Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

14 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 14 of 14 defect(s)


** CID 515601: Program hangs (LOCK)
/js_bbs.cpp: 3400 in js_get_node_message(JSContext *, unsigned int, unsigned long *)()


________________________________________________________________________________________________________
*** CID 515601: Program hangs (LOCK)
/js_bbs.cpp: 3400 in js_get_node_message(JSContext *, unsigned int, unsigned long *)()
3394 clearline = JSVAL_TO_BOOLEAN(argv[0]);
3395
3396 rc=JS_SUSPENDREQUEST(cx);
3397 sbbs->getnmsg(clearline ? true : false);
3398 JS_RESUMEREQUEST(cx, rc);
3399

CID 515601: Program hangs (LOCK)
Returning without unlocking "sbbs->nodefile_mutex".

3400 return(JS_TRUE);
3401 }
3402
3403 static JSBool
3404 js_put_node_message(JSContext *cx, uintN argc, jsval *arglist)
3405 {

** CID 515600: Error handling issues (CHECKED_RETURN)
/download.cpp: 367 in sbbs_t::seqwait(unsigned int)()


________________________________________________________________________________________________________
*** CID 515600: Error handling issues (CHECKED_RETURN)
/download.cpp: 367 in sbbs_t::seqwait(unsigned int)()
361
362 if(!devnum)
363 return;
364 for(start=now=time(NULL);online && now-start<90;now=time(NULL)) {
365 if(msgabort()) /* max wait ^^^^ sec */
366 break;

CID 515600: Error handling issues (CHECKED_RETURN)
Calling "getnodedat" without checking return value (as is done elsewhere 52 out of 59 times).

367 getnodedat(cfg.node_num,&thisnode,true); /* open and lock this record */
368 for(i=1;i<=cfg.sys_nodes;i++) {
369 if(i==cfg.node_num) continue;
370 if(getnodedat(i,&node, true)) {
371 if((node.status==NODE_INUSE || node.status==NODE_QUIET)
372 && node.action==NODE_RFSD && node.aux==devnum) {

** CID 515599: Concurrent data access violations (MISSING_LOCK)
/putnode.cpp: 108 in sbbs_t::unlocknodedat(unsigned int)()


________________________________________________________________________________________________________
*** CID 515599: Concurrent data access violations (MISSING_LOCK) /putnode.cpp: 108 in sbbs_t::unlocknodedat(unsigned int)()
102 errormsg(WHERE, ERR_CHK, "node number", number);
103 return false;
104 }
105 int result = unlock(nodefile, (number - 1) * sizeof(node_t), sizeof(node_t));
106 if(cfg.node_misc & NM_CLOSENODEDAB) {
107 close(nodefile);

CID 515599: Concurrent data access violations (MISSING_LOCK)
Accessing "this->nodefile" without holding lock "sbbs_t.nodefile_mutex". Elsewhere, "sbbs_t.nodefile" is written to with "sbbs_t.nodefile_mutex" held 4 out of 5 times.

108 nodefile = -1;
109 }
110 pthread_mutex_unlock(&nodefile_mutex);
111 return result == 0;
112 }
113

** CID 515598: (SLEEP)


________________________________________________________________________________________________________
*** CID 515598: (SLEEP)
/getnode.cpp: 268 in sbbs_t::getnmsg(bool)()
262 buf[length]=0;
263
264 if(clearline)
265 this->clearline();
266 else if(column)
267 CRLF;

CID 515598: (SLEEP)
Call to "putmsg" might sleep while holding lock "this->nodefile_mutex". 268 putmsg(buf,P_NOATCODES);

269 free(buf);
270
271 return retval == 0;
272 }
273
/getnode.cpp: 265 in sbbs_t::getnmsg(bool)()
259 }
260 int retval = chsize(file,0L);
261 close(file);
262 buf[length]=0;
263
264 if(clearline)

CID 515598: (SLEEP)
Call to "clearline" might sleep while holding lock "this->nodefile_mutex".

265 this->clearline();
266 else if(column)
267 CRLF;
268 putmsg(buf,P_NOATCODES);
269 free(buf);
270

** CID 515597: Program hangs (LOCK)
/main.cpp: 2243 in input_thread(void *)()


________________________________________________________________________________________________________
*** CID 515597: Program hangs (LOCK)
/main.cpp: 2243 in input_thread(void *)()
2237 }
2238 else
2239 #endif
2240 rd = recv(sock, (char*)inbuf, rd, 0);
2241
2242 if(pthread_mutex_unlock(&sbbs->input_thread_mutex)!=0) >>> CID 515597: Program hangs (LOCK)

"errormsg" locks "sbbs->nodefile_mutex" while it is locked.

2243 sbbs->errormsg(WHERE,ERR_UNLOCK,"input_thread_mutex",0);
2244
2245 if (rd == 0 && !socket_recvdone(sock, 0))
2246 continue;
2247
2248 if(rd == SOCKET_ERROR)

** CID 515596: Program hangs (LOCK)
/logfile.cpp: 331 in sbbs_t::errormsg(int, const char *, const char *, const char *, const char *, int, const char *)()


________________________________________________________________________________________________________
*** CID 515596: Program hangs (LOCK)
/logfile.cpp: 331 in sbbs_t::errormsg(int, const char *, const char *, const char *, const char *, int, const char *)()
325 fprintf(logfile_fp,"!! %s%s", str, log_line_ending); 326 logcol=1;
327 fflush(logfile_fp);
328 }
329
330 errormsg_inside=false;

CID 515596: Program hangs (LOCK)
Returning without unlocking "this->nodefile_mutex".

331 }
332
333 /****************************************************************************/
334 /* Open a log file for append, supporting log rotation based on size */
335 /****************************************************************************/
336 extern "C" FILE* fopenlog(scfg_t* cfg, const char* path)

** CID 515595: Program hangs (LOCK)
/main.cpp: 4335 in sbbs_t::logoffstats()()


________________________________________________________________________________________________________
*** CID 515595: Program hangs (LOCK)
/main.cpp: 4335 in sbbs_t::logoffstats()()
4329
4330 for(i=0;i<2;i++) {
4331 FILE* fp = fopen_dstats(&cfg, i ? 0 : cfg.node_num, /* for_write: */true);
4332 if(fp == NULL)
4333 continue;
4334 if(!fread_dstats(fp, &stats)) {

CID 515595: Program hangs (LOCK)
"errormsg" locks "this->nodefile_mutex" while it is locked.

4335 errormsg(WHERE, ERR_READ, "dsts.ini", i);
4336 } else {
4337 stats.total.timeon += minutes_used;
4338 stats.today.timeon += minutes_used;
4339 if(!fwrite_dstats(fp, &stats, __FUNCTION__)) 4340 errormsg(WHERE, ERR_WRITE, "dsts.ini", i);

** CID 515594: (SLEEP)


________________________________________________________________________________________________________
*** CID 515594: (SLEEP)
/main.cpp: 4649 in sbbs_t::daily_maint()()
4643 backup(str,cfg.user_backup_level,false);
4644 }
4645
4646 if(cfg.mail_backup_level) {
4647 lputs(LOG_INFO,"DAILY: Backing-up mail data...");
4648 smb_t mail;

CID 515594: (SLEEP)
Call to "smb_open_sub" might sleep while holding lock "this->nodefile_mutex".

4649 int result = smb_open_sub(&cfg, &mail, INVALID_SUB); 4650 if(result != SMB_SUCCESS)
4651 lprintf(LOG_ERR, "ERROR %d (%s) opening mail base", result, mail.last_error);
4652 else {
4653 result = smb_lock(&mail);
4654 if(result != SMB_SUCCESS)
/main.cpp: 4778 in sbbs_t::daily_maint()()
4772 closeuserdat(userfile);
4773
4774 lputs(LOG_INFO,"DAILY: Purging deleted/expired e-mail");
4775 SAFEPRINTF(smb.file,"%smail",cfg.data_dir);
4776 smb.retry_time=cfg.smb_retry_time;
4777 smb.subnum=INVALID_SUB;

CID 515594: (SLEEP)
Call to "smb_open" might sleep while holding lock "this->nodefile_mutex".

4778 if((i=smb_open(&smb))!=0)
4779 errormsg(WHERE,ERR_OPEN,smb.file,i,smb.last_error); 4780 else {
4781 if(filelength(fileno(smb.shd_fp))>0) {
4782 if((i=smb_locksmbhdr(&smb))!=0)
4783 errormsg(WHERE,ERR_LOCK,smb.file,i,smb.last_error);

** CID 515593: (LOCK)
/getnode.cpp: 258 in sbbs_t::getnmsg(bool)()
/getnode.cpp: 252 in sbbs_t::getnmsg(bool)()
/getnode.cpp: 242 in sbbs_t::getnmsg(bool)()
/getnode.cpp: 271 in sbbs_t::getnmsg(bool)()
/getnode.cpp: 237 in sbbs_t::getnmsg(bool)()
/getnode.cpp: 247 in sbbs_t::getnmsg(bool)()


________________________________________________________________________________________________________
*** CID 515593: (LOCK)
/getnode.cpp: 258 in sbbs_t::getnmsg(bool)()
252 return false;
253 }
254 if(read(file,buf,length)!=length) {
255 close(file);
256 free(buf);
257 errormsg(WHERE,ERR_READ,str,length);

CID 515593: (LOCK)
Returning without unlocking "this->nodefile_mutex".

258 return false;
259 }
260 int retval = chsize(file,0L);
261 close(file);
262 buf[length]=0;
263
/getnode.cpp: 252 in sbbs_t::getnmsg(bool)()
246 close(file);
247 return true;
248 }
249 if((buf=(char *)malloc(length+1))==NULL) {
250 close(file);
251 errormsg(WHERE,ERR_ALLOC,str,length+1);

CID 515593: (LOCK)
Returning without unlocking "this->nodefile_mutex".

252 return false;
253 }
254 if(read(file,buf,length)!=length) {
255 close(file);
256 free(buf);
257 errormsg(WHERE,ERR_READ,str,length);
/getnode.cpp: 242 in sbbs_t::getnmsg(bool)()
236 if(flength(str)<1L)
237 return true;
238 if((file=nopen(str,O_RDWR))==-1) {
239 /**
240 errormsg(WHERE,ERR_OPEN,str,O_RDWR);
241 **/

CID 515593: (LOCK)
Returning without unlocking "this->nodefile_mutex".

242 return false;
243 }
244 length=(long)filelength(file);
245 if(length <= 0) {
246 close(file);
247 return true;
/getnode.cpp: 271 in sbbs_t::getnmsg(bool)()
265 this->clearline();
266 else if(column)
267 CRLF;
268 putmsg(buf,P_NOATCODES);
269 free(buf);
270

CID 515593: (LOCK)
Returning without unlocking "this->nodefile_mutex".

271 return retval == 0;
272 }
273
274 /****************************************************************************/
275 /* 'ext' must be at least 128 bytes! */
276 /****************************************************************************/
/getnode.cpp: 237 in sbbs_t::getnmsg(bool)()
231 thisnode.misc&=~NODE_NMSG; /* clear the NMSG flag */
232 putnodedat(cfg.node_num,&thisnode);
233 }
234
235 SAFEPRINTF2(str,"%smsgs/n%3.3u.msg",cfg.data_dir,cfg.node_num); 236 if(flength(str)<1L)

CID 515593: (LOCK)
Returning without unlocking "this->nodefile_mutex".

237 return true;
238 if((file=nopen(str,O_RDWR))==-1) {
239 /**
240 errormsg(WHERE,ERR_OPEN,str,O_RDWR);
241 **/
242 return false;
/getnode.cpp: 247 in sbbs_t::getnmsg(bool)()
241 **/
242 return false;
243 }
244 length=(long)filelength(file);
245 if(length <= 0) {
246 close(file);

CID 515593: (LOCK)
Returning without unlocking "this->nodefile_mutex".

247 return true;
248 }
249 if((buf=(char *)malloc(length+1))==NULL) {
250 close(file);
251 errormsg(WHERE,ERR_ALLOC,str,length+1);
252 return false;

** CID 515592: (SLEEP)


________________________________________________________________________________________________________
*** CID 515592: (SLEEP)
/getnode.cpp: 162 in sbbs_t::nodesync(bool)()
156 thisnode.misc&=~NODE_UDAT;
157 putnodedat(cfg.node_num,&thisnode);
158 }
159 }
160 if(!(sys_status&SS_MOFF)) {
161 if(thisnode.misc&NODE_MSGW)

CID 515592: (SLEEP)
Call to "getsmsg" might sleep while holding lock "this->nodefile_mutex".

162 getsmsg(useron.number, clearline); /* getsmsg clears MSGW flag */
163 if(thisnode.misc&NODE_NMSG)
164 getnmsg(clearline); /* getnmsg clears NMSG flag */
165 }
166 }
167
/getnode.cpp: 174 in sbbs_t::nodesync(bool)()
168 if(cfg.sync_mod[0])
169 exec_bin(cfg.sync_mod,&main_csi);
170
171 if(thisnode.misc&NODE_INTR) {
172 bputs(text[NodeLocked]);
173 logline(LOG_NOTICE,nulstr,"Interrupted");

CID 515592: (SLEEP)
Call to "hangup" might sleep while holding lock "this->nodefile_mutex". 174 hangup();

175 nodesync_inside=0;
176 return;
177 }
178
179 if(thisnode.misc&NODE_LCHAT) { // pulled into local chat with sysop
/getnode.cpp: 164 in sbbs_t::nodesync(bool)()
158 }
159 }
160 if(!(sys_status&SS_MOFF)) {
161 if(thisnode.misc&NODE_MSGW)
162 getsmsg(useron.number, clearline); /* getsmsg clears MSGW flag */
163 if(thisnode.misc&NODE_NMSG)

CID 515592: (SLEEP)
Call to "getnmsg" might sleep while holding lock "this->nodefile_mutex".

164 getnmsg(clearline); /* getnmsg clears NMSG flag */
165 }
166 }
167
168 if(cfg.sync_mod[0])
169 exec_bin(cfg.sync_mod,&main_csi);
/getnode.cpp: 211 in sbbs_t::nodesync(bool)()
205 }
206
207 if(sys_status&SS_USERON && online && (timeleft/60)<(5-timeleft_warn)
208 && !SYSOP) {
209 timeleft_warn=5-(timeleft/60);
210 if(!(sys_status&SS_MOFF)) {

CID 515592: (SLEEP)
Call to "attr" might sleep while holding lock "this->nodefile_mutex". 211 attr(LIGHTGRAY);

212 bprintf(text[OnlyXminutesLeft]
213 ,((ushort)timeleft/60)+1,(timeleft/60) ? "s" : nulstr);
214 }
215 }
216
/getnode.cpp: 217 in sbbs_t::nodesync(bool)()
211 attr(LIGHTGRAY);
212 bprintf(text[OnlyXminutesLeft]
213 ,((ushort)timeleft/60)+1,(timeleft/60) ? "s" : nulstr);
214 }
215 }
216

CID 515592: (SLEEP)
Call to "attr" might sleep while holding lock "this->nodefile_mutex". 217 attr(atr); /* replace original attributes */

218 nodesync_inside=0;
219 }
220
221 /****************************************************************************/
222 /* Prints short messages waiting for this node, if any... */
/getnode.cpp: 181 in sbbs_t::nodesync(bool)()
175 nodesync_inside=0;
176 return;
177 }
178
179 if(thisnode.misc&NODE_LCHAT) { // pulled into local chat with sysop
180 saveline();

CID 515592: (SLEEP)
Call to "privchat" might sleep while holding lock "this->nodefile_mutex".

181 privchat(true);
182 restoreline();
183 }
184
185 if(thisnode.misc&NODE_FCHAT) { // forced into private chat
186 int n = getpagingnode(&cfg);
/getnode.cpp: 182 in sbbs_t::nodesync(bool)()
176 return;
177 }
178
179 if(thisnode.misc&NODE_LCHAT) { // pulled into local chat with sysop
180 saveline();
181 privchat(true);

CID 515592: (SLEEP)
Call to "restoreline" might sleep while holding lock "this->nodefile_mutex".

182 restoreline();
183 }
184
185 if(thisnode.misc&NODE_FCHAT) { // forced into private chat
186 int n = getpagingnode(&cfg);
187 if(n) {
/getnode.cpp: 197 in sbbs_t::nodesync(bool)()
191 action = save_action;
192 restoreline();
193 }
194 if(getnodedat(cfg.node_num, &thisnode, true)) {
195 thisnode.action = action;
196 thisnode.misc &= ~NODE_FCHAT;

CID 515592: (SLEEP)
Call to "putnodedat" might sleep while holding lock "this->nodefile_mutex".

197 putnodedat(cfg.node_num, &thisnode);
198 }
199 }
200
201 if(sys_status&SS_USERON && memcmp(&nodesync_user,&useron,sizeof(user_t))) {
202 getusrdirs();

** CID 515591: (LOCK)
/getnode.cpp: 219 in sbbs_t::nodesync(bool)()
/getnode.cpp: 157 in sbbs_t::nodesync(bool)()


________________________________________________________________________________________________________
*** CID 515591: (LOCK)
/getnode.cpp: 219 in sbbs_t::nodesync(bool)()
213 ,((ushort)timeleft/60)+1,(timeleft/60) ? "s" : nulstr);
214 }
215 }
216
217 attr(atr); /* replace original attributes */
218 nodesync_inside=0;

CID 515591: (LOCK)
Returning without unlocking "this->nodefile_mutex".

219 }
220
221 /****************************************************************************/
222 /* Prints short messages waiting for this node, if any... */
223 /****************************************************************************/
224 bool sbbs_t::getnmsg(bool clearline)
/getnode.cpp: 164 in sbbs_t::nodesync(bool)()
158 }
159 }
160 if(!(sys_status&SS_MOFF)) {
161 if(thisnode.misc&NODE_MSGW)
162 getsmsg(useron.number, clearline); /* getsmsg clears MSGW flag */
163 if(thisnode.misc&NODE_NMSG)

CID 515591: (LOCK)
"getnmsg" locks "this->nodefile_mutex" while it is locked.

164 getnmsg(clearline); /* getnmsg clears NMSG flag */
165 }
166 }
167
168 if(cfg.sync_mod[0])
169 exec_bin(cfg.sync_mod,&main_csi);
/getnode.cpp: 197 in sbbs_t::nodesync(bool)()
191 action = save_action;
192 restoreline();
193 }
194 if(getnodedat(cfg.node_num, &thisnode, true)) {
195 thisnode.action = action;
196 thisnode.misc &= ~NODE_FCHAT;

CID 515591: (LOCK)
"putnodedat" locks "this->nodefile_mutex" while it is locked.

197 putnodedat(cfg.node_num, &thisnode);
198 }
199 }
200
201 if(sys_status&SS_USERON && memcmp(&nodesync_user,&useron,sizeof(user_t))) {
202 getusrdirs();
/getnode.cpp: 157 in sbbs_t::nodesync(bool)()
151 }
152 }
153 if(thisnode.misc&NODE_UDAT && !(useron.rest&FLAG('G'))) { /* not guest */
154 getuserdat(&cfg, &useron);
155 if(getnodedat(cfg.node_num,&thisnode, true)) { 156 thisnode.misc&=~NODE_UDAT;

CID 515591: (LOCK)
"putnodedat" locks "this->nodefile_mutex" while it is locked.

157 putnodedat(cfg.node_num,&thisnode);
158 }
159 }
160 if(!(sys_status&SS_MOFF)) {
161 if(thisnode.misc&NODE_MSGW)
162 getsmsg(useron.number, clearline); /* getsmsg clears MSGW flag */

** CID 515590: (LOCK)
/un_qwk.cpp: 94 in sbbs_t::unpack_qwk(char *, unsigned int)()
/un_qwk.cpp: 123 in sbbs_t::unpack_qwk(char *, unsigned int)()


________________________________________________________________________________________________________
*** CID 515590: (LOCK)
/un_qwk.cpp: 94 in sbbs_t::unpack_qwk(char *, unsigned int)()
88 lprintf(LOG_ERR, "libarchive error %ld (%s) extracting %s", file_count, error, packet);
89 if(*cfg.qhub[hubnum]->unpack == '\0')
90 return false;
91 i=external(cmdstr(cfg.qhub[hubnum]->unpack,packet,ALLFILES,NULL),EX_OFFLINE);
92 if(i) {
93 errormsg(WHERE,ERR_EXEC,cmdstr(cfg.qhub[hubnum]->unpack,packet,ALLFILES,NULL),i);

CID 515590: (LOCK)
Returning without unlocking "this->input_thread_mutex".

94 return(false);
95 }
96 }
97 SAFEPRINTF(str,"%sMESSAGES.DAT",cfg.temp_dir);
98 if(!fexistcase(str)) {
99 lprintf(LOG_WARNING,"%s doesn't contain MESSAGES.DAT (%s)",packet,str);
/un_qwk.cpp: 123 in sbbs_t::unpack_qwk(char *, unsigned int)()
117 remove(fname);
118 }
119 SAFEPRINTF(fname, "%sVOTING.DAT", cfg.temp_dir);
120 if(fexistcase(fname)) {
121 lprintf(LOG_DEBUG, "Reading %s", fname);
122 if((fp=fopen(fname,"r")) == NULL)

CID 515590: (LOCK)
"errormsg" locks "this->nodefile_mutex" while it is locked.

123 errormsg(WHERE,ERR_OPEN,fname,O_RDONLY);
124 else {
125 voting=iniReadFile(fp);
126 fclose(fp);
127 }
128 remove(fname);

** CID 515589: Error handling issues (CHECKED_RETURN)
/logon.cpp: 124 in sbbs_t::logon()()


________________________________________________________________________________________________________
*** CID 515589: Error handling issues (CHECKED_RETURN)
/logon.cpp: 124 in sbbs_t::logon()()
118 ,useron.number,useron.alias);
119 logline(LOG_NOTICE,"+!",str);
120 hangup();
121 return(false);
122 }
123 if(yesno(text[RemoveNodeLockQ])) {

CID 515589: Error handling issues (CHECKED_RETURN)
Calling "getnodedat" without checking return value (as is done elsewhere 52 out of 59 times).

124 getnodedat(cfg.node_num,&thisnode, true);
125 logline("S-","Removed Node Lock");
126 thisnode.misc&=~NODE_LOCK;
127 }
128 else
129 getnodedat(cfg.node_num,&thisnode, true);

** CID 515588: (SLEEP)
/main.cpp: 3450 in event_thread(void *)()
/main.cpp: 3272 in event_thread(void *)()


________________________________________________________________________________________________________
*** CID 515588: (SLEEP)
/main.cpp: 3277 in event_thread(void *)()
3271 while(!sbbs->terminated) {
3272 mswait(1000); 3273 now=time(NULL); 3274 if(now-start>10 && now-lastnodechk<10)
3275 continue;
3276 for(j=first_node;j<=last_node;j++) {

CID 515588: (SLEEP)
Call to "getnodedat" might sleep while holding lock "sbbs->nodefile_mutex".

3277 if(!sbbs->getnodedat(j,&node, true))
3278 continue;
3279 if(node.status==NODE_WFC)
3280 node.status=NODE_EVENT_LIMBO;
3281 node.aux=sbbs->cfg.event[i]->node;
3282 sbbs->putnodedat(j,&node);
/main.cpp: 3450 in event_thread(void *)()
3444 }
3445 }
3446 }
3447 }
3448 }
3449 sbbs->event_code = nulstr;

CID 515588: (SLEEP)
Call to "nanosleep" might sleep while holding lock "sbbs->nodefile_mutex".

3450 mswait(1000);
3451 }
3452 sbbs->cfg.node_num=0;
3453 sbbs->useron.number = 0;
3454 sbbs->js_cleanup();
3455
/main.cpp: 3373 in event_thread(void *)()
3367 && (sbbs->cfg.event[i]->node<first_node || sbbs->cfg.event[i]->node>last_node)) {
3368 sbbs->lprintf(LOG_NOTICE,"Changing node status for nodes %d through %d to WFC"
3369 ,first_node,last_node); 3370 sbbs->cfg.event[i]->last=(time32_t)now;
3371 for(j=first_node;j<=last_node;j++) {
3372 node.status=NODE_INVALID_STATUS;

CID 515588: (SLEEP)
Call to "getnodedat" might sleep while holding lock "sbbs->nodefile_mutex".

3373 if(!sbbs->getnodedat(j,&node, true))
3374 continue;
3375 node.status=NODE_WFC; 3376 sbbs->putnodedat(j,&node);
3377 }
3378 }
/main.cpp: 3413 in event_thread(void *)()
3407 cmd = sbbs->cmdstr(cmd, nulstr, sbbs->cfg.event[i]->dir, NULL);
3408 sbbs->lprintf(LOG_INFO,"Running %s%stimed event: %s"
3409 ,native_executable(&sbbs->cfg, cmd, ex_mode) ? "native ":"16-bit DOS "
3410 ,(ex_mode&EX_BG) ? "background ":""
3411 ,cmd);
3412 {

CID 515588: (SLEEP)
Call to "external" might sleep while holding lock "sbbs->nodefile_mutex".

