echo: sync_programming
to: cov-scan@synchro.net
from: scan-admin@coverity.com
date: 2024-02-28 13:40:00
subject: New Defects reported by C

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

23 new defect(s) introduced to Synchronet found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 23 defect(s)


** CID 487180:  Memory - corruptions  (BUFFER_SIZE)
/sftp.cpp: 1388 in sftp_readdir(sftp_string *, void *)()


________________________________________________________________________________________________________
*** CID 487180:  Memory - corruptions  (BUFFER_SIZE)
/sftp.cpp: 1388 in sftp_readdir(sftp_string *, void *)()
1382     			return generic_dot_entry(sbbs, dir, tmppath, &dd->info.rootdir.idx);
1383     		}
1384     		if (dd->info.rootdir.idx == dotdot) {
1385     			if (pm->sftp_patt[1]) {
1386     				char *dir = const_cast<char *>("..");
1387     				snprintf(tmppath, sizeof(tmppath) - 2 /* for dir */, pm->sftp_patt, sbbs->useron.alias);
>>>     CID 487180:  Memory - corruptions  (BUFFER_SIZE)
>>>     Buffer "tmppath" has a size of 4097 characters, and its string length (null character not included) is 4095 characters, leaving an available space of 2 characters. Appending "dir", whose string length (null character not included) is 2 characters, plus the null character overruns "tmppath".
1388     				strcat(tmppath, dir);
1389     				return generic_dot_realpath_entry(sbbs, dir, tmppath, &dd->info.rootdir.idx);
1390     			}
1391     			else
1392     				dd->info.rootdir.idx++;
1393     		}

** CID 487179:    (MISSING_LOCK)
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_static.h: 63 in exit_function()
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_static.h: 63 in exit_function()


________________________________________________________________________________________________________
*** CID 487179:    (MISSING_LOCK)
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_static.h: 63 in exit_function()
57     }
58
59     static bool
60     exit_function(SFTP_STATIC_TYPE state, bool retval)
61     {
62     	assert(state->running > 0);
>>>     CID 487179:    (MISSING_LOCK)
>>>     Accessing "state->running" without holding lock "sftp_client_state.mtx". Elsewhere, "sftp_client_state.running" is written to with "sftp_client_state.mtx" held 1 out of 2 times (1 of these accesses strongly imply that it is necessary).
63     	state->running--;
64     	pthread_mutex_unlock(&state->mtx);
65     	return retval;
66     }
67
68     static bool
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_static.h: 63 in exit_function()
57     }
58
59     static bool
60     exit_function(SFTP_STATIC_TYPE state, bool retval)
61     {
62     	assert(state->running > 0);
>>>     CID 487179:    (MISSING_LOCK)
>>>     Accessing "state->running" without holding lock "sftp_server_state.mtx". Elsewhere, "sftp_server_state.running" is written to with "sftp_server_state.mtx" held 1 out of 2 times (1 of these accesses strongly imply that it is necessary).
63     	state->running--;
64     	pthread_mutex_unlock(&state->mtx);
65     	return retval;
66     }
67
68     static bool

** CID 487178:    (RESOURCE_LEAK)
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 78 in s_open()
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 72 in s_open()
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 82 in s_open()
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 68 in s_open()


