• New Defects reported by Coverity Scan for Synchronet

    From scan-admin@coverity.com@1:103/705 to All on Tue Mar 17 12:54:04 2026

    ----==_mimepart_69b94eebf2ddc_969e92cf51abf19a41186d
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    4 new defect(s) introduced to Synchronet found with Coverity Scan.


    New defect(s) Reported-by: Coverity Scan
    Showing 4 of 4 defect(s)


    ** CID 645010: Insecure data handling (INTEGER_OVERFLOW) /tmp/sbbs-Mar-17-2026/src/conio/wl_events.c: 1136 in ds_send()


    _____________________________________________________________________________________________
    *** CID 645010: Insecure data handling (INTEGER_OVERFLOW) /tmp/sbbs-Mar-17-2026/src/conio/wl_events.c: 1136 in ds_send()
    1130 {
    1131 assert_pthread_mutex_lock(&wl_copybuf_mutex);
    1132 if (wl_copybuf) {
    1133 size_t len = strlen(wl_copybuf);
    1134 size_t sent = 0;
    1135 while (sent < len) {
    CID 645010: Insecure data handling (INTEGER_OVERFLOW)
    "len - sent", which might have underflowed, is passed to "write(fd, wl_copybuf + sent, len - sent)".
    1136 ssize_t rv = write(fd, wl_copybuf + sent, len - sent);
    1137 if (rv <= 0)
    1138 break;
    1139 sent += rv;
    1140 }
    1141 }

    ** CID 645009: Insecure data handling (INTEGER_OVERFLOW) /tmp/sbbs-Mar-17-2026/src/conio/wl_events.c: 1459 in readev()


    _____________________________________________________________________________________________
    *** CID 645009: Insecure data handling (INTEGER_OVERFLOW) /tmp/sbbs-Mar-17-2026/src/conio/wl_events.c: 1459 in readev()
    1453 readev(struct wl_local_event *lev)
    1454 {
    1455 size_t got = 0;
    1456 char *buf = (char *)lev;
    1457
    1458 while (got < sizeof(*lev)) {
    CID 645009: Insecure data handling (INTEGER_OVERFLOW)
    "96UL - got", which might have underflowed, is passed to "read(wl_local_pipe[0], buf + got, 96UL - got)".
    1459 int rv = read(wl_local_pipe[0], buf + got, sizeof(*lev) - got);
    1460 if (rv > 0)
    1461 got += rv;
    1462 }
    1463 }
    1464

    ** CID 645008: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Mar-17-2026/src/conio/wl_cio.c: 243 in wl_copytext()


    _____________________________________________________________________________________________
    *** CID 645008: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Mar-17-2026/src/conio/wl_cio.c: 243 in wl_copytext()
    237
    238 assert_pthread_mutex_lock(&wl_copybuf_mutex);
    239 FREE_AND_NULL(wl_copybuf);
    240 wl_copybuf = strdup(text);
    241 assert_pthread_mutex_unlock(&wl_copybuf_mutex);
    242
    CID 645008: Concurrent data access violations (MISSING_LOCK) >>> Accessing "wl_copybuf" without holding lock "wl_copybuf_mutex". Elsewhere, "wl_copybuf" is written to with "wl_copybuf_mutex" held 2 out of 2 times.
    243 if (wl_copybuf) {
    244 ev.type = WL_LOCAL_COPY;
    245 write_event(&ev);
    246 }
    247 }
    248

    ** CID 645007: Program hangs (SLEEP)


    _____________________________________________________________________________________________
    *** CID 645007: Program hangs (SLEEP) /tmp/sbbs-Mar-17-2026/src/conio/ciolib.c: 2754 in ciolib_add_hyperlink()
    2748 }
    2749 }
    2750
    2751 /* Run GC if free list is empty */
    2752 if (hyperlink_free_head == 0)
    2753 hyperlink_gc();
    CID 645007: Program hangs (SLEEP)
    Call to "hyperlink_gc" might sleep while holding lock "hyperlink_mutex".
    2754
    2755 /* Still empty after GC table is full */
    2756 if (hyperlink_free_head == 0) {
    2757 pthread_mutex_unlock(&hyperlink_mutex);
    2758 return 0;
    2759 }


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/synchronet?tab=overview


    ----==_mimepart_69b94eebf2ddc_969e92cf51abf19a41186d
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="UTF-8">
    <title>New Defects Reported - Synchronet</title>
    </head>
    <body>
    <p>Hi,</p>

    <p>
    Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
    found with Coverity Scan.
    </p>

    <ul>
    <li><strong>New Defects Found:</strong> 4</li>
    <li><strong>Defects Shown:</strong> Showing 4 of 4 defect(s)</li>
    </ul>

    <h3>Defect Details</h3>
    <pre>
    ** CID 645010: Insecure data handling (INTEGER_OVERFLOW) /tmp/sbbs-Mar-17-2026/src/conio/wl_events.c: 1136 in ds_send()


    _____________________________________________________________________________________________
    *** CID 645010: Insecure data handling (INTEGER_OVERFLOW) /tmp/sbbs-Mar-17-2026/src/conio/wl_events.c: 1136 in ds_send()
    1130 {
    1131 assert_pthread_mutex_lock(&amp;wl_copybuf_mutex);
    1132 if (wl_copybuf) {
    1133 size_t len = strlen(wl_copybuf);
    1134 size_t sent = 0;
    1135 while (sent &lt; len) {
    &gt;&gt;&gt; CID 645010: Insecure data handling (INTEGER_OVERFLOW) &gt;&gt;&gt; &quot;len - sent&quot;, which might have underflowed, is passed to &quot;write(fd, wl_copybuf + sent, len - sent)&quot;.
    1136 ssize_t rv = write(fd, wl_copybuf + sent, len - sent);
    1137 if (rv &lt;= 0)
    1138 break;
    1139 sent += rv;
    1140 }
    1141 }

    ** CID 645009: Insecure data handling (INTEGER_OVERFLOW) /tmp/sbbs-Mar-17-2026/src/conio/wl_events.c: 1459 in readev()


    _____________________________________________________________________________________________
    *** CID 645009: Insecure data handling (INTEGER_OVERFLOW) /tmp/sbbs-Mar-17-2026/src/conio/wl_events.c: 1459 in readev()
    1453 readev(struct wl_local_event *lev)
    1454 {
    1455 size_t got = 0;
    1456 char *buf = (char *)lev;
    1457
    1458 while (got &lt; sizeof(*lev)) {
    &gt;&gt;&gt; CID 645009: Insecure data handling (INTEGER_OVERFLOW) &gt;&gt;&gt; &quot;96UL - got&quot;, which might have underflowed, is passed to &quot;read(wl_local_pipe[0], buf + got, 96UL - got)&quot;.
    1459 int rv = read(wl_local_pipe[0], buf + got, sizeof(*lev) - got);
    1460 if (rv &gt; 0)
    1461 got += rv;
    1462 }
    1463 }
    1464

    ** CID 645008: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Mar-17-2026/src/conio/wl_cio.c: 243 in wl_copytext()


    _____________________________________________________________________________________________
    *** CID 645008: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Mar-17-2026/src/conio/wl_cio.c: 243 in wl_copytext()
    237
    238 assert_pthread_mutex_lock(&amp;wl_copybuf_mutex);
    239 FREE_AND_NULL(wl_copybuf);
    240 wl_copybuf = strdup(text);
    241 assert_pthread_mutex_unlock(&amp;wl_copybuf_mutex);
    242
    &gt;&gt;&gt; CID 645008: Concurrent data access violations (MISSING_LOCK)
    &gt;&gt;&gt; Accessing &quot;wl_copybuf&quot; without holding lock &quot;wl_copybuf_mutex&quot;. Elsewhere, &quot;wl_copybuf&quot; is written to with &quot;wl_copybuf_mutex&quot; held 2 out of 2 times.
    243 if (wl_copybuf) {
    244 ev.type = WL_LOCAL_COPY;
    245 write_event(&amp;ev);
    246 }
    247 }
    248

    ** CID 645007: Program hangs (SLEEP)


    _____________________________________________________________________________________________
    *** CID 645007: Program hangs (SLEEP) /tmp/sbbs-Mar-17-2026/src/conio/ciolib.c: 2754 in ciolib_add_hyperlink()
    2748 }
    2749 }
    2750
    2751 /* Run GC if free list is empty */
    2752 if (hyperlink_free_head == 0)
    2753 hyperlink_gc();
    &gt;&gt;&gt; CID 645007: Program hangs (SLEEP)
    &gt;&gt;&gt; Call to &quot;hyperlink_gc&quot; might sleep while holding lock &quot;hyperlink_mutex&quot;.
    2754
    2755 /* Still empty after GC table is full */
    2756 if (hyperlink_free_head == 0) {
    2757 pthread_mutex_unlock(&amp;hyperlink_mutex);
    2758 return 0;
    2759 }

    </pre>


    <p>Best regards,</p>
    <p>The Coverity Scan Admin Team</p>
    </body>
    </html>
    ----==_mimepart_69b94eebf2ddc_969e92cf51abf19a41186d--

    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From scan-admin@coverity.com@1:103/705 to cov-scan@synchro.net on Wed Mar 18 13:09:04 2026

    ----==_mimepart_69baa3f089f7b_a71c32cf51abf19a411859
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    1 new defect(s) introduced to Synchronet found with Coverity Scan.
    4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

    New defect(s) Reported-by: Coverity Scan
    Showing 1 of 1 defect(s)


    ** CID 645069: Control flow issues (DEADCODE) /tmp/sbbs-Mar-18-2026/src/conio/cterm.c: 2702 in sgr_diff()


    _____________________________________________________________________________________________
    *** CID 645069: Control flow issues (DEADCODE) /tmp/sbbs-Mar-18-2026/src/conio/cterm.c: 2702 in sgr_diff()
    2696 else {
    2697 int params = 0;
    2698 char sgrbuf[128];
    2699 sgrbuf[0] = '\0';
    2700
    2701 if ((na & 0x08) && !(pa & 0x08)) {
    CID 645069: Control flow issues (DEADCODE)
    Execution cannot reach the expression "";1"" inside this statement: "strcat(sgrbuf, (params++ ? ...".
    2702 strcat(sgrbuf, params++ ? ";1" : "1");
    2703 }
    2704 if ((na & 0x80) && !(pa & 0x80)) {
    2705 strcat(sgrbuf, params++ ? ";5" : "5");
    2706 }
    2707 if ((na & 0x07) != (pa & 0x07)) {


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/synchronet?tab=overview


    ----==_mimepart_69baa3f089f7b_a71c32cf51abf19a411859
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="UTF-8">
    <title>New Defects Reported - Synchronet</title>
    </head>
    <body>
    <p>Hi,</p>

    <p>
    Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
    found with Coverity Scan.
    </p>

    <ul>
    <li><strong>New Defects Found:</strong> 1</li>
    <li>
    4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
    </li>
    <li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
    </ul>

    <h3>Defect Details</h3>
    <pre>
    ** CID 645069: Control flow issues (DEADCODE) /tmp/sbbs-Mar-18-2026/src/conio/cterm.c: 2702 in sgr_diff()


    _____________________________________________________________________________________________
    *** CID 645069: Control flow issues (DEADCODE) /tmp/sbbs-Mar-18-2026/src/conio/cterm.c: 2702 in sgr_diff()
    2696 else {
    2697 int params = 0;
    2698 char sgrbuf[128];
    2699 sgrbuf[0] = &#39;\0&#39;;
    2700
    2701 if ((na &amp; 0x08) &amp;&amp; !(pa &amp; 0x08)) {
    &gt;&gt;&gt; CID 645069: Control flow issues (DEADCODE) &gt;&gt;&gt; Execution cannot reach the expression &quot;&quot;;1&quot;&quot; inside this statement: &quot;strcat(sgrbuf, (params++ ? ...&quot;.
    2702 strcat(sgrbuf, params++ ? &quot;;1&quot; : &quot;1&quot;);
    2703 }
    2704 if ((na &amp; 0x80) &amp;&amp; !(pa &amp; 0x80)) {
    2705 strcat(sgrbuf, params++ ? &quot;;5&quot; : &quot;5&quot;);
    2706 }
    2707 if ((na &amp; 0x07) != (pa &amp; 0x07)) {

