Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

3 new defect(s) introduced to Synchronet found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 645706: Error handling issues (NEGATIVE_RETURNS) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 635 in cterm_cterm_handle_font_dcs()


_____________________________________________________________________________________________
*** CID 645706: Error handling issues (NEGATIVE_RETURNS) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 635 in cterm_cterm_handle_font_dcs()
629 return;
630 if (cterm->font_slot > 255)
631 return;
632 if (p && *p == ':') {
633 p++;
634 i = b64_decode(cterm->fontbuf, sizeof(cterm->fontbuf), p, 0);

CID 645706: Error handling issues (NEGATIVE_RETURNS)
"i" is passed to a parameter that cannot be negative.

635 p2 = malloc(i);
636 if (p2) {
637 memcpy(p2, cterm->fontbuf, i);
638 replace_font(cterm->font_slot,
639 strdup("Remote Defined Font"), p2, i);
640 }

** CID 645705: Memory - corruptions (OVERRUN) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 637 in cterm_cterm_handle_font_dcs()


_____________________________________________________________________________________________
*** CID 645705: Memory - corruptions (OVERRUN) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 637 in cterm_cterm_handle_font_dcs()
631 return;
632 if (p && *p == ':') {
633 p++;
634 i = b64_decode(cterm->fontbuf, sizeof(cterm->fontbuf), p, 0);
635 p2 = malloc(i);
636 if (p2) {

CID 645705: Memory - corruptions (OVERRUN)
Calling "memcpy" with "p2" and "i" is suspicious because of the very large index, 18446744073709551615. The index may be due to a negative parameter being interpreted as unsigned.

637 memcpy(p2, cterm->fontbuf, i);
638 replace_font(cterm->font_slot,
639 strdup("Remote Defined Font"), p2, i);
640 }
641 }
642 }

** CID 645704: (STRING_OVERFLOW) /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2139 in cterm_dec_dcs_finish()
/tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2135 in cterm_dec_dcs_finish()


_____________________________________________________________________________________________
*** CID 645704: (STRING_OVERFLOW) /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2139 in cterm_dec_dcs_finish()
2133 if (cterm->fg_tc_str) {
2134 strcat(tmp, ";");
2135 strcat(tmp, cterm->fg_tc_str);
2136 }
2137 if (cterm->bg_tc_str) {
2138 strcat(tmp, ";");

CID 645704: (STRING_OVERFLOW)
You might overrun the 3072-character fixed-size string "tmp" by copying "cterm->bg_tc_str" without checking the length.

2139 strcat(tmp, cterm->bg_tc_str);
2140 }
2141 strcat(tmp, "m\x1b\\");
2142 cterm_respond(cterm, tmp, strlen(tmp));
2143 }
2144 else { /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2135 in cterm_dec_dcs_finish()
2129 case 6: strcat(tmp, ";43"); break;
2130 case 7: strcat(tmp, ";47"); break;
2131 }
2132 }
2133 if (cterm->fg_tc_str) {
2134 strcat(tmp, ";");

CID 645704: (STRING_OVERFLOW)
You might overrun the 3072-character fixed-size string "tmp" by copying "cterm->fg_tc_str" without checking the length.

2135 strcat(tmp, cterm->fg_tc_str);
2136 }
2137 if (cterm->bg_tc_str) {
2138 strcat(tmp, ";");
2139 strcat(tmp, cterm->bg_tc_str);
2140 }


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
* Synchronet * Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

6 new defect(s) introduced to Synchronet found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)


** CID 645741: Data race undermines locking (LOCK_EVASION) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2092 in xp_audio_play()


_____________________________________________________________________________________________
*** CID 645741: Data race undermines locking (LOCK_EVASION) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2092 in xp_audio_play() 2086 if (!newring) {
2087 assert_pthread_mutex_unlock(&s->mutex);
2088 xp_audio_close(h);
2089 return -1;
2090 }
2091 s->ring = newring;

CID 645741: Data race undermines locking (LOCK_EVASION)
Thread1 sets "ring_frames" to a new value. Now the two threads have an inconsistent view of "ring_frames" and updates to fields correlated with "ring_frames" may be lost.

2092 s->ring_frames = nframes;
2093 assert_pthread_mutex_unlock(&s->mutex);
2094 }
2095 if (loop) {
2096 assert_pthread_mutex_lock(&s->mutex);
2097 s->loop = true;

** CID 645740: Null pointer dereferences (NULL_RETURNS) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play()


_____________________________________________________________________________________________
*** CID 645740: Null pointer dereferences (NULL_RETURNS) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play() 2076
2077 if (h < 0)
2078 return -1;
2079 s = stream_from_handle(h);
2080 /* Resize ring to fit exactly if larger than default. Loop mode requires
2081 * the ring to hold the full sample (read wraps to write_pos). */

CID 645740: Null pointer dereferences (NULL_RETURNS)
Dereferencing "s", which is known to be "NULL".

2082 if (nframes > s->ring_frames) {
2083 int16_t *newring;
2084 assert_pthread_mutex_lock(&s->mutex);
2085 newring = realloc(s->ring, nframes * S_CHANNELS * sizeof(int16_t));
2086 if (!newring) {
2087 assert_pthread_mutex_unlock(&s->mutex);

** CID 645739: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open()


_____________________________________________________________________________________________
*** CID 645739: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open() 1856
1857 assert_pthread_mutex_lock(&mixer_lock);
1858 /* Reap any done+auto_close streams first to free slots. Safe under
1859 * mixer_lock no mixer pull is in progress. */
1860 for (i = 0; i < XP_AUDIO_MAX_STREAMS; i++) {
1861 struct xp_audio_stream *r = mixer_streams[i];

CID 645739: Concurrent data access violations (MISSING_LOCK) >>> Accessing "r->done" without holding lock "xp_audio_stream.mutex". Elsewhere, "xp_audio_stream.done" is written to with "xp_audio_stream.mutex" held 4 out of 4 times (1 of these accesses strongly imply that it is necessary).

1862 if (r && r->auto_close && r->done) {
1863 mixer_streams[i] = NULL;
1864 free_stream_locked(r);
1865 }
1866 }
1867 for (i = 0; i < XP_AUDIO_MAX_STREAMS; i++) {

** CID 645738: Uninitialized variables (UNINIT)


_____________________________________________________________________________________________
*** CID 645738: Uninitialized variables (UNINIT) /tmp/sbbs-Apr-21-2026/src/conio/cterm_cterm.c: 1125 in play_music() 1119 if (buf) {
1120 if (note_frames > 0)
1121 xptone_makewave(freq, buf, note_frames, WAVE_SHAPE_SINE_SAW_HARM);
1122 if (pause_frames > 0)
1123 memset(buf + (size_t)note_frames * XPBEEP_CHANNELS, 0,
1124 (size_t)pause_frames * XPBEEP_FRAMESIZE);

CID 645738: Uninitialized variables (UNINIT)
Using uninitialized value "*buf" when calling "xp_audio_append".

1125 xp_audio_append(cterm->music_stream, buf, total_frames);
1126 free(buf);
1127 if (cterm->musicfore) {
1128 xp_audio_wait(cterm->music_stream);
1129 had_foreground = 1;
1130 }

** CID 645737: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play()


_____________________________________________________________________________________________
*** CID 645737: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play() 2076
2077 if (h < 0)
2078 return -1;
2079 s = stream_from_handle(h);
2080 /* Resize ring to fit exactly if larger than default. Loop mode requires
2081 * the ring to hold the full sample (read wraps to write_pos). */

CID 645737: Concurrent data access violations (MISSING_LOCK) >>> Accessing "s->ring_frames" without holding lock "xp_audio_stream.mutex". Elsewhere, "xp_audio_stream.ring_frames" is written to with "xp_audio_stream.mutex" held 1 out of 1 times.

2082 if (nframes > s->ring_frames) {
2083 int16_t *newring;
2084 assert_pthread_mutex_lock(&s->mutex);
2085 newring = realloc(s->ring, nframes * S_CHANNELS * sizeof(int16_t));
2086 if (!newring) {
2087 assert_pthread_mutex_unlock(&s->mutex);

** CID 645736: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open()


_____________________________________________________________________________________________
*** CID 645736: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open() 1856
1857 assert_pthread_mutex_lock(&mixer_lock);
1858 /* Reap any done+auto_close streams first to free slots. Safe under
1859 * mixer_lock no mixer pull is in progress. */
1860 for (i = 0; i < XP_AUDIO_MAX_STREAMS; i++) {
1861 struct xp_audio_stream *r = mixer_streams[i];

CID 645736: Concurrent data access violations (MISSING_LOCK) >>> Accessing "r->auto_close" without holding lock "xp_audio_stream.mutex". Elsewhere, "xp_audio_stream.auto_close" is written to with "xp_audio_stream.mutex" held 1 out of 1 times (1 of these accesses strongly imply that it is necessary).

