From: "Mcnamara, John"
To: "dev@dpdk.org"
Date: Wed, 30 Mar 2016 19:28:24 +0000
Subject: [dpdk-dev] New Defects reported by Coverity Scan for DPDK Data Plane Development Kit

Hi,

The following is forwarded from the latest Coverity scan on the DPDK head. As usual, I will send out semi-automated emails to the authors of the new defects.

In the meantime you can then review the defects online at:

    http://scan.coverity.com/projects/dpdk-data-plane-development-kit

You can register as "Contributor/Member" for the DPDK Coverity here:

    http://scan.coverity.com/users/sign_up

John.


Hi,

Please find the latest report on new defect(s) introduced to DPDK Data Plane Development Kit found with Coverity Scan.

9 new defect(s) introduced to DPDK Data Plane Development Kit found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)


** CID 124575:    (STRING_OVERFLOW)
/examples/l2fwd-crypto/main.c: 1005 in l2fwd_crypto_parse_args_long_options()
/examples/l2fwd-crypto/main.c: 982 in l2fwd_crypto_parse_args_long_options()


________________________________________________________________________________________________________
*** CID 124575:    (STRING_OVERFLOW)
/examples/l2fwd-crypto/main.c: 1005 in l2fwd_crypto_parse_args_long_options()
999
1000         /* Authentication options */
1001         else if (strcmp(lgopts[option_index].name, "auth_algo") == 0) {
1002             retval = parse_auth_algo(&options->auth_xform.auth.algo,
1003                     optarg);
1004             if (retval == 0)
>>>     CID 124575:    (STRING_OVERFLOW)
>>>     You might overrun the 32 byte fixed-size string "options->string_auth_algo" by copying "optarg" without checking the length.
1005                 strcpy(options->string_auth_algo, optarg);
1006             return retval;
1007         }
1008
1009         else if (strcmp(lgopts[option_index].name, "auth_op") == 0)
1010             return parse_auth_op(&options->auth_xform.auth.op,
/examples/l2fwd-crypto/main.c: 982 in l2fwd_crypto_parse_args_long_options()
976
977         /* Cipher options */
978         else if (strcmp(lgopts[option_index].name, "cipher_algo") == 0) {
979             retval = parse_cipher_algo(&options->cipher_xform.cipher.algo,
980                     optarg);
981             if (retval == 0)
>>>     CID 124575:    (STRING_OVERFLOW)
>>>     You might overrun the 32 byte fixed-size string "options->string_cipher_algo" by copying "optarg" without checking the length.
982                 strcpy(options->string_cipher_algo, optarg);
983             return retval;
984         }
985
986         else if (strcmp(lgopts[option_index].name, "cipher_op") == 0)
987             return parse_cipher_op(&options->cipher_xform.cipher.op,

** CID 124567:  Memory - corruptions  (OVERRUN)
/examples/ip_pipeline/init.c: 246 in app_init_eal()


________________________________________________________________________________________________________
*** CID 124567:  Memory - corruptions  (OVERRUN)
/examples/ip_pipeline/init.c: 246 in app_init_eal()
240
241         if (p->socket_mem) {
242             snprintf(buffer,
243                 sizeof(buffer),
244                 "--socket-mem=%s",
245                 p->socket_mem);
>>>     CID 124567:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "app->eal_argv" of 33 8-byte elements at element index 33 (byte offset 264) using index "n_args++" (which evaluates to 33).
246             app->eal_argv[n_args++] = strdup(buffer);
247         }
248
249         if (p->huge_dir) {
250             snprintf(buffer, sizeof(buffer), "--huge-dir=%s", p->huge_dir);
251             app->eal_argv[n_args++] = strdup(buffer);

** CID 124565:  Null pointer dereferences  (NULL_RETURNS)
/lib/librte_vhost/virtio-net.c: 296 in vhost_destroy_device()


________________________________________________________________________________________________________
*** CID 124565:  Null pointer dereferences  (NULL_RETURNS)
/lib/librte_vhost/virtio-net.c: 296 in vhost_destroy_device()
290      */
291     void
292     vhost_destroy_device(struct vhost_device_ctx ctx)
293     {
294         struct virtio_net *dev = get_device(ctx);
295
>>>     CID 124565:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a null pointer "dev".
296         if (dev->flags & VIRTIO_DEV_RUNNING)
297             notify_ops->destroy_device(dev);
298
299         cleanup_device(dev, 1);
300         free_device(dev);
301

