[openobex/f18] Fixed errors found by Coverity scan.
Tomas Hozza
thozza at fedoraproject.org
Fri Dec 7 12:51:23 UTC 2012
commit 9ab36a825635c4005aff4f92d5bf52cf38be8bac
Author: Tomas Hozza <thozza at redhat.com>
Date: Fri Dec 7 13:14:31 2012 +0100
Fixed errors found by Coverity scan.
Signed-off-by: Tomas Hozza <thozza at redhat.com>
openobex-1.3-ipv6.patch | 278 --------
openobex-1.3-ircp.patch | 30 -
openobex-1.3-utf.patch | 103 ---
openobex-1.5-coverity-errors.patch | 1304 ++++++++++++++++++++++++++++++++++++
openobex-apps-1.0.0-push.patch | 237 -------
openobex.spec | 10 +-
6 files changed, 1313 insertions(+), 649 deletions(-)
---
diff --git a/openobex-1.5-coverity-errors.patch b/openobex-1.5-coverity-errors.patch
new file mode 100644
index 0000000..b083452
--- /dev/null
+++ b/openobex-1.5-coverity-errors.patch
@@ -0,0 +1,1304 @@
+From 905a4031a282286b9f262f72233dccf5264d07e1 Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Thu, 6 Dec 2012 15:26:00 +0100
+Subject: [PATCH 01/15] NEGATIVE_RETURNS (CWE-394)
+
+Coverity output:
+openobex-1.5.0-Source/ircp/ircp_client.c:281: cond_false: Condition
+"!(cli != NULL)", taking false branch
+openobex-1.5.0-Source/ircp/ircp_client.c:281: if_end: End of if
+statement
+openobex-1.5.0-Source/ircp/ircp_client.c:285: negative_return_fn:
+Function "open(localname, 0, 0)" returns a negative number.
+openobex-1.5.0-Source/ircp/ircp_client.c:285: var_assign: Assigning:
+signed variable "cli->fd" = "open(char const *, int, ...)".
+openobex-1.5.0-Source/ircp/ircp_client.c:286: cond_true: Condition
+"cli->fd < 0", taking true branch
+openobex-1.5.0-Source/ircp/ircp_client.c:287: if_fallthrough: Falling
+through to end of if statement
+openobex-1.5.0-Source/ircp/ircp_client.c:289: if_end: End of if
+statement
+openobex-1.5.0-Source/ircp/ircp_client.c:291: negative_returns:
+"cli->fd" is passed to a parameter that cannot be negative.
+---
+ ircp/ircp_client.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/ircp/ircp_client.c b/ircp/ircp_client.c
+index 1211275..140a0a6 100644
+--- a/ircp/ircp_client.c
++++ b/ircp/ircp_client.c
+@@ -283,12 +283,13 @@ static int ircp_put_file(ircp_client_t *cli, char *localname, char *remotename)
+ object = build_object_from_file(cli->obexhandle, localname, remotename);
+
+ cli->fd = open(localname, O_RDONLY, 0);
+- if(cli->fd < 0)
++ if(cli->fd < 0) {
+ ret = -1;
+- else
++ }
++ else {
+ ret = cli_sync_request(cli, object);
+-
+- close(cli->fd);
++ close(cli->fd);
++ }
+
+ if(ret < 0)
+ cli->infocb(IRCP_EV_ERR, localname);
+--
+1.7.11.7
+
+
+From 6fe0d32d9730ff75c36c8cfc47b64b0c45b2d261 Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Thu, 6 Dec 2012 15:42:00 +0100
+Subject: [PATCH 02/15] OVERRUN
+
+Coverity output:
+openobex-1.5.0-Source/apps/obex_test.c:118: cond_true: Condition
+"(inaddr = inet_addr(name)) != 4294967295UL /* (unsigned
+long)4294967295U */", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:119: overrun-buffer-arg:
+Overrunning struct type in_addr of 4 bytes by passing it to a function
+which accesses it at byte offset 7 using argument "8UL".
+---
+ apps/obex_test.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/apps/obex_test.c b/apps/obex_test.c
+index 82af2c4..c04aa5d 100644
+--- a/apps/obex_test.c
++++ b/apps/obex_test.c
+@@ -40,17 +40,15 @@
+ #include <arpa/inet.h>
+ #include <netdb.h>
+ #include <netinet/in.h>
+-#endif
++#else
++#define in_addr_t unsigned long
++#endif /* _WIN32 */
+
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+-#ifndef in_addr_t
+-#define in_addr_t unsigned long
+-#endif
+-
+ #define TRUE 1
+ #define FALSE 0
+
+--
+1.7.11.7
+
+
+From bda5c4a1f05cb891a092a19d07e9ffeff4125296 Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Thu, 6 Dec 2012 15:47:12 +0100
+Subject: [PATCH 03/15] RESOURCE_LEAK (CWE-404)
+
+Coverity output:
+openobex-1.5.0-Source/lib/databuffer.c:108: cond_false: Condition "!p",
+taking false branch
+openobex-1.5.0-Source/lib/databuffer.c:109: if_end: End of if statement
+openobex-1.5.0-Source/lib/databuffer.c:111: cond_true: Condition
+"new_size < bSize", taking true branch
+openobex-1.5.0-Source/lib/databuffer.c:113: cond_true: Condition "itRem
+> p->data_avail", taking true branch
+openobex-1.5.0-Source/lib/databuffer.c:116: if_fallthrough: Falling
+through to end of if statement
+openobex-1.5.0-Source/lib/databuffer.c:119: if_end: End of if statement
+openobex-1.5.0-Source/lib/databuffer.c:120: cond_true: Condition "itRem
+> p->tail_avail", taking true branch
+openobex-1.5.0-Source/lib/databuffer.c:123: if_fallthrough: Falling
+through to end of if statement
+openobex-1.5.0-Source/lib/databuffer.c:126: if_end: End of if statement
+openobex-1.5.0-Source/lib/databuffer.c:130: cond_true: Condition "itRem
+> p->head_avail", taking true branch
+openobex-1.5.0-Source/lib/databuffer.c:134: if_fallthrough: Falling
+through to end of if statement
+openobex-1.5.0-Source/lib/databuffer.c:138: if_end: End of if statement
+openobex-1.5.0-Source/lib/databuffer.c:139: cond_true: Condition "itRem
+> p->data_size", taking true branch
+openobex-1.5.0-Source/lib/databuffer.c:141: if_fallthrough: Falling
+through to end of if statement
+openobex-1.5.0-Source/lib/databuffer.c:143: if_end: End of if statement
+openobex-1.5.0-Source/lib/databuffer.c:145: if_fallthrough: Falling
+through to end of if statement
+openobex-1.5.0-Source/lib/databuffer.c:146: if_end: End of if statement
+openobex-1.5.0-Source/lib/databuffer.c:147: alloc_fn: Storage is
+returned from allocation function "realloc(void *, size_t)".
+openobex-1.5.0-Source/lib/databuffer.c:147: var_assign: Assigning: "tmp"
+= storage returned from "realloc(p->buffer, new_size)".
+openobex-1.5.0-Source/lib/databuffer.c:148: cond_true: Condition
+"!new_size", taking true branch
+openobex-1.5.0-Source/lib/databuffer.c:155: leaked_storage: Variable
+"tmp" going out of scope leaks the storage it points to.
+---
+ lib/databuffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/databuffer.c b/lib/databuffer.c
+index 7b71fdf..e3934f4 100644
+--- a/lib/databuffer.c
++++ b/lib/databuffer.c
+@@ -144,7 +144,6 @@ void buf_resize(buf_t *p, size_t new_size)
+ bSize = 0;
+ } else
+ bSize = new_size - bSize;
+- tmp = realloc(p->buffer, new_size);
+ if (!new_size) {
+ p->buffer = NULL;
+ p->data = NULL;
+@@ -154,6 +153,7 @@ void buf_resize(buf_t *p, size_t new_size)
+ p->data_size = 0;
+ return;
+ }
++ tmp = realloc(p->buffer, new_size);
+ if (!tmp)
+ return;
+ p->data_avail += bSize;
+--
+1.7.11.7
+
+
+From c6f7cf9d6bcf458d95d29101c4b5602bbef2e0cc Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Thu, 6 Dec 2012 16:00:43 +0100
+Subject: [PATCH 04/15] RESOURCE_LEAK (CWE-404)
+
+Coverity output:
+openobex-1.5.0-Source/ircp/ircp_client.c:281: cond_false: Condition
+"!(cli != NULL)", taking false branch
+openobex-1.5.0-Source/ircp/ircp_client.c:281: if_end: End of if
+statement
+openobex-1.5.0-Source/ircp/ircp_client.c:283: alloc_fn: Storage is
+returned from allocation function "build_object_from_file(obex_t *, char
+const *, char const *)".
