• New Defects reported by Coverity Scan for Synchronet

    From scan-admin@coverity.com@1:103/705 to cov-scan@synchro.net on Sunday, January 05, 2025 15:11:19
    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    2 new defect(s) introduced to Synchronet found with Coverity Scan.


    New defect(s) Reported-by: Coverity Scan
    Showing 2 of 2 defect(s)


    ** CID 529876: (OVERRUN)
    /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 457 in lzh_update()
    /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 458 in lzh_update()


    ________________________________________________________________________________________________________
    *** CID 529876: (OVERRUN)
    /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 457 in lzh_update()
    451
    452 tmp = huff->child[c];
    453 huff->parent[tmp] = l;
    454 if (tmp < LZH_TABLE_SZ)
    455 huff->parent[tmp + 1] = l;
    456
    CID 529876: (OVERRUN)
    Overrunning array "huff->child" of 628 2-byte elements at element index 628 (byte offset 1257) using index "l" (which evaluates to 628).
    457 tmp2 = huff->child[l];
    458 huff->child[l] = tmp;
    459
    460 huff->parent[tmp2] = c;
    461 if (tmp2 < LZH_TABLE_SZ)
    462 huff->parent[tmp2 + 1] = c;
    /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 458 in lzh_update()
    452 tmp = huff->child[c];
    453 huff->parent[tmp] = l;
    454 if (tmp < LZH_TABLE_SZ)
    455 huff->parent[tmp + 1] = l;
    456
    457 tmp2 = huff->child[l];
    CID 529876: (OVERRUN)
    Overrunning array "huff->child" of 628 2-byte elements at element index 628 (byte offset 1257) using index "l" (which evaluates to 628).
    458 huff->child[l] = tmp;
    459
    460 huff->parent[tmp2] = c;
    461 if (tmp2 < LZH_TABLE_SZ)
    462 huff->parent[tmp2 + 1] = c;
    463 huff->child[c] = tmp2;

    ** CID 529875: (OVERRUN)
    /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 450 in lzh_update()
    /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 449 in lzh_update()
    /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 445 in lzh_update()


    ________________________________________________________________________________________________________
    *** CID 529875: (OVERRUN)
    /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 450 in lzh_update()
    444 // If we exited before the end of table, decrement l
    445 if (tmp <= huff->freq[l])
    446 l--;
    447
    448 // Now swap nodes
    449 huff->freq[c] = huff->freq[l];
    CID 529875: (OVERRUN)
    Overrunning array "huff->freq" of 628 2-byte elements at element index 628 (byte offset 1257) using index "l" (which evaluates to 628).
    450 huff->freq[l] = tmp;
    451
    452 tmp = huff->child[c];
    453 huff->parent[tmp] = l;
    454 if (tmp < LZH_TABLE_SZ)
    455 huff->parent[tmp + 1] = l;
    /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 449 in lzh_update()
    443
    444 // If we exited before the end of table, decrement l
    445 if (tmp <= huff->freq[l])
    446 l--;
    447
    448 // Now swap nodes
    CID 529875: (OVERRUN)
    Overrunning array "huff->freq" of 628 2-byte elements at element index 628 (byte offset 1257) using index "l" (which evaluates to 628).
    449 huff->freq[c] = huff->freq[l];
    450 huff->freq[l] = tmp;
    451
    452 tmp = huff->child[c];
    453 huff->parent[tmp] = l;
    454 if (tmp < LZH_TABLE_SZ)
    /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 445 in lzh_update()
    439 * that has a lower frequency than our new one
    440 */
    441 for (l = c + 1; l <= LZH_TABLE_SZ && tmp > huff->freq[l]; l++)
    442 ;
    443
    444 // If we exited before the end of table, decrement l
    CID 529875: (OVERRUN)
    Overrunning array "huff->freq" of 628 2-byte elements at element index 628 (byte offset 1257) using index "l" (which evaluates to 628).
    445 if (tmp <= huff->freq[l])
    446 l--;
    447
    448 // Now swap nodes
    449 huff->freq[c] = huff->freq[l];
    450 huff->freq[l] = tmp;


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3DVjXG_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQYmOS4dF7bzpu1cVppVHTeUZERPDt2v2E4lCt9lCuWdNtkNglNtUqzAPEUlnwGBzZlBueizPFLO26MyF5roLbzi-2F0G80IHg4mwTrYLGZfPUf8Sg5333ueo95zQQtd4OVT7zx85Gr8TBXnJTKyUKhNeMTemzlJoM0HPQHEa-2FpXlaaw-3D-3D


    --- SBBSecho 3.23-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From scan-admin@coverity.com@1:103/705 to cov-scan@synchro.net on Wednesday, January 08, 2025 13:40:58
    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    1 new defect(s) introduced to Synchronet found with Coverity Scan.


    New defect(s) Reported-by: Coverity Scan
    Showing 1 of 1 defect(s)


    ** CID 529977: Incorrect expression (SIZEOF_MISMATCH)
    /atcodes.cpp: 2311 in sbbs_t::atcode(const char *, char *, unsigned long, int *, bool, JSObject *)()


    ________________________________________________________________________________________________________
    *** CID 529977: Incorrect expression (SIZEOF_MISMATCH)
    /atcodes.cpp: 2311 in sbbs_t::atcode(const char *, char *, unsigned long, int *, bool, JSObject *)()
    2305 : (current_file->from == nullptr ? nulstr : current_file->from);
    2306 if(strcmp(sp, "FILE_BYTES") == 0) {
    2307 safe_snprintf(str, maxlen, "%ld", (long)current_file->size);
    2308 return str;
    2309 }
    2310 if(strcmp(sp, "FILE_SIZE") == 0)
    CID 529977: Incorrect expression (SIZEOF_MISMATCH)
    Passing argument "str" of type "char *" and argument "8UL /* sizeof (str) */" to function "byte_estimate_to_str" is suspicious.
    2311 return byte_estimate_to_str(current_file->size, str, sizeof str, /* units: */1024, /* precision: */1);
    2312 if(strcmp(sp, "FILE_CREDITS") == 0) {
    2313 safe_snprintf(str, maxlen, "%" PRIu64, current_file->cost);
    2314 return str;
    2315 }
    2316 if(strcmp(sp, "FILE_CRC32") == 0) {


