Hey all,

Here's the report now that next has been merged to master. And part of
this looks like backend updates finding new issues in existing code.

---------- Forwarded message ---------
From: <[email protected]>
Date: Tue, Jul 7, 2026 at 12:39 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <[email protected]>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 35
   - 10 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 20 of 35 defect(s)

Defect Details

** CID 648967:       Null pointer dereferences  (NULL_RETURNS)
/api/api.c: 545           in API_env_enum()


_____________________________________________________________________________________________
*** CID 648967:         Null pointer dereferences  (NULL_RETURNS)
/api/api.c: 545             in API_env_enum()
539             /* match the next entry after i */
540             i = hmatch_r("", i, &match, &env_htab);
541             if (i == 0)
542                     goto done;
543             buflen = strlen(match->key) + strlen(match->data) + 2;
544             var = realloc(var, buflen);
>>>     CID 648967:         Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "var" when calling 
>>> "snprintf". [Note: The source code implementation of the function has been 
>>> overridden by a builtin model.]
545             snprintf(var, buflen, "%s=%s", match->key, match->data);
546             *next = var;
547             return 0;
548
549     done:
550             free(var);

** CID 648966:       Memory - illegal accesses  (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648966:         Memory - illegal accesses  (STRING_NULL)
/boot/vbe_request.c: 204             in bootmeth_vbe_ft_fixup()
198                                         ofnode_get_name(dest), ret);
199                             if (*result.err_str) {
200                                     char *msg = strdup(result.err_str);
201
202                                     if (!msg)
203                                             return log_msg_ret("msg", 
-ENOMEM);
>>>     CID 648966:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "msg" to "ofnode_write_string", which 
>>> expects a null-terminated string.
204                                     ret = ofnode_write_string(dest, 
"vbe,error",
205                                                               msg);
206                                     if (ret) {
207                                             free(msg);
208                                             return log_msg_ret("str", 
-ENOMEM);
209                                     }

** CID 648965:         (TOCTOU)
/tools/image-host.c: 923           in fit_image_process_verity()
/tools/image-host.c: 923           in fit_image_process_verity()


_____________________________________________________________________________________________
*** CID 648965:           (TOCTOU)
/tools/image-host.c: 923             in fit_image_process_verity()
917                     fprintf(stderr, "Invalid hex in veritysetup output for 
'%s'\n",
918                             image_name);
919                     ret = -EINVAL;
920                     goto err_unlink;
921             }
922
>>>     CID 648965:           (TOCTOU)
>>>     Calling function "stat" to perform check on "tmpfile".
923             if (stat(tmpfile, &st)) {
924                     fprintf(stderr, "Can't stat temp file: %s\n",
925                             strerror(errno));
926                     ret = -EIO;
927                     goto err_unlink;
928             }
/tools/image-host.c: 923             in fit_image_process_verity()
917                     fprintf(stderr, "Invalid hex in veritysetup output for 
'%s'\n",
918                             image_name);
919                     ret = -EINVAL;
920                     goto err_unlink;
921             }
922
>>>     CID 648965:           (TOCTOU)
>>>     Calling function "stat" to perform check on "tmpfile".
923             if (stat(tmpfile, &st)) {
924                     fprintf(stderr, "Can't stat temp file: %s\n",
925                             strerror(errno));
926                     ret = -EIO;
927                     goto err_unlink;
928             }

** CID 648964:       Memory - illegal accesses  (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648964:         Memory - illegal accesses  (STRING_NULL)
/fs/fat/fat_write.c: 1489             in file_fat_write_at()
1483            debug("writing %s\n", filename);
1484
1485            filename_copy = strdup(filename);
1486            if (!filename_copy)
1487                    return -ENOMEM;
1488
>>>     CID 648964:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "filename_copy" to "split_filename", which 
>>> expects a null-terminated string.
1489            split_filename(filename_copy, &parent, &basename);
1490            if (!strlen(basename)) {
1491                    ret = -EINVAL;
1492                    goto exit;
1493            }
1494