________________________________________________________________________________________________________
*** CID 487178:    (RESOURCE_LEAK)
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 78 in s_open()
72     			return true;
73     		}
74     	}
75     	if (!(flags & SSH_FXF_CREAT)) {
76     		if (flags & SSH_FXF_TRUNC) {
77     			sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't truncate unless creating");
>>>     CID 487178:    (RESOURCE_LEAK)
>>>     Variable "fname" going out of scope leaks the storage it points to.
78     			return true;
79     		}
80     		if (flags & SSH_FXF_EXCL) {
81     			sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't open exclisive unless creating");
82     			return true;
83     		}
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 72 in s_open()
66     		if (flags & SSH_FXF_CREAT) {
67     			sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't create unless writing");
68     			return true;
69     		}
70     		if (flags & SSH_FXF_APPEND) {
71     			sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't append unless writing");
>>>     CID 487178:    (RESOURCE_LEAK)
>>>     Variable "fname" going out of scope leaks the storage it points to.
72     			return true;
73     		}
74     	}
75     	if (!(flags & SSH_FXF_CREAT)) {
76     		if (flags & SSH_FXF_TRUNC) {
77     			sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't truncate unless creating");
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 82 in s_open()
76     		if (flags & SSH_FXF_TRUNC) {
77     			sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't truncate unless creating");
78     			return true;
79     		}
80     		if (flags & SSH_FXF_EXCL) {
81     			sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't open exclisive unless creating");
>>>     CID 487178:    (RESOURCE_LEAK)
>>>     Variable "fname" going out of scope leaks the storage it points to.
82     			return true;
83     		}
84     	}
85     	attrs = sftp_getfattr(state->rxp);
86     	if (attrs == NULL) {
87     		free_sftp_str(fname);
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 68 in s_open()
62     	if (fname == NULL)
63     		return false;
64     	flags = get32(state);
65     	if (!(flags & SSH_FXF_WRITE)) {
66     		if (flags & SSH_FXF_CREAT) {
67     			sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't create unless writing");
>>>     CID 487178:    (RESOURCE_LEAK)
>>>     Variable "fname" going out of scope leaks the storage it points to.
68     			return true;
69     		}
70     		if (flags & SSH_FXF_APPEND) {
71     			sftps_send_error(state, SSH_FX_OP_UNSUPPORTED, "Can't append unless writing");
72     			return true;
73     		}

** CID 487177:    (Y2K38_SAFETY)
/sftp.cpp: 433 in homefile_attrs(sbbs_t *, const char *)()
/sftp.cpp: 433 in homefile_attrs(sbbs_t *, const char *)()


________________________________________________________________________________________________________
*** CID 487177:    (Y2K38_SAFETY)
/sftp.cpp: 433 in homefile_attrs(sbbs_t *, const char *)()
427     	if (attr == nullptr)
428     		return nullptr;
429     	sftp_fattr_set_permissions(attr, S_IFREG | S_IRWXU | S_IRUSR | S_IWUSR);
430     	sftp_fattr_set_uid_gid(attr, sbbs->useron.number, users_gid);
431     	sftp_fattr_set_size(attr, flength(path));
432     	time_t fd = fdate(path);
>>>     CID 487177:    (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to accommodate it.  The expression "fd" is cast to "uint32_t".
433     	sftp_fattr_set_times(attr, fd, fd);
434     	return attr;
435     }
436
437     static sftp_file_attr_t
438     sshkeys_attrs(sbbs_t *sbbs, const char *path)
/sftp.cpp: 433 in homefile_attrs(sbbs_t *, const char *)()
427     	if (attr == nullptr)
428     		return nullptr;
429     	sftp_fattr_set_permissions(attr, S_IFREG | S_IRWXU | S_IRUSR | S_IWUSR);
430     	sftp_fattr_set_uid_gid(attr, sbbs->useron.number, users_gid);
431     	sftp_fattr_set_size(attr, flength(path));
432     	time_t fd = fdate(path);
>>>     CID 487177:    (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to accommodate it.  The expression "fd" is cast to "uint32_t".
433     	sftp_fattr_set_times(attr, fd, fd);
434     	return attr;
435     }
436
437     static sftp_file_attr_t
438     sshkeys_attrs(sbbs_t *sbbs, const char *path)

** CID 487176:    (RESOURCE_LEAK)
/sftp.cpp: 741 in find_lib(sbbs_t *, const char *)()
/sftp.cpp: 741 in find_lib(sbbs_t *, const char *)()