    </pre>


    <p>Best regards,</p>
    <p>The Coverity Scan Admin Team</p>
    </body>
    </html>
    ----==_mimepart_69baa3f089f7b_a71c32cf51abf19a411859--

    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From scan-admin@coverity.com@1:103/705 to All on Sun Apr 19 12:52:20 2026

    ----==_mimepart_69e4d004e21bf_13347f2c65a87519a05474a
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    3 new defect(s) introduced to Synchronet found with Coverity Scan.
    3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

    New defect(s) Reported-by: Coverity Scan
    Showing 3 of 3 defect(s)


    ** CID 645706: Error handling issues (NEGATIVE_RETURNS) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 635 in cterm_cterm_handle_font_dcs()


    _____________________________________________________________________________________________
    *** CID 645706: Error handling issues (NEGATIVE_RETURNS) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 635 in cterm_cterm_handle_font_dcs()
    629 return;
    630 if (cterm->font_slot > 255)
    631 return;
    632 if (p && *p == ':') {
    633 p++;
    634 i = b64_decode(cterm->fontbuf, sizeof(cterm->fontbuf), p, 0);
    CID 645706: Error handling issues (NEGATIVE_RETURNS)
    "i" is passed to a parameter that cannot be negative.
    635 p2 = malloc(i);
    636 if (p2) {
    637 memcpy(p2, cterm->fontbuf, i);
    638 replace_font(cterm->font_slot,
    639 strdup("Remote Defined Font"), p2, i);
    640 }

    ** CID 645705: Memory - corruptions (OVERRUN) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 637 in cterm_cterm_handle_font_dcs()


    _____________________________________________________________________________________________
    *** CID 645705: Memory - corruptions (OVERRUN) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 637 in cterm_cterm_handle_font_dcs()
    631 return;
    632 if (p && *p == ':') {
    633 p++;
    634 i = b64_decode(cterm->fontbuf, sizeof(cterm->fontbuf), p, 0);
    635 p2 = malloc(i);
    636 if (p2) {
    CID 645705: Memory - corruptions (OVERRUN)
    Calling "memcpy" with "p2" and "i" is suspicious because of the very large index, 18446744073709551615. The index may be due to a negative parameter being interpreted as unsigned.
    637 memcpy(p2, cterm->fontbuf, i);
    638 replace_font(cterm->font_slot,
    639 strdup("Remote Defined Font"), p2, i);
    640 }
    641 }
    642 }

    ** CID 645704: (STRING_OVERFLOW) /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2139 in cterm_dec_dcs_finish()
    /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2135 in cterm_dec_dcs_finish()


    _____________________________________________________________________________________________
    *** CID 645704: (STRING_OVERFLOW) /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2139 in cterm_dec_dcs_finish()
    2133 if (cterm->fg_tc_str) {
    2134 strcat(tmp, ";");
    2135 strcat(tmp, cterm->fg_tc_str);
    2136 }
    2137 if (cterm->bg_tc_str) {
    2138 strcat(tmp, ";");
    CID 645704: (STRING_OVERFLOW)
    You might overrun the 3072-character fixed-size string "tmp" by copying "cterm->bg_tc_str" without checking the length.
    2139 strcat(tmp, cterm->bg_tc_str);
    2140 }
    2141 strcat(tmp, "m\x1b\\");
    2142 cterm_respond(cterm, tmp, strlen(tmp));
    2143 }
    2144 else {
    /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2135 in cterm_dec_dcs_finish()
    2129 case 6: strcat(tmp, ";43"); break;
    2130 case 7: strcat(tmp, ";47"); break;
    2131 }
    2132 }
    2133 if (cterm->fg_tc_str) {
    2134 strcat(tmp, ";");
    CID 645704: (STRING_OVERFLOW)
    You might overrun the 3072-character fixed-size string "tmp" by copying "cterm->fg_tc_str" without checking the length.
    2135 strcat(tmp, cterm->fg_tc_str);
    2136 }
    2137 if (cterm->bg_tc_str) {
    2138 strcat(tmp, ";");
    2139 strcat(tmp, cterm->bg_tc_str);
    2140 }


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/synchronet?tab=overview


    ----==_mimepart_69e4d004e21bf_13347f2c65a87519a05474a
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="UTF-8">
    <title>New Defects Reported - Synchronet</title>
    </head>
    <body>
    <p>Hi,</p>

    <p>
    Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
    found with Coverity Scan.
    </p>

    <ul>
    <li><strong>New Defects Found:</strong> 3</li>
    <li>
    3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
    </li>
    <li><strong>Defects Shown:</strong> Showing 3 of 3 defect(s)</li>
    </ul>

    <h3>Defect Details</h3>
    <pre>
    ** CID 645706: Error handling issues (NEGATIVE_RETURNS) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 635 in cterm_cterm_handle_font_dcs()


    _____________________________________________________________________________________________
    *** CID 645706: Error handling issues (NEGATIVE_RETURNS) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 635 in cterm_cterm_handle_font_dcs()
    629 return;
    630 if (cterm-&gt;font_slot &gt; 255)
    631 return;
    632 if (p &amp;&amp; *p == &#39;:&#39;) {
    633 p++;
    634 i = b64_decode(cterm-&gt;fontbuf, sizeof(cterm-&gt;fontbuf), p, 0);
    &gt;&gt;&gt; CID 645706: Error handling issues (NEGATIVE_RETURNS) &gt;&gt;&gt; &quot;i&quot; is passed to a parameter that cannot be negative.
    635 p2 = malloc(i);
    636 if (p2) {
    637 memcpy(p2, cterm-&gt;fontbuf, i);
    638 replace_font(cterm-&gt;font_slot,
    639 strdup(&quot;Remote Defined Font&quot;), p2, i);
    640 }

    ** CID 645705: Memory - corruptions (OVERRUN) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 637 in cterm_cterm_handle_font_dcs()


    _____________________________________________________________________________________________
    *** CID 645705: Memory - corruptions (OVERRUN) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 637 in cterm_cterm_handle_font_dcs()
    631 return;
    632 if (p &amp;&amp; *p == &#39;:&#39;) {
    633 p++;
    634 i = b64_decode(cterm-&gt;fontbuf, sizeof(cterm-&gt;fontbuf), p, 0);
    635 p2 = malloc(i);
    636 if (p2) {
    &gt;&gt;&gt; CID 645705: Memory - corruptions (OVERRUN) &gt;&gt;&gt; Calling &quot;memcpy&quot; with &quot;p2&quot; and &quot;i&quot; is suspicious because of the very large index, 18446744073709551615. The index may be due to a negative parameter being interpreted as unsigned.
    637 memcpy(p2, cterm-&gt;fontbuf, i);
    638 replace_font(cterm-&gt;font_slot,
    639 strdup(&quot;Remote Defined Font&quot;), p2, i);
    640 }
    641 }
    642 }

    ** CID 645704: (STRING_OVERFLOW) /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2139 in cterm_dec_dcs_finish()
    /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2135 in cterm_dec_dcs_finish()


    _____________________________________________________________________________________________
    *** CID 645704: (STRING_OVERFLOW) /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2139 in cterm_dec_dcs_finish()
    2133 if (cterm-&gt;fg_tc_str) {
    2134 strcat(tmp, &quot;;&quot;);
    2135 strcat(tmp, cterm-&gt;fg_tc_str);
    2136 }
    2137 if (cterm-&gt;bg_tc_str) {
    2138 strcat(tmp, &quot;;&quot;);
    &gt;&gt;&gt; CID 645704: (STRING_OVERFLOW)
    &gt;&gt;&gt; You might overrun the 3072-character fixed-size string &quot;tmp&quot; by copying &quot;cterm-&gt;bg_tc_str&quot; without checking the length.
    2139 strcat(tmp, cterm-&gt;bg_tc_str);
    2140 }
    2141 strcat(tmp, &quot;m\x1b\\&quot;);
    2142 cterm_respond(cterm, tmp, strlen(tmp));
    2143 }
    2144 else {
    /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2135 in cterm_dec_dcs_finish()
    2129 case 6: strcat(tmp, &quot;;43&quot;); break;
    2130 case 7: strcat(tmp, &quot;;47&quot;); break;
    2131 }
    2132 }
    2133 if (cterm-&gt;fg_tc_str) {
    2134 strcat(tmp, &quot;;&quot;);
    &gt;&gt;&gt; CID 645704: (STRING_OVERFLOW)
    &gt;&gt;&gt; You might overrun the 3072-character fixed-size string &quot;tmp&quot; by copying &quot;cterm-&gt;fg_tc_str&quot; without checking the length.
    2135 strcat(tmp, cterm-&gt;fg_tc_str);
    2136 }
    2137 if (cterm-&gt;bg_tc_str) {
    2138 strcat(tmp, &quot;;&quot;);
    2139 strcat(tmp, cterm-&gt;bg_tc_str);
    2140 }

    </pre>


    <p>Best regards,</p>
    <p>The Coverity Scan Admin Team</p>
    </body>
    </html>
    ----==_mimepart_69e4d004e21bf_13347f2c65a87519a05474a--

    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From scan-admin@coverity.com@1:103/705 to All on Tue Apr 21 12:52:54 2026

    ----==_mimepart_69e77325c1f19_1534e22c65a87519a054733
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    6 new defect(s) introduced to Synchronet found with Coverity Scan.
    2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

    New defect(s) Reported-by: Coverity Scan
    Showing 6 of 6 defect(s)


    ** CID 645741: Data race undermines locking (LOCK_EVASION) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2092 in xp_audio_play()


    _____________________________________________________________________________________________
    *** CID 645741: Data race undermines locking (LOCK_EVASION) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2092 in xp_audio_play()
    2086 if (!newring) {
    2087 assert_pthread_mutex_unlock(&s->mutex);
    2088 xp_audio_close(h);
    2089 return -1;
    2090 }
    2091 s->ring = newring;
    CID 645741: Data race undermines locking (LOCK_EVASION)
    Thread1 sets "ring_frames" to a new value. Now the two threads have an inconsistent view of "ring_frames" and updates to fields correlated with "ring_frames" may be lost.
    2092 s->ring_frames = nframes;
    2093 assert_pthread_mutex_unlock(&s->mutex);
    2094 }
    2095 if (loop) {
    2096 assert_pthread_mutex_lock(&s->mutex);
    2097 s->loop = true;

    ** CID 645740: Null pointer dereferences (NULL_RETURNS) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play()


    _____________________________________________________________________________________________
    *** CID 645740: Null pointer dereferences (NULL_RETURNS) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play()
    2076
    2077 if (h < 0)
    2078 return -1;
    2079 s = stream_from_handle(h);
    2080 /* Resize ring to fit exactly if larger than default. Loop mode requires
    2081 * the ring to hold the full sample (read wraps to write_pos). */
    CID 645740: Null pointer dereferences (NULL_RETURNS)
    Dereferencing "s", which is known to be "NULL".
    2082 if (nframes > s->ring_frames) {
    2083 int16_t *newring;
    2084 assert_pthread_mutex_lock(&s->mutex);
    2085 newring = realloc(s->ring, nframes * S_CHANNELS * sizeof(int16_t));
    2086 if (!newring) {
    2087 assert_pthread_mutex_unlock(&s->mutex);