3413 int result = sbbs->external(cmd, ex_mode, sbbs->cfg.event[i]->dir);
3414 if(!(ex_mode&EX_BG)) 3415 sbbs->lprintf(result ? sbbs->cfg.event[i]->errlevel : LOG_INFO, "Timed event: '%s' returned %d", cmd, result);
3416 else
3417 sbbs->lprintf(LOG_DEBUG, "Background timed event spawned: %s", cmd);
3418 }
/main.cpp: 3277 in event_thread(void *)()
3271 while(!sbbs->terminated) {
3272 mswait(1000); 3273 now=time(NULL); 3274 if(now-start>10 && now-lastnodechk<10)
3275 continue;
3276 for(j=first_node;j<=last_node;j++) {

CID 515588: (SLEEP)
Call to "getnodedat" might sleep while holding lock "sbbs->nodefile_mutex".

3277 if(!sbbs->getnodedat(j,&node, true))
3278 continue;
3279 if(node.status==NODE_WFC)
3280 node.status=NODE_EVENT_LIMBO;
3281 node.aux=sbbs->cfg.event[i]->node;
3282 sbbs->putnodedat(j,&node);
/main.cpp: 2986 in event_thread(void *)()
2980 if(!fexist(fname))
2981 continue;
2982 sbbs->useron.number = 0;
2983 sbbs->lprintf(LOG_INFO, "QWK pack semaphore signaled: %s", fname);
2984 int usernum = atoi(fname+offset);
2985 sbbs->useron.number = usernum;

CID 515588: (SLEEP)
Call to "getuserdat" might sleep while holding lock "sbbs->nodefile_mutex".

2986 int retval = getuserdat(&sbbs->cfg,&sbbs->useron);
2987 if(retval != 0) {
2988 sbbs->lprintf(LOG_WARNING, "ERROR %d reading user data for user #%d", retval, usernum);
2989 sbbs->fremove(WHERE, fname, /* log-all-errors: */true);
2990 continue;
2991 }
/main.cpp: 3272 in event_thread(void *)()
3266 sbbs->lprintf(LOG_DEBUG,"event last run: %s (0x%08x)"
3267 ,sbbs->timestr(sbbs->cfg.event[i]->last)
3268 ,sbbs->cfg.event[i]->last);
3269 lastnodechk=0; /* really last event time check */
3270 start=time(NULL);
3271 while(!sbbs->terminated) {

CID 515588: (SLEEP)
Call to "nanosleep" might sleep while holding lock "sbbs->nodefile_mutex".

3272 mswait(1000); 3273 now=time(NULL); 3274 if(now-start>10 && now-lastnodechk<10)
3275 continue;
3276 for(j=first_node;j<=last_node;j++) {
3277 if(!sbbs->getnodedat(j,&node, true))


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3D0VuE_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQZXtRHBZwsv7Kfty0nOtNaK0UAFlR-2FrVR2f6CKktOSW3KEH5A-2BAGbll45RILco6MRWsB-2BPA-2F5LbzoDmAwnm2EdPSGWu8DKQDA8ovxbR0nzs0zWwn4zpQwqZ0g5MQ5Uxv60wCv-2BEyap91XzPuWSQ2OUE7j0iN0wndXT1J2mredhBFg-3D-3D



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

3 new defect(s) introduced to Synchronet found with Coverity Scan.
9 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 515659: Resource leaks (RESOURCE_LEAK)
/readmail.cpp: 814 in sbbs_t::readmail(unsigned int, int, int)()


________________________________________________________________________________________________________
*** CID 515659: Resource leaks (RESOURCE_LEAK)
/readmail.cpp: 814 in sbbs_t::readmail(unsigned int, int, int)()
808 }
809
810 smb_close(&smb);
811 smb_stack(&smb,SMB_STACK_POP);
812 current_msg=NULL;
813

CID 515659: Resource leaks (RESOURCE_LEAK)
Variable "mail" going out of scope leaks the storage it points to.

814 return lm_mode;
815 }
816
817 int sbbs_t::searchmail(mail_t *mail, int start, int msgs, int which, const char *search, const char* order)
818 {
819 char* buf;

** CID 515658: Error handling issues (CHECKED_RETURN)


________________________________________________________________________________________________________
*** CID 515658: Error handling issues (CHECKED_RETURN)
/dupefind.c: 75 in display_filename()
69 char *display_filename(scfg_t *cfg, uint dirnum, uint32_t fil_off)
70 {
71 static char str[256];
72 static smb_t smb;
73 if(smb_open_dir(cfg, &smb, dirnum) != SMB_SUCCESS)
74 return smb.last_error;

CID 515658: Error handling issues (CHECKED_RETURN)
Calling "smb_fseek(smb.sid_fp, (fil_off - 1U) * 128UL, 0)" without checking return value. It wraps a library function that may fail and return an error code.

75 smb_fseek(smb.sid_fp, (fil_off - 1) * sizeof(fileidxrec_t), SEEK_SET); 76 fileidxrec_t idx;
77 if(smb_fread(&smb, &idx, sizeof(idx), smb.sid_fp) != sizeof(idx)) {
78 smb_close(&smb);
79 return smb.last_error;
80 }

** CID 515657: Error handling issues (CHECKED_RETURN)
/load_cfg.c: 627 in smb_open_dir()


________________________________________________________________________________________________________
*** CID 515657: Error handling issues (CHECKED_RETURN)
/load_cfg.c: 627 in smb_open_dir()
621 if(filelength(fileno(smb->shd_fp)) < 1) {
622 smb->status.max_files = cfg->dir[dirnum]->maxfiles; 623 smb->status.max_age = cfg->dir[dirnum]->maxage;
624 smb->status.attr = SMB_FILE_DIRECTORY; 625 if(cfg->dir[dirnum]->misc & DIR_NOHASH)
626 smb->status.attr |= SMB_NOHASH;

CID 515657: Error handling issues (CHECKED_RETURN)
Calling "smb_create" without checking return value (as is done elsewhere 16 out of 17 times).

627 smb_create(smb);
628 }
629 return SMB_SUCCESS;
630 }
631
632 int get_lang_count(scfg_t* cfg)


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3DArCi_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQZBUi-2F07t06F46PFVW9NK8AEOuHmZrMv6aNSdOw0AIeo4ogvPzV8VRWZ8jRTfiHC12zKsA4sipybJiH6RgyZ0m7AfiNQvXpSFbavk3k9Q6PyWgsjGH13ueAcyWa7DsklJg0kfAfT7EZWBHjtJZZ7z9FYBEIQ4aPAWfq3llNwIH-2F5w-3D-3D



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
8 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 515673: Code maintainability issues (SIZEOF_MISMATCH)
/sbbsecho.c: 1309 in link_area()


________________________________________________________________________________________________________
*** CID 515673: Code maintainability issues (SIZEOF_MISMATCH)
/sbbsecho.c: 1309 in link_area()
1303 return false;
1304 }
1305
1306 void link_area(unsigned area_num, const fidoaddr_t* addr)
1307 {
1308 area_t* area = &cfg.area[area_num];

CID 515673: Code maintainability issues (SIZEOF_MISMATCH)
Passing argument "area->link" of type "fidoaddr_t const *" and argument "8UL /* sizeof (addr) */ * (area->links + 1)" to function "realloc_or_free" is suspicious. In this case, "sizeof (fidoaddr_t const *)" is equal to "sizeof (fidoaddr_t const)", but this is not a portable assumption.

1309 if((area->link = realloc_or_free(area->link, (sizeof addr) * (area->links + 1))) == NULL) {
1310 lprintf(LOG_ERR,"ERROR line %d allocating memory for area "
1311 "#%u links.",__LINE__, area_num + 1);
1312 bail(1);
1313 return;
1314 }


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3DjswB_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQZTIkIcVsFEubRKPyVR-2BCuKY5oHLU9ayFn6T1x6if3eS0nVM4zzDglf0kSu84NvdLQvLmLpVUMBWFTCqIbKw97TOhNhU4Up-2FQ0gGVaItXyTTfc3Uu2zZfP2qWOCQU0YU4SaCyb8-2B3kJNnxUzaATxOedk4YqKEgN0RG-2F7ZgTWOZJ5A-3D-3D



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

3 new defect(s) introduced to Synchronet found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 515715: Incorrect expression (SIZEOF_MISMATCH)
/userdat.c: 1420 in node_vstatus()


________________________________________________________________________________________________________
*** CID 515715: Incorrect expression (SIZEOF_MISMATCH)
/userdat.c: 1420 in node_vstatus()
1414 return cfg->text != NULL ? cfg->text[NodeStatusOffline] : "Offline";
1415 case NODE_NETTING: /* Obsolete */
1416 return "Networking";
1417 case NODE_LOGON:
1418 return cfg->text != NULL ? cfg->text[NodeStatusLogon] : "At login prompt";
1419 case NODE_LOGOUT:

CID 515715: Incorrect expression (SIZEOF_MISMATCH)
Passing argument "str" of type "char *" and argument "8UL /* sizeof (str) */" to function "safe_snprintf" is suspicious.

1420 snprintf(str, sizeof str, cfg->text != NULL ? cfg->text[NodeStatusLogout] : "Logging out %s", username(cfg,node->useron,tmp));
1421 return str;
1422 case NODE_EVENT_WAITING:
1423 return cfg->text != NULL ? cfg->text[NodeStatusEventWaiting] : "Waiting for all nodes to become inactive";
1424 case NODE_EVENT_LIMBO:
1425 snprintf(str, size, cfg->text != NULL ? cfg->text[NodeStatusEventLimbo] : "Waiting for node %d to finish external event"

** CID 515714: Uninitialized variables (UNINIT)


________________________________________________________________________________________________________
*** CID 515714: Uninitialized variables (UNINIT)
/getnode.cpp: 289 in sbbs_t::getnodeext(unsigned int, char *)()
283 errormsg(WHERE,ERR_CHK,"node number",number);
284 return false;
285 }
286
287 if((node_ext=opennodeext(&cfg))==-1) {
288 memset(ext,0,128);

CID 515714: Uninitialized variables (UNINIT)
Using uninitialized value "*str" when calling "errormsg".

289 errormsg(WHERE,ERR_OPEN,str,O_RDONLY|O_DENYNONE);
290 return false;
291 }
292
293 number--; /* make zero based */
294 for(count=0;count<LOOP_NODEDAB;count++) {

** CID 515713: Incorrect expression (SIZEOF_MISMATCH)
/userdat.c: 1512 in node_activity()


________________________________________________________________________________________________________
*** CID 515713: Incorrect expression (SIZEOF_MISMATCH)
/userdat.c: 1512 in node_activity()
1506 return cfg->text != NULL ? cfg->text[NodeActivityLoggingOn] : "logging on";
1507 case NODE_LCHT:
1508 snprintf(str, size, cfg->text != NULL ? cfg->text[NodeActivityLocalChat] : "chatting with %s", cfg->sys_op);
1509 break;
1510 case NODE_MCHT:
1511 if(node->aux != 0)

CID 515713: Incorrect expression (SIZEOF_MISMATCH)
Passing argument "str" of type "char *" and argument "8UL /* sizeof (str) */" to function "safe_snprintf" is suspicious.

1512 snprintf(str, sizeof str
1513 ,cfg->text != NULL ? cfg->text[NodeActivityChatChannel] : "in multinode chat channel %d"
1514 ,node->aux & 0xff);
1515 else
1516 return cfg->text != NULL ? cfg->text[NodeActivityGlobalChat] : "in multinode global chat channel";
1517 break;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3Drf1g_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQY9ty8xtnl2sw1SqlPRU2WILlz6B-2F41RYA0wpD7iGPK7iJJRJMlj06LpTw8H4oLu0ZD6NOR-2Fs4yPZ6xU2n8ZKWHL4-2F4cgQ0xljfi-2B5nJtvQuTTNG4kyAp2Ph0XvRGRr1KcMs8Gin6jWDWu2x-2Bkj9Q6Trx86Of-2BJRienYR-2Fbv9gQgw-3D-3D



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 516068: Null pointer dereferences (FORWARD_NULL)
/websrvr.c: 5419 in js_ErrorReporter()


________________________________________________________________________________________________________
*** CID 516068: Null pointer dereferences (FORWARD_NULL)
/websrvr.c: 5419 in js_ErrorReporter()
5413 pthread_mutex_lock(&mutex);
5414 if(lastline == report->lineno && report->filename != NULL && strcmp(lastfile, report->filename) == 0)
5415 log_level = LOG_WARNING;
5416 else
5417 log_level = LOG_ERR;
5418 lastline = report->lineno;

CID 516068: Null pointer dereferences (FORWARD_NULL)
Passing null pointer "report->filename" to "strlcpy", which dereferences it. [Note: The source code implementation of the function has been overridden by a builtin model.]

5419 SAFECOPY(lastfile, report->filename);
5420 pthread_mutex_unlock(&mutex);
5421 warning="";
5422 }
5423
5424 lprintf(log_level,"%04d !JavaScript %s%s%s: %s, Request: %s"


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3DwGMb_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQYoPlNm5BibC088PrWc35An4cdaeXCJhAHOfo6MdQKpuyixiVEFSUvV84YSqGOWCuXdzqHO6D3vFmsefEKTNsriv31FvxSemaYCwQ1e-2F5VqBGX6SKqkk-2F5GGTcyG8HHnvAZdIDYA7eRF8DYP-2F3cg26HCdIpmNxtLPnr6lFDWLJb2Q-3D-3D



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

9 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)


** CID 516415: Error handling issues (CHECKED_RETURN)
/userdat.c: 1472 in node_activity()


________________________________________________________________________________________________________
*** CID 516415: Error handling issues (CHECKED_RETURN)
/userdat.c: 1472 in node_activity()
1466 case NODE_AMSG:
1467 return cfg->text != NULL ? cfg->text[NodeActivityAutoMsg] : "posting auto-message";
1468 case NODE_XTRN:
1469 if(node->aux == 0)
1470 return cfg->text != NULL ? cfg->text[NodeActivityXtrnMenu] : "at external program menu";
1471 user.number = node->useron;

CID 516415: Error handling issues (CHECKED_RETURN)
Calling "getuserdat" without checking return value (as is done elsewhere 83 out of 98 times).

1472 getuserdat(cfg, &user);
1473 xtrnnum = getxtrnnum(cfg, user.curxtrn);
1474 if(is_valid_xtrnnum(cfg, xtrnnum))
1475 snprintf(str, size, "%s %s"
1476 ,cfg->text != NULL ? cfg->text[NodeActivityRunningXtrn] : "running"
1477 ,cfg->xtrn[xtrnnum]->name);

** CID 516414: Error handling issues (CHECKED_RETURN)
/useredit.cpp: 65 in sbbs_t::useredit(int)()


________________________________________________________________________________________________________
*** CID 516414: Error handling issues (CHECKED_RETURN)
/useredit.cpp: 65 in sbbs_t::useredit(int)()
59 if(sys_status&SS_INUEDIT)
60 return;
61 sys_status|=SS_INUEDIT;
62 while(online) {
63 CLS;
64 attr(LIGHTGRAY);

CID 516414: Error handling issues (CHECKED_RETURN)
Calling "getuserdat" without checking return value (as is done elsewhere 83 out of 98 times).

65 getuserdat(&cfg,&user);
66 if(!user.number) {
67 user.number=1;
68 getuserdat(&cfg,&user);
69 if(!user.number) {
70 bputs(text[NoUserData]);

** CID 516413: Error handling issues (CHECKED_RETURN)
/answer.cpp: 168 in sbbs_t::answer()()


________________________________________________________________________________________________________
*** CID 516413: Error handling issues (CHECKED_RETURN)
/answer.cpp: 168 in sbbs_t::answer()()
162 (but keep full terminal type/speed string in rlogin_term): */
163 truncstr(terminal,"/");
164 useron.number = 0;
165 if(rlogin_name[0])
166 useron.number = find_login_id(&cfg, rlogin_name);
167 if(useron.number) {

CID 516413: Error handling issues (CHECKED_RETURN)
Calling "getuserdat" without checking return value (as is done elsewhere 83 out of 98 times).

168 getuserdat(&cfg,&useron);
169 SAFEPRINTF(path,"%srlogin.cfg",cfg.ctrl_dir);
170 if(!findstr(client.addr,path)) {
171 SAFECOPY(tmp, rlogin_pass);
172 for(i=0;i<3 && online;i++) { 173 if(stricmp(tmp,useron.pass)) {

** CID 516412: Error handling issues (CHECKED_RETURN)
/login.cpp: 51 in sbbs_t::login(const char *, const char *, const char *, const char *)()


________________________________________________________________________________________________________
*** CID 516412: Error handling issues (CHECKED_RETURN)
/login.cpp: 51 in sbbs_t::login(const char *, const char *, const char *, const char *)()
45 long useron_misc=useron.misc;
46
47 username = parse_login(username);
48
49 useron.number = find_login_id(&cfg, username);
50 if(useron.number) {

CID 516412: Error handling issues (CHECKED_RETURN)
Calling "getuserdat" without checking return value (as is done elsewhere 83 out of 98 times).

51 getuserdat(&cfg,&useron);
52 if(useron.number && useron.misc&(DELETED|INACTIVE))
53 useron.number=0;
54 }
55
56 if(!useron.number) {

** CID 516411: (CHECKED_RETURN)
/useredit.cpp: 733 in sbbs_t::maindflts(user_t *)()
/useredit.cpp: 738 in sbbs_t::maindflts(user_t *)()


________________________________________________________________________________________________________
*** CID 516411: (CHECKED_RETURN)
/useredit.cpp: 733 in sbbs_t::maindflts(user_t *)()
727
728 action=NODE_DFLT;
729 if (cfg.usercfg_mod[0]) {
730 char cmdline[256];
731 snprintf(cmdline, sizeof(cmdline), "%s %u", cfg.usercfg_mod, user->number);
732 exec_bin(cmdline, &main_csi);

CID 516411: (CHECKED_RETURN)
Calling "getuserdat" without checking return value (as is done elsewhere 83 out of 98 times).

733 getuserdat(&cfg, user);
734 return;
735 }
736 while(online) {
737 CLS;
738 getuserdat(&cfg,user);
/useredit.cpp: 738 in sbbs_t::maindflts(user_t *)()
732 exec_bin(cmdline, &main_csi);
733 getuserdat(&cfg, user);
734 return;
735 }
736 while(online) {
737 CLS;

CID 516411: (CHECKED_RETURN)
Calling "getuserdat" without checking return value (as is done elsewhere 83 out of 98 times).

738 getuserdat(&cfg,user);
739 bprintf(text[UserDefaultsHdr],user->alias,user->number);
740 if(user == &useron) {
741 update_nodeterm();
742 load_user_text();
743 }

** CID 516410: Error handling issues (CHECKED_RETURN)
/websrvr.c: 1662 in http_logon()


________________________________________________________________________________________________________
*** CID 516410: Error handling issues (CHECKED_RETURN)
/websrvr.c: 1662 in http_logon()
1656 session->req.finished=true;
1657 }
1658
1659 void http_logon(http_session_t * session, user_t *usr)
1660 {
1661 if(usr==NULL)

CID 516410: Error handling issues (CHECKED_RETURN)
Calling "getuserdat" without checking return value (as is done elsewhere 83 out of 98 times).

1662 getuserdat(&scfg, &session->user);
1663 else
1664 session->user=*usr;
1665
1666 if(session->user.number==session->last_user_num)
1667 return;

** CID 516409: Error handling issues (CHECKED_RETURN)
/str.cpp: 1388 in sbbs_t::change_user()()


________________________________________________________________________________________________________
*** CID 516409: Error handling issues (CHECKED_RETURN)
/str.cpp: 1388 in sbbs_t::change_user()()
1382 putmsgptrs();
1383 putuserstr(useron.number, USER_CURSUB
1384 ,cfg.sub[usrsub[curgrp][cursub[curgrp]]]->code);
1385 putuserstr(useron.number, USER_CURDIR
1386 ,cfg.dir[usrdir[curlib][curdir[curlib]]]->code);
1387 useron.number=i;

CID 516409: Error handling issues (CHECKED_RETURN)
Calling "getuserdat" without checking return value (as is done elsewhere 83 out of 98 times).

1388 getuserdat(&cfg,&useron);
1389 if(getnodedat(cfg.node_num,&thisnode, true)) {
1390 thisnode.useron=useron.number;
1391 putnodedat(cfg.node_num,&thisnode);
1392 }
1393 getmsgptrs();

** CID 516408: Error handling issues (CHECKED_RETURN)
/useredit.cpp: 1166 in sbbs_t::purgeuser(int)()


________________________________________________________________________________________________________
*** CID 516408: Error handling issues (CHECKED_RETURN)
/useredit.cpp: 1166 in sbbs_t::purgeuser(int)()
1160
1161 void sbbs_t::purgeuser(int usernumber)
1162 { char str[128];
1163 user_t user;
1164
1165 user.number=usernumber;

CID 516408: Error handling issues (CHECKED_RETURN)
Calling "getuserdat" without checking return value (as is done elsewhere 83 out of 98 times).

1166 getuserdat(&cfg,&user);
1167 SAFEPRINTF2(str,"Purged %s #%u",user.alias,usernumber);
1168 logentry("!*",str);
1169 delallmail(usernumber, MAIL_ANY);
1170 putusername(&cfg,usernumber,nulstr);
1171 putusermisc(usernumber, user.misc | DELETED);

** CID 516407: Error handling issues (CHECKED_RETURN)
/websrvr.c: 2037 in check_ars()


________________________________________________________________________________________________________
*** CID 516407: Error handling issues (CHECKED_RETURN)
/websrvr.c: 2037 in check_ars()
2031 else
2032 lprintf(LOG_NOTICE,"%04d !UNKNOWN USER: '%s'" 2033 ,session->socket,session->req.auth.username);
2034 return(false);
2035 }
2036 thisuser.number=i;

CID 516407: Error handling issues (CHECKED_RETURN)
Calling "getuserdat" without checking return value (as is done elsewhere 83 out of 98 times).

2037 getuserdat(&scfg, &thisuser);
2038 switch(session->req.auth.type) {
2039 case AUTHENTICATION_TLS_PSK:
2040 if((auth_allowed & (1<<AUTHENTICATION_TLS_PSK))==0)
2041 return(false);
2042 if(session->last_user_num!=0) {


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3DQyWe_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQZaRdcpKH1DbVbWKil-2BYXbuPo6Nlz2IWCRH2bHbIl-2BZWutyiZLTcraL5FS1iiZSM0cIaa70yw-2BvQnYvTFtY90cnRY6AunfTZ3TOchBhkmrNG5r6R9YGJilsgu5Suh4msrRA-2BqV-2BHoo-2B29c88W6IVBSZdgQoHyw-2Bn9zmKTgeEHvaqQ-3D-3D



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 516431: Incorrect expression (EVALUATION_ORDER)
/scfg/scfgsys.c: 1740 in sys_cfg()


________________________________________________________________________________________________________
*** CID 516431: Incorrect expression (EVALUATION_ORDER)
/scfg/scfgsys.c: 1740 in sys_cfg()
1734 char sys_pass[sizeof(cfg.sys_pass)];
1735 SAFECOPY(sys_pass, cfg.sys_pass);
1736 while(1) {
1737 i=0;
1738 snprintf(opt[i++],MAX_OPLN,"%-20s%s","BBS Name",cfg.sys_name);
1739 snprintf(opt[i++],MAX_OPLN,"%-20s%s","Location",cfg.sys_location);

CID 516431: Incorrect expression (EVALUATION_ORDER)
In argument #6 of "safe_snprintf(opt[i++], 75UL, "%-20s%s%s %s", "Local Time Zone", ((cfg.sys_timezone == -1) ? "Auto: " : ""), smb_zonestr(sys_timezone(&cfg), NULL), ((!(cfg.sys_timezone <= 1000 && cfg.sys_timezone >= -1000) && (cfg.sys_timezone & 0xc000 || cfg.sys_timezone == 4096 || cfg.sys_timezone == 4156 || cfg.sys_timezone == 4216 || cfg.sys_timezone == 4816 || cfg.sys_timezone == 4696 || cfg.sys_timezone == 4666) && cfg.sys_misc & 0x4000U) ? "(Auto-DST)" : ""))", a call is made to "sys_timezone(&cfg)". In argument #1 of this function, the object "cfg.sys_timezone" is modified. This object is also used in "(cfg.sys_timezone == -1) ? "Auto: " : """, the argument #5 of the outer function call. The order in which these arguments are evaluated is not specified, and will vary between platforms.

1740 snprintf(opt[i++],MAX_OPLN,"%-20s%s%s %s","Local Time Zone"
1741 ,cfg.sys_timezone == SYS_TIMEZONE_AUTO ? "Auto: " : ""
1742 ,smb_zonestr(sys_timezone(&cfg),NULL)
1743 ,SMB_TZ_HAS_DST(cfg.sys_timezone) && cfg.sys_misc&SM_AUTO_DST ? "(Auto-DST)" : "");
1744 snprintf(opt[i++],MAX_OPLN,"%-20s%s (e.g. %s)","Short Date Format"
1745 ,date_format(&cfg, str, sizeof str)


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3Du0AK_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQZX-2BkC2-2BAZJhPPYfXPDeIQ-2B4YvLEfkbd-2Bd6D-2Bq6Hgb3A8yT9nXPdJTazBcJukBEh03pJKxvVooRsB2exFituB7-2FZiW-2B-2FFf3SbStI-2Fat2UXSZKXBODkmruS46NddedKGixq1GgfIg-2BgPQfkssXqpoMR-2BzxwZcTjLKvzCO0Vk2ny9Gw-3D-3D



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

3 new defect(s) introduced to Synchronet found with Coverity Scan.
7 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 516462: Resource leaks (RESOURCE_LEAK)
/str.cpp: 277 in sbbs_t::sif(char *, char *, int)()


________________________________________________________________________________________________________
*** CID 516462: Resource leaks (RESOURCE_LEAK)
/str.cpp: 277 in sbbs_t::sif(char *, char *, int)()
271 errormsg(WHERE,ERR_OPEN,str,O_RDONLY);
272 return;
273 }
274 length=(int)filelength(file);
275 if(length < 0) {
276 errormsg(WHERE, ERR_CHK, str, length);

CID 516462: Resource leaks (RESOURCE_LEAK)
Handle variable "file" going out of scope leaks the handle.

