Hi,
Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.
18 new defect(s) introduced to Synchronet found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 18 of 18 defect(s)
** CID 631146: Program hangs (LOCK)
_____________________________________________________________________________________________
*** CID 631146: Program hangs (LOCK)
/userdat.c: 4189 in loginAttemptListCount()
4183 long loginAttemptListCount(link_list_t* list)
4184 {
4185 long count;
4186
4187 if (!listLock(list))
4188 return -1;
CID 631146: Program hangs (LOCK)
"listCountNodes" locks "list->mutex" while it is locked.
4189 count = listCountNodes(list);
4190 listUnlock(list);
4191 return count;
4192 }
4193
4194 /****************************************************************************/
** CID 631145: Program hangs (SLEEP)
_____________________________________________________________________________________________
*** CID 631145: Program hangs (SLEEP)
/userdat.c: 4358 in loginBanned()
4352 listUnlock(list);
4353 if (node == NULL)
4354 return 0;
4355 attempt = node->data;
4356 SAFECOPY(name, attempt->user);
4357 truncstr(name, "@");
CID 631145: Program hangs (SLEEP)
Call to "trashcan" might sleep while holding lock "list->mutex".
4358 if (((settings.tempban_threshold && (attempt->count - attempt->dupes) >= settings.tempban_threshold)
4359 || trashcan(cfg, name, "name")) && now < (time32_t)(attempt->time + settings.tempban_duration)) {
4360 if (details != NULL)
4361 *details = *attempt;
4362 return settings.tempban_duration - (now - attempt->time);
4363 }
** CID 631144: Program hangs (LOCK)
_____________________________________________________________________________________________
*** CID 631144: Program hangs (LOCK)
/sbbscon.c: 654 in client_on()
648 {
649 if (on) {
650 if (update) {
651 list_node_t* node;
652
653 listLock(&client_list);
CID 631144: Program hangs (LOCK)
"listFindNode" locks "client_list.mutex" while it is locked.
654 if ((node = listFindTaggedNode(&client_list, sock)) != NULL)
655 memcpy(node->data, client, sizeof(client_t));
656 listUnlock(&client_list);
657 } else {
658 served++;
659 listAddNodeData(&client_list, client, sizeof(client_t), sock, LAST_NODE);
** CID 631143: (SLEEP)
/mailsrvr.c: 1225 in pop3_client_thread()
_____________________________________________________________________________________________
*** CID 631143: (SLEEP)
/mailsrvr.c: 1241 in pop3_client_thread()
1235
1236 srand((unsigned int)(time(NULL) ^ (time_t)GetCurrentThreadId())); /* seed random number generator */
1237 (void)rand(); /* throw-away first result */
1238 safe_snprintf(challenge, sizeof(challenge), "<%x%x%lx%lx@%.128s>"
1239 , rand(), socket, (ulong)time(NULL), (ulong)clock(), server_host_name());
1240
CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1241 sockprintf(socket, client.protocol, session, "+OK Synchronet %s Server %s%c-%s Ready %s"
1242 , client.protocol, VERSION, REVISION, PLATFORM_DESC, challenge);
1243
1244 /* Requires USER or APOP command first */
1245 for (i = 5; i; i--) {
1246 if (!sockgetrsp(socket, client.protocol, session, NULL, buf, sizeof(buf)))
/mailsrvr.c: 1225 in pop3_client_thread()
1219 client_on(socket, &client, FALSE /* update */);
1220
1221 if (startup->login_attempt.throttle
1222 && (login_attempts = loginAttempts(startup->login_attempt_list, &pop3->client_addr)) > 1) {
1223 lprintf(LOG_DEBUG, "%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)"
1224 , socket, client.protocol, host_ip, login_attempts);
CID 631143: (SLEEP)
Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
1225 mswait(login_attempts * startup->login_attempt.throttle);
1226 }
1227
1228 mail = NULL;
1229
1230 do {
/mailsrvr.c: 1189 in pop3_client_thread()
1183 ulong banned = loginBanned(&scfg, startup->login_attempt_list, socket, host_name, startup->login_attempt, &attempted);
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
/mailsrvr.c: 1323 in pop3_client_thread()
1317 if ((p = strstr(username, NO_SPAM)) != NULL) {
1318 *p = 0;
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {
CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1323 sockprintf(socket, client.protocol, session, "+OK");
1324 if (!sockgetrsp(socket, client.protocol, session, "PASS ", buf, sizeof(buf))) {
1325 sockprintf(socket, client.protocol, session, "-ERR PASS command expected");
1326 break;
1327 }
1328 p = buf + 5;
/mailsrvr.c: 1325 in pop3_client_thread()
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {
1323 sockprintf(socket, client.protocol, session, "+OK");
1324 if (!sockgetrsp(socket, client.protocol, session, "PASS ", buf, sizeof(buf))) {
CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1325 sockprintf(socket, client.protocol, session, "-ERR PASS command expected");
1326 break;
1327 }
1328 p = buf + 5;
1329 SKIP_WHITESPACE(p);
1330 SAFECOPY(password, p);
/mailsrvr.c: 1193 in pop3_client_thread()
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1190 return false;
1191 }
1192 struct trash trash;
CID 631143: (SLEEP)
Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
1195 char details[128];
1196 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s", socket, client.protocol, host_ip, trash_details(&trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
/mailsrvr.c: 1201 in pop3_client_thread()
1195 char details[128];
1196 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s", socket, client.protocol, host_ip, trash_details(&trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1199 return false;
1200 }
CID 631143: (SLEEP)
Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".
1201 if (trashcan2(&scfg, host_name, NULL, "host", &trash)) {
1202 if (!trash.quiet) {
1203 char details[128];
1204 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in host.can: %s %s"
1205 , socket, client.protocol, host_ip, host_name, trash_details(&trash, details, sizeof details));
1206 }
** CID 631142: Null pointer dereferences (FORWARD_NULL)
_____________________________________________________________________________________________
*** CID 631142: Null pointer dereferences (FORWARD_NULL)
/un_qwk.cpp: 380 in sbbs_t::unpack_qwk(char *, unsigned int)()
374 iniFreeStringList(voting);
375
376 strListFree(&msg_filters.ip_can);
377 strListFree(&msg_filters.host_can);
378 strListFree(&msg_filters.subject_can);
379 strListFree(&msg_filters.twit_list);
CID 631142: Null pointer dereferences (FORWARD_NULL)
Passing "&user_list" to "listFree", which dereferences null "user_list.sem".
380 listFree(&user_list);
381
382 delfiles(cfg.temp_dir, "*.NDX");
383 SAFEPRINTF(str, "%sMESSAGES.DAT", cfg.temp_dir);
384 removecase(str);
385 SAFEPRINTF(str, "%sDOOR.ID", cfg.temp_dir);
** CID 631141: Program hangs (LOCK)
_____________________________________________________________________________________________
*** CID 631141: Program hangs (LOCK)
/userdat.c: 4264 in loginSuccess()
4258 list_node_t* node;
4259
4260 if (addr->addr.sa_family != AF_INET && addr->addr.sa_family != AF_INET6)
4261 return;
4262 listLock(list);
4263 if ((node = login_attempted(list, addr)) != NULL)
CID 631141: Program hangs (LOCK)
"listRemoveNode" locks "list->mutex" while it is locked.
4264 listRemoveNode(list, node, /* freeData: */ true);
4265 listUnlock(list);
4266 }
4267
4268 /****************************************************************************/
4269 /* Returns number of *unique* login attempts (excludes consecutive dupes) */
** CID 631140: (LOCK)
/userdat.c: 4206 in loginAttemptListClear()
_____________________________________________________________________________________________
*** CID 631140: (LOCK)
/userdat.c: 4204 in loginAttemptListClear()
4198 long loginAttemptListClear(link_list_t* list)
4199 {
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;
CID 631140: (LOCK)
"listCountNodes" locks "list->mutex" while it is locked.
4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);
4206 listUnlock(list);
4207 return count;
4208 }
4209
/userdat.c: 4206 in loginAttemptListClear()
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;
4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);
CID 631140: (LOCK)
"listUnlock" unlocks "list->mutex" while it is unlocked.
4206 listUnlock(list);
4207 return count;
4208 }
4209
4210 /****************************************************************************/
4211 static list_node_t* login_attempted(link_list_t* list, const union xp_sockaddr* addr)
** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()
_____________________________________________________________________________________________
*** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()
1613 client_on(socket, &client, false /* update */);
1614
1615 if (startup->login_attempt.throttle
1616 && (login_attempts = loginAttempts(startup->login_attempt_list, &service_client.addr)) > 1) {
1617 lprintf(LOG_DEBUG, "%04d %s Throttling suspicious connection from: %s (%lu login attempts)"
1618 , socket, service->protocol, client.addr, login_attempts);
CID 631139: Program hangs (SLEEP)
Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
1619 mswait(login_attempts * startup->login_attempt.throttle);
1620 }
1621
1622 /* RUN SCRIPT */
1623 if (strpbrk(service->cmd, "/\\") == NULL)
1624 SAFEPRINTF2(cmd, "%s%s", scfg.exec_dir, service->cmd);
** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()
_____________________________________________________________________________________________
*** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()
1645 lprintf(LOG_INFO, "%04d %s service thread terminated (%lu clients remain, %lu total, %lu served)"
1646 , socket, service->protocol, remain, active_clients(), service->served);
1647
1648 client_off(socket);
1649 close_socket(socket);
1650 closesocket(socket_dup); /* close duplicate handle */
CID 631138: Program hangs (LOCK)
Returning without unlocking "startup->login_attempt_list->mutex".
1651 }
1652
1653
1654 void services_terminate(void)
1655 {
1656 uint32_t i;
** CID 631137: Program hangs (ORDER_REVERSAL)
_____________________________________________________________________________________________
*** CID 631137: Program hangs (ORDER_REVERSAL)
/websrvr.c: 6965 in http_session_thread()
6959 */
6960 session.req.method = HTTP_GET;
6961 session.http_ver = HTTP_1_0;
6962 if (startup->max_clients && client_count > startup->max_clients) {
6963 lprintf(LOG_WARNING, "%04d %-5s [%s] !MAXIMUM CLIENTS (%u) exceeded by %u, access denied"
6964 , socket, session.client.protocol, session.host_ip, startup->max_clients, client_count - startup->max_clients);
CID 631137: Program hangs (ORDER_REVERSAL)
Calling "send_error" acquires lock "jsrt_mutex" while holding lock "link_list.mutex" (count: 1 / 5).
6965 send_error(&session, __LINE__, error_503);
6966 session.finished = true;
6967 } else {
6968 uint connections = listCountMatches(&current_connections, session.host_ip, strlen(session.host_ip) + 1);
6969 if (startup->max_concurrent_connections > 0 && connections > startup->max_concurrent_connections
6970 && !is_host_exempt(&scfg, session.host_ip, /* host_name */ NULL)) {
** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()
_____________________________________________________________________________________________
*** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()
836 for (list_node_t* node = mqtt->client_list.first; node != NULL; node = node->next) {
837 client_t* client = node->data;
838 format_client_info(str, sizeof(str), node->tag, client, client->time);
839 strListPush(&list, str);
840 client_count++;
841 }
CID 631136: (LOCK)
"listUnlock" unlocks "mqtt->client_list.mutex" while it is unlocked.
842 listUnlock(&mqtt->client_list);
843 char* buf = NULL;
844 if (client_count > 0) {
845 size_t buflen = client_count * MAX_CLIENT_STRLEN * 2;
846 buf = malloc(buflen);
847 strListJoin(list, buf, buflen, "\n");
/mqtt.c: 814 in mqtt_client_on()
808
809 listLock(&mqtt->client_list);
810 if (on) {
811 if (update) {
812 list_node_t* node;
813
CID 631136: (LOCK)
"listFindNode" locks "mqtt->client_list.mutex" while it is locked.
814 if ((node = listFindTaggedNode(&mqtt->client_list, sock)) != NULL) {
815 memcpy(node->data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/update", str);
818 }
819 } else {
/mqtt.c: 825 in mqtt_client_on()
819 } else {
820 listAddNodeData(&mqtt->client_list, client, sizeof(client_t), sock, LAST_NODE);
821 format_client_info(str, sizeof(str), sock, client, client->time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/connect", str);
823 }
824 } else {
CID 631136: (LOCK)
"listRemoveTaggedNode" locks "mqtt->client_list.mutex" while it is locked.
825 client = listRemoveTaggedNode(&mqtt->client_list, sock, /* free_data: */ false);
826 if (client != NULL) {
827 format_client_info(str, sizeof(str), sock, client, time(NULL));
828 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/disconnect", str);
829 FREE_AND_NULL(client);
830 }
/mqtt.c: 820 in mqtt_client_on()
814 if ((node = listFindTaggedNode(&mqtt->client_list, sock)) != NULL) {
815 memcpy(node->data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/update", str);
818 }
819 } else {
CID 631136: (LOCK)
"listAddNodeData" locks "mqtt->client_list.mutex" while it is locked.
820 listAddNodeData(&mqtt->client_list, client, sizeof(client_t), sock, LAST_NODE);
821 format_client_info(str, sizeof(str), sock, client, client->time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/connect", str);
823 }
824 } else {
825 client = listRemoveTaggedNode(&mqtt->client_list, sock, /* free_data: */ false);
** CID 631135: Uninitialized variables (UNINIT)
/tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
_____________________________________________________________________________________________
*** CID 631135: Uninitialized variables (UNINIT)
/tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf && saltsz && *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp < saltLength)
3693 cp = saltLength;
3694 if (cp)
CID 631135: Uninitialized variables (UNINIT)
Using uninitialized value "*salt" when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
3695 memcpy(saltBuf, salt, cp);
3696 if (cp < *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;
** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()
_____________________________________________________________________________________________
*** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
CID 631134: Program hangs (LOCK)
Returning without unlocking "startup->login_attempt_list->mutex".
1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
1195 char details[128];
** CID 631133: Program hangs (LOCK)
_____________________________________________________________________________________________
*** CID 631133: Program hangs (LOCK)
/userdat.c: 4303 in loginFailure()
4297 if (pass != NULL)
4298 SAFECOPY(attempt->pass, pass);
4299 attempt->count++;
4300 count = attempt->count - attempt->dupes;
4301 if (node == NULL) {
4302 attempt->first = attempt->time;
CID 631133: Program hangs (LOCK)
"listAddNodeData" locks "list->mutex" while it is locked.
4303 listPushNodeData(list, attempt, sizeof(login_attempt_t));
4304 }
4305 listUnlock(list);
4306
4307 if (details != NULL)
4308 *details = *attempt;
** CID 631132: Control flow issues (NO_EFFECT)
/tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()
_____________________________________________________________________________________________
*** CID 631132: Control flow issues (NO_EFFECT)
/tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()
3624 buffer = malloc(bufferSize);
3625 if (buffer == NULL)
3626 goto done;
3627 size_t lines = 0;
3628 while(!feof(fp)) {
3629 size_t rret = fread(buffer, 1, bufferSize, fp);
CID 631132: Control flow issues (NO_EFFECT)
This less-than-zero comparison of an unsigned value is never true. "rret < 0UL".
3630 if (rret < 0 || rret > INT_MAX)
3631 goto done;
3632 if ((streamCipher && rret > 0) || rret == bufferSize) {
3633 size_t bufpos = 0;
3634 status = cryptDecrypt(ctx, buffer, rret);
3635 if (cryptStatusError(status))
** CID 631131: (SLEEP)
/websrvr.c: 6948 in http_session_thread()
_____________________________________________________________________________________________
*** CID 631131: (SLEEP)
/websrvr.c: 6911 in http_session_thread()
6905 }
6906
6907 login_attempt_t attempted;
6908 ulong banned = loginBanned(&scfg, startup->login_attempt_list, session.socket, host_name, startup->login_attempt, &attempted);
6909
6910 /* host_ip wasn't defined in http_session_thread */
CID 631131: (SLEEP)
Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".
6911 if (banned || trashcan2(&scfg, session.host_ip, NULL, "ip", &trash)) {
6912 if (banned) {
6913 char ban_duration[128];
6914 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
6915 , session.socket, session.client.protocol
6916 , session.host_ip, attempted.count - attempted.dupes, attempted.user
/websrvr.c: 7055 in http_session_thread()
7049 }
7050 /* At this point, if redirp is non-NULL then the headers have already been parsed */
7051 if ((session.http_ver < HTTP_1_0) || redirp != NULL || parse_headers(&session)) {
7052 if (check_request(&session)) {
7053 if (session.req.send_location < MOVED_TEMP || session.req.virtual_path[0] != '/' || loop_count++ >= MAX_REDIR_LOOPS) {
7054 if (read_post_data(&session))
CID 631131: (SLEEP)
Call to "respond" might sleep while holding lock "startup->login_attempt_list->mutex".
7055 respond(&session);
7056 }
7057 else {
7058 if (!session.redir_req[0]) {
7059 safe_snprintf(session.redir_req, sizeof(session.redir_req), "%s %s%s%s", methods[session.req.method]
7060 , session.req.virtual_path, session.http_ver < HTTP_1_0?"":" ", http_vers[session.http_ver]);
/websrvr.c: 6948 in http_session_thread()
6942 client_on(session.socket, &session.client, /* update existing client record? */ false);
6943
6944 if (startup->login_attempt.throttle
6945 && (login_attempts = loginAttempts(startup->login_attempt_list, &session.addr)) > 1) {
6946 lprintf(LOG_DEBUG, "%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)"
6947 , socket, session.client.protocol, session.host_ip, login_attempts);
CID 631131: (SLEEP)
Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
6948 mswait(login_attempts * startup->login_attempt.throttle);
6949 }
6950
6951 session.last_user_num = -1;
6952 session.last_js_user_num = -1;
6953 session.logon_time = 0;
** CID 631130: Null pointer dereferences (FORWARD_NULL)
_____________________________________________________________________________________________
*** CID 631130: Null pointer dereferences (FORWARD_NULL)
/un_rep.cpp: 538 in sbbs_t::unpack_rep(char *)()
532 iniFreeStringList(voting);
533
534 strListFree(&msg_filters.ip_can);
535 strListFree(&msg_filters.host_can);
536 strListFree(&msg_filters.subject_can);
537 strListFree(&msg_filters.twit_list);
CID 631130: Null pointer dereferences (FORWARD_NULL)
Passing "&user_list" to "listFree", which dereferences null "user_list.sem".
538 listFree(&user_list);
539
540 if (lastsub != INVALID_SUB)
541 smb_close(&smb);
542 fclose(rep);
543
** CID 631129: Memory - corruptions (OVERRUN)
/tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
_____________________________________________________________________________________________
*** CID 631129: Memory - corruptions (OVERRUN)
/tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf && saltsz && *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp < saltLength)
3693 cp = saltLength;
3694 if (cp)
CID 631129: Memory - corruptions (OVERRUN)
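Overrunning array "salt" of 64 bytes by passing it to a function which accesses it at byte offset 64 using argument "cp" (which evaluates to 65). [Note: The source code implementation of the function has been overridden by a builtin model.]
Reviewer note: "cp" starts at "*saltsz", and the test on line 3692 raises it to "saltLength" rather than capping it, so the copy length is the larger of the two values. The truncation check on line 3696 suggests the smaller of the two was intended (i.e. "cp > saltLength" on line 3692); confirm against ini_file.c, since the copy can otherwise exceed both the caller's "saltBuf" and the 64-byte "salt".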
3695 memcpy(saltBuf, salt, cp);
3696 if (cp < *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://scan.coverity.com/projects/synchronet?tab=overview
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
</head>
<body>
<p>Hi,</p>
<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>
<ul>
<li><strong>New Defects Found:</strong> 18</li>
<li><strong>Defects Shown:</strong> Showing 18 of 18 defect(s)</li>
</ul>
<h3>Defect Details</h3>
<pre>
** CID 631146: Program hangs (LOCK)
_____________________________________________________________________________________________
*** CID 631146: Program hangs (LOCK)
/userdat.c: 4189 in loginAttemptListCount()
4183 long loginAttemptListCount(link_list_t* list)
4184 {
4185 long count;
4186
4187 if (!listLock(list))
4188 return -1;
>>> CID 631146: Program hangs (LOCK)
>>> "listCountNodes" locks "list->mutex" while it is locked.
4189 count = listCountNodes(list);
4190 listUnlock(list);
4191 return count;
4192 }
4193
4194 /****************************************************************************/
** CID 631145: Program hangs (SLEEP)
_____________________________________________________________________________________________
*** CID 631145: Program hangs (SLEEP)
/userdat.c: 4358 in loginBanned()
4352 listUnlock(list);
4353 if (node == NULL)
4354 return 0;
4355 attempt = node->data;
4356 SAFECOPY(name, attempt->user);
4357 truncstr(name, "@");
>>> CID 631145: Program hangs (SLEEP)
>>> Call to "trashcan" might sleep while holding lock "list->mutex".
4358 if (((settings.tempban_threshold && (attempt->count - attempt->dupes) >= settings.tempban_threshold)
4359 || trashcan(cfg, name, "name")) && now < (time32_t)(attempt->time + settings.tempban_duration)) {
4360 if (details != NULL)
4361 *details = *attempt;
4362 return settings.tempban_duration - (now - attempt->time);
4363 }
** CID 631144: Program hangs (LOCK)
_____________________________________________________________________________________________
*** CID 631144: Program hangs (LOCK)
/sbbscon.c: 654 in client_on()
648 {
649 if (on) {
650 if (update) {
651 list_node_t* node;
652
653 listLock(&client_list);
>>> CID 631144: Program hangs (LOCK)
>>> "listFindNode" locks "client_list.mutex" while it is locked.
654 if ((node = listFindTaggedNode(&client_list, sock)) != NULL)
655 memcpy(node->data, client, sizeof(client_t));
656 listUnlock(&client_list);
657 } else {
658 served++;
659 listAddNodeData(&client_list, client, sizeof(client_t), sock, LAST_NODE);
** CID 631143: (SLEEP)
/mailsrvr.c: 1225 in pop3_client_thread()
_____________________________________________________________________________________________
*** CID 631143: (SLEEP)
/mailsrvr.c: 1241 in pop3_client_thread()
1235
1236 srand((unsigned int)(time(NULL) ^ (time_t)GetCurrentThreadId())); /* seed random number generator */
1237 (void)rand(); /* throw-away first result */
1238 safe_snprintf(challenge, sizeof(challenge), "<%x%x%lx%lx@%.128s>"
1239 , rand(), socket, (ulong)time(NULL), (ulong)clock(), server_host_name());
1240
>>> CID 631143: (SLEEP)
>>> Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1241 sockprintf(socket, client.protocol, session, "+OK Synchronet %s Server %s%c-%s Ready %s"
1242 , client.protocol, VERSION, REVISION, PLATFORM_DESC, challenge);
1243
1244 /* Requires USER or APOP command first */
1245 for (i = 5; i; i--) {
1246 if (!sockgetrsp(socket, client.protocol, session, NULL, buf, sizeof(buf)))
/mailsrvr.c: 1225 in pop3_client_thread()
1219 client_on(socket, &client, FALSE /* update */);
1220
1221 if (startup->login_attempt.throttle
1222 && (login_attempts = loginAttempts(startup->login_attempt_list, &pop3->client_addr)) > 1) {
1223 lprintf(LOG_DEBUG, "%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)"
1224 , socket, client.protocol, host_ip, login_attempts);
>>> CID 631143: (SLEEP)
>>> Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
1225 mswait(login_attempts * startup->login_attempt.throttle);
1226 }
1227
1228 mail = NULL;
1229
1230 do {
/mailsrvr.c: 1189 in pop3_client_thread()
1183 ulong banned = loginBanned(&scfg, startup->login_attempt_list, socket, host_name, startup->login_attempt, &attempted);
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
>>> CID 631143: (SLEEP)
>>> Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
/mailsrvr.c: 1323 in pop3_client_thread()
1317 if ((p = strstr(username, NO_SPAM)) != NULL) {
1318 *p = 0;
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {
>>> CID 631143: (SLEEP)
>>> Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1323 sockprintf(socket, client.protocol, session, "+OK");
1324 if (!sockgetrsp(socket, client.protocol, session, "PASS ", buf, sizeof(buf))) {
1325 sockprintf(socket, client.protocol, session, "-ERR PASS command expected");
1326 break;
1327 }
1328 p = buf + 5;
/mailsrvr.c: 1325 in pop3_client_thread()
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {
1323 sockprintf(socket, client.protocol, session, "+OK");
1324 if (!sockgetrsp(socket, client.protocol, session, "PASS ", buf, sizeof(buf))) {
>>> CID 631143: (SLEEP)
>>> Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1325 sockprintf(socket, client.protocol, session, "-ERR PASS command expected");
1326 break;
1327 }
1328 p = buf + 5;
1329 SKIP_WHITESPACE(p);
1330 SAFECOPY(password, p);
/mailsrvr.c: 1193 in pop3_client_thread()
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1190 return false;
1191 }
1192 struct trash trash;
>>> CID 631143: (SLEEP)
>>> Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
1195 char details[128];
1196 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s", socket, client.protocol, host_ip, trash_details(&trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
/mailsrvr.c: 1201 in pop3_client_thread()
1195 char details[128];
1196 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s", socket, client.protocol, host_ip, trash_details(&trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1199 return false;
1200 }
>>> CID 631143: (SLEEP)
>>> Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".
1201 if (trashcan2(&scfg, host_name, NULL, "host", &trash)) {
1202 if (!trash.quiet) {
1203 char details[128];
1204 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in host.can: %s %s"
1205 , socket, client.protocol, host_ip, host_name, trash_details(&trash, details, sizeof details));
1206 }
** CID 631142: Null pointer dereferences (FORWARD_NULL)
_____________________________________________________________________________________________
*** CID 631142: Null pointer dereferences (FORWARD_NULL)
/un_qwk.cpp: 380 in sbbs_t::unpack_qwk(char *, unsigned int)()
374 iniFreeStringList(voting);
375
376 strListFree(&msg_filters.ip_can);
377 strListFree(&msg_filters.host_can);
378 strListFree(&msg_filters.subject_can);
379 strListFree(&msg_filters.twit_list);
>>> CID 631142: Null pointer dereferences (FORWARD_NULL)
>>> Passing "&user_list" to "listFree", which dereferences null "user_list.sem".
380 listFree(&user_list);
381
382 delfiles(cfg.temp_dir, "*.NDX");
383 SAFEPRINTF(str, "%sMESSAGES.DAT", cfg.temp_dir);
384 removecase(str);
385 SAFEPRINTF(str, "%sDOOR.ID", cfg.temp_dir);
** CID 631141: Program hangs (LOCK)
_____________________________________________________________________________________________
*** CID 631141: Program hangs (LOCK)
/userdat.c: 4264 in loginSuccess()
4258 list_node_t* node;
4259
4260 if (addr->addr.sa_family != AF_INET && addr->addr.sa_family != AF_INET6)
4261 return;
4262 listLock(list);
4263 if ((node = login_attempted(list, addr)) != NULL)
>>> CID 631141: Program hangs (LOCK)
>>> "listRemoveNode" locks "list->mutex" while it is locked.
4264 listRemoveNode(list, node, /* freeData: */ true);
4265 listUnlock(list);
4266 }
4267
4268 /****************************************************************************/
4269 /* Returns number of *unique* login attempts (excludes consecutive dupes) */
** CID 631140: (LOCK)
/userdat.c: 4206 in loginAttemptListClear()
_____________________________________________________________________________________________
*** CID 631140: (LOCK)
/userdat.c: 4204 in loginAttemptListClear()
4198 long loginAttemptListClear(link_list_t* list)
4199 {
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;
>>> CID 631140: (LOCK)
>>> "listCountNodes" locks "list->mutex" while it is locked.
4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);
4206 listUnlock(list);
4207 return count;
4208 }
4209
/userdat.c: 4206 in loginAttemptListClear()
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;
4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);
>>> CID 631140: (LOCK)
>>> "listUnlock" unlocks "list->mutex" while it is unlocked.
4206 listUnlock(list);
4207 return count;
4208 }
4209
4210 /****************************************************************************/
4211 static list_node_t* login_attempted(link_list_t* list, const union xp_sockaddr* addr)
** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()
_____________________________________________________________________________________________
*** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()
1613 client_on(socket, &client, false /* update */);
1614
1615 if (startup->login_attempt.throttle
1616 && (login_attempts = loginAttempts(startup->login_attempt_list, &service_client.addr)) > 1) {
1617 lprintf(LOG_DEBUG, "%04d %s Throttling suspicious connection from: %s (%lu login attempts)"
1618 , socket, service->protocol, client.addr, login_attempts);
>>> CID 631139: Program hangs (SLEEP)
>>> Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
1619 mswait(login_attempts * startup->login_attempt.throttle);
1620 }
1621
1622 /* RUN SCRIPT */
1623 if (strpbrk(service->cmd, "/\\") == NULL)
1624 SAFEPRINTF2(cmd, "%s%s", scfg.exec_dir, service->cmd);
** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()
_____________________________________________________________________________________________
*** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()
1645 lprintf(LOG_INFO, "%04d %s service thread terminated (%lu clients remain, %lu total, %lu served)"
1646 , socket, service->protocol, remain, active_clients(), service->served);
1647
1648 client_off(socket);
1649 close_socket(socket);
1650 closesocket(socket_dup); /* close duplicate handle */
>>> CID 631138: Program hangs (LOCK)
>>> Returning without unlocking "startup->login_attempt_list->mutex".
1651 }
1652
1653
1654 void services_terminate(void)
1655 {
1656 uint32_t i;
** CID 631137: Program hangs (ORDER_REVERSAL)
_____________________________________________________________________________________________
*** CID 631137: Program hangs (ORDER_REVERSAL)
/websrvr.c: 6965 in http_session_thread()
6959 */
6960 session.req.method = HTTP_GET;
6961 session.http_ver = HTTP_1_0;
6962 if (startup->max_clients && client_count > startup->max_clients) {
6963 lprintf(LOG_WARNING, "%04d %-5s [%s] !MAXIMUM CLIENTS (%u) exceeded by %u, access denied"
6964 , socket, session.client.protocol, session.host_ip, startup->max_clients, client_count - startup->max_clients);
>>> CID 631137: Program hangs (ORDER_REVERSAL)
>>> Calling "send_error" acquires lock "jsrt_mutex" while holding lock "link_list.mutex" (count: 1 / 5).
6965 send_error(&session, __LINE__, error_503);
6966 session.finished = true;
6967 } else {
6968 uint connections = listCountMatches(&current_connections, session.host_ip, strlen(session.host_ip) + 1);
6969 if (startup->max_concurrent_connections > 0 && connections > startup->max_concurrent_connections
6970 && !is_host_exempt(&scfg, session.host_ip, /* host_name */ NULL)) {
** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()
_____________________________________________________________________________________________
*** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()
836 for (list_node_t* node = mqtt->client_list.first; node != NULL; node = node->next) {
837 client_t* client = node->data;
838 format_client_info(str, sizeof(str), node->tag, client, client->time);
839 strListPush(&list, str);
840 client_count++;
841 }
>>> CID 631136: (LOCK)
>>> "listUnlock" unlocks "mqtt->client_list.mutex" while it is unlocked.
842 listUnlock(&mqtt->client_list);
843 char* buf = NULL;
844 if (client_count > 0) {
845 size_t buflen = client_count * MAX_CLIENT_STRLEN * 2;
846 buf = malloc(buflen);
847 strListJoin(list, buf, buflen, "\n");
/mqtt.c: 814 in mqtt_client_on()
808
809 listLock(&mqtt->client_list);
810 if (on) {
811 if (update) {
812 list_node_t* node;
813
>>> CID 631136: (LOCK)
>>> "listFindNode" locks "mqtt->client_list.mutex" while it is locked.
814 if ((node = listFindTaggedNode(&mqtt->client_list, sock)) != NULL) {
815 memcpy(node->data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/update", str);
818 }
819 } else {
/mqtt.c: 825 in mqtt_client_on()
819 } else {
820 listAddNodeData(&mqtt->client_list, client, sizeof(client_t), sock, LAST_NODE);
821 format_client_info(str, sizeof(str), sock, client, client->time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/connect", str);
823 }
824 } else {
>>> CID 631136: (LOCK)
>>> "listRemoveTaggedNode" locks "mqtt->client_list.mutex" while it is locked.
825 client = listRemoveTaggedNode(&mqtt->client_list, sock, /* free_data: */ false);
826 if (client != NULL) {
827 format_client_info(str, sizeof(str), sock, client, time(NULL));
828 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/disconnect", str);
829 FREE_AND_NULL(client);
830 }
/mqtt.c: 820 in mqtt_client_on()
814 if ((node = listFindTaggedNode(&mqtt->client_list, sock)) != NULL) {
815 memcpy(node->data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/update", str);
818 }
819 } else {
>>> CID 631136: (LOCK)
>>> "listAddNodeData" locks "mqtt->client_list.mutex" while it is locked.
820 listAddNodeData(&mqtt->client_list, client, sizeof(client_t), sock, LAST_NODE);
821 format_client_info(str, sizeof(str), sock, client, client->time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/connect", str);
823 }
824 } else {
825 client = listRemoveTaggedNode(&mqtt->client_list, sock, /* free_data: */ false);
** CID 631135: Uninitialized variables (UNINIT)
/tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
_____________________________________________________________________________________________
*** CID 631135: Uninitialized variables (UNINIT)
/tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf && saltsz && *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp < saltLength)
3693 cp = saltLength;
3694 if (cp)
>>> CID 631135: Uninitialized variables (UNINIT)
>>> Using uninitialized value "*salt" when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
3695 memcpy(saltBuf, salt, cp);
3696 if (cp < *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;
** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()
_____________________________________________________________________________________________
*** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
>>> CID 631134: Program hangs (LOCK)
>>> Returning without unlocking "startup->login_attempt_list->mutex".
1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
1195 char details[128];
** CID 631133: Program hangs (LOCK)
_____________________________________________________________________________________________
*** CID 631133: Program hangs (LOCK)
/userdat.c: 4303 in loginFailure()
4297 if (pass != NULL)
4298 SAFECOPY(attempt->pass, pass);
4299 attempt->count++;
4300 count = attempt->count - attempt->dupes;
4301 if (node == NULL) {
4302 attempt->first = attempt->time;
>>> CID 631133: Program hangs (LOCK)
>>> "listAddNodeData" locks "list->mutex" while it is locked.
4303 listPushNodeData(list, attempt, sizeof(login_attempt_t));
4304 }
4305 listUnlock(list);
4306
4307 if (details != NULL)
4308 *details = *attempt;
** CID 631132: Control flow issues (NO_EFFECT)
/tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()
_____________________________________________________________________________________________
*** CID 631132: Control flow issues (NO_EFFECT)
/tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()
3624 buffer = malloc(bufferSize);
3625 if (buffer == NULL)
3626 goto done;
3627 size_t lines = 0;
3628 while(!feof(fp)) {
3629 size_t rret = fread(buffer, 1, bufferSize, fp);
>>> CID 631132: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "rret < 0UL".
3630 if (rret < 0 || rret > INT_MAX)
3631 goto done;
3632 if ((streamCipher && rret > 0) || rret == bufferSize) {
3633 size_t bufpos = 0;
3634 status = cryptDecrypt(ctx, buffer, rret);
3635 if (cryptStatusError(status))
** CID 631131: (SLEEP)
/websrvr.c: 6948 in http_session_thread()
_____________________________________________________________________________________________
*** CID 631131: (SLEEP)
/websrvr.c: 6911 in http_session_thread()
6905 }
6906
6907 login_attempt_t attempted;
6908 ulong banned = loginBanned(&scfg, startup->login_attempt_list, session.socket, host_name, startup->login_attempt, &attempted);
6909
6910 /* host_ip wasn't defined in http_session_thread */
>>> CID 631131: (SLEEP)
>>> Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".
6911 if (banned || trashcan2(&scfg, session.host_ip, NULL, "ip", &trash)) {
6912 if (banned) {
6913 char ban_duration[128];
6914 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
6915 , session.socket, session.client.protocol
6916 , session.host_ip, attempted.count - attempted.dupes, attempted.user
/websrvr.c: 7055 in http_session_thread()
7049 }
7050 /* At this point, if redirp is non-NULL then the headers have already been parsed */
7051 if ((session.http_ver < HTTP_1_0) || redirp != NULL || parse_headers(&session)) {
7052 if (check_request(&session)) {
7053 if (session.req.send_location < MOVED_TEMP || session.req.virtual_path[0] != '/' || loop_count++ >= MAX_REDIR_LOOPS) {
7054 if (read_post_data(&session))
>>> CID 631131: (SLEEP)
>>> Call to "respond" might sleep while holding lock "startup->login_attempt_list->mutex".
7055 respond(&session);
7056 }
7057 else {
7058 if (!session.redir_req[0]) {
7059 safe_snprintf(session.redir_req, sizeof(session.redir_req), "%s %s%s%s", methods[session.req.method]
7060 , session.req.virtual_path, session.http_ver < HTTP_1_0?"":" ", http_vers[session.http_ver]);
/websrvr.c: 6948 in http_session_thread()
6942 client_on(session.socket, &session.client, /* update existing client record? */ false);
6943
6944 if (startup->login_attempt.throttle
6945 && (login_attempts = loginAttempts(startup->login_attempt_list, &session.addr)) > 1) {
6946 lprintf(LOG_DEBUG, "%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)"
6947 , socket, session.client.protocol, session.host_ip, login_attempts);
>>> CID 631131: (SLEEP)
>>> Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
6948 mswait(login_attempts * startup->login_attempt.throttle);
6949 }
6950
6951 session.last_user_num = -1;
6952 session.last_js_user_num = -1;
6953 session.logon_time = 0;
** CID 631130: Null pointer dereferences (FORWARD_NULL)
_____________________________________________________________________________________________
*** CID 631130: Null pointer dereferences (FORWARD_NULL)
/un_rep.cpp: 538 in sbbs_t::unpack_rep(char *)()
532 iniFreeStringList(voting);
533
534 strListFree(&msg_filters.ip_can);
535 strListFree(&msg_filters.host_can);
536 strListFree(&msg_filters.subject_can);
537 strListFree(&msg_filters.twit_list);
>>> CID 631130: Null pointer dereferences (FORWARD_NULL)
>>> Passing "&user_list" to "listFree", which dereferences null "user_list.sem".
538 listFree(&user_list);
539
540 if (lastsub != INVALID_SUB)
541 smb_close(&smb);
542 fclose(rep);
543
** CID 631129: Memory - corruptions (OVERRUN)
/tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
_____________________________________________________________________________________________
*** CID 631129: Memory - corruptions (OVERRUN)
/tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf && saltsz && *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp < saltLength)
3693 cp = saltLength;
3694 if (cp)
>>> CID 631129: Memory - corruptions (OVERRUN)
>>> Overrunning array "salt" of 64 bytes by passing it to a function which accesses it at byte offset 64 using argument "cp" (which evaluates to 65). [Note: The source code implementation of the function has been overridden by a builtin model.]
3695 memcpy(saltBuf, salt, cp);
3696 if (cp < *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;
----==_mimepart_68e2993ee711b_9d27f2d5dd76db9a859454--