    ** CID 645739: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open()


    _____________________________________________________________________________________________
    *** CID 645739: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open()
    1856
    1857 assert_pthread_mutex_lock(&mixer_lock);
    1858 /* Reap any done+auto_close streams first to free slots. Safe under
    1859 * mixer_lock no mixer pull is in progress. */
    1860 for (i = 0; i < XP_AUDIO_MAX_STREAMS; i++) {
    1861 struct xp_audio_stream *r = mixer_streams[i];
    CID 645739: Concurrent data access violations (MISSING_LOCK) >>> Accessing "r->done" without holding lock "xp_audio_stream.mutex". Elsewhere, "xp_audio_stream.done" is written to with "xp_audio_stream.mutex" held 4 out of 4 times (1 of these accesses strongly imply that it is necessary).
    1862 if (r && r->auto_close && r->done) {
    1863 mixer_streams[i] = NULL;
    1864 free_stream_locked(r);
    1865 }
    1866 }
    1867 for (i = 0; i < XP_AUDIO_MAX_STREAMS; i++) {

    ** CID 645738: Uninitialized variables (UNINIT)


    _____________________________________________________________________________________________
    *** CID 645738: Uninitialized variables (UNINIT) /tmp/sbbs-Apr-21-2026/src/conio/cterm_cterm.c: 1125 in play_music()
    1119 if (buf) {
    1120 if (note_frames > 0)
    1121 xptone_makewave(freq, buf, note_frames, WAVE_SHAPE_SINE_SAW_HARM);
    1122 if (pause_frames > 0)
    1123 memset(buf + (size_t)note_frames * XPBEEP_CHANNELS, 0,
    1124 (size_t)pause_frames * XPBEEP_FRAMESIZE);
    CID 645738: Uninitialized variables (UNINIT)
    Using uninitialized value "*buf" when calling "xp_audio_append".
    1125 xp_audio_append(cterm->music_stream, buf, total_frames);
    1126 free(buf);
    1127 if (cterm->musicfore) {
    1128 xp_audio_wait(cterm->music_stream);
    1129 had_foreground = 1;
    1130 }

    ** CID 645737: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play()


    _____________________________________________________________________________________________
    *** CID 645737: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play()
    2076
    2077 if (h < 0)
    2078 return -1;
    2079 s = stream_from_handle(h);
    2080 /* Resize ring to fit exactly if larger than default. Loop mode requires
    2081 * the ring to hold the full sample (read wraps to write_pos). */
    CID 645737: Concurrent data access violations (MISSING_LOCK) >>> Accessing "s->ring_frames" without holding lock "xp_audio_stream.mutex". Elsewhere, "xp_audio_stream.ring_frames" is written to with "xp_audio_stream.mutex" held 1 out of 1 times.
    2082 if (nframes > s->ring_frames) {
    2083 int16_t *newring;
    2084 assert_pthread_mutex_lock(&s->mutex);
    2085 newring = realloc(s->ring, nframes * S_CHANNELS * sizeof(int16_t));
    2086 if (!newring) {
    2087 assert_pthread_mutex_unlock(&s->mutex);

    ** CID 645736: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open()


    _____________________________________________________________________________________________
    *** CID 645736: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open()
    1856
    1857 assert_pthread_mutex_lock(&mixer_lock);
    1858 /* Reap any done+auto_close streams first to free slots. Safe under
    1859 * mixer_lock no mixer pull is in progress. */
    1860 for (i = 0; i < XP_AUDIO_MAX_STREAMS; i++) {
    1861 struct xp_audio_stream *r = mixer_streams[i];
    CID 645736: Concurrent data access violations (MISSING_LOCK) >>> Accessing "r->auto_close" without holding lock "xp_audio_stream.mutex". Elsewhere, "xp_audio_stream.auto_close" is written to with "xp_audio_stream.mutex" held 1 out of 1 times (1 of these accesses strongly imply that it is necessary).
    1862 if (r && r->auto_close && r->done) {
    1863 mixer_streams[i] = NULL;
    1864 free_stream_locked(r);
    1865 }
    1866 }
    1867 for (i = 0; i < XP_AUDIO_MAX_STREAMS; i++) {


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/synchronet?tab=overview


    ----==_mimepart_69e77325c1f19_1534e22c65a87519a054733
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="UTF-8">
    <title>New Defects Reported - Synchronet</title>
    </head>
    <body>
    <p>Hi,</p>

    <p>
    Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
    found with Coverity Scan.
    </p>

    <ul>
    <li><strong>New Defects Found:</strong> 6</li>
    <li>
    2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
    </li>
    <li><strong>Defects Shown:</strong> Showing 6 of 6 defect(s)</li>
    </ul>

    <h3>Defect Details</h3>
    <pre>
    ** CID 645741: Data race undermines locking (LOCK_EVASION) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2092 in xp_audio_play()


    _____________________________________________________________________________________________
    *** CID 645741: Data race undermines locking (LOCK_EVASION) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2092 in xp_audio_play()
    2086 if (!newring) {
    2087 assert_pthread_mutex_unlock(&amp;s-&gt;mutex);
    2088 xp_audio_close(h);
    2089 return -1;
    2090 }
    2091 s-&gt;ring = newring;
    &gt;&gt;&gt; CID 645741: Data race undermines locking (LOCK_EVASION)
    &gt;&gt;&gt; Thread1 sets &quot;ring_frames&quot; to a new value. Now the two threads have an inconsistent view of &quot;ring_frames&quot; and updates to fields correlated with &quot;ring_frames&quot; may be lost.
    2092 s-&gt;ring_frames = nframes;
    2093 assert_pthread_mutex_unlock(&amp;s-&gt;mutex);
    2094 }
    2095 if (loop) {
    2096 assert_pthread_mutex_lock(&amp;s-&gt;mutex);
    2097 s-&gt;loop = true;

    ** CID 645740: Null pointer dereferences (NULL_RETURNS) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play()


    _____________________________________________________________________________________________
    *** CID 645740: Null pointer dereferences (NULL_RETURNS) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play() 2076
    2077 if (h &lt; 0)
    2078 return -1;
    2079 s = stream_from_handle(h);
    2080 /* Resize ring to fit exactly if larger than default. Loop mode requires
    2081 * the ring to hold the full sample (read wraps to write_pos). */
    &gt;&gt;&gt; CID 645740: Null pointer dereferences (NULL_RETURNS) &gt;&gt;&gt; Dereferencing &quot;s&quot;, which is known to be &quot;NULL&quot;.
    2082 if (nframes &gt; s-&gt;ring_frames) {
    2083 int16_t *newring;
    2084 assert_pthread_mutex_lock(&amp;s-&gt;mutex);
    2085 newring = realloc(s-&gt;ring, nframes * S_CHANNELS * sizeof(int16_t));
    2086 if (!newring) {
    2087 assert_pthread_mutex_unlock(&amp;s-&gt;mutex);

    ** CID 645739: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open()


    _____________________________________________________________________________________________
    *** CID 645739: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open() 1856
    1857 assert_pthread_mutex_lock(&amp;mixer_lock);
    1858 /* Reap any done+auto_close streams first to free slots. Safe under
    1859 * mixer_lock no mixer pull is in progress. */
    1860 for (i = 0; i &lt; XP_AUDIO_MAX_STREAMS; i++) {
    1861 struct xp_audio_stream *r = mixer_streams[i]; &gt;&gt;&gt; CID 645739: Concurrent data access violations (MISSING_LOCK)
    &gt;&gt;&gt; Accessing &quot;r-&gt;done&quot; without holding lock &quot;xp_audio_stream.mutex&quot;. Elsewhere, &quot;xp_audio_stream.done&quot; is written to with &quot;xp_audio_stream.mutex&quot; held 4 out of 4 times (1 of these accesses strongly implies that it is necessary).
    1862 if (r &amp;&amp; r-&gt;auto_close &amp;&amp; r-&gt;done) {
    1863 mixer_streams[i] = NULL;
    1864 free_stream_locked(r);
    1865 }
    1866 }
    1867 for (i = 0; i &lt; XP_AUDIO_MAX_STREAMS; i++) {

    ** CID 645738: Uninitialized variables (UNINIT)


    _____________________________________________________________________________________________
    *** CID 645738: Uninitialized variables (UNINIT) /tmp/sbbs-Apr-21-2026/src/conio/cterm_cterm.c: 1125 in play_music() 1119 if (buf) {
    1120 if (note_frames &gt; 0)
    1121 xptone_makewave(freq, buf, note_frames, WAVE_SHAPE_SINE_SAW_HARM);
    1122 if (pause_frames &gt; 0)
    1123 memset(buf + (size_t)note_frames * XPBEEP_CHANNELS, 0,
    1124 (size_t)pause_frames * XPBEEP_FRAMESIZE);
    &gt;&gt;&gt; CID 645738: Uninitialized variables (UNINIT) &gt;&gt;&gt; Using uninitialized value &quot;*buf&quot; when calling &quot;xp_audio_append&quot;.
    1125 xp_audio_append(cterm-&gt;music_stream, buf, total_frames);
    1126 free(buf);
    1127 if (cterm-&gt;musicfore) {
    1128 xp_audio_wait(cterm-&gt;music_stream);
    1129 had_foreground = 1;
    1130 }

    ** CID 645737: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play()


    _____________________________________________________________________________________________
    *** CID 645737: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play() 2076
    2077 if (h &lt; 0)
    2078 return -1;
    2079 s = stream_from_handle(h);
    2080 /* Resize ring to fit exactly if larger than default. Loop mode requires
    2081 * the ring to hold the full sample (read wraps to write_pos). */
    &gt;&gt;&gt; CID 645737: Concurrent data access violations (MISSING_LOCK)
    &gt;&gt;&gt; Accessing &quot;s-&gt;ring_frames&quot; without holding lock &quot;xp_audio_stream.mutex&quot;. Elsewhere, &quot;xp_audio_stream.ring_frames&quot; is written to with &quot;xp_audio_stream.mutex&quot; held 1 out of 1 times.
    2082 if (nframes &gt; s-&gt;ring_frames) {
    2083 int16_t *newring;
    2084 assert_pthread_mutex_lock(&amp;s-&gt;mutex);
    2085 newring = realloc(s-&gt;ring, nframes * S_CHANNELS * sizeof(int16_t));
    2086 if (!newring) {
    2087 assert_pthread_mutex_unlock(&amp;s-&gt;mutex);

    ** CID 645736: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open()


    _____________________________________________________________________________________________
    *** CID 645736: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open() 1856
    1857 assert_pthread_mutex_lock(&amp;mixer_lock);
    1858 /* Reap any done+auto_close streams first to free slots. Safe under
    1859 * mixer_lock no mixer pull is in progress. */
    1860 for (i = 0; i &lt; XP_AUDIO_MAX_STREAMS; i++) {
    1861 struct xp_audio_stream *r = mixer_streams[i]; &gt;&gt;&gt; CID 645736: Concurrent data access violations (MISSING_LOCK)
    &gt;&gt;&gt; Accessing &quot;r-&gt;auto_close&quot; without holding lock &quot;xp_audio_stream.mutex&quot;. Elsewhere, &quot;xp_audio_stream.auto_close&quot; is written to with &quot;xp_audio_stream.mutex&quot; held 1 out of 1 times (1 of these accesses strongly implies that it is necessary).
    1862 if (r &amp;&amp; r-&gt;auto_close &amp;&amp; r-&gt;done) {
    1863 mixer_streams[i] = NULL;
    1864 free_stream_locked(r);
    1865 }
    1866 }
    1867 for (i = 0; i &lt; XP_AUDIO_MAX_STREAMS; i++) {