277 return;
278 }
279 if((buf=(char *)calloc(length + 1, 1))==0) {
280 close(file);
281 errormsg(WHERE,ERR_ALLOC,str,length);
282 return;

** CID 516461: Resource leaks (RESOURCE_LEAK)
/writemsg.cpp: 678 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)()


________________________________________________________________________________________________________
*** CID 516461: Resource leaks (RESOURCE_LEAK)
/writemsg.cpp: 678 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)()
672 return(false);
673 }
674 length=(long)filelength(file);
675 if(length < 0) {
676 errormsg(WHERE, ERR_LEN, msgtmp, length);
677 free(buf);

CID 516461: Resource leaks (RESOURCE_LEAK)
Handle variable "file" going out of scope leaks the handle.

678 return false;
679 }
680 l=strlen((char *)buf); /* reserve space for top and terminating null */
681 /* truncate if too big */
682 if(length>(long)((cfg.level_linespermsg[useron_level]*MAX_LINE_LEN)-(l+1))) {
683 length=(cfg.level_linespermsg[useron_level]*MAX_LINE_LEN)-(l+1);

** CID 516460: Error handling issues (CHECKED_RETURN)
/chat.cpp: 254 in sbbs_t::multinodechat(int)()


________________________________________________________________________________________________________
*** CID 516460: Error handling issues (CHECKED_RETURN)
/chat.cpp: 254 in sbbs_t::multinodechat(int)()
248 if(getstr(str,8,K_UPPER|K_ALPHA|K_LINE)) {
249 getnodedat(cfg.node_num,&thisnode,true);
250 thisnode.aux=channel;
251 packchatpass(str,&thisnode);
252 }
253 else {

CID 516460: Error handling issues (CHECKED_RETURN)
Calling "getnodedat" without checking return value (as is done elsewhere 54 out of 58 times).

254 getnodedat(cfg.node_num,&thisnode,true);
255 thisnode.aux=channel;
256 }
257 }
258 else {
259 getnodedat(cfg.node_num,&thisnode,true);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3DT8kj_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQZ0FBX-2BUT7uzaWITu7U3dUMhdetuA-2BXV7YO8edQOGefnmNi1UdppKCC6vLOx06Y8sPuw5srJbsIYFYToJzSPdHxTD057AtOipCaMaoVsZPXJm19KDepDOzvHsB8koLerJtFoWwn5Qu57g8OiPy6q-2FxqWajzzHkfT1WyGUJ-2Bbs009Q-3D-3D



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 528581: Control flow issues (DEADCODE) /tmp/sbbs-Jan-01-2025/src/conio/sdl_con.c: 994 in sdl_video_event_thread()


________________________________________________________________________________________________________
*** CID 528581: Control flow issues (DEADCODE) /tmp/sbbs-Jan-01-2025/src/conio/sdl_con.c: 994 in sdl_video_event_thread()
988 if (bios_key >= 429496730 ||
989 (bios_key == 429496729 && ((ev.key.keysym.sym > SDLK_KP_5) || (ev.key.keysym.sym == SDLK_KP_0)))) {
990 terminate_bios = true;
991 }
992 }
993 else {

CID 528581: Control flow issues (DEADCODE)
Execution cannot reach the expression "ev.key.keysym.sym > SDLK_KP_5" inside this statement: "if (bios_key >= 26U || (bio...".

994 if (bios_key >= 26 ||
995 (bios_key == 429496729 && ((ev.key.keysym.sym > SDLK_KP_5) || (ev.key.keysym.sym == SDLK_KP_0)))) {
996 terminate_bios = true;
997 }
998 }
999 if (terminate_bios) {


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3DXNhu_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQbC0dee144hDhJdlAtpKcHwzMEyb91qJk06-2BZ5IIx-2F9DZxU4TfNPF8J4DJ1D5ZwCMW0WOJBoN8726nac3S-2FDDq0nwEjPKYHJxK0wxgZqFE1jRhzJfndbA8hvw5ibvT9tO3VGpQu88n0PuZ5Z9AmM7-2Fkauxnye2PWIl66kbToPTPZw-3D-3D



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

2 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 529876: (OVERRUN)
/tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 457 in lzh_update() /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 458 in lzh_update()


________________________________________________________________________________________________________
*** CID 529876: (OVERRUN)
/tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 457 in lzh_update()
451
452 tmp = huff->child[c];
453 huff->parent[tmp] = l;
454 if (tmp < LZH_TABLE_SZ)
455 huff->parent[tmp + 1] = l;
456

CID 529876: (OVERRUN)
Overrunning array "huff->child" of 628 2-byte elements at element index 628 (byte offset 1257) using index "l" (which evaluates to 628).

457 tmp2 = huff->child[l];
458 huff->child[l] = tmp;
459
460 huff->parent[tmp2] = c;
461 if (tmp2 < LZH_TABLE_SZ)
462 huff->parent[tmp2 + 1] = c; /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 458 in lzh_update()
452 tmp = huff->child[c];
453 huff->parent[tmp] = l;
454 if (tmp < LZH_TABLE_SZ)
455 huff->parent[tmp + 1] = l;
456
457 tmp2 = huff->child[l];

CID 529876: (OVERRUN)
Overrunning array "huff->child" of 628 2-byte elements at element index 628 (byte offset 1257) using index "l" (which evaluates to 628).

458 huff->child[l] = tmp;
459
460 huff->parent[tmp2] = c;
461 if (tmp2 < LZH_TABLE_SZ)
462 huff->parent[tmp2 + 1] = c;
463 huff->child[c] = tmp2;

** CID 529875: (OVERRUN)
/tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 450 in lzh_update() /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 449 in lzh_update() /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 445 in lzh_update()


________________________________________________________________________________________________________
*** CID 529875: (OVERRUN)
/tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 450 in lzh_update()
444 // If we exited before the end of table, decrement l
445 if (tmp <= huff->freq[l])
446 l--;
447
448 // Now swap nodes
449 huff->freq[c] = huff->freq[l];

CID 529875: (OVERRUN)
Overrunning array "huff->freq" of 628 2-byte elements at element index 628 (byte offset 1257) using index "l" (which evaluates to 628).

450 huff->freq[l] = tmp;
451
452 tmp = huff->child[c];
453 huff->parent[tmp] = l;
454 if (tmp < LZH_TABLE_SZ)
455 huff->parent[tmp + 1] = l; /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 449 in lzh_update()
443
444 // If we exited before the end of table, decrement l
445 if (tmp <= huff->freq[l])
446 l--;
447
448 // Now swap nodes

CID 529875: (OVERRUN)
Overrunning array "huff->freq" of 628 2-byte elements at element index 628 (byte offset 1257) using index "l" (which evaluates to 628).

449 huff->freq[c] = huff->freq[l];
450 huff->freq[l] = tmp;
451
452 tmp = huff->child[c];
453 huff->parent[tmp] = l;
454 if (tmp < LZH_TABLE_SZ) /tmp/sbbs-Jan-05-2025/src/encode/lzh.c: 445 in lzh_update()
439 * that has a lower frequency than our new one 440 */
441 for (l = c + 1; l <= LZH_TABLE_SZ && tmp > huff->freq[l]; l++)
442 ;
443
444 // If we exited before the end of table, decrement l

CID 529875: (OVERRUN)
Overrunning array "huff->freq" of 628 2-byte elements at element index 628 (byte offset 1257) using index "l" (which evaluates to 628).

445 if (tmp <= huff->freq[l])
446 l--;
447
448 // Now swap nodes
449 huff->freq[c] = huff->freq[l];
450 huff->freq[l] = tmp;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4gdQbQRNsarCbK0jIoVQSWT2zCPijRqaed4AhLiEI9Z7MR9SJQ09ot5XPbn9SW-2F14-3DVjXG_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQYmOS4dF7bzpu1cVppVHTeUZERPDt2v2E4lCt9lCuWdNtkNglNtUqzAPEUlnwGBzZlBueizPFLO26MyF5roLbzi-2F0G80IHg4mwTrYLGZfPUf8Sg5333ueo95zQQtd4OVT7zx85Gr8TBXnJTKyUKhNeMTemzlJoM0HPQHEa-2FpXlaaw-3D-3D



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 529977: Incorrect expression (SIZEOF_MISMATCH)
/atcodes.cpp: 2311 in sbbs_t::atcode(const char *, char *, unsigned long, int *, bool, JSObject *)()


________________________________________________________________________________________________________
*** CID 529977: Incorrect expression (SIZEOF_MISMATCH)
/atcodes.cpp: 2311 in sbbs_t::atcode(const char *, char *, unsigned long, int *, bool, JSObject *)()
2305 : (current_file->from == nullptr ? nulstr : current_file->from);
2306 if(strcmp(sp, "FILE_BYTES") == 0) {
2307 safe_snprintf(str, maxlen, "%ld", (long)current_file->size);
2308 return str;
2309 }
2310 if(strcmp(sp, "FILE_SIZE") == 0)

CID 529977: Incorrect expression (SIZEOF_MISMATCH)
Passing argument "str" of type "char *" and argument "8UL /* sizeof (str) */" to function "byte_estimate_to_str" is suspicious.

2311 return byte_estimate_to_str(current_file->size, str, sizeof str, /* units: */1024, /* precision: */1);
2312 if(strcmp(sp, "FILE_CREDITS") == 0) {
2313 safe_snprintf(str, maxlen, "%" PRIu64, current_file->cost);
2314 return str;
2315 }
2316 if(strcmp(sp, "FILE_CRC32") == 0) {


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, http://url2497.blackduck.com/ls/click?upn=u001.Ji18sHaXCxZb7Rfw8sC51j9Suwl84vq-2FeHTSxCm409PbgTgYEdi2VnuaQNlDgcb5JjALxNeaZf2yWZEMA-2FE6JEQm092Z-2B02AUi7Sp54Z-2B6I-3DjXBk_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQZ-2BccbwOBuD5ui7v9trYaUtAyk5nXDg6l2xX3MkPoD01xhpnfT-2Fkg6ap91bIfb4XqTQXNlxWOzjRjRNOVMZ2H7I9Q-2BXHowhaav-2B3SVUHs-2B21No7COFVbHUcCKKxzwKovyWxOeYInAxTYvAJs43a5sYtCMrwgWJgXbztBD8zm37Rwg-3D-3D



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 529991: Control flow issues (DEADCODE) /tmp/sbbs-Jan-09-2025/src/xpdev/genwrap.c: 1151 in xp_fast_timer64()


________________________________________________________________________________________________________
*** CID 529991: Control flow issues (DEADCODE) /tmp/sbbs-Jan-09-2025/src/xpdev/genwrap.c: 1151 in xp_fast_timer64()
1145 if (clock_getres(CLOCK_MONOTONIC_RAW, &ts) == 0)
1146 cid = CLOCK_MONOTONIC_RAW;
1147 }
1148 cid = CLOCK_MONOTONIC_RAW;
1149 #endif
1150 if (cid == CLOCK_REALTIME)

CID 529991: Control flow issues (DEADCODE)
Execution cannot reach this statement: "cid = 1;".

1151 cid = CLOCK_MONOTONIC;
1152
1153 if (clock_gettime(cid, &ts) == 0)
1154 ret = ts.tv_sec;
1155 else
1156 ret = -1;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, http://url2497.blackduck.com/ls/click?upn=u001.Ji18sHaXCxZb7Rfw8sC51j9Suwl84vq-2FeHTSxCm409PbgTgYEdi2VnuaQNlDgcb5JjALxNeaZf2yWZEMA-2FE6JEQm092Z-2B02AUi7Sp54Z-2B6I-3DJzn7_7FYjIqE8olEh4k02KWtt1r1LGSyuXVEtCuKuJCXgAQYw9HgWY5fw-2BKTu3iNJoyd7G2ZoeBsWXuqG5dV8s2gHJJ3z7riRhQ4NsZmnjMPwb0d5EgUIDxBYRgoxCBOeIJM-2FTyx1gDXnmdIG86yJoS96pjUoxOjapj4QBWqvYthXwRmCXtEhEMTEAYvLzxwt5vpbI04EqHQ4ulGmUuTBimQnkA-3D-3D



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

3 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 530002: (NULL_RETURNS)
/tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1544 in bitmap_clrscr()


________________________________________________________________________________________________________
*** CID 530002: (NULL_RETURNS)
/tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1547 in bitmap_clrscr()
1541 cols = vstat.cols;
1542 for (y = cio_textinfo.wintop - 1; y < cio_textinfo.winbottom && y < rows; y++) {
1543 for (x = cio_textinfo.winleft - 1; x < cio_textinfo.winright && x < cols; x++) {
1544 va[c++] = *set_vmem_cell(vmem_ptr, y * cio_textinfo.screenwidth + x, fill, ciolib_fg, ciolib_bg);
1545 }
1546 }

CID 530002: (NULL_RETURNS)
Dereferencing a pointer that might be "NULL" "va" when calling "bitmap_draw_vmem".

1547 bitmap_draw_vmem(cio_textinfo.winleft, cio_textinfo.wintop, cio_textinfo.winright, cio_textinfo.winbottom, va);
1548 release_vmem(vmem_ptr);
1549 pthread_mutex_unlock(&vstatlock);
1550 }
1551
1552 void bitmap_getcustomcursor(int *s, int *e, int *r, int *b, int *v) /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1544 in bitmap_clrscr()
1538 pthread_mutex_lock(&vstatlock);
1539 vmem_ptr = get_vmem(&vstat);
1540 rows = vstat.rows;
1541 cols = vstat.cols;
1542 for (y = cio_textinfo.wintop - 1; y < cio_textinfo.winbottom && y < rows; y++) {
1543 for (x = cio_textinfo.winleft - 1; x < cio_textinfo.winright && x < cols; x++) {

CID 530002: (NULL_RETURNS)
Dereferencing "va", which is known to be "NULL".

1544 va[c++] = *set_vmem_cell(vmem_ptr, y * cio_textinfo.screenwidth + x, fill, ciolib_fg, ciolib_bg);
1545 }
1546 }
1547 bitmap_draw_vmem(cio_textinfo.winleft, cio_textinfo.wintop, cio_textinfo.winright, cio_textinfo.winbottom, va);
1548 release_vmem(vmem_ptr);
1549 pthread_mutex_unlock(&vstatlock);

** CID 530001: (EVALUATION_ORDER)
/pack_qwk.cpp: 750 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() /pack_qwk.cpp: 750 in sbbs_t::pack_qwk(char *, unsigned int *, bool)()


________________________________________________________________________________________________________
*** CID 530001: (EVALUATION_ORDER)
/pack_qwk.cpp: 750 in sbbs_t::pack_qwk(char *, unsigned int *, bool)()
744 lprintf(LOG_ERR, "libarchive error (%s) creating %s", error, packet);
745 else
746 lprintf(LOG_INFO, "libarchive created %s from %d files", packet, file_count);
747 }
748 if(flength(packet) < 1) {
749 remove(packet);

CID 530001: (EVALUATION_ORDER)
In argument #1 of "this->external(this->cmdstr(this->temp_cmd(ex), packet, path, NULL, ex), ex | 1, NULL)", a call is made to "this->temp_cmd(ex)". In argument #1 of this function, the object "ex" is modified. This object is also used in "ex | 1", the argument #2 of the outer function call. The order in which these arguments are evaluated is not specified, and will vary between platforms.

750 if((i = external(cmdstr(temp_cmd(ex),packet,path,NULL,ex), ex|EX_WILDCARD)) != 0)
751 errormsg(WHERE, ERR_EXEC, cmdstr_output, i); 752 if(flength(packet) < 1) {
753 bputs(text[QWKCompressionFailed]);
754 return(false);
755 }
/pack_qwk.cpp: 750 in sbbs_t::pack_qwk(char *, unsigned int *, bool)()
744 lprintf(LOG_ERR, "libarchive error (%s) creating %s", error, packet);
745 else
746 lprintf(LOG_INFO, "libarchive created %s from %d files", packet, file_count);
747 }
748 if(flength(packet) < 1) {
749 remove(packet);

CID 530001: (EVALUATION_ORDER)
In argument #1 of "this->cmdstr(this->temp_cmd(ex), packet, path, NULL, ex)", a call is made to "this->temp_cmd(ex)". In argument #1 of this function, the object "ex" is modified. This object is also used in "ex", the argument #5 of the outer function call. The order in which these arguments are evaluated is not specified, and will vary between platforms.

750 if((i = external(cmdstr(temp_cmd(ex),packet,path,NULL,ex), ex|EX_WILDCARD)) != 0)
751 errormsg(WHERE, ERR_EXEC, cmdstr_output, i); 752 if(flength(packet) < 1) {
753 bputs(text[QWKCompressionFailed]);
754 return(false);
755 }

** CID 530000: (RESOURCE_LEAK)
/tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1550 in bitmap_clrscr() /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1536 in bitmap_clrscr()


________________________________________________________________________________________________________
*** CID 530000: (RESOURCE_LEAK) /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1550 in bitmap_clrscr()
1544 va[c++] = *set_vmem_cell(vmem_ptr, y * cio_textinfo.screenwidth + x, fill, ciolib_fg, ciolib_bg);
1545 }
1546 }
1547 bitmap_draw_vmem(cio_textinfo.winleft, cio_textinfo.wintop, cio_textinfo.winright, cio_textinfo.winbottom, va);
1548 release_vmem(vmem_ptr);
1549 pthread_mutex_unlock(&vstatlock);

CID 530000: (RESOURCE_LEAK)
Variable "va" going out of scope leaks the storage it points to.

1550 }
1551
1552 void bitmap_getcustomcursor(int *s, int *e, int *r, int *b, int *v) 1553 {
1554 pthread_mutex_lock(&vstatlock);
1555 if(s)
/tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1536 in bitmap_clrscr()
1530 struct vstat_vmem *vmem_ptr;
1531 size_t c = 0;
1532 int rows, cols;
1533 struct vmem_cell *va = malloc(((cio_textinfo.winright - cio_textinfo.winleft + 1) * (cio_textinfo.winbottom - cio_textinfo.wintop + 1)) * sizeof(struct vmem_cell));
1534
1535 if(!bitmap_initialized)

CID 530000: (RESOURCE_LEAK)
Variable "va" going out of scope leaks the storage it points to.

1536 return;
1537
1538 pthread_mutex_lock(&vstatlock);
1539 vmem_ptr = get_vmem(&vstat);
1540 rows = vstat.rows;
1541 cols = vstat.cols;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

46 new defect(s) introduced to Synchronet found with Coverity Scan.
22 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 46 defect(s)


** CID 530529: Insecure data handling (INTEGER_OVERFLOW)


________________________________________________________________________________________________________
*** CID 530529: Insecure data handling (INTEGER_OVERFLOW)
/str.cpp: 420 in sbbs_t::sif(char *, char *, int)()
414 answers[a+cr]=str[cr];
415 while(cr<max)
416 answers[a+cr++]=ETX;
417 a+=max;
418 }
419 else {

CID 530529: Insecure data handling (INTEGER_OVERFLOW)
"max", which might have underflowed, is passed to "putrec(answers, a, max, str)".

420 putrec(answers,a,max,str);
421 putrec(answers,a+max,2,crlf);
422 a+=max+2;
423 }
424 }
425 }

** CID 530527: Data race undermines locking (LOCK_EVASION)
/download.cpp: 188 in sbbs_t::protocol(prot_t *, XFER_TYPE, const char *, const char *, bool, bool, long *)()


________________________________________________________________________________________________________
*** CID 530527: Data race undermines locking (LOCK_EVASION)
/download.cpp: 188 in sbbs_t::protocol(prot_t *, XFER_TYPE, const char *, const char *, bool, bool, long *)()
182 logline(LOG_DEBUG,nulstr,protlog);
183 }
184 fclose(stream);
185 }
186
187 CRLF;

CID 530527: Data race undermines locking (LOCK_EVASION)
Thread1 sets "sys_status" to a new value. Now the two threads have an inconsistent view of "sys_status" and updates to fields correlated with "sys_status" may be lost.

188 if(autohang) sys_status|=SS_PAUSEOFF; /* Pause off after download */
189 if(elapsed != nullptr) {
190 *elapsed = end - start;
191 if(*elapsed < 0)
192 *elapsed = 0;
193 }

** CID 530526: Control flow issues (UNREACHABLE)
/uedit/uedit.c: 2189 in main()


________________________________________________________________________________________________________
*** CID 530526: Control flow issues (UNREACHABLE)
/uedit/uedit.c: 2189 in main()
2183 edit_user(&cfg, atoi(opt[i]));
2184 break;
2185 }
2186 }
2187 }
2188 }

CID 530526: Control flow issues (UNREACHABLE)
This code cannot be reached: "free_opts(opt);".

2189 free_opts(opt);

** CID 530525: Insecure data handling (INTEGER_OVERFLOW)
/getmsg.cpp: 540 in sbbs_t::getmsgnum(int, long)()


________________________________________________________________________________________________________
*** CID 530525: Insecure data handling (INTEGER_OVERFLOW)
/getmsg.cpp: 540 in sbbs_t::getmsgnum(int, long)()
534 errormsg(WHERE,ERR_OPEN,smb.file,i,smb.last_error);
535 return 0;
536 }
537 int result = smb_getmsgidx_by_time(&smb, &idx, t);
538 smb_close(&smb);
539 if(result >= SMB_SUCCESS)

CID 530525: Insecure data handling (INTEGER_OVERFLOW)
"idx.number - 1U", which might have underflowed, is returned from the function.

540 return idx.number - 1;
541 return ~0;
542 }
543
544 /****************************************************************************/
545 /* Returns the time of the message number pointed to by 'ptr' */

** CID 530524: Data race undermines locking (LOCK_EVASION)
/exec.cpp: 1410 in sbbs_t::exec(csi_t *)()


________________________________________________________________________________________________________
*** CID 530524: Data race undermines locking (LOCK_EVASION)
/exec.cpp: 1410 in sbbs_t::exec(csi_t *)()
1404 csi->logic=strnicmp(csi->str,(char*)csi->ip,strlen((char*)csi->ip));
1405 break;
1406 default:
1407 errormsg(WHERE,ERR_CHK,"shell instruction",*(csi->ip-1));
1408 break;
1409 }

CID 530524: Data race undermines locking (LOCK_EVASION)
Thread1 sets "ip" to a new value. Now the two threads have an inconsistent view of "ip" and updates to fields correlated with "ip" may be lost.

1410 while(*(csi->ip++)); /* Find NULL */
1411 return(0);
1412 }
1413
1414 if(*csi->ip>=CS_THREE_BYTE) {
1415 switch(*(csi->ip++)) {

** CID 530523: Insecure data handling (INTEGER_OVERFLOW)


________________________________________________________________________________________________________
*** CID 530523: Insecure data handling (INTEGER_OVERFLOW)
/chat.cpp: 178 in sbbs_t::multinodechat(int)()
172 SAFECAT(str,"0");
173 i=getkeys(str,cfg.total_chans);
174 if(i&0x80000000L) { /* change channel */
175 savch=(char)(i&~0x80000000L); 176 if(savch==channel)
177 continue;

CID 530523: Insecure data handling (INTEGER_OVERFLOW)
"savch - 1", which might have underflowed, is passed to "this->chan_access(savch - 1)".

178 if(!chan_access(savch-1))
179 continue;
180 bprintf(text[WelcomeToChannelN] 181 ,savch,cfg.chan[savch-1]->name);
182
183 usrs=0;

** CID 530521: Control flow issues (DEADCODE)
/websrvr.c: 6459 in read_post_data()


________________________________________________________________________________________________________
*** CID 530521: Control flow issues (DEADCODE)
/websrvr.c: 6459 in read_post_data()
6453 if(ch_len==0)
6454 break;
6455 /* Check size */
6456 s += ch_len;
6457 if(s > MAX_POST_LEN) {
6458 if(s > SIZE_MAX) {

CID 530521: Control flow issues (DEADCODE)
Execution cannot reach this statement: "send_error(session, 6459U, ...".

6459 send_error(session,__LINE__,"413 Request entity too large");
6460 FCLOSE_OPEN_FILE(fp); 6461 return(false);
6462 }
6463 if(fp==NULL) {
6464 fp=open_post_file(session);

** CID 530517: Resource leaks (RESOURCE_LEAK)
/sbbsecho.c: 5884 in find_stray_packets()


________________________________________________________________________________________________________
*** CID 530517: Resource leaks (RESOURCE_LEAK)
/sbbsecho.c: 5884 in find_stray_packets()
5878 }
5879 if(terminator == FIDO_PACKET_TERMINATOR)
5880 lprintf(LOG_DEBUG, "Stray packet already finalized: %s", packet);
5881 else {
5882 if((pkt->fp = fopen(pkt->filename, "ab")) == NULL) {
5883 lprintf(LOG_ERR, "ERROR %d (%s) opening %s", errno, strerror(errno), pkt->filename);

CID 530517: Resource leaks (RESOURCE_LEAK)
Freeing "pkt" without freeing its pointer field "filename" leaks the storage that "filename" points to.