________________________________________________________________________________________________________
*** CID 487176:    (RESOURCE_LEAK)
/sftp.cpp: 741 in find_lib(sbbs_t *, const char *)()
735     		*c = 0;
736     	for (l = 0; l < sbbs->cfg.total_libs; l++) {
737     		if (!can_user_access_lib(&sbbs->cfg, l, &sbbs->useron, &sbbs->client))
738     			continue;
739     		exp = expand_slash(sbbs->cfg.lib[l]->lname);
740     		if (exp == nullptr)
>>>     CID 487176:    (RESOURCE_LEAK)
>>>     Variable "p" going out of scope leaks the storage it points to.
741     			return -1;
742     		if (strcmp(p, exp)) {
743     			free(exp);
744     			continue;
745     		}
746     		free(exp);
/sftp.cpp: 741 in find_lib(sbbs_t *, const char *)()
735     		*c = 0;
736     	for (l = 0; l < sbbs->cfg.total_libs; l++) {
737     		if (!can_user_access_lib(&sbbs->cfg, l, &sbbs->useron, &sbbs->client))
738     			continue;
739     		exp = expand_slash(sbbs->cfg.lib[l]->lname);
740     		if (exp == nullptr)
>>>     CID 487176:    (RESOURCE_LEAK)
>>>     Variable "p" going out of scope leaks the storage it points to.
741     			return -1;
742     		if (strcmp(p, exp)) {
743     			free(exp);
744     			continue;
745     		}
746     		free(exp);

** CID 487175:  Resource leaks  (RESOURCE_LEAK)
/sftp.cpp: 1517 in sftp_readdir(sftp_string *, void *)()


________________________________________________________________________________________________________
*** CID 487175:  Resource leaks  (RESOURCE_LEAK)
/sftp.cpp: 1517 in sftp_readdir(sftp_string *, void *)()
1511     				}
1512     				attr = get_dir_attrs(sbbs, dd->info.filebase.idx);
1513     				if (attr == nullptr)
1514     					return sftps_send_error(sbbs->sftp_state, SSH_FX_FAILURE, "Attributes allocation failure");
1515     				ename = expand_slash(sbbs->cfg.dir[dd->info.filebase.idx]->lname);
1516     				if (ename == nullptr)
>>>     CID 487175:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "attr" going out of scope leaks the storage it points to.
1517     					return sftps_send_error(sbbs->sftp_state, SSH_FX_FAILURE, "EName allocation failure");
1518     				lname = get_longname(sbbs, ename, nullptr, attr);
1519     				if (lname == nullptr) {
1520     					free(ename);
1521     					sftp_fattr_free(attr);
1522     					return sftps_send_error(sbbs->sftp_state, SSH_FX_FAILURE, "Longname allocation failure");

** CID 487174:  Code maintainability issues  (UNUSED_VALUE)
/main.cpp: 1993 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)()


________________________________________________________________________________________________________
*** CID 487174:  Code maintainability issues  (UNUSED_VALUE)
/main.cpp: 1993 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)()
1987
1988     					if (cid != sbbs->sftp_channel && cid != sbbs->session_channel) {
1989     						lprintf(LOG_WARNING, "Node %d SSH WARNING: attempt to use channel '%s' (%d != %d or %d)"
1990     							, sbbs->cfg.node_num, cname ? cname : "", cid, sbbs->session_channel, sbbs->sftp_channel);
1991     						if (cname) {
1992     							free_crypt_attrstr(cname);
>>>     CID 487174:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value "NULL" to "cname" here, but that stored value is overwritten before it can be used.
1993     							cname = nullptr;
1994     						}
1995     						if (ssname) {
1996     							free_crypt_attrstr(ssname);
1997     							ssname = nullptr;
1998     						}

** CID 487173:  Program hangs  (LOCK)
/sftp.cpp: 987 in sftp_send(unsigned char *, unsigned long, void *)()


________________________________________________________________________________________________________
*** CID 487173:  Program hangs  (LOCK)
/sftp.cpp: 987 in sftp_send(unsigned char *, unsigned long, void *)()
981     	if (sbbs->sftp_channel == -1)
982     		return false;
983     	while (sent < len) {
984     		pthread_mutex_lock(&sbbs->ssh_mutex);
985     		status = cryptSetAttribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL, sbbs->sftp_channel);
986     		if (cryptStatusError(status))
>>>     CID 487173:  Program hangs  (LOCK)
>>>     Returning without unlocking "sbbs->ssh_mutex".
987     			return false;
988     		size_t sendbytes = len - sent;
989     #define SENDBYTES_MAX 0x2000
990     		if (sendbytes > SENDBYTES_MAX)
991     			sendbytes = SENDBYTES_MAX;
992     		status = cryptSetAttribute(sbbs->ssh_session, CRYPT_OPTION_NET_WRITETIMEOUT, 5);

