Hi, I just did a run with coverity again on ConnMan. Here the results.
cheers, daniel -------- Original Message -------- Subject: New Defects reported by Coverity Scan for ConnMan Date: Mon, 11 Aug 2014 01:22:44 -0700 From: [email protected] Hi, Please find the latest report on new defect(s) introduced to ConnMan found with Coverity Scan. Defect(s) Reported-by: Coverity Scan Showing 18 of 18 defect(s) ** CID 1230754: Bad bit shift operation (BAD_SHIFT) /vpn/vpn-provider.c: 692 in get_route() ** CID 1230753: Bad bit shift operation (BAD_SHIFT) /src/config.c: 405 in load_service_generic() ** CID 1230752: Bad bit shift operation (BAD_SHIFT) /plugins/vpn.c: 1085 in parse_user_route() ** CID 1230755: Unchecked return value (CHECKED_RETURN) /gdhcp/client.c: 1700 in continue_renew() ** CID 1230768: (DC.WEAK_CRYPTO) /gdhcp/common.c: 364 in dhcpv6_init_header() ** CID 1230767: (DC.WEAK_CRYPTO) /gdhcp/client.c: 508 in send_release() ** CID 1230766: (DC.WEAK_CRYPTO) /gdhcp/ipv4ll.c: 53 in ipv4ll_random_ip() ** CID 1230765: (DC.WEAK_CRYPTO) /gdhcp/ipv4ll.c: 69 in ipv4ll_random_delay_ms() ** CID 1230764: (DC.WEAK_CRYPTO) /gdhcp/client.c: 2779 in g_dhcp_client_start() ** CID 1230763: (DC.WEAK_CRYPTO) /src/dhcpv6.c: 110 in get_random() ** CID 1230762: (DC.WEAK_CRYPTO) /src/config.c: 1383 in generate_random_string() ** CID 1230761: (DC.WEAK_CRYPTO) /tools/dnsproxy-test.c: 245 in get_id() /src/dnsproxy.c: 221 in get_id() ** CID 1230760: (DC.WEAK_CRYPTO) /gdhcp/client.c: 1709 in continue_renew() ** CID 1230759: (DC.WEAK_CRYPTO) /src/dhcpv6.c: 1626 in __connman_dhcpv6_start_info() ** CID 1230758: (DC.WEAK_CRYPTO) /src/dhcpv6.c: 1941 in __connman_dhcpv6_start() ** CID 1230757: (DC.WEAK_CRYPTO) /gdhcp/client.c: 1665 in continue_rebound() ** CID 1230769: Logically dead code (DEADCODE) /gdhcp/client.c: 2328 in listener_event() ** CID 1230771: Dereference after null check (FORWARD_NULL) /src/dhcp.c: 617 in __connman_dhcp_start() ________________________________________________________________________________________________________ *** CID 1230754: Bad bit shift operation (BAD_SHIFT) /vpn/vpn-provider.c: 692 in get_route() 686 long int value = strtol(netmask, &ptr, 10); 687 if (ptr != netmask && *ptr == '\0' && 688 value <= 32) 689 prefix_len = value; 690 } 691 >>> CID 1230754: Bad bit shift operation (BAD_SHIFT) >>> In expression "0xffffffffU << 32 - prefix_len", left shifting by more >>> than 31 bits has undefined behavior. The shift amount, "32 - prefix_len", >>> is 32. 692 addr = 0xffffffff << (32 - prefix_len); 693 netmask_in.s_addr = htonl(addr); 694 netmask = inet_ntoa(netmask_in); 695 696 DBG("network %s netmask %s", network, netmask); 697 } ________________________________________________________________________________________________________ *** CID 1230753: Bad bit shift operation (BAD_SHIFT) /src/config.c: 405 in load_service_generic() 399 char *ptr; 400 long int value = strtol(mask, &ptr, 10); 401 402 if (ptr != mask && *ptr == '\0' && value <= 32) 403 prefix_len = value; 404 >>> CID 1230753: Bad bit shift operation (BAD_SHIFT) >>> In expression "0xffffffffU << 32 - prefix_len", left shifting by more >>> than 31 bits has undefined behavior. The shift amount, "32 - prefix_len", >>> is 32. 405 addr = 0xffffffff << (32 - prefix_len); 406 netmask_in.s_addr = htonl(addr); 407 service->ipv4_netmask = 408 g_strdup(inet_ntoa(netmask_in)); 409 410 g_free(mask); ________________________________________________________________________________________________________ *** CID 1230752: Bad bit shift operation (BAD_SHIFT) /plugins/vpn.c: 1085 in parse_user_route() 1079 long int value = strtol(netmask, &ptr, 10); 1080 if (ptr != netmask && *ptr == '\0' && 1081 value <= 32) 1082 prefix_len = value; 1083 } 1084 >>> CID 1230752: Bad bit shift operation (BAD_SHIFT) >>> In expression "0xffffffffU << 32 - prefix_len", left shifting by more >>> than 31 bits has undefined behavior. The shift amount, "32 - prefix_len", >>> is 32. 