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan visit, http://url2497.blackduck.com/ls/click?upn=u001.Ji18sHaXCxZb7Rfw8sC51j9Suwl84vq-2FeHTSxCm409PbgTgYEdi2VnuaQNlDgcb5JjALxNeaZf2yWZEMA-2FE6JEQm092Z-2B02AUi7Sp54Z-2B6I-3DjXBk_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQZ-2BccbwOBuD5ui7v9trYaUtAyk5nXDg6l2xX3MkPoD01xhpnfT-2Fkg6ap91bIfb4XqTQXNlxWOzjRjRNOVMZ2H7I9Q-2BXHowhaav-2B3SVUHs-2B21No7COFVbHUcCKKxzwKovyWxOeYInAxTYvAJs43a5sYtCMrwgWJgXbztBD8zm37Rwg-3D-3D


    --- SBBSecho 3.23-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From scan-admin@coverity.com@1:103/705 to cov-scan@synchro.net on Thursday, January 09, 2025 20:33:48
    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    1 new defect(s) introduced to Synchronet found with Coverity Scan.
    1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

    New defect(s) Reported-by: Coverity Scan
    Showing 1 of 1 defect(s)


    ** CID 529991: Control flow issues (DEADCODE)
    /tmp/sbbs-Jan-09-2025/src/xpdev/genwrap.c: 1151 in xp_fast_timer64()


    ________________________________________________________________________________________________________
    *** CID 529991: Control flow issues (DEADCODE)
    /tmp/sbbs-Jan-09-2025/src/xpdev/genwrap.c: 1151 in xp_fast_timer64()
    1145 if (clock_getres(CLOCK_MONOTONIC_RAW, &ts) == 0)
    1146 cid = CLOCK_MONOTONIC_RAW;
    1147 }
    1148 cid = CLOCK_MONOTONIC_RAW;
    1149 #endif
    1150 if (cid == CLOCK_REALTIME)
    CID 529991: Control flow issues (DEADCODE)
    Execution cannot reach this statement: "cid = 1;".
    1151 cid = CLOCK_MONOTONIC;
    1152
    1153 if (clock_gettime(cid, &ts) == 0)
    1154 ret = ts.tv_sec;
    1155 else
    1156 ret = -1;


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan visit, http://url2497.blackduck.com/ls/click?upn=u001.Ji18sHaXCxZb7Rfw8sC51j9Suwl84vq-2FeHTSxCm409PbgTgYEdi2VnuaQNlDgcb5JjALxNeaZf2yWZEMA-2FE6JEQm092Z-2B02AUi7Sp54Z-2B6I-3DJzn7_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQYw9HgWY5fw-2BKTu3iNJoyd7G2ZoeBsWXuqG5dV8s2gHJJ3z7riRhQ4NsZmnjMPwb0d5EgUIDxBYRgoxCBOeIJM-2FTyx1gDXnmdIG86yJoS96pjUoxOjapj4QBWqvYthXwRmCXtEhEMTEAYvLzxwt5vpbI04EqHQ4ulGmUuTBimQnkA-3D-3D


    --- SBBSecho 3.23-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From scan-admin@coverity.com@1:103/705 to cov-scan@synchro.net on Friday, January 10, 2025 17:21:22
    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    3 new defect(s) introduced to Synchronet found with Coverity Scan.


    New defect(s) Reported-by: Coverity Scan
    Showing 3 of 3 defect(s)


    ** CID 530002: (NULL_RETURNS)
    /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1544 in bitmap_clrscr()


    ________________________________________________________________________________________________________
    *** CID 530002: (NULL_RETURNS)
    /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1547 in bitmap_clrscr()
    1541 cols = vstat.cols;
    1542 for (y = cio_textinfo.wintop - 1; y < cio_textinfo.winbottom && y < rows; y++) {
    1543 for (x = cio_textinfo.winleft - 1; x < cio_textinfo.winright && x < cols; x++) {
    1544 va[c++] = *set_vmem_cell(vmem_ptr, y * cio_textinfo.screenwidth + x, fill, ciolib_fg, ciolib_bg);
    1545 }
    1546 }
    CID 530002: (NULL_RETURNS)
    Dereferencing a pointer that might be "NULL" "va" when calling "bitmap_draw_vmem".
    1547 bitmap_draw_vmem(cio_textinfo.winleft, cio_textinfo.wintop, cio_textinfo.winright, cio_textinfo.winbottom, va);
    1548 release_vmem(vmem_ptr);
    1549 pthread_mutex_unlock(&vstatlock);
    1550 }
    1551
    1552 void bitmap_getcustomcursor(int *s, int *e, int *r, int *b, int *v)
    /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1544 in bitmap_clrscr()
    1538 pthread_mutex_lock(&vstatlock);
    1539 vmem_ptr = get_vmem(&vstat);
    1540 rows = vstat.rows;
    1541 cols = vstat.cols;
    1542 for (y = cio_textinfo.wintop - 1; y < cio_textinfo.winbottom && y < rows; y++) {
    1543 for (x = cio_textinfo.winleft - 1; x < cio_textinfo.winright && x < cols; x++) {
    CID 530002: (NULL_RETURNS)
    Dereferencing "va", which is known to be "NULL".
    1544 va[c++] = *set_vmem_cell(vmem_ptr, y * cio_textinfo.screenwidth + x, fill, ciolib_fg, ciolib_bg);
    1545 }
    1546 }
    1547 bitmap_draw_vmem(cio_textinfo.winleft, cio_textinfo.wintop, cio_textinfo.winright, cio_textinfo.winbottom, va);
    1548 release_vmem(vmem_ptr);
    1549 pthread_mutex_unlock(&vstatlock);

    ** CID 530001: (EVALUATION_ORDER)
    /pack_qwk.cpp: 750 in sbbs_t::pack_qwk(char *, unsigned int *, bool)()
    /pack_qwk.cpp: 750 in sbbs_t::pack_qwk(char *, unsigned int *, bool)()