** CID 648963:       Memory - illegal accesses  (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648963:         Memory - illegal accesses  (STRING_NULL)
/boot/bootmeth_extlinux.c: 164             in extlinux_read_bootflow()
158                     ret = bootmeth_try_file(bflow, desc, prefix, 
EXTLINUX_FNAME);
159             } while (ret && prefixes && prefixes[++i]);
160             if (ret)
161                     return log_msg_ret("try", ret);
162             size = bflow->size;
163
>>>     CID 648963:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "bflow->fname" to "bootmeth_alloc_file", 
>>> which expects a null-terminated string.
164             ret = bootmeth_alloc_file(bflow, 0x10000, ARCH_DMA_MINALIGN,
165                                       BFI_EXTLINUX_CFG);
166             if (ret)
167                     return log_msg_ret("read", ret);
168
169             ret = extlinux_fill_info(bflow);

** CID 648962:         (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648962:           (STRING_NULL)
/drivers/dfu/dfu.c: 183             in dfu_init_env_entities()
177                     pr_err("\"dfu_alt_info\" env variable not defined!\n");
178                     return -EINVAL;
179             }
180
181             env_bkp = strdup(str_env);
182             if (!interface && !devstr)
>>>     CID 648962:           (STRING_NULL)
>>>     Passing unterminated string "env_bkp" to "dfu_config_interfaces", which 
>>> expects a null-terminated string.
183                     ret = dfu_config_interfaces(env_bkp);
184             else
185                     ret = dfu_config_entities(env_bkp, interface, devstr);
186
187             if (ret) {
188                     pr_err("DFU entities configuration failed: %d\n", ret);
/drivers/dfu/dfu.c: 185             in dfu_init_env_entities()
179             }
180
181             env_bkp = strdup(str_env);
182             if (!interface && !devstr)
183                     ret = dfu_config_interfaces(env_bkp);
184             else
>>>     CID 648962:           (STRING_NULL)
>>>     Passing unterminated string "env_bkp" to "dfu_config_entities", which 
>>> expects a null-terminated string.
185                     ret = dfu_config_entities(env_bkp, interface, devstr);
186
187             if (ret) {
188                     pr_err("DFU entities configuration failed: %d\n", ret);
189                     pr_err("(partition table does not match 
dfu_alt_info?)\n");
190                     goto done;

** CID 648961:         (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648961:           (STRING_NULL)
/fs/squashfs/sqfs.c: 1243             in sqfs_split_path()
1237                    }
1238                    tmp_path[0] = '/';
1239                    strcpy(tmp_path + 1, path);
1240            }
1241
1242            /* String duplicates */
>>>     CID 648961:           (STRING_NULL)
>>>     Passing unterminated string "tmp_path" to "sandbox_strdup", which 
>>> expects a null-terminated string.
1243            dirc = strdup(tmp_path);
1244            if (!dirc) {
1245                    ret = -ENOMEM;
1246                    goto out;
1247            }
1248
/fs/squashfs/sqfs.c: 1255             in sqfs_split_path()
1249            basec = strdup(tmp_path);
1250            if (!basec) {
1251                    ret = -ENOMEM;
1252                    goto out;
1253            }
1254
>>>     CID 648961:           (STRING_NULL)
>>>     Passing unterminated string "dirc" to "sqfs_dirname", which expects a 
>>> null-terminated string.
1255            dname = sqfs_dirname(dirc);
1256            bname = sqfs_basename(basec);
1257
1258            *file = strdup(bname);
1259
1260            if (!*file) {
/fs/squashfs/sqfs.c: 1256             in sqfs_split_path()
1250            if (!basec) {
1251                    ret = -ENOMEM;
1252                    goto out;
1253            }
1254
1255            dname = sqfs_dirname(dirc);
>>>     CID 648961:           (STRING_NULL)
>>>     Passing unterminated string "basec" to "sqfs_basename", which expects a 
>>> null-terminated string.
1256            bname = sqfs_basename(basec);
1257
1258            *file = strdup(bname);
1259
1260            if (!*file) {
1261                    ret = -ENOMEM;