    </pre>


    <p>Best regards,</p>
    <p>The Coverity Scan Admin Team</p>
    </body>
    </html>
    ----==_mimepart_69e77325c1f19_1534e22c65a87519a054733--

    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From scan-admin@coverity.com@1:103/705 to All on Wed Apr 22 13:18:50 2026

    ----==_mimepart_69e8cab9a8d78_1637042c65a87519a0547fb
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    1 new defect(s) introduced to Synchronet found with Coverity Scan.
    4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

    New defect(s) Reported-by: Coverity Scan
    Showing 1 of 1 defect(s)


    ** CID 645757: Control flow issues (DEADCODE) /tmp/sbbs-Apr-22-2026/src/conio/cterm_cterm.c: 1228 in cterm_play_fx_tone()


    _____________________________________________________________________________________________
    *** CID 645757: Control flow issues (DEADCODE) /tmp/sbbs-Apr-22-2026/src/conio/cterm_cterm.c: 1228 in cterm_play_fx_tone()
    1222 if (!cterm || duration_ms == 0)
    1223 return false;
    1224 if (!cterm_fx_ensure_open(cterm))
    1225 return false;
    1226 nframes = (size_t)XPBEEP_SAMPLE_RATE * duration_ms / 1000;
    1227 if (nframes == 0)
    CID 645757: Control flow issues (DEADCODE)
    Execution cannot reach this statement: "return true;".
    1228 return true;
    1229 buf = (int16_t *)malloc(nframes * XPBEEP_FRAMESIZE);
    1230 if (!buf)
    1231 return false;
    1232 xptone_makewave(freq, buf, (int)nframes, shape);
    1233 return xp_audio_append(cterm->fx_stream, buf, nframes, NULL);


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/synchronet?tab=overview


    ----==_mimepart_69e8cab9a8d78_1637042c65a87519a0547fb
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="UTF-8">
    <title>New Defects Reported - Synchronet</title>
    </head>
    <body>
    <p>Hi,</p>

    <p>
    Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
    found with Coverity Scan.
    </p>

    <ul>
    <li><strong>New Defects Found:</strong> 1</li>
    <li>
    4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
    </li>
    <li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
    </ul>

    <h3>Defect Details</h3>
    <pre>
    ** CID 645757: Control flow issues (DEADCODE) /tmp/sbbs-Apr-22-2026/src/conio/cterm_cterm.c: 1228 in cterm_play_fx_tone()


    _____________________________________________________________________________________________
    *** CID 645757: Control flow issues (DEADCODE) /tmp/sbbs-Apr-22-2026/src/conio/cterm_cterm.c: 1228 in cterm_play_fx_tone()
    1222 if (!cterm || duration_ms == 0)
    1223 return false;
    1224 if (!cterm_fx_ensure_open(cterm))
    1225 return false;
    1226 nframes = (size_t)XPBEEP_SAMPLE_RATE * duration_ms / 1000;
    1227 if (nframes == 0)
    &gt;&gt;&gt; CID 645757: Control flow issues (DEADCODE) &gt;&gt;&gt; Execution cannot reach this statement: &quot;return true;&quot;.
    1228 return true;
    1229 buf = (int16_t *)malloc(nframes * XPBEEP_FRAMESIZE);
    1230 if (!buf)
    1231 return false;
    1232 xptone_makewave(freq, buf, (int)nframes, shape);
    1233 return xp_audio_append(cterm-&gt;fx_stream, buf, nframes, NULL);

    </pre>


    <p>Best regards,</p>
    <p>The Coverity Scan Admin Team</p>
    </body>
    </html>
    ----==_mimepart_69e8cab9a8d78_1637042c65a87519a0547fb--

    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From scan-admin@coverity.com@1:103/705 to All on Sat Apr 25 12:52:12 2026

    ----==_mimepart_69ecb8fbe93d7_192b812e859c9b599c683bf
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    15 new defect(s) introduced to Synchronet found with Coverity Scan.


    New defect(s) Reported-by: Coverity Scan
    Showing 15 of 15 defect(s)


    ** CID 645808: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645808: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 424 in s_id_str_str() 418 {
    419 bool ret;
    420 sftp_str_t str1;
    421 sftp_str_t str2;
    422
    423 state->priv->id = get32(state->priv->rxp);
    CID 645808: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
    424 str1 = getcstring(state);
    425 if (str1 == NULL) {
    426 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 427 "id_str_str: first getcstring failed");
    428 return false;
    429 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 424 in s_id_str_str() 418 {
    419 bool ret;
    420 sftp_str_t str1;
    421 sftp_str_t str2;
    422
    423 state->priv->id = get32(state->priv->rxp);
    CID 645808: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
    424 str1 = getcstring(state);
    425 if (str1 == NULL) {
    426 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 427 "id_str_str: first getcstring failed");
    428 return false;
    429 }

    ** CID 645807: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645807: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 727 in sftps_recv() 721 }
    722 if (!handled) {
    723 lprintf(state, SSH_FX_FAILURE, "Unhandled request type: %s (%d)",
    724 sftp_get_type_name(state->priv->rxp->type), 725 state->priv->rxp->type);
    726 state->priv->id = get32(state->priv->rxp);
    CID 645807: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "sftps_send_error", which uses it as an allocation size.
    727 if (!sftps_send_error(state, SSH_FX_OP_UNSUPPORTED,
    728 "Operation not implemented", out))
    729 return server_exit(state, false);
    730 }
    731 remove_packet(state->priv->rxp);
    732 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 706 in sftps_recv() 700 handled = true;
    701 }
    702 break;
    703 case SSH_FXP_EXTENDED:
    704 if (state->version >= 3 && state->extended) {
    705 state->priv->id = get32(state->priv->rxp);
    CID 645807: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
    706 sftp_str_t request = getcstring(state);
    707 if (request == NULL) {
    708 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    709 "EXTENDED: request getcstring failed");
    710 return server_exit(state, false);
    711 } /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 727 in sftps_recv() 721 }
    722 if (!handled) {
    723 lprintf(state, SSH_FX_FAILURE, "Unhandled request type: %s (%d)",
    724 sftp_get_type_name(state->priv->rxp->type), 725 state->priv->rxp->type);
    726 state->priv->id = get32(state->priv->rxp);
    CID 645807: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "sftps_send_error", which uses it as an offset.
    727 if (!sftps_send_error(state, SSH_FX_OP_UNSUPPORTED,
    728 "Operation not implemented", out))
    729 return server_exit(state, false);
    730 }
    731 remove_packet(state->priv->rxp);
    732 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 706 in sftps_recv() 700 handled = true;
    701 }
    702 break;
    703 case SSH_FXP_EXTENDED:
    704 if (state->version >= 3 && state->extended) {
    705 state->priv->id = get32(state->priv->rxp);
    CID 645807: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
    706 sftp_str_t request = getcstring(state);
    707 if (request == NULL) {
    708 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    709 "EXTENDED: request getcstring failed");
    710 return server_exit(state, false);
    711 }

    ** CID 645806: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645806: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 361 in s_id_str_attr()
    355 {
    356 bool ret;
    357 sftp_str_t str;
    358 sftp_file_attr_t attrs;
    359
    360 state->priv->id = get32(state->priv->rxp);
    CID 645806: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
    361 str = getcstring(state);
    362 if (str == NULL) {
    363 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 364 "id_str_attr: getcstring failed");
    365 return false;
    366 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 361 in s_id_str_attr()
    355 {
    356 bool ret;
    357 sftp_str_t str;
    358 sftp_file_attr_t attrs;
    359
    360 state->priv->id = get32(state->priv->rxp);
    CID 645806: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
    361 str = getcstring(state);
    362 if (str == NULL) {
    363 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 364 "id_str_attr: getcstring failed");
    365 return false;
    366 }

    ** CID 645805: Insecure data handling (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645805: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 261 in getstring()
    255 uint32_t sz = get32(pkt);
    256 /* Does `sz` bytes fit in the remaining allocation past cur? */ 257 if ((size_t)pkt->cur + offsetof(struct sftp_rx_pkt, data) + sz > pkt->sz) {
    258 pkt->cur = saved_cur;
    259 return NULL;
    260 }
    CID 645805: Insecure data handling (TAINTED_SCALAR)
    Passing tainted expression "sz" to "sftp_memdup", which uses it as an allocation size.
    261 sftp_str_t ret = sftp_memdup(&pkt->data[pkt->cur], sz);
    262 if (ret == NULL)
    263 pkt->cur = saved_cur;
    264 else
    265 pkt->cur += sz;
    266 return ret;

    ** CID 645804: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645804: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 142 in s_open()
    136 bool ret;
    137 sftp_str_t fname;
    138 uint32_t flags;
    139 sftp_file_attr_t attrs;
    140
    141 state->priv->id = get32(state->priv->rxp);
    CID 645804: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
    142 fname = getcstring(state);
    143 if (fname == NULL) {
    144 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 145 "OPEN: filename getcstring failed");
    146 return false;
    147 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 142 in s_open()
    136 bool ret;
    137 sftp_str_t fname;
    138 uint32_t flags;
    139 sftp_file_attr_t attrs;
    140
    141 state->priv->id = get32(state->priv->rxp);
    CID 645804: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
    142 fname = getcstring(state);
    143 if (fname == NULL) {
    144 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 145 "OPEN: filename getcstring failed");
    146 return false;
    147 }

    ** CID 645803: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 211 in extract_packet() /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 217 in extract_packet()


    _____________________________________________________________________________________________
    *** CID 645803: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 211 in extract_packet() 205 extract_packet(sftp_rx_pkt_t stream)
    206 {
    207 if (!stream || !have_full_pkt(stream))
    208 return NULL;
    209 uint32_t sz = pkt_sz(stream);
    210 size_t alloc_sz = offsetof(struct sftp_rx_pkt, len) + sizeof(uint32_t) + sz;
    CID 645803: (TAINTED_SCALAR)
    Passing tainted expression "alloc_sz" to "malloc", which uses it as an allocation size.
    211 sftp_rx_pkt_t out = (sftp_rx_pkt_t)malloc(alloc_sz);
    212 if (out == NULL)
    213 return NULL;
    214 out->cur = 0;
    215 out->sz = alloc_sz;
    216 out->used = sizeof(uint32_t) + sz; /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 217 in extract_packet() 211 sftp_rx_pkt_t out = (sftp_rx_pkt_t)malloc(alloc_sz);
    212 if (out == NULL)
    213 return NULL;
    214 out->cur = 0;
    215 out->sz = alloc_sz;
    216 out->used = sizeof(uint32_t) + sz;
    CID 645803: (TAINTED_SCALAR)
    Passing tainted expression "out->used" to "memcpy", which uses it as an offset.
    217 memcpy(&out->len, &stream->len, out->used);
    218 remove_packet(stream);
    219 return out;
    220 }
    221
    222 #define GET_FUNC_BODY \

    ** CID 645802: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 85 in getcstring()


    _____________________________________________________________________________________________
    *** CID 645802: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 85 in getcstring()
    79 static sftp_str_t
    80 getcstring(sftps_state_t state)
    81 {
    82 sftp_str_t str = getstring(state->priv->rxp);
    83 if (str == NULL)
    84 return NULL;
    CID 645802: Insecure data handling (TAINTED_SCALAR)
    Passing tainted expression "str->len" to "memchr", which uses it as an offset.
    85 if (memchr(str->c_str, 0, str->len) != NULL) {
    86 free_sftp_str(str);
    87 return NULL;
    88 }
    89 return str;
    90 }

