iotivity/iotivity-lite

Coverity issues


Coverity issues reported by https://scan.coverity.com/projects/iotivity-iotivity-lite?tab=overview (or by other developers running custom Coverity scans):

Internal nightly scan

Impact: High

Version: b2b66ef

  • Out-of-bounds write (321043, storage.c:120)

Version: 9415446

  • Resource leak (319261, security/oc_roles.c:152)
  • Resource leak (319258, security/oc_obt.c:2097)
  • Resource leak (319254, api/cloud/oc_cloud_deregister.c:307)
  • Resource leak (319252, messaging/coap/separate.c:160)
  • Resource leak (319251, security/oc_oscore_context.c:147)
  • Resource leak (319246, security/oc_obt.c:1335)
  • Resource leak (319244, messaging/coap/oscore.c:64)
  • Out-of-bounds access (319243, observe.c:508)
  • Destination buffer too small (319240, apps/cloud_proxy.c:1360)
  • Out-of-bounds access (319239, security/oc_obt.c:1113)
  • Resource leak (319234, apps/cloud_proxy.c:1366)
  • Out-of-bounds access (319233, messaging/coap/oscore.c:305)
  • Resource leak (319232, security/oc_obt.c:1609)
  • Resource leak (319231, security/oc_obt.c:1171)
  • Out-of-bounds access (319229, security/oc_obt.c:1296)
  • Uninitialized scalar variable (319228, security/oc_obt.c:488)
  • Out-of-bounds access (319227, security/oc_obt.c:1057)
  • Out-of-bounds access (319225, messaging/coap/oscore.c:288)
  • Resource leak (319222, security/oc_obt.c:2630)
  • Copy of overlapping memory (319221, security/oc_tls.c:2786)
  • Out-of-bounds access (319217, security/oc_cred.c:996)
  • Resource leak (319216, security/oc_obt.c:903)
  • Resource leak (319214, python/oc_python.c:1442)
  • Uninitialized scalar variable (319210, security/oc_oscore_engine.c:256)
  • Resource leak (319207, security/oc_obt.c:2043)
  • String not null terminated (319205, apps/cloud_server.c:902)
  • Resource leak (319204, messaging/coap/engine.c:133)
  • Resource leak (319203, security/oc_obt.c:2258)

Impact: Medium

  • Logically dead code (319262, port/linux/ipadapter.c:897)
  • Truncated stdio return value (319256, apps/server_rules.c)
  • Unchecked return value from library (319255, apps/simpleserver-resourcedefaults.c:1191)
  • Argument cannot be negative (319253, apps/server_certification_tests.c:576)
  • Logically dead code (319248, security/oc_tls.c:2341)
  • Unchecked return value (319247, apps/simpleserver_pki.c:436)
  • Unchecked return value (319242, api/cloud/oc_cloud_resource.c:127)
  • Unchecked return value (319236, api/cloud/oc_cloud_resource.c:176)
  • Untrusted loop bound (319224, onboarding_tool/obtmain.c:1626)
  • Dereference after null check (319218, apps/cloud_proxy.c:1598)
  • Untrusted loop bound (319215, port/linux/ipadapter.c:896)
  • Untrusted loop bound (319213, port/linux/tcpsession.c:441)
  • Constant expression result (319212, security/oc_tls.c:2339)
  • Dereference before null check (319211, api/oc_collection.c:914)
  • Unchecked return value from library (319209, apps/smart_home_server_linux.c:72)
  • Unchecked return value (319206, apps/simpleserver_pki.c:438)

Impact: Low

  • Copy into fixed size buffer (319263, apps/cloud_proxy.c:1138)
  • 'Constant' variable guards dead code (319260, apps/simpleserver-resourcedefaults.c:475)
  • 'Constant' variable guards dead code (319257, apps/cloud_proxy.c:564)
  • Copy into fixed size buffer (319250, security/oc_obt.c:2270)
  • Copy into fixed size buffer (319241, apps/server_rules.c:704)
  • 'Constant' variable guards dead code (319237, apps/server_certification_tests.c:1298)
  • Copy into fixed size buffer (319235, apps/cloud_proxy.c:1238)
  • Calling risky function (319230, apps/client_certification_tests.c:835)
  • Copy into fixed size buffer (319226, apps/cloud_proxy.c:1061)
  • Copy into fixed size buffer (319223, python/oc_python.c:1926)
  • Copy into fixed size buffer (319220, apps/push_configurator_multithread_linux.c:342)
  • Copy into fixed size buffer (319219, apps/server_rules.c:667)