** CID 648944:       Memory - illegal accesses  (STRING_NULL)
/cmd/gpt.c: 60           in extract_env()


_____________________________________________________________________________________________
*** CID 648944:         Memory - illegal accesses  (STRING_NULL)
/cmd/gpt.c: 60             in extract_env()
54              return -1;
55
56      s = strdup(str);
57      if (s == NULL)
58              return -1;
59
>>>     CID 648944:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "s" to "strlen", which expects a 
>>> null-terminated string. [Note: The source code implementation of the 
>>> function has been overridden by a builtin model.]
60      memset(s + strlen(s) - 1, '\0', 1);
61      memmove(s, s + 2, strlen(s) - 1);
62
63      e = env_get(s);
64      if (e == NULL) {
65     #ifdef CONFIG_RANDOM_UUID

** CID 648943:         (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648943:           (STRING_NULL)
/fs/fat/fat_write.c: 2013             in fat_rename()
2007            if (!old_path_copy || !new_path_copy || !old_itr || !new_itr) {
2008                    log_debug("Error: out of memory\n");
2009                    ret = -ENOMEM;
2010                    goto exit;
2011            }
2012            split_filename(old_path_copy, &old_dirname, &old_basename);
>>>     CID 648943:           (STRING_NULL)
>>>     Passing unterminated string "new_path_copy" to "split_filename", which 
>>> expects a null-terminated string.
2013            split_filename(new_path_copy, &new_dirname, &new_basename);
2014
2015            if (normalize_longname(l_new_basename, new_basename)) {
2016                    log_debug("FAT: illegal filename (%s)\n", new_basename);
2017                    ret = -EINVAL;
2018                    goto exit;
/fs/fat/fat_write.c: 2012             in fat_rename()
2006            new_itr = malloc_cache_aligned(sizeof(fat_itr));
2007            if (!old_path_copy || !new_path_copy || !old_itr || !new_itr) {
2008                    log_debug("Error: out of memory\n");
2009                    ret = -ENOMEM;
2010                    goto exit;
2011            }
>>>     CID 648943:           (STRING_NULL)
>>>     Passing unterminated string "old_path_copy" to "split_filename", which 
>>> expects a null-terminated string.
2012            split_filename(old_path_copy, &old_dirname, &old_basename);
2013            split_filename(new_path_copy, &new_dirname, &new_basename);
2014
2015            if (normalize_longname(l_new_basename, new_basename)) {
2016                    log_debug("FAT: illegal filename (%s)\n", new_basename);
2017                    ret = -EINVAL;

** CID 648942:       Memory - illegal accesses  (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648942:         Memory - illegal accesses  (STRING_NULL)
/boot/bootmeth_android.c: 414             in avb_append_commandline()
408     static int avb_append_commandline(struct bootflow *bflow, char *cmdline)
409     {
410             char *arg = strsep(&cmdline, " ");
411             int ret;
412
413             while (arg) {
>>>     CID 648942:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "bflow->cmdline" to 
>>> "avb_append_commandline_arg", which expects a null-terminated string.
414                     ret = avb_append_commandline_arg(bflow, arg);
415                     if (ret < 0)
416                             return ret;
417
418                     arg = strsep(&cmdline, " ");
419             }

** CID 648941:       Memory - illegal accesses  (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648941:         Memory - illegal accesses  (STRING_NULL)
/fs/fat/fat_write.c: 1738             in fat_unlink()
1732            itr = malloc_cache_aligned(sizeof(fat_itr));
1733            if (!itr || !filename_copy) {
1734                    printf("Error: out of memory\n");
1735                    ret = -ENOMEM;
1736                    goto exit;
1737            }
>>>     CID 648941:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "filename_copy" to "split_filename", which 
>>> expects a null-terminated string.
1738            split_filename(filename_copy, &dirname, &basename);
1739
1740            if (!strcmp(dirname, "/") && !strcmp(basename, "")) {
1741                    printf("Error: cannot remove root\n");
1742                    ret = -EINVAL;
1743                    goto exit;