    ** CID 645801: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 103 in init()


    _____________________________________________________________________________________________
    *** CID 645801: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 103 in init()
    97 state->version = SFTP_VERSION;
    98 /* Intersect client's advertised extensions with the ones we support. 99 * The result is what we enable for this session AND what we echo
    100 * back to the client in VERSION. */
    101 state->extensions = 0;
    102 uint32_t payload_len = pkt_sz(state->priv->rxp) - 1;
    CID 645801: Insecure data handling (TAINTED_SCALAR)
    Using tainted variable "payload_len" as a loop boundary.
    103 while (state->priv->rxp->cur + sizeof(uint32_t) <= payload_len) {
    104 sftp_str_t ext_name = getstring(state->priv->rxp);
    105 sftp_str_t ext_data = getstring(state->priv->rxp);
    106 if (ext_name == NULL || ext_data == NULL) {
    107 free_sftp_str(ext_name);
    108 free_sftp_str(ext_data);

    ** CID 645800: (TAINTED_SCALAR)
    /sftp.cpp: 2184 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
    /sftp.cpp: 2190 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()


    _____________________________________________________________________________________________
    *** CID 645800: (TAINTED_SCALAR)
    /sftp.cpp: 2184 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
    2178 if (request->len == nlen &&
    2179 memcmp(request->c_str, SFTP_EXT_NAME_DESCS, nlen) == 0) { 2180 sftp_str_t path = sftp_rx_get_string(pkt);
    2181 if (path == nullptr)
    2182 return sftps_send_error(sbbs->sftp_state,
    2183 SSH_FX_BAD_MESSAGE, "Missing path", nullptr);
    CID 645800: (TAINTED_SCALAR)
    Passing tainted expression "path->len + 1U" to "malloc", which uses it as an allocation size.
    2184 char *cpath = (char *)malloc(path->len + 1);
    2185 if (cpath == nullptr) {
    2186 free_sftp_str(path);
    2187 return sftps_send_error(sbbs->sftp_state,
    2188 SSH_FX_FAILURE, "Out of memory", nullptr); 2189 }
    /sftp.cpp: 2190 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
    2184 char *cpath = (char *)malloc(path->len + 1);
    2185 if (cpath == nullptr) {
    2186 free_sftp_str(path);
    2187 return sftps_send_error(sbbs->sftp_state,
    2188 SSH_FX_FAILURE, "Out of memory", nullptr); 2189 }
    CID 645800: (TAINTED_SCALAR)
    Passing tainted expression "path->len" to "memcpy", which uses it as an offset.
    2190 memcpy(cpath, path->c_str, path->len);
    2191 cpath[path->len] = '\0';
    2192 free_sftp_str(path);
    2193 sbbs->lprintf(LOG_DEBUG, "SFTP descs(%s)", cpath);
    2194 bool ret = sftp_ext_descs(sbbs, cpath);
    2195 free(cpath);

    ** CID 645799: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645799: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 315 in s_id_str()
    309 struct sftps_outcome *out)
    310 {
    311 bool ret;
    312 sftp_str_t str;
    313
    314 state->priv->id = get32(state->priv->rxp);
    CID 645799: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
    315 str = getcstring(state);
    316 if (str == NULL) {
    317 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 318 "id_str: getcstring failed");
    319 return false;
    320 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 315 in s_id_str()
    309 struct sftps_outcome *out)
    310 {
    311 bool ret;
    312 sftp_str_t str;
    313
    314 state->priv->id = get32(state->priv->rxp);
    CID 645799: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
    315 str = getcstring(state);
    316 if (str == NULL) {
    317 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 318 "id_str: getcstring failed");
    319 return false;
    320 }

    ** CID 645798: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 69 in server_exit()


    _____________________________________________________________________________________________
    *** CID 645798: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 69 in server_exit() 63 }
    64
    65 static bool
    66 server_exit(sftps_state_t state, bool retval)
    67 {
    68 assert(state->priv->running > 0);
    CID 645798: Concurrent data access violations (MISSING_LOCK) >>> Accessing "state->priv->running" without holding lock "sftp_server_state_private.mtx". Elsewhere, "sftp_server_state_private.running" is written to with "sftp_server_state_private.mtx" held 1 out of 2 times (1 of these accesses strongly implies that it is necessary).
    69 state->priv->running--;
    70 pthread_mutex_unlock(&state->priv->mtx);
    71 return retval;
    72 }
    73
    74 /*

    ** CID 645797: Insecure data handling (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645797: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 190 in parse_status() 184 if (reply->type != SSH_FXP_STATUS)
    185 return false;
    186 uint32_t code = get32(reply);
    187 if (out != NULL)
    188 out->result = code;
    189 sftp_str_t msg = getstring(reply);
    CID 645797: Insecure data handling (TAINTED_SCALAR)
    Passing tainted expression "reply->cur" to "getstring", which uses it as an offset.
    190 sftp_str_t lang = getstring(reply);
    191 if (msg != NULL && msg->len > 0) {
    192 sftpc_outcome_reply(out,
    193 (const char *)msg->c_str, msg->len,
    194 lang ? (const char *)lang->c_str : "",
    195 lang ? lang->len : 0);

    ** CID 645796: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 102 in init()


    _____________________________________________________________________________________________
    *** CID 645796: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 102 in init()
    96 if (state->version > SFTP_VERSION)
    97 state->version = SFTP_VERSION;
    98 /* Intersect client's advertised extensions with the ones we support. 99 * The result is what we enable for this session AND what we echo
    100 * back to the client in VERSION. */
    101 state->extensions = 0;
    CID 645796: Integer handling issues (INTEGER_OVERFLOW)
    Expression "pkt_sz(state->priv->rxp) - 1U", where "pkt_sz(state->priv->rxp)" is known to be equal to 0, underflows the type of "pkt_sz(state->priv->rxp) - 1U", which is type "unsigned int".
    102 uint32_t payload_len = pkt_sz(state->priv->rxp) - 1;
    103 while (state->priv->rxp->cur + sizeof(uint32_t) <= payload_len) {
    104 sftp_str_t ext_name = getstring(state->priv->rxp);
    105 sftp_str_t ext_data = getstring(state->priv->rxp);
    106 if (ext_name == NULL || ext_data == NULL) {
    107 free_sftp_str(ext_name);

    ** CID 645795: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 87 in client_exit()


    _____________________________________________________________________________________________
    *** CID 645795: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 87 in client_exit() 81 }
    82
    83 static bool
    84 client_exit(sftpc_state_t state, bool retval)
    85 {
    86 assert(state->running > 0);
    CID 645795: Concurrent data access violations (MISSING_LOCK) >>> Accessing "state->running" without holding lock "sftp_client_state.mtx". Elsewhere, "sftp_client_state.running" is written to with "sftp_client_state.mtx" held 1 out of 2 times (1 of these accesses strongly implies that it is necessary).
    87 state->running--;
    88 pthread_mutex_unlock(&state->mtx);
    89 return retval;
    90 }
    91
    92 /* Pending-list helpers; state->mtx must be held. */

    ** CID 645794: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645794: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 338 in getfattr()
    332 */
    333 extcnt &= 0x3FFFFFFF;
    334 for (ext = 0; ext < extcnt; ext++) {
    335 sftp_str_t type = getstring(pkt);
    336 if (type == NULL)
    337 break;
    CID 645794: (TAINTED_SCALAR)
    Passing tainted expression "pkt->cur" to "getstring", which uses it as an offset.
    338 sftp_str_t data = getstring(pkt);
    339 if (data == NULL) {
    340 free_sftp_str(type);
    341 break;
    342 }
    343 if (!sftp_fattr_add_ext(&ret, type, data)) { /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 335 in getfattr()
    329 * size of the buffer since getstring()
    330 * will fail long before we reach extcnt if
    331 * it has a maliciously high value.
    332 */
    333 extcnt &= 0x3FFFFFFF;
    334 for (ext = 0; ext < extcnt; ext++) {
    CID 645794: (TAINTED_SCALAR)
    Passing tainted expression "pkt->cur" to "getstring", which uses it as an offset.
    335 sftp_str_t type = getstring(pkt);
    336 if (type == NULL)
    337 break;
    338 sftp_str_t data = getstring(pkt);
    339 if (data == NULL) {
    340 free_sftp_str(type); /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 343 in getfattr()
    337 break;
    338 sftp_str_t data = getstring(pkt);
    339 if (data == NULL) {
    340 free_sftp_str(type);
    341 break;
    342 }
    CID 645794: (TAINTED_SCALAR)
    Passing tainted expression "type->len" to "sftp_fattr_add_ext", which uses it as an allocation size.
    343 if (!sftp_fattr_add_ext(&ret, type, data)) { 344 free_sftp_str(type);
    345 free_sftp_str(data);
    346 break;
    347 }
    348 free_sftp_str(type); /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 343 in getfattr()
    337 break;
    338 sftp_str_t data = getstring(pkt);
    339 if (data == NULL) {
    340 free_sftp_str(type);
    341 break;
    342 }
    CID 645794: (TAINTED_SCALAR)
    Passing tainted expression "data->len" to "sftp_fattr_add_ext", which uses it as an allocation size.
    343 if (!sftp_fattr_add_ext(&ret, type, data)) { 344 free_sftp_str(type);
    345 free_sftp_str(data);
    346 break;
    347 }
    348 free_sftp_str(type);


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/synchronet?tab=overview


    ----==_mimepart_69ecb8fbe93d7_192b812e859c9b599c683bf
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="UTF-8">
    <title>New Defects Reported - Synchronet</title>
    </head>
    <body>
    <p>Hi,</p>

    <p>
    Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
    found with Coverity Scan.
    </p>

    <ul>
    <li><strong>New Defects Found:</strong> 15</li>
    <li><strong>Defects Shown:</strong> Showing 15 of 15 defect(s)</li>
    </ul>

    <h3>Defect Details</h3>
    <pre>
    ** CID 645808: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645808: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 424 in s_id_str_str() 418 {
    419 bool ret;
    420 sftp_str_t str1;
    421 sftp_str_t str2;
    422
    423 state-&gt;priv-&gt;id = get32(state-&gt;priv-&gt;rxp); &gt;&gt;&gt; CID 645808: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;state-&gt;priv&quot; to &quot;getcstring&quot;, which uses it as an allocation size.
    424 str1 = getcstring(state);
    425 if (str1 == NULL) {
    426 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    427 &quot;id_str_str: first getcstring failed&quot;);
    428 return false;
    429 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 424 in s_id_str_str() 418 {
    419 bool ret;
    420 sftp_str_t str1;
    421 sftp_str_t str2;
    422
    423 state-&gt;priv-&gt;id = get32(state-&gt;priv-&gt;rxp); &gt;&gt;&gt; CID 645808: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;state-&gt;priv&quot; to &quot;getcstring&quot;, which uses it as an offset.
    424 str1 = getcstring(state);
    425 if (str1 == NULL) {
    426 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 427 &quot;id_str_str: first getcstring failed&quot;); 428 return false;
    429 }