5884 free(pkt);
5885 continue;
5886 }
5887 }
5888 pkt->orig = pkt_orig;
5889 pkt->dest = pkt_dest;

** CID 530516: Integer handling issues (INTEGER_OVERFLOW)
/sbbsecho.c: 3920 in putfmsg()


________________________________________________________________________________________________________
*** CID 530516: Integer handling issues (INTEGER_OVERFLOW)
/sbbsecho.c: 3920 in putfmsg()
3914 lastlen=9; /* +strlen(seenby); */
3915 net_exists=0;
3916 fprintf(stream,"\rSEEN-BY:"); 3917 }
3918 }
3919

CID 530516: Integer handling issues (INTEGER_OVERFLOW)
Expression "u++", where "u" is known to be equal to 4294967295, overflows the type of "u++", which is type "unsigned int".

3920 for(u=0;u<area.links;u++) { /* Add all links to SEEN-BYs */
3921 nodecfg_t* nodecfg=findnodecfg(&cfg, area.link[u], /* exact: */false);
3922 if(nodecfg!=NULL && nodecfg->passive) 3923 continue;
3924 strcpy(seenby," ");
3925 if(foreign_zone(addr.zone, area.link[u].zone) || area.link[u].point)

** CID 530515: Insecure data handling (INTEGER_OVERFLOW)
/js_system.c: 1575 in js_get_node()


________________________________________________________________________________________________________
*** CID 530515: Insecure data handling (INTEGER_OVERFLOW)
/js_system.c: 1575 in js_get_node()
1569 JS_DefineProperty(cx, nodeobj, "action", INT_TO_JSVAL((int)node.action), NULL, NULL, JSPROP_ENUMERATE);
1570 JS_DefineProperty(cx, nodeobj, "activity", STRING_TO_JSVAL(JS_NewStringCopyZ(cx, node_activity(sys->cfg, &node, str, sizeof str, node_num))), NULL, NULL, JSPROP_ENUMERATE);
1571 JS_DefineProperty(cx, nodeobj, "useron", INT_TO_JSVAL((int)node.useron), NULL, NULL, JSPROP_ENUMERATE);
1572 JS_DefineProperty(cx, nodeobj, "connection", INT_TO_JSVAL((int)node.connection), NULL, NULL, JSPROP_ENUMERATE);
1573 JS_DefineProperty(cx, nodeobj, "misc", INT_TO_JSVAL((int)node.misc), NULL, NULL, JSPROP_ENUMERATE);
1574 JS_DefineProperty(cx, nodeobj, "aux", INT_TO_JSVAL((int)node.aux), NULL, NULL, JSPROP_ENUMERATE);

CID 530515: Insecure data handling (INTEGER_OVERFLOW)
The cast of "node.extaux" to a signed type could result in a negative number.

1575 JS_DefineProperty(cx, nodeobj, "extaux", INT_TO_JSVAL((int)node.extaux), NULL, NULL, JSPROP_ENUMERATE);
1576 JS_SET_RVAL(cx, arglist, OBJECT_TO_JSVAL(nodeobj));
1577 return JS_TRUE;
1578 }
1579
1580 static JSBool

** CID 530514: (INTEGER_OVERFLOW)
/scansubs.cpp: 312 in sbbs_t::new_scan_ptr_cfg()()
/scansubs.cpp: 375 in sbbs_t::new_scan_ptr_cfg()()


________________________________________________________________________________________________________
*** CID 530514: (INTEGER_OVERFLOW)
/scansubs.cpp: 312 in sbbs_t::new_scan_ptr_cfg()()
306 else
307 subscan[usrsub[i][j]].ptr=l-s;
308 }
309 progress(text[LoadingMsgPtrs], subs, total_subs);
310 continue;
311 }

CID 530514: (INTEGER_OVERFLOW)
Expression "i", where "(s & 0xffffffff7fffffffL) - 1L" is known to be equal to -1, overflows the type of "i", which is type "int".

312 i=(s&~0x80000000L)-1;
313 while(online) {
314 l=0;
315 bprintf(text[CfgSubLstHdr],cfg.grp[usrgrp[i]]->lname);
316 for(j=0;j<usrsubs[i] && !msgabort();j++) {
317 checkline();
/scansubs.cpp: 375 in sbbs_t::new_scan_ptr_cfg()()
369 subscan[usrsub[i][j]].ptr=l-s;
370 }
371 progress(text[LoadingMsgPtrs], j, usrsubs[i]);
372 continue;
373 }
374 else {

CID 530514: (INTEGER_OVERFLOW)
Expression "j", where "(s & 0xffffffff7fffffffL) - 1L" is known to be equal to -1, overflows the type of "j", which is type "int".

375 j=(s&~0x80000000L)-1;
376 mnemonics(text[SetMsgPtrPrompt]);
377 SAFEPRINTF2(keys, "%s%c", text[DateLastKeys], quit_key());
378 s=getkeys(keys, 9999);
379 if(s==-1 || s==quit_key())
380 continue;

** CID 530512: Integer handling issues (INTEGER_OVERFLOW)
/scansubs.cpp: 472 in sbbs_t::new_scan_cfg(unsigned int)()


________________________________________________________________________________________________________
*** CID 530512: Integer handling issues (INTEGER_OVERFLOW)
/scansubs.cpp: 472 in sbbs_t::new_scan_cfg(unsigned int)()
466 subscan[usrsub[i][j]].cfg&=~SUB_CFG_YSCAN;
467 subscan[usrsub[i][j]].cfg|=misc;
468 }
469 }
470 continue;
471 }

CID 530512: Integer handling issues (INTEGER_OVERFLOW)
Expression "j", where "(s & 0xffffffff7fffffffL) - 1L" is known to be equal to -1, overflows the type of "j", which is type "int".

472 j=(s&~0x80000000L)-1;
473 if(misc&SUB_CFG_NSCAN && !(subscan[usrsub[i][j]].cfg&misc)) {
474 if(!(useron.rest&FLAG('Q')) && !noyes(text[MsgsToYouOnlyQ]))
475 subscan[usrsub[i][j]].cfg|=SUB_CFG_YSCAN;
476 else
477 subscan[usrsub[i][j]].cfg&=~SUB_CFG_YSCAN;

** CID 530511: (INTEGER_OVERFLOW)
/websrvr.c: 706 in sess_sendbuf()
/websrvr.c: 719 in sess_sendbuf()


________________________________________________________________________________________________________
*** CID 530511: (INTEGER_OVERFLOW)
/websrvr.c: 706 in sess_sendbuf()
700 }
701 else
702 *failed=true;
703 result = tls_sent;
704 }
705 else {

CID 530511: (INTEGER_OVERFLOW)
"len - sent", which might have underflowed, is passed to "send(session->socket, buf + sent, len - sent, 0)".

706 result=sendsocket(session->socket,buf+sent,len-sent);
707 if(result==SOCKET_ERROR) {
708 if(SOCKET_ERRNO==ECONNRESET) 709 lprintf(LOG_NOTICE,"%04d Connection reset by peer on send",session->socket);
710 else if(SOCKET_ERRNO==ECONNABORTED)
711 lprintf(LOG_NOTICE,"%04d Connection aborted by peer on send",session->socket);
/websrvr.c: 719 in sess_sendbuf()
713 else if(SOCKET_ERRNO==EPIPE) 714 lprintf(LOG_NOTICE,"%04d Unable to send to peer",session->socket);
715 #endif
716 else if(session->socket != INVALID_SOCKET)
717 lprintf(LOG_WARNING,"%04d !ERROR %d sending on socket",session->socket,SOCKET_ERRNO);
718 *failed=true;

CID 530511: (INTEGER_OVERFLOW)
"sent", which might have underflowed, is returned from the function. 719 return(sent);

720 }
721 }
722 }
723 else {
724 lprintf(LOG_WARNING,"%04d Timeout waiting for socket to become writable",session->socket);

** CID 530509: (INTEGER_OVERFLOW)
/getstr.cpp: 338 in sbbs_t::getstr(char *, unsigned long, int, char **)() /getstr.cpp: 482 in sbbs_t::getstr(char *, unsigned long, int, char **)() /getstr.cpp: 427 in sbbs_t::getstr(char *, unsigned long, int, char **)() /getstr.cpp: 617 in sbbs_t::getstr(char *, unsigned long, int, char **)()


________________________________________________________________________________________________________
*** CID 530509: (INTEGER_OVERFLOW)
/getstr.cpp: 338 in sbbs_t::getstr(char *, unsigned long, int, char **)()
332 l=strlen(strout);
333 if(mode&K_NOECHO)
334 return(l);
335 if(mode&K_MSG)
336 redrwstr(strout,i,l,K_MSG);
337 else {

CID 530509: (INTEGER_OVERFLOW)
Expression "i--", where "i" is known to be equal to 0, underflows the type of "i--", which is type "size_t".

338 while(i--)
339 bputs("\b");
340 bputs(strout);
341 if(mode&K_LINE)
342 attr(LIGHTGRAY);
343 }
/getstr.cpp: 482 in sbbs_t::getstr(char *, unsigned long, int, char **)()
476 if(history != NULL) {
477 if(history[hidx + 1] == NULL) { 478 outchar(BEL);
479 break;
480 }
481 hidx++;

CID 530509: (INTEGER_OVERFLOW)
Expression "i--", where "i" is known to be equal to 0, underflows the type of "i--", which is type "size_t".

482 while(i--)
483 backspace();
484 SAFECOPY(str1, history[hidx]); 485 i=l=strlen(str1);
486 rputs(str1);
487 cleartoeol();
/getstr.cpp: 427 in sbbs_t::getstr(char *, unsigned long, int, char **)()
421 }
422 i=0;
423 console|=CON_DELETELINE;
424 break;
425 case CTRL_Z: /* Undo */
426 if(!(mode&K_NOECHO)) {

CID 530509: (INTEGER_OVERFLOW)
Expression "i--", where "i" is known to be equal to 0, underflows the type of "i--", which is type "size_t".

427 while(i--)
428 backspace();
429 }
430 SAFECOPY(str1,undo);
431 i=l=strlen(str1);
432 rputs(str1);
/getstr.cpp: 617 in sbbs_t::getstr(char *, unsigned long, int, char **)()
611 }
612 getstr_offset=i;
613 if(!online)
614 return(0);
615 if(i>l)
616 l=i;

CID 530509: (INTEGER_OVERFLOW)
"l", which might have underflowed, is passed to "str1[l]".

617 str1[l]=0;
618 if(!(sys_status&SS_ABORT)) {
619 strcpy(strout,str1);
620 if(mode&K_TRIM)
621 truncsp(strout);
622 if((strip_invalid_attr(strout) || (console&CON_INSERT)) && !(mode&K_NOECHO))

** CID 530506: Concurrent data access violations (MISSING_LOCK)
/ssl.c: 640 in destroy_session()


________________________________________________________________________________________________________
*** CID 530506: Concurrent data access violations (MISSING_LOCK)
/ssl.c: 640 in destroy_session()
634 while (sess != NULL) {
635 if (sess->sess == csess) {
636 if (psess == NULL) {
637 sess_list = sess->next;
638 }
639 else {

CID 530506: Concurrent data access violations (MISSING_LOCK)
Accessing "psess->next" without holding lock "ssl_cert_list_mutex". Elsewhere, "cert_list.next" is written to with "ssl_cert_list_mutex" held 2 out of 4 times (2 of these accesses strongly imply that it is necessary).

640 psess->next = sess->next;
641 }
642 break;
643 }
644 psess = sess;
645 sess = sess->next;

** CID 530505: Resource leaks (RESOURCE_LEAK)
/bulkmail.cpp: 177 in sbbs_t::bulkmailhdr(smb_t *, smbmsg_t *, unsigned int)()


________________________________________________________________________________________________________
*** CID 530505: Resource leaks (RESOURCE_LEAK)
/bulkmail.cpp: 177 in sbbs_t::bulkmailhdr(smb_t *, smbmsg_t *, unsigned int)() 171
172 user.number=usernum;
173 if(getuserdat(&cfg, &user)!=0)
174 return(0);
175
176 if((i=smb_copymsgmem(NULL,&newmsg,msg))!=SMB_SUCCESS)

CID 530505: Resource leaks (RESOURCE_LEAK)
Variable "newmsg" going out of scope leaks the storage "newmsg.hfield_dat" points to.

177 return(i);
178
179 SAFECOPY(str,user.alias);
180 smb_hfield_str(&newmsg,RECIPIENT,str);
181
182 if(cfg.sys_misc&SM_FWDTONET && user.misc&NETMAIL && user.netmail[0]) {

** CID 530504: Insecure data handling (INTEGER_OVERFLOW)
/websrvr.c: 6476 in read_post_data()


________________________________________________________________________________________________________
*** CID 530504: Insecure data handling (INTEGER_OVERFLOW)
/websrvr.c: 6476 in read_post_data()
6470 return(false);
6471 }
6472 }
6473 else {
6474 /* realloc() to new size */ 6475 /* FREE()d in close_request */ >>> CID 530504: Insecure data handling (INTEGER_OVERFLOW)

"s", which might have underflowed, is passed to "realloc(session->req.post_data, s)".

6476 p=realloc(session->req.post_data, s);
6477 if(p==NULL) {
6478 errprintf(LOG_CRIT, WHERE, "%04d !ERROR Allocating %lu bytes of memory",session->socket, (ulong)session->req.post_len);
6479 send_error(session,__LINE__,"413 Request entity too large");
6480 FCLOSE_OPEN_FILE(fp); 6481 return(false);

** CID 530501: Resource leaks (RESOURCE_LEAK)
/js_socket.c: 3239 in js_connected_socket_constructor()


________________________________________________________________________________________________________
*** CID 530501: Resource leaks (RESOURCE_LEAK)
/js_socket.c: 3239 in js_connected_socket_constructor()
3233
3234 dbprintf(false, p, "object constructed");
3235 return(JS_TRUE);
3236
3237 fail:
3238 if (p)

CID 530501: Resource leaks (RESOURCE_LEAK)
Freeing "p" without freeing its handle field "sock" leaks the handle. 3239 free(p);

3240 if (protocol)
3241 free(protocol);
3242 if (host)
3243 free(host);
3244 return JS_FALSE;

** CID 530500: Control flow issues (DEADCODE) /tmp/sbbs-Jan-12-2025/src/xpdev/xpsem.c: 62 in xp_sem_init()


________________________________________________________________________________________________________
*** CID 530500: Control flow issues (DEADCODE) /tmp/sbbs-Jan-12-2025/src/xpdev/xpsem.c: 62 in xp_sem_init()
56 errno = EPERM;
57 retval = -1;
58 goto RETURN;
59 }
60
61 if (value > XP_SEM_VALUE_MAX) {

CID 530500: Control flow issues (DEADCODE)
Execution cannot reach this statement: "*__errno_location() = 22;".

62 errno = EINVAL;
63 retval = -1;
64 goto RETURN;
65 }
66
67 *sem = (xp_sem_t)malloc(sizeof(struct xp_sem));

** CID 530498: Resource leaks (RESOURCE_LEAK)
/js_socket.c: 3413 in js_listening_socket_constructor()


________________________________________________________________________________________________________
*** CID 530498: Resource leaks (RESOURCE_LEAK)
/js_socket.c: 3413 in js_listening_socket_constructor()
3407 return(JS_FALSE);
3408 }
3409
3410 if(!js_DefineSocketOptionsArray(cx, obj, type)) {
3411 free(p);
3412 free(set);

CID 530498: Resource leaks (RESOURCE_LEAK)
Variable "protocol" going out of scope leaks the storage it points to. 3413 return(JS_FALSE);

3414 }
3415
3416 #ifdef BUILD_JSDOCS
3417 js_DescribeSyncObject(cx,obj,"Class used for incoming TCP/IP socket communications",317);
3418 js_DescribeSyncConstructor(cx,obj,"To create a new ListeningSocket object: "


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 530828: Possible Control flow issues (DEADCODE)
/load_cfg.c: 147 in load_cfg()


________________________________________________________________________________________________________
*** CID 530828: Possible Control flow issues (DEADCODE)
/load_cfg.c: 147 in load_cfg()
141 free(text[n]);
142 text[n] = strdup(list[i]->value);
143 }
144 iniFreeNamedStringList(list);
145 iniFreeStringList(ini);
146 if (!success)

CID 530828: Possible Control flow issues (DEADCODE)
Execution cannot reach this statement: "return false;".

147 return false;
148 }
149
150 cfg->text = text;
151 }
152


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 530902: (CHECKED_RETURN)
/useredit.cpp: 745 in sbbs_t::user_config(user_t *)()
/useredit.cpp: 740 in sbbs_t::user_config(user_t *)()


________________________________________________________________________________________________________
*** CID 530902: (CHECKED_RETURN)
/useredit.cpp: 745 in sbbs_t::user_config(user_t *)()
739 exec_bin(cmdline, &main_csi);
740 getuserdat(&cfg, user);
741 return;
742 }
743 while (online) {
744 CLS;

CID 530902: (CHECKED_RETURN)
Calling "getuserdat" without checking return value (as is done elsewhere 83 out of 98 times).

745 getuserdat(&cfg, user);
746 bprintf(text[UserDefaultsHdr], user->alias, user->number);
747 if (user == &useron) {
748 update_nodeterm();
749 load_user_text();
750 }
/useredit.cpp: 740 in sbbs_t::user_config(user_t *)()
734
735 action = NODE_DFLT;
736 if (cfg.usercfg_mod[0]) {
737 char cmdline[256];
738 snprintf(cmdline, sizeof(cmdline), "%s %u", cfg.usercfg_mod, user->number);
739 exec_bin(cmdline, &main_csi);

CID 530902: (CHECKED_RETURN)
Calling "getuserdat" without checking return value (as is done elsewhere 83 out of 98 times).

740 getuserdat(&cfg, user);
741 return;
742 }
743 while (online) {
744 CLS;
745 getuserdat(&cfg, user);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 531895: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Jan-24-2025/src/conio/bitmap_con.c: 783 in draw_char_row_slow()


________________________________________________________________________________________________________
*** CID 531895: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Jan-24-2025/src/conio/bitmap_con.c: 783 in draw_char_row_slow()
777
778 uint8_t fb = cs->font[cs->fontoffset];
779 for(unsigned x = 0; x < vstat.charwidth; x++) {
780 unsigned bitnum = x & 0x07;
781 if (bs->expand && x == bs->font_data_width) {
782 if (cs->gexpand)

CID 531895: Integer handling issues (INTEGER_OVERFLOW)
Expression "x - 1U", where "x" is known to be equal to 0, underflows the type of "x - 1U", which is type "unsigned int".

783 fbb = cs->font[cs->fontoffset - 1] & (0x80 >> ((x - 1) & 7));
784 else
785 fbb = 0;
786 }
787 else {
788 if (bitnum == 0 && x != 0) {


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 531919: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Jan-26-2025/src/xpdev/named_str_list.c: 43 in namedStrListDelete()


________________________________________________________________________________________________________
*** CID 531919: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Jan-26-2025/src/xpdev/named_str_list.c: 43 in namedStrListDelete()
37 size_t count;
38 named_string_t *old;
39 named_string_t **newlist;
40
41 COUNT_LIST_ITEMS(*list, count);
42 if (index == NAMED_STR_LIST_LAST_INDEX)

CID 531919: Integer handling issues (INTEGER_OVERFLOW)
Expression "count - 1UL", where "count" is known to be equal to 0, underflows the type of "count - 1UL", which is type "unsigned long".

43 index = count - 1;
44 if (index >= count)
45 return false;
46 newlist = (named_string_t **)realloc(*list, (count + 1) * sizeof(named_string_t*));
47 if (newlist != NULL)
48 *list = newlist;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 532317: Error handling issues (CHECKED_RETURN)
/js_socket.c: 2380 in js_socket_set()


________________________________________________________________________________________________________
*** CID 532317: Error handling issues (CHECKED_RETURN)
/js_socket.c: 2380 in js_socket_set()
2374 size_t key_sz;
2375 JS_IdToValue(cx, ids->vector[k], &js_id);
2376 id = NULL;
2377 JSVALUE_TO_MSTRING(cx, js_id, id, &id_sz);
2378 if (id != NULL) {
2379 if (!JS_IsExceptionPending(cx)) {

CID 532317: Error handling issues (CHECKED_RETURN)
Calling "JS_GetProperty" without checking return value (as is done elsewhere 196 out of 203 times).

2380 JS_GetProperty(cx, p->tls_psk, id, &js_key);
2381 JSVALUE_TO_MSTRING(cx, js_key, key, &key_sz);
2382 if (key != NULL) {
2383 if (!JS_IsExceptionPending(cx)) {
2384 if (do_cryptAttributeString(p->session, CRYPT_SESSINFO_USERNAME, id, id_sz) == CRYPT_OK)
2385 do_cryptAttributeString(p->session, CRYPT_SESSINFO_PASSWORD, key, key_sz);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

2 new defect(s) introduced to Synchronet found with Coverity Scan.
17 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 543172: Program hangs (SLEEP)


________________________________________________________________________________________________________
*** CID 543172: Program hangs (SLEEP)
/main.cpp: 3876 in sbbs_t::~sbbs_t()()
3870 fremove(WHERE, syspage_semfile);
3871
3872 /********************************/
3873 /* Free allocated class members */
3874 /********************************/
3875

CID 543172: Program hangs (SLEEP)
Call to "js_cleanup" might sleep while holding lock "this->nodefile_mutex".

3876 js_cleanup();
3877
3878 /* Reset text.dat */
3879
3880 for (i = 0; i < TOTAL_TEXT; i++)
3881 if (text[i] != text_sav[i]) {

** CID 543171: Null pointer dereferences (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 543171: Null pointer dereferences (FORWARD_NULL)
/main.cpp: 1528 in sbbs_t::js_create_user_objects(JSContext *, JSObject *)() 1522 bool sbbs_t::js_create_user_objects(JSContext* cx, JSObject* glob) 1523 {
1524 bool result = false;
1525 if (cx != NULL) {
1526 JS_BEGINREQUEST(cx);
1527 if (!js_CreateUserObjects(cx, glob, &cfg, &useron, &client, startup == NULL ? NULL :startup->web_file_vpath_prefix, subscan, mqtt))

CID 543171: Null pointer dereferences (FORWARD_NULL)
"errprintf" dereferences null "this->startup".

1528 errprintf(LOG_ERR, WHERE, "!JavaScript ERROR creating user objects");
1529 else
1530 result = true;
1531 JS_ENDREQUEST(cx);
1532 }
1533 return result;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 544155: Error handling issues (CHECKED_RETURN)
/ssl.c: 540 in get_ssl_cert()


________________________________________________________________________________________________________
*** CID 544155: Error handling issues (CHECKED_RETURN)
/ssl.c: 540 in get_ssl_cert()
534 size_t backoff_ms = 1;
535 unsigned loops = 0;
536 while (cert_entry->cert == -1) {
537 assert_pthread_mutex_lock(&get_ssl_cert_mutex);
538 /* Get the certificate... first try loading it from a file... */
539 if (cryptStatusOK(cryptKeysetOpen(&ssl_keyset, CRYPT_UNUSED, CRYPT_KEYSET_FILE, cert_path, CRYPT_KEYOPT_READONLY))) {

CID 544155: Error handling issues (CHECKED_RETURN)
Calling "log_cryptlib_error" without checking return value (as is done elsewhere 16 out of 17 times).

540 DO("getting private key", ssl_keyset, cryptGetPrivateKey(ssl_keyset, &cert_entry->cert, CRYPT_KEYID_NAME, "ssl_cert", cfg->sys_pass));
541 cryptKeysetClose(ssl_keyset);
542 }
543 if (cert_entry->cert == -1) {
544 lprintf(LOG_WARNING, "Failed to open/read TLS certificate: %s", cert_path);
545 if (cfg->create_self_signed_cert) {


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

5 new defect(s) introduced to Synchronet found with Coverity Scan.
6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)


** CID 548252: Error handling issues (NEGATIVE_RETURNS)
/writemsg.cpp: 709 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)()


________________________________________________________________________________________________________
*** CID 548252: Error handling issues (NEGATIVE_RETURNS)
/writemsg.cpp: 709 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)()
703 buf[0] = 0;
704 if (linesquoted || draft_restored) {
705 if ((file = nopen(msgtmp, O_RDONLY)) != -1) { 706 length = (long)filelength(file);
707 l = length > (int)(cfg.level_linespermsg[useron_level] * MAX_LINE_LEN) - 1
708 ? (cfg.level_linespermsg[useron_level] * MAX_LINE_LEN) - 1 : length;

CID 548252: Error handling issues (NEGATIVE_RETURNS)
"l" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]

709 if (read(file, buf, l) != l)
710 l = 0;
711 buf[l] = 0;
712 close(file);
713 // remove(msgtmp);
714 }

** CID 548251: Incorrect expression (SIZEOF_MISMATCH)
/xtrn.cpp: 1621 in sbbs_t::external(const char *, int, const char *)()


________________________________________________________________________________________________________
*** CID 548251: Incorrect expression (SIZEOF_MISMATCH)
/xtrn.cpp: 1621 in sbbs_t::external(const char *, int, const char *)()
1615 return -1;
1616 }
1617
1618 if ((mode & EX_STDIO) == EX_STDIO) {
1619 struct winsize winsize;
1620 struct termios termio;

CID 548251: Incorrect expression (SIZEOF_MISMATCH)
Passing argument "&termio" of type "termios *" and argument "8UL" ("sizeof (this->term)") to function "memset" is suspicious because "sizeof (termios) /*60*/" is expected.