1862 if (r && r->auto_close && r->done) {
1863 mixer_streams[i] = NULL;
1864 free_stream_locked(r);
1865 }
1866 }
1867 for (i = 0; i < XP_AUDIO_MAX_STREAMS; i++) {


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
* Synchronet * Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 645757: Control flow issues (DEADCODE) /tmp/sbbs-Apr-22-2026/src/conio/cterm_cterm.c: 1228 in cterm_play_fx_tone()


_____________________________________________________________________________________________
*** CID 645757: Control flow issues (DEADCODE) /tmp/sbbs-Apr-22-2026/src/conio/cterm_cterm.c: 1228 in cterm_play_fx_tone()
1222 if (!cterm || duration_ms == 0)
1223 return false;
1224 if (!cterm_fx_ensure_open(cterm))
1225 return false;
1226 nframes = (size_t)XPBEEP_SAMPLE_RATE * duration_ms / 1000;
1227 if (nframes == 0)

CID 645757: Control flow issues (DEADCODE)
Execution cannot reach this statement: "return true;".

1228 return true;
1229 buf = (int16_t *)malloc(nframes * XPBEEP_FRAMESIZE);
1230 if (!buf)
1231 return false;
1232 xptone_makewave(freq, buf, (int)nframes, shape);
1233 return xp_audio_append(cterm->fx_stream, buf, nframes, NULL);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
* Synchronet * Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

15 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 15 of 15 defect(s)


** CID 645808: (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645808: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 424 in s_id_str_str() 418 {
419 bool ret;
420 sftp_str_t str1;
421 sftp_str_t str2;
422
423 state->priv->id = get32(state->priv->rxp);

CID 645808: (TAINTED_SCALAR)
Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.

424 str1 = getcstring(state);
425 if (str1 == NULL) {
426 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 427 "id_str_str: first getcstring failed");
428 return false;
429 }
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 424 in s_id_str_str() 418 {
419 bool ret;
420 sftp_str_t str1;
421 sftp_str_t str2;
422
423 state->priv->id = get32(state->priv->rxp);

CID 645808: (TAINTED_SCALAR)
Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.

424 str1 = getcstring(state);
425 if (str1 == NULL) {
426 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 427 "id_str_str: first getcstring failed");
428 return false;
429 }

** CID 645807: (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645807: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 727 in sftps_recv() 721 }
722 if (!handled) {
723 lprintf(state, SSH_FX_FAILURE, "Unhandled request type: %s (%d)",
724 sftp_get_type_name(state->priv->rxp->type), 725 state->priv->rxp->type);
726 state->priv->id = get32(state->priv->rxp);

CID 645807: (TAINTED_SCALAR)
Passing tainted expression "state->priv" to "sftps_send_error", which uses it as an allocation size.

727 if (!sftps_send_error(state, SSH_FX_OP_UNSUPPORTED,
728 "Operation not implemented", out))
729 return server_exit(state, false);
730 }
731 remove_packet(state->priv->rxp);
732 }
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 706 in sftps_recv() 700 handled = true;
701 }
702 break;
703 case SSH_FXP_EXTENDED:
704 if (state->version >= 3 && state->extended) {
705 state->priv->id = get32(state->priv->rxp);

CID 645807: (TAINTED_SCALAR)
Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.

706 sftp_str_t request = getcstring(state);
707 if (request == NULL) {
708 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
709 "EXTENDED: request getcstring failed");
710 return server_exit(state, false);
711 } /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 727 in sftps_recv() 721 }
722 if (!handled) {
723 lprintf(state, SSH_FX_FAILURE, "Unhandled request type: %s (%d)",
724 sftp_get_type_name(state->priv->rxp->type), 725 state->priv->rxp->type);
726 state->priv->id = get32(state->priv->rxp);

CID 645807: (TAINTED_SCALAR)
Passing tainted expression "state->priv" to "sftps_send_error", which uses it as an offset.

727 if (!sftps_send_error(state, SSH_FX_OP_UNSUPPORTED,
728 "Operation not implemented", out))
729 return server_exit(state, false);
730 }
731 remove_packet(state->priv->rxp);
732 }
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 706 in sftps_recv() 700 handled = true;
701 }
702 break;
703 case SSH_FXP_EXTENDED:
704 if (state->version >= 3 && state->extended) {
705 state->priv->id = get32(state->priv->rxp);

CID 645807: (TAINTED_SCALAR)
Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.

706 sftp_str_t request = getcstring(state);
707 if (request == NULL) {
708 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
709 "EXTENDED: request getcstring failed");
710 return server_exit(state, false);
711 }

** CID 645806: (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645806: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 361 in s_id_str_attr()
355 {
356 bool ret;
357 sftp_str_t str;
358 sftp_file_attr_t attrs;
359
360 state->priv->id = get32(state->priv->rxp);

CID 645806: (TAINTED_SCALAR)
Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.

361 str = getcstring(state);
362 if (str == NULL) {
363 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 364 "id_str_attr: getcstring failed");
365 return false;
366 }
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 361 in s_id_str_attr()
355 {
356 bool ret;
357 sftp_str_t str;
358 sftp_file_attr_t attrs;
359
360 state->priv->id = get32(state->priv->rxp);

CID 645806: (TAINTED_SCALAR)
Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.

361 str = getcstring(state);
362 if (str == NULL) {
363 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 364 "id_str_attr: getcstring failed");
365 return false;
366 }

** CID 645805: Insecure data handling (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645805: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 261 in getstring()
255 uint32_t sz = get32(pkt);
256 /* Does `sz` bytes fit in the remaining allocation past cur? */ 257 if ((size_t)pkt->cur + offsetof(struct sftp_rx_pkt, data) + sz > pkt->sz) {
258 pkt->cur = saved_cur;
259 return NULL;
260 }

CID 645805: Insecure data handling (TAINTED_SCALAR)
Passing tainted expression "sz" to "sftp_memdup", which uses it as an allocation size.

261 sftp_str_t ret = sftp_memdup(&pkt->data[pkt->cur], sz);
262 if (ret == NULL)
263 pkt->cur = saved_cur;
264 else
265 pkt->cur += sz;
266 return ret;

** CID 645804: (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645804: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 142 in s_open()
136 bool ret;
137 sftp_str_t fname;
138 uint32_t flags;
139 sftp_file_attr_t attrs;
140
141 state->priv->id = get32(state->priv->rxp);

CID 645804: (TAINTED_SCALAR)
Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.

142 fname = getcstring(state);
143 if (fname == NULL) {
144 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 145 "OPEN: filename getcstring failed");
146 return false;
147 }
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 142 in s_open()
136 bool ret;
137 sftp_str_t fname;
138 uint32_t flags;
139 sftp_file_attr_t attrs;
140
141 state->priv->id = get32(state->priv->rxp);

CID 645804: (TAINTED_SCALAR)
Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.

142 fname = getcstring(state);
143 if (fname == NULL) {
144 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 145 "OPEN: filename getcstring failed");
146 return false;
147 }

** CID 645803: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 211 in extract_packet() /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 217 in extract_packet()


_____________________________________________________________________________________________
*** CID 645803: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 211 in extract_packet() 205 extract_packet(sftp_rx_pkt_t stream)
206 {
207 if (!stream || !have_full_pkt(stream))
208 return NULL;
209 uint32_t sz = pkt_sz(stream);
210 size_t alloc_sz = offsetof(struct sftp_rx_pkt, len) + sizeof(uint32_t) + sz;

CID 645803: (TAINTED_SCALAR)
Passing tainted expression "alloc_sz" to "malloc", which uses it as an allocation size.

211 sftp_rx_pkt_t out = (sftp_rx_pkt_t)malloc(alloc_sz);
212 if (out == NULL)
213 return NULL;
214 out->cur = 0;
215 out->sz = alloc_sz;
216 out->used = sizeof(uint32_t) + sz; /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 217 in extract_packet() 211 sftp_rx_pkt_t out = (sftp_rx_pkt_t)malloc(alloc_sz);
212 if (out == NULL)
213 return NULL;
214 out->cur = 0;
215 out->sz = alloc_sz;
216 out->used = sizeof(uint32_t) + sz;

CID 645803: (TAINTED_SCALAR)
Passing tainted expression "out->used" to "memcpy", which uses it as an offset.

217 memcpy(&out->len, &stream->len, out->used);
218 remove_packet(stream);
219 return out;
220 }
221
222 #define GET_FUNC_BODY \

** CID 645802: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 85 in getcstring()


_____________________________________________________________________________________________
*** CID 645802: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 85 in getcstring()
79 static sftp_str_t
80 getcstring(sftps_state_t state)
81 {
82 sftp_str_t str = getstring(state->priv->rxp);
83 if (str == NULL)
84 return NULL;

CID 645802: Insecure data handling (TAINTED_SCALAR)
Passing tainted expression "str->len" to "memchr", which uses it as an offset.

85 if (memchr(str->c_str, 0, str->len) != NULL) {
86 free_sftp_str(str);
87 return NULL;
88 }
89 return str;
90 }

** CID 645801: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 103 in init()


_____________________________________________________________________________________________
*** CID 645801: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 103 in init()
97 state->version = SFTP_VERSION;
98 /* Intersect client's advertised extensions with the ones we support. 99 * The result is what we enable for this session AND what we echo
100 * back to the client in VERSION. */
101 state->extensions = 0;
102 uint32_t payload_len = pkt_sz(state->priv->rxp) - 1;

CID 645801: Insecure data handling (TAINTED_SCALAR)
Using tainted variable "payload_len" as a loop boundary.

103 while (state->priv->rxp->cur + sizeof(uint32_t) <= payload_len) {
104 sftp_str_t ext_name = getstring(state->priv->rxp);
105 sftp_str_t ext_data = getstring(state->priv->rxp);
106 if (ext_name == NULL || ext_data == NULL) {
107 free_sftp_str(ext_name);
108 free_sftp_str(ext_data);

** CID 645800: (TAINTED_SCALAR)
/sftp.cpp: 2184 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
/sftp.cpp: 2190 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()


_____________________________________________________________________________________________
*** CID 645800: (TAINTED_SCALAR)
/sftp.cpp: 2184 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
2178 if (request->len == nlen &&
2179 memcmp(request->c_str, SFTP_EXT_NAME_DESCS, nlen) == 0) { 2180 sftp_str_t path = sftp_rx_get_string(pkt);
2181 if (path == nullptr)
2182 return sftps_send_error(sbbs->sftp_state,
2183 SSH_FX_BAD_MESSAGE, "Missing path", nullptr);

CID 645800: (TAINTED_SCALAR)
Passing tainted expression "path->len + 1U" to "malloc", which uses it as an allocation size.

2184 char *cpath = (char *)malloc(path->len + 1);
2185 if (cpath == nullptr) {
2186 free_sftp_str(path);
2187 return sftps_send_error(sbbs->sftp_state,
2188 SSH_FX_FAILURE, "Out of memory", nullptr); 2189 }
/sftp.cpp: 2190 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
2184 char *cpath = (char *)malloc(path->len + 1);
2185 if (cpath == nullptr) {
2186 free_sftp_str(path);
2187 return sftps_send_error(sbbs->sftp_state,
2188 SSH_FX_FAILURE, "Out of memory", nullptr); 2189 }

CID 645800: (TAINTED_SCALAR)
Passing tainted expression "path->len" to "memcpy", which uses it as an offset.

2190 memcpy(cpath, path->c_str, path->len);
2191 cpath[path->len] = '\0';
2192 free_sftp_str(path);
2193 sbbs->lprintf(LOG_DEBUG, "SFTP descs(%s)", cpath);
2194 bool ret = sftp_ext_descs(sbbs, cpath);
2195 free(cpath);

** CID 645799: (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645799: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 315 in s_id_str()
309 struct sftps_outcome *out)
310 {
311 bool ret;
312 sftp_str_t str;
313
314 state->priv->id = get32(state->priv->rxp);

CID 645799: (TAINTED_SCALAR)
Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.

315 str = getcstring(state);
316 if (str == NULL) {
317 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 318 "id_str: getcstring failed");
319 return false;
320 }
/tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 315 in s_id_str()
309 struct sftps_outcome *out)
310 {
311 bool ret;
312 sftp_str_t str;
313
314 state->priv->id = get32(state->priv->rxp);

CID 645799: (TAINTED_SCALAR)
Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.

315 str = getcstring(state);
316 if (str == NULL) {
317 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING, 318 "id_str: getcstring failed");
319 return false;
320 }

** CID 645798: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 69 in server_exit()


_____________________________________________________________________________________________
*** CID 645798: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 69 in server_exit() 63 }
64
65 static bool
66 server_exit(sftps_state_t state, bool retval)
67 {
68 assert(state->priv->running > 0);

CID 645798: Concurrent data access violations (MISSING_LOCK) >>> Accessing "state->priv->running" without holding lock "sftp_server_state_private.mtx". Elsewhere, "sftp_server_state_private.running" is written to with "sftp_server_state_private.mtx" held 1 out of 2 times (1 of these accesses strongly imply that it is necessary).

69 state->priv->running--;
70 pthread_mutex_unlock(&state->priv->mtx);
71 return retval;
72 }
73
74 /*

** CID 645797: Insecure data handling (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645797: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 190 in parse_status() 184 if (reply->type != SSH_FXP_STATUS)
185 return false;
186 uint32_t code = get32(reply);
187 if (out != NULL)
188 out->result = code;
189 sftp_str_t msg = getstring(reply);

CID 645797: Insecure data handling (TAINTED_SCALAR)
Passing tainted expression "reply->cur" to "getstring", which uses it as an offset.

190 sftp_str_t lang = getstring(reply);
191 if (msg != NULL && msg->len > 0) {
192 sftpc_outcome_reply(out,
193 (const char *)msg->c_str, msg->len,
194 lang ? (const char *)lang->c_str : "",
195 lang ? lang->len : 0);

** CID 645796: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 102 in init()


_____________________________________________________________________________________________
*** CID 645796: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 102 in init()
96 if (state->version > SFTP_VERSION)
97 state->version = SFTP_VERSION;
98 /* Intersect client's advertised extensions with the ones we support. 99 * The result is what we enable for this session AND what we echo
100 * back to the client in VERSION. */
101 state->extensions = 0;

CID 645796: Integer handling issues (INTEGER_OVERFLOW)
Expression "pkt_sz(state->priv->rxp) - 1U", where "pkt_sz(state->priv->rxp)" is known to be equal to 0, underflows the type of "pkt_sz(state->priv->rxp) - 1U", which is type "unsigned int".

102 uint32_t payload_len = pkt_sz(state->priv->rxp) - 1;
103 while (state->priv->rxp->cur + sizeof(uint32_t) <= payload_len) {
104 sftp_str_t ext_name = getstring(state->priv->rxp);
105 sftp_str_t ext_data = getstring(state->priv->rxp);
106 if (ext_name == NULL || ext_data == NULL) {
107 free_sftp_str(ext_name);

** CID 645795: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 87 in client_exit()


_____________________________________________________________________________________________
*** CID 645795: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 87 in client_exit() 81 }
82
83 static bool
84 client_exit(sftpc_state_t state, bool retval)
85 {
86 assert(state->running > 0);

CID 645795: Concurrent data access violations (MISSING_LOCK) >>> Accessing "state->running" without holding lock "sftp_client_state.mtx". Elsewhere, "sftp_client_state.running" is written to with "sftp_client_state.mtx" held 1 out of 2 times (1 of these accesses strongly imply that it is necessary).

87 state->running--;
88 pthread_mutex_unlock(&state->mtx);
89 return retval;
90 }
91
92 /* Pending-list helpers; state->mtx must be held. */

** CID 645794: (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645794: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 338 in getfattr()
332 */
333 extcnt &= 0x3FFFFFFF;
334 for (ext = 0; ext < extcnt; ext++) {
335 sftp_str_t type = getstring(pkt);
336 if (type == NULL)
337 break;

CID 645794: (TAINTED_SCALAR)
Passing tainted expression "pkt->cur" to "getstring", which uses it as an offset.

338 sftp_str_t data = getstring(pkt);
339 if (data == NULL) {
340 free_sftp_str(type);
341 break;
342 }
343 if (!sftp_fattr_add_ext(&ret, type, data)) { /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 335 in getfattr()
329 * size of the buffer since getstring()
330 * will fail long before we reach extcnt if
331 * it has a maliciously high value.
332 */
333 extcnt &= 0x3FFFFFFF;
334 for (ext = 0; ext < extcnt; ext++) {

CID 645794: (TAINTED_SCALAR)
Passing tainted expression "pkt->cur" to "getstring", which uses it as an offset.

335 sftp_str_t type = getstring(pkt);
336 if (type == NULL)
337 break;
338 sftp_str_t data = getstring(pkt);
339 if (data == NULL) {
340 free_sftp_str(type); /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 343 in getfattr()
337 break;
338 sftp_str_t data = getstring(pkt);
339 if (data == NULL) {
340 free_sftp_str(type);
341 break;
342 }

CID 645794: (TAINTED_SCALAR)
Passing tainted expression "type->len" to "sftp_fattr_add_ext", which uses it as an allocation size.

343 if (!sftp_fattr_add_ext(&ret, type, data)) { 344 free_sftp_str(type);
345 free_sftp_str(data);
346 break;
347 }
348 free_sftp_str(type); /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 343 in getfattr()
337 break;
338 sftp_str_t data = getstring(pkt);
339 if (data == NULL) {
340 free_sftp_str(type);
341 break;
342 }

CID 645794: (TAINTED_SCALAR)
Passing tainted expression "data->len" to "sftp_fattr_add_ext", which uses it as an allocation size.

343 if (!sftp_fattr_add_ext(&ret, type, data)) { 344 free_sftp_str(type);
345 free_sftp_str(data);
346 break;
347 }
348 free_sftp_str(type);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
* Synchronet * Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

3 new defect(s) introduced to Synchronet found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 645832: Memory - illegal accesses (STRING_NULL)
/netmail.cpp: 417 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()


_____________________________________________________________________________________________
*** CID 645832: Memory - illegal accesses (STRING_NULL)
/netmail.cpp: 417 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()
411
412 size_t kludge_hdrlen = 0;
413 char* beg = qwkbuf + QWK_BLOCK_LEN;
414 char* end = qwkbuf + (n * QWK_BLOCK_LEN);
415 p = beg;
416 if (into == NULL) {

CID 645832: Memory - illegal accesses (STRING_NULL)
Passing unterminated string "p" to "strlcpy", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.]

417 SAFECOPY(to, p); /* To user on first line */
418 char* tp = strchr(to, QWK_NEWLINE); /* chop off at first CR */
419 if (tp != NULL)
420 *tp = 0;
421 p += strlen(to) + 1;
422 }

** CID 645831: (TAINTED_SCALAR)
/netmail.cpp: 512 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()
/netmail.cpp: 544 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()


_____________________________________________________________________________________________
*** CID 645831: (TAINTED_SCALAR)
/netmail.cpp: 512 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()
506 snprintf(str, sizeof str, "%.128s", qwkbuf + l + 5);
507 cp = strchr(str, QWK_NEWLINE);
508 if (cp)
509 *cp = 0;
510 l += strlen(str) + 1;
511 cp = str;

CID 645831: (TAINTED_SCALAR)
Using tainted variable "*cp" as a loop boundary.

512 while (*cp && *cp <= ' ') cp++;
513 safe_snprintf(senderaddr, sizeof(senderaddr), "%s/%s", sender_id, cp);
514 strupr(senderaddr);
515 smb_hfield(&msg, SENDERNETADDR, strlen(senderaddr), senderaddr);
516 }
517 else {
/netmail.cpp: 544 in sbbs_t::qwktonetmail(_IO_FILE *, char *, char *, unsigned int)()
538 snprintf(str, sizeof str, "%.128s", qwkbuf + l);
539 cp = strchr(str, QWK_NEWLINE);
540 if (cp)
541 *cp = 0;
542 l += strlen(str) + 1;
543 cp = str + 4;

CID 645831: (TAINTED_SCALAR)
Using tainted variable "*cp" as a loop boundary.

544 while (*cp && *cp <= ' ') cp++;
545 msg.hdr.when_written.zone = (short)ahtoul(cp); 546 }
547 else
548 msg.hdr.when_written.zone = sys_timezone(&cfg); 549 memset(&tm, 0, sizeof(tm));

** CID 645830: (STRING_NULL)
/qwktomsg.cpp: 340 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()
/qwktomsg.cpp: 333 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()


_____________________________________________________________________________________________
*** CID 645830: (STRING_NULL)
/qwktomsg.cpp: 339 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()
333 if ((p = strchr(qwkbuf + k, '\r')) == NULL
334 && (p = strchr(qwkbuf + k, qwk_newline)) == NULL) {
335 body[bodylen++] = qwkbuf[k];
336 continue;
337 }
338 *p = 0; /* Converts QWK_NEWLINE to NUL */

CID 645830: (STRING_NULL)
Passing unterminated string "qwkbuf + k" to "strListAppend", which expects a null-terminated string.

339 strListPush(&kludges, qwkbuf + k);
340 k += strlen(qwkbuf + k);
341 continue;
342 }
343 if (!taillen && qwkbuf[k] == ' ' && col == 3 && bodylen >= 3
344 && body[bodylen - 3] == '-' && body[bodylen - 2] == '-'
/qwktomsg.cpp: 340 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()
334 && (p = strchr(qwkbuf + k, qwk_newline)) == NULL) {
335 body[bodylen++] = qwkbuf[k];
336 continue;
337 }
338 *p = 0; /* Converts QWK_NEWLINE to NUL */
339 strListPush(&kludges, qwkbuf + k);

CID 645830: (STRING_NULL)
Passing unterminated string "qwkbuf + k" to "strlen", which expects a null-terminated string.

340 k += strlen(qwkbuf + k);
341 continue;
342 }
343 if (!taillen && qwkbuf[k] == ' ' && col == 3 && bodylen >= 3
344 && body[bodylen - 3] == '-' && body[bodylen - 2] == '-'
345 && body[bodylen - 1] == '-') {
/qwktomsg.cpp: 333 in sbbs_t::qwk_import_msg(_IO_FILE *, char *, unsigned int, unsigned int, smb_t *, unsigned int, smbmsg_t *, bool *)()
327 if (bodylen == 0
328 && (qwkbuf[k] == '@'
329 || ((fromhub || (useron.qwk & QWK_EXT) || subnum == INVALID_SUB)
330 && (strnicmp(qwkbuf + k, "To:", 3) == 0
331 || strnicmp(qwkbuf + k, "From:", 5) == 0
332 || strnicmp(qwkbuf + k, "Subject:", 8) == 0)))) {

CID 645830: (STRING_NULL)
Passing unterminated string "qwkbuf + k" to "strchr", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.]

333 if ((p = strchr(qwkbuf + k, '\r')) == NULL
334 && (p = strchr(qwkbuf + k, qwk_newline)) == NULL) {
335 body[bodylen++] = qwkbuf[k];
336 continue;
337 }
338 *p = 0; /* Converts QWK_NEWLINE to NUL */


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
* Synchronet * Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

3 new defect(s) introduced to Synchronet found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 645868: (TAINTED_SCALAR) /tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 440 in parse_init() /tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 438 in parse_init() /tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 419 in parse_init()


_____________________________________________________________________________________________
*** CID 645868: (TAINTED_SCALAR) /tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 440 in parse_init() 434 if (p->state->pubdir == NULL &&
435 ext_name->len == strlen(SFTP_EXT_NAME_PUBDIR) && 436 memcmp(ext_name->c_str, SFTP_EXT_NAME_PUBDIR,
437 ext_name->len) == 0) {
438 char *s = malloc((size_t)ext_data->len + 1); 439 if (s != NULL) {

CID 645868: (TAINTED_SCALAR)
Passing tainted expression "ext_data->len" to "memcpy", which uses it as an offset.

440 memcpy(s, ext_data->c_str, ext_data->len);
441 s[ext_data->len] = '\0';
442 p->state->pubdir = s;
443 p->state->extensions |= SFTP_EXT_PUBDIR;
444 }
445 }
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 438 in parse_init() 432 * name and capture the data as a NUL-terminated C string,
433 * setting the bit explicitly. */
434 if (p->state->pubdir == NULL &&
435 ext_name->len == strlen(SFTP_EXT_NAME_PUBDIR) && 436 memcmp(ext_name->c_str, SFTP_EXT_NAME_PUBDIR,
437 ext_name->len) == 0) {

CID 645868: (TAINTED_SCALAR)
Passing tainted expression "(size_t)ext_data->len + 1UL" to "malloc", which uses it as an allocation size.

438 char *s = malloc((size_t)ext_data->len + 1); 439 if (s != NULL) {
440 memcpy(s, ext_data->c_str, ext_data->len);
441 s[ext_data->len] = '\0';
442 p->state->pubdir = s;
443 p->state->extensions |= SFTP_EXT_PUBDIR;
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 421 in parse_init() 415 }
416 p->state->version = get32(reply);
417 p->state->extensions = 0;
418 uint32_t payload_len = pkt_sz(reply) - 1;
419 while (reply->cur + sizeof(uint32_t) <= payload_len) {
420 sftp_str_t ext_name = getstring(reply);

CID 645868: (TAINTED_SCALAR)
Passing tainted expression "reply->cur" to "getstring", which uses it as an offset.

421 sftp_str_t ext_data = getstring(reply);
422 if (ext_name == NULL || ext_data == NULL) {
423 free_sftp_str(ext_name);
424 free_sftp_str(ext_data);
425 break;
426 }
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 419 in parse_init() 413 sftp_get_type_name(reply->type));
414 return;
415 }
416 p->state->version = get32(reply);
417 p->state->extensions = 0;
418 uint32_t payload_len = pkt_sz(reply) - 1;

CID 645868: (TAINTED_SCALAR)
Using tainted variable "payload_len" as a loop boundary.

419 while (reply->cur + sizeof(uint32_t) <= payload_len) {
420 sftp_str_t ext_name = getstring(reply);
421 sftp_str_t ext_data = getstring(reply);
422 if (ext_name == NULL || ext_data == NULL) {
423 free_sftp_str(ext_name);
424 free_sftp_str(ext_data);

** CID 645867: Insecure data handling (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 645867: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 123 in parse_status_into_pending()
117 {
118 sftp_rx_pkt_t reply = p->reply;
119 if (reply->type != SSH_FXP_STATUS)
120 return false;
121 p->result = get32(reply);
122 sftp_str_t msg = getstring(reply);

CID 645867: Insecure data handling (TAINTED_SCALAR)
Passing tainted expression "reply->cur" to "getstring", which uses it as an offset.

123 sftp_str_t lang = getstring(reply);
124 if (msg != NULL && msg->len > 0) {
125 pending_record_reply(p,
126 (const char *)msg->c_str, msg->len,
127 lang ? (const char *)lang->c_str : "",
128 lang ? lang->len : 0);

** CID 645866: (TAINTED_SCALAR) /tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 1144 in parse_readdir()


_____________________________________________________________________________________________
*** CID 645866: (TAINTED_SCALAR) /tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 1144 in parse_readdir()
1138 if (reply->type == SSH_FXP_NAME) {
1139 uint32_t n = get32(reply);
1140 if (n == 0) {
1141 base->result = SSH_FX_OK;
1142 return;
1143 }

CID 645866: (TAINTED_SCALAR)
Passing tainted expression "n" to "calloc", which uses it as an allocation size.

1144 p->entries = calloc(n, sizeof(*p->entries));
1145 if (p->entries == NULL) {
1146 PENDING_RECORD(base, SFTP_ERR_OOM,
1147 "calloc(%" PRIu32 " entries) failed", n); 1148 return;
1149 }
/tmp/sbbs-Apr-29-2026/src/sftp/sftp_client.c: 1153 in parse_readdir()
1147 "calloc(%" PRIu32 " entries) failed", n); 1148 return;
1149 }
1150 for (uint32_t i = 0; i < n; i++) {
1151 p->entries[i].filename = getstring(reply);
1152 p->entries[i].longname = getstring(reply);

CID 645866: (TAINTED_SCALAR)
Passing tainted expression "reply->cur" to "getfattr", which uses it as an offset.

1153 p->entries[i].attrs = getfattr(reply);
1154 if (p->entries[i].filename == NULL ||
1155 p->entries[i].longname == NULL ||
1156 p->entries[i].attrs == NULL) {
1157 PENDING_RECORD(base, SFTP_ERR_REPLY_BAD_STRING,
1158 "getstring/getfattr failed at entry %"


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
* Synchronet * Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

4 new defect(s) introduced to Synchronet found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)


** CID 645973: Error handling issues (NEGATIVE_RETURNS)
/prntfile.cpp: 447 in sbbs_t::printfile(const char *, int, int, JSObject *)()


_____________________________________________________________________________________________
*** CID 645973: Error handling issues (NEGATIVE_RETURNS) /prntfile.cpp: 447 in sbbs_t::printfile(const char *, int, int, JSObject *)()
441 last_match = i;
442 break;
443 }
444 }
445 bputs(text[SeekingFileDone]);
446 if (!found) { >>> CID 645973: Error handling issues (NEGATIVE_RETURNS)

"saved_pos" is passed to a parameter that cannot be negative.

447 (void)fseeko(stream, saved_pos, SEEK_SET);
448 clearerr(stream);
449 bputs(text[FindStringNotFound]);
450 reprompt = true;
451 }
452 break;

** CID 645972: Memory - illegal accesses (OVERRUN) /tmp/sbbs-May-04-2026/src/hash/sha256.c: 141 in SHA256Final()


_____________________________________________________________________________________________
*** CID 645972: Memory - illegal accesses (OVERRUN) /tmp/sbbs-May-04-2026/src/hash/sha256.c: 141 in SHA256Final()
135 size_t buf_off = (size_t)(ctx->count % SHA256_BLOCK_SIZE); 136 int i;
137
138 /* Append 0x80, pad with zeros to leave 8 bytes for the length. */
139 ctx->buffer[buf_off++] = 0x80;
140 if (buf_off > SHA256_BLOCK_SIZE - 8) {

CID 645972: Memory - illegal accesses (OVERRUN)
Overrunning array of 64 bytes at byte offset 64 by dereferencing pointer "ctx->buffer + buf_off".

141 memset(ctx->buffer + buf_off, 0, SHA256_BLOCK_SIZE - buf_off);
142 SHA256Transform(ctx->state, ctx->buffer);
143 buf_off = 0;
144 }
145 memset(ctx->buffer + buf_off, 0, (SHA256_BLOCK_SIZE - 8) - buf_off);
146 /* 64-bit BE bit count. */

** CID 645971: Memory - corruptions (OVERRUN)
/ftpsrvr.cpp: 1360 in filexfer(xp_sockaddr *, int, int, int, int, int *, int *, char *, long, volatile bool *, volatile bool *, bool, bool, long *, user_t *, client_t *, int, bool, bool, bool, char *, bool)()


_____________________________________________________________________________________________
*** CID 645971: Memory - corruptions (OVERRUN)
/ftpsrvr.cpp: 1360 in filexfer(xp_sockaddr *, int, int, int, int, int *, int *, char *, long, volatile bool *, volatile bool *, bool, bool, long *, user_t *, client_t *, int, bool, bool, bool, char *, bool)()
1354 }
1355
1356 addr_len = sizeof(*addr);
1357 #ifdef SOCKET_DEBUG_ACCEPT
1358 socket_debug[ctrl_sock] |= SOCKET_DEBUG_ACCEPT;
1359 #endif

CID 645971: Memory - corruptions (OVERRUN)
Overrunning struct type sockaddr of 16 bytes by passing it to a function which accesses it at byte offset 127 using argument "addr_len" (which evaluates to 128).

1360 *data_sock = accept(pasv_sock, &addr->addr, &addr_len); 1361 #ifdef SOCKET_DEBUG_ACCEPT
1362 socket_debug[ctrl_sock] &= ~SOCKET_DEBUG_ACCEPT;
1363 #endif
1364 if (*data_sock == INVALID_SOCKET) {
1365 lprintf(LOG_WARNING, "%04d <%s> PASV !DATA ERROR %d accepting connection on socket %d"

** CID 645970: Program hangs (NEGATIVE_RETURNS)
/main.cpp: 4476 in node_thread(void *)()


_____________________________________________________________________________________________
*** CID 645970: Program hangs (NEGATIVE_RETURNS)
/main.cpp: 4476 in node_thread(void *)()
4470 #endif
4471
4472 if (startup->login_attempt.throttle
4473 && (login_attempts = loginAttempts(startup->login_attempt_list, &sbbs->client_addr)) > 1) {
4474 lprintf(LOG_DEBUG, "Node %d Throttling suspicious connection from: %s (%u login attempts)"
4475 , sbbs->cfg.node_num, sbbs->client_ipaddr, login_attempts);

CID 645970: Program hangs (NEGATIVE_RETURNS)
Using unsigned variable "login_attempts" in a loop exit condition.

4476 for (uint i = 0; i < login_attempts; ++i) {
4477 mswait(startup->login_attempt.throttle);
4478 sbbs->socket_inactive = 0;
4479 }
4480 }
4481


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
* Synchronet * Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
40 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 645990: Control flow issues (NO_EFFECT)
/writemsg.cpp: 414 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)()


_____________________________________________________________________________________________
*** CID 645990: Control flow issues (NO_EFFECT)
/writemsg.cpp: 414 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)()
408 free(buf);
409 fclose(stream);
410 return false;
411 }
412
413 l = (long)ftell(stream); /* l now points to start of message */

CID 645990: Control flow issues (NO_EFFECT)
This less-than-zero comparison of an unsigned value is never true. "l < 0U".