    ** CID 645807: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645807: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 727 in sftps_recv() 721 }
    722 if (!handled) {
    723 lprintf(state, SSH_FX_FAILURE, &quot;Unhandled request type: %s (%d)&quot;,
    724 sftp_get_type_name(state-&gt;priv-&gt;rxp-&gt;type),
    725 state-&gt;priv-&gt;rxp-&gt;type);
    726 state-&gt;priv-&gt;id = get32(state-&gt;priv-&gt;rxp);
    &gt;&gt;&gt; CID 645807: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;state-&gt;priv&quot; to &quot;sftps_send_error&quot;, which uses it as an allocation size.
    727 if (!sftps_send_error(state, SSH_FX_OP_UNSUPPORTED,
    728 &quot;Operation not implemented&quot;, out))
    729 return server_exit(state, false);
    730 }
    731 remove_packet(state-&gt;priv-&gt;rxp);
    732 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 706 in sftps_recv() 700 handled = true;
    701 }
    702 break;
    703 case SSH_FXP_EXTENDED:
    704 if (state-&gt;version &gt;= 3 &amp;&amp; state-&gt;extended) {
    705 state-&gt;priv-&gt;id = get32(state-&gt;priv-&gt;rxp);
    &gt;&gt;&gt; CID 645807: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;state-&gt;priv&quot; to &quot;getcstring&quot;, which uses it as an allocation size.
    706 sftp_str_t request = getcstring(state);
    707 if (request == NULL) {
    708 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    709 &quot;EXTENDED: request getcstring failed&quot;);
    710 return server_exit(state, false);
    711 } /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 727 in sftps_recv() 721 }
    722 if (!handled) {
    723 lprintf(state, SSH_FX_FAILURE, &quot;Unhandled request type: %s (%d)&quot;,
    724 sftp_get_type_name(state-&gt;priv-&gt;rxp-&gt;type),
    725 state-&gt;priv-&gt;rxp-&gt;type);
    726 state-&gt;priv-&gt;id = get32(state-&gt;priv-&gt;rxp);
    &gt;&gt;&gt; CID 645807: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;state-&gt;priv&quot; to &quot;sftps_send_error&quot;, which uses it as an offset.
    727 if (!sftps_send_error(state, SSH_FX_OP_UNSUPPORTED,
    728 &quot;Operation not implemented&quot;, out))
    729 return server_exit(state, false);
    730 }
    731 remove_packet(state-&gt;priv-&gt;rxp);
    732 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 706 in sftps_recv() 700 handled = true;
    701 }
    702 break;
    703 case SSH_FXP_EXTENDED:
    704 if (state-&gt;version &gt;= 3 &amp;&amp; state-&gt;extended) {
    705 state-&gt;priv-&gt;id = get32(state-&gt;priv-&gt;rxp);
    &gt;&gt;&gt; CID 645807: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;state-&gt;priv&quot; to &quot;getcstring&quot;, which uses it as an offset.
    706 sftp_str_t request = getcstring(state);
    707 if (request == NULL) {
    708 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    709 &quot;EXTENDED: request getcstring failed&quot;);
    710 return server_exit(state, false);
    711 }

    ** CID 645806: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645806: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 361 in s_id_str_attr()
    355 {
    356 bool ret;
    357 sftp_str_t str;
    358 sftp_file_attr_t attrs;
    359
    360 state-&gt;priv-&gt;id = get32(state-&gt;priv-&gt;rxp); &gt;&gt;&gt; CID 645806: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;state-&gt;priv&quot; to &quot;getcstring&quot;, which uses it as an offset.
    361 str = getcstring(state);
    362 if (str == NULL) {
    363 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    364 &quot;id_str_attr: getcstring failed&quot;);
    365 return false;
    366 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 361 in s_id_str_attr()
    355 {
    356 bool ret;
    357 sftp_str_t str;
    358 sftp_file_attr_t attrs;
    359
    360 state-&gt;priv-&gt;id = get32(state-&gt;priv-&gt;rxp); &gt;&gt;&gt; CID 645806: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;state-&gt;priv&quot; to &quot;getcstring&quot;, which uses it as an allocation size.
    361 str = getcstring(state);
    362 if (str == NULL) {
    363 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 364 &quot;id_str_attr: getcstring failed&quot;);
    365 return false;
    366 }

    ** CID 645805: Insecure data handling (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645805: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 261 in getstring()
    255 uint32_t sz = get32(pkt);
    256 /* Does `sz` bytes fit in the remaining allocation past cur? */
    257 if ((size_t)pkt-&gt;cur + offsetof(struct sftp_rx_pkt, data) + sz &gt; pkt-&gt;sz) {
    258 pkt-&gt;cur = saved_cur;
    259 return NULL;
    260 }
    &gt;&gt;&gt; CID 645805: Insecure data handling (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;sz&quot; to &quot;sftp_memdup&quot;, which uses it as an allocation size.
    261 sftp_str_t ret = sftp_memdup(&amp;pkt-&gt;data[pkt-&gt;cur], sz);
    262 if (ret == NULL)
    263 pkt-&gt;cur = saved_cur;
    264 else
    265 pkt-&gt;cur += sz;
    266 return ret;
    Reviewer note: `sz` is compared against the packet's allocation at line 257 before sftp_memdup() runs, so the allocation is bounded by a packet the receiver has already buffered and this finding is most likely a false positive on 64-bit builds. On a build where size_t is 32 bits, however, the addition `pkt-&gt;cur + offsetof(...) + sz` can wrap for `sz` close to UINT32_MAX and slip past the check; the subtraction form `if (sz &gt; pkt-&gt;sz - offsetof(struct sftp_rx_pkt, data) - (size_t)pkt-&gt;cur)` (valid once `cur + offsetof &lt;= pkt-&gt;sz` is established) is the overflow-safe way to write it.

    ** CID 645804: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645804: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 142 in s_open()
    136 bool ret;
    137 sftp_str_t fname;
    138 uint32_t flags;
    139 sftp_file_attr_t attrs;
    140
    141 state-&gt;priv-&gt;id = get32(state-&gt;priv-&gt;rxp); &gt;&gt;&gt; CID 645804: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;state-&gt;priv&quot; to &quot;getcstring&quot;, which uses it as an allocation size.
    142 fname = getcstring(state);
    143 if (fname == NULL) {
    144 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    145 &quot;OPEN: filename getcstring failed&quot;);
    146 return false;
    147 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 142 in s_open()
    136 bool ret;
    137 sftp_str_t fname;
    138 uint32_t flags;
    139 sftp_file_attr_t attrs;
    140
    141 state-&gt;priv-&gt;id = get32(state-&gt;priv-&gt;rxp); &gt;&gt;&gt; CID 645804: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;state-&gt;priv&quot; to &quot;getcstring&quot;, which uses it as an offset.
    142 fname = getcstring(state);
    143 if (fname == NULL) {
    144 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 145 &quot;OPEN: filename getcstring failed&quot;);
    146 return false;
    147 }

    ** CID 645803: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 211 in extract_packet() /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 217 in extract_packet()


    _____________________________________________________________________________________________
    *** CID 645803: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 211 in extract_packet() 205 extract_packet(sftp_rx_pkt_t stream)
    206 {
    207 if (!stream || !have_full_pkt(stream))
    208 return NULL;
    209 uint32_t sz = pkt_sz(stream);
    210 size_t alloc_sz = offsetof(struct sftp_rx_pkt, len) + sizeof(uint32_t) + sz;
    &gt;&gt;&gt; CID 645803: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;alloc_sz&quot; to &quot;malloc&quot;, which uses it as an allocation size.
    211 sftp_rx_pkt_t out = (sftp_rx_pkt_t)malloc(alloc_sz);
    212 if (out == NULL)
    213 return NULL;
    214 out-&gt;cur = 0;
    215 out-&gt;sz = alloc_sz;
    216 out-&gt;used = sizeof(uint32_t) + sz;
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 217 in extract_packet()
    211 sftp_rx_pkt_t out = (sftp_rx_pkt_t)malloc(alloc_sz);
    212 if (out == NULL)
    213 return NULL;
    214 out-&gt;cur = 0;
    215 out-&gt;sz = alloc_sz;
    216 out-&gt;used = sizeof(uint32_t) + sz;
    &gt;&gt;&gt; CID 645803: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;out-&gt;used&quot; to &quot;memcpy&quot;, which uses it as an offset.
    217 memcpy(&amp;out-&gt;len, &amp;stream-&gt;len, out-&gt;used);
    218 remove_packet(stream);
    219 return out;
    220 }
    Reviewer note: both the allocation size at line 211 and the memcpy length at line 217 derive from the same 32-bit pkt_sz() value that have_full_pkt() at line 207 already required to be present in `stream`, so they are bounded by data the peer has actually delivered rather than by an arbitrary header field. The residual exposure is the up-to-4 GiB per-packet allocation a peer can force; a protocol-level maximum packet length enforced in have_full_pkt()/pkt_sz() (not visible in this excerpt — confirm one exists) is the real mitigation, and is what would let Coverity treat `alloc_sz` as sanitized.
    221
    222 #define GET_FUNC_BODY \

    ** CID 645802: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 85 in getcstring()


    _____________________________________________________________________________________________
    *** CID 645802: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 85 in getcstring()
    79 static sftp_str_t
    80 getcstring(sftps_state_t state)
    81 {
    82 sftp_str_t str = getstring(state-&gt;priv-&gt;rxp);
    83 if (str == NULL)
    84 return NULL;
    &gt;&gt;&gt; CID 645802: Insecure data handling (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;str-&gt;len&quot; to &quot;memchr&quot;, which uses it as an offset.
    85 if (memchr(str-&gt;c_str, 0, str-&gt;len) != NULL) {
    86 free_sftp_str(str);
    87 return NULL;
    88 }
    89 return str;
    90 }

    ** CID 645801: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 103 in init()


    _____________________________________________________________________________________________
    *** CID 645801: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 103 in init()
    97 state-&gt;version = SFTP_VERSION;
    98 /* Intersect client&#39;s advertised extensions with the ones we support.
    99 * The result is what we enable for this session AND what we echo
    100 * back to the client in VERSION. */
    101 state-&gt;extensions = 0;
    102 uint32_t payload_len = pkt_sz(state-&gt;priv-&gt;rxp) - 1;
    &gt;&gt;&gt; CID 645801: Insecure data handling (TAINTED_SCALAR)
    &gt;&gt;&gt; Using tainted variable &quot;payload_len&quot; as a loop boundary.
    103 while (state-&gt;priv-&gt;rxp-&gt;cur + sizeof(uint32_t) &lt;= payload_len) {
    104 sftp_str_t ext_name = getstring(state-&gt;priv-&gt;rxp);
    105 sftp_str_t ext_data = getstring(state-&gt;priv-&gt;rxp);
    106 if (ext_name == NULL || ext_data == NULL) {
    107 free_sftp_str(ext_name);
    108 free_sftp_str(ext_data);

    ** CID 645800: (TAINTED_SCALAR)
    /sftp.cpp: 2184 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
    /sftp.cpp: 2190 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()


    _____________________________________________________________________________________________
    *** CID 645800: (TAINTED_SCALAR)
    /sftp.cpp: 2184 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
    2178 if (request-&gt;len == nlen &amp;&amp;
    2179 memcmp(request-&gt;c_str, SFTP_EXT_NAME_DESCS, nlen) == 0) {
    2180 sftp_str_t path = sftp_rx_get_string(pkt);
    2181 if (path == nullptr)
    2182 return sftps_send_error(sbbs-&gt;sftp_state,
    2183 SSH_FX_BAD_MESSAGE, &quot;Missing path&quot;, nullptr);
    &gt;&gt;&gt; CID 645800: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;path-&gt;len + 1U&quot; to &quot;malloc&quot;, which uses it as an allocation size.
    2184 char *cpath = (char *)malloc(path-&gt;len + 1);
    2185 if (cpath == nullptr) {
    2186 free_sftp_str(path);
    2187 return sftps_send_error(sbbs-&gt;sftp_state,
    2188 SSH_FX_FAILURE, &quot;Out of memory&quot;, nullptr);
    2189 }
    /sftp.cpp: 2190 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
    2184 char *cpath = (char *)malloc(path-&gt;len + 1);
    2185 if (cpath == nullptr) {
    2186 free_sftp_str(path);
    2187 return sftps_send_error(sbbs-&gt;sftp_state,
    2188 SSH_FX_FAILURE, &quot;Out of memory&quot;, nullptr);
    2189 }
    &gt;&gt;&gt; CID 645800: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;path-&gt;len&quot; to &quot;memcpy&quot;, which uses it as an offset.
    2190 memcpy(cpath, path-&gt;c_str, path-&gt;len);
    2191 cpath[path-&gt;len] = &#39;\0&#39;;
    2192 free_sftp_str(path);
    2193 sbbs-&gt;lprintf(LOG_DEBUG, &quot;SFTP descs(%s)&quot;, cpath);
    2194 bool ret = sftp_ext_descs(sbbs, cpath);
    2195 free(cpath);