** CID 648940:       Memory - illegal accesses  (STRING_NULL)
/common/cli_hush.c: 2169           in set_local_var()


_____________________________________________________________________________________________
*** CID 648940:         Memory - illegal accesses  (STRING_NULL)
/common/cli_hush.c: 2169             in set_local_var()
2163
2164            name=strdup(s);
2165
2166            /* Assume when we enter this function that we are already in
2167             * NAME=VALUE format.  So the first order of business is to
2168             * split 's' on the '=' into 'name' and 'value' */
>>>     CID 648940:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "name" to "strchr", which expects a 
>>> null-terminated string. [Note: The source code implementation of the 
>>> function has been overridden by a builtin model.]
2169            value = strchr(name, '=');
2170            if (!value) {
2171                    free(name);
2172                    return -1;
2173            }
2174            *value++ = 0;

** CID 648939:         (STRING_NULL)


_____________________________________________________________________________________________
*** CID 648939:           (STRING_NULL)
/boot/bootmeth_script.c: 110             in script_read_bootflow_file()
104                     return log_msg_ret("read", ret);
105
106             ret = script_fill_info(bflow);
107             if (ret)
108                     return log_msg_ret("inf", ret);
109
>>>     CID 648939:           (STRING_NULL)
>>>     Passing unterminated string "bflow->subdir" to "bootmeth_alloc_other", 
>>> which expects a null-terminated string.
110             ret = bootmeth_alloc_other(bflow, "boot.bmp", BFI_LOGO,
111                                        &bflow->logo, &bflow->logo_size);
112             /* ignore error */
113
114             return 0;
115     }
/boot/bootmeth_script.c: 101             in script_read_bootflow_file()
95              return log_msg_ret("try", ret);
96
97      bflow->subdir = strdup(prefix ? prefix : "");
98      if (!bflow->subdir)
99              return log_msg_ret("prefix", -ENOMEM);
100
>>>     CID 648939:           (STRING_NULL)
>>>     Passing unterminated string "bflow->fname" to "bootmeth_alloc_file", 
>>> which expects a null-terminated string.
101             ret = bootmeth_alloc_file(bflow, 0x10000, ARCH_DMA_MINALIGN,
102                                       (enum bootflow_img_t)IH_TYPE_SCRIPT);
103             if (ret)
104                     return log_msg_ret("read", ret);
105
106             ret = script_fill_info(bflow);
/boot/bootmeth_script.c: 101             in script_read_bootflow_file()
95              return log_msg_ret("try", ret);
96
97      bflow->subdir = strdup(prefix ? prefix : "");
98      if (!bflow->subdir)
99              return log_msg_ret("prefix", -ENOMEM);
100
>>>     CID 648939:           (STRING_NULL)
>>>     Passing unterminated string "bflow->fname" to "bootmeth_alloc_file", 
>>> which expects a null-terminated string.
101             ret = bootmeth_alloc_file(bflow, 0x10000, ARCH_DMA_MINALIGN,
102                                       (enum bootflow_img_t)IH_TYPE_SCRIPT);
103             if (ret)
104                     return log_msg_ret("read", ret);
105
106             ret = script_fill_info(bflow);

** CID 648938:       Error handling issues  (CHECKED_RETURN)
/cmd/fastboot.c: 108           in do_fastboot_usb()


_____________________________________________________________________________________________
*** CID 648938:         Error handling issues  (CHECKED_RETURN)
/cmd/fastboot.c: 108             in do_fastboot_usb()
102
103             while (1) {
104                     if (g_dnl_detach())
105                             break;
106                     if (IS_ENABLED(CONFIG_CMD_FASTBOOT_ABORT_KEYED)) {
107                             if (tstc()) {
>>>     CID 648938:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "getchar()" without checking return value. This library 
>>> function may fail and return an error code. [Note: The source code 
>>> implementation of the function has been overridden by a builtin model.]
108                                     getchar();
109                                     puts("\rOperation aborted.\n");
110                                     break;
111                             }
112                     } else if (ctrlc()) {
113                             break;

** CID 648937:         (TAINTED_SCALAR)
/boot/image-fit.c: 259           in fit_image_print_dm_verity()
/boot/image-fit.c: 259           in fit_image_print_dm_verity()
/boot/image-fit.c: 268           in fit_image_print_dm_verity()
/boot/image-fit.c: 268           in fit_image_print_dm_verity()