+openobex-1.5.0-Source/ircp/ircp_io.c:72:2: alloc_fn: Storage is returned
+from allocation function "OBEX_ObjectNew(obex_t *, uint8_t)".
+openobex-1.5.0-Source/lib/obex.c:626:2: cond_false: Condition "!(self !=
+NULL)", taking false branch
+openobex-1.5.0-Source/lib/obex.c:626:2: if_end: End of if statement
+openobex-1.5.0-Source/lib/obex.c:628:2: alloc_fn: Storage is returned
+from allocation function "obex_object_new(void)".
+openobex-1.5.0-Source/lib/obex_object.c:46:2: alloc_fn: Storage is
+returned from allocation function "malloc(size_t)".
+openobex-1.5.0-Source/lib/obex_object.c:46:2: var_assign: Assigning:
+"object" = "malloc(120UL)".
+openobex-1.5.0-Source/lib/obex_object.c:47:2: cond_false: Condition
+"object == NULL", taking false branch
+openobex-1.5.0-Source/lib/obex_object.c:48:3: if_end: End of if
+statement
+openobex-1.5.0-Source/lib/obex_object.c:50:2: noescape: Resource
+"object" is not freed or pointed-to in function "memset(void *, int,
+size_t)".
+openobex-1.5.0-Source/lib/obex_object.c:52:2: noescape: Resource
+"object" is not freed or pointed-to in function
+"obex_object_setrsp(obex_object_t *, uint8_t, uint8_t)".
+openobex-1.5.0-Source/lib/obex_object.c:128:39: noescape:
+"obex_object_setrsp(obex_object_t *, uint8_t, uint8_t)" does not free or
+save its pointer parameter "object".
+openobex-1.5.0-Source/lib/obex_object.c:54:2: return_alloc: Returning
+allocated memory "object".
+openobex-1.5.0-Source/lib/obex.c:628:2: var_assign: Assigning: "object"
+= "obex_object_new()".
+openobex-1.5.0-Source/lib/obex.c:629:2: cond_false: Condition "object ==
+NULL", taking false branch
+openobex-1.5.0-Source/lib/obex.c:630:3: if_end: End of if statement
+openobex-1.5.0-Source/lib/obex.c:632:2: noescape: Resource "object" is
+not freed or pointed-to in function "obex_object_setcmd(obex_object_t *,
+uint8_t, uint8_t)".
+openobex-1.5.0-Source/lib/obex_object.c:113:39: noescape:
+"obex_object_setcmd(obex_object_t *, uint8_t, uint8_t)" does not free or
+save its pointer parameter "object".
+openobex-1.5.0-Source/lib/obex.c:634:2: cond_true: Condition "cmd == 0",
+taking true branch
+openobex-1.5.0-Source/lib/obex.c:635:3: noescape: Resource "object" is
+not freed or pointed-to in function "obex_insert_connectframe(obex_t *,
+obex_object_t *)".
+openobex-1.5.0-Source/lib/obex_connect.c:42:59: noescape:
+"obex_insert_connectframe(obex_t *, obex_object_t *)" does not free or
+save its pointer parameter "object".
+openobex-1.5.0-Source/lib/obex.c:635:3: cond_false: Condition
+"obex_insert_connectframe(self, object) < 0", taking false branch
+openobex-1.5.0-Source/lib/obex.c:638:3: if_end: End of if statement
+openobex-1.5.0-Source/lib/obex.c:641:2: return_alloc: Returning
+allocated memory "object".
+openobex-1.5.0-Source/ircp/ircp_io.c:72:2: var_assign: Assigning:
+"object" = "OBEX_ObjectNew(handle, 2)".
+openobex-1.5.0-Source/ircp/ircp_io.c:73:2: cond_false: Condition "object
+== NULL", taking false branch
+openobex-1.5.0-Source/ircp/ircp_io.c:74:3: if_end: End of if statement
+openobex-1.5.0-Source/ircp/ircp_io.c:78:2: cond_false: Condition "ucname
+== NULL", taking false branch
+openobex-1.5.0-Source/ircp/ircp_io.c:79:3: if_end: End of if statement
+openobex-1.5.0-Source/ircp/ircp_io.c:84:2: noescape: Resource "object"
+is not freed or pointed-to in function "OBEX_ObjectAddHeader(obex_t *,
+obex_object_t *, uint8_t, obex_headerdata_t, uint32_t, unsigned int)".
+openobex-1.5.0-Source/lib/obex.c:713:63: noescape:
+"OBEX_ObjectAddHeader(obex_t *, obex_object_t *, uint8_t,
+obex_headerdata_t, uint32_t, unsigned int)" does not free or save its
+pointer parameter "object".
+openobex-1.5.0-Source/ircp/ircp_io.c:88:2: noescape: Resource "object"
+is not freed or pointed-to in function "OBEX_ObjectAddHeader(obex_t *,
+obex_object_t *, uint8_t, obex_headerdata_t, uint32_t, unsigned int)".
+openobex-1.5.0-Source/lib/obex.c:713:63: noescape:
+"OBEX_ObjectAddHeader(obex_t *, obex_object_t *, uint8_t,
+obex_headerdata_t, uint32_t, unsigned int)" does not free or save its
+pointer parameter "object".
+openobex-1.5.0-Source/ircp/ircp_io.c:98:2: noescape: Resource "object"
+is not freed or pointed-to in function "OBEX_ObjectAddHeader(obex_t *,
+obex_object_t *, uint8_t, obex_headerdata_t, uint32_t, unsigned int)".
+openobex-1.5.0-Source/lib/obex.c:713:63: noescape:
+"OBEX_ObjectAddHeader(obex_t *, obex_object_t *, uint8_t,
+obex_headerdata_t, uint32_t, unsigned int)" does not free or save its
+pointer parameter "object".
+openobex-1.5.0-Source/ircp/ircp_io.c:102:2: return_alloc: Returning
+allocated memory "object".
+openobex-1.5.0-Source/ircp/ircp_client.c:283: var_assign: Assigning:
+"object" = storage returned from
+"build_object_from_file(cli->obexhandle, localname, remotename)".
+openobex-1.5.0-Source/ircp/ircp_client.c:286: cond_true: Condition
+"cli->fd < 0", taking true branch
+openobex-1.5.0-Source/ircp/ircp_client.c:287: if_fallthrough: Falling
+through to end of if statement
+openobex-1.5.0-Source/ircp/ircp_client.c:289: if_end: End of if
+statement
+openobex-1.5.0-Source/ircp/ircp_client.c:293: cond_true: Condition "ret
+< 0", taking true branch
+openobex-1.5.0-Source/ircp/ircp_client.c:294: if_fallthrough: Falling
+through to end of if statement
+openobex-1.5.0-Source/ircp/ircp_client.c:296: if_end: End of if
+statement
+openobex-1.5.0-Source/ircp/ircp_client.c:298: leaked_storage: Variable
+"object" going out of scope leaks the storage it points to.
+---
+ ircp/ircp_client.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ircp/ircp_client.c b/ircp/ircp_client.c
+index 140a0a6..5f5162d 100644
+--- a/ircp/ircp_client.c
++++ b/ircp/ircp_client.c
+@@ -285,6 +285,7 @@ static int ircp_put_file(ircp_client_t *cli, char *localname, char *remotename)
+ cli->fd = open(localname, O_RDONLY, 0);
+ if(cli->fd < 0) {
+ ret = -1;
++ OBEX_ObjectDelete(cli->obexhandle, object);
+ }
+ else {
+ ret = cli_sync_request(cli, object);
+--
+1.7.11.7
+
+
+From d90babe60ffcaf4cab419940b7df259784707216 Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Fri, 7 Dec 2012 08:32:15 +0100
+Subject: [PATCH 05/15] RESOURCE_LEAK (CWE-404)
+
+Coverity output:
+openobex-1.5.0-Source/apps/obex_io.c:89: open_fn: Returning handle
+opened by function "open(char const *, int, ...)".
