[prev in list] [next in list] [prev in thread] [next in thread]
List: helix-protocol-dev
Subject: [Protocol-dev] CR: Coverity False Positives for module PROTOCOL.
From: "Chandra Bhushan Kumar" <ext-chandra.2.kumar () nokia ! com>
Date: 2011-11-03 9:44:26
Message-ID: XESEFE101dgaR18cJ0a000017fc () xesefe101 ! nee ! nokia ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
"Nokia submits this code under the terms of a commercial contribution
agreement with Real Networks, and I am authorized to contribute this code
under said agreement."
Modified by: ext-anil.1.jena@nokia.com, avinash.nabait@sasken.com
<blocked::mailto:avinash.nabait@sasken.com>
Reviewed by: ext-paul.galea@nokia.com
<blocked::mailto:ext-paul.galea@nokia.com>
RC Id: TBD
Date: 11/03/2011
Project: SymbianMmf_wm
Synopsis: Coverity is a static analysis tool which generates defects for
checkers: FORWARD_NULL, USE_AFTER_FREE, OVERRUN_STATIC, OVERRUN_DYNAMIC,
REVERSE_INULL, NULL_RETURNS, NEGATIVE_RETURN, CHECKED_RETURN etc.
Overview:
There are several coverity false positive bugs. For your reference we are
explaining some cases why those are false positives.There is no code changes
in the false positive cases only commented macro of coverity is added to
suppress the false positive bug.
Case 1:Reading a pointer to deallocated memory is undefined because the
pointer value is indeterminate.References to memory that has been
deallocated are referred to as dangling pointers. This explaination is for
file rtpwrap.h line number 327.
Case 2:Freeing memory multiple times has similar consequences to accessing
memory after it is freed and these types of issues are referred to as
double-free vulnerabilities. This explaination is for file
hxcloakedsocket.cpp at line number 314.
Fix:
Added macro comment "// coverity[event_name:FALSE]" to supress coverity
defect for false positive cases.
Files modified & changes:
/cvsroot/protocol/common/util/hxcloakedsocket.cpp
/cvsroot/protocol/common/util/mimealtfilt.cpp
/cvsroot/protocol/rtsp/rtspclnt.cpp
/cvsroot/protocol/rtsp/rtspmdsc.cpp
/cvsroot/protocol/transport/rtp/pub/rtpwrap.h
/cvsroot/protocol/transport/rtp/rtptran.cpp
Image Size and Heap Use impact: No impact
Module Release testing (STIF) : Passed
Test case(s) Added : No
Memory leak check performed : N/A
Platforms and Profiles Functionality verified: armv5
MCL Branch: 420 brizo
Diff files: Attached
[Note]: Please let us know whether it will go to Head or not?
[Attachment #5 (text/html)]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.17098" name=GENERATOR></HEAD>
<BODY>
<DIV>
<DIV><FONT face=Arial size=2>"Nokia submits this code under the terms of a
commercial contribution agreement with Real Networks, and I am authorized to
contribute this code under said agreement."</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Modified by: </FONT><FONT face=Arial><FONT
size=2><SPAN class=290193511-02112011><A
href="mailto:ext-anil.1.jena@nokia.com">ext-anil.1.jena@nokia.com</A>, <A
href="blocked::mailto:avinash.nabait@sasken.com">avinash.nabait@sasken.com</A></SPAN></FONT></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Reviewed by: <A
href="blocked::mailto:ext-paul.galea@nokia.com">ext-paul.galea@nokia.com</A></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>RC Id: TBD</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Date: 11/0<SPAN
class=290193511-02112011>3</SPAN>/2011</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Project: SymbianMmf_wm </FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=290193511-02112011>Synopsis: <SPAN
class=290193511-02112011>Coverity <SPAN class=269271105-03112011>is a
static analysis tool which </SPAN><SPAN
class=269271105-03112011>generates </SPAN>defect<SPAN
class=269271105-03112011>s</SPAN> for checkers: FORWARD_NULL, USE_AFTER_FREE,
OVERRUN_STATIC, OVERRUN_DYNAMIC, REVERSE_INULL, NULL_RETURNS, NEGATIVE_RETURN,
CHECKED_RETURN<SPAN class=269271105-03112011> </SPAN>etc.<SPAN
class=269271105-03112011> </SPAN></SPAN><BR></SPAN> <BR>Overview: <BR><SPAN \
class=269271105-03112011>There are several coverity false positive bugs. For
your reference we are explaining some cases why those are false
positives.There is no code changes in the false positive cases only
commented macro of coverity is added to suppress the false positive
bug. </SPAN></FONT></DIV>
<DIV><SPAN class=290193511-02112011><FONT face=Arial size=2><FONT
size=2></FONT></FONT></SPAN> </DIV>
<DIV><SPAN class=290193511-02112011><FONT><FONT face=Arial><FONT size=2>Case
1:Reading a pointer to deallocated memory is undefined because the pointer value
is indeterminate.References to memory that has been deallocated are referred to
as dangling pointers.<SPAN class=377561205-03112011> This explaination is for
file rtpwrap.h line number 327.</SPAN></FONT></FONT></DIV>
<DIV></FONT></SPAN><SPAN class=290193511-02112011><FONT face=Arial><FONT
size=2></FONT></FONT></SPAN> </DIV>
<DIV><SPAN class=290193511-02112011><FONT face=Arial><FONT size=2>Case 2:Freeing
memory multiple times has similar consequences to accessing memory after it is
freed and these types of issues are referred to as double-free
vulnerabilities.<SPAN class=377561205-03112011>
</SPAN></FONT></FONT></SPAN><SPAN class=290193511-02112011><FONT face=Arial
size=2><SPAN class=377561205-03112011>This explaination is for file
hxcloakedsocket.cpp at line number 314. </SPAN></FONT></SPAN></DIV>
<DIV><SPAN class=290193511-02112011><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><FONT face=Arial size=2>Fix: <BR>Added macro comment "// coverity[<SPAN
class=290193511-02112011>event_name</SPAN>:FALSE]" to supress <SPAN
class=290193511-02112011>coverity defect for false positive cases</SPAN>.