1085 addr = 0xffffffff << (32 - prefix_len); 1086 netmask_in.s_addr = htonl(addr); 1087 netmask = inet_ntoa(netmask_in); 1088 1089 DBG("network %s netmask %s", network, netmask); 1090 } ________________________________________________________________________________________________________ *** CID 1230755: Unchecked return value (CHECKED_RETURN) /gdhcp/client.c: 1700 in continue_renew() 1694 } 1695 1696 static gboolean continue_renew (gpointer user_data) 1697 { 1698 GDHCPClient *dhcp_client = user_data; 1699 >>> CID 1230755: Unchecked return value (CHECKED_RETURN) >>> Calling "switch_listening_mode" without checking return value (as is >>> done elsewhere 8 out of 9 times). 1700 switch_listening_mode(dhcp_client, L3); 1701 send_request(dhcp_client); 1702 1703 if (dhcp_client->t1_timeout > 0) 1704 g_source_remove(dhcp_client->t1_timeout); 1705 ________________________________________________________________________________________________________ *** CID 1230768: (DC.WEAK_CRYPTO) /gdhcp/common.c: 364 in dhcpv6_init_header() 358 int id; 359 360 memset(packet, 0, sizeof(*packet)); 361 362 packet->message = type; 363 >>> CID 1230768: (DC.WEAK_CRYPTO) >>> "random()" should not be used for security related applications, as >>> linear congruential algorithms are too easy to break. 364 id = random(); 365 366 packet->transaction_id[0] = (id >> 16) & 0xff; 367 packet->transaction_id[1] = (id >> 8) & 0xff; 368 packet->transaction_id[2] = id & 0xff; 369 } ________________________________________________________________________________________________________ *** CID 1230767: (DC.WEAK_CRYPTO) /gdhcp/client.c: 508 in send_release() 502 { 503 struct dhcp_packet packet; 504 505 debug(dhcp_client, "sending DHCP release request"); 506 507 init_packet(dhcp_client, &packet, DHCPRELEASE); >>> CID 1230767: (DC.WEAK_CRYPTO) >>> "rand()" should not be used for security related applications, as >>> linear congruential algorithms are too easy to break. 508 packet.xid = rand(); 509 packet.ciaddr = htonl(ciaddr); 510 511 dhcp_add_option_uint32(&packet, DHCP_SERVER_ID, server); 512 513 return dhcp_send_kernel_packet(&packet, ciaddr, CLIENT_PORT, ________________________________________________________________________________________________________ *** CID 1230766: (DC.WEAK_CRYPTO) /gdhcp/ipv4ll.c: 53 in ipv4ll_random_ip() 47 else { 48 struct timeval tv; 49 gettimeofday(&tv, NULL); 50 srand(tv.tv_usec); 51 } 52 do { >>> CID 1230766: (DC.WEAK_CRYPTO) >>> "rand()" should not be used for security related applications, as >>> linear congruential algorithms are too easy to break. 53 tmp = rand(); 54 tmp = tmp & IN_CLASSB_HOST; 55 } while (tmp > (IN_CLASSB_HOST - 0x0200)); 56 return ((LINKLOCAL_ADDR + 0x0100) + tmp); 57 } 58 ________________________________________________________________________________________________________ *** CID 1230765: (DC.WEAK_CRYPTO) /gdhcp/ipv4ll.c: 69 in ipv4ll_random_delay_ms() 63 { 64 struct timeval tv; 65 guint tmp; 66 67 gettimeofday(&tv, NULL); 68 srand(tv.tv_usec); >>> CID 1230765: (DC.WEAK_CRYPTO) >>> "rand()" should not be used for security related applications, as >>> linear congruential algorithms are too easy to break. 