+openobex-1.5.0-Source/apps/obex_io.c:89: var_assign: Assigning: "fd" =
+handle returned from "open(filename, 0, 0)".
+openobex-1.5.0-Source/apps/obex_io.c:92: cond_false: Condition "fd ==
+-1", taking false branch
+openobex-1.5.0-Source/apps/obex_io.c:94: if_end: End of if statement
+openobex-1.5.0-Source/apps/obex_io.c:96: cond_true: Condition "!(buf =
+malloc(*file_size))", taking true branch
+openobex-1.5.0-Source/apps/obex_io.c:97: leaked_handle: Handle variable
+"fd" going out of scope leaks the handle.
+---
+ apps/obex_io.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/apps/obex_io.c b/apps/obex_io.c
+index 3642fee..2152bb4 100644
+--- a/apps/obex_io.c
++++ b/apps/obex_io.c
+@@ -98,6 +98,7 @@ uint8_t* easy_readfile(const char *filename, int *file_size)
+ }
+
+ if(! (buf = malloc(*file_size)) ) {
++ close(fd);
+ return NULL;
+ }
+
+--
+1.7.11.7
+
+
+From 4446bac377186eaad0245b0b4c445d13f2a1541f Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Fri, 7 Dec 2012 08:53:13 +0100
+Subject: [PATCH 06/15] RESOURCE_LEAK (CWE-404)
+
+Coverity output:
+openobex-1.5.0-Source/ircp/ircp_server.c:224: cond_true: Condition
+"OBEX_ObjectGetNextHeader(srv->obexhandle, object, &hi, &hv, &hlen)",
+taking true branch
+openobex-1.5.0-Source/ircp/ircp_server.c:225: switch: Switch case value
+"1"
+openobex-1.5.0-Source/ircp/ircp_server.c:226: switch_case: Reached case
+"1"
+openobex-1.5.0-Source/ircp/ircp_server.c:227: alloc_fn: Storage is
+returned from allocation function "malloc(size_t)".
+openobex-1.5.0-Source/ircp/ircp_server.c:227: var_assign: Assigning:
+"name" = storage returned from "malloc(hlen / 2U)".
+openobex-1.5.0-Source/ircp/ircp_server.c:227: cond_true: Condition "name
+= malloc(hlen / 2)", taking true branch
+openobex-1.5.0-Source/ircp/ircp_server.c:228: noescape: Resource
+"(uint8_t *)name" is not freed or pointed-to in function
+"OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)".
+openobex-1.5.0-Source/lib/obex.c:899:41: noescape:
+"OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)" does not free or
+save its pointer parameter "c".
+openobex-1.5.0-Source/ircp/ircp_server.c:230: break: Breaking from
+switch
+openobex-1.5.0-Source/ircp/ircp_server.c:233: switch_end: Reached
+end of switch
+openobex-1.5.0-Source/ircp/ircp_server.c:234: loop: Jumping back to
+the beginning of the loop
+openobex-1.5.0-Source/ircp/ircp_server.c:224: loop_begin: Jumped
+back to beginning of loop
+openobex-1.5.0-Source/ircp/ircp_server.c:224: cond_true: Condition
+"OBEX_ObjectGetNextHeader(srv->obexhandle, object, &hi, &hv,
+&hlen)", taking true branch
+openobex-1.5.0-Source/ircp/ircp_server.c:225: switch: Switch case
+value "1"
+openobex-1.5.0-Source/ircp/ircp_server.c:226: switch_case: Reached
+case "1"
+openobex-1.5.0-Source/ircp/ircp_server.c:227: overwrite_var:
+Overwriting "name" in "name = malloc(hlen / 2U)" leaks the storage
+that "name" points to.
+---
+ ircp/ircp_server.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ircp/ircp_server.c b/ircp/ircp_server.c
+index 5545780..123b80c 100644
+--- a/ircp/ircp_server.c
++++ b/ircp/ircp_server.c
+@@ -222,13 +222,13 @@ static int new_file(ircp_server_t *srv, obex_object_t *object)
+
+ /* First iterate through recieved header to find name */
+ while (OBEX_ObjectGetNextHeader(srv->obexhandle, object, &hi, &hv, &hlen)) {
+- switch(hi) {
+- case OBEX_HDR_NAME:
++ if(hi == OBEX_HDR_NAME) {
+ if( (name = malloc(hlen / 2))) {
+ OBEX_UnicodeToChar((uint8_t *) name, hv.bs, hlen);
+ }
+ break;
+- default:
++ }
++ else {
+ DEBUG(4, "Skipped header %02x\n", hi);
+ }
+ }
+--
+1.7.11.7
+
+
+From 379ede0a12e22c49770b9ab81ae3432f8d470036 Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Fri, 7 Dec 2012 08:57:14 +0100
+Subject: [PATCH 07/15] RESOURCE_LEAK (CWE-404)
+
+Coverity output:
+enobex-1.5.0-Source/ircp/ircp_server.c:152: cond_false: Condition
+"nonhdr_data_len != 2", taking false branch
+openobex-1.5.0-Source/ircp/ircp_server.c:155: if_end: End of if
+statement
+openobex-1.5.0-Source/ircp/ircp_server.c:157: cond_true: Condition
+"OBEX_ObjectGetNextHeader(srv->obexhandle, object, &hi, &hv, &hlen)",
+taking true branch
+openobex-1.5.0-Source/ircp/ircp_server.c:158: switch: Switch case value
+"1"
+openobex-1.5.0-Source/ircp/ircp_server.c:159: switch_case: Reached case
+"1"
+openobex-1.5.0-Source/ircp/ircp_server.c:160: alloc_fn: Storage is
+returned from allocation function "malloc(size_t)".
+openobex-1.5.0-Source/ircp/ircp_server.c:160: var_assign: Assigning:
+"name" = storage returned from "malloc(hlen / 2U)".
+openobex-1.5.0-Source/ircp/ircp_server.c:160: cond_true: Condition "name
+= malloc(hlen / 2)", taking true branch
+openobex-1.5.0-Source/ircp/ircp_server.c:161: noescape: Resource
+"(uint8_t *)name" is not freed or pointed-to in function
+"OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)".
+openobex-1.5.0-Source/lib/obex.c:899:41: noescape:
+"OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)" does not free or
+save its pointer parameter "c".
+openobex-1.5.0-Source/ircp/ircp_server.c:163: break: Breaking from
+switch
+openobex-1.5.0-Source/ircp/ircp_server.c:166: switch_end: Reached
+end of switch
+openobex-1.5.0-Source/ircp/ircp_server.c:167: loop: Jumping back to
+the beginning of the loop
+openobex-1.5.0-Source/ircp/ircp_server.c:157: loop_begin: Jumped
+back to beginning of loop
+openobex-1.5.0-Source/ircp/ircp_server.c:157: cond_true: Condition
+"OBEX_ObjectGetNextHeader(srv->obexhandle, object, &hi, &hv,
+&hlen)", taking true branch
+openobex-1.5.0-Source/ircp/ircp_server.c:158: switch: Switch case
+value "1"
+openobex-1.5.0-Source/ircp/ircp_server.c:159: switch_case: Reached
+case "1"
+openobex-1.5.0-Source/ircp/ircp_server.c:160: overwrite_var:
+Overwriting "name" in "name = malloc(hlen / 2U)" leaks the storage
+that "name" points to.