    ** CID 645799: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645799: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 315 in s_id_str()
    309 struct sftps_outcome *out)
    310 {
    311 bool ret;
    312 sftp_str_t str;
    313
    314 state-&gt;priv-&gt;id = get32(state-&gt;priv-&gt;rxp); &gt;&gt;&gt; CID 645799: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;state-&gt;priv&quot; to &quot;getcstring&quot;, which uses it as an allocation size.
    315 str = getcstring(state);
    316 if (str == NULL) {
    317 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    318 &quot;id_str: getcstring failed&quot;);
    319 return false;
    320 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 315 in s_id_str()
    309 struct sftps_outcome *out)
    310 {
    311 bool ret;
    312 sftp_str_t str;
    313
    314 state-&gt;priv-&gt;id = get32(state-&gt;priv-&gt;rxp); &gt;&gt;&gt; CID 645799: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;state-&gt;priv&quot; to &quot;getcstring&quot;, which uses it as an offset.
    315 str = getcstring(state);
    316 if (str == NULL) {
    317 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 318 &quot;id_str: getcstring failed&quot;);
    319 return false;
    320 }

    ** CID 645798: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 69 in server_exit()


    _____________________________________________________________________________________________
    *** CID 645798: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 69 in server_exit()
    63 }
    64
    65 static bool
    66 server_exit(sftps_state_t state, bool retval)
    67 {
    68 assert(state-&gt;priv-&gt;running &gt; 0);
    &gt;&gt;&gt; CID 645798: Concurrent data access violations (MISSING_LOCK)
    &gt;&gt;&gt; Accessing &quot;state-&gt;priv-&gt;running&quot; without holding lock &quot;sftp_server_state_private.mtx&quot;. Elsewhere, &quot;sftp_server_state_private.running&quot; is written to with &quot;sftp_server_state_private.mtx&quot; held 1 out of 2 times (1 of these accesses strongly imply that it is necessary).
    69 state-&gt;priv-&gt;running--;
    70 pthread_mutex_unlock(&amp;state-&gt;priv-&gt;mtx);
    71 return retval;
    72 }
    Reviewer note: the pthread_mutex_unlock() at line 70 implies that every caller enters server_exit() with state-&gt;priv-&gt;mtx already held, in which case the decrement at line 69 is under the lock and this is a false positive that Coverity cannot see across the call boundary. That precondition deserves a comment (`/* state-&gt;priv-&gt;mtx must be held by the caller */`) and a check of every call site: a caller reaching server_exit() without the lock would both race on `running` and unlock a mutex it does not own, which is undefined behavior for a default pthread mutex.
    73
    74 /*

    ** CID 645797: Insecure data handling (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645797: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 190 in parse_status() 184 if (reply-&gt;type != SSH_FXP_STATUS)
    185 return false;
    186 uint32_t code = get32(reply);
    187 if (out != NULL)
    188 out-&gt;result = code;
    189 sftp_str_t msg = getstring(reply);
    &gt;&gt;&gt; CID 645797: Insecure data handling (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;reply-&gt;cur&quot; to &quot;getstring&quot;, which uses it as an offset.
    190 sftp_str_t lang = getstring(reply);
    191 if (msg != NULL &amp;&amp; msg-&gt;len &gt; 0) {
    192 sftpc_outcome_reply(out,
    193 (const char *)msg-&gt;c_str, msg-&gt;len,
    194 lang ? (const char *)lang-&gt;c_str : &quot;&quot;,
    195 lang ? lang-&gt;len : 0);

    ** CID 645796: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 102 in init()


    _____________________________________________________________________________________________
    *** CID 645796: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 102 in init()
    96 if (state-&gt;version &gt; SFTP_VERSION)
    97 state-&gt;version = SFTP_VERSION;
    98 /* Intersect client&#39;s advertised extensions with the ones we support.
    99 * The result is what we enable for this session AND what we echo
    100 * back to the client in VERSION. */
    101 state-&gt;extensions = 0;
    &gt;&gt;&gt; CID 645796: Integer handling issues (INTEGER_OVERFLOW)
    &gt;&gt;&gt; Expression &quot;pkt_sz(state-&gt;priv-&gt;rxp) - 1U&quot;, where &quot;pkt_sz(state-&gt;priv-&gt;rxp)&quot; is known to be equal to 0, underflows the type of &quot;pkt_sz(state-&gt;priv-&gt;rxp) - 1U&quot;, which is type &quot;unsigned int&quot;.
    102 uint32_t payload_len = pkt_sz(state-&gt;priv-&gt;rxp) - 1;
    103 while (state-&gt;priv-&gt;rxp-&gt;cur + sizeof(uint32_t) &lt;= payload_len) {
    104 sftp_str_t ext_name = getstring(state-&gt;priv-&gt;rxp);
    105 sftp_str_t ext_data = getstring(state-&gt;priv-&gt;rxp);
    106 if (ext_name == NULL || ext_data == NULL) {
    107 free_sftp_str(ext_name);

    ** CID 645795: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 87 in client_exit()


    _____________________________________________________________________________________________
    *** CID 645795: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 87 in client_exit()
    81 }
    82
    83 static bool
    84 client_exit(sftpc_state_t state, bool retval)
    85 {
    86 assert(state-&gt;running &gt; 0);
    &gt;&gt;&gt; CID 645795: Concurrent data access violations (MISSING_LOCK)
    &gt;&gt;&gt; Accessing &quot;state-&gt;running&quot; without holding lock &quot;sftp_client_state.mtx&quot;. Elsewhere, &quot;sftp_client_state.running&quot; is written to with &quot;sftp_client_state.mtx&quot; held 1 out of 2 times (1 of these accesses strongly imply that it is necessary).
    87 state-&gt;running--;
    88 pthread_mutex_unlock(&amp;state-&gt;mtx);
    89 return retval;
    90 }
    Reviewer note: same pattern as server_exit() in CID 645798 — the unlock at line 88 implies the caller already holds state-&gt;mtx, so the decrement at line 87 is covered provided every call site honors that; the `state-&gt;mtx must be held` convention stated at line 92 for the pending-list helpers should be documented on client_exit() as well, and the call sites audited for one that arrives without the lock.
    91
    92 /* Pending-list helpers; state-&gt;mtx must be held. */

    ** CID 645794: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645794: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 338 in getfattr()
    332 */
    333 extcnt &amp;= 0x3FFFFFFF;
    334 for (ext = 0; ext &lt; extcnt; ext++) {
    335 sftp_str_t type = getstring(pkt);
    336 if (type == NULL)
    337 break;
    &gt;&gt;&gt; CID 645794: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;pkt-&gt;cur&quot; to &quot;getstring&quot;, which uses it as an offset.
    338 sftp_str_t data = getstring(pkt);
    339 if (data == NULL) {
    340 free_sftp_str(type);
    341 break;
    342 }
    343 if (!sftp_fattr_add_ext(&amp;ret, type, data)) {
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 335 in getfattr()
    329 * size of the buffer since getstring()
    330 * will fail long before we reach extcnt if
    331 * it has a maliciously high value.
    332 */
    333 extcnt &amp;= 0x3FFFFFFF;
    334 for (ext = 0; ext &lt; extcnt; ext++) {
    &gt;&gt;&gt; CID 645794: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;pkt-&gt;cur&quot; to &quot;getstring&quot;, which uses it as an offset.
    335 sftp_str_t type = getstring(pkt);
    336 if (type == NULL)
    337 break;
    338 sftp_str_t data = getstring(pkt);
    339 if (data == NULL) {
    340 free_sftp_str(type); /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 343 in getfattr()
    337 break;
    338 sftp_str_t data = getstring(pkt);
    339 if (data == NULL) {
    340 free_sftp_str(type);
    341 break;
    342 }
    &gt;&gt;&gt; CID 645794: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;type-&gt;len&quot; to &quot;sftp_fattr_add_ext&quot;, which uses it as an allocation size.
    343 if (!sftp_fattr_add_ext(&amp;ret, type, data)) {
    344 free_sftp_str(type);
    345 free_sftp_str(data);
    346 break;
    347 }
    348 free_sftp_str(type); /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 343 in getfattr()
    337 break;
    338 sftp_str_t data = getstring(pkt);
    339 if (data == NULL) {
    340 free_sftp_str(type);
    341 break;
    342 }
    &gt;&gt;&gt; CID 645794: (TAINTED_SCALAR)
    &gt;&gt;&gt; Passing tainted expression &quot;data-&gt;len&quot; to &quot;sftp_fattr_add_ext&quot;, which uses it as an allocation size.
    343 if (!sftp_fattr_add_ext(&amp;ret, type, data)) {
    344 free_sftp_str(type);
    345 free_sftp_str(data);
    346 break;
    347 }
    348 free_sftp_str(type);

    </pre>


    <p>Best regards,</p>
    <p>The Coverity Scan Admin Team</p>
    </body>
    </html>
    ----==_mimepart_69ecb8fbe93d7_192b812e859c9b599c683bf--

    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From scan-admin@coverity.com@1:103/705 to cov-scan@synchro.net on Mon Apr 27 14:33:50 2026

    ----==_mimepart_69ef73ce25741_1b32332e859c9b599c6836d
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    3 new defect(s) introduced to Synchronet found with Coverity Scan.
    3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

    New defect(s) Reported-by: Coverity Scan
    Showing 3 of 3 defect(s)


    ** CID 645832: Memory - illegal accesses (STRING_NULL)
    /netmail.cpp: 417 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()


    _____________________________________________________________________________________________
    *** CID 645832: Memory - illegal accesses (STRING_NULL)
    /netmail.cpp: 417 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()
    411
    412 size_t kludge_hdrlen = 0;
    413 char* beg = qwkbuf + QWK_BLOCK_LEN;
    414 char* end = qwkbuf + (n * QWK_BLOCK_LEN);
    415 p = beg;
    416 if (into == NULL) {
    CID 645832: Memory - illegal accesses (STRING_NULL)
    Passing unterminated string "p" to "strlcpy", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.]
    417 SAFECOPY(to, p); /* To user on first line */
    418 char* tp = strchr(to, QWK_NEWLINE); /* chop off at first CR */
    419 if (tp != NULL)
    420 *tp = 0;
    421 p += strlen(to) + 1;
    422 }
    Reviewer note: SAFECOPY() bounds the write into `to`, but strlcpy() still scans the source until it finds a NUL in order to compute its return value, so this is a genuine over-read if qwkbuf (sized in QWK_BLOCK_LEN multiples, per line 414) is not guaranteed to be NUL-terminated — the excerpt shows no such guarantee. Since the field is CR-delimited (line 418 chops at QWK_NEWLINE), copying with an explicit bound, e.g. `snprintf(to, sizeof to, "%.*s", (int)(end - p), p)`, or locating the delimiter first with `memchr(p, QWK_NEWLINE, end - p)`, removes both the over-read and the warning.