414 if (l < 0) {
415 errormsg(WHERE, ERR_LEN, msgtmp, 0); 416 fclose(stream);
417 close(file);
418 free(buf);
419 return false;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
* Synchronet * Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

15 new defect(s) introduced to Synchronet found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 15 of 15 defect(s)


** CID 646018: Error handling issues (CHECKED_RETURN)
/mqtt_broker.cpp: 561 in mqtt5::Broker::broker_thread()()


_____________________________________________________________________________________________
*** CID 646018: Error handling issues (CHECKED_RETURN) /mqtt_broker.cpp: 561 in mqtt5::Broker::broker_thread()()
555 break;
556 }
557
558 #ifndef _WIN32
559 if (m_wakeup_pipe[0] >= 0 && FD_ISSET(m_wakeup_pipe[0], &rfds)) {
560 char buf[64];

CID 646018: Error handling issues (CHECKED_RETURN)
"read(int, void *, size_t)" returns the number of bytes read, but it is ignored.

561 (void)read(m_wakeup_pipe[0], buf, sizeof(buf)); 562 }
563 #endif
564
565 if (m_listen_sock >= 0 && FD_ISSET(m_listen_sock, &rfds))
566 accept_connection(m_listen_sock);

** CID 646017: (CHECKED_RETURN)
/mqtt_broker.cpp: 175 in mqtt5::Broker::start(scfg_t *, unsigned short, int (*)(void *, int, const char *), void *)()
/mqtt_broker.cpp: 181 in mqtt5::Broker::start(scfg_t *, unsigned short, int (*)(void *, int, const char *), void *)()
/mqtt_broker.cpp: 166 in mqtt5::Broker::start(scfg_t *, unsigned short, int (*)(void *, int, const char *), void *)()


_____________________________________________________________________________________________
*** CID 646017: (CHECKED_RETURN)
/mqtt_broker.cpp: 175 in mqtt5::Broker::start(scfg_t *, unsigned short, int (*)(void *, int, const char *), void *)()
169 closesocket(m_listen_sock);
170 m_listen_sock = -1;
171 return false;
172 }
173 } else {
174 int off = 0;

CID 646017: (CHECKED_RETURN)
Calling "setsockopt(this->m_listen_sock, IPPROTO_IPV6, 26, (char const *)&off, 4U)" without checking return value. This library function may fail and return an error code.

175 setsockopt(m_listen_sock, IPPROTO_IPV6, IPV6_V6ONLY, (const char *)&off, sizeof(off));
176 struct sockaddr_in6 addr = {};
177 addr.sin6_family = AF_INET6;
178 addr.sin6_port = htons(port);
179 addr.sin6_addr = in6addr_any;
180 int opt = 1;
/mqtt_broker.cpp: 181 in mqtt5::Broker::start(scfg_t *, unsigned short, int (*)(void *, int, const char *), void *)()
175 setsockopt(m_listen_sock, IPPROTO_IPV6, IPV6_V6ONLY, (const char *)&off, sizeof(off));
176 struct sockaddr_in6 addr = {};
177 addr.sin6_family = AF_INET6;
178 addr.sin6_port = htons(port);
179 addr.sin6_addr = in6addr_any;
180 int opt = 1;

CID 646017: (CHECKED_RETURN)
Calling "setsockopt(this->m_listen_sock, 1, 2, (char const *)&opt, 4U)" without checking return value. This library function may fail and return an error code.

181 setsockopt(m_listen_sock, SOL_SOCKET, SO_REUSEADDR, (const char *)&opt, sizeof(opt));
182 if (bind(m_listen_sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
183 log(LOG_ERR, "MQTT broker: bind() port %u failed: %d", port, ERROR_VALUE);
184 closesocket(m_listen_sock);
185 m_listen_sock = -1;
186 return false;
/mqtt_broker.cpp: 166 in mqtt5::Broker::start(scfg_t *, unsigned short, int (*)(void *, int, const char *), void *)()
160 }
161 struct sockaddr_in addr = {};
162 addr.sin_family = AF_INET;
163 addr.sin_port = htons(port);
164 addr.sin_addr.s_addr = INADDR_ANY;
165 int opt = 1;

CID 646017: (CHECKED_RETURN)
Calling "setsockopt(this->m_listen_sock, 1, 2, (char const *)&opt, 4U)" without checking return value. This library function may fail and return an error code.

166 setsockopt(m_listen_sock, SOL_SOCKET, SO_REUSEADDR, (const char *)&opt, sizeof(opt));
167 if (bind(m_listen_sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
168 log(LOG_ERR, "MQTT broker: bind() port %u failed: %d", port, ERROR_VALUE);
169 closesocket(m_listen_sock);
170 m_listen_sock = -1;
171 return false;

** CID 646016: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 347 in mqtt5::Broker::local_subscribe(mqtt5::LocalClient *, const std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> &, int)::[lambda(const std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> &, std::shared_ptr<mqtt5::Message>) (instance 1)]::operator ()(const std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> &, std::shared_ptr<mqtt5::Message>) const()


_____________________________________________________________________________________________
*** CID 646016: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 347 in mqtt5::Broker::local_subscribe(mqtt5::LocalClient *, const std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> &, int)::[lambda(const std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> &, std::shared_ptr<mqtt5::Message>) (instance 1)]::operator ()(const std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> &, std::shared_ptr<mqtt5::Message>) const()
341 {
342 std::lock_guard<std::mutex> slock(client->sub_mutex); 343 client->subscriptions.push_back(topic);
344 }
345
346 m_topics.match_retained(topic, [&](const std::string &, std::shared_ptr<Message> msg) {

CID 646016: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) >>> "msg" is passed-by-value as parameter to "std::shared_ptr<mqtt5::Message>::shared_ptr(std::shared_ptr<mqtt5::Message> const &) /*explicit =default*/", when it could be moved instead.

347 if (msg) deliver_to_local(client, msg);
348 });
349
350 return 0;
351 }
352

** CID 646015: Error handling issues (CHECKED_RETURN)
/mqtt_broker.cpp: 636 in mqtt5::Broker::accept_connection(int)()


_____________________________________________________________________________________________
*** CID 646015: Error handling issues (CHECKED_RETURN) /mqtt_broker.cpp: 636 in mqtt5::Broker::accept_connection(int)() 630 struct sockaddr_storage addr;
631 socklen_t addrlen = sizeof(addr);
632 int sock = accept(listen_sock, (struct sockaddr *)&addr, &addrlen);
633 if (sock < 0) return;
634
635 int nodelay = 1;

CID 646015: Error handling issues (CHECKED_RETURN)
Calling "setsockopt(sock, IPPROTO_TCP, 1, (char *)&nodelay, 4U)" without checking return value. This library function may fail and return an error code.

636 setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&nodelay, sizeof(nodelay));
637
638 CRYPT_SESSION tls_sess = CRYPT_UNUSED;
639 int ret;
640
641 if (!do_cryptInit(broker_lprintf)) {

** CID 646029: Insecure data handling (TAINTED_SCALAR) /mqtt_protocol.cpp: 174 in mqtt5::Reader::read_utf8(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> &)()


_____________________________________________________________________________________________
*** CID 646029: Insecure data handling (TAINTED_SCALAR) /mqtt_protocol.cpp: 174 in mqtt5::Reader::read_utf8(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> &)()
168
169 bool Reader::read_utf8(std::string &out)
170 {
171 uint16_t len;
172 if (!read_u16(len)) return false;
173 if (m_pos + len > m_len) return false;

CID 646029: Insecure data handling (TAINTED_SCALAR)
Passing tainted expression "len" to "assign", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]

174 out.assign(reinterpret_cast<const char *>(m_data + m_pos), len);
175 m_pos += len;
176 return true;
177 }
178
179 bool Reader::read_binary(std::vector<uint8_t> &out)

** CID 646028: Performance inefficiencies (AUTO_CAUSES_COPY) /mqtt_broker.cpp: 365 in mqtt5::Broker::route_publish(const std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> &, std::shared_ptr<mqtt5::Message>)::[lambda(const mqtt5::Subscriber &) (instance 1)]::operator ()(const mqtt5::Subscriber &) const()


_____________________________________________________________________________________________
*** CID 646028: Performance inefficiencies (AUTO_CAUSES_COPY) /mqtt_broker.cpp: 365 in mqtt5::Broker::route_publish(const std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> &, std::shared_ptr<mqtt5::Message>)::[lambda(const mqtt5::Subscriber &) (instance 1)]::operator ()(const mqtt5::Subscriber &) const()
359
360 std::unordered_map<std::string, const SubscriptionOptions *> delivered;
361
362 m_topics.publish(msg->topic, [&](const Subscriber &sub) {
363 if (sub.opts.no_local && sub.client_id == sender_id) 364 return;

CID 646028: Performance inefficiencies (AUTO_CAUSES_COPY)
Using the "auto" keyword without an "&" causes the copy of an object of type "std::string".

