echo: sync_programming
to: cov-scan@synchro.net
from: scan-admin@coverity.com
date: 2024-11-19 13:40:00
subject: New Defects reported by C

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

3 new defect(s) introduced to Synchronet found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 515048:  Security best practices violations  (SECURE_TEMP)
/sbbsecho.c: 1848 in add_areas_from_echolists()


________________________________________________________________________________________________________
*** CID 515048:  Security best practices violations  (SECURE_TEMP)
/sbbsecho.c: 1848 in add_areas_from_echolists()
1842     		match=0;
1843     		for(k=0; cfg.listcfg[j].keys[k] ;k++) {
1844     			if(match) break;
1845     			for(x=0; nodecfg->keys[x] ;x++) {
1846     				if(!stricmp(cfg.listcfg[j].keys[k]
1847     					,nodecfg->keys[x])) {
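>>>     CID 515048:  Security best practices violations  (SECURE_TEMP)
>>>     "tmpfile" creates files with predictable names, which is unsafe.
>>>     [Editor's note: how tmpfile() names and opens its file is up to the C runtime, so confirm the behaviour on each platform the program is built for; where a replacement is wanted, mkstemp() under a restrictive umask is the usual choice.]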
1848     					if((fwdfile=tmpfile())==NULL) {
1849     						lprintf(LOG_ERR,"ERROR line %d opening forward temp "
1850     							"file",__LINE__);
1851     						match=1;
1852     						break;
1853     					}

** CID 515047:  Control flow issues  (NO_EFFECT)
/sbbsecho.c: 1635 in alter_areas_ini()


________________________________________________________________________________________________________
*** CID 515047:  Control flow issues  (NO_EFFECT)
/sbbsecho.c: 1635 in alter_areas_ini()
1629     				continue;
1630     			}
1631     		}
1632     		if(add_area[0] != NULL) { 				/* Check for areas to add */
1633     			bool add_all = (stricmp(add_area[0], "+ALL") == 0);
1634     			j = strListFind(add_area, echotag, /* case-sensitive */false);
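>>>     CID 515047:  Control flow issues  (NO_EFFECT)
>>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "j >= 0U".
>>>     [Editor's note: because j is unsigned, the inner test on line 1636 is always true as well, so line 1637 writes through add_area[j] even when only "+ALL" matched. If strListFind() reports "not found" with a negative value, that index is out of range; holding the result in a signed variable would make both tests meaningful. Confirm against strListFind()'s declaration.]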
1635     			if(add_all || j >= 0) {
1636     				if(j >= 0)
1637     					add_area[j][0]=0;  /* So we can check other lists */
1638     				uint areanum = find_area(echotag);
1639     				if(!area_is_valid(areanum)) {
1640     					lprintf(LOG_ERR, "Invalid area num on line %d", __LINE__);

** CID 515046:  Error handling issues  (CHECKED_RETURN)
/sbbsecho.c: 1989 in alter_areas()


________________________________________________________________________________________________________
*** CID 515046:  Error handling issues  (CHECKED_RETURN)
/sbbsecho.c: 1989 in alter_areas()
1983     			,smb_faddrtoa(&addr,NULL), (ulong)added, cfg.areafile);
1984     	if(deleted)
1985     		lprintf(LOG_DEBUG, "AreaFix (for %s) Removed links to %lu areas in %s"
1986     			,smb_faddrtoa(&addr,NULL), (ulong)deleted, cfg.areafile);
1987     	if(added || deleted) {
1988     		if(stat(cfg.areafile, &st) == 0)
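>>>     CID 515046:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "chmod(outpath, st.st_mode)" without checking return value. This library function may fail and return an error code.
>>>     [Editor's note: if chmod() fails here, the file renamed over cfg.areafile on line 1992 keeps the permissions it was created with rather than those of the original; logging the failure, as the rename() call below already does, would make that visible.]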
1989     			chmod(outpath, st.st_mode);
1990     		if(cfg.areafile_backups == 0 || !backup(cfg.areafile, cfg.areafile_backups, /* ren: */TRUE))
1991     			delfile(cfg.areafile, __LINE__);					/* Delete AREAS.BBS */
1992     		if(rename(outpath,cfg.areafile))		   /* Rename new AREAS.BBS file */
1993     			lprintf(LOG_ERR,"ERROR line %d renaming %s to %s",__LINE__,outpath,cfg.areafile);
1994     	}


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3D1jSz_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQbxEcP2FV-2FE8SZ4Zj-2B5i-2FvXMBc1u-2B9IyI73gYzjnV6pIIbqC2pGfKYB3KXIl7XZEKXLdLz8vi8-2BwsF6O91kuZqV1ShM13vaTkO37J3VV7GT6YwOX288v8WtwpdrdHMhRE2EqIozgp1HMSE07wuarfyxBLAND56oVPlNda7IFeLuFA-3D-3D


--- SBBSecho 3.23-Linux
                                                                                                                
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

SOURCE: echomail via QWK@pharcyde.org