_____________________________________________________________________________________________
*** CID 648937:           (TAINTED_SCALAR)
/boot/image-fit.c: 259             in fit_image_print_dm_verity()
253                     printf("%s  Verity algo:  %s\n", p, algo);
254
255             bin = fdt_getprop(fit, noffset, FIT_VERITY_DIGEST_PROP,
256                               &len);
257             if (bin && len > 0) {
258                     printf("%s  Verity hash:  ", p);
>>>     CID 648937:           (TAINTED_SCALAR)
>>>     Using tainted variable "len" as a loop boundary.
259                     for (i = 0; i < len; i++)
260                             printf("%02x", bin[i]);
261                     printf("\n");
262             }
263
264             bin = fdt_getprop(fit, noffset, FIT_VERITY_SALT_PROP,
/boot/image-fit.c: 259             in fit_image_print_dm_verity()
253                     printf("%s  Verity algo:  %s\n", p, algo);
254
255             bin = fdt_getprop(fit, noffset, FIT_VERITY_DIGEST_PROP,
256                               &len);
257             if (bin && len > 0) {
258                     printf("%s  Verity hash:  ", p);
>>>     CID 648937:           (TAINTED_SCALAR)
>>>     Using tainted variable "len" as a loop boundary.
259                     for (i = 0; i < len; i++)
260                             printf("%02x", bin[i]);
261                     printf("\n");
262             }
263
264             bin = fdt_getprop(fit, noffset, FIT_VERITY_SALT_PROP,
/boot/image-fit.c: 268             in fit_image_print_dm_verity()
262             }
263
264             bin = fdt_getprop(fit, noffset, FIT_VERITY_SALT_PROP,
265                               &len);
266             if (bin && len > 0) {
267                     printf("%s  Verity salt:  ", p);
>>>     CID 648937:           (TAINTED_SCALAR)
>>>     Using tainted variable "len" as a loop boundary.
268                     for (i = 0; i < len; i++)
269                             printf("%02x", bin[i]);
270                     printf("\n");
271             }
272     #endif
273     }
/boot/image-fit.c: 268             in fit_image_print_dm_verity()
262             }
263
264             bin = fdt_getprop(fit, noffset, FIT_VERITY_SALT_PROP,
265                               &len);
266             if (bin && len > 0) {
267                     printf("%s  Verity salt:  ", p);
>>>     CID 648937:           (TAINTED_SCALAR)
>>>     Using tainted variable "len" as a loop boundary.
268                     for (i = 0; i < len; i++)
269                             printf("%02x", bin[i]);
270                     printf("\n");
271             }
272     #endif
273     }

** CID 648936:         (STRING_NULL)
/fs/squashfs/sqfs.c: 1417           in sqfs_read_nest()


_____________________________________________________________________________________________
*** CID 648936:           (STRING_NULL)
/fs/squashfs/sqfs.c: 1408             in sqfs_read_nest()
1402
1403            /*
1404             * sqfs_opendir_nest will uncompress inode and directory
tables, and will
1405             * return a pointer to the directory that contains the 
requested file.
1406             */
1407            sqfs_split_path(&file, &dir, filename);
>>>     CID 648936:           (STRING_NULL)
>>>     Passing unterminated string "dir" to "sqfs_opendir_nest", which expects 
>>> a null-terminated string.
1408            ret = sqfs_opendir_nest(dir, &dirsp);
1409            if (ret) {
1410                    goto out;
1411            }
1412
1413            dirs = (struct squashfs_dir_stream *)dirsp;
/fs/squashfs/sqfs.c: 1417             in sqfs_read_nest()
1411            }
1412
1413            dirs = (struct squashfs_dir_stream *)dirsp;
1414
1415            /* For now, only regular files are able to be loaded */
1416            while (!sqfs_readdir_nest(dirsp, &dent)) {
>>>     CID 648936:           (STRING_NULL)
>>>     Passing unterminated string "file" to "strcmp", which expects a 
>>> null-terminated string. [Note: The source code implementation of the 
>>> function has been overridden by a builtin model.]
1417                    ret = strcmp(dent->name, file);
1418                    if (!ret)
1419                            break;
1420
1421                    free(dirs->entry);
1422                    dirs->entry = NULL;