+---
+ ircp/ircp_server.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ircp/ircp_server.c b/ircp/ircp_server.c
+index 123b80c..8f9a6b4 100644
+--- a/ircp/ircp_server.c
++++ b/ircp/ircp_server.c
+@@ -155,13 +155,13 @@ int ircp_srv_setpath(ircp_server_t *srv, obex_object_t *object)
+ }
+
+ while (OBEX_ObjectGetNextHeader(srv->obexhandle, object, &hi, &hv, &hlen)) {
+- switch(hi) {
+- case OBEX_HDR_NAME:
++ if (hi == OBEX_HDR_NAME) {
+ if( (name = malloc(hlen / 2))) {
+ OBEX_UnicodeToChar((uint8_t *) name, hv.bs, hlen);
+ }
+ break;
+- default:
++ }
++ else {
+ DEBUG(2, "Skipped header %02x\n", hi);
+ }
+ }
+--
+1.7.11.7
+
+
+From 6b0886d3e547d289e56f40a99eec6b81242fb8d8 Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Fri, 7 Dec 2012 09:00:39 +0100
+Subject: [PATCH 08/15] RESOURCE_LEAK (CWE-404)
+
+Coverity output:
+openobex-1.5.0-Source/apps/obex_put_common.c:59: cond_true: Condition
+"OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking true
+branch
+openobex-1.5.0-Source/apps/obex_put_common.c:60: switch: Switch case
+value "1"
+openobex-1.5.0-Source/apps/obex_put_common.c:65: switch_case: Reached
+case "1"
+openobex-1.5.0-Source/apps/obex_put_common.c:66: alloc_fn: Storage is
+returned from allocation function "malloc(size_t)".
+openobex-1.5.0-Source/apps/obex_put_common.c:66: var_assign: Assigning:
+"namebuf" = storage returned from "malloc(hlen / 2U)".
+openobex-1.5.0-Source/apps/obex_put_common.c:66: cond_true: Condition
+"namebuf = malloc(hlen / 2)", taking true branch
+openobex-1.5.0-Source/apps/obex_put_common.c:67: noescape: Resource
+"(uint8_t *)namebuf" is not freed or pointed-to in function
+"OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)".
+openobex-1.5.0-Source/lib/obex.c:899:41: noescape:
+"OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)" does not free or
+save its pointer parameter "c".
+openobex-1.5.0-Source/apps/obex_put_common.c:68: var_assign: Assigning:
+"name" = "namebuf".
+openobex-1.5.0-Source/apps/obex_put_common.c:70: break: Breaking from
+switch
+openobex-1.5.0-Source/apps/obex_put_common.c:82: switch_end: Reached
+end of switch
+openobex-1.5.0-Source/apps/obex_put_common.c:83: loop: Jumping back
+to the beginning of the loop
+openobex-1.5.0-Source/apps/obex_put_common.c:59: loop_begin: Jumped
+back to beginning of loop
+openobex-1.5.0-Source/apps/obex_put_common.c:59: cond_false:
+Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv,
+&hlen)", taking false branch
+openobex-1.5.0-Source/apps/obex_put_common.c:83: loop_end: Reached
+end of loop
+openobex-1.5.0-Source/apps/obex_put_common.c:84: cond_true:
+Condition "!body", taking true branch
+openobex-1.5.0-Source/apps/obex_put_common.c:86: leaked_storage:
+Variable "namebuf" going out of scope leaks the storage it points
+to.
+openobex-1.5.0-Source/apps/obex_put_common.c:86: leaked_storage:
+Variable "name" going out of scope leaks the storage it points to.
+---
+ apps/obex_put_common.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/apps/obex_put_common.c b/apps/obex_put_common.c
+index 856f993..66da6d4 100644
+--- a/apps/obex_put_common.c
++++ b/apps/obex_put_common.c
+@@ -63,6 +63,10 @@ void put_done(obex_object_t *object)
+ body_len = hlen;
+ break;
+ case OBEX_HDR_NAME:
++ if (namebuf) {
++ free(namebuf);
++ name = namebuf = NULL;
++ }
+ if( (namebuf = malloc(hlen / 2))) {
+ OBEX_UnicodeToChar((uint8_t *) namebuf, hv.bs, hlen);
+ name = namebuf;
+--
+1.7.11.7
+
+
+From 636c06da96c73867499acbc3d5b6a0811c5bdb66 Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Fri, 7 Dec 2012 09:03:26 +0100
+Subject: [PATCH 09/15] RESOURCE_LEAK (CWE-404)
+
+Coverity output:
+openobex-1.5.0-Source/apps/obex_test_server.c:106: cond_true: Condition
+"OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking true
+branch
+openobex-1.5.0-Source/apps/obex_test_server.c:107: switch: Switch case
+value "1"
+openobex-1.5.0-Source/apps/obex_test_server.c:108: switch_case: Reached
+case "1"
+openobex-1.5.0-Source/apps/obex_test_server.c:110: alloc_fn: Storage is
+returned from allocation function "malloc(size_t)".
+openobex-1.5.0-Source/apps/obex_test_server.c:110: var_assign:
+Assigning: "namebuf" = storage returned from "malloc(hlen / 2U)".
+openobex-1.5.0-Source/apps/obex_test_server.c:110: cond_true: Condition
+"namebuf = malloc(hlen / 2)", taking true branch
+openobex-1.5.0-Source/apps/obex_test_server.c:111: noescape: Resource
+"(uint8_t *)namebuf" is not freed or pointed-to in function
+"OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)".
+openobex-1.5.0-Source/lib/obex.c:899:41: noescape:
+"OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)" does not free or
+save its pointer parameter "c".
+openobex-1.5.0-Source/apps/obex_test_server.c:112: var_assign:
+Assigning: "name" = "namebuf".
+openobex-1.5.0-Source/apps/obex_test_server.c:114: break: Breaking from
+switch
+openobex-1.5.0-Source/apps/obex_test_server.c:118: switch_end:
+Reached end of switch
+openobex-1.5.0-Source/apps/obex_test_server.c:119: loop: Jumping
+back to the beginning of the loop
+openobex-1.5.0-Source/apps/obex_test_server.c:106: loop_begin:
+Jumped back to beginning of loop
+openobex-1.5.0-Source/apps/obex_test_server.c:106: cond_true:
+Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv,
+&hlen)", taking true branch
+openobex-1.5.0-Source/apps/obex_test_server.c:107: switch: Switch
+case value "1"
+openobex-1.5.0-Source/apps/obex_test_server.c:108: switch_case:
+Reached case "1"
+openobex-1.5.0-Source/apps/obex_test_server.c:110: cond_true:
+Condition "namebuf = malloc(hlen / 2)", taking true branch
+openobex-1.5.0-Source/apps/obex_test_server.c:112: overwrite_var:
+Overwriting "name" in "name = namebuf" leaks the storage that "name"
+points to.
+---
+ apps/obex_test_server.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/apps/obex_test_server.c b/apps/obex_test_server.c
+index 7b9d16a..4d82293 100644
+--- a/apps/obex_test_server.c
++++ b/apps/obex_test_server.c
+@@ -104,16 +104,15 @@ void get_server(obex_t *handle, obex_object_t *object)
+ printf("%s()\n", __FUNCTION__);
+
+ while (OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)) {
+- switch(hi) {
+- case OBEX_HDR_NAME:
++ if (hi == OBEX_HDR_NAME) {
+ printf("%s() Found name\n", __FUNCTION__);
+ if( (namebuf = malloc(hlen / 2))) {
+ OBEX_UnicodeToChar((uint8_t *) namebuf, hv.bs, hlen);
+ name = namebuf;
+ }
+ break;
+-
+- default:
++ }
++ else {
+ printf("%s() Skipped header %02x\n", __FUNCTION__, hi);
+ }
+ }
+--
+1.7.11.7
+
+
+From 6d40c4b847696d97507e22c5ab0e3f18cf14051d Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Fri, 7 Dec 2012 09:11:55 +0100
+Subject: [PATCH 10/15] RESOURCE_LEAK (CWE-404)
+
+Coverity output:
+openobex-1.5.0-Source/apps/obex_test_server.c:106: cond_true: Condition
+"OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking true
+branch
+openobex-1.5.0-Source/apps/obex_test_server.c:107: switch: Switch case
+value "1"
+openobex-1.5.0-Source/apps/obex_test_server.c:108: switch_case: Reached
+case "1"
+openobex-1.5.0-Source/apps/obex_test_server.c:110: alloc_fn: Storage is
+returned from allocation function "malloc(size_t)".
+openobex-1.5.0-Source/apps/obex_test_server.c:110: var_assign:
+Assigning: "namebuf" = storage returned from "malloc(hlen / 2U)".
+openobex-1.5.0-Source/apps/obex_test_server.c:110: cond_true: Condition
+"namebuf = malloc(hlen / 2)", taking true branch
+openobex-1.5.0-Source/apps/obex_test_server.c:111: noescape: Resource
+"(uint8_t *)namebuf" is not freed or pointed-to in function
+"OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)".
