BBS:      TELESC.NET.BR
Assunto:  New Defects reported by Coverity Scan for Synchronet
De:       scan-admin@coverity.com
Data:     Sat, 25 Apr 2026 12:52:12 +0000
-----------------------------------------------------------
Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

15 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 15 of 15 defect(s)


** CID 645808:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645808:           (TAINTED_SCALAR)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 424             in s_id_str_str()
418     {
419     	bool ret;
420     	sftp_str_t str1;
421     	sftp_str_t str2;
422
423     	state->priv->id = get32(state->priv->rxp);
>>>     CID 645808:           (TAINTED_SCALAR)
>>>     Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
424     	str1 = getcstring(state);
425     	if (str1 == NULL) {
426     		sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
427     		    "id_str_str: first getcstring failed");
428     		return false;
429     	}
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 424             in s_id_str_str()
418     {
419     	bool ret;
420     	sftp_str_t str1;
421     	sftp_str_t str2;
422
423     	state->priv->id = get32(state->priv->rxp);
>>>     CID 645808:           (TAINTED_SCALAR)
>>>     Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
424     	str1 = getcstring(state);
425     	if (str1 == NULL) {
426     		sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
427     		    "id_str_str: first getcstring failed");
428     		return false;
429     	}

** CID 645807:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645807:           (TAINTED_SCALAR)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 727             in sftps_recv()
721     		}
722     		if (!handled) {
723     			lprintf(state, SSH_FX_FAILURE, "Unhandled request type: %s (%d)",
724     			    sftp_get_type_name(state->priv->rxp->type),
725     			    state->priv->rxp->type);
726     			state->priv->id = get32(state->priv->rxp);
>>>     CID 645807:           (TAINTED_SCALAR)
>>>     Passing tainted expression "state->priv" to "sftps_send_error", which uses it as an allocation size.
727     			if (!sftps_send_error(state, SSH_FX_OP_UNSUPPORTED,
728     			                      "Operation not implemented", out))
729     				return server_exit(state, false);
730     		}
731     		remove_packet(state->priv->rxp);
732     	}
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 706             in sftps_recv()
700     					handled = true;
701     				}
702     				break;
703     			case SSH_FXP_EXTENDED:
704     				if (state->version >= 3 && state->extended) {
705     					state->priv->id = get32(state->priv->rxp);
>>>     CID 645807:           (TAINTED_SCALAR)
>>>     Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
706     					sftp_str_t request = getcstring(state);
707     					if (request == NULL) {
708     						sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
709     						    "EXTENDED: request getcstring failed");
710     						return server_exit(state, false);
711     					}
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 727             in sftps_recv()
721     		}
722     		if (!handled) {
723     			lprintf(state, SSH_FX_FAILURE, "Unhandled request type: %s (%d)",
724     			    sftp_get_type_name(state->priv->rxp->type),
725     			    state->priv->rxp->type);
726     			state->priv->id = get32(state->priv->rxp);
>>>     CID 645807:           (TAINTED_SCALAR)
>>>     Passing tainted expression "state->priv" to "sftps_send_error", which uses it as an offset.
727     			if (!sftps_send_error(state, SSH_FX_OP_UNSUPPORTED,
728     			                      "Operation not implemented", out))
729     				return server_exit(state, false);
730     		}
731     		remove_packet(state->priv->rxp);
732     	}
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 706             in sftps_recv()
700     					handled = true;
701     				}
702     				break;
703     			case SSH_FXP_EXTENDED:
704     				if (state->version >= 3 && state->extended) {
705     					state->priv->id = get32(state->priv->rxp);
>>>     CID 645807:           (TAINTED_SCALAR)
>>>     Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
706     					sftp_str_t request = getcstring(state);
707     					if (request == NULL) {
708     						sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
709     						    "EXTENDED: request getcstring failed");
710     						return server_exit(state, false);
711     					}

** CID 645806:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645806:           (TAINTED_SCALAR)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 361             in s_id_str_attr()
355     {
356     	bool ret;
357     	sftp_str_t str;
358     	sftp_file_attr_t attrs;
359
360     	state->priv->id = get32(state->priv->rxp);
>>>     CID 645806:           (TAINTED_SCALAR)
>>>     Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
361     	str = getcstring(state);
362     	if (str == NULL) {
363     		sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
364     		    "id_str_attr: getcstring failed");
365     		return false;
366     	}
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 361             in s_id_str_attr()
355     {
356     	bool ret;
357     	sftp_str_t str;
358     	sftp_file_attr_t attrs;
359
360     	state->priv->id = get32(state->priv->rxp);
>>>     CID 645806:           (TAINTED_SCALAR)
>>>     Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
361     	str = getcstring(state);
362     	if (str == NULL) {
363     		sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
364     		    "id_str_attr: getcstring failed");
365     		return false;
366     	}

