Subj : New Defects reported by Coverity Scan for Synchronet To : All From : scan-admin@coverity.com Date : Sun Dec 14 2025 01:48 pm ----==_mimepart_693ec0347df67_815e22c07a52839ac105f0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hi, Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan. 89 new defect(s) introduced to Synchronet found with Coverity Scan. 88 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 89 defect(s) ** CID 639949: Error handling issues (CHECKED_RETURN) /websrvr.cpp: 2047 in check_ars(http_session_t *)() _____________________________________________________________________________________________ *** CID 639949: Error handling issues (CHECKED_RETURN) /websrvr.cpp: 2047 in check_ars(http_session_t *)() 2041 else 2042 lprintf(LOG_NOTICE, "%04d !UNKNOWN USER: '%s'" 2043 , session->socket, session->req.auth.username); 2044 return false; 2045 } 2046 thisuser.number = i; >>> CID 639949: Error handling issues (CHECKED_RETURN) >>> Calling "getuserdat" without checking return value (as is done elsewhere 90 out of 103 times). 
2047 getuserdat(&scfg, &thisuser); 2048 switch (session->req.auth.type) { 2049 case AUTHENTICATION_TLS_PSK: 2050 if ((auth_allowed & (1 << AUTHENTICATION_TLS_PSK)) == 0) 2051 return false; 2052 if (session->last_user_num != 0) { ** CID 639948: Program hangs (SLEEP) /services.cpp: 1619 in native_service_thread(void *)() _____________________________________________________________________________________________ *** CID 639948: Program hangs (SLEEP) /services.cpp: 1619 in native_service_thread(void *)() 1613 client_on(socket, &client, false /* update */); 1614 1615 if (startup->login_attempt.throttle 1616 && (login_attempts = loginAttempts(startup->login_attempt_list, &service_client.addr)) > 1) { 1617 lprintf(LOG_DEBUG, "%04d %s Throttling suspicious connection from: %s (%lu login attempts)" 1618 , socket, service->protocol, client.addr, login_attempts); >>> CID 639948: Program hangs (SLEEP) >>> Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex". 1619 mswait(login_attempts * startup->login_attempt.throttle); 1620 } 1621 1622 /* RUN SCRIPT */ 1623 if (strpbrk(service->cmd, "/\\") == NULL) 1624 SAFEPRINTF2(cmd, "%s%s", scfg.exec_dir, service->cmd); ** CID 639947: Control flow issues (DEADCODE) /websrvr.cpp: 6533 in read_post_data(http_session_t *)() _____________________________________________________________________________________________ *** CID 639947: Control flow issues (DEADCODE) /websrvr.cpp: 6533 in read_post_data(http_session_t *)() 6527 if (ch_len == 0) 6528 break; 6529 /* Check size */ 6530 s += ch_len; 6531 if (s > MAX_POST_LEN) { 6532 if (s > SIZE_MAX) { >>> CID 639947: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "send_error(session, 6533U, ...". 
6533 send_error(session, __LINE__, "413 Request entity too large"); 6534 FCLOSE_OPEN_FILE(fp); 6535 return false; 6536 } 6537 if (fp == NULL) { 6538 fp = open_post_file(session); ** CID 639946: (CHECKED_RETURN) /js_socket.cpp: 1412 in js_recv(JSContext *, unsigned int, unsigned long *)() /js_socket.cpp: 1415 in js_recv(JSContext *, unsigned int, unsigned long *)() _____________________________________________________________________________________________ *** CID 639946: (CHECKED_RETURN) /js_socket.cpp: 1412 in js_recv(JSContext *, unsigned int, unsigned long *)() 1406 1407 if ((p = (js_socket_private_t*)js_GetClassPrivate(cx, obj, &js_socket_class)) == NULL) { 1408 return JS_FALSE; 1409 } 1410 1411 if (argc && argv[0] != JSVAL_VOID) { >>> CID 639946: (CHECKED_RETURN) >>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times). 1412 JS_ValueToInt32(cx, argv[0], &len); 1413 1414 if (argc > 1 && argv[1] != JSVAL_VOID) { 1415 JS_ValueToInt32(cx, argv[1], &timeout); 1416 } 1417 } /js_socket.cpp: 1415 in js_recv(JSContext *, unsigned int, unsigned long *)() 1409 } 1410 1411 if (argc && argv[0] != JSVAL_VOID) { 1412 JS_ValueToInt32(cx, argv[0], &len); 1413 1414 if (argc > 1 && argv[1] != JSVAL_VOID) { >>> CID 639946: (CHECKED_RETURN) >>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times). 
1415 JS_ValueToInt32(cx, argv[1], &timeout); 1416 } 1417 } 1418 1419 if ((buf = (char*)malloc(len + 1)) == NULL) { 1420 JS_ReportError(cx, "Error allocating %u bytes", len + 1); ** CID 639945: (CHECKED_RETURN) /js_system.cpp: 1002 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)() /js_system.cpp: 987 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)() _____________________________________________________________________________________________ *** CID 639945: (CHECKED_RETURN) /js_system.cpp: 1002 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)() 996 if ((js_str = JS_ValueToString(cx, argv[1])) == NULL) 997 return JS_FALSE; 998 999 if (argnum < argc && JSVAL_IS_BOOLEAN(argv[argnum])) 1000 JS_ValueToBoolean(cx, argv[argnum++], &match_del); 1001 if (argnum < argc && JSVAL_IS_NUMBER(argv[argnum])) >>> CID 639945: (CHECKED_RETURN) >>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times). 1002 JS_ValueToInt32(cx, argv[argnum++], &usernumber); 1003 if (argnum < argc && JSVAL_IS_BOOLEAN(argv[argnum])) 1004 JS_ValueToBoolean(cx, argv[argnum++], &match_next); 1005 1006 JSSTRING_TO_ASTRING(cx, js_str, p, 128, NULL); 1007 if (p == NULL) /js_system.cpp: 987 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)() 981 return JS_TRUE; 982 } 983 js_system_private_t* sys; 984 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL) 985 return JS_FALSE; 986 >>> CID 639945: (CHECKED_RETURN) >>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times). 