+openobex-1.5.0-Source/lib/obex.c:899:41: noescape:
+"OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)" does not free or
+save its pointer parameter "c".
+openobex-1.5.0-Source/apps/obex_test_server.c:112: var_assign:
+Assigning: "name" = "namebuf".
+openobex-1.5.0-Source/apps/obex_test_server.c:114: break: Breaking from
+switch
+openobex-1.5.0-Source/apps/obex_test_server.c:118: switch_end:
+Reached end of switch
+openobex-1.5.0-Source/apps/obex_test_server.c:119: loop: Jumping
+back to the beginning of the loop
+openobex-1.5.0-Source/apps/obex_test_server.c:106: loop_begin:
+Jumped back to beginning of loop
+openobex-1.5.0-Source/apps/obex_test_server.c:106: cond_false:
+Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv,
+&hlen)", taking false branch
+openobex-1.5.0-Source/apps/obex_test_server.c:119: loop_end: Reached
+end of loop
+openobex-1.5.0-Source/apps/obex_test_server.c:121: cond_false:
+Condition "!name", taking false branch
+openobex-1.5.0-Source/apps/obex_test_server.c:125: if_end: End of if
+statement
+openobex-1.5.0-Source/apps/obex_test_server.c:126: noescape:
+Resource "name" is not freed or pointed-to in function "printf(char
+const * restrict, ...)".
+openobex-1.5.0-Source/apps/obex_test_server.c:128: noescape:
+Resource "name" is not freed or pointed-to in function
+"easy_readfile(char const *, int *)".
+openobex-1.5.0-Source/apps/obex_io.c:77:36: noescape:
+"easy_readfile(char const *, int *)" does not free or save its
+pointer parameter "filename".
+openobex-1.5.0-Source/apps/obex_test_server.c:129: cond_true:
+Condition "buf == NULL", taking true branch
+openobex-1.5.0-Source/apps/obex_test_server.c:130: noescape:
+Resource "name" is not freed or pointed-to in function "printf(char
+const * restrict, ...)".
+openobex-1.5.0-Source/apps/obex_test_server.c:132: leaked_storage:
+Variable "namebuf" going out of scope leaks the storage it points
+to.
+openobex-1.5.0-Source/apps/obex_test_server.c:132: leaked_storage:
+Variable "name" going out of scope leaks the storage it points to.
+
+openobex-1.5.0-Source/apps/obex_test_server.c:106: cond_true: Condition
+"OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking true
+branch
+openobex-1.5.0-Source/apps/obex_test_server.c:107: switch: Switch case
+value "1"
+openobex-1.5.0-Source/apps/obex_test_server.c:108: switch_case: Reached
+case "1"
+openobex-1.5.0-Source/apps/obex_test_server.c:110: alloc_fn: Storage is
+returned from allocation function "malloc(size_t)".
+openobex-1.5.0-Source/apps/obex_test_server.c:110: var_assign:
+Assigning: "namebuf" = storage returned from "malloc(hlen / 2U)".
+openobex-1.5.0-Source/apps/obex_test_server.c:110: cond_true: Condition
+"namebuf = malloc(hlen / 2)", taking true branch
+openobex-1.5.0-Source/apps/obex_test_server.c:111: noescape: Resource
+"(uint8_t *)namebuf" is not freed or pointed-to in function
+"OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)".
+openobex-1.5.0-Source/lib/obex.c:899:41: noescape:
+"OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)" does not free or
+save its pointer parameter "c".
+openobex-1.5.0-Source/apps/obex_test_server.c:112: var_assign:
+Assigning: "name" = "namebuf".
+openobex-1.5.0-Source/apps/obex_test_server.c:114: break: Breaking from
+switch
+openobex-1.5.0-Source/apps/obex_test_server.c:118: switch_end:
+Reached end of switch
+openobex-1.5.0-Source/apps/obex_test_server.c:119: loop: Jumping
+back to the beginning of the loop
+openobex-1.5.0-Source/apps/obex_test_server.c:106: loop_begin:
+Jumped back to beginning of loop
+openobex-1.5.0-Source/apps/obex_test_server.c:106: cond_false:
+Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv,
+&hlen)", taking false branch
+openobex-1.5.0-Source/apps/obex_test_server.c:119: loop_end: Reached
+end of loop
+openobex-1.5.0-Source/apps/obex_test_server.c:121: cond_false:
+Condition "!name", taking false branch
+openobex-1.5.0-Source/apps/obex_test_server.c:125: if_end: End of if
+statement
+openobex-1.5.0-Source/apps/obex_test_server.c:126: noescape:
+Resource "name" is not freed or pointed-to in function "printf(char
+const * restrict, ...)".
+openobex-1.5.0-Source/apps/obex_test_server.c:128: noescape:
+Resource "name" is not freed or pointed-to in function
+"easy_readfile(char const *, int *)".
+openobex-1.5.0-Source/apps/obex_io.c:77:36: noescape:
+"easy_readfile(char const *, int *)" does not free or save its
+pointer parameter "filename".
+openobex-1.5.0-Source/apps/obex_test_server.c:129: cond_false:
+Condition "buf == NULL", taking false branch
+openobex-1.5.0-Source/apps/obex_test_server.c:133: if_end: End of if
+statement
+openobex-1.5.0-Source/apps/obex_test_server.c:141: leaked_storage:
+Variable "namebuf" going out of scope leaks the storage it points
+to.
+openobex-1.5.0-Source/apps/obex_test_server.c:141: leaked_storage:
+Variable "name" going out of scope leaks the storage it points to.
+---
+ apps/obex_test_server.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/apps/obex_test_server.c b/apps/obex_test_server.c
+index 4d82293..9ce0228 100644
+--- a/apps/obex_test_server.c
++++ b/apps/obex_test_server.c
+@@ -128,6 +128,7 @@ void get_server(obex_t *handle, obex_object_t *object)
+ if(buf == NULL) {
+ printf("Can't find file %s\n", name);
+ OBEX_ObjectSetRsp(object, OBEX_RSP_NOT_FOUND, OBEX_RSP_NOT_FOUND);
++ free(namebuf);
+ return;
+ }
+
+@@ -136,6 +137,7 @@ void get_server(obex_t *handle, obex_object_t *object)
+ OBEX_ObjectAddHeader(handle, object, OBEX_HDR_BODY, hv, file_size, 0);
+ hv.bq4 = file_size;
+ OBEX_ObjectAddHeader(handle, object, OBEX_HDR_LENGTH, hv, sizeof(uint32_t), 0);
++ free(namebuf);
+ free(buf);
+ return;
+ }
+--
+1.7.11.7
+
+
+From 7722733e86b5378b30dc076dc78acc51c8ae5fd7 Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Fri, 7 Dec 2012 09:25:37 +0100
+Subject: [PATCH 11/15] RESOURCE_LEAK (CWE-404)
+
+Coverity output:
+openobex-1.5.0-Source/apps/obex_test_server.c:57: cond_true: Condition
+"OBEX_ObjectGetNextHeader(handle, object, &hi, &hv, &hlen)", taking true
+branch
+openobex-1.5.0-Source/apps/obex_test_server.c:58: switch: Switch case
+value "1"
+openobex-1.5.0-Source/apps/obex_test_server.c:64: switch_case: Reached
+case "1"
+openobex-1.5.0-Source/apps/obex_test_server.c:66: alloc_fn: Storage is
+returned from allocation function "malloc(size_t)".
+openobex-1.5.0-Source/apps/obex_test_server.c:66: var_assign: Assigning:
+"namebuf" = storage returned from "malloc(hlen / 2U)".
+openobex-1.5.0-Source/apps/obex_test_server.c:66: cond_true: Condition
+"namebuf = malloc(hlen / 2)", taking true branch
+openobex-1.5.0-Source/apps/obex_test_server.c:67: noescape: Resource
+"(uint8_t *)namebuf" is not freed or pointed-to in function
+"OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)".
+openobex-1.5.0-Source/lib/obex.c:899:41: noescape:
+"OBEX_UnicodeToChar(uint8_t *, uint8_t const *, int)" does not free or
+save its pointer parameter "c".
+openobex-1.5.0-Source/apps/obex_test_server.c:68: var_assign: Assigning:
+"name" = "namebuf".
