Bug 203943 - makefs: Coverity CID 977469: False positive
Summary: makefs: Coverity CID 977469: False positive
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-21 20:04 UTC by scdbackup
Modified: 2017-11-05 20:47 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description scdbackup 2015-10-21 20:04:16 UTC
usr.sbin/makefs/cd9660/cd9660_debug.c

CID 977469: Out-of-bounds access (OVERRUN)
   1. overrun-buffer-val: Overrunning array pttemp->parent_number
   of 2 bytes by passing it to a function which accesses it at
   byte offset 3.

186        printf("<parent_number>%i</parent_number>\n",
187            debug_get_encoded_number(pttemp->parent_number,mode));

--------------- Source analysis:

The problem is with debug_get_encoded_number() which depending
on iparameter "mode" reads more or less bytes.

The complained call is in function debug_dump_to_xml_ptentry(),
which gets called only by function debug_dump_to_xml_path_table().
It gets the "mode" value as parameter.
This function gets called at two occasions in debug_dump_to_xml():

        debug_dump_to_xml_path_table(fd, t, t2, 721);

        debug_dump_to_xml_path_table(fd, t, t2, 722);

The modes 721 and 722 select 2-byte reading in debug_get_encoded_number().
So the size of pttemp->parent_number is sufficient.

--------------- Remedy proposal:

In Coverity classify CID 977469 as "False positive" and set its Action
to "Ignore".
Comment 1 Enji Cooper freebsd_committer 2015-10-25 22:12:58 UTC
Bulk taking makefs bugs.
Comment 2 Enji Cooper freebsd_committer 2017-11-05 20:47:21 UTC
Releasing bugs back to the pool.