69 tmp = rand(); 70 return tmp % (secs * 1000); 71 } 72 73 int ipv4ll_send_arp_packet(uint8_t* source_eth, uint32_t source_ip, 74 uint32_t target_ip, int ifindex) ________________________________________________________________________________________________________ *** CID 1230764: (DC.WEAK_CRYPTO) /gdhcp/client.c: 2779 in g_dhcp_client_start() 2773 2774 dhcp_client->state = INIT_SELECTING; 2775 re = switch_listening_mode(dhcp_client, L2); 2776 if (re != 0) 2777 return re; 2778 >>> CID 1230764: (DC.WEAK_CRYPTO) >>> "rand()" should not be used for security related applications, as >>> linear congruential algorithms are too easy to break. 2779 dhcp_client->xid = rand(); 2780 dhcp_client->start = time(NULL); 2781 } 2782 2783 if (!last_address) { 2784 addr = 0; ________________________________________________________________________________________________________ *** CID 1230763: (DC.WEAK_CRYPTO) /src/dhcpv6.c: 110 in get_random() 104 dhcp->MRD = 0; 105 } 106 } 107 108 static inline float get_random(void) 109 { >>> CID 1230763: (DC.WEAK_CRYPTO) >>> "rand()" should not be used for security related applications, as >>> linear congruential algorithms are too easy to break. 110 return (rand() % 200 - 100) / 1000.0; 111 } 112 113 /* Calculate a random delay, RFC 3315 chapter 14 */ 114 /* RT and MRT are milliseconds */ 115 static guint calc_delay(guint RT, guint MRT) ________________________________________________________________________________________________________ *** CID 1230762: (DC.WEAK_CRYPTO) /src/config.c: 1383 in generate_random_string() 1377 int i; 1378 1379 memset(str, '\0', length); 1380 1381 for (i = 0; i < length-1; i++) { 1382 do { >>> CID 1230762: (DC.WEAK_CRYPTO) >>> "random()" should not be used for security related applications, as >>> linear congruential algorithms are too easy to break. 1383 val = (uint8_t)(random() % 122); 1384 if (val < 48) 1385 val += 48; 1386 } while((val > 57 && val < 65) || (val > 90 && val < 97)); 1387 1388 str[i] = val; ________________________________________________________________________________________________________ *** CID 1230761: (DC.WEAK_CRYPTO) /tools/dnsproxy-test.c: 245 in get_id() 239 240 return 0; 241 } 242 243 static unsigned short get_id(void) 244 { >>> CID 1230761: (DC.WEAK_CRYPTO) >>> "random()" should not be used for security related applications, as >>> linear congruential algorithms are too easy to break. 245 return random(); 246 } 247 248 static void change_msg(unsigned char *msg, unsigned int tranid, 249 unsigned int host_loc, unsigned char host_count) 250 { /src/dnsproxy.c: 221 in get_id() 215 static GHashTable *listener_table = NULL; 216 static time_t next_refresh; 217 static GHashTable *partial_tcp_req_table; 218 219 static guint16 get_id(void) 220 { >>> CID 1230761: (DC.WEAK_CRYPTO) >>> "random()" should not be used for security related applications, as >>> linear congruential algorithms are too easy to break. 221 return random(); 222 } 223 224 static int protocol_offset(int protocol) 225 { 226 switch (protocol) { ________________________________________________________________________________________________________ *** CID 1230760: (DC.WEAK_CRYPTO) /gdhcp/client.c: 1709 in continue_renew() 1703 if (dhcp_client->t1_timeout > 0) 1704 g_source_remove(dhcp_client->t1_timeout); 1705 1706 dhcp_client->T1 >>= 1; 1707 1708 if (dhcp_client->T1 > 60) { >>> CID 1230760: (DC.WEAK_CRYPTO) >>> "rand()" should not be used for security related applications, as >>> linear congruential algorithms are too easy to break. 