+openobex-1.5.0-Source/apps/obex_test_server.c:70: break: Breaking from
+switch
+openobex-1.5.0-Source/apps/obex_test_server.c:74: switch_end:
+Reached end of switch
+openobex-1.5.0-Source/apps/obex_test_server.c:75: loop: Jumping back
+to the beginning of the loop
+openobex-1.5.0-Source/apps/obex_test_server.c:57: loop_begin: Jumped
+back to beginning of loop
+openobex-1.5.0-Source/apps/obex_test_server.c:57: cond_false:
+Condition "OBEX_ObjectGetNextHeader(handle, object, &hi, &hv,
+&hlen)", taking false branch
+openobex-1.5.0-Source/apps/obex_test_server.c:75: loop_end: Reached
+end of loop
+openobex-1.5.0-Source/apps/obex_test_server.c:76: cond_true:
+Condition "!body", taking true branch
+openobex-1.5.0-Source/apps/obex_test_server.c:78: leaked_storage:
+Variable "namebuf" going out of scope leaks the storage it points
+to.
+openobex-1.5.0-Source/apps/obex_test_server.c:78: leaked_storage:
+Variable "name" going out of scope leaks the storage it points to.
+---
+ apps/obex_test_server.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/apps/obex_test_server.c b/apps/obex_test_server.c
+index 9ce0228..e9163ad 100644
+--- a/apps/obex_test_server.c
++++ b/apps/obex_test_server.c
+@@ -63,6 +63,10 @@ void put_server(obex_t *handle, obex_object_t *object)
+ break;
+ case OBEX_HDR_NAME:
+ printf("%s() Found name\n", __FUNCTION__);
++ if (namebuf) {
++ free(namebuf);
++ name = namebuf = NULL;
++ }
+ if( (namebuf = malloc(hlen / 2))) {
+ OBEX_UnicodeToChar((uint8_t *) namebuf, hv.bs, hlen);
+ name = namebuf;
+@@ -75,6 +79,7 @@ void put_server(obex_t *handle, obex_object_t *object)
+ }
+ if(!body) {
+ printf("Got a PUT without a body\n");
++ free(namebuf);
+ return;
+ }
+ if(!name) {
+--
+1.7.11.7
+
+
+From 4bd762e35d5467ba76c20ce0fedab2d677d03c09 Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Fri, 7 Dec 2012 09:31:36 +0100
+Subject: [PATCH 12/15] RESOURCE_LEAK (CWE-404)
+
+Coverity output:
+openobex-1.5.0-Source/ircp/dirtraverse.c:37: alloc_fn: Storage is
+returned from allocation function "opendir(char const *)".
+openobex-1.5.0-Source/ircp/dirtraverse.c:37: var_assign: Assigning:
+"dir" = storage returned from "opendir(path)".
+openobex-1.5.0-Source/ircp/dirtraverse.c:38: cond_false: Condition "dir
+== NULL", taking false branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:40: if_end: End of if statement
+openobex-1.5.0-Source/ircp/dirtraverse.c:41: noescape: Resource "dir" is
+not freed or pointed-to in function "readdir(DIR *)".
+openobex-1.5.0-Source/ircp/dirtraverse.c:42: cond_true: Condition
+"dirent != NULL", taking true branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:43: cond_false: Condition
+"__coverity_strcmp(".", dirent->d_name) == 0", taking false branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:45: else_branch: Reached else
+branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:45: cond_false: Condition
+"__coverity_strcmp("..", dirent->d_name) == 0", taking false branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:47: else_branch: Reached else
+branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:49: cond_false: Condition
+"lstat(t, &statbuf) < 0", taking false branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:52: else_branch: Reached else
+branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:52: cond_true: Condition
+"(statbuf.st_mode & 61440) == 32768", taking true branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:54: cond_false: Condition "ret
+< 0", taking false branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:55: if_end: End of if statement
+openobex-1.5.0-Source/ircp/dirtraverse.c:56: if_fallthrough: Falling
+through to end of if statement
+openobex-1.5.0-Source/ircp/dirtraverse.c:74: if_end: End of if statement
+openobex-1.5.0-Source/ircp/dirtraverse.c:76: noescape: Resource "dir" is
+not freed or pointed-to in function "readdir(DIR *)".
+openobex-1.5.0-Source/ircp/dirtraverse.c:77: loop: Jumping back to the
+beginning of the loop
+openobex-1.5.0-Source/ircp/dirtraverse.c:42: loop_begin: Jumped back to
+beginning of loop
+openobex-1.5.0-Source/ircp/dirtraverse.c:42: cond_true: Condition
+"dirent != NULL", taking true branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:43: cond_false: Condition
+"__coverity_strcmp(".", dirent->d_name) == 0", taking false branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:45: else_branch: Reached else
+branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:45: cond_false: Condition
+"__coverity_strcmp("..", dirent->d_name) == 0", taking false branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:47: else_branch: Reached else
+branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:49: cond_true: Condition
+"lstat(t, &statbuf) < 0", taking true branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:50: leaked_storage: Variable
+"dir" going out of scope leaks the storage it points to.
+
+openobex-1.5.0-Source/ircp/dirtraverse.c:37: alloc_fn: Storage is
+returned from allocation function "opendir(char const *)".
+openobex-1.5.0-Source/ircp/dirtraverse.c:37: var_assign: Assigning:
+"dir" = storage returned from "opendir(path)".
+openobex-1.5.0-Source/ircp/dirtraverse.c:38: cond_false: Condition "dir
+== NULL", taking false branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:40: if_end: End of if statement
+openobex-1.5.0-Source/ircp/dirtraverse.c:41: noescape: Resource "dir" is
+not freed or pointed-to in function "readdir(DIR *)".
+openobex-1.5.0-Source/ircp/dirtraverse.c:42: cond_true: Condition
+"dirent != NULL", taking true branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:43: cond_true: Condition
+"__coverity_strcmp(".", dirent->d_name) == 0", taking true branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:44: if_fallthrough: Falling
+through to end of if statement
+openobex-1.5.0-Source/ircp/dirtraverse.c:75: if_end: End of if statement
+openobex-1.5.0-Source/ircp/dirtraverse.c:76: noescape: Resource "dir" is
+not freed or pointed-to in function "readdir(DIR *)".
+openobex-1.5.0-Source/ircp/dirtraverse.c:77: loop: Jumping back to the
+beginning of the loop
+openobex-1.5.0-Source/ircp/dirtraverse.c:42: loop_begin: Jumped back to
+beginning of loop
+openobex-1.5.0-Source/ircp/dirtraverse.c:42: cond_false: Condition
+"dirent != NULL", taking false branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:77: loop_end: Reached end of
+loop
+openobex-1.5.0-Source/ircp/dirtraverse.c:80: leaked_storage: Variable
+"dir" going out of scope leaks the storage it points to.
+
+openobex-1.5.0-Source/ircp/dirtraverse.c:37: alloc_fn: Storage is
+returned from allocation function "opendir(char const *)".
+openobex-1.5.0-Source/ircp/dirtraverse.c:37: var_assign: Assigning:
+"dir" = storage returned from "opendir(path)".
+openobex-1.5.0-Source/ircp/dirtraverse.c:38: cond_false: Condition "dir
+== NULL", taking false branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:40: if_end: End of if statement
+openobex-1.5.0-Source/ircp/dirtraverse.c:41: noescape: Resource "dir" is
+not freed or pointed-to in function "readdir(DIR *)".
+openobex-1.5.0-Source/ircp/dirtraverse.c:42: cond_true: Condition
+"dirent != NULL", taking true branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:43: cond_false: Condition
+"__coverity_strcmp(".", dirent->d_name) == 0", taking false branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:45: else_branch: Reached else
+branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:45: cond_false: Condition
+"__coverity_strcmp("..", dirent->d_name) == 0", taking false branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:47: else_branch: Reached else
+branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:49: cond_false: Condition
+"lstat(t, &statbuf) < 0", taking false branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:52: else_branch: Reached else
+branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:52: cond_true: Condition
+"(statbuf.st_mode & 61440) == 32768", taking true branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:54: cond_true: Condition "ret <
+0", taking true branch
+openobex-1.5.0-Source/ircp/dirtraverse.c:55: goto: Jumping to label
+"out"
+openobex-1.5.0-Source/ircp/dirtraverse.c:79: label: Reached label "out"
+openobex-1.5.0-Source/ircp/dirtraverse.c:80: leaked_storage: Variable
+"dir" going out of scope leaks the storage it points to.
