203943 – makefs: Coverity CID 977469: False positive

Bug 203943 - makefs: Coverity CID 977469: False positive

Summary: makefs: Coverity CID 977469: False positive

Status:	New

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	bin (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-10-21 20:04 UTC by scdbackup
Modified:	2017-11-05 20:47 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description scdbackup 2015-10-21 20:04:16 UTC

usr.sbin/makefs/cd9660/cd9660_debug.c

CID 977469: Out-of-bounds access (OVERRUN)
   1. overrun-buffer-val: Overrunning array pttemp->parent_number
   of 2 bytes by passing it to a function which accesses it at
   byte offset 3.

186        printf("<parent_number>%i</parent_number>\n",
187            debug_get_encoded_number(pttemp->parent_number,mode));

--------------- Source analysis:

The problem is with debug_get_encoded_number() which depending
on iparameter "mode" reads more or less bytes.

The complained call is in function debug_dump_to_xml_ptentry(),
which gets called only by function debug_dump_to_xml_path_table().
It gets the "mode" value as parameter.
This function gets called at two occasions in debug_dump_to_xml():

        debug_dump_to_xml_path_table(fd, t, t2, 721);

        debug_dump_to_xml_path_table(fd, t, t2, 722);

The modes 721 and 722 select 2-byte reading in debug_get_encoded_number().
So the size of pttemp->parent_number is sufficient.

--------------- Remedy proposal:

In Coverity classify CID 977469 as "False positive" and set its Action
to "Ignore".

Comment 1 Enji Cooper freebsd_committer

2015-10-25 22:12:58 UTC

Bulk taking makefs bugs.

Comment 2 Enji Cooper freebsd_committer

2017-11-05 20:47:21 UTC

Releasing bugs back to the pool.