    ** CID 645831: (TAINTED_SCALAR)
    /netmail.cpp: 512 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()
    /netmail.cpp: 544 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()


    _____________________________________________________________________________________________
    *** CID 645831: (TAINTED_SCALAR)
    /netmail.cpp: 512 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()
    506 snprintf(str, sizeof str, "%.128s", qwkbuf + l + 5);
    507 cp = strchr(str, QWK_NEWLINE);
    508 if (cp)
    509 *cp = 0;
    510 l += strlen(str) + 1;
    511 cp = str;
    CID 645831: (TAINTED_SCALAR)
    Using tainted variable "*cp" as a loop boundary.
    512 while (*cp && *cp <= ' ') cp++;
    513 safe_snprintf(senderaddr, sizeof(senderaddr), "%s/%s", sender_id, cp);
    514 strupr(senderaddr);
    515 smb_hfield(&msg, SENDERNETADDR, strlen(senderaddr), senderaddr);
    516 }
    Reviewer note: `str` was written by snprintf() at line 506 and is therefore NUL-terminated, so the `*cp &&` test bounds the loop at line 512 and the tainted-boundary finding is benign. A separate point worth fixing while here: with a signed `char`, bytes &gt;= 0x80 compare as negative, so `*cp <= ' '` treats them as whitespace to skip; `(unsigned char)*cp <= ' '` is the intended test. The same applies at line 544, where `cp = str + 4` at line 543 additionally assumes the line holds at least four characters — confirm the preceding (not shown) condition guarantees that, otherwise `cp` starts past the terminator.
    517 else {
    /netmail.cpp: 544 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()
    538 snprintf(str, sizeof str, "%.128s", qwkbuf + l);
    539 cp = strchr(str, QWK_NEWLINE);
    540 if (cp)
    541 *cp = 0;
    542 l += strlen(str) + 1;
    543 cp = str + 4;
    CID 645831: (TAINTED_SCALAR)
    Using tainted variable "*cp" as a loop boundary.
    544 while (*cp && *cp <= ' ') cp++;
    545 msg.hdr.when_written.zone = (short)ahtoul(cp);
    546 }
    547 else
    548 msg.hdr.when_written.zone = sys_timezone(&cfg);
    549 memset(&tm, 0, sizeof(tm));

    ** CID 645830: (STRING_NULL)
    /qwktomsg.cpp: 340 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()
    /qwktomsg.cpp: 333 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()


    _____________________________________________________________________________________________
    *** CID 645830: (STRING_NULL)
    /qwktomsg.cpp: 339 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()
    333 if ((p = strchr(qwkbuf + k, '\r')) == NULL
    334 && (p = strchr(qwkbuf + k, qwk_newline)) == NULL) {
    335 body[bodylen++] = qwkbuf[k];
    336 continue;
    337 }
    338 *p = 0; /* Converts QWK_NEWLINE to NUL */
    CID 645830: (STRING_NULL)
    Passing unterminated string "qwkbuf + k" to "strListAppend", which expects a null-terminated string.
    339 strListPush(&kludges, qwkbuf + k);
    340 k += strlen(qwkbuf + k);
    341 continue;
    342 }
    343 if (!taillen && qwkbuf[k] == ' ' && col == 3 && bodylen >= 3
    344 && body[bodylen - 3] == '-' && body[bodylen - 2] == '-'
    /qwktomsg.cpp: 340 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()
    334 && (p = strchr(qwkbuf + k, qwk_newline)) == NULL) {
    335 body[bodylen++] = qwkbuf[k];
    336 continue;
    337 }
    338 *p = 0; /* Converts QWK_NEWLINE to NUL */
    339 strListPush(&kludges, qwkbuf + k);
    CID 645830: (STRING_NULL)
    Passing unterminated string "qwkbuf + k" to "strlen", which expects a null-terminated string.
    340 k += strlen(qwkbuf + k);
    341 continue;
    342 }
    343 if (!taillen && qwkbuf[k] == ' ' && col == 3 && bodylen >= 3
    344 && body[bodylen - 3] == '-' && body[bodylen - 2] == '-'
    345 && body[bodylen - 1] == '-') {
    /qwktomsg.cpp: 333 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()
    327 if (bodylen == 0
    328 && (qwkbuf[k] == '@'
    329 || ((fromhub || (useron.qwk & QWK_EXT) || subnum == INVALID_SUB)
    330 && (strnicmp(qwkbuf + k, "To:", 3) == 0
    331 || strnicmp(qwkbuf + k, "From:", 5) == 0
    332 || strnicmp(qwkbuf + k, "Subject:", 8) == 0)))) {
    CID 645830: (STRING_NULL)
    Passing unterminated string "qwkbuf + k" to "strchr", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.]
    333 if ((p = strchr(qwkbuf + k, '\r')) == NULL
    334 && (p = strchr(qwkbuf + k, qwk_newline)) == NULL) {
    335 body[bodylen++] = qwkbuf[k];
    336 continue;
    337 }
    338 *p = 0; /* Converts QWK_NEWLINE to NUL */


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


    ----==_mimepart_69ef73ce25741_1b32332e859c9b599c6836d
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="UTF-8">
    <title>New Defects Reported - Synchronet</title>
    </head>
    <body>
    <p>Hi,</p>

    <p>
    Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
    found with Coverity Scan.
    </p>

    <ul>
    <li><strong>New Defects Found:</strong> 3</li>
    <li>
    3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
    </li>
    <li><strong>Defects Shown:</strong> Showing 3 of 3 defect(s)</li>
    </ul>

    <h3>Defect Details</h3>
    <pre>
    ** CID 645832: Memory - illegal accesses (STRING_NULL)
    /netmail.cpp: 417 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()


    _____________________________________________________________________________________________
    *** CID 645832: Memory - illegal accesses (STRING_NULL)
    /netmail.cpp: 417 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()
    411
    412 size_t kludge_hdrlen = 0;
    413 char* beg = qwkbuf + QWK_BLOCK_LEN;
    414 char* end = qwkbuf + (n * QWK_BLOCK_LEN);
    415 p = beg;
    416 if (into == NULL) {
    &gt;&gt;&gt; CID 645832: Memory - illegal accesses (STRING_NULL)
    &gt;&gt;&gt; Passing unterminated string &quot;p&quot; to &quot;strlcpy&quot;, which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.]
    417 SAFECOPY(to, p); /* To user on first line */
    418 char* tp = strchr(to, QWK_NEWLINE); /* chop off at first CR */
    419 if (tp != NULL)
    420 *tp = 0;
    421 p += strlen(to) + 1;
    422 }

    ** CID 645831: (TAINTED_SCALAR)
    /netmail.cpp: 512 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()
    /netmail.cpp: 544 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()


    _____________________________________________________________________________________________
    *** CID 645831: (TAINTED_SCALAR)
    /netmail.cpp: 512 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()
    506 snprintf(str, sizeof str, &quot;%.128s&quot;, qwkbuf + l + 5);
    507 cp = strchr(str, QWK_NEWLINE);
    508 if (cp)
    509 *cp = 0;
    510 l += strlen(str) + 1;
    511 cp = str;
    &gt;&gt;&gt; CID 645831: (TAINTED_SCALAR)
    &gt;&gt;&gt; Using tainted variable &quot;*cp&quot; as a loop boundary.
    512 while (*cp &amp;&amp; *cp &lt;= &#39; &#39;) cp++;
    513 safe_snprintf(senderaddr, sizeof(senderaddr), &quot;%s/%s&quot;, sender_id, cp);
    514 strupr(senderaddr);
    515 smb_hfield(&amp;msg, SENDERNETADDR, strlen(senderaddr), senderaddr);
    516 }
    517 else {
    /netmail.cpp: 544 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()
    538 snprintf(str, sizeof str, &quot;%.128s&quot;, qwkbuf + l);
    539 cp = strchr(str, QWK_NEWLINE);
    540 if (cp)
    541 *cp = 0;
    542 l += strlen(str) + 1;
    543 cp = str + 4;
    &gt;&gt;&gt; CID 645831: (TAINTED_SCALAR)
    &gt;&gt;&gt; Using tainted variable &quot;*cp&quot; as a loop boundary.
    544 while (*cp &amp;&amp; *cp &lt;= &#39; &#39;) cp++;
    545 msg.hdr.when_written.zone = (short)ahtoul(cp);
    546 }
    547 else
    548 msg.hdr.when_written.zone = sys_timezone(&amp;cfg);
    549 memset(&amp;tm, 0, sizeof(tm));

    ** CID 645830: (STRING_NULL)
    /qwktomsg.cpp: 340 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()
    /qwktomsg.cpp: 333 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()


    _____________________________________________________________________________________________
    *** CID 645830: (STRING_NULL)
    /qwktomsg.cpp: 339 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()
    333 if ((p = strchr(qwkbuf + k, &#39;\r&#39;)) == NULL
    334 &amp;&amp; (p = strchr(qwkbuf + k, qwk_newline)) == NULL) {
    335 body[bodylen++] = qwkbuf[k];
    336 continue;
    337 }
    338 *p = 0; /* Converts QWK_NEWLINE to NUL */
    &gt;&gt;&gt; CID 645830: (STRING_NULL)
    &gt;&gt;&gt; Passing unterminated string &quot;qwkbuf + k&quot; to &quot;strListAppend&quot;, which expects a null-terminated string.
    339 strListPush(&amp;kludges, qwkbuf + k);
    340 k += strlen(qwkbuf + k);
    341 continue;
    342 }
    343 if (!taillen &amp;&amp; qwkbuf[k] == &#39; &#39; &amp;&amp; col == 3 &amp;&amp; bodylen &gt;= 3
    344 &amp;&amp; body[bodylen - 3] == &#39;-&#39; &amp;&amp; body[bodylen - 2] == &#39;-&#39;
    /qwktomsg.cpp: 340 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()
    334 &amp;&amp; (p = strchr(qwkbuf + k, qwk_newline)) == NULL) {
    335 body[bodylen++] = qwkbuf[k];
    336 continue;
    337 }
    338 *p = 0; /* Converts QWK_NEWLINE to NUL */
    339 strListPush(&amp;kludges, qwkbuf + k);
    &gt;&gt;&gt; CID 645830: (STRING_NULL)
    &gt;&gt;&gt; Passing unterminated string &quot;qwkbuf + k&quot; to &quot;strlen&quot;, which expects a null-terminated string.
    340 k += strlen(qwkbuf + k);
    341 continue;
    342 }
    343 if (!taillen &amp;&amp; qwkbuf[k] == &#39; &#39; &amp;&amp; col == 3 &amp;&amp; bodylen &gt;= 3
    344 &amp;&amp; body[bodylen - 3] == &#39;-&#39; &amp;&amp; body[bodylen - 2] == &#39;-&#39;
    345 &amp;&amp; body[bodylen - 1] == &#39;-&#39;) {
    /qwktomsg.cpp: 333 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()
    327 if (bodylen == 0
    328 &amp;&amp; (qwkbuf[k] == &#39;@&#39;
    329 || ((fromhub || (useron.qwk &amp; QWK_EXT) || subnum == INVALID_SUB)
    330 &amp;&amp; (strnicmp(qwkbuf + k, &quot;To:&quot;, 3) == 0
    331 || strnicmp(qwkbuf + k, &quot;From:&quot;, 5) == 0
    332 || strnicmp(qwkbuf + k, &quot;Subject:&quot;, 8) == 0)))) {
    &gt;&gt;&gt; CID 645830: (STRING_NULL)
    &gt;&gt;&gt; Passing unterminated string &quot;qwkbuf + k&quot; to &quot;strchr&quot;, which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.]
    333 if ((p = strchr(qwkbuf + k, &#39;\r&#39;)) == NULL
    334 &amp;&amp; (p = strchr(qwkbuf + k, qwk_newline)) == NULL) {
    335 body[bodylen++] = qwkbuf[k];
    336 continue;
    337 }
    338 *p = 0; /* Converts QWK_NEWLINE to NUL */

    </pre>

    <p>
    <a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
    </p>

    <p>Best regards,</p>
    <p>The Coverity Scan Admin Team</p>
    </body>
    </html>