987 JS_ValueToInt32(cx, argv[0], &field); 988 rc = JS_SUSPENDREQUEST(cx); 989 len = user_field_len(static_cast<user_field>(field)); 990 JS_RESUMEREQUEST(cx, rc); 991 if (len < 1) { 992 JS_ReportError(cx, "Invalid user field: %d", field); ** CID 639944: Uninitialized variables (UNINIT) _____________________________________________________________________________________________ *** CID 639944: Uninitialized variables (UNINIT) /js_system.cpp: 2108 in js_chkpassword(JSContext *, unsigned int, unsigned long *)() 2102 2103 js_system_private_t* sys; 2104 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL) 2105 return JS_FALSE; 2106 2107 rc = JS_SUSPENDREQUEST(cx); >>> CID 639944: Uninitialized variables (UNINIT) >>> Using uninitialized value "*str" when calling "check_pass". 2108 bool result = check_pass(sys->cfg, str, /* user: */NULL, /* unique: */false, /* reason: */NULL); 2109 JS_SET_RVAL(cx, arglist, BOOLEAN_TO_JSVAL(result)); 2110 JS_RESUMEREQUEST(cx, rc); 2111 2112 return JS_TRUE; 2113 } ** CID 639943: (Y2K38_SAFETY) /js_filebase.cpp: 1591 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)() /js_filebase.cpp: 1581 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)() _____________________________________________________________________________________________ *** CID 639943: (Y2K38_SAFETY) /js_filebase.cpp: 1591 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)() 1585 rc = JS_SUSPENDREQUEST(cx); 1586 smb_getstatus(&(p->smb)); 1587 JS_RESUMEREQUEST(cx, rc); 1588 *vp = UINT_TO_JSVAL(p->smb.status.total_files); 1589 break; 1590 case FB_PROP_UPDATE_TIME: >>> CID 639943: (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "newfiletime(&p->smb)" is cast to "uint32_t". 
1591 *vp = UINT_TO_JSVAL((uint32_t)newfiletime(&p->smb)); 1592 break; 1593 case FB_PROP_MAX_FILES: 1594 *vp = UINT_TO_JSVAL(p->smb.status.max_files); 1595 break; 1596 case FB_PROP_MAX_AGE: /js_filebase.cpp: 1581 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)() 1575 smb_getstatus(&(p->smb)); 1576 JS_RESUMEREQUEST(cx, rc); 1577 *vp = UINT_TO_JSVAL(p->smb.status.last_file); 1578 break; 1579 case FB_PROP_LAST_FILE_TIME: 1580 rc = JS_SUSPENDREQUEST(cx); >>> CID 639943: (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "lastfiletime(&p->smb)" is cast to "uint32_t". 1581 *vp = UINT_TO_JSVAL((uint32_t)lastfiletime(&p->smb)); 1582 JS_RESUMEREQUEST(cx, rc); 1583 break; 1584 case FB_PROP_FILES: 1585 rc = JS_SUSPENDREQUEST(cx); 1586 smb_getstatus(&(p->smb)); ** CID 639942: Error handling issues (CHECKED_RETURN) /js_socket.cpp: 3624 in js_socket_constructor(JSContext *, unsigned int, unsigned long *)() _____________________________________________________________________________________________ *** CID 639942: Error handling issues (CHECKED_RETURN) /js_socket.cpp: 3624 in js_socket_constructor(JSContext *, unsigned int, unsigned long *)() 3618 return JS_TRUE; 3619 } 3620 } 3621 3622 for (; i < argc; i++) { 3623 if (JSVAL_IS_NUMBER(argv[i])) { >>> CID 639942: Error handling issues (CHECKED_RETURN) >>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times). 
3624 JS_ValueToInt32(cx, argv[i], &type); 3625 } 3626 else if (JSVAL_IS_BOOLEAN(argv[i])) { 3627 if (argv[i] == JSVAL_TRUE) 3628 domain = AF_INET6; 3629 } ** CID 639941: Error handling issues (CHECKED_RETURN) /websrvr.cpp: 6856 in http_session_thread(void *)() _____________________________________________________________________________________________ *** CID 639941: Error handling issues (CHECKED_RETURN) /websrvr.cpp: 6856 in http_session_thread(void *)() 6850 session.tls_sess = -1; 6851 close_session_no_rb(&session); 6852 thread_down(); 6853 return; 6854 } 6855 bool nodelay = true; >>> CID 639941: Error handling issues (CHECKED_RETURN) >>> Calling "setsockopt(session.socket, IPPROTO_TCP, 1, (char *)&nodelay, 1U)" without checking return value. This library function may fail and return an error code. 6856 setsockopt(session.socket, IPPROTO_TCP, TCP_NODELAY, (char*)&nodelay, sizeof(nodelay)); 6857 6858 if (looking_good) 6859 looking_good = HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_TLS_OPTIONS, CRYPT_TLSOPTION_MINVER_TLS12), &session, "setting TLS minver to 1.2"); 6860 if (looking_good) 6861 looking_good = HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_NETWORKSOCKET, session.socket), &session, "setting network socket"); ** CID 639940: High impact quality (Y2K38_SAFETY) /js_filebase.cpp: 701 in js_hash_file(JSContext *, unsigned int, unsigned long *)() _____________________________________________________________________________________________ *** CID 639940: High impact quality (Y2K38_SAFETY) /js_filebase.cpp: 701 in js_hash_file(JSContext *, unsigned int, unsigned long *)() 695 if (size == -1) 696 JS_ReportError(cx, "File does not exist: %s", path); 697 else { 698 smb_setfilesize(&file.idx, size); 699 if ((p->smb_result = smb_hashfile(path, size, &file.file_idx.hash.data)) > 0) { 700 file.file_idx.hash.flags = p->smb_result; >>> CID 639940: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an 