</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Files modified & changes:</DIV>
<DIV>/cvsroot/protocol/common/util/hxcloakedsocket.cpp<BR>/cvsroot/protocol/common/uti \
l/mimealtfilt.cpp<BR>/cvsroot/protocol/rtsp/rtspclnt.cpp<BR>/cvsroot/protocol/rtsp/rts \
pmdsc.cpp<BR>/cvsroot/protocol/transport/rtp/pub/rtpwrap.h<BR>/cvsroot/protocol/transport/rtp/rtptran.cpp</DIV>
<DIV> </DIV>
<DIV><BR>Image Size and Heap Use impact: No impact</DIV>
<DIV> </DIV>
<DIV>Module Release testing (STIF) : Passed</DIV>
<DIV> </DIV>
<DIV>Test case(s) Added : No</DIV>
<DIV> </DIV>
<DIV>Memory leak check performed : N/A</DIV>
<DIV> </DIV>
<DIV>Platforms and Profiles Functionality verified: armv5 </DIV>
<DIV> </DIV>
<DIV>MCL Branch: 420 brizo</DIV>
<DIV> </DIV>
<DIV>Diff files: Attached</DIV>
<DIV> </DIV>
<DIV>
<DIV><SPAN class=269271105-03112011><FONT face=Arial color=#0000ff
size=2>[Note]: Please let us know whether it will go to Head or
not?</FONT></SPAN></DIV></DIV></FONT></DIV></BODY></HTML>
["diff_protocol.txt" (text/plain)]
Index: hxcloakedsocket.cpp
===================================================================
RCS file: /cvsroot/protocol/common/util/hxcloakedsocket.cpp,v
retrieving revision 1.19
diff -u -w -r1.19 hxcloakedsocket.cpp
--- hxcloakedsocket.cpp 18 Aug 2008 21:50:48 -0000 1.19
+++ hxcloakedsocket.cpp 2 Nov 2011 12:17:36 -0000
@@ -314,6 +314,7 @@
while( 0<unCount )
{
+ //coverity[double_free:FALSE]
IHXBuffer* pBuf = (IHXBuffer*)list.RemoveHead();
UINT16 unBufSize = (UINT16)pBuf->GetSize();
@@ -965,6 +966,7 @@
while (m_PendingWriteBuffers.GetCount() > 0)
{
+ //coverity[double_free:FALSE]
IHXBuffer* pBuffer = (IHXBuffer*) m_PendingWriteBuffers.RemoveHead();
pBuffer->Release();
}
@@ -2425,6 +2427,7 @@
m_pOutboundPreEncodedPostData->EnQueue(pBuffer->GetBuffer(),
(UINT16) pBuffer->GetSize());
pBuffer->Release();
+ //coverity[double_free:FALSE]
m_PendingWriteBuffers.RemoveHead();
}
else
@@ -3005,6 +3008,7 @@
//Empty the inbound GET queue.
while( m_InboundGetData.GetCount() )
{
+ //coverity[double_free:FALSE]
IHXBuffer* pBuf = (IHXBuffer*)m_InboundGetData.RemoveHead();
HX_RELEASE(pBuf);
}
@@ -3094,6 +3098,7 @@
//Empty the inbound GET queue.
while( m_InboundGetData.GetCount() )
{
+ //coverity[double_free:FALSE]
IHXBuffer* pBuf = (IHXBuffer*)m_InboundGetData.RemoveHead();
HX_RELEASE(pBuf);
}
@@ -3150,6 +3155,7 @@
//Empty the inbound GET queue.