1621 memset(&termio, 0, sizeof(term));
1622 cfsetispeed(&termio, B19200);
1623 cfsetospeed(&termio, B19200);
1624 if (mode & EX_BIN)
1625 cfmakeraw(&termio);
1626 else {

** CID 548250: Control flow issues (NO_EFFECT)
/terminal.cpp: 31 in Terminal::scroll_hotspots(unsigned int)()


________________________________________________________________________________________________________
*** CID 548250: Control flow issues (NO_EFFECT)
/terminal.cpp: 31 in Terminal::scroll_hotspots(unsigned int)()
25 unsigned spots = 0;
26 unsigned remain = 0;
27 for (list_node_t* node = mouse_hotspots->first; node != NULL; node = node->next) {
28 struct mouse_hotspot* spot = (struct mouse_hotspot*)node->data; 29 spot->y -= count;
30 spots++;

CID 548250: Control flow issues (NO_EFFECT)
This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "spot->y >= 0U".

31 if (spot->y >= 0)
32 remain++;
33 }
34 #ifdef _DEBUG
35 if (spots)
36 sbbs->lprintf(LOG_DEBUG, "Scrolled %u mouse hot-spots %u rows (%u remain)", spots, count, remain);

** CID 548249: (DEADCODE)
/useredit.cpp: 89 in sbbs_t::useredit(int)()
/useredit.cpp: 89 in sbbs_t::useredit(int)()


________________________________________________________________________________________________________
*** CID 548249: (DEADCODE)
/useredit.cpp: 89 in sbbs_t::useredit(int)()
83 SAFEPRINTF2(user_pass, "%.*s..", (int)(max_len - 2), user.pass);
84 bprintf(text[UeditAliasPassword]
85 , user.alias
86 , datestr(user.pwmod, tmp)
87 , (user.level > useron.level || !(cfg.sys_misc & SM_ECHO_PW)) ? "<hidden>" : user_pass
88 );

CID 548249: (DEADCODE)
Execution cannot reach the expression ""XXXXXXXX"" inside this statement: "this->bprintf(this->text[Ue...".

89 bprintf(text[UeditRealNamePhone]
90 , user.level > useron.level && console & CON_R_ECHO
91 ? "XXXXXXXX" : user.name
92 , user.level > useron.level && console & CON_R_ECHO
93 ? "XXX-XXX-XXXX" : user.phone);
94 bprintf(text[UeditAddressBirthday]
/useredit.cpp: 89 in sbbs_t::useredit(int)()
83 SAFEPRINTF2(user_pass, "%.*s..", (int)(max_len - 2), user.pass);
84 bprintf(text[UeditAliasPassword]
85 , user.alias
86 , datestr(user.pwmod, tmp)
87 , (user.level > useron.level || !(cfg.sys_misc & SM_ECHO_PW)) ? "<hidden>" : user_pass
88 );

CID 548249: (DEADCODE)
Execution cannot reach the expression ""XXX-XXX-XXXX"" inside this statement: "this->bprintf(this->text[Ue...".

89 bprintf(text[UeditRealNamePhone]
90 , user.level > useron.level && console & CON_R_ECHO
91 ? "XXXXXXXX" : user.name
92 , user.level > useron.level && console & CON_R_ECHO
93 ? "XXX-XXX-XXXX" : user.phone);
94 bprintf(text[UeditAddressBirthday]

** CID 548248: Error handling issues (CHECKED_RETURN)
/writemsg.cpp: 1836 in sbbs_t::movemsg(smbmsg_t *, int)()


________________________________________________________________________________________________________
*** CID 548248: Error handling issues (CHECKED_RETURN)
/writemsg.cpp: 1836 in sbbs_t::movemsg(smbmsg_t *, int)()
1830 length = smb_getmsgdatlen(msg);
1831 if ((buf = (char *)malloc(length)) == NULL) {
1832 errormsg(WHERE, ERR_ALLOC, smb.file, length);
1833 return false;
1834 }
1835

CID 548248: Error handling issues (CHECKED_RETURN)
Calling "fseek(this->smb.sdt_fp, msg->hdr.offset, 0)" without checking return value. This library function may fail and return an error code.

1836 fseek(smb.sdt_fp, msg->hdr.offset, SEEK_SET);
1837 if (fread(buf, length, 1, smb.sdt_fp) != 1) {
1838 free(buf);
1839 errormsg(WHERE, ERR_READ, smb.file, length);
1840 return false;
1841 }


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 548912: Data race undermines locking (LOCK_EVASION)
/answer.cpp: 437 in sbbs_t::answer(bool *)()


________________________________________________________________________________________________________
*** CID 548912: Data race undermines locking (LOCK_EVASION)
/answer.cpp: 437 in sbbs_t::answer(bool *)()
431 activate_ssh = init_sftp(cid);
432 term->cols = 0;
433 term->rows = 0;
434 SAFECOPY(terminal, "sftp");
435 mouse_mode = MOUSE_MODE_OFF;
436 autoterm = 0;

CID 548912: Data race undermines locking (LOCK_EVASION)
Thread1 sets "sys_status" to a new value. Now the two threads have an inconsistent view of "sys_status" and updates to fields correlated with "sys_status" may be lost.

437 sys_status |= SS_USERON;
438 SAFECOPY(client.protocol, "SFTP");
439 SAFECOPY(client.user, useron.alias);
440 client.usernum = useron.number;
441 client_on(client_socket, &client, /* update: */ TRUE);
442 SAFECOPY(connection, client.protocol);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

2 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 549016: Integer handling issues (INTEGER_OVERFLOW)
/str.cpp: 1194 in sbbs_t::spy(unsigned int)()


________________________________________________________________________________________________________
*** CID 549016: Integer handling issues (INTEGER_OVERFLOW)
/str.cpp: 1194 in sbbs_t::spy(unsigned int)()
1188 && !msgabort()) {
1189 in = incom(1000);
1190 if (in == NOINP) {
1191 gettimeleft();
1192 continue;
1193 }

CID 549016: Integer handling issues (INTEGER_OVERFLOW)
Expression "ch", where "in" is known to be equal to 256, overflows the type of "ch", which is type "char".

1194 ch = in;
1195 if (ch == ESC) {
1196 if (ansi_len)
1197 ansi_len = 0;
1198 else {
1199 if ((in = incom(500)) != NOINP) {

** CID 549015: Uninitialized variables (UNINIT)


________________________________________________________________________________________________________
*** CID 549015: Uninitialized variables (UNINIT)
/js_system.c: 2089 in js_chkpassword()
2083
2084 js_system_private_t* sys;
2085 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
2086 return JS_FALSE;
2087
2088 rc = JS_SUSPENDREQUEST(cx);

CID 549015: Uninitialized variables (UNINIT)
Using uninitialized value "*str" when calling "check_pass".

2089 bool result = check_pass(sys->cfg, str, /* user: */NULL, /* unique: */false, /* reason: */NULL)
2090 && !trashcan(sys->cfg, str, "password"); 2091 JS_SET_RVAL(cx, arglist, BOOLEAN_TO_JSVAL(result));
2092 JS_RESUMEREQUEST(cx, rc);
2093
2094 return JS_TRUE;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

<!DOCTYPE html>
<html>
<head>
<style>
body {
font-family: Arial, sans-serif;
line-height: 1.6;
}
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff;
background-color: #007bff;
text-decoration: none;
border-radius: 5px;
}
.button:hover {
background-color: #0056b3;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Coverity Scan has identified new defect(s) in the project <strong>Synchronet</strong>.
</p>

<h3>Defect Summary:</h3>
<ul>
<li><strong>New Defects Found:</strong> 2</li>
<li><strong>Defects Fixed:</strong> 1</li>
<li><strong>Defects Displayed:</strong> Showing 2 of 2</li>
</ul>

<p>
To view the full list of defects and take action, click the button below:
</p>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects</a>
</p>

<p>
If you have any questions or need assistance, feel free to contact our support team.
</p>


<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

----==_mimepart_686a7047ce71_192e802d9f7544199c8471c
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

2 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 569480: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1781 in js_notify()


_____________________________________________________________________________________________
*** CID 569480: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1781 in js_notify()
1775 if (msg == NULL)
1776 return JS_TRUE;
1777 }
1778
1779 if (argc > 3 && !JSVAL_NULL_OR_VOID(argv[3])) {
1780 if ((js_str = JS_ValueToString(cx, argv[3])) == NULL) >>> CID 569480: Resource leaks (RESOURCE_LEAK)

Variable "msg" going out of scope leaks the storage it points to.

1781 return JS_FALSE;
1782
1783 JSSTRING_TO_MSTRING(cx, js_str, replyto, NULL);
1784 HANDLE_PENDING(cx, replyto);
1785 if (replyto == NULL)
1786 return JS_TRUE;

** CID 569479: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1793 in js_notify()


_____________________________________________________________________________________________
*** CID 569479: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1793 in js_notify()
1787 }
1788
1789 JSSTRING_TO_MSTRING(cx, js_subj, subj, NULL);
1790 HANDLE_PENDING(cx, subj);
1791 if (subj == NULL) {
1792 free(msg);

CID 569479: Resource leaks (RESOURCE_LEAK)
Variable "replyto" going out of scope leaks the storage it points to. 1793 return JS_TRUE;

1794 }
1795
1796 rc = JS_SUSPENDREQUEST(cx);
1797 ret = notify(sys->cfg, usernumber, subj, msg, replyto) == 0; 1798 free(subj);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


----==_mimepart_686a7047ce71_192e802d9f7544199c8471c
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 2</li>
<li><strong>Defects Shown:</strong> Showing 2 of 2 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 569480: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1781 in js_notify()


_____________________________________________________________________________________________
*** CID 569480: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1781 in js_notify()
1775 if (msg == NULL)
1776 return JS_TRUE;
1777 }
1778
1779 if (argc &gt; 3 &amp;&amp; !JSVAL_NULL_OR_VOID(argv[3])) {
1780 if ((js_str = JS_ValueToString(cx, argv[3])) == NULL) &gt;&gt;&gt; CID 569480: Resource leaks (RESOURCE_LEAK) &gt;&gt;&gt; Variable &quot;msg&quot; going out of scope leaks the storage it points to.
1781 return JS_FALSE;
1782
1783 JSSTRING_TO_MSTRING(cx, js_str, replyto, NULL);
1784 HANDLE_PENDING(cx, replyto);
1785 if (replyto == NULL)
1786 return JS_TRUE;

** CID 569479: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1793 in js_notify()


_____________________________________________________________________________________________
*** CID 569479: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1793 in js_notify()
1787 }
1788
1789 JSSTRING_TO_MSTRING(cx, js_subj, subj, NULL);
1790 HANDLE_PENDING(cx, subj);
1791 if (subj == NULL) {
1792 free(msg);
&gt;&gt;&gt; CID 569479: Resource leaks (RESOURCE_LEAK) &gt;&gt;&gt; Variable &quot;replyto&quot; going out of scope leaks the storage it points to.
1793 return JS_TRUE;
1794 }
1795
1796 rc = JS_SUSPENDREQUEST(cx);
1797 ret = notify(sys-&gt;cfg, usernumber, subj, msg, replyto) == 0; 1798 free(subj);

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_686a7047ce71_192e802d9f7544199c8471c--


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

----==_mimepart_687ce502ba0a3_2748642bf92199999045dc
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

2 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 582443: High impact quality (Y2K38_SAFETY)
/sexyz.c: 1356 in receive_files()


_____________________________________________________________________________________________
*** CID 582443: High impact quality (Y2K38_SAFETY)
/sexyz.c: 1356 in receive_files()
1350 if (!t)
1351 t = 1;
1352 if (zm.file_skipped)
1353 lprintf(LOG_WARNING, "File Skipped");
1354 else if (success)
1355 lprintf(LOG_INFO, "Successful - Time: %s CPS: %lu"

CID 582443: High impact quality (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".

1356 , seconds_to_str((uint)t, tmp), (ulong)(file_bytes / t));
1357 else
1358 lprintf(LOG_ERR, "File Transfer %s"
1359 , zm.local_abort ? "Aborted": zm.cancelled ? "Cancelled":"Failure");
1360
1361 if (!(mode & XMODEM) && ftime)

** CID 582442: (Y2K38_SAFETY)
/sexyz.c: 994 in send_files()
/sexyz.c: 1069 in send_files()


_____________________________________________________________________________________________
*** CID 582442: (Y2K38_SAFETY)
/sexyz.c: 994 in send_files()
988 xm.sent_files++;
989 xm.sent_bytes += fsize;
990 if (zm.file_skipped)
991 lprintf(LOG_WARNING, "File Skipped");
992 else
993 lprintf(LOG_INFO, "Successful - Time: %s CPS: %u"

CID 582442: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".

994 , seconds_to_str((uint)t, tmp)
995 , cps);
996
997 if (xm.total_files - xm.sent_files)
998 lprintf(LOG_INFO, "Remaining - Time: %s Files: %lu KBytes: %" PRId64
999 , seconds_to_str((uint)((xm.total_bytes - xm.sent_bytes) / cps), tmp)
/sexyz.c: 1069 in send_files()
1063 }
1064 if (xm.total_files > 1) {
1065 t = time(NULL) - startall;
1066 if (!t)
1067 t = 1;
1068 lprintf(LOG_INFO, "Overall - Time %s KBytes: %" PRId64 " CPS: %lu"

CID 582442: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".

1069 , seconds_to_str((uint)t, tmp)
1070 , total_bytes / 1024, total_bytes / t); 1071 }
1072 return 0; /* success */
1073 }
1074


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


----==_mimepart_687ce502ba0a3_2748642bf92199999045dc
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 2</li>
<li><strong>Defects Shown:</strong> Showing 2 of 2 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 582443: High impact quality (Y2K38_SAFETY)
/sexyz.c: 1356 in receive_files()


_____________________________________________________________________________________________
*** CID 582443: High impact quality (Y2K38_SAFETY)
/sexyz.c: 1356 in receive_files()
1350 if (!t)
1351 t = 1;
1352 if (zm.file_skipped)
1353 lprintf(LOG_WARNING, &quot;File Skipped&quot;); 1354 else if (success)
1355 lprintf(LOG_INFO, &quot;Successful - Time: %s CPS: %lu&quot;
&gt;&gt;&gt; CID 582443: High impact quality (Y2K38_SAFETY) &gt;&gt;&gt; A &quot;time_t&quot; value is stored in an integer with too few bits to accommodate it. The expression &quot;t&quot; is cast to &quot;uint&quot;.
1356 , seconds_to_str((uint)t, tmp), (ulong)(file_bytes / t));
1357 else
1358 lprintf(LOG_ERR, &quot;File Transfer %s&quot; 1359 , zm.local_abort ? &quot;Aborted&quot;: zm.cancelled ? &quot;Cancelled&quot;:&quot;Failure&quot;);
1360
1361 if (!(mode &amp; XMODEM) &amp;&amp; ftime)

** CID 582442: (Y2K38_SAFETY)
/sexyz.c: 994 in send_files()
/sexyz.c: 1069 in send_files()


_____________________________________________________________________________________________
*** CID 582442: (Y2K38_SAFETY)
/sexyz.c: 994 in send_files()
988 xm.sent_files++;
989 xm.sent_bytes += fsize;
990 if (zm.file_skipped)
991 lprintf(LOG_WARNING, &quot;File Skipped&quot;);
992 else
993 lprintf(LOG_INFO, &quot;Successful - Time: %s CPS: %u&quot;
&gt;&gt;&gt; CID 582442: (Y2K38_SAFETY)
&gt;&gt;&gt; A &quot;time_t&quot; value is stored in an integer with too few bits to accommodate it. The expression &quot;t&quot; is cast to &quot;uint&quot;.
994 , seconds_to_str((uint)t, tmp)
995 , cps);
996
997 if (xm.total_files - xm.sent_files)
998 lprintf(LOG_INFO, &quot;Remaining - Time: %s Files: %lu KBytes: %&quot; PRId64
999 , seconds_to_str((uint)((xm.total_bytes - xm.sent_bytes) / cps), tmp)
/sexyz.c: 1069 in send_files()
1063 }
1064 if (xm.total_files &gt; 1) {
1065 t = time(NULL) - startall;
1066 if (!t)
1067 t = 1;
1068 lprintf(LOG_INFO, &quot;Overall - Time %s KBytes: %&quot; PRId64 &quot; CPS: %lu&quot;
&gt;&gt;&gt; CID 582442: (Y2K38_SAFETY)
&gt;&gt;&gt; A &quot;time_t&quot; value is stored in an integer with too few bits to accommodate it. The expression &quot;t&quot; is cast to &quot;uint&quot;.
1069 , seconds_to_str((uint)t, tmp)
1070 , total_bytes / 1024, total_bytes / t); 1071 }
1072 return 0; /* success */
1073 }
1074

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_687ce502ba0a3_2748642bf92199999045dc--


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

----==_mimepart_6898a9938c063_f22012b538a7b399c12567
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 583942: High impact quality (Y2K38_SAFETY)
/userdat.c: 3171 in loginuserdat()


_____________________________________________________________________________________________
*** CID 583942: High impact quality (Y2K38_SAFETY)
/userdat.c: 3171 in loginuserdat()
3165 if (protocol != NULL)
3166 SAFECOPY(user->connection, protocol);
3167 if (hostname != NULL)
3168 SAFECOPY(user->comp, hostname);
3169 if (ipaddr != NULL)
3170 SAFECOPY(user->ipaddr, ipaddr);

CID 583942: High impact quality (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "logontime" is cast to "time32_t".

3171 user->logontime = logontime;
3172
3173 return putuserdat(cfg, user);
3174 }
3175
3176 /****************************************************************************/


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


----==_mimepart_6898a9938c063_f22012b538a7b399c12567
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li>
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 583942: High impact quality (Y2K38_SAFETY)
/userdat.c: 3171 in loginuserdat()


_____________________________________________________________________________________________
*** CID 583942: High impact quality (Y2K38_SAFETY)
/userdat.c: 3171 in loginuserdat()
3165 if (protocol != NULL)
3166 SAFECOPY(user-&gt;connection, protocol);
3167 if (hostname != NULL)
3168 SAFECOPY(user-&gt;comp, hostname);
3169 if (ipaddr != NULL)
3170 SAFECOPY(user-&gt;ipaddr, ipaddr);
&gt;&gt;&gt; CID 583942: High impact quality (Y2K38_SAFETY) &gt;&gt;&gt; A &quot;time_t&quot; value is stored in an integer with too few bits to accommodate it. The expression &quot;logontime&quot; is cast to &quot;time32_t&quot;.
3171 user-&gt;logontime = logontime;
3172
3173 return putuserdat(cfg, user);
3174 }
3175
3176 /****************************************************************************/

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_6898a9938c063_f22012b538a7b399c12567--


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

----==_mimepart_6899f6e6bbda6_101b942b538a7b399c1257b
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 583999: (UNINIT)


_____________________________________________________________________________________________
*** CID 583999: (UNINIT)
/file.cpp: 182 in sbbs_t::removefcdt(smbmsg_t *)()
176 if (cfg.dir[f->dir]->misc & DIR_CDTUL)
177 cdt = ((ulong)(f->cost * (cfg.dir[f->dir]->up_pct / 100.0)) / cur_cps) / 60;
178 if (cfg.dir[f->dir]->misc & DIR_CDTDL
179 && f->hdr.times_downloaded) /* all downloads */ 180 cdt += ((ulong)((long)f->hdr.times_downloaded 181 * f->cost * (cfg.dir[f->dir]->dn_pct / 100.0)) / cur_cps) / 60;

CID 583999: (UNINIT)
Using uninitialized value "user.level" when calling "adjustuserval". 182 adjustuserval(&cfg, &user, USER_MIN, -cdt);

183 snprintf(str, sizeof str, "%lu minute", cdt);
184 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
185 , f->name, cdt ? str : text[No]);
186 putsmsg(user.number, tmp);
187 }
/file.cpp: 203 in sbbs_t::removefcdt(smbmsg_t *)()
197 bprintf(text[CreditsToRemove], f->from);
198 getstr(str, 10, K_NUMBER | K_LINE | K_EDIT | K_AUTODEL);
199 if (msgabort(true))
200 return false;
201 cdt = atol(str);
202 }

CID 583999: (UNINIT)
Using uninitialized value "user.level" when calling "adjustuserval". 203 adjustuserval(&cfg, &user, USER_CDT, -cdt);

204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
/file.cpp: 209 in sbbs_t::removefcdt(smbmsg_t *)()
203 adjustuserval(&cfg, &user, USER_CDT, -cdt);
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208

CID 583999: (UNINIT)
Using uninitialized value "user.level" when calling "adjustuserval". 209 adjustuserval(&cfg, &user, USER_ULB, -f->size);

210 adjustuserval(&cfg, &user, USER_ULS, -1);
211 return true;
212 }
213
214 /****************************************************************************/
/file.cpp: 210 in sbbs_t::removefcdt(smbmsg_t *)()
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
209 adjustuserval(&cfg, &user, USER_ULB, -f->size);

CID 583999: (UNINIT)
Using uninitialized value "user.level" when calling "adjustuserval". 210 adjustuserval(&cfg, &user, USER_ULS, -1);

211 return true;
212 }
213
214 /****************************************************************************/
215 /****************************************************************************/


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


----==_mimepart_6899f6e6bbda6_101b942b538a7b399c1257b
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 583999: (UNINIT)


_____________________________________________________________________________________________
*** CID 583999: (UNINIT)
/file.cpp: 182 in sbbs_t::removefcdt(smbmsg_t *)()
176 if (cfg.dir[f-&gt;dir]-&gt;misc &amp; DIR_CDTUL)
177 cdt = ((ulong)(f-&gt;cost * (cfg.dir[f-&gt;dir]-&gt;up_pct / 100.0)) / cur_cps) / 60;
178 if (cfg.dir[f-&gt;dir]-&gt;misc &amp; DIR_CDTDL
179 &amp;&amp; f-&gt;hdr.times_downloaded) /* all downloads */
180 cdt += ((ulong)((long)f-&gt;hdr.times_downloaded
181 * f-&gt;cost * (cfg.dir[f-&gt;dir]-&gt;dn_pct / 100.0)) / cur_cps) / 60;
&gt;&gt;&gt; CID 583999: (UNINIT)
&gt;&gt;&gt; Using uninitialized value &quot;user.level&quot; when calling &quot;adjustuserval&quot;.
182 adjustuserval(&amp;cfg, &amp;user, USER_MIN, -cdt);
183 snprintf(str, sizeof str, &quot;%lu minute&quot;, cdt); 184 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
185 , f-&gt;name, cdt ? str : text[No]);
186 putsmsg(user.number, tmp);
187 }
/file.cpp: 203 in sbbs_t::removefcdt(smbmsg_t *)()
197 bprintf(text[CreditsToRemove], f-&gt;from);
198 getstr(str, 10, K_NUMBER | K_LINE | K_EDIT | K_AUTODEL);
199 if (msgabort(true))
200 return false;
201 cdt = atol(str);
202 }
&gt;&gt;&gt; CID 583999: (UNINIT)
&gt;&gt;&gt; Using uninitialized value &quot;user.level&quot; when calling &quot;adjustuserval&quot;.
203 adjustuserval(&amp;cfg, &amp;user, USER_CDT, -cdt);
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f-&gt;name, cdt &gt; 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
/file.cpp: 209 in sbbs_t::removefcdt(smbmsg_t *)()
203 adjustuserval(&amp;cfg, &amp;user, USER_CDT, -cdt);
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f-&gt;name, cdt &gt; 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
&gt;&gt;&gt; CID 583999: (UNINIT)
&gt;&gt;&gt; Using uninitialized value &quot;user.level&quot; when calling &quot;adjustuserval&quot;.
209 adjustuserval(&amp;cfg, &amp;user, USER_ULB, -f-&gt;size);
210 adjustuserval(&amp;cfg, &amp;user, USER_ULS, -1);
211 return true;
212 }
213
214 /****************************************************************************/
/file.cpp: 210 in sbbs_t::removefcdt(smbmsg_t *)()
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f-&gt;name, cdt &gt; 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
209 adjustuserval(&amp;cfg, &amp;user, USER_ULB, -f-&gt;size); &gt;&gt;&gt; CID 583999: (UNINIT)
&gt;&gt;&gt; Using uninitialized value &quot;user.level&quot; when calling &quot;adjustuserval&quot;.
210 adjustuserval(&amp;cfg, &amp;user, USER_ULS, -1);
211 return true;
212 }
213
214 /****************************************************************************/
215 /****************************************************************************/

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_6899f6e6bbda6_101b942b538a7b399c1257b--


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

----==_mimepart_68a32c876d3fd_16fcff2e2b69fdf990236c2
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 584091: (Y2K38_SAFETY)
/logon.cpp: 631 in sbbs_t::logonstats()()
/logon.cpp: 642 in sbbs_t::logonstats()()
/logon.cpp: 638 in sbbs_t::logonstats()()


_____________________________________________________________________________________________
*** CID 584091: (Y2K38_SAFETY)
/logon.cpp: 631 in sbbs_t::logonstats()()
625 errormsg(WHERE, ERR_READ, "system stats");
626 return 0;
627 }
628
629 now = time(NULL);
630 if (stats.date > now + (24L * 60L * 60L)) /* More than a day in the future? */

CID 584091: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".