    ________________________________________________________________________________________________________
    *** CID 530001: (EVALUATION_ORDER)
    /pack_qwk.cpp: 750 in sbbs_t::pack_qwk(char *, unsigned int *, bool)()
    744 lprintf(LOG_ERR, "libarchive error (%s) creating %s", error, packet);
    745 else
    746 lprintf(LOG_INFO, "libarchive created %s from %d files", packet, file_count);
    747 }
    748 if(flength(packet) < 1) {
    749 remove(packet);
    CID 530001: (EVALUATION_ORDER)
    In argument #1 of "this->external(this->cmdstr(this->temp_cmd(ex), packet, path, NULL, ex), ex | 1, NULL)", a call is made to "this->temp_cmd(ex)". In argument #1 of this function, the object "ex" is modified. This object is also used in "ex | 1", the argument #2 of the outer function call. The order in which these arguments are evaluated is not specified, and will vary between platforms.
    750 if((i = external(cmdstr(temp_cmd(ex),packet,path,NULL,ex), ex|EX_WILDCARD)) != 0)
    751 errormsg(WHERE, ERR_EXEC, cmdstr_output, i);
    752 if(flength(packet) < 1) {
    753 bputs(text[QWKCompressionFailed]);
    754 return(false);
    755 }
    /pack_qwk.cpp: 750 in sbbs_t::pack_qwk(char *, unsigned int *, bool)()
    744 lprintf(LOG_ERR, "libarchive error (%s) creating %s", error, packet);
    745 else
    746 lprintf(LOG_INFO, "libarchive created %s from %d files", packet, file_count);
    747 }
    748 if(flength(packet) < 1) {
    749 remove(packet);
    CID 530001: (EVALUATION_ORDER)
    In argument #1 of "this->cmdstr(this->temp_cmd(ex), packet, path, NULL, ex)", a call is made to "this->temp_cmd(ex)". In argument #1 of this function, the object "ex" is modified. This object is also used in "ex", the argument #5 of the outer function call. The order in which these arguments are evaluated is not specified, and will vary between platforms.
    750 if((i = external(cmdstr(temp_cmd(ex),packet,path,NULL,ex), ex|EX_WILDCARD)) != 0)
    751 errormsg(WHERE, ERR_EXEC, cmdstr_output, i);
    752 if(flength(packet) < 1) {
    753 bputs(text[QWKCompressionFailed]);
    754 return(false);
    755 }

    ** CID 530000: (RESOURCE_LEAK)
    /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1550 in bitmap_clrscr()
    /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1536 in bitmap_clrscr()


    ________________________________________________________________________________________________________
    *** CID 530000: (RESOURCE_LEAK)
    /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1550 in bitmap_clrscr()
    1544 va[c++] = *set_vmem_cell(vmem_ptr, y * cio_textinfo.screenwidth + x, fill, ciolib_fg, ciolib_bg);
    1545 }
    1546 }
    1547 bitmap_draw_vmem(cio_textinfo.winleft, cio_textinfo.wintop, cio_textinfo.winright, cio_textinfo.winbottom, va);
    1548 release_vmem(vmem_ptr);
    1549 pthread_mutex_unlock(&vstatlock);
    CID 530000: (RESOURCE_LEAK)
    Variable "va" going out of scope leaks the storage it points to.
    1550 }
    1551
    1552 void bitmap_getcustomcursor(int *s, int *e, int *r, int *b, int *v)
    1553 {
    1554 pthread_mutex_lock(&vstatlock);
    1555 if(s)
    /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1536 in bitmap_clrscr()
    1530 struct vstat_vmem *vmem_ptr;
    1531 size_t c = 0;
    1532 int rows, cols;
    1533 struct vmem_cell *va = malloc(((cio_textinfo.winright - cio_textinfo.winleft + 1) * (cio_textinfo.winbottom - cio_textinfo.wintop + 1)) * sizeof(struct vmem_cell));
    1534
    1535 if(!bitmap_initialized)
    CID 530000: (RESOURCE_LEAK)
    Variable "va" going out of scope leaks the storage it points to.
    1536 return;
    1537
    1538 pthread_mutex_lock(&vstatlock);
    1539 vmem_ptr = get_vmem(&vstat);
    1540 rows = vstat.rows;
    1541 cols = vstat.cols;


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


    --- SBBSecho 3.23-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From scan-admin@coverity.com@1:103/705 to cov-scan@synchro.net on Sunday, January 12, 2025 15:13:29
    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    46 new defect(s) introduced to Synchronet found with Coverity Scan.
    22 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

    New defect(s) Reported-by: Coverity Scan
    Showing 20 of 46 defect(s)


    ** CID 530529: Insecure data handling (INTEGER_OVERFLOW)


    ________________________________________________________________________________________________________
    *** CID 530529: Insecure data handling (INTEGER_OVERFLOW)
    /str.cpp: 420 in sbbs_t::sif(char *, char *, int)()
    414 answers[a+cr]=str[cr];
    415 while(cr<max)
    416 answers[a+cr++]=ETX;
    417 a+=max;
    418 }
    419 else {
    CID 530529: Insecure data handling (INTEGER_OVERFLOW)
    "max", which might have underflowed, is passed to "putrec(answers, a, max, str)".
    420 putrec(answers,a,max,str);
    421 putrec(answers,a+max,2,crlf);
    422 a+=max+2;
    423 }
    424 }
    425 }

    ** CID 530527: Data race undermines locking (LOCK_EVASION)
    /download.cpp: 188 in sbbs_t::protocol(prot_t *, XFER_TYPE, const char *, const char *, bool, bool, long *)()


    ________________________________________________________________________________________________________
    *** CID 530527: Data race undermines locking (LOCK_EVASION)
    /download.cpp: 188 in sbbs_t::protocol(prot_t *, XFER_TYPE, const char *, const char *, bool, bool, long *)()
    182 logline(LOG_DEBUG,nulstr,protlog);
    183 }
    184 fclose(stream);
    185 }
    186
    187 CRLF;
    CID 530527: Data race undermines locking (LOCK_EVASION)
    Thread1 sets "sys_status" to a new value. Now the two threads have an inconsistent view of "sys_status" and updates to fields correlated with "sys_status" may be lost.
    188 if(autohang) sys_status|=SS_PAUSEOFF; /* Pause off after download */
    189 if(elapsed != nullptr) {
    190 *elapsed = end - start;
    191 if(*elapsed < 0)
    192 *elapsed = 0;
    193 }

    ** CID 530526: Control flow issues (UNREACHABLE)
    /uedit/uedit.c: 2189 in main()


    ________________________________________________________________________________________________________
    *** CID 530526: Control flow issues (UNREACHABLE)
    /uedit/uedit.c: 2189 in main()
    2183 edit_user(&cfg, atoi(opt[i]));
    2184 break;
    2185 }
    2186 }
    2187 }
    2188 }
    CID 530526: Control flow issues (UNREACHABLE)
    This code cannot be reached: "free_opts(opt);".
    2189 free_opts(opt);

