tach
also called it. Eventually this will double free assorted bus resources.
NULL pointer dereference
File: usr/home/tedu/src/sys/pci/if_ti.c
Function: ti_setmulti
malloc return at 1628 is not checked against NULL.
--
Ted Unangst www.coverity.com
can somebody please review/commit this to freebsd? it is most of the
differences to permit openbsd to use the code. it should not change the
code in any functional way.
Index: ufs_dirhash.c
===
RCS file: /home/ncvs/src/sys/ufs/uf
while on the subject, there's a piece of code something like this in
freebsd:
/*
* We hash the name and then some other bit of data that is
* invariant over the dirhash's lifetime. Otherwise names
* differing only in the last byte are placed close to one
* a
On Wed, 14 Jan 2004, Steve Watt wrote:
> I'm trying to see if there's a way to get that information into the
> loader (or the driver) in some way that doesn't require rewriting a file
> in the flash every reboot, to avoid flash write cycles.
>
> I know there's some amount of NVRAM in PCs, but didn
Hi. These are some bugs found by Coverity in a static analysis run on the
FreeBSD kernel. All these are use after free bugs.
# New errors.
#
-
[UNINSPECTED]
X [BUG]
X [FALSE]
X
These are some more bugs from Coverity. Most look like typos.
# New errors.
#
-
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/cam/cam_xpt.c|1885|xpt
Some more. There are bugs where the code checks for NULL after using the
pointer. Usually means the check should be earlier, or is unnecessary.
# New errors.
#
-
[UNINSPECTED]
X [
A few final bugs from Coverity. Most of these are off by one, the RF bug
is malloc'ing the wrong type.
Thanks for looking.
# New errors.
#
-
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNK
On Fri, 9 Apr 2004, Brandon Erhart wrote:
> Are there any debuggers out there for BSD that will detect the heap/stack
> corruption!?
[standard disclaimer and note about self-promotion goes here :)]
valgrind and electric fence are very good suggestions. my own personal
pet project was adding gua
On Fri, 5 Mar 2004, Michael Bushkov wrote:
> Some time ago there was a discussion concerning in-process vs. IPC
> nsswitch implementation. We agreed that we should develop an example of
> IPC implementation and ask for a discussion. We are glad to present you
> sample implementation of the IPC nss
the following code, around line 562 in sys/rpc/rpcclnt.c, exceeds the
bounds of the array. each array is only four bytes, the [4] is too much.
/* Initialize other non-zero congestion variables */
rpc->rc_srtt[0] = rpc->rc_srtt[1] = rpc->rc_srtt[2] = rpc->rc_srtt[3] =
if lapic_create is passed the value 16, it will use it as index into
lapics, with potentially bad results. the check should be if (apic_id >=
MAX_APICID).
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To uns
in freebsd 4.10 nfs/nfs_vfsops.c:nfs_mountroot, the handling of swap_mp
is incorrect. the code at line 498 appears useless, and furthermore
uses swap_mp without initialization.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinf
Bugs found with Coverity's automated analysis. In each case, either the
NULL check is unnecessary, or it's too late because the variable was
already deref'd.
dev/firewire/fwohci.c:dump_db (debugging function)
pp can not be null (crash if it is)
dev/mpt/mpt_pci.c:mpt_detach
a null mpt won't surv
Andre Oppermann wrote:
Did you run your entire tool on the FreeBSD tree or is this subset of the
available tests and checks?
It's a small sample of the larger whole. The whole thing isn't as
interesting to look at yet, but I'm working on it.
___
[EMAIL
these are results from running Coverity's analysis over Freebsd 4.10 kernel.
two improper loops:
if_ef.c:566 and atapi-all.c
ng_socket.c: possible double free of resp 815 and 870, depending on
caller context. is this possible?
if_bfe.c: double call to bfe_release_resources will free lots of stu
Found during analysis with Coverity's tools. FreeBSD 4.10
atapi-cd.c, everywhere. I understand there was some question of not
being to deal with failure gracefully in ata, but many of these are in
functions like ioctl which can easily report errors.
igmp.c:find_rti
mii.c:mii_phy_probe. device_
errors in freebsd 4.10 found by Coverity's analysis.
awi_wep.c:awi_wep_setalgo, algo == sizeof
svr4_signal.c:SVR4_NSIG one larger than TBLSIZ
linprocfs_misc.c:linprocfs_doprocstatus, p_stat == sizeof
ibcs2_msg.c:ibcs2_poll, fd == FD_SETSIZE
if_ray.c:ray_rx_mgt_info, len == NWID_LEN
ciss.c:ciss_cam_
M. Warner Losh wrote:
In message: <[EMAIL PROTECTED]>
Ted Unangst <[EMAIL PROTECTED]> writes:
: aha_isa.c: aha_isa_attach: aha_free free "aha", can't use it
: afterwards, lots of examples.
aha_free doesn't actually free the aha, it just tears down
Julian Elischer wrote:
Ted Unangst wrote:
these are results from running Coverity's analysis over Freebsd 4.10
kernel.
two improper loops:
if_ef.c:566 and atapi-all.c
ng_socket.c: possible double free of resp 815 and 870, depending on
caller context. is this possible?
I'm not seein
your handling of -i at least is incorrect. after patching, i get very
wrong results. results vary depending on length of string.
reuelos:/tmp/grep-0.16> ./grep -i fastgrep *
grep.c:fastgrep_t *fg_pattern;
reuelos:/tmp/grep-0.16> ./grep fastgrep *
grep.c:fastgrep_t *fg_pattern;
grep.
My advisor Dawson Engler has written a deadlock detector, and we'd like
some verification. They look like bugs, unless there is some other reason
why two call chains cannot happen at the same time.
deadlock between ktrace_mtx and sema_mtx. is it possible to call
sema_timewait on ktrace_sema? cal
one more. This falls into the very improbable category. Ordinarily, I
don't think this is possible because FreeBSD doesn't support hotplug PCI,
so sk attachment can't be raced.
However, assuming I had some hot plug sk card, it seems like running
ifconfig sk0 at just the wrong point during sk1 at
On Fri, 8 Aug 2003, David Schultz wrote:
> On Wed, Aug 06, 2003, Ted Unangst wrote:
> > My advisor Dawson Engler has written a deadlock detector, and we'd like
> > some verification. They look like bugs, unless there is some other reason
> > why two call chains cann
On Mon, 11 Aug 2003, John Baldwin wrote:
> You can't ifconfig sk0 until after it attaches. sk0 and sk1 don't
> share locks, so you don't have to worry about the interaction there.
I believe they do share a lock. Each port of a dual port sk appears as an
individual interface, but they share the
On Thu, 7 Aug 2003, Robert Watson wrote:
> Neat -- sounds like two good catches given the responses so far. Can we
> expect more such reports forthcoming? This kind of help will be
> invaluable in finishing up the fine-grained locking work. Alternatively,
> do you plan to post the software? Is
On Fri, 24 Oct 2003, Michel TALON wrote:
> What is more interesting is to look at the actual benchmark results in
> http://bulk.fefe.de/scalability/
> in particular the section about mmap benchmarks, the only one where
> OpenBSD shines. However as soon as touching pages is benchmarked
> OpenBSD fa
On Sat, 25 Oct 2003, Terry Lambert wrote:
> Why does the benchmark need to be "fixed" for OpenBSD and not
> for any other platform?
openbsd does not have a unified cache between file system (pread) and vm
(mmap) interfaces. in the real world, it's unusual to find an application
that uses both in
28 matches
Mail list logo