** CID 487172:  Incorrect expression  (CONSTANT_EXPRESSION_RESULT)
/sftp.cpp: 171 in path_map::path_map(sbbs_t *, const unsigned char *, map_path_mode)()


________________________________________________________________________________________________________
*** CID 487172:  Incorrect expression  (CONSTANT_EXPRESSION_RESULT)
/sftp.cpp: 171 in path_map::path_map(sbbs_t *, const unsigned char *, map_path_mode)()
165     				return;
166     			}
167     			this->is_static_ = false;
168     			this->info.filebase.dir = -1;
169     			this->info.filebase.lib = -1;
170     			this->info.filebase.idx = dot;
>>>     CID 487172:  Incorrect expression  (CONSTANT_EXPRESSION_RESULT)
>>>     The expression "this->sftp_path[6UL /* files_path_len */] == 0 || this->sftp_path[6UL /* files_path_len */] == 0" does not accomplish anything because it evaluates to either of its identical operands, "this->sftp_path[6UL /* files_path_len */] == 0".
171     			if (this->sftp_path[files_path_len] == 0 || this->sftp_path[files_path_len] == 0) {
172     				// Root...
173     				result_ = MAP_TO_DIR;
174     				return;
175     			}
176     			const char *lib = &this->sftp_path[files_path_len + 1];

** CID 487171:  Insecure data handling  (TAINTED_SCALAR)
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_attr.c: 324 in sftp_getfattr()


________________________________________________________________________________________________________
*** CID 487171:  Insecure data handling  (TAINTED_SCALAR)
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_attr.c: 324 in sftp_getfattr()
318     		ret->atime = sftp_get32(pkt);
319     		ret->mtime = sftp_get32(pkt);
320     	}
321     	if (ret->flags & SSH_FILEXFER_ATTR_EXTENDED) {
322     		uint32_t extcnt = sftp_get32(pkt);
323     		uint32_t ext;
>>>     CID 487171:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "extcnt" as a loop boundary.
324     		for (ext = 0; ext < extcnt; ext++) {
325     			sftp_str_t type = sftp_getstring(pkt);
326     			if (type == NULL)
327     				break;
328     			sftp_str_t data = sftp_getstring(pkt);
329     			if (data == NULL) {

** CID 487170:  Security best practices violations  (TOCTOU)
/sftp.cpp: 1147 in sftp_open(sftp_string *, unsigned int, sftp_file_attributes *, void *)()


________________________________________________________________________________________________________
*** CID 487170:  Security best practices violations  (TOCTOU)
/sftp.cpp: 1147 in sftp_open(sftp_string *, unsigned int, sftp_file_attributes *, void *)()
1141     		sbbs->sftp_filedes[fdidx]->dir = -1;
1142     	else {
1143     		sbbs->sftp_filedes[fdidx]->dir = pmap.info.filebase.dir;
1144     		sbbs->sftp_filedes[fdidx]->idx_offset = pmap.info.filebase.offset;
1145     		sbbs->sftp_filedes[fdidx]->idx_number = pmap.info.filebase.idx;
1146     	}
>>>     CID 487170:  Security best practices violations  (TOCTOU)
>>>     Calling function "access" to perform check on "pmap.local_path".
1147     	if (access(pmap.local_path, F_OK) != 0) {
1148     		// File did not exist, and we're creating
1149     		if (oflags & O_CREAT) {
1150     			sbbs->sftp_filedes[fdidx]->created = true;
1151     		}
1152     	}

** CID 487169:  Error handling issues  (CHECKED_RETURN)
/sftp.cpp: 1044 in sftp_cleanup_callback(void *)()


________________________________________________________________________________________________________
*** CID 487169:  Error handling issues  (CHECKED_RETURN)
/sftp.cpp: 1044 in sftp_cleanup_callback(void *)()
1038
1039     	for (unsigned i = 0; i < nfdes; i++) {
1040     		if (sbbs->sftp_filedes[i] != nullptr) {
1041     			close(sbbs->sftp_filedes[i]->fd);
1042     			if (sbbs->sftp_filedes[i]->created && sbbs->sftp_filedes[i]->local_path) {
1043     				// If we were uploading, delete the incomplete file
>>>     CID 487169:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "remove(sbbs->sftp_filedes[i]->local_path)" without checking return value. This library function may fail and return an error code.
1044     				remove(sbbs->sftp_filedes[i]->local_path);
1045     			}
1046     			free(sbbs->sftp_filedes[i]->local_path);
1047     			free(sbbs->sftp_filedes[i]);
1048     			sbbs->sftp_filedes[i] = nullptr;
1049     		}