    ** CID 530525: Insecure data handling (INTEGER_OVERFLOW)
    /getmsg.cpp: 540 in sbbs_t::getmsgnum(int, long)()


    ________________________________________________________________________________________________________
    *** CID 530525: Insecure data handling (INTEGER_OVERFLOW)
    /getmsg.cpp: 540 in sbbs_t::getmsgnum(int, long)()
    534 errormsg(WHERE,ERR_OPEN,smb.file,i,smb.last_error);
    535 return 0;
    536 }
    537 int result = smb_getmsgidx_by_time(&smb, &idx, t);
    538 smb_close(&smb);
    539 if(result >= SMB_SUCCESS)
    CID 530525: Insecure data handling (INTEGER_OVERFLOW)
    "idx.number - 1U", which might have underflowed, is returned from the function.
    540 return idx.number - 1;
    541 return ~0;
    542 }
    543
    544 /****************************************************************************/
    545 /* Returns the time of the message number pointed to by 'ptr' */

    ** CID 530524: Data race undermines locking (LOCK_EVASION)
    /exec.cpp: 1410 in sbbs_t::exec(csi_t *)()


    ________________________________________________________________________________________________________
    *** CID 530524: Data race undermines locking (LOCK_EVASION)
    /exec.cpp: 1410 in sbbs_t::exec(csi_t *)()
    1404 csi->logic=strnicmp(csi->str,(char*)csi->ip,strlen((char*)csi->ip));
    1405 break;
    1406 default:
    1407 errormsg(WHERE,ERR_CHK,"shell instruction",*(csi->ip-1));
    1408 break;
    1409 }
    CID 530524: Data race undermines locking (LOCK_EVASION)
    Thread1 sets "ip" to a new value. Now the two threads have an inconsistent view of "ip" and updates to fields correlated with "ip" may be lost.
    1410 while(*(csi->ip++)); /* Find NULL */
    1411 return(0);
    1412 }
    1413
    1414 if(*csi->ip>=CS_THREE_BYTE) {
    1415 switch(*(csi->ip++)) {

    ** CID 530523: Insecure data handling (INTEGER_OVERFLOW)


    ________________________________________________________________________________________________________
    *** CID 530523: Insecure data handling (INTEGER_OVERFLOW)
    /chat.cpp: 178 in sbbs_t::multinodechat(int)()
    172 SAFECAT(str,"0");
    173 i=getkeys(str,cfg.total_chans);
    174 if(i&0x80000000L) { /* change channel */
    175 savch=(char)(i&~0x80000000L);
    176 if(savch==channel)
    177 continue;
    CID 530523: Insecure data handling (INTEGER_OVERFLOW)
    "savch - 1", which might have underflowed, is passed to "this->chan_access(savch - 1)".
    178 if(!chan_access(savch-1))
    179 continue;
    180 bprintf(text[WelcomeToChannelN]
    181 ,savch,cfg.chan[savch-1]->name);
    182
    183 usrs=0;

    ** CID 530521: Control flow issues (DEADCODE)
    /websrvr.c: 6459 in read_post_data()


    ________________________________________________________________________________________________________
    *** CID 530521: Control flow issues (DEADCODE)
    /websrvr.c: 6459 in read_post_data()
    6453 if(ch_len==0)
    6454 break;
    6455 /* Check size */
    6456 s += ch_len;
    6457 if(s > MAX_POST_LEN) {
    6458 if(s > SIZE_MAX) {
    CID 530521: Control flow issues (DEADCODE)
    Execution cannot reach this statement: "send_error(session, 6459U, ...".
    6459 send_error(session,__LINE__,"413 Request entity too large");
    6460 FCLOSE_OPEN_FILE(fp);
    6461 return(false);
    6462 }
    6463 if(fp==NULL) {
    6464 fp=open_post_file(session);

    ** CID 530517: Resource leaks (RESOURCE_LEAK)
    /sbbsecho.c: 5884 in find_stray_packets()


    ________________________________________________________________________________________________________
    *** CID 530517: Resource leaks (RESOURCE_LEAK)
    /sbbsecho.c: 5884 in find_stray_packets()
    5878 }
    5879 if(terminator == FIDO_PACKET_TERMINATOR)
    5880 lprintf(LOG_DEBUG, "Stray packet already finalized: %s", packet);
    5881 else {
    5882 if((pkt->fp = fopen(pkt->filename, "ab")) == NULL) {
    5883 lprintf(LOG_ERR, "ERROR %d (%s) opening %s", errno, strerror(errno), pkt->filename);
    CID 530517: Resource leaks (RESOURCE_LEAK)
    Freeing "pkt" without freeing its pointer field "filename" leaks the storage that "filename" points to.
    5884 free(pkt);
    5885 continue;
    5886 }
    5887 }
    5888 pkt->orig = pkt_orig;
    5889 pkt->dest = pkt_dest;

    ** CID 530516: Integer handling issues (INTEGER_OVERFLOW)
    /sbbsecho.c: 3920 in putfmsg()


    ________________________________________________________________________________________________________
    *** CID 530516: Integer handling issues (INTEGER_OVERFLOW)
    /sbbsecho.c: 3920 in putfmsg()
    3914 lastlen=9; /* +strlen(seenby); */
    3915 net_exists=0;
    3916 fprintf(stream,"\rSEEN-BY:");
    3917 }
    3918 }
    3919
    CID 530516: Integer handling issues (INTEGER_OVERFLOW)
    Expression "u++", where "u" is known to be equal to 4294967295, overflows the type of "u++", which is type "unsigned int".
    3920 for(u=0;u<area.links;u++) { /* Add all links to SEEN-BYs */
    3921 nodecfg_t* nodecfg=findnodecfg(&cfg, area.link[u], /* exact: */false);
    3922 if(nodecfg!=NULL && nodecfg->passive)
    3923 continue;
    3924 strcpy(seenby," ");
    3925 if(foreign_zone(addr.zone, area.link[u].zone) || area.link[u].point)

