BBS: TELESC.NET.BR
Assunto: New Defects reported by Coverity Scan for Synchronet
De: scan-admin@coverity.com
Data: Wed, 29 Apr 2026 13:42:50 +0000
-----------------------------------------------------------
Hi,
Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.
3 new defect(s) introduced to Synchronet found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)
** CID 645868: (TAINTED_SCALAR)
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 440 in parse_init()
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 438 in parse_init()
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 419 in parse_init()
_____________________________________________________________________________________________
*** CID 645868: (TAINTED_SCALAR)
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 440 in parse_init()
434 if (p->state->pubdir == NULL &&
435 ext_name->len == strlen(SFTP_EXT_NAME_PUBDIR) &&
436 memcmp(ext_name->c_str, SFTP_EXT_NAME_PUBDIR,
437 ext_name->len) == 0) {
438 char *s = malloc((size_t)ext_data->len + 1);
439 if (s != NULL) {
>>> CID 645868: (TAINTED_SCALAR)
>>> Passing tainted expression "ext_data->len" to "memcpy", which uses it as an offset.
440 memcpy(s, ext_data->c_str, ext_data->len);
441 s[ext_data->len] = '\0';
442 p->state->pubdir = s;
443 p->state->extensions |= SFTP_EXT_PUBDIR;
444 }
445 }
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 438 in parse_init()
432 * name and capture the data as a NUL-terminated C string,
433 * setting the bit explicitly. */
434 if (p->state->pubdir == NULL &&
435 ext_name->len == strlen(SFTP_EXT_NAME_PUBDIR) &&
436 memcmp(ext_name->c_str, SFTP_EXT_NAME_PUBDIR,
437 ext_name->len) == 0) {
>>> CID 645868: (TAINTED_SCALAR)
>>> Passing tainted expression "(size_t)ext_data->len + 1UL" to "malloc", which uses it as an allocation size.
438 char *s = malloc((size_t)ext_data->len + 1);
439 if (s != NULL) {
440 memcpy(s, ext_data->c_str, ext_data->len);
441 s[ext_data->len] = '\0';
442 p->state->pubdir = s;
443 p->state->extensions |= SFTP_EXT_PUBDIR;
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 421 in parse_init()
415 }
416 p->state->version = get32(reply);
417 p->state->extensions = 0;
418 uint32_t payload_len = pkt_sz(reply) - 1;
419 while (reply->cur + sizeof(uint32_t) <= payload_len) {
420 sftp_str_t ext_name = getstring(reply);
>>> CID 645868: (TAINTED_SCALAR)
>>> Passing tainted expression "reply->cur" to "getstring", which uses it as an offset.
421 sftp_str_t ext_data = getstring(reply);
422 if (ext_name == NULL || ext_data == NULL) {
423 free_sftp_str(ext_name);
424 free_sftp_str(ext_data);
425 break;
426 }
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 419 in parse_init()
413 sftp_get_type_name(reply->type));
414 return;
415 }
416 p->state->version = get32(reply);
417 p->state->extensions = 0;
418 uint32_t payload_len = pkt_sz(reply) - 1;
>>> CID 645868: (TAINTED_SCALAR)
>>> Using tainted variable "payload_len" as a loop boundary.
419 while (reply->cur + sizeof(uint32_t) <= payload_len) {
420 sftp_str_t ext_name = getstring(reply);
421 sftp_str_t ext_data = getstring(reply);
422 if (ext_name == NULL || ext_data == NULL) {
423 free_sftp_str(ext_name);
424 free_sftp_str(ext_data);
** CID 645867: Insecure data handling (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 645867: Insecure data handling (TAINTED_SCALAR)
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 123 in parse_status_into_pending()
117 {
118 sftp_rx_pkt_t reply = p->reply;
119 if (reply->type != SSH_FXP_STATUS)
120 return false;
121 p->result = get32(reply);
122 sftp_str_t msg = getstring(reply);
>>> CID 645867: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "reply->cur" to "getstring", which uses it as an offset.
123 sftp_str_t lang = getstring(reply);
124 if (msg != NULL && msg->len > 0) {
125 pending_record_reply(p,
126 (const char *)msg->c_str, msg->len,
127 lang ? (const char *)lang->c_str : "",
128 lang ? lang->len : 0);
** CID 645866: (TAINTED_SCALAR)
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 1144 in parse_readdir()
_____________________________________________________________________________________________
*** CID 645866: (TAINTED_SCALAR)
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 1144 in parse_readdir()
1138 if (reply->type == SSH_FXP_NAME) {
1139 uint32_t n = get32(reply);
1140 if (n == 0) {
1141 base->result = SSH_FX_OK;
1142 return;
1143 }
>>> CID 645866: (TAINTED_SCALAR)
>>> Passing tainted expression "n" to "calloc", which uses it as an allocation size.
1144 p->entries = calloc(n, sizeof(*p->entries));
1145 if (p->entries == NULL) {
1146 PENDING_RECORD(base, SFTP_ERR_OOM,
1147 "calloc(%" PRIu32 " entries) failed", n);
1148 return;
1149 }
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 1153 in parse_readdir()
1147 "calloc(%" PRIu32 " entries) failed", n);
1148 return;
1149 }
1150 for (uint32_t i = 0; i < n; i++) {
1151 p->entries[i].filename = getstring(reply);
1152 p->entries[i].longname = getstring(reply);
>>> CID 645866: (TAINTED_SCALAR)
>>> Passing tainted expression "reply->cur" to "getfattr", which uses it as an offset.
1153 p->entries[i].attrs = getfattr(reply);
1154 if (p->entries[i].filename == NULL ||
1155 p->entries[i].longname == NULL ||
1156 p->entries[i].attrs == NULL) {
1157 PENDING_RECORD(base, SFTP_ERR_REPLY_BAD_STRING,
1158 "getstring/getfattr failed at entry %"
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/synchronet?tab=overview
---
 * Synchronet * Vertrauen * Home of Synchronet * [vert/cvs/bbs].synchro.net
-----------------------------------------------------------