** CID 487168:    (UNUSED_VALUE)
/tmp/sbbs-Feb-28-2024/3rdp/src/cl/session/ssh2_msgsvr.c: 679 in processChannelRequest()
/tmp/sbbs-Feb-28-2024/3rdp/src/cl/session/ssh2_msgsvr.c: 691 in processChannelRequest()


________________________________________________________________________________________________________
*** CID 487168:    (UNUSED_VALUE)
/tmp/sbbs-Feb-28-2024/3rdp/src/cl/session/ssh2_msgsvr.c: 679 in processChannelRequest()
673     				setChannelAttribute(sessionInfoPtr, CRYPT_SESSINFO_SSH_CHANNEL_WIDTH, status);
674     			status = readUint32(stream);
675     			if (status > 0)
676     				setChannelAttribute(sessionInfoPtr, CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT, status);
677     			break;
678     		case REQUEST_SHELL:
>>>     CID 487168:    (UNUSED_VALUE)
>>>     Assigning value from "setChannelAttributeS(sessionInfoPtr, CRYPT_SESSINFO_SSH_CHANNEL_TYPE, "shell", 5)" to "status" here, but that stored value is overwritten before it can be used.
679     			status = setChannelAttributeS( sessionInfoPtr,
680     										   CRYPT_SESSINFO_SSH_CHANNEL_TYPE,
681     										   "shell", 5 );
682     			break;
683     		case REQUEST_NOOP:
684     			/* Generic requests containing extra information that we're not
/tmp/sbbs-Feb-28-2024/3rdp/src/cl/session/ssh2_msgsvr.c: 691 in processChannelRequest()
685     			   interested in */
686     			break;
687
688     #ifdef USE_SSH_EXTENDED
689     		case REQUEST_EXEC:
690     			/* A further generic request that we're not interested in */
>>>     CID 487168:    (UNUSED_VALUE)
>>>     Assigning value from "setChannelAttributeS(sessionInfoPtr, CRYPT_SESSINFO_SSH_CHANNEL_TYPE, "exec", 4)" to "status" here, but that stored value is overwritten before it can be used.
691     			status = setChannelAttributeS( sessionInfoPtr,
692     										   CRYPT_SESSINFO_SSH_CHANNEL_TYPE,
693     										   "exec", 4 );
694     			break;
695
696     		case REQUEST_SUBSYSTEM:

** CID 487167:  Program hangs  (LOCK)
/main.cpp: 2048 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)()


________________________________________________________________________________________________________
*** CID 487167:  Program hangs  (LOCK)
/main.cpp: 2048 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)()
2042     				if (closed && sbbs->sftp_channel == -1 && sbbs->session_channel == -1)
2043     					return CRYPT_ERROR_COMPLETE;
2044     			}
2045     		}
2046     		if (ret == CRYPT_ENVELOPE_RESOURCE)
2047     			return CRYPT_ERROR_TIMEOUT;
>>>     CID 487167:  Program hangs  (LOCK)
>>>     Returning without unlocking "sbbs->sftp_state->mtx".
2048     		return ret;
2049     	}
2050     	return CRYPT_ERROR_TIMEOUT;
2051     }
2052
2053     void input_thread(void *arg)

** CID 487166:    (CHECKED_RETURN)
/main.cpp: 2036 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)()
/main.cpp: 2028 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)()


