<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small">Hello Christian,</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 29, 2021 at 1:47 PM Christian MAUDERER <<a href="mailto:christian.mauderer@embedded-brains.de">christian.mauderer@embedded-brains.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello Niteesh,<br>
<br>
Am 29.01.21 um 07:33 schrieb Niteesh G. S.:<br>
> Hello,<br>
> <br>
> <a href="https://lists.rtems.org/pipermail/devel/2021-January/064115.html" rel="noreferrer" target="_blank">https://lists.rtems.org/pipermail/devel/2021-January/064115.html</a> <br>
> <<a href="https://lists.rtems.org/pipermail/devel/2021-January/064115.html" rel="noreferrer" target="_blank">https://lists.rtems.org/pipermail/devel/2021-January/064115.html</a>><br>
> I have fixed defects reported in the above thread except<br>
> CID 1472595, 1472597 (ARRAY_VS_SINGLETON)<br>
> Along with the buffer we also take the size of the buffer this makes<br>
> sure that we don't read more than the buffer capacity.<br>
> But coverity reports this as an defect how can I fix this?<br>
<br>
Thanks for taking a look at these. Regarding the CID 1472595:<br>
<br>
What Coverity doesn't like is the following:<br>
<br>
You create a variable (phandle_t ref). You then pass the pointer of the <br>
variable to the rtems_ofw_get_enc_prop in the pcell_t *buf parameter. <br>
And rtems_ofw_get_enc_prop uses a buf[i] which might could be more than <br>
0 if you ask Coverity. Coverity is most likely not intelligent enough to <br>
understand the logic. I think it might be possible to suppress that <br>
message by creating the variable with<br>
<br>
phandle_t ref[1];<br>
<br>
and adapting the following uses of that variable. But please double <br>
check, that the code is correct when you do something like that. What <br>
isn't mentioned in that defect: In rtems_ofw_get_enc_prop you pass the <br>
buf to rtems_ofw_get_prop which uses a strncpy in line 201 to fill the <br>
buffer. That is _very_ odd for an integer value and might lead to wrong <br>
results.<br></blockquote><div class="gmail_default" style="font-size:small">Before passing the buffer to rtems_ofw_get_prop we also make sure it is</div><div class="gmail_default" style="font-size:small">a multiple of 4 using the assert.</div><div class="gmail_default" style="font-size:small">assert(len % 4 == 0);</div><div class="gmail_default" style="font-size:small">Is an assert the right way to make sure length is a multiple of 4, Can't they be</div><div class="gmail_default" style="font-size:small">removed during build?</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Thanks,</div><div class="gmail_default" style="font-size:small">Niteesh.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Best regards<br>
<br>
Christian<br>
<br>
> <br>
> Thanks,<br>
> Niteesh.<br>
> <br>
> On Fri, Jan 29, 2021 at 11:48 AM G S Niteesh Babu <<a href="mailto:niteesh.gs@gmail.com" target="_blank">niteesh.gs@gmail.com</a> <br>
> <mailto:<a href="mailto:niteesh.gs@gmail.com" target="_blank">niteesh.gs@gmail.com</a>>> wrote:<br>
> <br>
> Fixed use after free and null pointer dereference defects<br>
> <br>
> FIXES:<br>
> 1) CID 1472601 (NULL_RETURNS)<br>
> 2) CID 1472600 (USE_AFTER_FREE)<br>
> 3) CID 1472599 (USE_AFTER_FREE)<br>
> 4) CID 1472598 (USE_AFTER_FREE)<br>
> 5) CID 1472596 (USE_AFTER_FREE)<br>
> ---<br>
> bsps/shared/ofw/ofw.c | 10 +++++-----<br>
> 1 file changed, 5 insertions(+), 5 deletions(-)<br>
> <br>
> diff --git a/bsps/shared/ofw/ofw.c b/bsps/shared/ofw/ofw.c<br>
> index 82924b2600..fa94bfbf05 100644<br>
> --- a/bsps/shared/ofw/ofw.c<br>
> +++ b/bsps/shared/ofw/ofw.c<br>
> @@ -313,7 +313,7 @@ ssize_t rtems_ofw_get_prop_alloc(<br>
> }<br>
> <br>
> if (rtems_ofw_get_prop(node, propname, *buf, len) == -1) {<br>
> - rtems_ofw_free(buf);<br>
> + rtems_ofw_free(*buf);<br>
> *buf = NULL;<br>
> return -1;<br>
> }<br>
> @@ -344,7 +344,7 @@ ssize_t rtems_ofw_get_prop_alloc_multi(<br>
> }<br>
> <br>
> if (rtems_ofw_get_prop(node, propname, *buf, len) == -1) {<br>
> - rtems_ofw_free(buf);<br>
> + rtems_ofw_free(*buf);<br>
> *buf = NULL;<br>
> return -1;<br>
> }<br>
> @@ -373,7 +373,7 @@ ssize_t rtems_ofw_get_enc_prop_alloc(<br>
> }<br>
> <br>
> if (rtems_ofw_get_enc_prop(node, propname, *buf, len) == -1) {<br>
> - rtems_ofw_free(buf);<br>
> + rtems_ofw_free(*buf);<br>
> *buf = NULL;<br>
> return -1;<br>
> }<br>
> @@ -404,7 +404,7 @@ ssize_t rtems_ofw_get_enc_prop_alloc_multi(<br>
> }<br>
> <br>
> if (rtems_ofw_get_enc_prop(node, propname, *buf, len) == -1) {<br>
> - rtems_ofw_free(buf);<br>
> + rtems_ofw_free(*buf);<br>
> *buf = NULL;<br>
> return -1;<br>
> }<br>
> @@ -614,7 +614,7 @@ int rtems_ofw_get_reg(<br>
> offset = rtems_fdt_phandle_to_offset(parent);<br>
> ptr = fdt_getprop(fdtp, offset, "ranges", &len);<br>
> <br>
> - if (len < 0) {<br>
> + if (ptr == NULL) {<br>
> break;<br>
> }<br>
> <br>
> -- <br>
> 2.17.1<br>
> <br>
<br>
-- <br>
--------------------------------------------<br>
embedded brains GmbH<br>
Herr Christian MAUDERER<br>
Dornierstr. 4<br>
82178 Puchheim<br>
Germany<br>
email: <a href="mailto:christian.mauderer@embedded-brains.de" target="_blank">christian.mauderer@embedded-brains.de</a><br>
phone: +49-89-18 94 741 - 18<br>
fax: +49-89-18 94 741 - 08<br>
<br>
Registergericht: Amtsgericht München<br>
Registernummer: HRB 157899<br>
Vertretungsberechtigte Geschäftsführer: Peter Rasmussen, Thomas Dörfler<br>
Unsere Datenschutzerklärung finden Sie hier:<br>
<a href="https://embedded-brains.de/datenschutzerklaerung/" rel="noreferrer" target="_blank">https://embedded-brains.de/datenschutzerklaerung/</a><br>
</blockquote></div></div>