Reported by other teams

Impact: High

  • Out-of-bounds access (55558, coap_remove_observer_by_resource, messaging/coap/observe.c:404)
    Trace
  • Out-of-bounds access (55593, security/oc_tls.c:2750)
    Trace
  • Uninitialized scalar variable (55709, security/oc_tls.c:488)
    Trace
    Duplicate of 319228
  • Use of 32-bit time_t (55774, port/linux/clock.c:58)
    Trace
  • Out-of-bounds access (55868, coap_remove_observer_by_resource, messaging/coap/observe.c:404)
    Trace

Impact: Medium

  • Logically dead code (55766, security/oc_tls.c:2305)
    Trace
  • Logically dead code (55687, port/linux/ipadapter.c:1088)
    Trace
  • Unintentional integer overflow (55943, port/linux/tcpsession.c:1241)
    Trace
  • Unintentional integer overflow (55938, port/linux/tcpsession.c:1241)
    Trace
  • Unintended sign extension (55942, port/linux/tcpsession.c:1249)
    Trace
  • Unintended sign extension (55937, port/linux/tcpsession.c:1171)
    Trace
  • Unintended sign extension (55910, api/oc_server_api.c:844)
    Trace
  • Overflowed return value (55864, security/oc_certs.c:103)
    Trace
  • Overflowed return value (55610, security/oc_certs.c:136)
    Trace
          133 bool
          134 oc_sec_certs_ecp_group_id_is_allowed(mbedtls_ecp_group_id gid)
          135 {
            1. Condition gid != MBEDTLS_ECP_DP_NONE, taking false branch.
            2. overflow: Subtract operation overflows on operands gid and 1U.
            CID 55610 (#5 of 5): Overflowed return value (INTEGER_OVERFLOW)
            3. overflow_sink: Overflowed or truncated value (or a value computed from an overflowed or truncated value) gid != MBEDTLS_ECP_DP_NONE && ((1 << gid - 1U) & g_allowed_ecp_grpids_mask) != 0U used as return value.
          136   return gid != MBEDTLS_ECP_DP_NONE &&
          137          (MBEDTLS_X509_ID_FLAG(gid) & g_allowed_ecp_grpids_mask) != 0;
          138 }
      
  • Unchecked return value (55650, api/cloud/oc_cloud_resource.c:174)
    Trace
  • Unchecked return value (55781, security/oc_obt.c:626)
    Trace
  • Dereference before null check (55782, api/oc_collection.c:914)
    Trace
  • Explicit null dereferenced
    Trace
          260 int
          261 oc_sec_sdi_encode(size_t device, oc_interface_mask_t iface_mask)
          262 {
          263   const oc_sec_sdi_t *sdi = oc_sec_sdi_get(device);
            1. assign_zero: Assigning: sdi_res = NULL.
          264   const oc_resource_t *sdi_res = NULL;
            2. Condition (iface_mask & OC_IF_BASELINE) != 0, taking false branch.
          265   if ((iface_mask & OC_IF_BASELINE) != 0) {
          266     sdi_res = oc_core_get_resource_by_index(OCF_SEC_SDI, device);
          267   }
            CID 57077 (#1 of 1): Explicit null dereferenced (FORWARD_NULL)
            3. var_deref_model: Passing null pointer sdi_res to oc_sec_sdi_encode_with_resource, which dereferences it.
          268   return oc_sec_sdi_encode_with_resource(sdi, sdi_res, iface_mask);
          269 }
      
  • Bad comparison of floating-point expressions
    Trace
          279   // tag-pos-rel
          280   const double *pos = resource->tag_pos_rel;
            CID 57076 (#1-3 of 3): Bad comparison of floating-point expressions (FLOATING_POINT_EQUALITY)
            1. floating_point_equality: Floating point expression pos[0] is compared using operator !=.
          281   if (pos[0] != 0 || pos[1] != 0 || pos[2] != 0) {
          282     oc_rep_set_key(oc_rep_object(link), "tag-pos-rel");
          283     oc_rep_start_array(oc_rep_object(link), tag_pos_rel);
          284     oc_rep_add_double(tag_pos_rel, pos[0]);
          285     oc_rep_add_double(tag_pos_rel, pos[1]);
          286     oc_rep_add_double(tag_pos_rel, pos[2]);
          287     oc_rep_end_array(oc_rep_object(link), tag_pos_rel);
          288   }