** CID 645805:       Insecure data handling  (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645805:         Insecure data handling  (TAINTED_SCALAR)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 261             in getstring()
255     	uint32_t sz = get32(pkt);
256     	/* Does `sz` bytes fit in the remaining allocation past cur? */
257     	if ((size_t)pkt->cur + offsetof(struct sftp_rx_pkt, data) + sz > pkt->sz) {
258     		pkt->cur = saved_cur;
259     		return NULL;
260     	}
>>>     CID 645805:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "sz" to "sftp_memdup", which uses it as an allocation size.
261     	sftp_str_t ret = sftp_memdup(&pkt->data[pkt->cur], sz);
262     	if (ret == NULL)
263     		pkt->cur = saved_cur;
264     	else
265     		pkt->cur += sz;
266     	return ret;

** CID 645804:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645804:           (TAINTED_SCALAR)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 142             in s_open()
136     	bool ret;
137     	sftp_str_t fname;
138     	uint32_t flags;
139     	sftp_file_attr_t attrs;
140
141     	state->priv->id = get32(state->priv->rxp);
>>>     CID 645804:           (TAINTED_SCALAR)
>>>     Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
142     	fname = getcstring(state);
143     	if (fname == NULL) {
144     		sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
145     		    "OPEN: filename getcstring failed");
146     		return false;
147     	}
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 142             in s_open()
136     	bool ret;
137     	sftp_str_t fname;
138     	uint32_t flags;
139     	sftp_file_attr_t attrs;
140
141     	state->priv->id = get32(state->priv->rxp);
>>>     CID 645804:           (TAINTED_SCALAR)
>>>     Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
142     	fname = getcstring(state);
143     	if (fname == NULL) {
144     		sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
145     		    "OPEN: filename getcstring failed");
146     		return false;
147     	}

** CID 645803:         (TAINTED_SCALAR)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 211           in extract_packet()
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 217           in extract_packet()


_____________________________________________________________________________________________
*** CID 645803:           (TAINTED_SCALAR)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 211             in extract_packet()
205     extract_packet(sftp_rx_pkt_t stream)
206     {
207     	if (!stream || !have_full_pkt(stream))
208     		return NULL;
209     	uint32_t sz = pkt_sz(stream);
210     	size_t alloc_sz = offsetof(struct sftp_rx_pkt, len) + sizeof(uint32_t) + sz;
>>>     CID 645803:           (TAINTED_SCALAR)
>>>     Passing tainted expression "alloc_sz" to "malloc", which uses it as an allocation size.
211     	sftp_rx_pkt_t out = (sftp_rx_pkt_t)malloc(alloc_sz);
212     	if (out == NULL)
213     		return NULL;
214     	out->cur = 0;
215     	out->sz = alloc_sz;
216     	out->used = sizeof(uint32_t) + sz;
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 217             in extract_packet()
211     	sftp_rx_pkt_t out = (sftp_rx_pkt_t)malloc(alloc_sz);
212     	if (out == NULL)
213     		return NULL;
214     	out->cur = 0;
215     	out->sz = alloc_sz;
216     	out->used = sizeof(uint32_t) + sz;
>>>     CID 645803:           (TAINTED_SCALAR)
>>>     Passing tainted expression "out->used" to "memcpy", which uses it as an offset.
217     	memcpy(&out->len, &stream->len, out->used);
218     	remove_packet(stream);
219     	return out;
220     }
221
222     #define GET_FUNC_BODY                                                            \

** CID 645802:       Insecure data handling  (TAINTED_SCALAR)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 85           in getcstring()


_____________________________________________________________________________________________
*** CID 645802:         Insecure data handling  (TAINTED_SCALAR)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 85             in getcstring()
79     static sftp_str_t
80     getcstring(sftps_state_t state)
81     {
82     	sftp_str_t str = getstring(state->priv->rxp);
83     	if (str == NULL)
84     		return NULL;
>>>     CID 645802:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "str->len" to "memchr", which uses it as an offset.
85     	if (memchr(str->c_str, 0, str->len) != NULL) {
86     		free_sftp_str(str);
87     		return NULL;
88     	}
89     	return str;
90     }

** CID 645801:       Insecure data handling  (TAINTED_SCALAR)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 103           in init()


_____________________________________________________________________________________________
*** CID 645801:         Insecure data handling  (TAINTED_SCALAR)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 103             in init()
97     		state->version = SFTP_VERSION;
98     	/* Intersect client's advertised extensions with the ones we support.
99     	 * The result is what we enable for this session AND what we echo
100     	 * back to the client in VERSION. */
101     	state->extensions = 0;
102     	uint32_t payload_len = pkt_sz(state->priv->rxp) - 1;
>>>     CID 645801:         Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "payload_len" as a loop boundary.
103     	while (state->priv->rxp->cur + sizeof(uint32_t) <= payload_len) {
104     		sftp_str_t ext_name = getstring(state->priv->rxp);
105     		sftp_str_t ext_data = getstring(state->priv->rxp);
106     		if (ext_name == NULL || ext_data == NULL) {
107     			free_sftp_str(ext_name);
108     			free_sftp_str(ext_data);