+---
+ ircp/dirtraverse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ircp/dirtraverse.c b/ircp/dirtraverse.c
+index f6c1cf3..7864891 100644
+--- a/ircp/dirtraverse.c
++++ b/ircp/dirtraverse.c
+@@ -47,6 +47,7 @@ int visit_dir(char *path, visit_cb cb, void *userdata)
+ else {
+ snprintf(t, MAXPATHLEN, "%s/%s", path, dirent->d_name);
+ if(lstat(t, &statbuf) < 0) {
++ closedir(dir);
+ return -1;
+ }
+ else if(S_ISREG(statbuf.st_mode)) {
+@@ -77,6 +78,7 @@ int visit_dir(char *path, visit_cb cb, void *userdata)
+ }
+
+ out:
++ closedir(dir);
+ return ret;
+
+ #else
+--
+1.7.11.7
+
+
+From 30a3f1a333bc36d4e1a59e19cc353f455174af20 Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Fri, 7 Dec 2012 09:49:42 +0100
+Subject: [PATCH 13/15] SECURE_CODING (CWE-676)
+
+Coverity output:
+openobex-1.5.0-Source/lib/irobex.c:90: secure_coding: [VERY RISKY].
+Using "strcpy" can cause a buffer overflow when done incorrectly. If
+the destination string of a strcpy() is not large enough then anything
+might happen. Use strncpy() instead.
+
+openobex-1.5.0-Source/lib/irobex.c:279: secure_coding: [VERY RISKY].
+Using "strcpy" can cause a buffer overflow when done incorrectly. If
+the destination string of a strcpy() is not large enough then anything
+might happen. Use strncpy() instead.
+openobex-1.5.0-Source/lib/irobex.c:281: secure_coding: [VERY RISKY].
+Using "strcpy" can cause a buffer overflow when done incorrectly. If
+the destination string of a strcpy() is not large enough then anything
+might happen. Use strncpy() instead.
+---
+ lib/irobex.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/lib/irobex.c b/lib/irobex.c
+index df01b22..c5939f6 100644
+--- a/lib/irobex.c
++++ b/lib/irobex.c
+@@ -87,7 +87,7 @@ void irobex_prepare_connect(obex_t *self, const char *service)
+ if (service)
+ strncpy(self->trans.peer.irda.sir_name, service, 25);
+ else
+- strcpy(self->trans.peer.irda.sir_name, "OBEX");
++ strncpy(self->trans.peer.irda.sir_name, "OBEX", 25);
+ }
+
+ /*
+@@ -276,10 +276,10 @@ static int irobex_discover_devices(obex_t *self)
+ /* Ask if the requested service exist on this device */
+ len = sizeof(ias_query);
+ ias_query.daddr = list->dev[i].daddr;
+- strcpy(ias_query.irda_class_name,
+- self->trans.peer.irda.sir_name);
+- strcpy(ias_query.irda_attrib_name,
+- "IrDA:TinyTP:LsapSel");
++ strncpy(ias_query.irda_class_name,
++ self->trans.peer.irda.sir_name, IAS_MAX_CLASSNAME);
++ strncpy(ias_query.irda_attrib_name,
++ "IrDA:TinyTP:LsapSel", IAS_MAX_ATTRIBNAME);
+ err = getsockopt(self->fd, SOL_IRLMP, IRLMP_IAS_QUERY,
+ &ias_query, &len);
+ /* Check if we failed */
+--
+1.7.11.7
+
+
+From 1c46847f432d2f64dae842fb998310ba159e40fb Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Fri, 7 Dec 2012 10:09:15 +0100
+Subject: [PATCH 14/15] UNINIT (CWE-457)
+
+Coverity output:
+openobex-1.5.0-Source/apps/obex_test.c:160: var_decl: Declaring variable
+"obex_intf" without initializer.
+openobex-1.5.0-Source/apps/obex_test.c:170: cond_true: Condition "argc
+== 2", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:170: cond_true: Condition
+"__coverity_strcmp(argv[1], "-s") == 0", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:172: cond_true: Condition "argc
+== 2", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:172: cond_true: Condition
+"__coverity_strcmp(argv[1], "-r") == 0", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:178: cond_true: Condition "argc
+== 2", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:178: cond_true: Condition
+"__coverity_strcmp(argv[1], "-i") == 0", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:180: cond_true: Condition "argc
+>= 2", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:180: cond_true: Condition
+"__coverity_strcmp(argv[1], "-b") == 0", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:182: cond_true: Condition "argc
+>= 2", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:182: cond_true: Condition
+"__coverity_strcmp(argv[1], "-u") == 0", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:185: cond_true: Condition
+"cobex", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:187: cond_false: Condition "argc
+== 3", taking false branch
+openobex-1.5.0-Source/apps/obex_test.c:190: else_branch: Reached else
+branch
+openobex-1.5.0-Source/apps/obex_test.c:192: cond_true: Condition "r320",
+taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:193: if_fallthrough: Falling
+through to end of if statement
+openobex-1.5.0-Source/apps/obex_test.c:195: if_end: End of if statement
+openobex-1.5.0-Source/apps/obex_test.c:199: cond_false: Condition
+"custfunc.customdata == NULL", taking false branch
+openobex-1.5.0-Source/apps/obex_test.c:202: if_end: End of if statement
+openobex-1.5.0-Source/apps/obex_test.c:204: cond_false: Condition
+"!(handle = OBEX_Init(3, obex_event(obex_t *, obex_object_t *, int, int,
+int, int), 0))", taking false branch
+openobex-1.5.0-Source/apps/obex_test.c:207: if_end: End of if statement
+openobex-1.5.0-Source/apps/obex_test.c:215: cond_false: Condition
+"OBEX_RegisterCTransport(handle, &custfunc) < 0", taking false branch
+openobex-1.5.0-Source/apps/obex_test.c:217: if_end: End of if statement
+openobex-1.5.0-Source/apps/obex_test.c:221: if_fallthrough: Falling
+through to end of if statement
+openobex-1.5.0-Source/apps/obex_test.c:315: if_end: End of if statement
+openobex-1.5.0-Source/apps/obex_test.c:321: cond_true: Condition "!end",
+taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:324: switch: Switch case value
+"103"
+openobex-1.5.0-Source/apps/obex_test.c:328: switch_case: Reached case
+"103"
+openobex-1.5.0-Source/apps/obex_test.c:330: break: Breaking from switch
+openobex-1.5.0-Source/apps/obex_test.c:428: switch_end: Reached end of
+switch
+openobex-1.5.0-Source/apps/obex_test.c:429: loop: Jumping back to
+the beginning of the loop
+openobex-1.5.0-Source/apps/obex_test.c:321: loop_begin: Jumped back
+to beginning of loop
+openobex-1.5.0-Source/apps/obex_test.c:321: cond_true: Condition
+"!end", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:324: switch: Switch case
+value "99"
+openobex-1.5.0-Source/apps/obex_test.c:340: switch_case: Reached
+case "99"
+openobex-1.5.0-Source/apps/obex_test.c:342: cond_true: Condition
+"tcpobex", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:343: cond_true: Condition
+"TcpOBEX_TransportConnect(handle, NULL, 0) < 0", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:345: break: Breaking from
+switch
+openobex-1.5.0-Source/apps/obex_test.c:428: switch_end: Reached
+end of switch
+openobex-1.5.0-Source/apps/obex_test.c:429: loop: Jumping back
+to the beginning of the loop
+openobex-1.5.0-Source/apps/obex_test.c:321: loop_begin: Jumped
+back to beginning of loop
+openobex-1.5.0-Source/apps/obex_test.c:321: cond_true: Condition
+"!end", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:324: switch: Switch case
+value "99"
+openobex-1.5.0-Source/apps/obex_test.c:340: switch_case: Reached
+case "99"
+openobex-1.5.0-Source/apps/obex_test.c:342: cond_true: Condition
+"tcpobex", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:343: cond_true: Condition