** CID 648935:       Integer handling issues  (INTEGER_OVERFLOW)
/test/boot/fit_verity.c: 257           in fit_verity_test_bad_blocksize()


_____________________________________________________________________________________________
*** CID 648935:         Integer handling issues  (INTEGER_OVERFLOW)
/test/boot/fit_verity.c: 257             in fit_verity_test_bad_blocksize()
251             struct bootm_headers images;
252             int images_node, conf_node, confs_node, img_node, verity_node;
253             fdt32_t val;
254             int ret;
255
256             ret = fdt_create_empty_tree(buf, FIT_BUF_SIZE);
>>>     CID 648935:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "_val2", where "ret" is known to be equal to -18, overflows 
>>> the type of "_val2", which is type "unsigned int".
257             ut_assertok(ret);
258
259             images_node = fdt_add_subnode(buf, 0, "images");
260             ut_assert(images_node >= 0);
261
262             img_node = fdt_add_subnode(buf, images_node, "rootfs");

** CID 648934:       Memory - illegal accesses  (STRING_NULL)
/common/iomux.c: 58           in iomux_doenv()


_____________________________________________________________________________________________
*** CID 648934:         Memory - illegal accesses  (STRING_NULL)
/common/iomux.c: 58             in iomux_doenv()
52      i = 0;
53      temp = console_args;
54      for (;;) {
55              /* There's always one entry more than the number of commas. */
56              i++;
57
>>>     CID 648934:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "temp" to "strchr", which expects a 
>>> null-terminated string. [Note: The source code implementation of the 
>>> function has been overridden by a builtin model.]
58              temp = strchr(temp, ',');
59              if (temp == NULL)
60                      break;
61
62              temp++;
63      }

** CID 648933:       Memory - illegal accesses  (STRING_NULL)
/fs/squashfs/sqfs.c: 316           in sqfs_tokenize()


_____________________________________________________________________________________________
*** CID 648933:         Memory - illegal accesses  (STRING_NULL)
/fs/squashfs/sqfs.c: 316             in sqfs_tokenize()
310             char *aux, *strc;
311
312             strc = strdup(str);
313             if (!strc)
314                     return -ENOMEM;
315
>>>     CID 648933:         Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "strc" to "strcmp", which expects a 
>>> null-terminated string. [Note: The source code implementation of the 
>>> function has been overridden by a builtin model.]
316             if (!strcmp(strc, "/")) {
317                     tokens[0] = strdup(strc);
318                     if (!tokens[0]) {
319                             ret = -ENOMEM;
320                             goto free_strc;
321                     }

** CID 648960:         (TAINTED_SCALAR)
/test/boot/image_fdt.c: 53           in test_boot_fdt_add_mem_rsv_regions()


_____________________________________________________________________________________________
*** CID 648960:           (TAINTED_SCALAR)
/test/boot/image_fdt.c: 80             in test_boot_fdt_add_mem_rsv_regions()
74
75      /* Cleanup */
76     switch_fdt:
77      boot_fdt_add_mem_rsv_regions(old_blob);
78      gd->fdt_blob = old_blob;
79     free_blob:
>>>     CID 648960:           (TAINTED_SCALAR)
>>>     Passing tainted expression "*new_blob" to "dlfree", which uses it as an 
>>> offset.
80      free(new_blob);
81      return ret;
82     }
/test/boot/image_fdt.c: 53             in test_boot_fdt_add_mem_rsv_regions()
47      ut_assert_console_end();
48
49      /* Loading a new_blob device tree should be allowed */
50      fdt_sz = fdt_totalsize(gd->fdt_blob);
51      new_blob = malloc(fdt_sz);
52      ut_assertnonnull(new_blob);
>>>     CID 648960:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdt_sz" to "memcpy", which uses it as an 
>>> offset. [Note: The source code implementation of the function has been 
>>> overridden by a builtin model.]
53      memcpy(new_blob, gd->fdt_blob, fdt_sz);
54
55      nodeoffset = fdt_path_offset(new_blob, "/reserved-memory");
56      if (nodeoffset < 0)
57              goto free_blob;
58



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom

Attachment: signature.asc
Description: PGP signature

Reply via email to