integer with too few bits to accommodate it. The expression "fdate(path)" is cast to "uint32_t". 701 file.hdr.when_written.time = (uint32_t)fdate(path); 702 JSObject* fobj; 703 if ((fobj = JS_NewObject(cx, NULL, NULL, obj)) == NULL) 704 JS_ReportError(cx, "object allocation failure, line %d", __LINE__); 705 else { 706 set_file_properties(cx, fobj, &file, detail); ** CID 639939: Memory - corruptions (REVERSE_NEGATIVE) /websrvr.cpp: 7033 in http_session_thread(void *)() _____________________________________________________________________________________________ *** CID 639939: Memory - corruptions (REVERSE_NEGATIVE) /websrvr.cpp: 7033 in http_session_thread(void *)() 7027 memset(session.req.ld, 0, sizeof(struct log_data)); 7028 /* FREE()d in http_logging_thread */ 7029 session.req.ld->hostname = strdup(session.host_name); 7030 } 7031 while ((redirp == NULL || session.req.send_location >= MOVED_TEMP) 7032 && !session.finished && !session.req.finished >>> CID 639939: Memory - corruptions (REVERSE_NEGATIVE) >>> You might be using variable "session.socket" before verifying that it is >= 0. 
7033 && session.socket != INVALID_SOCKET) { 7034 SAFECOPY(session.req.status, "200 OK"); 7035 session.req.send_location = NO_LOCATION; 7036 if (session.req.headers == NULL) { 7037 /* FREE()d in close_request() */ 7038 if ((session.req.headers = strListInit()) == NULL) { ** CID 639938: (CHECKED_RETURN) /js_msgbase.cpp: 3037 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)() /js_msgbase.cpp: 3031 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)() _____________________________________________________________________________________________ *** CID 639938: (CHECKED_RETURN) /js_msgbase.cpp: 3037 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)() 3031 smb_getstatus(&(p->smb)); 3032 JS_RESUMEREQUEST(cx, rc); 3033 *vp = UINT_TO_JSVAL(p->smb.status.last_msg); 3034 break; 3035 case SMB_PROP_TOTAL_MSGS: 3036 rc = JS_SUSPENDREQUEST(cx); >>> CID 639938: (CHECKED_RETURN) >>> Calling "smb_getstatus" without checking return value (as is done elsewhere 32 out of 36 times). 3037 smb_getstatus(&(p->smb)); 3038 JS_RESUMEREQUEST(cx, rc); 3039 *vp = UINT_TO_JSVAL(p->smb.status.total_msgs); 3040 break; 3041 case SMB_PROP_MAX_CRCS: 3042 *vp = UINT_TO_JSVAL(p->smb.status.max_crcs); /js_msgbase.cpp: 3031 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)() 3025 } else { 3026 *vp = UINT_TO_JSVAL(p->first_msg); 3027 } 3028 break; 3029 case SMB_PROP_LAST_MSG: 3030 rc = JS_SUSPENDREQUEST(cx); >>> CID 639938: (CHECKED_RETURN) >>> Calling "smb_getstatus" without checking return value (as is done elsewhere 32 out of 36 times). 
3031 smb_getstatus(&(p->smb)); 3032 JS_RESUMEREQUEST(cx, rc); 3033 *vp = UINT_TO_JSVAL(p->smb.status.last_msg); 3034 break; 3035 case SMB_PROP_TOTAL_MSGS: 3036 rc = JS_SUSPENDREQUEST(cx); ** CID 639937: Incorrect expression (PRECEDENCE_ERROR) /js_socket.cpp: 1254 in js_sendto(JSContext *, unsigned int, unsigned long *)() _____________________________________________________________________________________________ *** CID 639937: Incorrect expression (PRECEDENCE_ERROR) /js_socket.cpp: 1254 in js_sendto(JSContext *, unsigned int, unsigned long *)() 1248 1249 memset(&hints, 0, sizeof(hints)); 1250 hints.ai_socktype = p->type; 1251 hints.ai_flags = AI_ADDRCONFIG; 1252 dbprintf(false, p, "resolving hostname: %s", p->hostname); 1253 >>> CID 639937: Incorrect expression (PRECEDENCE_ERROR) >>> Evaluates as: "result = (getaddrinfo(p->hostname, NULL, &hints, &res) != 0)", because "!=" has higher operator precedence than "=". The context suggests that this might be in error. 1254 if ((result = getaddrinfo(p->hostname, NULL, &hints, &res) != 0)) { 1255 store_socket_error(p, result, gai_strerror(result)); 1256 dbprintf(TRUE, p, "getaddrinfo(%s) failed with error %d", p->hostname, result); 1257 JS_SET_RVAL(cx, arglist, JSVAL_FALSE); 1258 free(cp); 1259 JS_RESUMEREQUEST(cx, rc); ** CID 639936: Error handling issues (CHECKED_RETURN) /js_socket.cpp: 2363 in js_socket_set(JSContext *, JSObject *, long, int, unsigned long *)() _____________________________________________________________________________________________ *** CID 639936: Error handling issues (CHECKED_RETURN) /js_socket.cpp: 2363 in js_socket_set(JSContext *, JSObject *, long, int, unsigned long *)() 2357 2358 if (ssl_sync(scfg, lprintf)) { 2359 if ((ret = cryptCreateSession(&p->session, CRYPT_UNUSED, tiny == SOCK_PROP_SSL_SESSION ? 
CRYPT_SESSION_TLS: CRYPT_SESSION_TLS_SERVER)) == CRYPT_OK) { 2360 ulong nb = 0; 2361 ioctlsocket(p->sock, FIONBIO, &nb); 2362 nb = 1; >>> CID 639936: Error handling issues (CHECKED_RETURN) >>> Calling "setsockopt(p->sock, IPPROTO_TCP, 1, (char *)&nb, 8U)" without checking return value. This library function may fail and return an error code. 2363 setsockopt(p->sock, IPPROTO_TCP, TCP_NODELAY, (char*)&nb, sizeof(nb)); 2364 if ((ret = do_cryptAttribute(p->session, CRYPT_SESSINFO_NETWORKSOCKET, p->sock)) == CRYPT_OK) { 2365 int minver = CRYPT_TLSOPTION_MINVER_TLS12; 2366 if (p->tls_minver == 100) 2367 minver = CRYPT_TLSOPTION_MINVER_TLS10; 2368 else if (p->tls_minver == 101) ** CID 639935: (INTEGER_OVERFLOW) /websrvr.cpp: 725 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)() /websrvr.cpp: 712 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)() _____________________________________________________________________________________________ *** CID 639935: (INTEGER_OVERFLOW) /websrvr.cpp: 725 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)() 719 else if (SOCKET_ERRNO == EPIPE) 720 lprintf(LOG_NOTICE, "%04d %-5s [%s] Unable to send to peer", session->socket, session->client.protocol, session->host_ip); 721 #endif 722 else if (session->socket != INVALID_SOCKET) 723 lprintf(LOG_WARNING, "%04d %-5s [%s] !ERROR %d sending on socket", session->socket, session->client.protocol, session->host_ip, SOCKET_ERRNO); 724 *failed = true; >>> CID 639935: (INTEGER_OVERFLOW) >>> "sent", which might have underflowed, is returned from the function. 