** CID 645800:         (TAINTED_SCALAR)
/sftp.cpp: 2184           in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
/sftp.cpp: 2190           in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()


_____________________________________________________________________________________________
*** CID 645800:           (TAINTED_SCALAR)
/sftp.cpp: 2184             in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
2178     	if (request->len == nlen &&
2179     	    memcmp(request->c_str, SFTP_EXT_NAME_DESCS, nlen) == 0) {
2180     		sftp_str_t path = sftp_rx_get_string(pkt);
2181     		if (path == nullptr)
2182     			return sftps_send_error(sbbs->sftp_state,
2183     			    SSH_FX_BAD_MESSAGE, "Missing path", nullptr);
>>>     CID 645800:           (TAINTED_SCALAR)
>>>     Passing tainted expression "path->len + 1U" to "malloc", which uses it as an allocation size.
2184     		char *cpath = (char *)malloc(path->len + 1);
2185     		if (cpath == nullptr) {
2186     			free_sftp_str(path);
2187     			return sftps_send_error(sbbs->sftp_state,
2188     			    SSH_FX_FAILURE, "Out of memory", nullptr);
2189     		}
/sftp.cpp: 2190             in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
2184     		char *cpath = (char *)malloc(path->len + 1);
2185     		if (cpath == nullptr) {
2186     			free_sftp_str(path);
2187     			return sftps_send_error(sbbs->sftp_state,
2188     			    SSH_FX_FAILURE, "Out of memory", nullptr);
2189     		}
>>>     CID 645800:           (TAINTED_SCALAR)
>>>     Passing tainted expression "path->len" to "memcpy", which uses it as an offset.
2190     		memcpy(cpath, path->c_str, path->len);
2191     		cpath[path->len] = '\0';
2192     		free_sftp_str(path);
2193     		sbbs->lprintf(LOG_DEBUG, "SFTP descs(%s)", cpath);
2194     		bool ret = sftp_ext_descs(sbbs, cpath);
2195     		free(cpath);

** CID 645799:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645799:           (TAINTED_SCALAR)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 315             in s_id_str()
309              struct sftps_outcome *out)
310     {
311     	bool ret;
312     	sftp_str_t str;
313
314     	state->priv->id = get32(state->priv->rxp);
>>>     CID 645799:           (TAINTED_SCALAR)
>>>     Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
315     	str = getcstring(state);
316     	if (str == NULL) {
317     		sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
318     		    "id_str: getcstring failed");
319     		return false;
320     	}
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 315             in s_id_str()
309              struct sftps_outcome *out)
310     {
311     	bool ret;
312     	sftp_str_t str;
313
314     	state->priv->id = get32(state->priv->rxp);
>>>     CID 645799:           (TAINTED_SCALAR)
>>>     Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
315     	str = getcstring(state);
316     	if (str == NULL) {
317     		sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
318     		    "id_str: getcstring failed");
319     		return false;
320     	}

** CID 645798:       Concurrent data access violations  (MISSING_LOCK)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 69           in server_exit()


_____________________________________________________________________________________________
*** CID 645798:         Concurrent data access violations  (MISSING_LOCK)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 69             in server_exit()
63     }
64
65     static bool
66     server_exit(sftps_state_t state, bool retval)
67     {
68     	assert(state->priv->running > 0);
>>>     CID 645798:         Concurrent data access violations  (MISSING_LOCK)
>>>     Accessing "state->priv->running" without holding lock "sftp_server_state_private.mtx". Elsewhere, "sftp_server_state_private.running" is written to with "sftp_server_state_private.mtx" held 1 out of 2 times (1 of these accesses strongly imply that it is necessary).
69     	state->priv->running--;
70     	pthread_mutex_unlock(&state->priv->mtx);
71     	return retval;
72     }
73
74     /*

** CID 645797:       Insecure data handling  (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645797:         Insecure data handling  (TAINTED_SCALAR)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 190             in parse_status()
184     	if (reply->type != SSH_FXP_STATUS)
185     		return false;
186     	uint32_t code = get32(reply);
187     	if (out != NULL)
188     		out->result = code;
189     	sftp_str_t msg = getstring(reply);
>>>     CID 645797:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "reply->cur" to "getstring", which uses it as an offset.
190     	sftp_str_t lang = getstring(reply);
191     	if (msg != NULL && msg->len > 0) {
192     		sftpc_outcome_reply(out,
193     		    (const char *)msg->c_str, msg->len,
194     		    lang ? (const char *)lang->c_str : "",
195     		    lang ? lang->len : 0);