** CID 124564:  Control flow issues  (MISSING_BREAK)
/app/test-pmd/cmdline.c: 8219 in cmd_flow_director_filter_parsed()


________________________________________________________________________________________________________
*** CID 124564:  Control flow issues  (MISSING_BREAK)
/app/test-pmd/cmdline.c: 8219 in cmd_flow_director_filter_parsed()
8213         }
8214
8215         switch (entry.input.flow_type) {
8216         case RTE_ETH_FLOW_FRAG_IPV4:
8217         case RTE_ETH_FLOW_NONFRAG_IPV4_OTHER:
8218             entry.input.flow.ip4_flow.proto = res->proto_value;
>>>     CID 124564:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
8219         case RTE_ETH_FLOW_NONFRAG_IPV4_UDP:
8220         case RTE_ETH_FLOW_NONFRAG_IPV4_TCP:
8221             IPV4_ADDR_TO_UINT(res->ip_dst,
8222                 entry.input.flow.ip4_flow.dst_ip);
8223             IPV4_ADDR_TO_UINT(res->ip_src,
8224                 entry.input.flow.ip4_flow.src_ip);

** CID 124563:  Null pointer dereferences  (FORWARD_NULL)
/drivers/net/vmxnet3/vmxnet3_rxtx.c: 734 in vmxnet3_recv_pkts()


________________________________________________________________________________________________________
*** CID 124563:  Null pointer dereferences  (FORWARD_NULL)
/drivers/net/vmxnet3/vmxnet3_rxtx.c: 734 in vmxnet3_recv_pkts()
728             } else {
729                 struct rte_mbuf *start = rxq->start_seg;
730
731                 VMXNET3_ASSERT(rxd->btype == VMXNET3_RXD_BTYPE_BODY);
732                 VMXNET3_ASSERT(start != NULL);
733
>>>     CID 124563:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "start".
734                 start->pkt_len += rxm->data_len;
735                 start->nb_segs++;
736
737                 rxq->last_seg->next = rxm;
738             }
739             rxq->last_seg = rxm;

** CID 124562:  Null pointer dereferences  (FORWARD_NULL)
/lib/librte_ether/rte_ethdev.c: 1518 in rte_eth_xstats_get()


________________________________________________________________________________________________________
*** CID 124562:  Null pointer dereferences  (FORWARD_NULL)
/lib/librte_ether/rte_ethdev.c: 1518 in rte_eth_xstats_get()
1512
1513         /* global stats */
1514         for (i = 0; i < RTE_NB_STATS; i++) {
1515             stats_ptr = RTE_PTR_ADD(&eth_stats,
1516                         rte_stats_strings[i].offset);
1517             val = *stats_ptr;
>>>     CID 124562:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "xstats".
1518             snprintf(xstats[count].name, sizeof(xstats[count].name),
1519                 "%s", rte_stats_strings[i].name);
1520             xstats[count++].value = val;
1521         }
1522
1523         /* per-rxq stats */

** CID 124558:  Security best practices violations  (DC.WEAK_CRYPTO)
/examples/ipsec-secgw/esp.c: 66 in random_iv_u64()


________________________________________________________________________________________________________
*** CID 124558:  Security best practices violations  (DC.WEAK_CRYPTO)
/examples/ipsec-secgw/esp.c: 66 in random_iv_u64()
60         IPSEC_ASSERT((n & 0x3) == 0);
61
62         for (i = 0; i < (n >> 3); i++)
63             buf[i] = rte_rand();
64
65         if (left)
>>>     CID 124558:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "lrand48" should not be used for security related applications, as linear congruential algorithms are too easy to break.
66             *((uint32_t *)&buf[i]) = (uint32_t)lrand48();
67     }
68
69     /* IPv4 Tunnel */
70     int
71     esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,

** CID 124557:  Error handling issues  (CHECKED_RETURN)
/lib/librte_ether/rte_ethdev.c: 1317 in rte_eth_tx_buffer_init()


________________________________________________________________________________________________________
*** CID 124557:  Error handling issues  (CHECKED_RETURN)
/lib/librte_ether/rte_ethdev.c: 1317 in rte_eth_tx_buffer_init()
1311     {
1312         if (buffer == NULL)
1313             return -EINVAL;
1314
1315         buffer->size = size;
1316         if (buffer->error_callback == NULL)
>>>     CID 124557:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "rte_eth_tx_buffer_set_err_callback" without checking return value (as is done elsewhere 6 out of 7 times).
1317             rte_eth_tx_buffer_set_err_callback(buffer,
1318                     rte_eth_tx_buffer_drop_callback, NULL);
1319
1320         return 0;
1321     }
1322

** CID 124556:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/lib/librte_vhost/virtio-net.c: 319 in vhost_set_ifname()


________________________________________________________________________________________________________
*** CID 124556:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/lib/librte_vhost/virtio-net.c: 319 in vhost_set_ifname()
313         if (dev == NULL)
314             return;
315
316         len = if_len > sizeof(dev->ifname) ?
317             sizeof(dev->ifname) : if_len;
318
>>>     CID 124556:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
>>>     Calling strncpy with a maximum size argument of 4096 bytes on destination array "dev->ifname" of size 4096 bytes might leave the destination string unterminated.
319         strncpy(dev->ifname, if_name, len);
320     }
321
322
323     /*
324      * Called from CUSE IOCTL: VHOST_SET_OWNER


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/dpdk-data-plane-development-kit?tab=overview