725 return sent; 726 } 727 } 728 } 729 else { 730 lprintf(LOG_WARNING, "%04d %-5s [%s] Timeout waiting for socket to become writable", session->socket, session->client.protocol, session->host_ip); /websrvr.cpp: 712 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)() 706 } 707 else 708 *failed = true; 709 result = tls_sent; 710 } 711 else { >>> CID 639935: (INTEGER_OVERFLOW) >>> "len - sent", which might have underflowed, is passed to "send(session->socket, buf + sent, len - sent, 0)". 712 result = sendsocket(session->socket, buf + sent, len - sent); 713 if (result == SOCKET_ERROR) { 714 if (SOCKET_ERRNO == ECONNRESET) 715 lprintf(LOG_NOTICE, "%04d %-5s [%s] Connection reset by peer on send", session->socket, session->client.protocol, session->host_ip); 716 else if (SOCKET_ERRNO == ECONNABORTED) 717 lprintf(LOG_NOTICE, "%04d %-5s [%s] Connection aborted by peer on send", session->socket, session->client.protocol, session->host_ip); ** CID 639934: Uninitialized variables (UNINIT) /js_user.cpp: 1279 in js_downloaded_file(JSContext *, unsigned int, unsigned long *)() _____________________________________________________________________________________________ *** CID 639934: Uninitialized variables (UNINIT) /js_user.cpp: 1279 in js_downloaded_file(JSContext *, unsigned int, unsigned long *)() 1273 1274 uintN argn = 0; 1275 if (argc > argn && JSVAL_IS_STRING(argv[argn])) { 1276 char *p; 1277 JSSTRING_TO_ASTRING(cx, JSVAL_TO_STRING(argv[argn]), p, LEN_EXTCODE + 2, NULL); 1278 for (dirnum = 0; dirnum < scfg->total_dirs; dirnum++) >>> CID 639934: Uninitialized variables (UNINIT) >>> Using uninitialized value "*p" when calling "strcasecmp". 
1279 if (!stricmp(scfg->dir[dirnum]->code, p)) 1280 break; 1281 argn++; 1282 } 1283 if (argc > argn && JSVAL_IS_STRING(argv[argn])) { 1284 JSSTRING_TO_ASTRING(cx, JSVAL_TO_STRING(argv[argn]), fname, MAX_PATH + 1, NULL); ** CID 639933: Error handling issues (CHECKED_RETURN) /js_system.cpp: 1481 in js_filter_ip(JSContext *, unsigned int, unsigned long *)() _____________________________________________________________________________________________ *** CID 639933: Error handling issues (CHECKED_RETURN) /js_system.cpp: 1481 in js_filter_ip(JSContext *, unsigned int, unsigned long *)() 1475 js_system_private_t* sys; 1476 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL) 1477 return JS_FALSE; 1478 1479 for (i = 0; i < argc && fname == NULL; i++) { 1480 if (JSVAL_IS_NUMBER(argv[i])) { >>> CID 639933: Error handling issues (CHECKED_RETURN) >>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times). 1481 JS_ValueToInt32(cx, argv[i], &duration); 1482 continue; 1483 } 1484 if (!JSVAL_IS_STRING(argv[i])) 1485 continue; 1486 JSVALUE_TO_MSTRING(cx, argv[i], p, NULL); ** CID 639932: Error handling issues (CHECKED_RETURN) /websrvr.cpp: 1188 in close_request(http_session_t *)() _____________________________________________________________________________________________ *** CID 639932: Error handling issues (CHECKED_RETURN) /websrvr.cpp: 1188 in close_request(http_session_t *)() 1182 FCLOSE_OPEN_FILE(session->req.fp); 1183 1184 for (i = 0; i < MAX_CLEANUPS; i++) { 1185 if (session->req.cleanup_file[i] != NULL) { 1186 if (i != CLEANUP_SSJS_TMP_FILE 1187 || !(startup->options & WEB_OPT_DEBUG_SSJS)) >>> CID 639932: Error handling issues (CHECKED_RETURN) >>> Calling "remove(session->req.cleanup_file[i])" without checking return value. This library function may fail and return an error code. 
1188 remove(session->req.cleanup_file[i]); 1189 free(session->req.cleanup_file[i]); 1190 } 1191 } 1192 1193 smb_freefilemem(&session->file); ** CID 639931: Memory - illegal accesses (OVERRUN) /mailsrvr.cpp: 901 in sockmimetext(int, const char *, int, smbmsg_t *, char *, unsigned long, char **, char *)() _____________________________________________________________________________________________ *** CID 639931: Memory - illegal accesses (OVERRUN) /mailsrvr.cpp: 901 in sockmimetext(int, const char *, int, smbmsg_t *, char *, unsigned long, char **, char *)() 895 np = "\r\n"; // Send at least one line of message text (issue #822) 896 else 897 np = msgtxt; 898 long bytes = 0; 899 while (*np && lines < maxlines) { 900 len = 0; >>> CID 639931: Memory - illegal accesses (OVERRUN) >>> Overrunning array of 3 bytes at byte offset 997 by dereferencing pointer "np + len". 901 while (len < RFC822_MAX_LINE_LEN && *(np + len) != 0 && *(np + len) != '\n') 902 len++; 903 904 tlen = len; 905 while (tlen && *(np + (tlen - 1)) <= ' ') /* Takes care of '\r' or spaces */ 906 tlen--; ** CID 639930: Error handling issues (CHECKED_RETURN) /js_system.cpp: 1640 in js_put_node_message(JSContext *, unsigned int, unsigned long *)() _____________________________________________________________________________________________ *** CID 639930: Error handling issues (CHECKED_RETURN) /js_system.cpp: 1640 in js_put_node_message(JSContext *, unsigned int, unsigned long *)() 1634 return JS_FALSE; 1635 1636 js_system_private_t* sys; 1637 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL) 1638 return JS_FALSE; 1639 >>> CID 639930: Error handling issues (CHECKED_RETURN) >>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times). 
1640 JS_ValueToInt32(cx, argv[0], &node); 1641 if (node < 1) 1642 node = 1; 1643 1644 if ((js_msg = JS_ValueToString(cx, argv[1])) == NULL) 1645 return JS_FALSE; ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview ----==_mimepart_693ec0347df67_815e22c07a52839ac105f0 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit New Defects Reported - Synchronet