1709 dhcp_client->t1_timeout = g_timeout_add_full(G_PRIORITY_HIGH, 1710 dhcp_client->T1 * 1000 + (rand() % 2000) - 1000, 1711 continue_renew, 1712 dhcp_client, 1713 NULL); 1714 } ________________________________________________________________________________________________________ *** CID 1230759: (DC.WEAK_CRYPTO) /src/dhcpv6.c: 1626 in __connman_dhcpv6_start_info() 1620 1621 DBG("replace network %p dhcp %p", network, dhcp); 1622 1623 g_hash_table_replace(network_table, network, dhcp); 1624 1625 /* Initial timeout, RFC 3315, 18.1.5 */ >>> CID 1230759: (DC.WEAK_CRYPTO) >>> "rand()" should not be used for security related applications, as >>> linear congruential algorithms are too easy to break. 1626 delay = rand() % 1000; 1627 1628 dhcp->timeout = g_timeout_add(delay, start_info_req, dhcp); 1629 1630 return 0; 1631 } ________________________________________________________________________________________________________ *** CID 1230758: (DC.WEAK_CRYPTO) /src/dhcpv6.c: 1941 in __connman_dhcpv6_start() 1935 1936 DBG("replace network %p dhcp %p", network, dhcp); 1937 1938 g_hash_table_replace(network_table, network, dhcp); 1939 1940 /* Initial timeout, RFC 3315, 17.1.2 */ >>> CID 1230758: (DC.WEAK_CRYPTO) >>> "rand()" should not be used for security related applications, as >>> linear congruential algorithms are too easy to break. 1941 delay = rand() % 1000; 1942 1943 ipconfig_ipv6 = __connman_service_get_ip6config(service); 1944 last_address = __connman_ipconfig_get_dhcp_address(ipconfig_ipv6); 1945 1946 if (prefixes && last_address && ________________________________________________________________________________________________________ *** CID 1230757: (DC.WEAK_CRYPTO) /gdhcp/client.c: 1665 in continue_rebound() 1659 if (dhcp_client->t2_timeout> 0) 1660 g_source_remove(dhcp_client->t2_timeout); 1661 1662 /*recalculate remaining rebind time*/ 1663 dhcp_client->T2 >>= 1; 1664 if (dhcp_client->T2 > 60) { >>> CID 1230757: (DC.WEAK_CRYPTO) >>> "rand()" should not be used for security related applications, as >>> linear congruential algorithms are too easy to break. 1665 dhcp_client->t2_timeout = 1666 g_timeout_add_full(G_PRIORITY_HIGH, 1667 dhcp_client->T2 * 1000 + (rand() % 2000) - 1000, 1668 continue_rebound, 1669 dhcp_client, 1670 NULL); ________________________________________________________________________________________________________ *** CID 1230769: Logically dead code (DEADCODE) /gdhcp/client.c: 2328 in listener_event() 2322 if (!message_type) 2323 return TRUE; 2324 } 2325 2326 if (!message_type && !client_id) 2327 /* No message type / client id option, ignore package */ >>> CID 1230769: Logically dead code (DEADCODE) >>> Execution cannot reach this statement: "return 1;". 2328 return TRUE; 2329 2330 debug(dhcp_client, "received DHCP packet xid 0x%04x " 2331 "(current state %d)", xid, dhcp_client->state); 2332 2333 switch (dhcp_client->state) { ________________________________________________________________________________________________________ *** CID 1230771: Dereference after null check (FORWARD_NULL) /src/dhcp.c: 617 in __connman_dhcp_start() 611 if (!dhcp) 612 return -ENOMEM; 613 614 dhcp->ipconfig = ipconfig; 615 __connman_ipconfig_ref(ipconfig); 616 >>> CID 1230771: Dereference after null check (FORWARD_NULL) >>> Comparing "network" to null implies that "network" might be null. 617 if (network) { 618 dhcp->network = network; 619 connman_network_ref(network); 620 } 621 622 err = dhcp_initialize(dhcp); ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, http://scan.coverity.com/projects/754?tab=overview To unsubscribe from the email notification for new defects, http://scan5.coverity.com/cgi-bin/unsubscribe.py _______________________________________________ connman mailing list [email protected] https://lists.connman.net/mailman/listinfo/connman
