Fw: New Defects reported by Coverity Scan for ntpsec

2023-02-05 Thread Hal Murray via devel 
1439 default: {
1440/* There should be a way for the compiler to check this. */
1441 bool once =3D false;
>>> CID 435753:  Possible Control flow issues  (DEADCODE)
>>> Execution cannot reach this statement: "return;". =20
1442 if (once) return;  /* Avoid log file DDoS */

That's some of my new code.

In this case, I'm switching on a enum and have handled all the cases so the 
default "can't happen".

How do I get the compiler to tell me if I missed an option on a switch 
statement?

Of course, the data might get mashed, so the other question is:
  How do I get coverty to not complain about this code?



-- 
These are my opinions.  I hate spam.



___
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel

Re: Fw: New Defects reported by Coverity Scan for ntpsec

2022-03-16 Thread Hal Murray via devel 


I don't know my way around coverty.

Does this have a meaning?
> ** CID 349664:  Uninitialized variables  (UNINIT)

Can I poke that number into a web form or something like that?


I think I have a fix.  How do I test it?


-- 
These are my opinions.  I hate spam.



___
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel

Fw: New Defects reported by Coverity Scan for ntpsec

2022-03-16 Thread Gary E. Miller via devel 
Yo All!

New coverity found defect in NTPsec.

See below.


RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin


Begin forwarded message:

Please find the latest report on new defect(s) introduced to ntpsec
found with Coverity Scan.

1 new defect(s) introduced to ntpsec found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 349664:  Uninitialized variables  (UNINIT)



*** CID 349664:  Uninitialized variables  (UNINIT)
/tests/ntpd/nts_client.c: 122 in
TEST_nts_client_nts_client_process_response_core_() 116
0x80, nts_new_cookie, 0, 8, 1, 2, 3, 4, 5, 6, 7, 8, 117
/* server_negotiation skipped due to getaddrinfo()
containment breach */ 118   0x80,
nts_port_negotiation, 0, 2, 0, 3, 119   0x80,
nts_end_of_message, 0, 0 120}; 121  /* run */
>>> CID 349664:  Uninitialized variables  (UNINIT)
>>> Using uninitialized value "peer.srcadr" when calling
>>> "nts_client_process_response_core".  
122 success = nts_client_process_response_core(buf0,
sizeof(buf0), ); 123   /* check */
124 TEST_ASSERT_EQUAL(true, success);
125 TEST_ASSERT_EQUAL_INT16(AEAD_AES_SIV_CMAC_256,
peer.nts_state.aead); 126   TEST_ASSERT_EQUAL_INT32(8,
peer.nts_state.cookielen); 127  TEST_ASSERT_EQUAL_INT8(1,
peer.nts_state.cookies[0][0]);



To view the defects in Coverity Scan visit,
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yp8Ldxo61EGGRiTZ6U-2Bjg3sA07-2BBpfNSmUdAWFIW4-2FfVHYSy8cV7mYfZsABp8TO5F4-3DjMwg_V4vXdTh-2BxT-2BxCKbyFfrSoP7IYJKibTqYyKHgATb-2BpYZS-2FWAmCwblwmm8OcEIl6rwptgxCXQw8DeLi3jMzJ0Ec2uQGrvTHiyT6WJjvJ8OvJIHuVm4WHhe-2BcrRqlFkHWXlMqEgTM-2BeF7kt9bKBa-2FIvADI1y13fvqPKbRdFIZSeVcua8J3HFm7RKgR-2FfDsa3H-2FOV5xPhCsZTT6emXTwZ-2B5jog-3D-3D

  To manage Coverity Scan email notifications for "g...@rellim.com",
  click
  
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXx7Tfqjjbls0cEjccfNLTtXEyJGZ4VdMsA5BAyVQQG3-2BhiayktbDtQ9xydmCGCqXM-2FiCfaecVOZTo8suXWaB1cwto7f0wTnlZytc1QYkzBIo8-3DjF1g_V4vXdTh-2BxT-2BxCKbyFfrSoP7IYJKibTqYyKHgATb-2BpYZS-2FWAmCwblwmm8OcEIl6rwXXxfomDL5d4K9aapJ8FcOsqqb5zd2yMSNgtK221QuiXgR7tmqseRzvquUgRSaY3Qb17dEjt-2F8P1VYncR0LVXUkkvoGxsL5JZuNZOkz-2BPwjB46Boo1leo3ugTdcZUwzKANXYyje31ZbO0eRLHnHYJSg-3D-3D




RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin


pgp395n1jIaaZ.pgp
Description: OpenPGP digital signature
___
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel

Re: Fw: New Defects reported by Coverity Scan for ntpsec

2021-01-27 Thread Matthew Selsky via devel 
On Mon, Jan 25, 2021 at 03:21:10PM -0800, James Browning via devel wrote:

>Someone twisted a knob somewhere

A new client for Coverity was released and it's more picky than the old client 
apparently.

See https://scan.coverity.com/ "Coverity Upgrade to 2020.09"


Thanks,
-Matt
___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel

Re: Fw: New Defects reported by Coverity Scan for ntpsec

2021-01-25 Thread James Browning via devel 
On Mon, Jan 25, 2021 at 12:03 PM Gary E. Miller via devel 
wrote:

> Yo All!
>
> New coverity defects in ntpd.  See below.