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

Defect Details

** CID 639949:       Error handling issues  (CHECKED_RETURN)
/websrvr.cpp: 2047           in check_ars(http_session_t *)()


_____________________________________________________________________________________________
*** CID 639949:         Error handling issues  (CHECKED_RETURN)
/websrvr.cpp: 2047             in check_ars(http_session_t *)()
2041     		else
2042     			lprintf(LOG_NOTICE, "%04d !UNKNOWN USER: '%s'"
2043     			        , session->socket, session->req.auth.username);
2044     		return false;
2045     	}
2046     	thisuser.number = i;
>>>     CID 639949:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "getuserdat" without checking return value (as is done elsewhere 90 out of 103 times).
2047     	getuserdat(&scfg, &thisuser);
2048     	switch (session->req.auth.type) {
2049     		case AUTHENTICATION_TLS_PSK:
2050     			if ((auth_allowed & (1 << AUTHENTICATION_TLS_PSK)) == 0)
2051     				return false;
2052     			if (session->last_user_num != 0) {

** CID 639948:       Program hangs  (SLEEP)
/services.cpp: 1619           in native_service_thread(void *)()


_____________________________________________________________________________________________
*** CID 639948:         Program hangs  (SLEEP)
/services.cpp: 1619             in native_service_thread(void *)()
1613     	client_on(socket, &client, false /* update */);
1614
1615     	if (startup->login_attempt.throttle
1616     	    && (login_attempts = loginAttempts(startup->login_attempt_list, &service_client.addr)) > 1) {
1617     		lprintf(LOG_DEBUG, "%04d %s Throttling suspicious connection from: %s (%lu login attempts)"
1618     		        , socket, service->protocol, client.addr, login_attempts);
>>>     CID 639948:         Program hangs  (SLEEP)
>>>     Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
1619     		mswait(login_attempts * startup->login_attempt.throttle);
1620     	}
1621
1622     	/* RUN SCRIPT */
1623     	if (strpbrk(service->cmd, "/\\") == NULL)
1624     		SAFEPRINTF2(cmd, "%s%s", scfg.exec_dir, service->cmd);

** CID 639947:       Control flow issues  (DEADCODE)
/websrvr.cpp: 6533           in read_post_data(http_session_t *)()


_____________________________________________________________________________________________
*** CID 639947:         Control flow issues  (DEADCODE)
/websrvr.cpp: 6533             in read_post_data(http_session_t *)()
6527     				if (ch_len == 0)
6528     					break;
6529     				/* Check size */
6530     				s += ch_len;
6531     				if (s > MAX_POST_LEN) {
6532     					if (s > SIZE_MAX) {
>>>     CID 639947:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "send_error(session, 6533U, ...".
6533     						send_error(session, __LINE__, "413 Request entity too large");
6534     						FCLOSE_OPEN_FILE(fp);
6535     						return false;
6536     					}
6537     					if (fp == NULL) {
6538     						fp = open_post_file(session);

** CID 639946:         (CHECKED_RETURN)
/js_socket.cpp: 1412           in js_recv(JSContext *, unsigned int, unsigned long *)()
/js_socket.cpp: 1415           in js_recv(JSContext *, unsigned int, unsigned long *)()


_____________________________________________________________________________________________
*** CID 639946:           (CHECKED_RETURN)
/js_socket.cpp: 1412             in js_recv(JSContext *, unsigned int, unsigned long *)()
1406
1407     	if ((p = (js_socket_private_t*)js_GetClassPrivate(cx, obj, &js_socket_class)) == NULL) {
1408     		return JS_FALSE;
1409     	}
1410
1411     	if (argc && argv[0] != JSVAL_VOID) {
>>>     CID 639946:           (CHECKED_RETURN)
>>>     Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1412     		JS_ValueToInt32(cx, argv[0], &len);
1413
1414     		if (argc > 1 && argv[1] != JSVAL_VOID) {
1415     			JS_ValueToInt32(cx, argv[1], &timeout);
1416     		}
1417     	}
/js_socket.cpp: 1415             in js_recv(JSContext *, unsigned int, unsigned long *)()
1409     	}
1410
1411     	if (argc && argv[0] != JSVAL_VOID) {
1412     		JS_ValueToInt32(cx, argv[0], &len);
1413
1414     		if (argc > 1 && argv[1] != JSVAL_VOID) {
>>>     CID 639946:           (CHECKED_RETURN)
>>>     Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1415     			JS_ValueToInt32(cx, argv[1], &timeout);
1416     		}
1417     	}
1418
1419     	if ((buf = (char*)malloc(len + 1)) == NULL) {
1420     		JS_ReportError(cx, "Error allocating %u bytes", len + 1);

** CID 639945:         (CHECKED_RETURN)
/js_system.cpp: 1002           in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
/js_system.cpp: 987           in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()


_____________________________________________________________________________________________
*** CID 639945:           (CHECKED_RETURN)
/js_system.cpp: 1002             in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
996     	if ((js_str = JS_ValueToString(cx, argv[1])) == NULL)
997     		return JS_FALSE;
998
999     	if (argnum < argc && JSVAL_IS_BOOLEAN(argv[argnum]))
1000     		JS_ValueToBoolean(cx, argv[argnum++], &match_del);
1001     	if (argnum < argc && JSVAL_IS_NUMBER(argv[argnum]))
>>>     CID 639945:           (CHECKED_RETURN)
>>>     Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1002     		JS_ValueToInt32(cx, argv[argnum++], &usernumber);
1003     	if (argnum < argc && JSVAL_IS_BOOLEAN(argv[argnum]))
1004     		JS_ValueToBoolean(cx, argv[argnum++], &match_next);
1005
1006     	JSSTRING_TO_ASTRING(cx, js_str, p, 128, NULL);
1007     	if (p == NULL)
/js_system.cpp: 987             in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
981     		return JS_TRUE;
982     	}
983     	js_system_private_t* sys;
984     	if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
985     		return JS_FALSE;
986
>>>     CID 639945:           (CHECKED_RETURN)
>>>     Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
987     	JS_ValueToInt32(cx, argv[0], &field);
988     	rc = JS_SUSPENDREQUEST(cx);
989     	len = user_field_len(static_cast<user_field>(field));
990     	JS_RESUMEREQUEST(cx, rc);
991     	if (len < 1) {
992     		JS_ReportError(cx, "Invalid user field: %d", field);