** CID 645796:       Integer handling issues  (INTEGER_OVERFLOW)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 102           in init()


_____________________________________________________________________________________________
*** CID 645796:         Integer handling issues  (INTEGER_OVERFLOW)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 102             in init()
96     	if (state->version > SFTP_VERSION)
97     		state->version = SFTP_VERSION;
98     	/* Intersect client's advertised extensions with the ones we support.
99     	 * The result is what we enable for this session AND what we echo
100     	 * back to the client in VERSION. */
101     	state->extensions = 0;
>>>     CID 645796:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "pkt_sz(state->priv->rxp) - 1U", where "pkt_sz(state->priv->rxp)" is known to be equal to 0, underflows the type of "pkt_sz(state->priv->rxp) - 1U", which is type "unsigned int".
102     	uint32_t payload_len = pkt_sz(state->priv->rxp) - 1;
103     	while (state->priv->rxp->cur + sizeof(uint32_t) <= payload_len) {
104     		sftp_str_t ext_name = getstring(state->priv->rxp);
105     		sftp_str_t ext_data = getstring(state->priv->rxp);
106     		if (ext_name == NULL || ext_data == NULL) {
107     			free_sftp_str(ext_name);

** CID 645795:       Concurrent data access violations  (MISSING_LOCK)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 87           in client_exit()


_____________________________________________________________________________________________
*** CID 645795:         Concurrent data access violations  (MISSING_LOCK)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 87             in client_exit()
81     }
82
83     static bool
84     client_exit(sftpc_state_t state, bool retval)
85     {
86     	assert(state->running > 0);
>>>     CID 645795:         Concurrent data access violations  (MISSING_LOCK)
>>>     Accessing "state->running" without holding lock "sftp_client_state.mtx". Elsewhere, "sftp_client_state.running" is written to with "sftp_client_state.mtx" held 1 out of 2 times (1 of these accesses strongly imply that it is necessary).
87     	state->running--;
88     	pthread_mutex_unlock(&state->mtx);
89     	return retval;
90     }
91
92     /* Pending-list helpers; state->mtx must be held. */

** CID 645794:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645794:           (TAINTED_SCALAR)
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 338             in getfattr()
332     		 */
333     		extcnt &= 0x3FFFFFFF;
334     		for (ext = 0; ext < extcnt; ext++) {
335     			sftp_str_t type = getstring(pkt);
336     			if (type == NULL)
337     				break;
>>>     CID 645794:           (TAINTED_SCALAR)
>>>     Passing tainted expression "pkt->cur" to "getstring", which uses it as an offset.
338     			sftp_str_t data = getstring(pkt);
339     			if (data == NULL) {
340     				free_sftp_str(type);
341     				break;
342     			}
343     			if (!sftp_fattr_add_ext(&ret, type, data)) {
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 335             in getfattr()
329     		 * size of the buffer since getstring()
330     		 * will fail long before we reach extcnt if
331     		 * it has a maliciously high value.
332     		 */
333     		extcnt &= 0x3FFFFFFF;
334     		for (ext = 0; ext < extcnt; ext++) {
>>>     CID 645794:           (TAINTED_SCALAR)
>>>     Passing tainted expression "pkt->cur" to "getstring", which uses it as an offset.
335     			sftp_str_t type = getstring(pkt);
336     			if (type == NULL)
337     				break;
338     			sftp_str_t data = getstring(pkt);
339     			if (data == NULL) {
340     				free_sftp_str(type);
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 343             in getfattr()
337     				break;
338     			sftp_str_t data = getstring(pkt);
339     			if (data == NULL) {
340     				free_sftp_str(type);
341     				break;
342     			}
>>>     CID 645794:           (TAINTED_SCALAR)
>>>     Passing tainted expression "type->len" to "sftp_fattr_add_ext", which uses it as an allocation size.
343     			if (!sftp_fattr_add_ext(&ret, type, data)) {
344     				free_sftp_str(type);
345     				free_sftp_str(data);
346     				break;
347     			}
348     			free_sftp_str(type);
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 343             in getfattr()
337     				break;
338     			sftp_str_t data = getstring(pkt);
339     			if (data == NULL) {
340     				free_sftp_str(type);
341     				break;
342     			}
>>>     CID 645794:           (TAINTED_SCALAR)
>>>     Passing tainted expression "data->len" to "sftp_fattr_add_ext", which uses it as an allocation size.
343     			if (!sftp_fattr_add_ext(&ret, type, data)) {
344     				free_sftp_str(type);
345     				free_sftp_str(data);
346     				break;
347     			}
348     			free_sftp_str(type);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


---
 * Synchronet * Vertrauen  Home of Synchronet  [vert/cvs/bbs].synchro.net

-----------------------------------------------------------