Blob'ing NetBSD

Creation: 10-05-2013 | Update: 28-07-2014


Scanned folders: sys/* libexec/*
RED: #16, important
ORANGE: #3, not very important
GREEN: #19, solved

# 01 SYS/ARCH/
0x01 FALSE POSITIVE|UNINITIALIZED VARIABLE: acorn26/acorn26/cpu.c rev1.28
     At l.156, if (setjmp(&undef_jmp) != 0), 'id' is not initialized at l.166.
0x02 FIXED-rev1.10|LEAK: alpha/eisa/eisa_machdep.c rev1.9
     At l.267, 'ecuio' is leaked in the loop.
0x03 FIXED-rev1.4|UNINITIALIZED VARIABLE: ia64/stand/common/fileload.c rev1.3
     At l.96, 'error' may not be initialized.
0x04 FIXED-rev1.9|LEAK: mipsco/stand/installboot/installboot.c rev1.8
     At l.185, 'boot_code' is never freed.
0x05 FIXED-rev1.19|LEAK: sgimips/stand/sgivol/sgivol.c rev1.18
     At l.532, 'fp' is leaked.
0x06 FIXED-rev1.26|OVERLAP: prep/prep/autoconf.c rev1.25
     At lines 168, 175, 189, 191, 197, 200, using sprintf() with the same src
     and dest results in undefined behavior.

# 02 SYS/DEV/
0x01 FIXED-rev1.27|UNINITIALIZED VARIABLE: hpc/hpf1275a_tty.c rev1.26
     At l.332, 'sc' is not initialized, and does not even seem to be used.
0x02 FIXED-rev1.49|UNINITIALIZED VARIABLE: ic/mfi.c rev1.48
     At l.373, if (sc->sc_ioptype != MFI_IOP_TBOLT), 'io_req_base_phys' is not
     initialized at l.417.
0x03 FIXED-rev1.49|UNINITIALIZED VARIABLE: ic/mfi.c rev1.48
     At l.373, if (sc->sc_ioptype != MFI_IOP_TBOLT), 'io_req_base' is not
     initialized at l.415.
0x04 FIXED-rev1.40|OVERLAP: ic/opl.c rev1.39
     At l.161, using snprintf() with the same src and dest results in
     undefined behavior.
0x05 FIXED-rev1.22|UNINITIALIZED VARIABLE: pci/pm2fb.c rev1.21
     From l.1351 to l.1356, 'n' is not initialized.
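Added example (mine, not code from this page or from NetBSD) for the OVERLAP entries above (0x06 in SYS/ARCH and 0x04 here): the flagged pattern is sprintf(buf, "%s...", buf), where src and dst alias. The safe form keeps a write cursor and formats only the new piece, so the two never overlap and truncation is handled. describe_device() and its fields are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Safe replacement for sprintf(buf, "%s%s", buf, more): format only the new
 * piece at the current write cursor 'off'. Returns the new cursor, never
 * writes past bufsz, and never lets src and dst alias. On truncation the
 * cursor is pinned at bufsz - 1 and the buffer stays NUL-terminated.
 */
static size_t
append_fmt(char *buf, size_t bufsz, size_t off, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (bufsz == 0 || off >= bufsz)
		return off;
	va_start(ap, fmt);
	n = vsnprintf(buf + off, bufsz - off, fmt, ap);
	va_end(ap);
	if (n < 0)
		return off;		/* encoding error: buffer unchanged */
	if ((size_t)n >= bufsz - off)
		return bufsz - 1;	/* truncated */
	return off + (size_t)n;
}

/* Builds "name<unit> at 0x<addr> irq <irq>" piece by piece (constructed). */
static size_t
describe_device(char *buf, size_t bufsz, const char *name, int unit,
    unsigned long addr, int irq)
{
	size_t off = 0;

	if (bufsz == 0)
		return 0;
	buf[0] = '\0';
	off = append_fmt(buf, bufsz, off, "%s%d", name, unit);
	off = append_fmt(buf, bufsz, off, " at 0x%lx", addr);
	if (irq >= 0)
		off = append_fmt(buf, bufsz, off, " irq %d", irq);
	return off;
}
```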

# 03 SYS/FS/ - with optimization rules
0x01 FIXED-rev1.3|LEAK: v7fs/v7fs_io.c rev1.2
     At l.99, 'buf' is leaked.
0x02 FIXED-rev1.50|USELESS INITIALIZATION: ntfs/ntfs_subr.c rev1.49
     At l.1789, it's useless to assign a value to the variable 'off' as it is
     reassigned at l.1811.

# 04 SYS/KERN/ - with optimization rules
     At l.1737, if (newp == NULL), 'dnode' is not initialized at l.1875.
0x02 FIXED-rev1.464|UNINITIALIZED VARIABLE: vfs_syscalls.c rev1.463
     At l.3188, if (vp->v_type != VLNK), 'auio' is not initialized at l.3204.
     It has already been fixed in OpenBSD, so you should have a look here.
0x03 FIXED-rev1.227|USELESS INITIALIZATION: subr_autoconf.c rev1.226
     At l.244, it's useless to assign a value to the variable 'i' as it is
     reassigned at l.246.
0x04 FIXED-rev1.245|USELESS INITIALIZATION: vfs_bio.c rev1.244
     At l.1439, it's useless to assign a value to the variable 'size' as it is
     reassigned at l.1448.

# 05 SYS/NFS/
     At l.741, 'mb' is used even though it is not initialized. It looks like
     you will have to reverse lines 741 and 742.

0x01 FIXED-rev1.47|PTR DEREFERENCE: sys_term.c rev1.46
     At l.703, 'nargv' is not null-checked. It seems that someone mistakenly
     put 'argv' instead of 'nargv' at l.705. It can cause crashes.

~ 2014

0x01 FIXED-rev1.4|DEAD CODE: sys/dev/acpi/tpm_acpi.c rev1.3
     At l.190, braces are missing. The function always jumps to 'out1'.
0x02 FIXED-rev1.21|UNINITIALIZED VARIABLE: sys/arch/arm/ep93xx/epclk.c rev1.20
     At l.157, 'first_run' may not be initialized.
0x03 FIXED-rev1.156|LEAK: sys/netinet/if_arp.c rev1.155
     At l.1477, 'm' is leaked.


Scanned folders: Here and there...
RED: #20, important
ORANGE: #6, not very important

0x01 LEAK: sys/altq/altq_jobs.c rev1.6
     Leak of 'result' with malloc() at l.1161.
0x02 LEAK: sys/altq/altq_jobs.c rev1.6
     Leak of 'result', 'c', 'n', 'k' with malloc() from l.1286 to l.1299.

# 02 SYS/DEV
0x01 LEAK: sys/dev/ic/oosiop.c rev1.13
     Leak of 'cb' with malloc() at l.272.
0x02 LEAK: sys/dev/rasops/rasops.c rev1.71
     Leak of 'f' with malloc() at l.1357.
0x03 LEAK: sys/dev/if_ndis/if_ndis_pci.c rev1.19
     Leak of 'rl' with malloc() at l.237.
0x04 LEAK: sys/dev/dm/dm_target_snapshot.c rev1.16
     Leak of 'tsc' with kmem_alloc() at l.236.
0x05 LEAK: sys/dev/dm/dm_target_stripe.c rev1.19
     Leak of 'tsc' and 'tlc' with kmem_alloc() at l.160.
0x06 LEAK: sys/dev/dm/dm_target_stripe.c rev1.19
     Leak of 'params' with kmem_alloc() at l.187.
0x07 LEAK: sys/dev/qbus/if_qe.c rev1.72
     Leak of 'ring' with malloc() at l.165.
0x08 PARSER BUG: sys/dev/vme/if_ie_vme.c rev1.30
     My code scanner choked when parsing line 427:
          sizeof(sizeof(struct ievme))
     Even from a human point of view, what does it mean?

# 03 SYS/NET*
0x01 LEAK: sys/net/if_gre.c rev1.157
     Leak of 'sc' with malloc() at l.307.
0x02 LEAK: sys/netinet6/ip6_output.c rev1.157
     Leak of 'optbuf' with malloc() at l.1602. Triggerable from root:
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main() {
    int sock;
    struct in6_pktinfo pktinfo;
    if ((sock = socket(AF_INET6, SOCK_RAW, 0)) == -1)
        return -1;
    /* Wrong option length: the kernel allocates 'optbuf', then rejects the
     * request without freeing it. */
    while (1)
        setsockopt(sock, IPPROTO_IPV6, IPV6_PKTINFO, &pktinfo, sizeof(pktinfo) + 1);
    /* The kernel runs out of memory */
}
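Added example (mine, not NetBSD code) of the bug shape behind this entry and the other LEAK entries on this page: a buffer is allocated before the request is fully validated, and the validation failure path returns without freeing it. The option setter, its length constants and the allocation counter are a constructed userland model, not the ip6_output.c code.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Allocation counter: stands in for a kernel leak check (constructed). */
static int live_allocs;

static void *track_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void track_free(void *p) { if (p) { live_allocs--; free(p); } }

#define OPT_MAX		64
#define OPT_EXPECTED_LEN	20	/* stands in for sizeof(struct in6_pktinfo) */

/* Buggy shape: 'optbuf' is allocated and filled, then the length check
 * fails and the function returns without freeing it. */
static int
setopt_leaky(const void *user, size_t len)
{
	char *optbuf;

	if (len > OPT_MAX)
		return EINVAL;
	optbuf = track_alloc(len);
	if (optbuf == NULL)
		return ENOMEM;
	memcpy(optbuf, user, len);		/* copyin() in the kernel */
	if (len != OPT_EXPECTED_LEN)
		return EINVAL;			/* BUG: optbuf never freed */
	track_free(optbuf);
	return 0;
}

/* Fixed shape: one exit path; every error after the allocation goes
 * through it, so the buffer is released whatever the outcome. */
static int
setopt_fixed(const void *user, size_t len)
{
	char *optbuf;
	int error = 0;

	if (len > OPT_MAX)
		return EINVAL;
	optbuf = track_alloc(len);
	if (optbuf == NULL)
		return ENOMEM;
	memcpy(optbuf, user, len);
	if (len != OPT_EXPECTED_LEN)
		error = EINVAL;
	/* option would be applied here on success */
	track_free(optbuf);
	return error;
}
```

Repeating setopt_leaky() with a bad length grows live_allocs on every call, which is exactly what the loop in the trigger above does to the kernel.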

# 04 SYS/{FS/UFS}
0x01 UNINITIALIZED VAR: sys/fs/smbfs/smbfs_smb.c rev1.44
     Uninitialized var 'rqp' at l.781.
0x02 UNUSED MACRO: sys/ufs/ext2fs/ext2fs_readwrite.c rev1.64
     Unused macros 'doclusterread' and 'doclusterwrite'.
0x03 LEAK: sys/ufs/chfs/chfs_scan.c rev1.4
     Leak of 'buf' with kmem_alloc() at l.447.
0x04 LEAK: sys/ufs/chfs/ebh.c rev1.3
     Leak of 'peb' with kmem_alloc() at l.832 and l.860.
0x05 LEAK: sys/ufs/chfs/chfs_readinode.c rev1.8
     Leak of 'buf' with kmem_alloc() at l.805.
0x06 LEAK: sys/ufs/chfs/chfs_vnode.c rev1.10
     Leak of 'buf' with kmem_alloc() at l.98.
0x07 LEAK: sys/ufs/chfs/chfs_gc.c rev1.5
     Leak of 'data' with kmem_alloc() at l.729.

0x01 POINTLESS CAST: sys/kern/kern_ctf.c rev1.3
     Pointless cast of 'ctfaddr' to 'uint8_t' at l.207.
0x02 POINTLESS CAST: sys/kern/kgdb_stub.c rev1.27
     Pointless cast of 'len' to 'size_t' at l.468 and l.499.
0x03 POINTLESS CAST: sys/kern/sys_process.c rev1.163
     Pointless cast of 'kl' to 'size_t' at l.1014.
0x04 POINTLESS CAST: sys/kern/kern_descrip.c rev1.225
     Pointless cast of 'lastfile' to 'int' at l.1460.
0x05 POINTLESS CAST: sys/kern/kern_ktrace.c rev1.164
     Pointless cast of 'user_dta' to 'void' at l.933.

0x01 EMPTY COMPILER BLOCK: sys/compat/svr4/svr4_stat.c rev1.69
     Empty compiler block at l.480.

0x01 LEAK: sys/rump/librump/rumpvfs/rumpfs.c rev1.129
     Leak of 'rfsmp' with kmem_alloc() at l.1744.