** CID 639944:       Uninitialized variables  (UNINIT)


_____________________________________________________________________________________________
*** CID 639944:         Uninitialized variables  (UNINIT)
/js_system.cpp: 2108             in js_chkpassword(JSContext *, unsigned int, unsigned long *)()
2102
2103     	js_system_private_t* sys;
2104     	if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
2105     		return JS_FALSE;
2106
2107     	rc = JS_SUSPENDREQUEST(cx);
>>>     CID 639944:         Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "*str" when calling "check_pass".
2108     	bool result = check_pass(sys->cfg, str, /* user: */NULL, /* unique: */false, /* reason: */NULL);
2109     	JS_SET_RVAL(cx, arglist, BOOLEAN_TO_JSVAL(result));
2110     	JS_RESUMEREQUEST(cx, rc);
2111
2112     	return JS_TRUE;
2113     }

** CID 639943:         (Y2K38_SAFETY)
/js_filebase.cpp: 1591           in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
/js_filebase.cpp: 1581           in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()


_____________________________________________________________________________________________
*** CID 639943:           (Y2K38_SAFETY)
/js_filebase.cpp: 1591             in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
1585     			rc = JS_SUSPENDREQUEST(cx);
1586     			smb_getstatus(&(p->smb));
1587     			JS_RESUMEREQUEST(cx, rc);
1588     			*vp = UINT_TO_JSVAL(p->smb.status.total_files);
1589     			break;
1590     		case FB_PROP_UPDATE_TIME:
>>>     CID 639943:           (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to accommodate it.  The expression "newfiletime(&p->smb)" is cast to "uint32_t".
1591     			*vp = UINT_TO_JSVAL((uint32_t)newfiletime(&p->smb));
1592     			break;
1593     		case FB_PROP_MAX_FILES:
1594     			*vp = UINT_TO_JSVAL(p->smb.status.max_files);
1595     			break;
1596     		case FB_PROP_MAX_AGE:
/js_filebase.cpp: 1581             in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
1575     			smb_getstatus(&(p->smb));
1576     			JS_RESUMEREQUEST(cx, rc);
1577     			*vp = UINT_TO_JSVAL(p->smb.status.last_file);
1578     			break;
1579     		case FB_PROP_LAST_FILE_TIME:
1580     			rc = JS_SUSPENDREQUEST(cx);
>>>     CID 639943:           (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to accommodate it.  The expression "lastfiletime(&p->smb)" is cast to "uint32_t".
1581     			*vp = UINT_TO_JSVAL((uint32_t)lastfiletime(&p->smb));
1582     			JS_RESUMEREQUEST(cx, rc);
1583     			break;
1584     		case FB_PROP_FILES:
1585     			rc = JS_SUSPENDREQUEST(cx);
1586     			smb_getstatus(&(p->smb));

** CID 639942:       Error handling issues  (CHECKED_RETURN)
/js_socket.cpp: 3624           in js_socket_constructor(JSContext *, unsigned int, unsigned long *)()


_____________________________________________________________________________________________
*** CID 639942:         Error handling issues  (CHECKED_RETURN)
/js_socket.cpp: 3624             in js_socket_constructor(JSContext *, unsigned int, unsigned long *)()
3618     			return JS_TRUE;
3619     		}
3620     	}
3621
3622     	for (; i < argc; i++) {
3623     		if (JSVAL_IS_NUMBER(argv[i])) {
>>>     CID 639942:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
3624     			JS_ValueToInt32(cx, argv[i], &type);
3625     		}
3626     		else if (JSVAL_IS_BOOLEAN(argv[i])) {
3627     			if (argv[i] == JSVAL_TRUE)
3628     				domain = AF_INET6;
3629     		}

** CID 639941:       Error handling issues  (CHECKED_RETURN)
/websrvr.cpp: 6856           in http_session_thread(void *)()


_____________________________________________________________________________________________
*** CID 639941:         Error handling issues  (CHECKED_RETURN)
/websrvr.cpp: 6856             in http_session_thread(void *)()
6850     			session.tls_sess = -1;
6851     			close_session_no_rb(&session);
6852     			thread_down();
6853     			return;
6854     		}
6855     		bool nodelay = true;
>>>     CID 639941:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "setsockopt(session.socket, IPPROTO_TCP, 1, (char *)&nodelay, 1U)" without checking return value. This library function may fail and return an error code.
6856     		setsockopt(session.socket, IPPROTO_TCP, TCP_NODELAY, (char*)&nodelay, sizeof(nodelay));
6857
6858     		if (looking_good)
6859     			looking_good = HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_TLS_OPTIONS, CRYPT_TLSOPTION_MINVER_TLS12), &session, "setting TLS minver to 1.2");
6860     		if (looking_good)
6861     			looking_good = HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_NETWORKSOCKET, session.socket), &session, "setting network socket");

** CID 639940:       High impact quality  (Y2K38_SAFETY)
/js_filebase.cpp: 701           in js_hash_file(JSContext *, unsigned int, unsigned long *)()


_____________________________________________________________________________________________
*** CID 639940:         High impact quality  (Y2K38_SAFETY)
/js_filebase.cpp: 701             in js_hash_file(JSContext *, unsigned int, unsigned long *)()
695     	if (size == -1)
696     		JS_ReportError(cx, "File does not exist: %s", path);
697     	else {
698     		smb_setfilesize(&file.idx, size);
699     		if ((p->smb_result = smb_hashfile(path, size, &file.file_idx.hash.data)) > 0) {
700     			file.file_idx.hash.flags = p->smb_result;
>>>     CID 639940:         High impact quality  (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to accommodate it.  The expression "fdate(path)" is cast to "uint32_t".
701     			file.hdr.when_written.time = (uint32_t)fdate(path);
702     			JSObject* fobj;
703     			if ((fobj = JS_NewObject(cx, NULL, NULL, obj)) == NULL)
704     				JS_ReportError(cx, "object allocation failure, line %d", __LINE__);
705     			else {
706     				set_file_properties(cx, fobj, &file, detail);

** CID 639939:       Memory - corruptions  (REVERSE_NEGATIVE)
/websrvr.cpp: 7033           in http_session_thread(void *)()