631 errormsg(WHERE, ERR_CHK, "Daily stats date/time stamp", (int)stats.date);
632
633 if (!dates_are_same(now, stats.date)) {
634
635 struct tm tm{};
636 struct tm update_tm{};
/logon.cpp: 642 in sbbs_t::logonstats()()
636 struct tm update_tm{};
637 if (localtime_r(&stats.date, &update_tm) == NULL) {
638 errormsg(WHERE, ERR_CHK, "Daily stats date/time break down", (int)stats.date);
639 return 0;
640 }
641 if (localtime_r(&now, &tm) == NULL) {

CID 584091: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".

642 errormsg(WHERE, ERR_CHK, "Current date/time break down", (int)stats.date);
643 return 0;
644 }
645
646 sys_status |= SS_NEW_DAY;
647 if (tm.tm_mon != update_tm.tm_mon)
/logon.cpp: 638 in sbbs_t::logonstats()()
632
633 if (!dates_are_same(now, stats.date)) {
634
635 struct tm tm{};
636 struct tm update_tm{};
637 if (localtime_r(&stats.date, &update_tm) == NULL) {

CID 584091: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".

638 errormsg(WHERE, ERR_CHK, "Daily stats date/time break down", (int)stats.date);
639 return 0;
640 }
641 if (localtime_r(&now, &tm) == NULL) {
642 errormsg(WHERE, ERR_CHK, "Current date/time break down", (int)stats.date);
643 return 0;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


----==_mimepart_68a32c876d3fd_16fcff2e2b69fdf990236c2
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 584091: (Y2K38_SAFETY)
/logon.cpp: 631 in sbbs_t::logonstats()()
/logon.cpp: 642 in sbbs_t::logonstats()()
/logon.cpp: 638 in sbbs_t::logonstats()()


_____________________________________________________________________________________________
*** CID 584091: (Y2K38_SAFETY)
/logon.cpp: 631 in sbbs_t::logonstats()()
625 errormsg(WHERE, ERR_READ, &quot;system stats&quot;); 626 return 0;
627 }
628
629 now = time(NULL);
630 if (stats.date &gt; now + (24L * 60L * 60L)) /* More than a day in the future? */
&gt;&gt;&gt; CID 584091: (Y2K38_SAFETY)
&gt;&gt;&gt; A &quot;time_t&quot; value is stored in an integer with too few bits to accommodate it. The expression &quot;stats.date&quot; is cast to &quot;int&quot;.
631 errormsg(WHERE, ERR_CHK, &quot;Daily stats date/time stamp&quot;, (int)stats.date);
632
633 if (!dates_are_same(now, stats.date)) {
634
635 struct tm tm{};
636 struct tm update_tm{};
/logon.cpp: 642 in sbbs_t::logonstats()()
636 struct tm update_tm{};
637 if (localtime_r(&amp;stats.date, &amp;update_tm) == NULL) {
638 errormsg(WHERE, ERR_CHK, &quot;Daily stats date/time break down&quot;, (int)stats.date);
639 return 0;
640 }
641 if (localtime_r(&amp;now, &amp;tm) == NULL) { &gt;&gt;&gt; CID 584091: (Y2K38_SAFETY)
&gt;&gt;&gt; A &quot;time_t&quot; value is stored in an integer with too few bits to accommodate it. The expression &quot;stats.date&quot; is cast to &quot;int&quot;.
642 errormsg(WHERE, ERR_CHK, &quot;Current date/time break down&quot;, (int)stats.date);
643 return 0;
644 }
645
646 sys_status |= SS_NEW_DAY;
647 if (tm.tm_mon != update_tm.tm_mon)
/logon.cpp: 638 in sbbs_t::logonstats()()
632
633 if (!dates_are_same(now, stats.date)) {
634
635 struct tm tm{};
636 struct tm update_tm{};
637 if (localtime_r(&amp;stats.date, &amp;update_tm) == NULL) {
&gt;&gt;&gt; CID 584091: (Y2K38_SAFETY)
&gt;&gt;&gt; A &quot;time_t&quot; value is stored in an integer with too few bits to accommodate it. The expression &quot;stats.date&quot; is cast to &quot;int&quot;.
638 errormsg(WHERE, ERR_CHK, &quot;Daily stats date/time break down&quot;, (int)stats.date);
639 return 0;
640 }
641 if (localtime_r(&amp;now, &amp;tm) == NULL) {
642 errormsg(WHERE, ERR_CHK, &quot;Current date/time break down&quot;, (int)stats.date);
643 return 0;

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68a32c876d3fd_16fcff2e2b69fdf990236c2--


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

----==_mimepart_68b50d534c480_2468dc2e83776d99ac35483
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 584833: Error handling issues (CHECKED_RETURN)


_____________________________________________________________________________________________
*** CID 584833: Error handling issues (CHECKED_RETURN)
/mailsrvr.c: 2877 in archive_mail()
2871 bool archive_mail(const char* fname, int usernumber, const char* subdir, const char* session_id)
2872 {
2873 char tmp[128];
2874 char path[MAX_PATH + 1];
2875
2876 snprintf(path, sizeof path, "%suser/%04u/%s/", scfg.data_dir, usernumber, subdir);

CID 584833: Error handling issues (CHECKED_RETURN)
Calling "mkpath(path)" without checking return value. It wraps a library function that may fail and return an error code.

2877 mkpath(path);
2878 SAFECAT(path, gmtime_to_isoDateTimeStr(time(NULL), tmp, sizeof tmp));
2879 SAFECAT(path, "-");
2880 SAFECAT(path, session_id);
2881 SAFECAT(path, ".eml");
2882 return CopyFile(fname, path, /* fail-if-exists: */true);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


----==_mimepart_68b50d534c480_2468dc2e83776d99ac35483
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 584833: Error handling issues (CHECKED_RETURN)


_____________________________________________________________________________________________
*** CID 584833: Error handling issues (CHECKED_RETURN)
/mailsrvr.c: 2877 in archive_mail()
2871 bool archive_mail(const char* fname, int usernumber, const char* subdir, const char* session_id)
2872 {
2873 char tmp[128];
2874 char path[MAX_PATH + 1];
2875
2876 snprintf(path, sizeof path, &quot;%suser/%04u/%s/&quot;, scfg.data_dir, usernumber, subdir);
&gt;&gt;&gt; CID 584833: Error handling issues (CHECKED_RETURN) &gt;&gt;&gt; Calling &quot;mkpath(path)&quot; without checking return value. It wraps a library function that may fail and return an error code.
2877 mkpath(path);
2878 SAFECAT(path, gmtime_to_isoDateTimeStr(time(NULL), tmp, sizeof tmp));
2879 SAFECAT(path, &quot;-&quot;);
2880 SAFECAT(path, session_id);
2881 SAFECAT(path, &quot;.eml&quot;);
2882 return CopyFile(fname, path, /* fail-if-exists: */true);

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68b50d534c480_2468dc2e83776d99ac35483--


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

----==_mimepart_68d3e7e5d7b6_b44382cc43c0b59a0513eb
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 630343: (ATOMICITY) /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1581 in bitmap_setfont()
/tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1577 in bitmap_setfont()


_____________________________________________________________________________________________
*** CID 630343: (ATOMICITY) /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1581 in bitmap_setfont()
1575 new=malloc(ti.screenwidth*ti.screenheight*sizeof(*new));
1576 if(!new) {
1577 free(old);
1578 assert_rwlock_unlock(&vstatlock);
1579 return 0;
1580 }

CID 630343: (ATOMICITY)
Using an unreliable value of "old" inside the second locked section. If the data that "old" depends on was changed by another thread, this use might be incorrect.

1581 pold=old;
1582 pnew=new;
1583 for(row=0; row<ti.screenheight; row++) {
1584 for(col=0; col<ti.screenwidth; col++) { 1585 if(row < oh) {
1586 if(col < ow) { /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1577 in bitmap_setfont()
1571 bitmap_vmem_gettext_locked(1,1,ow,oh,old);
1572 assert_rwlock_unlock(&vstatlock);
1573 textmode(newmode);
1574 assert_rwlock_wrlock(&vstatlock);
1575 new=malloc(ti.screenwidth*ti.screenheight*sizeof(*new));
1576 if(!new) {

CID 630343: (ATOMICITY)
Using an unreliable value of "old" inside the second locked section. If the data that "old" depends on was changed by another thread, this use might be incorrect.

1577 free(old);
1578 assert_rwlock_unlock(&vstatlock);
1579 return 0;
1580 }
1581 pold=old;
1582 pnew=new;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


----==_mimepart_68d3e7e5d7b6_b44382cc43c0b59a0513eb
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li>
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 630343: (ATOMICITY) /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1581 in bitmap_setfont()
/tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1577 in bitmap_setfont()


_____________________________________________________________________________________________
*** CID 630343: (ATOMICITY) /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1581 in bitmap_setfont()
1575 new=malloc(ti.screenwidth*ti.screenheight*sizeof(*new));
1576 if(!new) {
1577 free(old);
1578 assert_rwlock_unlock(&amp;vstatlock); 1579 return 0;
1580 }
&gt;&gt;&gt; CID 630343: (ATOMICITY)
&gt;&gt;&gt; Using an unreliable value of &quot;old&quot; inside the second locked section. If the data that &quot;old&quot; depends on was changed by another thread, this use might be incorrect.
1581 pold=old;
1582 pnew=new;
1583 for(row=0; row&lt;ti.screenheight; row++) { 1584 for(col=0; col&lt;ti.screenwidth; col++) {
1585 if(row &lt; oh) {
1586 if(col &lt; ow) { /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1577 in bitmap_setfont()
1571 bitmap_vmem_gettext_locked(1,1,ow,oh,old);
1572 assert_rwlock_unlock(&amp;vstatlock);
1573 textmode(newmode);
1574 assert_rwlock_wrlock(&amp;vstatlock);
1575 new=malloc(ti.screenwidth*ti.screenheight*sizeof(*new));
1576 if(!new) {
&gt;&gt;&gt; CID 630343: (ATOMICITY)
&gt;&gt;&gt; Using an unreliable value of &quot;old&quot; inside the second locked section. If the data that &quot;old&quot; depends on was changed by another thread, this use might be incorrect.
1577 free(old);
1578 assert_rwlock_unlock(&amp;vstatlock); 1579 return 0;
1580 }
1581 pold=old;
1582 pnew=new;

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68d3e7e5d7b6_b44382cc43c0b59a0513eb--


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

----==_mimepart_68d7dc6e205cb_1d74a2b4f2a4a99a449ab
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 630956: Control flow issues (UNREACHABLE)
/sexyz.c: 439 in recv_buffer()


_____________________________________________________________________________________________
*** CID 630956: Control flow issues (UNREACHABLE)
/sexyz.c: 439 in recv_buffer()
433 #else
434 fd_set socket_set;
435 struct timeval tv;
436 #endif
437 int magic_errno;
438

CID 630956: Control flow issues (UNREACHABLE)
Since the loop increment is unreachable, the loop body will never execute more than once.

439 for (;;) {
440 if (inbuf_len > inbuf_pos)
441 return inbuf_len - inbuf_pos;
442 #ifdef __unix__
443 if (stdio) {
444 i = read(STDIN_FILENO, inbuf, sizeof(inbuf));


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


----==_mimepart_68d7dc6e205cb_1d74a2b4f2a4a99a449ab
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 630956: Control flow issues (UNREACHABLE)
/sexyz.c: 439 in recv_buffer()


_____________________________________________________________________________________________
*** CID 630956: Control flow issues (UNREACHABLE)
/sexyz.c: 439 in recv_buffer()
433 #else
434 fd_set socket_set;
435 struct timeval tv;
436 #endif
437 int magic_errno;
438
&gt;&gt;&gt; CID 630956: Control flow issues (UNREACHABLE) &gt;&gt;&gt; Since the loop increment is unreachable, the loop body will never execute more than once.
439 for (;;) {
440 if (inbuf_len &gt; inbuf_pos)
441 return inbuf_len - inbuf_pos;
442 #ifdef __unix__
443 if (stdio) {
444 i = read(STDIN_FILENO, inbuf, sizeof(inbuf));

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68d7dc6e205cb_1d74a2b4f2a4a99a449ab--


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

----==_mimepart_68da991cc30d_3dac62b4f2a4a99a44987
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON)


_____________________________________________________________________________________________
*** CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON) /tmp/sbbs-Sep-29-2025/src/xpdev/ini_file.c: 1658 in iniParseSections()
1652 break;
1653 }
1654
1655 if (list[i] != NULL) {
1656 // TODO: A comment will create a zero-length root section, which kinda sucks...
1657 if (*p != INI_OPEN_SECTION_CHAR) {

CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON)
Passing "&iniParsedRootValue" to function "addParsedSection" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.

1658 if (!addParsedSection(&lp, &sections, &iniParsedRootValue))
1659 goto error_return;
1660 keys = 0;
1661 for (; list[i] != NULL; ++i) {
1662 p = list[i];
1663 SKIP_WHITESPACE(p);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


----==_mimepart_68da991cc30d_3dac62b4f2a4a99a44987
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON)


_____________________________________________________________________________________________
*** CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON) /tmp/sbbs-Sep-29-2025/src/xpdev/ini_file.c: 1658 in iniParseSections()
1652 break;
1653 }
1654
1655 if (list[i] != NULL) {
1656 // TODO: A comment will create a zero-length root section, which kinda sucks...
1657 if (*p != INI_OPEN_SECTION_CHAR) {
&gt;&gt;&gt; CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON) &gt;&gt;&gt; Passing &quot;&amp;iniParsedRootValue&quot; to function &quot;addParsedSection&quot; which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
1658 if (!addParsedSection(&amp;lp, &amp;sections, &amp;iniParsedRootValue))
1659 goto error_return;
1660 keys = 0;
1661 for (; list[i] != NULL; ++i) {
1662 p = list[i];
1663 SKIP_WHITESPACE(p);

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68da991cc30d_3dac62b4f2a4a99a44987--


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

----==_mimepart_68dbe667f0fba_4d6e62b4f2a4a99a44915
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

3 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 631052: Null pointer dereferences (FORWARD_NULL) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3367 in iniGetFastParsedSectionCmp()


_____________________________________________________________________________________________
*** CID 631052: Null pointer dereferences (FORWARD_NULL) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3367 in iniGetFastParsedSectionCmp()
3361 return 0;
3362 }
3363 if (name == NULL || name->str == NULL)
3364 return -1;
3365 entShorter = fp->name.len < name->len;
3366 cmplen = entShorter ? fp->name.len : name->len;

CID 631052: Null pointer dereferences (FORWARD_NULL)
Passing null pointer "fp->name.str" to "strncasecmp", which dereferences it.

3367 cmp = strnicmp(name->str, fp->name.str, cmplen);
3368 if (cmp == 0) {
3369 if (fp->name.len == name->len)
3370 return 0;
3371 if (entShorter)
3372 return 1;

** CID 631051: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3159 in iniFastParseSections()


_____________________________________________________________________________________________
*** CID 631051: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3159 in iniFastParseSections()
3153 struct fp_section *sect;
3154 size_t slen;
3155 str++;
3156 slen = strlen(str);
3157 while (slen && (IS_WHITESPACE(str[slen - 1]))) 3158 slen--;

CID 631051: Integer handling issues (INTEGER_OVERFLOW)
Expression "slen - 1UL", where "slen" is known to be equal to 0, underflows the type of "slen - 1UL", which is type "unsigned long".

3159 if (str[slen - 1] == INI_CLOSE_SECTION_CHAR) 3160 slen--;
3161 else // Discard line
3162 continue;
3163 ret->totalSections++;
3164 if ((ret->totalSections) >= arraySz) {

** CID 631050: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3331 in iniGetFastParsedSectionList()


_____________________________________________________________________________________________
*** CID 631050: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3331 in iniGetFastParsedSectionList()
3325 if (sz)
3326 *sz = 0;
3327 return ret;
3328 }
3329 if (prefix)
3330 prefixLen = strlen(prefix);

CID 631050: Integer handling issues (INTEGER_OVERFLOW)
Expression "i++", where "i" is known to be equal to 18446744073709551615, overflows the type of "i++", which is type "size_t".

3331 for (i = iniGetFastPrefixStart(fp, prefix); i <= fp->lastUncut; i++) {
3332 if (fp->sections[i].name.str == NULL)
3333 continue;
3334 if (fp->sections[i].cut)
3335 continue;
3336 if (fp->sections[i].name.len < prefixLen)


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


----==_mimepart_68dbe667f0fba_4d6e62b4f2a4a99a44915
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 3</li>
<li><strong>Defects Shown:</strong> Showing 3 of 3 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631052: Null pointer dereferences (FORWARD_NULL) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3367 in iniGetFastParsedSectionCmp()


_____________________________________________________________________________________________
*** CID 631052: Null pointer dereferences (FORWARD_NULL) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3367 in iniGetFastParsedSectionCmp()
3361 return 0;
3362 }
3363 if (name == NULL || name-&gt;str == NULL)
3364 return -1;
3365 entShorter = fp-&gt;name.len &lt; name-&gt;len;
3366 cmplen = entShorter ? fp-&gt;name.len : name-&gt;len; &gt;&gt;&gt; CID 631052: Null pointer dereferences (FORWARD_NULL) &gt;&gt;&gt; Passing null pointer &quot;fp-&gt;name.str&quot; to &quot;strncasecmp&quot;, which dereferences it.
3367 cmp = strnicmp(name-&gt;str, fp-&gt;name.str, cmplen);
3368 if (cmp == 0) {
3369 if (fp-&gt;name.len == name-&gt;len)
3370 return 0;
3371 if (entShorter)
3372 return 1;

** CID 631051: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3159 in iniFastParseSections()


_____________________________________________________________________________________________
*** CID 631051: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3159 in iniFastParseSections()
3153 struct fp_section *sect;
3154 size_t slen;
3155 str++;
3156 slen = strlen(str);
3157 while (slen &amp;&amp; (IS_WHITESPACE(str[slen - 1])))
3158 slen--;
&gt;&gt;&gt; CID 631051: Integer handling issues (INTEGER_OVERFLOW)
&gt;&gt;&gt; Expression &quot;slen - 1UL&quot;, where &quot;slen&quot; is known to be equal to 0, underflows the type of &quot;slen - 1UL&quot;, which is type &quot;unsigned long&quot;.
3159 if (str[slen - 1] == INI_CLOSE_SECTION_CHAR) 3160 slen--;
3161 else // Discard line
3162 continue;
3163 ret-&gt;totalSections++;
3164 if ((ret-&gt;totalSections) &gt;= arraySz) {

** CID 631050: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3331 in iniGetFastParsedSectionList()


_____________________________________________________________________________________________
*** CID 631050: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3331 in iniGetFastParsedSectionList()
3325 if (sz)
3326 *sz = 0;
3327 return ret;
3328 }
3329 if (prefix)
3330 prefixLen = strlen(prefix);
&gt;&gt;&gt; CID 631050: Integer handling issues (INTEGER_OVERFLOW)
&gt;&gt;&gt; Expression &quot;i++&quot;, where &quot;i&quot; is known to be equal to 18446744073709551615, overflows the type of &quot;i++&quot;, which is type &quot;size_t&quot;.
3331 for (i = iniGetFastPrefixStart(fp, prefix); i &lt;= fp-&gt;lastUncut; i++) {
3332 if (fp-&gt;sections[i].name.str == NULL)
3333 continue;
3334 if (fp-&gt;sections[i].cut)
3335 continue;
3336 if (fp-&gt;sections[i].name.len &lt; prefixLen)

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68dbe667f0fba_4d6e62b4f2a4a99a44915--


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

----==_mimepart_68dd52075cd65_5ee032b4f2a4a99a44999
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

9 new defect(s) introduced to Synchronet found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)


** CID 631076: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631076: Memory - corruptions (OVERRUN)
/sbbsecho.c: 314 in parse_echostat_msg()
308 {
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);

CID 631076: Memory - corruptions (OVERRUN)
Overrunning array "msg.from" of 36 bytes by passing it to a function which accesses it at byte offset 1023.

314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);

** CID 631075: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631075: Memory - corruptions (OVERRUN)
/sbbsecho.c: 319 in parse_echostat_msg()
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);

CID 631075: Memory - corruptions (OVERRUN)
Overrunning array "msg.tid" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);

** CID 631074: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631074: Memory - corruptions (OVERRUN)
/sbbsecho.c: 317 in parse_echostat_msg()
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);

CID 631074: Memory - corruptions (OVERRUN)
Overrunning array "msg.reply_id" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);

** CID 631073: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631073: Memory - corruptions (OVERRUN)
/sbbsecho.c: 316 in parse_echostat_msg()
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);

CID 631073: Memory - corruptions (OVERRUN)
Overrunning array "msg.msg_id" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);

** CID 631072: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631072: Memory - corruptions (OVERRUN)
/sbbsecho.c: 313 in parse_echostat_msg()
307 echostat_msg_t parse_echostat_msg(str_list_t ini, const char* section, const char* prefix)
308 {
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312

CID 631072: Memory - corruptions (OVERRUN)
Overrunning array "msg.to" of 36 bytes by passing it to a function which accesses it at byte offset 1023.

313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);

** CID 631071: (OVERRUN)


_____________________________________________________________________________________________
*** CID 631071: (OVERRUN)
/sbbsecho.c: 327 in parse_echostat_msg()
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])
326 msg.origaddr = atofaddr(str);

CID 631071: (OVERRUN)
Overrunning array "str" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

327 snprintf(key, sizeof key, "%s.pkt_orig", prefix), iniGetString(ini, section, key, NULL, str);
328 if (str[0])
329 msg.pkt_orig = atofaddr(str);
330
331 return msg;
332 }
/sbbsecho.c: 324 in parse_echostat_msg()
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);

CID 631071: (OVERRUN)
Overrunning array "str" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])
326 msg.origaddr = atofaddr(str);
327 snprintf(key, sizeof key, "%s.pkt_orig", prefix), iniGetString(ini, section, key, NULL, str);
328 if (str[0])
329 msg.pkt_orig = atofaddr(str);

** CID 631070: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631070: Memory - corruptions (OVERRUN)
/sbbsecho.c: 315 in parse_echostat_msg()
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);

CID 631070: Memory - corruptions (OVERRUN)
Overrunning array "msg.subj" of 72 bytes by passing it to a function which accesses it at byte offset 1023.