365 auto key = sub.client_id;
366 if (delivered.count(key))
367 return;
368 delivered[key] = &sub.opts;
369
370 for (const auto &lc : m_local_clients) {

** CID 646027: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 303 in mqtt5::Broker::publish_sys(const char *, const void *, unsigned long)()


_____________________________________________________________________________________________
*** CID 646027: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 303 in mqtt5::Broker::publish_sys(const char *, const void *, unsigned long)()
297 if (payload && len > 0)
298 msg->payload.assign(static_cast<const uint8_t *>(payload),
299 static_cast<const uint8_t *>(payload) + len);
300 msg->created_at = time(nullptr);
301
302 std::lock_guard<std::recursive_mutex> lock(m_mutex);

CID 646027: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) >>> "msg" is passed-by-value as parameter to "std::shared_ptr<mqtt5::Message>::shared_ptr(std::shared_ptr<mqtt5::Message> const &) /*explicit =default*/", when it could be moved instead.

303 route_publish("$SYS", msg);
304 }
305
306 void Broker::deregister_local(LocalClient *client)
307 {
308 std::lock_guard<std::recursive_mutex> lock(m_mutex);

** CID 646026: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 101 in mqtt5::Broker::build_psk_table()()


_____________________________________________________________________________________________
*** CID 646026: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 101 in mqtt5::Broker::build_psk_table()()
95 if (user.misc & (DELETED | INACTIVE))
96 continue;
97 std::string alias(user.alias);
98 std::string pass(user.pass);
99 std::transform(alias.begin(), alias.end(), alias.begin(), ::tolower);
100 std::transform(pass.begin(), pass.end(), pass.begin(), ::tolower);

CID 646026: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) >>> "pass" is copied in call to copy assignment for class "std::string", when it could be moved instead.

101 m_psk_table[alias] = pass;
102 }
103 log(LOG_DEBUG, "MQTT broker: loaded %zu PSK identities", m_psk_table.size());
104 }
105
106 bool Broker::authenticate_psk(const std::string &identity, const std::string &password)

** CID 646025: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 971 in mqtt5::Broker::handle_subscribe(mqtt5::NetworkSession &, const unsigned char *, unsigned long)::[lambda(const std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> &, std::shared_ptr<mqtt5::Message>) (instance 1)]::operator ()(const std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> &, std::shared_ptr<mqtt5::Message>) const()


_____________________________________________________________________________________________
*** CID 646025: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 971 in mqtt5::Broker::handle_subscribe(mqtt5::NetworkSession &, const unsigned char *, unsigned long)::[lambda(const std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> &, std::shared_ptr<mqtt5::Message>) (instance 1)]::operator ()(const std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> &, std::shared_ptr<mqtt5::Message>) const()
965 if (!msg) return;
966 if (msg->props.has(PROP_MESSAGE_EXPIRY)) {
967 uint32_t expiry = msg->props.get_u32(PROP_MESSAGE_EXPIRY, 0);
968 if (time(nullptr) - msg->created_at > (time_t)expiry)
969 return;
970 }

CID 646025: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) >>> "msg" is passed-by-value as parameter to "std::shared_ptr<mqtt5::Message>::shared_ptr(std::shared_ptr<mqtt5::Message> const &) /*explicit =default*/", when it could be moved instead.

971 deliver_to_network(session, msg, opts); 972 });
973 }
974
975 reason_codes.push_back(tf.qos());
976 }

** CID 646024: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 224 in mqtt5::Broker::start(scfg_t *, unsigned short, int (*)(void *, int, const char *), void *)()


_____________________________________________________________________________________________
*** CID 646024: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 224 in mqtt5::Broker::start(scfg_t *, unsigned short, int (*)(void *, int, const char *), void *)()
218 auto msg = std::make_shared<Message>();
219 msg->type = PUBLISH;
220 msg->flags = 1;
221 msg->topic = "$SYS/broker/version";
222 msg->payload.assign(ver, ver + strlen(ver));
223 msg->created_at = time(nullptr);

CID 646024: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) >>> "msg" is passed-by-value as parameter to "std::shared_ptr<mqtt5::Message>::shared_ptr(std::shared_ptr<mqtt5::Message> const &) /*explicit =default*/", when it could be moved instead.

224 m_topics.set_retained("$SYS/broker/version", msg);
225 }
226
227 log(LOG_INFO, "MQTT broker: listening on port %u", port);
228 return true;
229 }

** CID 646023: (CHECKED_RETURN)
/mqtt_broker.cpp: 204 in mqtt5::Broker::start(scfg_t *, unsigned short, int (*)(void *, int, const char *), void *)()
/mqtt_broker.cpp: 205 in mqtt5::Broker::start(scfg_t *, unsigned short, int (*)(void *, int, const char *), void *)()


_____________________________________________________________________________________________
*** CID 646023: (CHECKED_RETURN)
/mqtt_broker.cpp: 204 in mqtt5::Broker::start(scfg_t *, unsigned short, int (*)(void *, int, const char *), void *)()
198 if (pipe(m_wakeup_pipe) < 0) {
199 log(LOG_ERR, "MQTT broker: pipe() failed: %d", errno); 200 closesocket(m_listen_sock);
201 m_listen_sock = -1;
202 return false;
203 }

CID 646023: (CHECKED_RETURN)
Calling "fcntl(this->m_wakeup_pipe[0], 4, 2048)" without checking return value. This library function may fail and return an error code.

204 fcntl(m_wakeup_pipe[0], F_SETFL, O_NONBLOCK);
205 fcntl(m_wakeup_pipe[1], F_SETFL, O_NONBLOCK);
206 #endif
207
208 m_running = true;
209 m_thread = std::thread(&Broker::broker_thread, this); /mqtt_broker.cpp: 205 in mqtt5::Broker::start(scfg_t *, unsigned short, int (*)(void *, int, const char *), void *)()
199 log(LOG_ERR, "MQTT broker: pipe() failed: %d", errno); 200 closesocket(m_listen_sock);
201 m_listen_sock = -1;
202 return false;
203 }
204 fcntl(m_wakeup_pipe[0], F_SETFL, O_NONBLOCK);

CID 646023: (CHECKED_RETURN)
Calling "fcntl(this->m_wakeup_pipe[1], 4, 2048)" without checking return value. This library function may fail and return an error code.

205 fcntl(m_wakeup_pipe[1], F_SETFL, O_NONBLOCK);
206 #endif
207
208 m_running = true;
209 m_thread = std::thread(&Broker::broker_thread, this);
210

** CID 646022: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 715 in mqtt5::Broker::accept_connection(int)()


_____________________________________________________________________________________________
*** CID 646022: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 715 in mqtt5::Broker::accept_connection(int)() 709
710 std::string temp_id = "pending-" + std::to_string(sock);
711 std::lock_guard<std::recursive_mutex> lock(m_mutex);
712 auto &session = m_sessions[temp_id];
713 session.socket = sock;
714 session.tls_sess = tls_sess;

CID 646022: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) >>> "psk_id" is copied in call to copy assignment for class "std::string", when it could be moved instead.

715 session.tls_psk_id = psk_id;
716 session.last_activity = time(nullptr);
717 log(LOG_DEBUG, "MQTT broker: new TLS connection on socket %d", sock);
718 }
719
720 // Network data handling

** CID 646021: Concurrent data access violations (MISSING_LOCK) /mqtt_broker.cpp: 57 in mqtt5::Broker::instance()()


_____________________________________________________________________________________________
*** CID 646021: Concurrent data access violations (MISSING_LOCK) /mqtt_broker.cpp: 57 in mqtt5::Broker::instance()()
51
52 Broker *Broker::s_instance = nullptr;
53 std::mutex Broker::s_instance_mutex;
54
55 Broker *Broker::instance()
56 {

CID 646021: Concurrent data access violations (MISSING_LOCK) >>> Accessing "mqtt5::Broker::s_instance" without holding lock "mqtt5::Broker::s_instance_mutex". Elsewhere, "mqtt5::Broker::s_instance" is written to with "mqtt5::Broker::s_instance_mutex" held 2 out of 2 times (1 of these accesses strongly imply that it is necessary).