    ** CID 530515: Insecure data handling (INTEGER_OVERFLOW)
    /js_system.c: 1575 in js_get_node()


    ________________________________________________________________________________________________________
    *** CID 530515: Insecure data handling (INTEGER_OVERFLOW)
    /js_system.c: 1575 in js_get_node()
    1569 JS_DefineProperty(cx, nodeobj, "action", INT_TO_JSVAL((int)node.action), NULL, NULL, JSPROP_ENUMERATE);
    1570 JS_DefineProperty(cx, nodeobj, "activity", STRING_TO_JSVAL(JS_NewStringCopyZ(cx, node_activity(sys->cfg, &node, str, sizeof str, node_num))), NULL, NULL, JSPROP_ENUMERATE);
    1571 JS_DefineProperty(cx, nodeobj, "useron", INT_TO_JSVAL((int)node.useron), NULL, NULL, JSPROP_ENUMERATE);
    1572 JS_DefineProperty(cx, nodeobj, "connection", INT_TO_JSVAL((int)node.connection), NULL, NULL, JSPROP_ENUMERATE);
    1573 JS_DefineProperty(cx, nodeobj, "misc", INT_TO_JSVAL((int)node.misc), NULL, NULL, JSPROP_ENUMERATE);
    1574 JS_DefineProperty(cx, nodeobj, "aux", INT_TO_JSVAL((int)node.aux), NULL, NULL, JSPROP_ENUMERATE);
    CID 530515: Insecure data handling (INTEGER_OVERFLOW)
    The cast of "node.extaux" to a signed type could result in a negative number.
    1575 JS_DefineProperty(cx, nodeobj, "extaux", INT_TO_JSVAL((int)node.extaux), NULL, NULL, JSPROP_ENUMERATE);
    1576 JS_SET_RVAL(cx, arglist, OBJECT_TO_JSVAL(nodeobj));
    1577 return JS_TRUE;
    1578 }
    1579
    1580 static JSBool

    ** CID 530514: (INTEGER_OVERFLOW)
    /scansubs.cpp: 312 in sbbs_t::new_scan_ptr_cfg()()
    /scansubs.cpp: 375 in sbbs_t::new_scan_ptr_cfg()()


    ________________________________________________________________________________________________________
    *** CID 530514: (INTEGER_OVERFLOW)
    /scansubs.cpp: 312 in sbbs_t::new_scan_ptr_cfg()()
    306 else
    307 subscan[usrsub[i][j]].ptr=l-s;
    308 }
    309 progress(text[LoadingMsgPtrs], subs, total_subs);
    310 continue;
    311 }
    CID 530514: (INTEGER_OVERFLOW)
    Expression "i", where "(s & 0xffffffff7fffffffL) - 1L" is known to be equal to -1, overflows the type of "i", which is type "int".
    312 i=(s&~0x80000000L)-1;
    313 while(online) {
    314 l=0;
    315 bprintf(text[CfgSubLstHdr],cfg.grp[usrgrp[i]]->lname);
    316 for(j=0;j<usrsubs[i] && !msgabort();j++) {
    317 checkline();
    /scansubs.cpp: 375 in sbbs_t::new_scan_ptr_cfg()()
    369 subscan[usrsub[i][j]].ptr=l-s;
    370 }
    371 progress(text[LoadingMsgPtrs], j, usrsubs[i]);
    372 continue;
    373 }
    374 else {
    CID 530514: (INTEGER_OVERFLOW)
    Expression "j", where "(s & 0xffffffff7fffffffL) - 1L" is known to be equal to -1, overflows the type of "j", which is type "int".
    375 j=(s&~0x80000000L)-1;
    376 mnemonics(text[SetMsgPtrPrompt]);
    377 SAFEPRINTF2(keys, "%s%c", text[DateLastKeys], quit_key());
    378 s=getkeys(keys, 9999);
    379 if(s==-1 || s==quit_key())
    380 continue;

    ** CID 530512: Integer handling issues (INTEGER_OVERFLOW)
    /scansubs.cpp: 472 in sbbs_t::new_scan_cfg(unsigned int)()


    ________________________________________________________________________________________________________
    *** CID 530512: Integer handling issues (INTEGER_OVERFLOW)
    /scansubs.cpp: 472 in sbbs_t::new_scan_cfg(unsigned int)()
    466 subscan[usrsub[i][j]].cfg&=~SUB_CFG_YSCAN;
    467 subscan[usrsub[i][j]].cfg|=misc;
    468 }
    469 }
    470 continue;
    471 }
    CID 530512: Integer handling issues (INTEGER_OVERFLOW)
    Expression "j", where "(s & 0xffffffff7fffffffL) - 1L" is known to be equal to -1, overflows the type of "j", which is type "int".
    472 j=(s&~0x80000000L)-1;
    473 if(misc&SUB_CFG_NSCAN && !(subscan[usrsub[i][j]].cfg&misc)) {
    474 if(!(useron.rest&FLAG('Q')) && !noyes(text[MsgsToYouOnlyQ]))
    475 subscan[usrsub[i][j]].cfg|=SUB_CFG_YSCAN;
    476 else
    477 subscan[usrsub[i][j]].cfg&=~SUB_CFG_YSCAN;

    ** CID 530511: (INTEGER_OVERFLOW)
    /websrvr.c: 706 in sess_sendbuf()
    /websrvr.c: 719 in sess_sendbuf()


    ________________________________________________________________________________________________________
    *** CID 530511: (INTEGER_OVERFLOW)
    /websrvr.c: 706 in sess_sendbuf()
    700 }
    701 else
    702 *failed=true;
    703 result = tls_sent;
    704 }
    705 else {
    CID 530511: (INTEGER_OVERFLOW)
    "len - sent", which might have underflowed, is passed to "send(session->socket, buf + sent, len - sent, 0)".
    706 result=sendsocket(session->socket,buf+sent,len-sent);
    707 if(result==SOCKET_ERROR) {
    708 if(SOCKET_ERRNO==ECONNRESET)
    709 lprintf(LOG_NOTICE,"%04d Connection reset by peer on send",session->socket);
    710 else if(SOCKET_ERRNO==ECONNABORTED)
    711 lprintf(LOG_NOTICE,"%04d Connection aborted by peer on send",session->socket);
    /websrvr.c: 719 in sess_sendbuf()
    713 else if(SOCKET_ERRNO==EPIPE)
    714 lprintf(LOG_NOTICE,"%04d Unable to send to peer",session->socket);
    715 #endif
    716 else if(session->socket != INVALID_SOCKET)
    717 lprintf(LOG_WARNING,"%04d !ERROR %d sending on socket",session->socket,SOCKET_ERRNO);
    718 *failed=true;
    CID 530511: (INTEGER_OVERFLOW)
    "sent", which might have underflowed, is returned from the function.
    719 return(sent);
    720 }
    721 }
    722 }
    723 else {
    724 lprintf(LOG_WARNING,"%04d Timeout waiting for socket to become writable",session->socket);

    ** CID 530509: (INTEGER_OVERFLOW)
    /getstr.cpp: 338 in sbbs_t::getstr(char *, unsigned long, int, char **)()
    /getstr.cpp: 482 in sbbs_t::getstr(char *, unsigned long, int, char **)()
    /getstr.cpp: 427 in sbbs_t::getstr(char *, unsigned long, int, char **)()
    /getstr.cpp: 617 in sbbs_t::getstr(char *, unsigned long, int, char **)()


    ________________________________________________________________________________________________________
    *** CID 530509: (INTEGER_OVERFLOW)
    /getstr.cpp: 338 in sbbs_t::getstr(char *, unsigned long, int, char **)()
    332 l=strlen(strout);
    333 if(mode&K_NOECHO)
    334 return(l);
    335 if(mode&K_MSG)
    336 redrwstr(strout,i,l,K_MSG);
    337 else {
    CID 530509: (INTEGER_OVERFLOW)
    Expression "i--", where "i" is known to be equal to 0, underflows the type of "i--", which is type "size_t".
    338 while(i--)
    339 bputs("\b");
    340 bputs(strout);
    341 if(mode&K_LINE)
    342 attr(LIGHTGRAY);
    343 }
    /getstr.cpp: 482 in sbbs_t::getstr(char *, unsigned long, int, char **)()
    476 if(history != NULL) {
    477 if(history[hidx + 1] == NULL) {
    478 outchar(BEL);
    479 break;
    480 }
    481 hidx++;
    CID 530509: (INTEGER_OVERFLOW)
    Expression "i--", where "i" is known to be equal to 0, underflows the type of "i--", which is type "size_t".
    482 while(i--)
    483 backspace();
    484 SAFECOPY(str1, history[hidx]);
    485 i=l=strlen(str1);
    486 rputs(str1);
    487 cleartoeol();
    /getstr.cpp: 427 in sbbs_t::getstr(char *, unsigned long, int, char **)()
    421 }
    422 i=0;
    423 console|=CON_DELETELINE;
    424 break;
    425 case CTRL_Z: /* Undo */
    426 if(!(mode&K_NOECHO)) {
    CID 530509: (INTEGER_OVERFLOW)
    Expression "i--", where "i" is known to be equal to 0, underflows the type of "i--", which is type "size_t".
    427 while(i--)
    428 backspace();
    429 }
    430 SAFECOPY(str1,undo);
    431 i=l=strlen(str1);
    432 rputs(str1);
    /getstr.cpp: 617 in sbbs_t::getstr(char *, unsigned long, int, char **)()
    611 }
    612 getstr_offset=i;
    613 if(!online)
    614 return(0);
    615 if(i>l)
    616 l=i;
    CID 530509: (INTEGER_OVERFLOW)
    "l", which might have underflowed, is passed to "str1[l]".
    617 str1[l]=0;
    618 if(!(sys_status&SS_ABORT)) {
    619 strcpy(strout,str1);
    620 if(mode&K_TRIM)
    621 truncsp(strout);
    622 if((strip_invalid_attr(strout) || (console&CON_INSERT)) && !(mode&K_NOECHO))

    ** CID 530506: Concurrent data access violations (MISSING_LOCK)
    /ssl.c: 640 in destroy_session()


    ________________________________________________________________________________________________________
    *** CID 530506: Concurrent data access violations (MISSING_LOCK)
    /ssl.c: 640 in destroy_session()
    634 while (sess != NULL) {
    635 if (sess->sess == csess) {
    636 if (psess == NULL) {
    637 sess_list = sess->next;
    638 }
    639 else {
    CID 530506: Concurrent data access violations (MISSING_LOCK)
    Accessing "psess->next" without holding lock "ssl_cert_list_mutex". Elsewhere, "cert_list.next" is written to with "ssl_cert_list_mutex" held 2 out of 4 times (2 of these accesses strongly imply that it is necessary).
    640 psess->next = sess->next;
    641 }
    642 break;
    643 }
    644 psess = sess;
    645 sess = sess->next;

    ** CID 530505: Resource leaks (RESOURCE_LEAK)
    /bulkmail.cpp: 177 in sbbs_t::bulkmailhdr(smb_t *, smbmsg_t *, unsigned int)()


    ________________________________________________________________________________________________________
    *** CID 530505: Resource leaks (RESOURCE_LEAK)
    /bulkmail.cpp: 177 in sbbs_t::bulkmailhdr(smb_t *, smbmsg_t *, unsigned int)()
    171
    172 user.number=usernum;
    173 if(getuserdat(&cfg, &user)!=0)
    174 return(0);
    175
    176 if((i=smb_copymsgmem(NULL,&newmsg,msg))!=SMB_SUCCESS)
    CID 530505: Resource leaks (RESOURCE_LEAK)
    Variable "newmsg" going out of scope leaks the storage "newmsg.hfield_dat" points to.
    177 return(i);
    178
    179 SAFECOPY(str,user.alias);
    180 smb_hfield_str(&newmsg,RECIPIENT,str);
    181
    182 if(cfg.sys_misc&SM_FWDTONET && user.misc&NETMAIL && user.netmail[0]) {

    ** CID 530504: Insecure data handling (INTEGER_OVERFLOW)
    /websrvr.c: 6476 in read_post_data()


    ________________________________________________________________________________________________________
    *** CID 530504: Insecure data handling (INTEGER_OVERFLOW)
    /websrvr.c: 6476 in read_post_data()
    6470 return(false);
    6471 }
    6472 }
    6473 else {
    6474 /* realloc() to new size */
    6475 /* FREE()d in close_request */
    CID 530504: Insecure data handling (INTEGER_OVERFLOW)
    "s", which might have underflowed, is passed to "realloc(session->req.post_data, s)".
    6476 p=realloc(session->req.post_data, s);
    6477 if(p==NULL) {
    6478 errprintf(LOG_CRIT, WHERE, "%04d !ERROR Allocating %lu bytes of memory",session->socket, (ulong)session->req.post_len);
    6479 send_error(session,__LINE__,"413 Request entity too large");
    6480 FCLOSE_OPEN_FILE(fp);
    6481 return(false);

    ** CID 530501: Resource leaks (RESOURCE_LEAK)
    /js_socket.c: 3239 in js_connected_socket_constructor()


    ________________________________________________________________________________________________________
    *** CID 530501: Resource leaks (RESOURCE_LEAK)
    /js_socket.c: 3239 in js_connected_socket_constructor()
    3233
    3234 dbprintf(false, p, "object constructed");
    3235 return(JS_TRUE);
    3236
    3237 fail:
    3238 if (p)
    CID 530501: Resource leaks (RESOURCE_LEAK)
    Freeing "p" without freeing its handle field "sock" leaks the handle.
    3239 free(p);
    3240 if (protocol)
    3241 free(protocol);
    3242 if (host)
    3243 free(host);
    3244 return JS_FALSE;

    ** CID 530500: Control flow issues (DEADCODE)
    /tmp/sbbs-Jan-12-2025/src/xpdev/xpsem.c: 62 in xp_sem_init()


    ________________________________________________________________________________________________________
    *** CID 530500: Control flow issues (DEADCODE)
    /tmp/sbbs-Jan-12-2025/src/xpdev/xpsem.c: 62 in xp_sem_init()
    56 errno = EPERM;
    57 retval = -1;
    58 goto RETURN;
    59 }
    60
    61 if (value > XP_SEM_VALUE_MAX) {
    CID 530500: Control flow issues (DEADCODE)
    Execution cannot reach this statement: "*__errno_location() = 22;".
    62 errno = EINVAL;
    63 retval = -1;
    64 goto RETURN;
    65 }
    66
    67 *sem = (xp_sem_t)malloc(sizeof(struct xp_sem));

    ** CID 530498: Resource leaks (RESOURCE_LEAK)
    /js_socket.c: 3413 in js_listening_socket_constructor()


    ________________________________________________________________________________________________________
    *** CID 530498: Resource leaks (RESOURCE_LEAK)
    /js_socket.c: 3413 in js_listening_socket_constructor()
    3407 return(JS_FALSE);
    3408 }
    3409
    3410 if(!js_DefineSocketOptionsArray(cx, obj, type)) {
    3411 free(p);
    3412 free(set);
    CID 530498: Resource leaks (RESOURCE_LEAK)
    Variable "protocol" going out of scope leaks the storage it points to.
    3413 return(JS_FALSE);
    3414 }
    3415
    3416 #ifdef BUILD_JSDOCS
    3417 js_DescribeSyncObject(cx,obj,"Class used for incoming TCP/IP socket communications",317);
    3418 js_DescribeSyncConstructor(cx,obj,"To create a new ListeningSocket object: "


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


    --- SBBSecho 3.23-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From scan-admin@coverity.com@1:103/705 to cov-scan@synchro.net on Wednesday, January 15, 2025 13:44:28
    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    1 new defect(s) introduced to Synchronet found with Coverity Scan.


    New defect(s) Reported-by: Coverity Scan
    Showing 1 of 1 defect(s)


    ** CID 530828: Possible Control flow issues (DEADCODE)
    /load_cfg.c: 147 in load_cfg()


    ________________________________________________________________________________________________________
    *** CID 530828: Possible Control flow issues (DEADCODE)
    /load_cfg.c: 147 in load_cfg()
    141 free(text[n]);
    142 text[n] = strdup(list[i]->value);
    143 }
    144 iniFreeNamedStringList(list);
    145 iniFreeStringList(ini);
    146 if (!success)
    CID 530828: Possible Control flow issues (DEADCODE)
    Execution cannot reach this statement: "return false;".
    147 return false;
    148 }
    149
    150 cfg->text = text;
    151 }
    152


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


    --- SBBSecho 3.23-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From scan-admin@coverity.com@1:103/705 to cov-scan@synchro.net on Monday, January 20, 2025 16:22:38
    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    1 new defect(s) introduced to Synchronet found with Coverity Scan.
    3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

    New defect(s) Reported-by: Coverity Scan
    Showing 1 of 1 defect(s)


    ** CID 530902: (CHECKED_RETURN)
    /useredit.cpp: 745 in sbbs_t::user_config(user_t *)()
    /useredit.cpp: 740 in sbbs_t::user_config(user_t *)()


    ________________________________________________________________________________________________________
    *** CID 530902: (CHECKED_RETURN)
    /useredit.cpp: 745 in sbbs_t::user_config(user_t *)()
    739 exec_bin(cmdline, &main_csi);
    740 getuserdat(&cfg, user);
    741 return;
    742 }
    743 while (online) {
    744 CLS;
    CID 530902: (CHECKED_RETURN)
    Calling "getuserdat" without checking return value (as is done elsewhere 83 out of 98 times).
    745 getuserdat(&cfg, user);
    746 bprintf(text[UserDefaultsHdr], user->alias, user->number);
    747 if (user == &useron) {
    748 update_nodeterm();
    749 load_user_text();
    750 }
    /useredit.cpp: 740 in sbbs_t::user_config(user_t *)()
    734
    735 action = NODE_DFLT;
    736 if (cfg.usercfg_mod[0]) {
    737 char cmdline[256];
    738 snprintf(cmdline, sizeof(cmdline), "%s %u", cfg.usercfg_mod, user->number);
    739 exec_bin(cmdline, &main_csi);
    CID 530902: (CHECKED_RETURN)
    Calling "getuserdat" without checking return value (as is done elsewhere 83 out of 98 times).
    740 getuserdat(&cfg, user);
    741 return;
    742 }
    743 while (online) {
    744 CLS;
    745 getuserdat(&cfg, user);


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


    --- SBBSecho 3.23-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From scan-admin@coverity.com@1:103/705 to All on Sunday, March 30, 2025 13:06:10
    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    5 new defect(s) introduced to Synchronet found with Coverity Scan.
    6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

    New defect(s) Reported-by: Coverity Scan
    Showing 5 of 5 defect(s)


    ** CID 548252: Error handling issues (NEGATIVE_RETURNS)
    /writemsg.cpp: 709 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)()


    ________________________________________________________________________________________________________
    *** CID 548252: Error handling issues (NEGATIVE_RETURNS)
    /writemsg.cpp: 709 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)()
    703 buf[0] = 0;
    704 if (linesquoted || draft_restored) {
    705 if ((file = nopen(msgtmp, O_RDONLY)) != -1) {
    706 length = (long)filelength(file);
    707 l = length > (int)(cfg.level_linespermsg[useron_level] * MAX_LINE_LEN) - 1
    708 ? (cfg.level_linespermsg[useron_level] * MAX_LINE_LEN) - 1 : length;
    CID 548252: Error handling issues (NEGATIVE_RETURNS)
    "l" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
    709 if (read(file, buf, l) != l)
    710 l = 0;
    711 buf[l] = 0;
    712 close(file);
    713 // remove(msgtmp);
    714 }

    ** CID 548251: Incorrect expression (SIZEOF_MISMATCH)
    /xtrn.cpp: 1621 in sbbs_t::external(const char *, int, const char *)()


    ________________________________________________________________________________________________________
    *** CID 548251: Incorrect expression (SIZEOF_MISMATCH)
    /xtrn.cpp: 1621 in sbbs_t::external(const char *, int, const char *)()
    1615 return -1;
    1616 }
    1617
    1618 if ((mode & EX_STDIO) == EX_STDIO) {
    1619 struct winsize winsize;
    1620 struct termios termio;
    CID 548251: Incorrect expression (SIZEOF_MISMATCH)
    Passing argument "&termio" of type "termios *" and argument "8UL" ("sizeof (this->term)") to function "memset" is suspicious because "sizeof (termios) /*60*/" is expected.
    1621 memset(&termio, 0, sizeof(term));
    1622 cfsetispeed(&termio, B19200);
    1623 cfsetospeed(&termio, B19200);
    1624 if (mode & EX_BIN)
    1625 cfmakeraw(&termio);
    1626 else {

    ** CID 548250: Control flow issues (NO_EFFECT)
    /terminal.cpp: 31 in Terminal::scroll_hotspots(unsigned int)()


    ________________________________________________________________________________________________________
    *** CID 548250: Control flow issues (NO_EFFECT)
    /terminal.cpp: 31 in Terminal::scroll_hotspots(unsigned int)()
    25 unsigned spots = 0;
    26 unsigned remain = 0;
    27 for (list_node_t* node = mouse_hotspots->first; node != NULL; node = node->next) {
    28 struct mouse_hotspot* spot = (struct mouse_hotspot*)node->data;
    29 spot->y -= count;
    30 spots++;
    CID 548250: Control flow issues (NO_EFFECT)
    This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "spot->y >= 0U".
    31 if (spot->y >= 0)
    32 remain++;
    33 }
    34 #ifdef _DEBUG
    35 if (spots)
    36 sbbs->lprintf(LOG_DEBUG, "Scrolled %u mouse hot-spots %u rows (%u remain)", spots, count, remain);

    ** CID 548249: (DEADCODE)
    /useredit.cpp: 89 in sbbs_t::useredit(int)()
    /useredit.cpp: 89 in sbbs_t::useredit(int)()


    ________________________________________________________________________________________________________
    *** CID 548249: (DEADCODE)
    /useredit.cpp: 89 in sbbs_t::useredit(int)()
    83 SAFEPRINTF2(user_pass, "%.*s..", (int)(max_len - 2), user.pass);
    84 bprintf(text[UeditAliasPassword]
    85 , user.alias
    86 , datestr(user.pwmod, tmp)
    87 , (user.level > useron.level || !(cfg.sys_misc & SM_ECHO_PW)) ? "<hidden>" : user_pass
    88 );
    CID 548249: (DEADCODE)
    Execution cannot reach the expression ""XXXXXXXX"" inside this statement: "this->bprintf(this->text[Ue...".
    89 bprintf(text[UeditRealNamePhone]
    90 , user.level > useron.level && console & CON_R_ECHO
    91 ? "XXXXXXXX" : user.name
    92 , user.level > useron.level && console & CON_R_ECHO
    93 ? "XXX-XXX-XXXX" : user.phone);
    94 bprintf(text[UeditAddressBirthday]
    /useredit.cpp: 89 in sbbs_t::useredit(int)()
    83 SAFEPRINTF2(user_pass, "%.*s..", (int)(max_len - 2), user.pass);
    84 bprintf(text[UeditAliasPassword]
    85 , user.alias
    86 , datestr(user.pwmod, tmp)
    87 , (user.level > useron.level || !(cfg.sys_misc & SM_ECHO_PW)) ? "<hidden>" : user_pass
    88 );
    CID 548249: (DEADCODE)
    Execution cannot reach the expression ""XXX-XXX-XXXX"" inside this statement: "this->bprintf(this->text[Ue...".
    89 bprintf(text[UeditRealNamePhone]
    90 , user.level > useron.level && console & CON_R_ECHO
    91 ? "XXXXXXXX" : user.name
    92 , user.level > useron.level && console & CON_R_ECHO
    93 ? "XXX-XXX-XXXX" : user.phone);
    94 bprintf(text[UeditAddressBirthday]

    ** CID 548248: Error handling issues (CHECKED_RETURN)
    /writemsg.cpp: 1836 in sbbs_t::movemsg(smbmsg_t *, int)()


    ________________________________________________________________________________________________________
    *** CID 548248: Error handling issues (CHECKED_RETURN)
    /writemsg.cpp: 1836 in sbbs_t::movemsg(smbmsg_t *, int)()
    1830 length = smb_getmsgdatlen(msg);
    1831 if ((buf = (char *)malloc(length)) == NULL) {
    1832 errormsg(WHERE, ERR_ALLOC, smb.file, length);
    1833 return false;
    1834 }
    1835
    CID 548248: Error handling issues (CHECKED_RETURN)
    Calling "fseek(this->smb.sdt_fp, msg->hdr.offset, 0)" without checking return value. This library function may fail and return an error code.
    1836 fseek(smb.sdt_fp, msg->hdr.offset, SEEK_SET);
    1837 if (fread(buf, length, 1, smb.sdt_fp) != 1) {
    1838 free(buf);
    1839 errormsg(WHERE, ERR_READ, smb.file, length);
    1840 return false;
    1841 }


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


    --- SBBSecho 3.24-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)