315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);

** CID 631069: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631069: Memory - corruptions (OVERRUN)
/sbbsecho.c: 318 in parse_echostat_msg()
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);

CID 631069: Memory - corruptions (OVERRUN)
Overrunning array "msg.pid" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);

** CID 631068: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631068: Memory - corruptions (OVERRUN)
/sbbsecho.c: 320 in parse_echostat_msg()
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);

CID 631068: Memory - corruptions (OVERRUN)
Overrunning array "msg.msg_tz" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


----==_mimepart_68dd52075cd65_5ee032b4f2a4a99a44999
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 9</li>
<li>
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 9 of 9 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631076: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631076: Memory - corruptions (OVERRUN)
/sbbsecho.c: 314 in parse_echostat_msg()
308 {
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, &quot;%s.to&quot;, prefix), iniGetString(ini, section, key, NULL, msg.to);
&gt;&gt;&gt; CID 631076: Memory - corruptions (OVERRUN) &gt;&gt;&gt; Overrunning array &quot;msg.from&quot; of 36 bytes by passing it to a function which accesses it at byte offset 1023.
314 snprintf(key, sizeof key, &quot;%s.from&quot;, prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, &quot;%s.subj&quot;, prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, &quot;%s.msg_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, &quot;%s.reply_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, &quot;%s.pid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, &quot;%s.tid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.tid);

** CID 631075: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631075: Memory - corruptions (OVERRUN)
/sbbsecho.c: 319 in parse_echostat_msg()
313 snprintf(key, sizeof key, &quot;%s.to&quot;, prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, &quot;%s.from&quot;, prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, &quot;%s.subj&quot;, prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, &quot;%s.msg_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, &quot;%s.reply_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, &quot;%s.pid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.pid);
&gt;&gt;&gt; CID 631075: Memory - corruptions (OVERRUN) &gt;&gt;&gt; Overrunning array &quot;msg.tid&quot; of 128 bytes by passing it to a function which accesses it at byte offset 1023.
319 snprintf(key, sizeof key, &quot;%s.tid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, &quot;%s.msg_tz&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, &quot;%s.msg_time&quot;, prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, &quot;%s.localtime&quot;, prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, &quot;%s.length&quot;, prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, &quot;%s.origaddr&quot;, prefix), iniGetString(ini, section, key, NULL, str);

** CID 631074: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631074: Memory - corruptions (OVERRUN)
/sbbsecho.c: 317 in parse_echostat_msg()
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, &quot;%s.to&quot;, prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, &quot;%s.from&quot;, prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, &quot;%s.subj&quot;, prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, &quot;%s.msg_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
&gt;&gt;&gt; CID 631074: Memory - corruptions (OVERRUN) &gt;&gt;&gt; Overrunning array &quot;msg.reply_id&quot; of 128 bytes by passing it to a function which accesses it at byte offset 1023.
317 snprintf(key, sizeof key, &quot;%s.reply_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, &quot;%s.pid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, &quot;%s.tid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, &quot;%s.msg_tz&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, &quot;%s.msg_time&quot;, prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, &quot;%s.localtime&quot;, prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);

** CID 631073: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631073: Memory - corruptions (OVERRUN)
/sbbsecho.c: 316 in parse_echostat_msg()
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, &quot;%s.to&quot;, prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, &quot;%s.from&quot;, prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, &quot;%s.subj&quot;, prefix), iniGetString(ini, section, key, NULL, msg.subj);
&gt;&gt;&gt; CID 631073: Memory - corruptions (OVERRUN) &gt;&gt;&gt; Overrunning array &quot;msg.msg_id&quot; of 128 bytes by passing it to a function which accesses it at byte offset 1023.
316 snprintf(key, sizeof key, &quot;%s.msg_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, &quot;%s.reply_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, &quot;%s.pid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, &quot;%s.tid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, &quot;%s.msg_tz&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, &quot;%s.msg_time&quot;, prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);

** CID 631072: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631072: Memory - corruptions (OVERRUN)
/sbbsecho.c: 313 in parse_echostat_msg()
307 echostat_msg_t parse_echostat_msg(str_list_t ini, const char* section, const char* prefix)
308 {
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
&gt;&gt;&gt; CID 631072: Memory - corruptions (OVERRUN) &gt;&gt;&gt; Overrunning array &quot;msg.to&quot; of 36 bytes by passing it to a function which accesses it at byte offset 1023.
313 snprintf(key, sizeof key, &quot;%s.to&quot;, prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, &quot;%s.from&quot;, prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, &quot;%s.subj&quot;, prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, &quot;%s.msg_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, &quot;%s.reply_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, &quot;%s.pid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.pid);

** CID 631071: (OVERRUN)


_____________________________________________________________________________________________
*** CID 631071: (OVERRUN)
/sbbsecho.c: 327 in parse_echostat_msg()
321 snprintf(key, sizeof key, &quot;%s.msg_time&quot;, prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, &quot;%s.localtime&quot;, prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, &quot;%s.length&quot;, prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, &quot;%s.origaddr&quot;, prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])
326 msg.origaddr = atofaddr(str);
&gt;&gt;&gt; CID 631071: (OVERRUN)
&gt;&gt;&gt; Overrunning array &quot;str&quot; of 128 bytes by passing it to a function which accesses it at byte offset 1023.
327 snprintf(key, sizeof key, &quot;%s.pkt_orig&quot;, prefix), iniGetString(ini, section, key, NULL, str);
328 if (str[0])
329 msg.pkt_orig = atofaddr(str);
330
331 return msg;
332 }
/sbbsecho.c: 324 in parse_echostat_msg()
318 snprintf(key, sizeof key, &quot;%s.pid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, &quot;%s.tid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, &quot;%s.msg_tz&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, &quot;%s.msg_time&quot;, prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, &quot;%s.localtime&quot;, prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, &quot;%s.length&quot;, prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
&gt;&gt;&gt; CID 631071: (OVERRUN)
&gt;&gt;&gt; Overrunning array &quot;str&quot; of 128 bytes by passing it to a function which accesses it at byte offset 1023.
324 snprintf(key, sizeof key, &quot;%s.origaddr&quot;, prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])
326 msg.origaddr = atofaddr(str);
327 snprintf(key, sizeof key, &quot;%s.pkt_orig&quot;, prefix), iniGetString(ini, section, key, NULL, str);
328 if (str[0])
329 msg.pkt_orig = atofaddr(str);

** CID 631070: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631070: Memory - corruptions (OVERRUN)
/sbbsecho.c: 315 in parse_echostat_msg()
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, &quot;%s.to&quot;, prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, &quot;%s.from&quot;, prefix), iniGetString(ini, section, key, NULL, msg.from);
&gt;&gt;&gt; CID 631070: Memory - corruptions (OVERRUN) &gt;&gt;&gt; Overrunning array &quot;msg.subj&quot; of 72 bytes by passing it to a function which accesses it at byte offset 1023.
315 snprintf(key, sizeof key, &quot;%s.subj&quot;, prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, &quot;%s.msg_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, &quot;%s.reply_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, &quot;%s.pid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, &quot;%s.tid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, &quot;%s.msg_tz&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);

** CID 631069: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631069: Memory - corruptions (OVERRUN)
/sbbsecho.c: 318 in parse_echostat_msg()
312
313 snprintf(key, sizeof key, &quot;%s.to&quot;, prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, &quot;%s.from&quot;, prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, &quot;%s.subj&quot;, prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, &quot;%s.msg_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, &quot;%s.reply_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
&gt;&gt;&gt; CID 631069: Memory - corruptions (OVERRUN) &gt;&gt;&gt; Overrunning array &quot;msg.pid&quot; of 128 bytes by passing it to a function which accesses it at byte offset 1023.
318 snprintf(key, sizeof key, &quot;%s.pid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, &quot;%s.tid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, &quot;%s.msg_tz&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, &quot;%s.msg_time&quot;, prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, &quot;%s.localtime&quot;, prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, &quot;%s.length&quot;, prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);

** CID 631068: Memory - corruptions (OVERRUN)


_____________________________________________________________________________________________
*** CID 631068: Memory - corruptions (OVERRUN)
/sbbsecho.c: 320 in parse_echostat_msg()
314 snprintf(key, sizeof key, &quot;%s.from&quot;, prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, &quot;%s.subj&quot;, prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, &quot;%s.msg_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, &quot;%s.reply_id&quot;, prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, &quot;%s.pid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, &quot;%s.tid&quot;, prefix), iniGetString(ini, section, key, NULL, msg.tid);
&gt;&gt;&gt; CID 631068: Memory - corruptions (OVERRUN) &gt;&gt;&gt; Overrunning array &quot;msg.msg_tz&quot; of 128 bytes by passing it to a function which accesses it at byte offset 1023.
320 snprintf(key, sizeof key, &quot;%s.msg_tz&quot;, prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, &quot;%s.msg_time&quot;, prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, &quot;%s.localtime&quot;, prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, &quot;%s.length&quot;, prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, &quot;%s.origaddr&quot;, prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68dd52075cd65_5ee032b4f2a4a99a44999--


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

----==_mimepart_68e2993ee711b_9d27f2d5dd76db9a859454
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

18 new defect(s) introduced to Synchronet found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 18 of 18 defect(s)


** CID 631146: Program hangs (LOCK)


_____________________________________________________________________________________________
*** CID 631146: Program hangs (LOCK)
/userdat.c: 4189 in loginAttemptListCount()
4183 long loginAttemptListCount(link_list_t* list)
4184 {
4185 long count;
4186
4187 if (!listLock(list))
4188 return -1;

CID 631146: Program hangs (LOCK)
"listCountNodes" locks "list->mutex" while it is locked.

4189 count = listCountNodes(list);
4190 listUnlock(list);
4191 return count;
4192 }
4193
4194 /****************************************************************************/

** CID 631145: Program hangs (SLEEP)


_____________________________________________________________________________________________
*** CID 631145: Program hangs (SLEEP)
/userdat.c: 4358 in loginBanned()
4352 listUnlock(list);
4353 if (node == NULL)
4354 return 0;
4355 attempt = node->data;
4356 SAFECOPY(name, attempt->user);
4357 truncstr(name, "@");

CID 631145: Program hangs (SLEEP)
Call to "trashcan" might sleep while holding lock "list->mutex".

4358 if (((settings.tempban_threshold && (attempt->count - attempt->dupes) >= settings.tempban_threshold)
4359 || trashcan(cfg, name, "name")) && now < (time32_t)(attempt->time + settings.tempban_duration)) {
4360 if (details != NULL)
4361 *details = *attempt;
4362 return settings.tempban_duration - (now - attempt->time);
4363 }

** CID 631144: Program hangs (LOCK)


_____________________________________________________________________________________________
*** CID 631144: Program hangs (LOCK)
/sbbscon.c: 654 in client_on()
648 {
649 if (on) {
650 if (update) {
651 list_node_t* node;
652
653 listLock(&client_list);

CID 631144: Program hangs (LOCK)
"listFindNode" locks "client_list.mutex" while it is locked.

654 if ((node = listFindTaggedNode(&client_list, sock)) != NULL)
655 memcpy(node->data, client, sizeof(client_t));
656 listUnlock(&client_list);
657 } else {
658 served++;
659 listAddNodeData(&client_list, client, sizeof(client_t), sock, LAST_NODE);

** CID 631143: (SLEEP)
/mailsrvr.c: 1225 in pop3_client_thread()


_____________________________________________________________________________________________
*** CID 631143: (SLEEP)
/mailsrvr.c: 1241 in pop3_client_thread()
1235
1236 srand((unsigned int)(time(NULL) ^ (time_t)GetCurrentThreadId())); /* seed random number generator */
1237 (void)rand(); /* throw-away first result */
1238 safe_snprintf(challenge, sizeof(challenge), "<%x%x%lx%lx@%.128s>"
1239 , rand(), socket, (ulong)time(NULL), (ulong)clock(), server_host_name());
1240

CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".

1241 sockprintf(socket, client.protocol, session, "+OK Synchronet %s Server %s%c-%s Ready %s"
1242 , client.protocol, VERSION, REVISION, PLATFORM_DESC, challenge);
1243
1244 /* Requires USER or APOP command first */
1245 for (i = 5; i; i--) {
1246 if (!sockgetrsp(socket, client.protocol, session, NULL, buf, sizeof(buf)))
/mailsrvr.c: 1225 in pop3_client_thread()
1219 client_on(socket, &client, FALSE /* update */);
1220
1221 if (startup->login_attempt.throttle
1222 && (login_attempts = loginAttempts(startup->login_attempt_list, &pop3->client_addr)) > 1) {
1223 lprintf(LOG_DEBUG, "%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)"
1224 , socket, client.protocol, host_ip, login_attempts);

CID 631143: (SLEEP)
Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".

1225 mswait(login_attempts * startup->login_attempt.throttle);
1226 }
1227
1228 mail = NULL;
1229
1230 do {
/mailsrvr.c: 1189 in pop3_client_thread()
1183 ulong banned = loginBanned(&scfg, startup->login_attempt_list, socket, host_name, startup->login_attempt, &attempted);
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));

CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".

1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
/mailsrvr.c: 1323 in pop3_client_thread()
1317 if ((p = strstr(username, NO_SPAM)) != NULL) {
1318 *p = 0;
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {

CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".

1323 sockprintf(socket, client.protocol, session, "+OK");
1324 if (!sockgetrsp(socket, client.protocol, session, "PASS ", buf, sizeof(buf))) {
1325 sockprintf(socket, client.protocol, session, "-ERR PASS command expected");
1326 break;
1327 }
1328 p = buf + 5;
/mailsrvr.c: 1325 in pop3_client_thread()
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {
1323 sockprintf(socket, client.protocol, session, "+OK");
1324 if (!sockgetrsp(socket, client.protocol, session, "PASS ", buf, sizeof(buf))) {

CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".

1325 sockprintf(socket, client.protocol, session, "-ERR PASS command expected");
1326 break;
1327 }
1328 p = buf + 5;
1329 SKIP_WHITESPACE(p);
1330 SAFECOPY(password, p);
/mailsrvr.c: 1193 in pop3_client_thread()
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1190 return false;
1191 }
1192 struct trash trash;

CID 631143: (SLEEP)
Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".

1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
1195 char details[128];
1196 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s", socket, client.protocol, host_ip, trash_details(&trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
/mailsrvr.c: 1201 in pop3_client_thread()
1195 char details[128];
1196 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s", socket, client.protocol, host_ip, trash_details(&trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1199 return false;
1200 }

CID 631143: (SLEEP)
Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".

1201 if (trashcan2(&scfg, host_name, NULL, "host", &trash)) {
1202 if (!trash.quiet) {
1203 char details[128];
1204 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in host.can: %s %s"
1205 , socket, client.protocol, host_ip, host_name, trash_details(&trash, details, sizeof details));
1206 }

** CID 631142: Null pointer dereferences (FORWARD_NULL)


_____________________________________________________________________________________________
*** CID 631142: Null pointer dereferences (FORWARD_NULL)
/un_qwk.cpp: 380 in sbbs_t::unpack_qwk(char *, unsigned int)()
374 iniFreeStringList(voting);
375
376 strListFree(&msg_filters.ip_can);
377 strListFree(&msg_filters.host_can);
378 strListFree(&msg_filters.subject_can);
379 strListFree(&msg_filters.twit_list);

CID 631142: Null pointer dereferences (FORWARD_NULL)
Passing "&user_list" to "listFree", which dereferences null "user_list.sem".

380 listFree(&user_list);
381
382 delfiles(cfg.temp_dir, "*.NDX");
383 SAFEPRINTF(str, "%sMESSAGES.DAT", cfg.temp_dir);
384 removecase(str);
385 SAFEPRINTF(str, "%sDOOR.ID", cfg.temp_dir);

** CID 631141: Program hangs (LOCK)


_____________________________________________________________________________________________
*** CID 631141: Program hangs (LOCK)
/userdat.c: 4264 in loginSuccess()
4258 list_node_t* node;
4259
4260 if (addr->addr.sa_family != AF_INET && addr->addr.sa_family != AF_INET6)
4261 return;
4262 listLock(list);
4263 if ((node = login_attempted(list, addr)) != NULL)

CID 631141: Program hangs (LOCK)
"listRemoveNode" locks "list->mutex" while it is locked.

4264 listRemoveNode(list, node, /* freeData: */ true);
4265 listUnlock(list);
4266 }
4267
4268 /****************************************************************************/
4269 /* Returns number of *unique* login attempts (excludes consecutive dupes) */

** CID 631140: (LOCK)
/userdat.c: 4206 in loginAttemptListClear()


_____________________________________________________________________________________________
*** CID 631140: (LOCK)
/userdat.c: 4204 in loginAttemptListClear()
4198 long loginAttemptListClear(link_list_t* list)
4199 {
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;

CID 631140: (LOCK)
"listCountNodes" locks "list->mutex" while it is locked.

4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);
4206 listUnlock(list);
4207 return count;
4208 }
4209
/userdat.c: 4206 in loginAttemptListClear()
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;
4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);

CID 631140: (LOCK)
"listUnlock" unlocks "list->mutex" while it is unlocked.

4206 listUnlock(list);
4207 return count;
4208 }
4209
4210 /****************************************************************************/
4211 static list_node_t* login_attempted(link_list_t* list, const union xp_sockaddr* addr)

** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()


_____________________________________________________________________________________________
*** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()
1613 client_on(socket, &client, false /* update */);
1614
1615 if (startup->login_attempt.throttle
1616 && (login_attempts = loginAttempts(startup->login_attempt_list, &service_client.addr)) > 1) {
1617 lprintf(LOG_DEBUG, "%04d %s Throttling suspicious connection from: %s (%lu login attempts)"
1618 , socket, service->protocol, client.addr, login_attempts);

CID 631139: Program hangs (SLEEP)
Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".

1619 mswait(login_attempts * startup->login_attempt.throttle);
1620 }
1621
1622 /* RUN SCRIPT */
1623 if (strpbrk(service->cmd, "/\\") == NULL)
1624 SAFEPRINTF2(cmd, "%s%s", scfg.exec_dir, service->cmd);

** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()


_____________________________________________________________________________________________
*** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()
1645 lprintf(LOG_INFO, "%04d %s service thread terminated (%lu clients remain, %lu total, %lu served)"
1646 , socket, service->protocol, remain, active_clients(), service->served);
1647
1648 client_off(socket);
1649 close_socket(socket);
1650 closesocket(socket_dup); /* close duplicate handle */

CID 631138: Program hangs (LOCK)
Returning without unlocking "startup->login_attempt_list->mutex".

1651 }
1652
1653
1654 void services_terminate(void)
1655 {
1656 uint32_t i;

** CID 631137: Program hangs (ORDER_REVERSAL)


_____________________________________________________________________________________________
*** CID 631137: Program hangs (ORDER_REVERSAL)
/websrvr.c: 6965 in http_session_thread()
6959 */
6960 session.req.method = HTTP_GET;
6961 session.http_ver = HTTP_1_0;
6962 if (startup->max_clients && client_count > startup->max_clients) {
6963 lprintf(LOG_WARNING, "%04d %-5s [%s] !MAXIMUM CLIENTS (%u) exceeded by %u, access denied"
6964 , socket, session.client.protocol, session.host_ip, startup->max_clients, client_count - startup->max_clients);

CID 631137: Program hangs (ORDER_REVERSAL)
Calling "send_error" acquires lock "jsrt_mutex" while holding lock "link_list.mutex" (count: 1 / 5).

6965 send_error(&session, __LINE__, error_503);
6966 session.finished = true;
6967 } else {
6968 uint connections = listCountMatches(&current_connections, session.host_ip, strlen(session.host_ip) + 1);
6969 if (startup->max_concurrent_connections > 0 && connections > startup->max_concurrent_connections
6970 && !is_host_exempt(&scfg, session.host_ip, /* host_name */ NULL)) {

** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()


_____________________________________________________________________________________________
*** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()
836 for (list_node_t* node = mqtt->client_list.first; node != NULL; node = node->next) {
837 client_t* client = node->data;
838 format_client_info(str, sizeof(str), node->tag, client, client->time);
839 strListPush(&list, str);
840 client_count++;
841 }

CID 631136: (LOCK)
"listUnlock" unlocks "mqtt->client_list.mutex" while it is unlocked. 842 listUnlock(&mqtt->client_list);

843 char* buf = NULL;
844 if (client_count > 0) {
845 size_t buflen = client_count * MAX_CLIENT_STRLEN * 2; 846 buf = malloc(buflen);
847 strListJoin(list, buf, buflen, "\n");
/mqtt.c: 814 in mqtt_client_on()
808
809 listLock(&mqtt->client_list);
810 if (on) {
811 if (update) {
812 list_node_t* node;
813

CID 631136: (LOCK)
"listFindNode" locks "mqtt->client_list.mutex" while it is locked.

814 if ((node = listFindTaggedNode(&mqtt->client_list, sock)) != NULL) {
815 memcpy(node->data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/update", str);
818 }
819 } else {
/mqtt.c: 825 in mqtt_client_on()
819 } else {
820 listAddNodeData(&mqtt->client_list, client, sizeof(client_t), sock, LAST_NODE);
821 format_client_info(str, sizeof(str), sock, client, client->time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/connect", str);
823 }
824 } else {

CID 631136: (LOCK)
"listRemoveTaggedNode" locks "mqtt->client_list.mutex" while it is locked.

825 client = listRemoveTaggedNode(&mqtt->client_list, sock, /* free_data: */ false);
826 if (client != NULL) {
827 format_client_info(str, sizeof(str), sock, client, time(NULL));
828 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/disconnect", str);
829 FREE_AND_NULL(client);
830 }
/mqtt.c: 820 in mqtt_client_on()
814 if ((node = listFindTaggedNode(&mqtt->client_list, sock)) != NULL) {
815 memcpy(node->data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/update", str);
818 }
819 } else {

CID 631136: (LOCK)
"listAddNodeData" locks "mqtt->client_list.mutex" while it is locked. 820 listAddNodeData(&mqtt->client_list, client, sizeof(client_t), sock, LAST_NODE);

821 format_client_info(str, sizeof(str), sock, client, client->time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/connect", str);
823 }
824 } else {
825 client = listRemoveTaggedNode(&mqtt->client_list, sock, /* free_data: */ false);

** CID 631135: Uninitialized variables (UNINIT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()


_____________________________________________________________________________________________
*** CID 631135: Uninitialized variables (UNINIT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf && saltsz && *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp < saltLength)
3693 cp = saltLength;
3694 if (cp)

CID 631135: Uninitialized variables (UNINIT)
Using uninitialized value "*salt" when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]

3695 memcpy(saltBuf, salt, cp);
3696 if (cp < *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;

** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()


_____________________________________________________________________________________________
*** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");

CID 631134: Program hangs (LOCK)
Returning without unlocking "startup->login_attempt_list->mutex".

1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
1195 char details[128];

** CID 631133: Program hangs (LOCK)


_____________________________________________________________________________________________
*** CID 631133: Program hangs (LOCK)
/userdat.c: 4303 in loginFailure()
4297 if (pass != NULL)
4298 SAFECOPY(attempt->pass, pass);
4299 attempt->count++;
4300 count = attempt->count - attempt->dupes;
4301 if (node == NULL) {
4302 attempt->first = attempt->time;

CID 631133: Program hangs (LOCK)
"listAddNodeData" locks "list->mutex" while it is locked.

4303 listPushNodeData(list, attempt, sizeof(login_attempt_t));
4304 }
4305 listUnlock(list);
4306
4307 if (details != NULL)
4308 *details = *attempt;

** CID 631132: Control flow issues (NO_EFFECT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()


_____________________________________________________________________________________________
*** CID 631132: Control flow issues (NO_EFFECT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()
3624 buffer = malloc(bufferSize);
3625 if (buffer == NULL)
3626 goto done;
3627 size_t lines = 0;
3628 while(!feof(fp)) {
3629 size_t rret = fread(buffer, 1, bufferSize, fp);

CID 631132: Control flow issues (NO_EFFECT)
This less-than-zero comparison of an unsigned value is never true. "rret < 0UL".

3630 if (rret < 0 || rret > INT_MAX)
3631 goto done;
3632 if ((streamCipher && rret > 0) || rret == bufferSize) { 3633 size_t bufpos = 0;
3634 status = cryptDecrypt(ctx, buffer, rret);
3635 if (cryptStatusError(status))

** CID 631131: (SLEEP)
/websrvr.c: 6948 in http_session_thread()


_____________________________________________________________________________________________
*** CID 631131: (SLEEP)
/websrvr.c: 6911 in http_session_thread()
6905 }
6906
6907 login_attempt_t attempted;
6908 ulong banned = loginBanned(&scfg, startup->login_attempt_list, session.socket, host_name, startup->login_attempt, &attempted);
6909
6910 /* host_ip wasn't defined in http_session_thread */

CID 631131: (SLEEP)
Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".

6911 if (banned || trashcan2(&scfg, session.host_ip, NULL, "ip", &trash)) {
6912 if (banned) {
6913 char ban_duration[128];
6914 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
6915 , session.socket, session.client.protocol
6916 , session.host_ip, attempted.count - attempted.dupes, attempted.user
/websrvr.c: 7055 in http_session_thread()
7049 }
7050 /* At this point, if redirp is non-NULL then the headers have already been parsed */
7051 if ((session.http_ver < HTTP_1_0) || redirp != NULL || parse_headers(&session)) {
7052 if (check_request(&session)) { 7053 if (session.req.send_location < MOVED_TEMP || session.req.virtual_path[0] != '/' || loop_count++ >= MAX_REDIR_LOOPS) {
7054 if (read_post_data(&session))

CID 631131: (SLEEP)
Call to "respond" might sleep while holding lock "startup->login_attempt_list->mutex".

7055 respond(&session);
7056 }
7057 else {
7058 if (!session.redir_req[0]) {
7059 safe_snprintf(session.redir_req, sizeof(session.redir_req), "%s %s%s%s", methods[session.req.method]
7060 , session.req.virtual_path, session.http_ver < HTTP_1_0?"":" ", http_vers[session.http_ver]);
/websrvr.c: 6948 in http_session_thread()
6942 client_on(session.socket, &session.client, /* update existing client record? */ false);
6943
6944 if (startup->login_attempt.throttle
6945 && (login_attempts = loginAttempts(startup->login_attempt_list, &session.addr)) > 1) {
6946 lprintf(LOG_DEBUG, "%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)"
6947 , socket, session.client.protocol, session.host_ip, login_attempts);

CID 631131: (SLEEP)
Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".

6948 mswait(login_attempts * startup->login_attempt.throttle);
6949 }
6950
6951 session.last_user_num = -1;
6952 session.last_js_user_num = -1;
6953 session.logon_time = 0;

** CID 631130: Null pointer dereferences (FORWARD_NULL)


_____________________________________________________________________________________________
*** CID 631130: Null pointer dereferences (FORWARD_NULL)
/un_rep.cpp: 538 in sbbs_t::unpack_rep(char *)()
532 iniFreeStringList(voting);
533
534 strListFree(&msg_filters.ip_can);
535 strListFree(&msg_filters.host_can);
536 strListFree(&msg_filters.subject_can);
537 strListFree(&msg_filters.twit_list);

CID 631130: Null pointer dereferences (FORWARD_NULL)
Passing "&user_list" to "listFree", which dereferences null "user_list.sem".

538 listFree(&user_list);
539
540 if (lastsub != INVALID_SUB)
541 smb_close(&smb);
542 fclose(rep);
543

** CID 631129: Memory - corruptions (OVERRUN) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()


_____________________________________________________________________________________________
*** CID 631129: Memory - corruptions (OVERRUN) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf && saltsz && *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp < saltLength)
3693 cp = saltLength;
3694 if (cp)

CID 631129: Memory - corruptions (OVERRUN)
Overrunning array "salt" of 64 bytes by passing it to a function which accesses it at byte offset 64 using argument "cp" (which evaluates to 65). [Note: The source code implementation of the function has been overridden by a builtin model.]