> Date: Sun, 24 Jan 2021 07:29:27 + (UTC)
> From: scan-ad...@coverity.com
> To: g...@rellim.com
> Subject: New Defects reported by Coverity Scan for ntpsec
>


> 4 new defect(s) introduced to ntpsec found with Coverity Scan.



> ** CID 316495:  Insecure data handling  (TAINTED_SCALAR)
> /ntpd/ntp_scanner.c: 185 in lex_getch()
>

last touched 'Tue Jun 16 08:26:12 2020 -0400'


> *** CID 316494:  Insecure data handling  (TAINTED_SCALAR)
> /tests/common/tests_main.c: 96 in main()
>

last touched 'Thu Apr 9 03:08:24 2020 -0700'


> *** CID 316493:  Uninitialized variables  (UNINIT)
> /ntpd/refclock_generic.c: 2865 in parse_start()


last touched 'Fri Feb 14 21:49:45 2020 -0800'


> *** CID 316492:  Uninitialized variables  (UNINIT)
> /ntpd/refclock_oncore.c: 1887 in oncore_get_timestamp()


last touched 'Mon Aug 19 20:00:55 2019 -0400'

Someone twisted a knob somewhere and needs a wedgie. Also, the bugs need
adjusting as well.

I think some of those knobs should be turned down. The worst raft of errors
comes from ESlint for javascript that should be voted out of the tree and
then the next tier for C strings existing.
___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel

Fw: New Defects reported by Coverity Scan for ntpsec

2021-01-25 Thread Gary E. Miller via devel 
Yo All!

New coverity defects in ntpd.  See below.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin


Begin forwarded message:

Date: Sun, 24 Jan 2021 07:29:27 + (UTC)
From: scan-ad...@coverity.com
To: g...@rellim.com
Subject: New Defects reported by Coverity Scan for ntpsec


Hi,

Please find the latest report on new defect(s) introduced to ntpsec
found with Coverity Scan.

4 new defect(s) introduced to ntpsec found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)


** CID 316495:  Insecure data handling  (TAINTED_SCALAR)
/ntpd/ntp_scanner.c: 185 in lex_getch()



*** CID 316495:  Insecure data handling  (TAINTED_SCALAR)
/ntpd/ntp_scanner.c: 185 in lex_getch()
179 ch = stream->backch;
180 stream->backch = EOF;
181 if (stream->fpi)
182 conf_file_sum += (unsigned int)ch;
183 } else if (stream->fpi) {
184 /* fetch next 7-bit ASCII char (or EOF) from
file */
>>> CID 316495:  Insecure data handling  (TAINTED_SCALAR)
>>> Using tainted variable "ch" as a loop boundary.  
185 while ((ch = fgetc(stream->fpi)) != EOF && ch >
SCHAR_MAX) { 186stream->curpos.ncol++;
187 }
188 if (EOF != ch) {
189 conf_file_sum += (unsigned int)ch;
190 stream->curpos.ncol++;

** CID 316494:  Insecure data handling  (TAINTED_SCALAR)



*** CID 316494:  Insecure data handling  (TAINTED_SCALAR)
/tests/common/tests_main.c: 96 in main()
90  auth_init();
91  init_network();
92 
93  args_argc = argc;
94  args_argv = argv;
95 
>>> CID 316494:  Insecure data handling  (TAINTED_SCALAR)
>>> Passing tainted expression "**argv" to "UnityMain", which uses
>>> it as a loop boundary.  
96  return UnityMain(argc, argv, RunAllTests);

** CID 316493:  Uninitialized variables  (UNINIT)



*** CID 316493:  Uninitialized variables  (UNINIT)
/ntpd/refclock_generic.c: 2865 in parse_start()
2859/*
2860 * print out configuration
2861 */
2862NLOG(NLOG_CLOCKINFO)
2863{
2864/* conditional if clause for
conditional syslog */
>>> CID 316493:  Uninitialized variables  (UNINIT)
>>> Using uninitialized value "*parsedev" as argument to "%s" when
>>> calling "msyslog".  
2865msyslog(LOG_INFO, "REFCLOCK: PARSE
receiver #%d: reference clock \"%s\" (I/O device %s, PPS device %s)
added", 2866
parse->peer->procptr->refclkunit, 2867
parse->parse_type->cl_description, parsedev, 2868
(parse->ppsfd != parse->generic->io.fd) ?
parseppsdev : parsedev); 2869 2870
msyslog(LOG_INFO, "REFCLOCK: PARSE receiver #%d: Stratum %d, trust time
%s, precision %d",

** CID 316492:  Uninitialized variables  (UNINIT)



*** CID 316492:  Uninitialized variables  (UNINIT)
/ntpd/refclock_oncore.c: 1887 in oncore_get_timestamp()
1881if (!refclock_process(instance->pp)) {
1882refclock_report(instance->peer, CEVNT_BADTIME);
1883peer->cfg.flags &= ~FLAG_PPS;   /*
problem - clear PPS FLAG */ 1884return;
1885}
1886 
>>> CID 316492:  Uninitialized variables  (UNINIT)
>>> Using uninitialized value "*Msg" when calling "oncore_log".  
1887oncore_log(instance, LOG_INFO, Msg); /* this
is long message above */ 1888   instance->pollcnt = 2;
1889 
1890if (instance->polled) {
1891instance->polled = 0;
1892 /* instance->pp->dispersion = instance->pp->skew
= 0;*/



To view the defects in Coverity Scan visit,