57 return s_instance;
58 }
59
60 Broker::Broker()
61 {
62 }

** CID 646020: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 915 in mqtt5::Broker::handle_publish(mqtt5::NetworkSession &, unsigned char, const unsigned char *, unsigned long)()


_____________________________________________________________________________________________
*** CID 646020: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 915 in mqtt5::Broker::handle_publish(mqtt5::NetworkSession &, unsigned char, const unsigned char *, unsigned long)()
909 teardown_network(session, 0x81);
910 return;
911 }
912
913 uint8_t qos = msg->qos();
914

CID 646020: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) >>> "msg" is passed-by-value as parameter to "std::shared_ptr<mqtt5::Message>::shared_ptr(std::shared_ptr<mqtt5::Message> const &) /*explicit =default*/", when it could be moved instead.

915 route_publish(session.client_id, msg);
916
917 if (qos == 1) {
918 send_to_network(session, build_ack(PUBACK, pid, 0)); 919 } else if (qos == 2) {
920 session.rx_unacked[pid] = true;

** CID 646019: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 413 in mqtt5::Broker::deliver_to_network(mqtt5::NetworkSession &, std::shared_ptr<mqtt5::Message>, const mqtt5::SubscriptionOptions &)()


_____________________________________________________________________________________________
*** CID 646019: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 413 in mqtt5::Broker::deliver_to_network(mqtt5::NetworkSession &, std::shared_ptr<mqtt5::Message>, const mqtt5::SubscriptionOptions &)()
407 auto pkt = build_publish(*msg, pid, false, qos,
408 extra.empty() ? nullptr : &extra); 409 send_to_network(session, pkt);
410
411 if (qos > 0) {
412 Queued q;

CID 646019: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) >>> "msg" is copied in call to copy assignment for class "std::shared_ptr<mqtt5::Message>", when it could be moved instead.

413 q.msg = msg;
414 q.pid = pid;
415 session.tx_unacked[pid] = std::move(q);
416 }
417 }
418


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
* Synchronet * Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

4 new defect(s) introduced to Synchronet found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)


** CID 646038: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 292 in mqtt5::Broker::publish_sys(const char *, const void *, unsigned long, const mqtt5::Properties *)()


_____________________________________________________________________________________________
*** CID 646038: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_broker.cpp: 292 in mqtt5::Broker::publish_sys(const char *, const void *, unsigned long, const mqtt5::Properties *)()
286 static_cast<const uint8_t *>(payload) + len);
287 if (props)
288 msg->props = *props;
289 msg->created_at = time(nullptr);
290
291 std::lock_guard<std::recursive_mutex> lock(m_mutex);

CID 646038: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) >>> "msg" is passed-by-value as parameter to "std::shared_ptr<mqtt5::Message>::shared_ptr(std::shared_ptr<mqtt5::Message> const &) /*explicit =default*/", when it could be moved instead.

292 route_publish("$SYS", msg);
293 for (auto it_s = m_sessions.begin(); it_s != m_sessions.end(); ++it_s)
294 if (!it_s->second.send_buf.empty())
295 flush_network(it_s->second);
296 }
297

** CID 646037: Error handling issues (CHECKED_RETURN)
/mqtt_client.cpp: 323 in mqtt5::Client::connect(const char *, unsigned short, const char *, const char *, const char *, int, int, int, const char *, const char *, const char *, const char *, const char *, const char *, scfg_t *, int (*)(int, const char *, ...))()


_____________________________________________________________________________________________
*** CID 646037: Error handling issues (CHECKED_RETURN) /mqtt_client.cpp: 323 in mqtt5::Client::connect(const char *, unsigned short, const char *, const char *, const char *, int, int, int, const char *, const char *, const char *, const char *, const char *, const char *, scfg_t *, int (*)(int, const char *, ...))()
317
318 cryptSetAttribute(m_tls_sess, CRYPT_SESSINFO_NETWORKSOCKET, m_sock);
319 if (tls_mode == MQTT_TLS_PSK || tls_mode == MQTT_TLS_SBBS) {
320 cryptSetAttribute(m_tls_sess, CRYPT_SESSINFO_TLS_OPTIONS, CRYPT_TLSOPTION_DISABLE_CERTVERIFY);
321 cryptSetAttribute(m_tls_sess, CRYPT_SESSINFO_TLS_OPTIONS, CRYPT_TLSOPTION_DISABLE_NAMEVERIFY);
322 }

CID 646037: Error handling issues (CHECKED_RETURN)
Calling "cryptSetAttributeString" without checking return value (as is done elsewhere 18 out of 21 times).

323 cryptSetAttributeString(m_tls_sess, CRYPT_SESSINFO_SERVER_NAME, host, strlen(host));
324 ret = cryptSetAttribute(m_tls_sess, CRYPT_SESSINFO_ACTIVE, 1);
325 if (ret != CRYPT_OK) {
326 if (lprintf) {
327 char *estr = NULL;
328 get_crypt_error_string(ret, m_tls_sess, &estr, "TLS handshake", NULL);

** CID 646036: Performance inefficiencies (COPY_INSTEAD_OF_MOVE)


_____________________________________________________________________________________________
*** CID 646036: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) /mqtt_client.cpp: 162 in mqtt5::Client::handle_packet(unsigned char, unsigned char, const unsigned char *, unsigned long)()
156 ReceivedMessage rm;
157 rm.topic = msg->topic;
158 rm.payload = msg->payload;
159 rm.mid = pid;
160 rm.qos = msg->qos();
161 rm.retain = msg->retain();

CID 646036: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) >>> "rm" is copied and then passed-by-reference as parameter to STL insertion function "std::deque<mqtt5::ReceivedMessage, std::allocator<mqtt5::ReceivedMessage> >::push_back(std::deque<mqtt5::ReceivedMessage, std::allocator<mqtt5::ReceivedMessage> >::value_type const &)", when it could be moved instead.

162 m_queue.push_back(rm);
163 if (msg->qos() == 1)
164 send_packet(build_ack(PUBACK, pid, 0));
165 else if (msg->qos() == 2) {
166 send_packet(build_ack(PUBREC, pid, 0));
167 }

** CID 646035: Error handling issues (CHECKED_RETURN)
/mqtt_client.cpp: 264 in mqtt5::Client::connect(const char *, unsigned short, const char *, const char *, const char *, int, int, int, const char *, const char *, const char *, const char *, const char *, const char *, scfg_t *, int (*)(int, const char *, ...))()


_____________________________________________________________________________________________
*** CID 646035: Error handling issues (CHECKED_RETURN) /mqtt_client.cpp: 264 in mqtt5::Client::connect(const char *, unsigned short, const char *, const char *, const char *, int, int, int, const char *, const char *, const char *, const char *, const char *, const char *, scfg_t *, int (*)(int, const char *, ...))()
258 if (m_sock == INVALID_SOCKET) {
259 m_last_error = -1;
260 return -1;
261 }
262
263 int nodelay = 1;

CID 646035: Error handling issues (CHECKED_RETURN)
Calling "setsockopt(this->m_sock, IPPROTO_TCP, 1, (char *)&nodelay, 4U)" without checking return value. This library function may fail and return an error code.

264 setsockopt(m_sock, IPPROTO_TCP, TCP_NODELAY, (char *)&nodelay, sizeof(nodelay));
265
266 if (tls_mode != MQTT_TLS_DISABLED) {
267 if (!do_cryptInit(lprintf)) {
268 closesocket(m_sock);
269 m_sock = INVALID_SOCKET;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
* Synchronet * Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 646043: Null pointer dereferences (FORWARD_NULL)
/mqtt.cpp: 1095 in mqtt_startup()


_____________________________________________________________________________________________
*** CID 646043: Null pointer dereferences (FORWARD_NULL)
/mqtt.cpp: 1095 in mqtt_startup()
1089 }
1090 broker = mqtt5::Broker::instance();
1091 }
1092 }
1093
1094 char client_id[256];

CID 646043: Null pointer dereferences (FORWARD_NULL)
Dereferencing null pointer "startup".

1095 snprintf(client_id, sizeof(client_id), "sbbs-%s-%s-%s",
1096 cfg->sys_id, mqtt->host, server_type_desc((enum server_type)startup->type));
1097
1098 auto *lc = broker->register_local(client_id, mqtt_local_message_callback, mqtt);
1099 mqtt->local = lc;
1100 mqtt->connected = true;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
* Synchronet * Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net