Date: Wed, 16 Mar 2005 09:08:48 -0800 (PST)
From: Will Froning <wfroning@angui.sh>
To: Ted Unangst <tedu@coverity.com>
Cc: hackers@freebsd.org
Subject: Re: some bugs in the kernel
Message-ID: <20050316090727.X45818@angui.sh>
In-Reply-To: <42360141.3080104@coverity.com>
References: <42360141.3080104@coverity.com>

On Mon, 14 Mar 2005, Ted Unangst wrote:

=>These bugs were found using the Coverity Prevent static analysis tool.
=>
=>Memory Leak
=>File: usr/home/tedu/src/sys/geom/geom_bsd.c
=>Function: g_bsd_ioctl
=>Returning at line 378 leaks the just allocated 'label'.
=>
=>Buffer Overrun
=>File: usr/home/tedu/src/sys/dev/hptmv/gui_lib.c
=>Function: hpt_default_ioctl
=>At line 1262, the loop bound of MAX_ARRAY_PER_VBUS is defined to be
=>twice the size of pVDevice (MAX_VDEVICE_PER_VBUS).
=>
=>Buffer Overrun
=>File: usr/home/tedu/src/sys/dev/hptmv/entry.c
=>Function: SetInquiryData
=>At line 2660, loop bound of 20 is greater than size of VendorID.
=>
=>Memory Leak
=>File: usr/home/tedu/src/sys/dev/pci/pci.c
=>Function: pci_suspend
=>If bus_generic_suspend fails at line 1061, 'devlist' is leaked.
=>
=>Use After Free, Memory Corruption
=>File: usr/home/tedu/src/sys/dev/mlx/mlx_pci.c
=>Function: mlx_pci_attach
=>Calling mlx_free on error at line 218 is dangerous, since mlx_attach
=>also called it. Eventually this will double free assorted bus resources.
=>
=>NULL pointer dereference
=>File: usr/home/tedu/src/sys/pci/if_ti.c
=>Function: ti_setmulti
=>malloc return at 1628 is not checked against NULL.

Just to make sure it is said again. Thanks!

Will

--
Will Froning
Unix Sys. Admin.
wfroning@angui.sh
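
The mlx_pci_attach finding quoted above (an error path tearing down state that the inner attach routine already tore down) as an added example, not code from the FreeBSD tree or from either poster. All struct and function names are constructed, and releases are counted instead of freed so the double release can be observed safely.

```c
#include <stdio.h>

/* Constructed stand-in for a bus resource; counts how often it is released. */
struct res { int releases; };
/* Hypothetical per-device state holding one resource handle. */
struct softc { struct res *irq; };

static void res_release(struct res *r) { r->releases++; }

/* Teardown that leaves the stale handle behind: unsafe to call twice. */
static void sc_free_stale(struct softc *sc)
{
    if (sc->irq != NULL)
        res_release(sc->irq);
}

/* Idempotent teardown: the handle is cleared once the resource is released. */
static void sc_free_once(struct softc *sc)
{
    if (sc->irq != NULL) {
        res_release(sc->irq);
        sc->irq = NULL;
    }
}

/* Inner attach step that fails and cleans up after itself. */
static int inner_attach(struct softc *sc, void (*teardown)(struct softc *))
{
    teardown(sc);
    return -1;
}

/* Outer attach: on error from the inner step it tears down again. */
static int outer_attach(void (*teardown)(struct softc *))
{
    struct res r = { 0 };
    struct softc sc = { &r };
    if (inner_attach(&sc, teardown) != 0)
        teardown(&sc);          /* second teardown of the same softc */
    return r.releases;          /* anything above 1 is a double release */
}

int releases_stale(void) { return outer_attach(sc_free_stale); }
int releases_once(void)  { return outer_attach(sc_free_once); }

int main(void)
{
    printf("stale: %d releases, cleared: %d\n", releases_stale(), releases_once());
    return 0;
}
```

Clearing the handle is one way to make a repeated teardown harmless; the other is to give exactly one of the two routines ownership of the cleanup.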
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050316090727.X45818>