On 14/10/15 0:49 , David Anderson wrote:
> FYI. I'm not sure how to fix these, or if they matter.

See below...
> *** CID 117636: Insecure data handling (TAINTED_SCALAR)
> /sched/size_regulator.cpp: 85 in main()
> 79 hi = atoi(argv[++i]);
> 80 } else if (!strcmp(argv[i], "-d")) {
> 81 log_messages.set_debug_level(atoi(argv[++i]));
> 82 } else if (!strcmp(argv[i], "--debug_leveld")) {
> 83 log_messages.set_debug_level(atoi(argv[++i]));
> 84 } else if (!strcmp(argv[i], "--sleep_time")) {
>>>> CID 117636: Insecure data handling (TAINTED_SCALAR)
>>>> Assigning: "sleep_time" = "atoi", which taints "sleep_time".
> 85 sleep_time = atoi(argv[++i]);
Don't use atoi(), as it's inherently insecure (it can cause undefined
behavior, and no error check is possible). Use strtol(), check the pointers for
errors and do range checks. Finally, cast to int if in range. Ergo:
write a function to do all this. Use C++ stringstreams to improve on that.
> *** CID 117635: Null pointer dereferences (REVERSE_INULL)
> /client/cs_platforms.cpp: 123 in CLIENT_STATE::detect_platforms()()
> 117 // find the 'uname' executable
> 118 do {
> 119 if (boinc_file_exists(uname[eno])) break;
> 120 } while (uname[++eno] != 0);
> 121
> 122 // run it and check the kernel machine architecture.
>>>> CID 117635: Null pointer dereferences (REVERSE_INULL)
>>>> Null-checking "uname[eno]" suggests that it may be null, but it
>>>> has already been dereferenced on all paths leading to the check.
> 123 if ( uname[eno] != 0 ) {
The description sounds clear to me. You do a check here, but the value
checked (a pointer) was already dereferenced earlier, without any check,
which can cause a segfault.
> *** CID 117633: Null pointer dereferences (REVERSE_INULL)
> /clientgui/AdvancedFrame.cpp: 1156 in
> CAdvancedFrame::OnWizardAttachProject(wxCommandEvent &)()
> 1150
> 1151 CWizardAttach* pWizard = new CWizardAttach(this);
> 1152
> 1153 wxString strURL = wxEmptyString;
> 1154 pWizard->Run(strURL, false);
> 1155
>>>> CID 117633: Null pointer dereferences (REVERSE_INULL)
>>>> Null-checking "pWizard" suggests that it may be null, but it has
>>>> already been dereferenced on all paths leading to the check.
> 1156 if (pWizard) {
> 1157 pWizard->Destroy();
> 1158 }
Here's a very obvious example. The check for NULL is done right after
dereferencing the pointer!? Useless...
HTH,
Oliver
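As an added illustration of the strtol() advice for the TAINTED_SCALAR finding (this is example code written for this page, not BOINC's own): a checked integer parser that reports missing arguments, overflow, trailing garbage and out-of-range values, plus the stringstream variant. The function names, the range 1..3600 and the argv loop are assumptions chosen for the example.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <sstream>
#include <string>

// Hypothetical replacement for the atoi(argv[++i]) calls in the quoted code.
// Returns true and stores the value in *out only if the whole string is a
// decimal integer within [lo, hi]; otherwise returns false and leaves *out alone.
bool parse_int_checked(const char* s, int lo, int hi, int* out) {
    if (s == nullptr || *s == '\0') return false;  // missing argument (argv[++i] ran past the end)
    char* end = nullptr;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE) return false;             // value does not fit in a long
    if (end == s) return false;                    // no digits consumed at all
    while (*end == ' ' || *end == '\t') ++end;     // tolerate trailing blanks only
    if (*end != '\0') return false;                // trailing garbage such as "12abc"
    if (v < lo || v > hi) return false;            // caller-supplied range check
    *out = static_cast<int>(v);                    // safe: already proven to be within int range
    return true;
}

// Same contract using a C++ stringstream, as suggested above.
bool parse_int_stream(const std::string& s, int lo, int hi, int& out) {
    std::istringstream in(s);
    long v;
    char extra;
    if (!(in >> v)) return false;                  // not a number, or overflow (failbit set)
    if (in >> extra) return false;                 // any non-whitespace left over is garbage
    if (v < lo || v > hi) return false;
    out = static_cast<int>(v);
    return true;
}

// Constructed argv loop in the style of the quoted option parsing.
// argv[argc] is guaranteed to be a null pointer, so argv[++i] is safe to pass
// even when the option is the last word on the command line.
int main(int argc, char** argv) {
    int sleep_time = 10;                           // assumed default
    for (int i = 1; i < argc; ++i) {
        if (!strcmp(argv[i], "--sleep_time")) {
            if (!parse_int_checked(argv[++i], 1, 3600, &sleep_time)) {
                fprintf(stderr, "--sleep_time needs an integer between 1 and 3600\n");
                return 2;
            }
        }
    }
    printf("sleep_time = %d\n", sleep_time);
    return 0;
}
```

The key difference from atoi() is that every failure mode has a distinct, checkable outcome: a null or empty argument, ERANGE from strtol(), an end pointer that did not move, leftover characters, and a value outside the caller's range all return false instead of silently producing 0 or an out-of-range number that later feeds a sleep() or a buffer size.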
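For the REVERSE_INULL finding in detect_platforms(), here is the loop shape the warning asks for, written as an added example rather than BOINC's code: the null test guards each table entry before it is passed to the existence check, so the search stops cleanly on an all-missing table. sample_exists() and the candidate table are constructed stand-ins for boinc_file_exists() and the real uname[] array.

```cpp
#include <cstdio>
#include <cstring>

// Constructed stand-in for boinc_file_exists(): pretends exactly one path exists.
bool sample_exists(const char* path) {
    return std::strcmp(path, "/usr/bin/uname") == 0;
}

// Search a null-terminated table of candidate paths and return the index of
// the first one that exists, or -1 if none does. Every dereference of
// candidates[i] happens only after candidates[i] has been tested for null.
int find_first_existing(const char* const* candidates, bool (*exists)(const char*)) {
    for (int i = 0; candidates[i] != nullptr; ++i) {
        if (exists(candidates[i])) return i;
    }
    return -1;
}

// Constructed candidate table in the style of the quoted uname[] array.
static const char* const kUnameCandidates[] = {
    "/bin/uname", "/usr/bin/uname", "/sbin/uname", nullptr
};

int main() {
    int idx = find_first_existing(kUnameCandidates, sample_exists);
    if (idx < 0) {
        std::puts("no uname executable found");
        return 1;
    }
    std::printf("using %s\n", kUnameCandidates[idx]);
    return 0;
}
```

The same ordering rule explains the AdvancedFrame.cpp finding: `new` throws std::bad_alloc rather than returning a null pointer, so by the time execution reaches `if (pWizard)` after `pWizard->Run(...)`, the pointer has already been used and the test can never be false.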
boinc_dev mailing list: http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