+"TcpOBEX_TransportConnect(handle, NULL, 0) < 0", taking true
+branch
+openobex-1.5.0-Source/apps/obex_test.c:345: break: Breaking from
+switch
+openobex-1.5.0-Source/apps/obex_test.c:428: switch_end:
+Reached end of switch
+openobex-1.5.0-Source/apps/obex_test.c:429: loop: Jumping
+back to the beginning of the loop
+openobex-1.5.0-Source/apps/obex_test.c:321: loop_begin:
+Jumped back to beginning of loop
+openobex-1.5.0-Source/apps/obex_test.c:321: cond_true:
+Condition "!end", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:324: switch: Switch
+case value "99"
+openobex-1.5.0-Source/apps/obex_test.c:340: switch_case:
+Reached case "99"
+openobex-1.5.0-Source/apps/obex_test.c:342: cond_true:
+Condition "tcpobex", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:343: cond_false:
+Condition "TcpOBEX_TransportConnect(handle, NULL, 0) < 0",
+taking false branch
+openobex-1.5.0-Source/apps/obex_test.c:346: if_end: End of
+if statement
+openobex-1.5.0-Source/apps/obex_test.c:348: cond_true:
+Condition "cobex", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:349: cond_false:
+Condition "OBEX_TransportConnect(handle, (struct
+sockaddr *)0x1, 0) < 0", taking false branch
+openobex-1.5.0-Source/apps/obex_test.c:352: if_end: End
+of if statement
+openobex-1.5.0-Source/apps/obex_test.c:354: cond_true:
+Condition "btobex", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:356: cond_true:
+Condition "bacmp(&bdaddr, &bdaddr_t({{0, 0, 0, 0, 0,
+0}})) == 0", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:358: break:
+Breaking from switch
+openobex-1.5.0-Source/apps/obex_test.c:428: switch_end:
+Reached end of switch
+openobex-1.5.0-Source/apps/obex_test.c:429: loop:
+Jumping back to the beginning of the loop
+openobex-1.5.0-Source/apps/obex_test.c:321: loop_begin:
+Jumped back to beginning of loop
+openobex-1.5.0-Source/apps/obex_test.c:321: cond_true:
+Condition "!end", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:324: switch:
+Switch case value "99"
+openobex-1.5.0-Source/apps/obex_test.c:340: switch_case:
+Reached case "99"
+openobex-1.5.0-Source/apps/obex_test.c:342: cond_true:
+Condition "tcpobex", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:343: cond_false:
+Condition "TcpOBEX_TransportConnect(handle, NULL, 0) <
+0", taking false branch
+openobex-1.5.0-Source/apps/obex_test.c:346: if_end: End
+of if statement
+openobex-1.5.0-Source/apps/obex_test.c:348: cond_true:
+Condition "cobex", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:349: cond_false:
+Condition "OBEX_TransportConnect(handle, (struct
+sockaddr *)0x1, 0) < 0", taking false branch
+openobex-1.5.0-Source/apps/obex_test.c:352: if_end: End
+of if statement
+openobex-1.5.0-Source/apps/obex_test.c:354: cond_true:
+Condition "btobex", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:356: cond_false:
+Condition "bacmp(&bdaddr, &bdaddr_t({{0, 0, 0, 0, 0,
+0}})) == 0", taking false branch
+openobex-1.5.0-Source/apps/obex_test.c:359: if_end: End
+of if statement
+openobex-1.5.0-Source/apps/obex_test.c:360: cond_false:
+Condition "BtOBEX_TransportConnect(handle,
+&bdaddr_t({{0, 0, 0, 0, 0, 0}}), &bdaddr, channel) < 0",
+taking false branch
+openobex-1.5.0-Source/apps/obex_test.c:363: if_end: End
+of if statement
+openobex-1.5.0-Source/apps/obex_test.c:368: cond_true:
+Condition "usbobex", taking true branch
+openobex-1.5.0-Source/apps/obex_test.c:370:
+uninit_use_in_call: Using uninitialized value
+"obex_intf" when calling "OBEX_InterfaceConnect(obex_t
+*, obex_interface_t *)".
+openobex-1.5.0-Source/lib/obex.c:1272:2: cond_false:
+Condition "!(self != NULL)", taking false branch
+openobex-1.5.0-Source/lib/obex.c:1272:2: if_end: End of
+if statement
+openobex-1.5.0-Source/lib/obex.c:1274:2: cond_false:
+Condition "self->object", taking false branch
+openobex-1.5.0-Source/lib/obex.c:1277:2: if_end: End
+of if statement
+openobex-1.5.0-Source/lib/obex.c:1279:2: read_parm:
+Reading a parameter value.
+---
+ apps/obex_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/apps/obex_test.c b/apps/obex_test.c
+index c04aa5d..aef0b54 100644
+--- a/apps/obex_test.c
++++ b/apps/obex_test.c
+@@ -155,7 +155,7 @@ int main (int argc, char *argv[])
+ #endif
+
+ #ifdef HAVE_USB
+- obex_interface_t *obex_intf;
++ obex_interface_t *obex_intf = NULL;
+ #endif
+
+ struct context global_context = {0,};
+--
+1.7.11.7
+
+
+From 8e2446b58d88f01969661728fa5f4cdad43908a7 Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza at redhat.com>
+Date: Fri, 7 Dec 2012 12:08:48 +0100
+Subject: [PATCH 15/15] NEGATIVE_RETURNS (CWE-394)
+
+Coverity output:
+openobex-1.5.0-Source/apps/obex_io.c:87: negative_return_fn: Function
+"get_filesize(filename)" returns a negative number.
+openobex-1.5.0-Source/apps/obex_io.c:68:2: cond_true: Condition
+"stat(filename, &stats) == -1", taking true branch
+openobex-1.5.0-Source/apps/obex_io.c:70:3: return_negative_constant:
+Explicitly returning negative value "-1".
+openobex-1.5.0-Source/apps/obex_io.c:87: var_assign: Assigning: signed
+variable "*file_size" = "get_filesize(char const *)".
+openobex-1.5.0-Source/apps/obex_io.c:96: cond_false: Condition "fd ==
+-1", taking false branch
+openobex-1.5.0-Source/apps/obex_io.c:98: if_end: End of if statement
+openobex-1.5.0-Source/apps/obex_io.c:100: negative_returns: "*file_size"
+is passed to a parameter that cannot be negative.
+---
+ apps/obex_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/apps/obex_io.c b/apps/obex_io.c
+index 2152bb4..91d6b0b 100644
+--- a/apps/obex_io.c
++++ b/apps/obex_io.c
+@@ -97,7 +97,7 @@ uint8_t* easy_readfile(const char *filename, int *file_size)
+ return NULL;
+ }
+
+- if(! (buf = malloc(*file_size)) ) {
++ if( *file_size < 0 || !(buf = malloc(*file_size)) ) {
+ close(fd);
+ return NULL;
+ }
+--
+1.7.11.7
+
diff --git a/openobex.spec b/openobex.spec
index 5c7fad6..1115a10 100644
--- a/openobex.spec
+++ b/openobex.spec
@@ -1,7 +1,7 @@
Summary: Library for using OBEX
Name: openobex
Version: 1.5
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Libraries
URL: http://openobex.sourceforge.net
@@ -9,6 +9,8 @@ Source: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.0-Source.zip
Patch: openobex-apps-flush.patch
Patch1: openobex-1.3-push.patch
Patch2: openobex-1.3-autoconf.patch
+# Coverity Bugs Patches
+Patch3: openobex-1.5-coverity-errors.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: autoconf >= 2.57, bluez-libs-devel, sed, libusb-devel
@@ -43,6 +45,9 @@ calendar entries (vCal) and business cards (vCard) using the OBEX protocol.
%patch -p1 -b .flush
%patch1 -p1 -b .push
%patch2 -p1 -b .autoconf
+# Coverity Bugs Patches
+%patch3 -p1
+
autoreconf --install --force
%build
@@ -87,6 +92,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/obex_push.1*
%changelog
+* Fri Dec 07 2012 Tomas Hozza <thozza at redhat.com> - 1.5-7
+- Fixed errors found by Coverity scan.
+
* Thu Nov 15 2012 Tomas Hozza <thozza at redhat.com> - 1.5-6
- changing not working Source0 URL and some minor changes in %%prep
- new source archive openobex-1.5.0-Source.zip
More information about the scm-commits
mailing list