_____________________________________________________________________________________________
*** CID 639939:         Memory - corruptions  (REVERSE_NEGATIVE)
/websrvr.cpp: 7033             in http_session_thread(void *)()
7027     			memset(session.req.ld, 0, sizeof(struct log_data));
7028     			/* FREE()d in http_logging_thread */
7029     			session.req.ld->hostname = strdup(session.host_name);
7030     		}
7031     		while ((redirp == NULL || session.req.send_location >= MOVED_TEMP)
7032     		       && !session.finished && !session.req.finished
>>>     CID 639939:         Memory - corruptions  (REVERSE_NEGATIVE)
>>>     You might be using variable "session.socket" before verifying that it is >= 0.
7033     		       && session.socket != INVALID_SOCKET) {
7034     			SAFECOPY(session.req.status, "200 OK");
7035     			session.req.send_location = NO_LOCATION;
7036     			if (session.req.headers == NULL) {
7037     				/* FREE()d in close_request() */
7038     				if ((session.req.headers = strListInit()) == NULL) {

** CID 639938:         (CHECKED_RETURN)
/js_msgbase.cpp: 3037           in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
/js_msgbase.cpp: 3031           in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()


_____________________________________________________________________________________________
*** CID 639938:           (CHECKED_RETURN)
/js_msgbase.cpp: 3037             in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
3031     			smb_getstatus(&(p->smb));
3032     			JS_RESUMEREQUEST(cx, rc);
3033     			*vp = UINT_TO_JSVAL(p->smb.status.last_msg);
3034     			break;
3035     		case SMB_PROP_TOTAL_MSGS:
3036     			rc = JS_SUSPENDREQUEST(cx);
>>>     CID 639938:           (CHECKED_RETURN)
>>>     Calling "smb_getstatus" without checking return value (as is done elsewhere 32 out of 36 times).
3037     			smb_getstatus(&(p->smb));
3038     			JS_RESUMEREQUEST(cx, rc);
3039     			*vp = UINT_TO_JSVAL(p->smb.status.total_msgs);
3040     			break;
3041     		case SMB_PROP_MAX_CRCS:
3042     			*vp = UINT_TO_JSVAL(p->smb.status.max_crcs);
/js_msgbase.cpp: 3031             in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
3025     			} else {
3026     				*vp = UINT_TO_JSVAL(p->first_msg);
3027     			}
3028     			break;
3029     		case SMB_PROP_LAST_MSG:
3030     			rc = JS_SUSPENDREQUEST(cx);
>>>     CID 639938:           (CHECKED_RETURN)
>>>     Calling "smb_getstatus" without checking return value (as is done elsewhere 32 out of 36 times).
3031     			smb_getstatus(&(p->smb));
3032     			JS_RESUMEREQUEST(cx, rc);
3033     			*vp = UINT_TO_JSVAL(p->smb.status.last_msg);
3034     			break;
3035     		case SMB_PROP_TOTAL_MSGS:
3036     			rc = JS_SUSPENDREQUEST(cx);

** CID 639937:       Incorrect expression  (PRECEDENCE_ERROR)
/js_socket.cpp: 1254           in js_sendto(JSContext *, unsigned int, unsigned long *)()


_____________________________________________________________________________________________
*** CID 639937:         Incorrect expression  (PRECEDENCE_ERROR)
/js_socket.cpp: 1254             in js_sendto(JSContext *, unsigned int, unsigned long *)()
1248
1249     	memset(&hints, 0, sizeof(hints));
1250     	hints.ai_socktype = p->type;
1251     	hints.ai_flags = AI_ADDRCONFIG;
1252     	dbprintf(false, p, "resolving hostname: %s", p->hostname);
1253
>>>     CID 639937:         Incorrect expression  (PRECEDENCE_ERROR)
>>>     Evaluates as: "result = (getaddrinfo(p->hostname, NULL, &hints, &res) != 0)", because "!=" has higher operator precedence than "=". The context suggests that this might be in error.
1254     	if ((result = getaddrinfo(p->hostname, NULL, &hints, &res) != 0)) {
1255     		store_socket_error(p, result, gai_strerror(result));
1256     		dbprintf(TRUE, p, "getaddrinfo(%s) failed with error %d", p->hostname, result);
1257     		JS_SET_RVAL(cx, arglist, JSVAL_FALSE);
1258     		free(cp);
1259     		JS_RESUMEREQUEST(cx, rc);

** CID 639936:       Error handling issues  (CHECKED_RETURN)
/js_socket.cpp: 2363           in js_socket_set(JSContext *, JSObject *, long, int, unsigned long *)()


_____________________________________________________________________________________________
*** CID 639936:         Error handling issues  (CHECKED_RETURN)
/js_socket.cpp: 2363             in js_socket_set(JSContext *, JSObject *, long, int, unsigned long *)()
2357
2358     					if (ssl_sync(scfg, lprintf)) {
2359     						if ((ret = cryptCreateSession(&p->session, CRYPT_UNUSED, tiny == SOCK_PROP_SSL_SESSION ? CRYPT_SESSION_TLS: CRYPT_SESSION_TLS_SERVER)) == CRYPT_OK) {
2360     							ulong nb = 0;
2361     							ioctlsocket(p->sock, FIONBIO, &nb);
2362     							nb = 1;
>>>     CID 639936:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "setsockopt(p->sock, IPPROTO_TCP, 1, (char *)&nb, 8U)" without checking return value. This library function may fail and return an error code.
2363     							setsockopt(p->sock, IPPROTO_TCP, TCP_NODELAY, (char*)&nb, sizeof(nb));
2364     							if ((ret = do_cryptAttribute(p->session, CRYPT_SESSINFO_NETWORKSOCKET, p->sock)) == CRYPT_OK) {
2365     								int minver = CRYPT_TLSOPTION_MINVER_TLS12;
2366     								if (p->tls_minver == 100)
2367     									minver = CRYPT_TLSOPTION_MINVER_TLS10;
2368     								else if (p->tls_minver == 101)

** CID 639935:         (INTEGER_OVERFLOW)
/websrvr.cpp: 725           in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
/websrvr.cpp: 712           in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()