while( m_InboundGetData.GetCount() )
{
+ //coverity[double_free:FALSE]
IHXBuffer* pBuf = (IHXBuffer*)m_InboundGetData.RemoveHead();
HX_RELEASE(pBuf);
}
Index: mimealtfilt.cpp
===================================================================
RCS file: /cvsroot/protocol/common/util/mimealtfilt.cpp,v
retrieving revision 1.4
diff -u -w -r1.4 mimealtfilt.cpp
--- mimealtfilt.cpp 6 Jul 2007 20:51:32 -0000 1.4
+++ mimealtfilt.cpp 2 Nov 2011 12:18:36 -0000
@@ -117,6 +117,8 @@
if ((HXR_OK == res) && bSupportedMimetype)
{
+ //coverity[check_return:FALSE]
+ //coverity[unchecked_value:FALSE]
newIDSet.AddID(uAltID);
}
}
Index: rtspclnt.cpp
===================================================================
RCS file: /cvsroot/protocol/rtsp/rtspclnt.cpp,v
retrieving revision 1.245.4.8
diff -u -w -r1.245.4.8 rtspclnt.cpp
--- rtspclnt.cpp 25 Jul 2011 12:13:45 -0000 1.245.4.8
+++ rtspclnt.cpp 2 Nov 2011 12:20:08 -0000
@@ -2313,7 +2313,8 @@
/*
* RTSPClientProtocol methods
*/
-
+//coverity[check_return:FALSE]
+//coverity[unchecked_value:FALSE]
IMPLEMENT_MANAGED_COMPONENT(RTSPClientProtocol)
BEGIN_COMPONENT_INTERFACE_LIST(RTSPClientProtocol)
@@ -5767,6 +5768,7 @@
while (pUDPPortList->GetCount())
{
+ //coverity[double_free:FALSE]
pUDPPort = (UDP_PORTS*)pUDPPortList->RemoveHead();
HX_DELETE(pUDPPort);
}
@@ -9825,6 +9827,8 @@
RTSPTransport* pTrans = 0;
if (m_pTransportStreamMap)
{
+ //coverity[check_return:FALSE]
+ //coverity[unchecked_value:FALSE]
m_pTransportStreamMap->Lookup(idxStream, (void*&)pTrans);
}
return pTrans;
@@ -12163,6 +12167,7 @@
while (pQueue->GetCount() > 0)
{
// Get the buffer from the queue
+ //coverity[double_free:FALSE]
IHXBuffer* pBuffer = (IHXBuffer*) pQueue->RemoveHead();
// If handlePacket() returns an error, then we
// will still empty the queue, but not pass any
@@ -12206,6 +12211,7 @@
{
while (pQueue->GetCount() > 0)
{
+ //coverity[double_free:FALSE]
IHXBuffer* pBuffer = (IHXBuffer*) pQueue->RemoveHead();
HX_RELEASE(pBuffer);
}
Index: rtspmdsc.cpp
===================================================================
RCS file: /cvsroot/protocol/rtsp/rtspmdsc.cpp,v
retrieving revision 1.8
diff -u -w -r1.8 rtspmdsc.cpp
--- rtspmdsc.cpp 6 Jul 2007 20:51:35 -0000 1.8
+++ rtspmdsc.cpp 2 Nov 2011 12:21:07 -0000
@@ -243,7 +243,7 @@
delete pTag;
}
delete pQueue;
-
+ //coverity[double_free:FALSE]
return hresult;
}
Index: rtpwrap.h
===================================================================
RCS file: /cvsroot/protocol/transport/rtp/pub/rtpwrap.h,v
retrieving revision 1.20
diff -u -w -r1.20 rtpwrap.h
--- rtpwrap.h 1 May 2009 17:49:42 -0000 1.20
+++ rtpwrap.h 2 Nov 2011 12:22:33 -0000
@@ -327,6 +327,7 @@
/* SDESItem objects keep ptrs so copy the buffer. Is this needed? */
UINT8* pOff = new UINT8[length * 4];
+ //coverity[deref_arg:FALSE]
memcpy(pOff, sdes_data, length * 4 * sizeof(UINT8)); /* Flawfinder: ignore */
sdes_data = pOff;
@@ -384,6 +385,7 @@
// NB: RTCPPacketBase::unpack() succeeded so length>=2
UINT32 ulDataLen = (length - 2) * 4;
UINT8* pOff = new UINT8[ulDataLen];
+ //coverity[deref_arg:FALSE]
memcpy(pOff, app_data, (size_t)ulDataLen); /* Flawfinder: ignore */
app_data = pOff;
Index: rtptran.cpp
===================================================================
RCS file: /cvsroot/protocol/transport/rtp/rtptran.cpp,v
retrieving revision 1.117.14.2
diff -u -w -r1.117.14.2 rtptran.cpp
--- rtptran.cpp 22 Jul 2011 14:46:29 -0000 1.117.14.2
+++ rtptran.cpp 2 Nov 2011 12:23:33 -0000
@@ -1662,6 +1662,7 @@
while ((m_ulWaitQueueBytes > ulTransportByteLimit) &&
(m_StartInfoWaitQueue.GetCount() > MIN_NUM_PACKETS_SCANNED_FOR_LIVE_START))
{
+ //coverity[double_free:FALSE]
pSpilledBuffer = (IHXBuffer*) m_StartInfoWaitQueue.RemoveHead();
m_ulWaitQueueBytes -= pSpilledBuffer->GetSize();
pSpilledBuffer->Release();
_______________________________________________
Protocol-dev mailing list
Protocol-dev@helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/protocol-dev
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic