.0-Source/apps/obex_test.c:199: cond_false: Condition "custfunc.customdata == NULL", taking false branch 
openobex-1.5.0-Source/apps/obex_test.c:202: if_end: End of if statement openobex-1.5.0-Source/apps/obex_test.c:204: cond_false: Condition "!(handle = OBEX_Init(3, obex_event(obex_t *, obex_object_t *, int, int, int, int), 0))", taking false branch openobex-1.5.0-Source/apps/obex_test.c:207: if_end: End of if statement openobex-1.5.0-Source/apps/obex_test.c:215: cond_false: Condition "OBEX_RegisterCTransport(handle, &custfunc) < 0", taking false branch openobex-1.5.0-Source/apps/obex_test.c:217: if_end: End of if statement openobex-1.5.0-Source/apps/obex_test.c:221: if_fallthrough: Falling through to end of if statement openobex-1.5.0-Source/apps/obex_test.c:315: if_end: End of if statement openobex-1.5.0-Source/apps/obex_test.c:321: cond_true: Condition "!end", taking true branch openobex-1.5.0-Source/apps/obex_test.c:324: switch: Switch case value "103" openobex-1.5.0-Source/apps/obex_test.c:328: switch_case: Reached case "103" openobex-1.5.0-Source/apps/obex_test.c:330: break: Breaking from switch openobex-1.5.0-Source/apps/obex_test.c:428: switch_end: Reached end of switch openobex-1.5.0-Source/apps/obex_test.c:429: loop: Jumping back to the beginning of the loop openobex-1.5.0-Source/apps/obex_test.c:321: loop_begin: Jumped back to beginning of loop openobex-1.5.0-Source/apps/obex_test.c:321: cond_true: Condition "!end", taking true branch openobex-1.5.0-Source/apps/obex_test.c:324: switch: Switch case value "99" openobex-1.5.0-Source/apps/obex_test.c:340: switch_case: Reached case "99" openobex-1.5.0-Source/apps/obex_test.c:342: cond_true: Condition "tcpobex", taking true branch openobex-1.5.0-Source/apps/obex_test.c:343: cond_true: Condition "TcpOBEX_TransportConnect(handle, NULL, 0) < 0", taking true branch openobex-1.5.0-Source/apps/obex_test.c:345: break: Breaking from switch openobex-1.5.0-Source/apps/obex_test.c:428: switch_end: Reached end of switch openobex-1.5.0-Source/apps/obex_test.c:429: loop: Jumping back to the beginning of the loop 
openobex-1.5.0-Source/apps/obex_test.c:321: loop_begin: Jumped back to beginning of loop openobex-1.5.0-Source/apps/obex_test.c:321: cond_true: Condition "!end", taking true branch openobex-1.5.0-Source/apps/obex_test.c:324: switch: Switch case value "99" openobex-1.5.0-Source/apps/obex_test.c:340: switch_case: Reached case "99" openobex-1.5.0-Source/apps/obex_test.c:342: cond_true: Condition "tcpobex", taking true branch openobex-1.5.0-Source/apps/obex_test.c:343: cond_true: Condition "TcpOBEX_TransportConnect(handle, NULL, 0) < 0", taking true branch openobex-1.5.0-Source/apps/obex_test.c:345: break: Breaking from switch openobex-1.5.0-Source/apps/obex_test.c:428: switch_end: Reached end of switch openobex-1.5.0-Source/apps/obex_test.c:429: loop: Jumping back to the beginning of the loop openobex-1.5.0-Source/apps/obex_test.c:321: loop_begin: Jumped back to beginning of loop openobex-1.5.0-Source/apps/obex_test.c:321: cond_true: Condition "!end", taking true branch openobex-1.5.0-Source/apps/obex_test.c:324: switch: Switch case value "99" openobex-1.5.0-Source/apps/obex_test.c:340: switch_case: Reached case "99" openobex-1.5.0-Source/apps/obex_test.c:342: cond_true: Condition "tcpobex", taking true branch openobex-1.5.0-Source/apps/obex_test.c:343: cond_false: Condition "TcpOBEX_TransportConnect(handle, NULL, 0) < 0", taking false branch openobex-1.5.0-Source/apps/obex_test.c:346: if_end: End of if statement openobex-1.5.0-Source/apps/obex_test.c:348: cond_true: Condition "cobex", taking true branch openobex-1.5.0-Source/apps/obex_test.c:349: cond_false: Condition "OBEX_TransportConnect(handle, (struct sockaddr *)0x1, 0) < 0", taking false branch openobex-1.5.0-Source/apps/obex_test.c:352: if_end: End of if statement openobex-1.5.0-Source/apps/obex_test.c:354: cond_true: Condition "btobex", taking true branch openobex-1.5.0-Source/apps/obex_test.c:356: cond_true: Condition "bacmp(&bdaddr, &bdaddr_t({{0, 0, 0, 0, 0, 0}})) == 0", taking true branch 
openobex-1.5.0-Source/apps/obex_test.c:358: break: Breaking from switch openobex-1.5.0-Source/apps/obex_test.c:428: switch_end: Reached end of switch openobex-1.5.0-Source/apps/obex_test.c:429: loop: Jumping back to the beginning of the loop openobex-1.5.0-Source/apps/obex_test.c:321: loop_begin: Jumped back to beginning of loop openobex-1.5.0-Source/apps/obex_test.c:321: cond_true: Condition "!end", taking true branch openobex-1.5.0-Source/apps/obex_test.c:324: switch: Switch case value "99" openobex-1.5.0-Source/apps/obex_test.c:340: switch_case: Reached case "99" openobex-1.5.0-Source/apps/obex_test.c:342: cond_true: Condition "tcpobex", taking true branch openobex-1.5.0-Source/apps/obex_test.c:343: cond_false: Condition "TcpOBEX_TransportConnect(handle, NULL, 0) < 0", taking false branch openobex-1.5.0-Source/apps/obex_test.c:346: if_end: End of if statement openobex-1.5.0-Source/apps/obex_test.c:348: cond_true: Condition "cobex", taking true branch openobex-1.5.0-Source/apps/obex_test.c:349: cond_false: Condition "OBEX_TransportConnect(handle, (struct sockaddr *)0x1, 0) < 0", taking false branch openobex-1.5.0-Source/apps/obex_test.c:352: if_end: End of if statement openobex-1.5.0-Source/apps/obex_test.c:354: cond_true: Condition "btobex", taking true branch openobex-1.5.0-Source/apps/obex_test.c:356: cond_false: Condition "bacmp(&bdaddr, &bdaddr_t({{0, 0, 0, 0, 0, 0}})) == 0", taking false branch openobex-1.5.0-Source/apps/obex_test.c:359: if_end: End of if statement openobex-1.5.0-Source/apps/obex_test.c:360: cond_false: Condition "BtOBEX_TransportConnect(handle, &bdaddr_t({{0, 0, 0, 0, 0, 0}}), &bdaddr, channel) < 0", taking false branch openobex-1.5.0-Source/apps/obex_test.c:363: if_end: End of if statement openobex-1.5.0-Source/apps/obex_test.c:368: cond_true: Condition "usbobex", taking true branch openobex-1.5.0-Source/apps/obex_test.c:370: uninit_use_in_call: Using uninitialized value "obex_intf" when calling "OBEX_InterfaceConnect(obex_t *, 
obex_interface_t *)".
openobex-1.5.0-Source/lib/obex.c:1272:2: cond_false: Condition "!(self != NULL)", taking false branch
openobex-1.5.0-Source/lib/obex.c:1272:2: if_end: End of if statement
openobex-1.5.0-Source/lib/obex.c:1274:2: cond_false: Condition "self->object", taking false branch
openobex-1.5.0-Source/lib/obex.c:1277:2: if_end: End of if statement
openobex-1.5.0-Source/lib/obex.c:1279:2: read_parm: Reading a parameter value.
---
 apps/obex_test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/obex_test.c b/apps/obex_test.c
index c04aa5d..aef0b54 100644
--- a/apps/obex_test.c
+++ b/apps/obex_test.c
@@ -155,7 +155,7 @@ int main (int argc, char *argv[])
 #endif
 #ifdef HAVE_USB
- obex_interface_t *obex_intf;
+ obex_interface_t *obex_intf = NULL;
 #endif
 struct context global_context = {0,};
-- 
1.7.11.7

From 8e2446b58d88f01969661728fa5f4cdad43908a7 Mon Sep 17 00:00:00 2001
From: Tomas Hozza
Date: Fri, 7 Dec 2012 12:08:48 +0100
Subject: [PATCH 15/15] NEGATIVE_RETURNS (CWE-394)

Coverity output:
openobex-1.5.0-Source/apps/obex_io.c:87: negative_return_fn: Function "get_filesize(filename)" returns a negative number.
openobex-1.5.0-Source/apps/obex_io.c:68:2: cond_true: Condition "stat(filename, &stats) == -1", taking true branch
openobex-1.5.0-Source/apps/obex_io.c:70:3: return_negative_constant: Explicitly returning negative value "-1".
openobex-1.5.0-Source/apps/obex_io.c:87: var_assign: Assigning: signed variable "*file_size" = "get_filesize(char const *)".
openobex-1.5.0-Source/apps/obex_io.c:96: cond_false: Condition "fd == -1", taking false branch
openobex-1.5.0-Source/apps/obex_io.c:98: if_end: End of if statement
openobex-1.5.0-Source/apps/obex_io.c:100: negative_returns: "*file_size" is passed to a parameter that cannot be negative.
---
 apps/obex_io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/obex_io.c b/apps/obex_io.c
index 2152bb4..91d6b0b 100644
--- a/apps/obex_io.c
+++ b/apps/obex_io.c
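Review bot: Initialising obex_intf to NULL silences the UNINIT report without changing the path Coverity traced: the usb branch at line 370 (outside the hunk) can still reach OBEX_InterfaceConnect with obex_intf never assigned, so that call now receives a NULL interface pointer instead of an indeterminate one. Unless OBEX_InterfaceConnect is known to reject NULL, that call site should guard it, e.g. `if (!obex_intf) break;` inside the switch case before the connect. main begins and ends outside the hunk.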
@@ -97,7 +97,7 @@ uint8_t* easy_readfile(const char *filename, int *file_size)
 return NULL;
 }
- if(! (buf = malloc(*file_size)) ) {
+ if( *file_size < 0 || !(buf = malloc(*file_size)) ) {
 close(fd);
 return NULL;
 }
-- 
1.7.11.7
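Review bot: The new `*file_size < 0` test sits after open() has already succeeded, so a failed get_filesize (assigned at line 87 in the trace) still costs an open and a close before easy_readfile returns NULL; checking at the assignment, `if ((*file_size = get_filesize(filename)) < 0) return NULL;`, rejects it before any descriptor is opened and leaves the malloc condition to the allocation alone. With the check in place the int-to-size_t conversion in `malloc(*file_size)` can no longer turn -1 into a huge request, which is the actual bug being fixed and deserves a one-line comment at the check. The read at line 100 is outside the hunk, so whether a short read (file changed between stat and read) is handled cannot be checked here.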