________________________________________________________________________________________________________
*** CID 487166:    (CHECKED_RETURN)
/main.cpp: 2036 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)()
2030     						closed = true;
2031     					}
2032     				}
2033     				if (sbbs->session_channel != -1) {
2034     					if (!channel_open(sbbs, sbbs->session_channel)) {
2035     						if (cryptStatusOK(cryptSetAttribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL, sbbs->session_channel)))
>>>     CID 487166:    (CHECKED_RETURN)
>>>     Calling "cryptSetAttribute" without checking return value (as is done elsewhere 50 out of 61 times).
2036     							cryptSetAttribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE, 0);
2037     						sbbs->session_channel = -1;
2038     						closed = true;
2039     					}
2040     				}
2041     				// All channels are now closed.
/main.cpp: 2028 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)()
2022     				if (status != CRYPT_ERROR_NOTFOUND)
2023     					sbbs->log_crypt_error_status_sock(status, "getting channel id");
2024     				closing_channel = -1;
2025     				if (sbbs->sftp_channel != -1) {
2026     					if (!channel_open(sbbs, sbbs->sftp_channel)) {
2027     						if (cryptStatusOK(cryptSetAttribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL, sbbs->sftp_channel)))
>>>     CID 487166:    (CHECKED_RETURN)
>>>     Calling "cryptSetAttribute" without checking return value (as is done elsewhere 50 out of 61 times).
2028     							cryptSetAttribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE, 0);
2029     						sbbs->sftp_channel = -1;
2030     						closed = true;
2031     					}
2032     				}
2033     				if (sbbs->session_channel != -1) {

** CID 487165:    (REVERSE_INULL)
/main.cpp: 1984 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)()
/main.cpp: 1975 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)()


________________________________________________________________________________________________________
*** CID 487165:    (REVERSE_INULL)
/main.cpp: 1984 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)()
1978     								if (!sftps_recv(sbbs->sftp_state, reinterpret_cast(inbuf), tgot))
1979     									sbbs->sftp_end();
1980     							}
1981     							sbbs->sftp_channel = cid;
1982     						}
1983     					}
>>>     CID 487165:    (REVERSE_INULL)
>>>     Null-checking "cname" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1984     					if (cname && sbbs->session_channel == -1 && strcmp(cname, "shell") == 0) {
1985     						sbbs->session_channel = cid;
1986     					}
1987
1988     					if (cid != sbbs->sftp_channel && cid != sbbs->session_channel) {
1989     						lprintf(LOG_WARNING, "Node %d SSH WARNING: attempt to use channel '%s' (%d != %d or %d)"
/main.cpp: 1975 in crypt_pop_channel_data(sbbs_t *, char *, int, int *)()
1969     						return status;
1970     					}
1971     					cname = get_crypt_attribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_TYPE);
1972     					if (strcmp(cname, "subsystem") == 0) {
1973     						ssname = get_crypt_attribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_ARG1);
1974     					}
>>>     CID 487165:    (REVERSE_INULL)
>>>     Null-checking "cname" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1975     					if (((startup->options & (BBS_OPT_ALLOW_SFTP | BBS_OPT_SSH_ANYAUTH)) == BBS_OPT_ALLOW_SFTP) && ssname && cname && sbbs->sftp_channel == -1 && strcmp(ssname, "sftp") == 0) {
1976     						if (sbbs->init_sftp(cid)) {
1977     							if (tgot > 0) {
1978     								if (!sftps_recv(sbbs->sftp_state, reinterpret_cast(inbuf), tgot))
1979     									sbbs->sftp_end();
1980     							}

** CID 487164:  Resource leaks  (RESOURCE_LEAK)
/sftp.cpp: 1424 in sftp_readdir(sftp_string *, void *)()


________________________________________________________________________________________________________
*** CID 487164:  Resource leaks  (RESOURCE_LEAK)
/sftp.cpp: 1424 in sftp_readdir(sftp_string *, void *)()
1418     					continue;
1419     			}
1420     			sprintf(tmppath, static_files[dd->info.rootdir.idx].sftp_patt, sbbs->useron.alias);
1421     			remove_trailing_slash(tmppath);
1422     			attr = get_attrs(sbbs, tmppath, &link);
1423     			if (attr == nullptr)
>>>     CID 487164:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "link" going out of scope leaks the storage it points to.
1424     				return sftps_send_error(sbbs->sftp_state, SSH_FX_FAILURE, "Attributes allocation failure");
1425     			lname = get_longname(sbbs, tmppath, link, attr);
1426     			if (lname == nullptr) {
1427     				sftp_fattr_free(attr);
1428     				return sftps_send_error(sbbs->sftp_state, SSH_FX_FAILURE, "Longname allocation failure");
1429     			}