_____________________________________________________________________________________________
*** CID 639935:           (INTEGER_OVERFLOW)
/websrvr.cpp: 725             in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
719     					else if (SOCKET_ERRNO == EPIPE)
720     						lprintf(LOG_NOTICE, "%04d %-5s [%s] Unable to send to peer", session->socket, session->client.protocol, session->host_ip);
721     #endif
722     					else if (session->socket != INVALID_SOCKET)
723     						lprintf(LOG_WARNING, "%04d %-5s [%s] !ERROR %d sending on socket", session->socket, session->client.protocol, session->host_ip, SOCKET_ERRNO);
724     					*failed = true;
>>>     CID 639935:           (INTEGER_OVERFLOW)
>>>     "sent", which might have underflowed, is returned from the function.
725     					return sent;
726     				}
727     			}
728     		}
729     		else {
730     			lprintf(LOG_WARNING, "%04d %-5s [%s] Timeout waiting for socket to become writable", session->socket, session->client.protocol, session->host_ip);
/websrvr.cpp: 712             in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
706     				}
707     				else
708     					*failed = true;
709     				result = tls_sent;
710     			}
711     			else {
>>>     CID 639935:           (INTEGER_OVERFLOW)
>>>     "len - sent", which might have underflowed, is passed to "send(session->socket, buf + sent, len - sent, 0)".
712     				result = sendsocket(session->socket, buf + sent, len - sent);
713     				if (result == SOCKET_ERROR) {
714     					if (SOCKET_ERRNO == ECONNRESET)
715     						lprintf(LOG_NOTICE, "%04d %-5s [%s] Connection reset by peer on send", session->socket, session->client.protocol, session->host_ip);
716     					else if (SOCKET_ERRNO == ECONNABORTED)
717     						lprintf(LOG_NOTICE, "%04d %-5s [%s] Connection aborted by peer on send", session->socket, session->client.protocol, session->host_ip);

** CID 639934:       Uninitialized variables  (UNINIT)
/js_user.cpp: 1279           in js_downloaded_file(JSContext *, unsigned int, unsigned long *)()


_____________________________________________________________________________________________
*** CID 639934:         Uninitialized variables  (UNINIT)
/js_user.cpp: 1279             in js_downloaded_file(JSContext *, unsigned int, unsigned long *)()
1273
1274     	uintN argn = 0;
1275     	if (argc > argn && JSVAL_IS_STRING(argv[argn])) {
1276     		char *p;
1277     		JSSTRING_TO_ASTRING(cx, JSVAL_TO_STRING(argv[argn]), p, LEN_EXTCODE + 2, NULL);
1278     		for (dirnum = 0; dirnum < scfg->total_dirs; dirnum++)
>>>     CID 639934:         Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "*p" when calling "strcasecmp".
1279     			if (!stricmp(scfg->dir[dirnum]->code, p))
1280     				break;
1281     		argn++;
1282     	}
1283     	if (argc > argn && JSVAL_IS_STRING(argv[argn])) {
1284     		JSSTRING_TO_ASTRING(cx, JSVAL_TO_STRING(argv[argn]), fname, MAX_PATH + 1, NULL);

** CID 639933:       Error handling issues  (CHECKED_RETURN)
/js_system.cpp: 1481           in js_filter_ip(JSContext *, unsigned int, unsigned long *)()


_____________________________________________________________________________________________
*** CID 639933:         Error handling issues  (CHECKED_RETURN)
/js_system.cpp: 1481             in js_filter_ip(JSContext *, unsigned int, unsigned long *)()
1475     	js_system_private_t* sys;
1476     	if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
1477     		return JS_FALSE;
1478
1479     	for (i = 0; i < argc && fname == NULL; i++) {
1480     		if (JSVAL_IS_NUMBER(argv[i])) {
>>>     CID 639933:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1481     			JS_ValueToInt32(cx, argv[i], &duration);
1482     			continue;
1483     		}
1484     		if (!JSVAL_IS_STRING(argv[i]))
1485     			continue;
1486     		JSVALUE_TO_MSTRING(cx, argv[i], p, NULL);

** CID 639932:       Error handling issues  (CHECKED_RETURN)
/websrvr.cpp: 1188           in close_request(http_session_t *)()


_____________________________________________________________________________________________
*** CID 639932:         Error handling issues  (CHECKED_RETURN)
/websrvr.cpp: 1188             in close_request(http_session_t *)()
1182     	FCLOSE_OPEN_FILE(session->req.fp);
1183
1184     	for (i = 0; i < MAX_CLEANUPS; i++) {
1185     		if (session->req.cleanup_file[i] != NULL) {
1186     			if (i != CLEANUP_SSJS_TMP_FILE
1187     			    || !(startup->options & WEB_OPT_DEBUG_SSJS))
>>>     CID 639932:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "remove(session->req.cleanup_file[i])" without checking return value. This library function may fail and return an error code.
1188     				remove(session->req.cleanup_file[i]);
1189     			free(session->req.cleanup_file[i]);
1190     		}
1191     	}
1192
1193     	smb_freefilemem(&session->file);

** CID 639931:       Memory - illegal accesses  (OVERRUN)
/mailsrvr.cpp: 901           in sockmimetext(int, const char *, int, smbmsg_t *, char *, unsigned long, char **, char *)()


_____________________________________________________________________________________________
*** CID 639931:         Memory - illegal accesses  (OVERRUN)
/mailsrvr.cpp: 901             in sockmimetext(int, const char *, int, smbmsg_t *, char *, unsigned long, char **, char *)()
895     		np = "\r\n"; // Send at least one line of message text (issue #822)
896     	else
897     		np = msgtxt;
898     	long bytes = 0;
899     	while (*np && lines < maxlines) {
900     		len = 0;
>>>     CID 639931:         Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array of 3 bytes at byte offset 997 by dereferencing pointer "np + len".
901     		while (len < RFC822_MAX_LINE_LEN && *(np + len) != 0 && *(np + len) != '\n')
902     			len++;
903
904     		tlen = len;
905     		while (tlen && *(np + (tlen - 1)) <= ' ') /* Takes care of '\r' or spaces */
906     			tlen--;

** CID 639930:       Error handling issues  (CHECKED_RETURN)
/js_system.cpp: 1640           in js_put_node_message(JSContext *, unsigned int, unsigned long *)()


_____________________________________________________________________________________________
*** CID 639930:         Error handling issues  (CHECKED_RETURN)
/js_system.cpp: 1640             in js_put_node_message(JSContext *, unsigned int, unsigned long *)()
1634     		return JS_FALSE;
1635
1636     	js_system_private_t* sys;
1637     	if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
1638     		return JS_FALSE;
1639
>>>     CID 639930:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1640     	JS_ValueToInt32(cx, argv[0], &node);
1641     	if (node < 1)
1642     		node = 1;
1643
1644     	if ((js_msg = JS_ValueToString(cx, argv[1])) == NULL)
1645     		return JS_FALSE;

  

View Defects in Coverity Scan

Best regards,

The Coverity Scan Admin Team

----==_mimepart_693ec0347df67_815e22c07a52839ac105f0-- .