** CID 487163:  Program hangs  (LOCK)
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 373 in sftps_recv()


________________________________________________________________________________________________________
*** CID 487163:  Program hangs  (LOCK)
/tmp/sbbs-Feb-28-2024/src/sftp/sftp_server.c: 373 in sftps_recv()
367     	if (!sftp_rx_pkt_append(&state->rxp, buf, sz))
368     		return exit_function(state, false);
369     	if (sftp_have_pkt_sz(state->rxp)) {
370     		uint32_t psz = sftp_pkt_sz(state->rxp);
371     		if (psz > SFTP_MAX_PACKET_SIZE) {
372     			state->lprintf(state->cb_data, "Packet too large (%" PRIu32 " bytes)", psz);
>>>     CID 487163:  Program hangs  (LOCK)
>>>     Returning without unlocking "state->mtx".
373     			return false;
374     		}
375     	}
376     	while (sftp_have_full_pkt(state->rxp)) {
377     		bool handled = false;
378

** CID 487162:  Control flow issues  (DEADCODE)
/sftp.cpp: 871 in get_attrs(sbbs_t *, const char *, char **)()


________________________________________________________________________________________________________
*** CID 487162:  Control flow issues  (DEADCODE)
/sftp.cpp: 871 in get_attrs(sbbs_t *, const char *, char **)()
865     	else
866     		ppath[0] = 0;
867     	ret = pm->get_attrs(sbbs, ppath);
868     	if (link && pm->link_patt) {
869     		asprintf(link, pm->link_patt, sbbs->useron.alias);
870     		if (link == nullptr) {
>>>     CID 487162:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "sftp_fattr_free(ret);".
871     			sftp_fattr_free(ret);
872     			ret = nullptr;
873     		}
874     	}
875     	return ret;
876     }

** CID 487161:    (Y2K38_SAFETY)
/sftp.cpp: 448 in sshkeys_attrs(sbbs_t *, const char *)()
/sftp.cpp: 448 in sshkeys_attrs(sbbs_t *, const char *)()


________________________________________________________________________________________________________
*** CID 487161:    (Y2K38_SAFETY)
/sftp.cpp: 448 in sshkeys_attrs(sbbs_t *, const char *)()
442     	if (attr == nullptr)
443     		return nullptr;
444     	sftp_fattr_set_permissions(attr, S_IFLNK | S_IRWXU | S_IRUSR | S_IWUSR);
445     	sftp_fattr_set_uid_gid(attr, sbbs->useron.number, users_gid);
446     	sftp_fattr_set_size(attr, flength(path));
447     	time_t fd = fdate(path);
>>>     CID 487161:    (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to accommodate it.  The expression "fd" is cast to "uint32_t".
448     	sftp_fattr_set_times(attr, fd, fd);
449     	return attr;
450     }
451
452     void
453     remove_trailing_slash(char *str)
/sftp.cpp: 448 in sshkeys_attrs(sbbs_t *, const char *)()
442     	if (attr == nullptr)
443     		return nullptr;
444     	sftp_fattr_set_permissions(attr, S_IFLNK | S_IRWXU | S_IRUSR | S_IWUSR);
445     	sftp_fattr_set_uid_gid(attr, sbbs->useron.number, users_gid);
446     	sftp_fattr_set_size(attr, flength(path));
447     	time_t fd = fdate(path);
>>>     CID 487161:    (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to accommodate it.  The expression "fd" is cast to "uint32_t".
448     	sftp_fattr_set_times(attr, fd, fd);
449     	return attr;
450     }
451
452     void
453     remove_trailing_slash(char *str)


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3D4ieG_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQZz6Lg2xx1dh6E9z4lSXKW4n9yiZaua5LbXznpVF4MIwbp178psQJ2n-2Fpok7ErzI9IlNJTrPj-2F83NUNTOEjSUjSMYrpz0XVq0IKvzP47fjT8ZUoPS4k4FQsPlqiTS940mDZqL8H0V26aTBOs1jlgpdGUT2g7d1Ei-2FiSNIWvXxdCeA-3D-3D


--- SBBSecho 3.20-Linux
                                                                                                                
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

SOURCE: echomail via QWK@pharcyde.org