3695 memcpy(saltBuf, salt, cp);
3696 if (cp < *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


----==_mimepart_68e2993ee711b_9d27f2d5dd76db9a859454
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 18</li>
<li><strong>Defects Shown:</strong> Showing 18 of 18 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631146: Program hangs (LOCK)


_____________________________________________________________________________________________
*** CID 631146: Program hangs (LOCK)
/userdat.c: 4189 in loginAttemptListCount()
4183 long loginAttemptListCount(link_list_t* list)
4184 {
4185 long count;
4186
4187 if (!listLock(list))
4188 return -1;
&gt;&gt;&gt; CID 631146: Program hangs (LOCK)
&gt;&gt;&gt; &quot;listCountNodes&quot; locks &quot;list-&gt;mutex&quot; while it is locked.
4189 count = listCountNodes(list);
4190 listUnlock(list);
4191 return count;
4192 }
4193
4194 /****************************************************************************/

** CID 631145: Program hangs (SLEEP)


_____________________________________________________________________________________________
*** CID 631145: Program hangs (SLEEP)
/userdat.c: 4358 in loginBanned()
4352 listUnlock(list);
4353 if (node == NULL)
4354 return 0;
4355 attempt = node-&gt;data;
4356 SAFECOPY(name, attempt-&gt;user);
4357 truncstr(name, &quot;@&quot;);
&gt;&gt;&gt; CID 631145: Program hangs (SLEEP)
&gt;&gt;&gt; Call to &quot;trashcan&quot; might sleep while holding lock &quot;list-&gt;mutex&quot;.
4358 if (((settings.tempban_threshold &amp;&amp; (attempt-&gt;count - attempt-&gt;dupes) &gt;= settings.tempban_threshold)
4359 || trashcan(cfg, name, &quot;name&quot;)) &amp;&amp; now &lt; (time32_t)(attempt-&gt;time + settings.tempban_duration)) {
4360 if (details != NULL)
4361 *details = *attempt;
4362 return settings.tempban_duration - (now - attempt-&gt;time);
4363 }

** CID 631144: Program hangs (LOCK)


_____________________________________________________________________________________________
*** CID 631144: Program hangs (LOCK)
/sbbscon.c: 654 in client_on()
648 {
649 if (on) {
650 if (update) {
651 list_node_t* node;
652
653 listLock(&amp;client_list);
&gt;&gt;&gt; CID 631144: Program hangs (LOCK)
&gt;&gt;&gt; &quot;listFindNode&quot; locks &quot;client_list.mutex&quot; while it is locked.
654 if ((node = listFindTaggedNode(&amp;client_list, sock)) != NULL)
655 memcpy(node-&gt;data, client, sizeof(client_t));
656 listUnlock(&amp;client_list);
657 } else {
658 served++;
659 listAddNodeData(&amp;client_list, client, sizeof(client_t), sock, LAST_NODE);

** CID 631143: (SLEEP)
/mailsrvr.c: 1225 in pop3_client_thread()


_____________________________________________________________________________________________
*** CID 631143: (SLEEP)
/mailsrvr.c: 1241 in pop3_client_thread()
1235
1236 srand((unsigned int)(time(NULL) ^ (time_t)GetCurrentThreadId())); /* seed random number generator */
1237 (void)rand(); /* throw-away first result */
1238 safe_snprintf(challenge, sizeof(challenge), &quot;&lt;%x%x%lx%lx@%.128s&gt;&quot;
1239 , rand(), socket, (ulong)time(NULL), (ulong)clock(), server_host_name());
1240
&gt;&gt;&gt; CID 631143: (SLEEP)
&gt;&gt;&gt; Call to &quot;sockprintf&quot; might sleep while holding lock &quot;startup-&gt;login_attempt_list-&gt;mutex&quot;.
1241 sockprintf(socket, client.protocol, session, &quot;+OK Synchronet %s Server %s%c-%s Ready %s&quot;
1242 , client.protocol, VERSION, REVISION, PLATFORM_DESC, challenge);
1243
1244 /* Requires USER or APOP command first */
1245 for (i = 5; i; i--) {
1246 if (!sockgetrsp(socket, client.protocol, session, NULL, buf, sizeof(buf)))
/mailsrvr.c: 1225 in pop3_client_thread()
1219 client_on(socket, &amp;client, FALSE /* update */);
1220
1221 if (startup-&gt;login_attempt.throttle
1222 &amp;&amp; (login_attempts = loginAttempts(startup-&gt;login_attempt_list, &amp;pop3-&gt;client_addr)) &gt; 1) {
1223 lprintf(LOG_DEBUG, &quot;%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)&quot;
1224 , socket, client.protocol, host_ip, login_attempts);
&gt;&gt;&gt; CID 631143: (SLEEP)
&gt;&gt;&gt; Call to &quot;nanosleep&quot; might sleep while holding lock &quot;startup-&gt;login_attempt_list-&gt;mutex&quot;.
1225 mswait(login_attempts * startup-&gt;login_attempt.throttle);
1226 }
1227
1228 mail = NULL;
1229
1230 do {
/mailsrvr.c: 1189 in pop3_client_thread()
1183 ulong banned = loginBanned(&amp;scfg, startup-&gt;login_attempt_list, socket, host_name, startup-&gt;login_attempt, &amp;attempted);
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, &quot;%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s&quot;
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
&gt;&gt;&gt; CID 631143: (SLEEP)
&gt;&gt;&gt; Call to &quot;sockprintf&quot; might sleep while holding lock &quot;startup-&gt;login_attempt_list-&gt;mutex&quot;.
1189 sockprintf(socket, client.protocol, session, &quot;-ERR Access denied.&quot;);
1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&amp;scfg, host_ip, NULL, &quot;ip&quot;, &amp;trash)) {
1194 if (!trash.quiet) {
/mailsrvr.c: 1323 in pop3_client_thread()
1317 if ((p = strstr(username, NO_SPAM)) != NULL) {
1318 *p = 0;
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {
&gt;&gt;&gt; CID 631143: (SLEEP)
&gt;&gt;&gt; Call to &quot;sockprintf&quot; might sleep while holding lock &quot;startup-&gt;login_attempt_list-&gt;mutex&quot;.
1323 sockprintf(socket, client.protocol, session, &quot;+OK&quot;);
1324 if (!sockgetrsp(socket, client.protocol, session, &quot;PASS &quot;, buf, sizeof(buf))) {
1325 sockprintf(socket, client.protocol, session, &quot;-ERR PASS command expected&quot;);
1326 break;
1327 }
1328 p = buf + 5;
/mailsrvr.c: 1325 in pop3_client_thread()
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {
1323 sockprintf(socket, client.protocol, session, &quot;+OK&quot;);
1324 if (!sockgetrsp(socket, client.protocol, session, &quot;PASS &quot;, buf, sizeof(buf))) {
&gt;&gt;&gt; CID 631143: (SLEEP)
&gt;&gt;&gt; Call to &quot;sockprintf&quot; might sleep while holding lock &quot;startup-&gt;login_attempt_list-&gt;mutex&quot;.
1325 sockprintf(socket, client.protocol, session, &quot;-ERR PASS command expected&quot;);
1326 break;
1327 }
1328 p = buf + 5;
1329 SKIP_WHITESPACE(p);
1330 SAFECOPY(password, p);
/mailsrvr.c: 1193 in pop3_client_thread()
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, &quot;-ERR Access denied.&quot;);
1190 return false;
1191 }
1192 struct trash trash;
&gt;&gt;&gt; CID 631143: (SLEEP)
&gt;&gt;&gt; Call to &quot;trashcan2&quot; might sleep while holding lock &quot;startup-&gt;login_attempt_list-&gt;mutex&quot;.
1193 if (trashcan2(&amp;scfg, host_ip, NULL, &quot;ip&quot;, &amp;trash)) {
1194 if (!trash.quiet) {
1195 char details[128];
1196 lprintf(LOG_NOTICE, &quot;%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s&quot;, socket, client.protocol, host_ip, trash_details(&amp;trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, &quot;-ERR Access denied.&quot;);
/mailsrvr.c: 1201 in pop3_client_thread()
1195 char details[128];
1196 lprintf(LOG_NOTICE, &quot;%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s&quot;, socket, client.protocol, host_ip, trash_details(&amp;trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, &quot;-ERR Access denied.&quot;);
1199 return false;
1200 }
&gt;&gt;&gt; CID 631143: (SLEEP)
&gt;&gt;&gt; Call to &quot;trashcan2&quot; might sleep while holding lock &quot;startup-&gt;login_attempt_list-&gt;mutex&quot;.
1201 if (trashcan2(&amp;scfg, host_name, NULL, &quot;host&quot;, &amp;trash)) {
1202 if (!trash.quiet) {
1203 char details[128];
1204 lprintf(LOG_NOTICE, &quot;%04d %-5s [%s] !CLIENT BLOCKED in host.can: %s %s&quot;
1205 , socket, client.protocol, host_ip, host_name, trash_details(&amp;trash, details, sizeof details));
1206 }

** CID 631142: Null pointer dereferences (FORWARD_NULL)


_____________________________________________________________________________________________
*** CID 631142: Null pointer dereferences (FORWARD_NULL)
/un_qwk.cpp: 380 in sbbs_t::unpack_qwk(char *, unsigned int)()
374 iniFreeStringList(voting);
375
376 strListFree(&amp;msg_filters.ip_can);
377 strListFree(&amp;msg_filters.host_can);
378 strListFree(&amp;msg_filters.subject_can);
379 strListFree(&amp;msg_filters.twit_list);
&gt;&gt;&gt; CID 631142: Null pointer dereferences (FORWARD_NULL) &gt;&gt;&gt; Passing &quot;&amp;user_list&quot; to &quot;listFree&quot;, which dereferences null &quot;user_list.sem&quot;.
380 listFree(&amp;user_list);
381
382 delfiles(cfg.temp_dir, &quot;*.NDX&quot;);
383 SAFEPRINTF(str, &quot;%sMESSAGES.DAT&quot;, cfg.temp_dir);
384 removecase(str);
385 SAFEPRINTF(str, &quot;%sDOOR.ID&quot;, cfg.temp_dir);

** CID 631141: Program hangs (LOCK)


_____________________________________________________________________________________________
*** CID 631141: Program hangs (LOCK)
/userdat.c: 4264 in loginSuccess()
4258 list_node_t* node;
4259
4260 if (addr-&gt;addr.sa_family != AF_INET &amp;&amp; addr-&gt;addr.sa_family != AF_INET6)
4261 return;
4262 listLock(list);
4263 if ((node = login_attempted(list, addr)) != NULL)
&gt;&gt;&gt; CID 631141: Program hangs (LOCK)
&gt;&gt;&gt; &quot;listRemoveNode&quot; locks &quot;list-&gt;mutex&quot; while it is locked.
4264 listRemoveNode(list, node, /* freeData: */ true);
4265 listUnlock(list);
4266 }
4267
4268 /****************************************************************************/
4269 /* Returns number of *unique* login attempts (excludes consecutive dupes) */

** CID 631140: (LOCK)
/userdat.c: 4206 in loginAttemptListClear()


_____________________________________________________________________________________________
*** CID 631140: (LOCK)
/userdat.c: 4204 in loginAttemptListClear()
4198 long loginAttemptListClear(link_list_t* list)
4199 {
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;
&gt;&gt;&gt; CID 631140: (LOCK)
&gt;&gt;&gt; &quot;listCountNodes&quot; locks &quot;list-&gt;mutex&quot; while it is locked.
4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);
4206 listUnlock(list);
4207 return count;
4208 }
4209
/userdat.c: 4206 in loginAttemptListClear()
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;
4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);
&gt;&gt;&gt; CID 631140: (LOCK)
&gt;&gt;&gt; &quot;listUnlock&quot; unlocks &quot;list-&gt;mutex&quot; while it is unlocked.
4206 listUnlock(list);
4207 return count;
4208 }
4209
4210 /****************************************************************************/
4211 static list_node_t* login_attempted(link_list_t* list, const union xp_sockaddr* addr)

** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()


_____________________________________________________________________________________________
*** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()
1613 client_on(socket, &amp;client, false /* update */);
1614
1615 if (startup-&gt;login_attempt.throttle
1616 &amp;&amp; (login_attempts = loginAttempts(startup-&gt;login_attempt_list, &amp;service_client.addr)) &gt; 1) {
1617 lprintf(LOG_DEBUG, &quot;%04d %s Throttling suspicious connection from: %s (%lu login attempts)&quot;
1618 , socket, service-&gt;protocol, client.addr, login_attempts);
&gt;&gt;&gt; CID 631139: Program hangs (SLEEP)
&gt;&gt;&gt; Call to &quot;nanosleep&quot; might sleep while holding lock &quot;startup-&gt;login_attempt_list-&gt;mutex&quot;.
1619 mswait(login_attempts * startup-&gt;login_attempt.throttle);
1620 }
1621
1622 /* RUN SCRIPT */
1623 if (strpbrk(service-&gt;cmd, &quot;/\\&quot;) == NULL)
1624 SAFEPRINTF2(cmd, &quot;%s%s&quot;, scfg.exec_dir, service-&gt;cmd);

** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()


_____________________________________________________________________________________________
*** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()
1645 lprintf(LOG_INFO, &quot;%04d %s service thread terminated (%lu clients remain, %lu total, %lu served)&quot;
1646 , socket, service-&gt;protocol, remain, active_clients(), service-&gt;served);
1647
1648 client_off(socket);
1649 close_socket(socket);
1650 closesocket(socket_dup); /* close duplicate handle */ &gt;&gt;&gt; CID 631138: Program hangs (LOCK)
&gt;&gt;&gt; Returning without unlocking &quot;startup-&gt;login_attempt_list-&gt;mutex&quot;.
1651 }
1652
1653
1654 void services_terminate(void)
1655 {
1656 uint32_t i;

** CID 631137: Program hangs (ORDER_REVERSAL)


_____________________________________________________________________________________________
*** CID 631137: Program hangs (ORDER_REVERSAL)
/websrvr.c: 6965 in http_session_thread()
6959 */
6960 session.req.method = HTTP_GET;
6961 session.http_ver = HTTP_1_0;
6962 if (startup-&gt;max_clients &amp;&amp; client_count &gt; startup-&gt;max_clients) {
6963 lprintf(LOG_WARNING, &quot;%04d %-5s [%s] !MAXIMUM CLIENTS (%u) exceeded by %u, access denied&quot;
6964 , socket, session.client.protocol, session.host_ip, startup-&gt;max_clients, client_count - startup-&gt;max_clients);
&gt;&gt;&gt; CID 631137: Program hangs (ORDER_REVERSAL) &gt;&gt;&gt; Calling &quot;send_error&quot; acquires lock &quot;jsrt_mutex&quot; while holding lock &quot;link_list.mutex&quot; (count: 1 / 5).
6965 send_error(&amp;session, __LINE__, error_503);
6966 session.finished = true;
6967 } else {
6968 uint connections = listCountMatches(&amp;current_connections, session.host_ip, strlen(session.host_ip) + 1);
6969 if (startup-&gt;max_concurrent_connections &gt; 0 &amp;&amp; connections &gt; startup-&gt;max_concurrent_connections
6970 &amp;&amp; !is_host_exempt(&amp;scfg, session.host_ip, /* host_name */ NULL)) {

** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()


_____________________________________________________________________________________________
*** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()
836 for (list_node_t* node = mqtt-&gt;client_list.first; node != NULL; node = node-&gt;next) {
837 client_t* client = node-&gt;data;
838 format_client_info(str, sizeof(str), node-&gt;tag, client, client-&gt;time);
839 strListPush(&amp;list, str);
840 client_count++;
841 }
&gt;&gt;&gt; CID 631136: (LOCK)
&gt;&gt;&gt; &quot;listUnlock&quot; unlocks &quot;mqtt-&gt;client_list.mutex&quot; while it is unlocked.
842 listUnlock(&amp;mqtt-&gt;client_list);
843 char* buf = NULL;
844 if (client_count &gt; 0) {
845 size_t buflen = client_count * MAX_CLIENT_STRLEN * 2; 846 buf = malloc(buflen);
847 strListJoin(list, buf, buflen, &quot;\n&quot;); /mqtt.c: 814 in mqtt_client_on()
808
809 listLock(&amp;mqtt-&gt;client_list);
810 if (on) {
811 if (update) {
812 list_node_t* node;
813
&gt;&gt;&gt; CID 631136: (LOCK)
&gt;&gt;&gt; &quot;listFindNode&quot; locks &quot;mqtt-&gt;client_list.mutex&quot; while it is locked.
814 if ((node = listFindTaggedNode(&amp;mqtt-&gt;client_list, sock)) != NULL) {
815 memcpy(node-&gt;data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, &quot;client/action/update&quot;, str);
818 }
819 } else {
/mqtt.c: 825 in mqtt_client_on()
819 } else {
820 listAddNodeData(&amp;mqtt-&gt;client_list, client, sizeof(client_t), sock, LAST_NODE);
821 format_client_info(str, sizeof(str), sock, client, client-&gt;time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, &quot;client/action/connect&quot;, str);
823 }
824 } else {
&gt;&gt;&gt; CID 631136: (LOCK)
&gt;&gt;&gt; &quot;listRemoveTaggedNode&quot; locks &quot;mqtt-&gt;client_list.mutex&quot; while it is locked.
825 client = listRemoveTaggedNode(&amp;mqtt-&gt;client_list, sock, /* free_data: */ false);
826 if (client != NULL) {
827 format_client_info(str, sizeof(str), sock, client, time(NULL));
828 mqtt_pub_strval(mqtt, TOPIC_SERVER, &quot;client/action/disconnect&quot;, str);
829 FREE_AND_NULL(client);
830 }
/mqtt.c: 820 in mqtt_client_on()
814 if ((node = listFindTaggedNode(&amp;mqtt-&gt;client_list, sock)) != NULL) {
815 memcpy(node-&gt;data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, &quot;client/action/update&quot;, str);
818 }
819 } else {
&gt;&gt;&gt; CID 631136: (LOCK)
&gt;&gt;&gt; &quot;listAddNodeData&quot; locks &quot;mqtt-&gt;client_list.mutex&quot; while it is locked.
820 listAddNodeData(&amp;mqtt-&gt;client_list, client, sizeof(client_t), sock, LAST_NODE);
821 format_client_info(str, sizeof(str), sock, client, client-&gt;time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, &quot;client/action/connect&quot;, str);
823 }
824 } else {
825 client = listRemoveTaggedNode(&amp;mqtt-&gt;client_list, sock, /* free_data: */ false);

** CID 631135: Uninitialized variables (UNINIT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()


_____________________________________________________________________________________________
*** CID 631135: Uninitialized variables (UNINIT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf &amp;&amp; saltsz &amp;&amp; *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp &lt; saltLength)
3693 cp = saltLength;
3694 if (cp)
&gt;&gt;&gt; CID 631135: Uninitialized variables (UNINIT) &gt;&gt;&gt; Using uninitialized value &quot;*salt&quot; when calling &quot;memcpy&quot;. [Note: The source code implementation of the function has been overridden by a builtin model.]
3695 memcpy(saltBuf, salt, cp);
3696 if (cp &lt; *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;

** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()


_____________________________________________________________________________________________
*** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, &quot;%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s&quot;
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, &quot;-ERR Access denied.&quot;);
&gt;&gt;&gt; CID 631134: Program hangs (LOCK)
&gt;&gt;&gt; Returning without unlocking &quot;startup-&gt;login_attempt_list-&gt;mutex&quot;.
1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&amp;scfg, host_ip, NULL, &quot;ip&quot;, &amp;trash)) {
1194 if (!trash.quiet) {
1195 char details[128];

** CID 631133: Program hangs (LOCK)


_____________________________________________________________________________________________
*** CID 631133: Program hangs (LOCK)
/userdat.c: 4303 in loginFailure()
4297 if (pass != NULL)
4298 SAFECOPY(attempt-&gt;pass, pass);
4299 attempt-&gt;count++;
4300 count = attempt-&gt;count - attempt-&gt;dupes;
4301 if (node == NULL) {
4302 attempt-&gt;first = attempt-&gt;time;
&gt;&gt;&gt; CID 631133: Program hangs (LOCK)
&gt;&gt;&gt; &quot;listAddNodeData&quot; locks &quot;list-&gt;mutex&quot; while it is locked.
4303 listPushNodeData(list, attempt, sizeof(login_attempt_t));
4304 }
4305 listUnlock(list);
4306
4307 if (details != NULL)
4308 *details = *attempt;

** CID 631132: Control flow issues (NO_EFFECT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()


_____________________________________________________________________________________________
*** CID 631132: Control flow issues (NO_EFFECT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()
3624 buffer = malloc(bufferSize);
3625 if (buffer == NULL)
3626 goto done;
3627 size_t lines = 0;
3628 while(!feof(fp)) {
3629 size_t rret = fread(buffer, 1, bufferSize, fp); &gt;&gt;&gt; CID 631132: Control flow issues (NO_EFFECT) &gt;&gt;&gt; This less-than-zero comparison of an unsigned value is never true. &quot;rret &lt; 0UL&quot;.
3630 if (rret &lt; 0 || rret &gt; INT_MAX)
3631 goto done;
3632 if ((streamCipher &amp;&amp; rret &gt; 0) || rret == bufferSize) {
3633 size_t bufpos = 0;
3634 status = cryptDecrypt(ctx, buffer, rret);
3635 if (cryptStatusError(status))

** CID 631131: (SLEEP)
/websrvr.c: 6948 in http_session_thread()


_____________________________________________________________________________________________
*** CID 631131: (SLEEP)
/websrvr.c: 6911 in http_session_thread()
6905 }
6906
6907 login_attempt_t attempted;
6908 ulong banned = loginBanned(&amp;scfg, startup-&gt;login_attempt_list, session.socket, host_name, startup-&gt;login_attempt, &amp;attempted);
6909
6910 /* host_ip wasn&#39;t defined in http_session_thread */ &gt;&gt;&gt; CID 631131: (SLEEP)
&gt;&gt;&gt; Call to &quot;trashcan2&quot; might sleep while holding lock &quot;startup-&gt;login_attempt_list-&gt;mutex&quot;.
6911 if (banned || trashcan2(&amp;scfg, session.host_ip, NULL, &quot;ip&quot;, &amp;trash)) {
6912 if (banned) {
6913 char ban_duration[128];
6914 lprintf(LOG_NOTICE, &quot;%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s&quot;
6915 , session.socket, session.client.protocol
6916 , session.host_ip, attempted.count - attempted.dupes, attempted.user
/websrvr.c: 7055 in http_session_thread()
7049 }
7050 /* At this point, if redirp is non-NULL then the headers have already been parsed */
7051 if ((session.http_ver &lt; HTTP_1_0) || redirp != NULL || parse_headers(&amp;session)) {
7052 if (check_request(&amp;session)) {
7053 if (session.req.send_location &lt; MOVED_TEMP || session.req.virtual_path[0] != &#39;/&#39; || loop_count++ &gt;= MAX_REDIR_LOOPS) {
7054 if (read_post_data(&amp;session))
&gt;&gt;&gt; CID 631131: (SLEEP)
&gt;&gt;&gt; Call to &quot;respond&quot; might sleep while holding lock &quot;startup-&gt;login_attempt_list-&gt;mutex&quot;.
7055 respond(&amp;session);
7056 }
7057 else {
7058 if (!session.redir_req[0]) {
7059 safe_snprintf(session.redir_req, sizeof(session.redir_req), &quot;%s %s%s%s&quot;, methods[session.req.method]
7060 , session.req.virtual_path, session.http_ver &lt; HTTP_1_0?&quot;&quot;:&quot; &quot;, http_vers[session.http_ver]);
/websrvr.c: 6948 in http_session_thread()
6942 client_on(session.socket, &amp;session.client, /* update existing client record? */ false);
6943
6944 if (startup-&gt;login_attempt.throttle
6945 &amp;&amp; (login_attempts = loginAttempts(startup-&gt;login_attempt_list, &amp;session.addr)) &gt; 1) {
6946 lprintf(LOG_DEBUG, &quot;%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)&quot;
6947 , socket, session.client.protocol, session.host_ip, login_attempts);
&gt;&gt;&gt; CID 631131: (SLEEP)
&gt;&gt;&gt; Call to &quot;nanosleep&quot; might sleep while holding lock &quot;startup-&gt;login_attempt_list-&gt;mutex&quot;.
6948 mswait(login_attempts * startup-&gt;login_attempt.throttle);
6949 }
6950
6951 session.last_user_num = -1;
6952 session.last_js_user_num = -1;
6953 session.logon_time = 0;

** CID 631130: Null pointer dereferences (FORWARD_NULL)


_____________________________________________________________________________________________
*** CID 631130: Null pointer dereferences (FORWARD_NULL)
/un_rep.cpp: 538 in sbbs_t::unpack_rep(char *)()
532 iniFreeStringList(voting);
533
534 strListFree(&amp;msg_filters.ip_can);
535 strListFree(&amp;msg_filters.host_can);
536 strListFree(&amp;msg_filters.subject_can);
537 strListFree(&amp;msg_filters.twit_list);
&gt;&gt;&gt; CID 631130: Null pointer dereferences (FORWARD_NULL) &gt;&gt;&gt; Passing &quot;&amp;user_list&quot; to &quot;listFree&quot;, which dereferences null &quot;user_list.sem&quot;.
538 listFree(&amp;user_list);
539
540 if (lastsub != INVALID_SUB)
541 smb_close(&amp;smb);
542 fclose(rep);
543

** CID 631129: Memory - corruptions (OVERRUN) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()


_____________________________________________________________________________________________
*** CID 631129: Memory - corruptions (OVERRUN) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf &amp;&amp; saltsz &amp;&amp; *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp &lt; saltLength)
3693 cp = saltLength;
3694 if (cp)
&gt;&gt;&gt; CID 631129: Memory - corruptions (OVERRUN) &gt;&gt;&gt; Overrunning array &quot;salt&quot; of 64 bytes by passing it to a function which accesses it at byte offset 64 using argument &quot;cp&quot; (which evaluates to 65). [Note: The source code implementation of the function has been overridden by a builtin model.]
3695 memcpy(saltBuf, salt, cp);
3696 if (cp &lt; *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68e2993ee711b_9d27f2d5dd76db9a859454--


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

----==_mimepart_68e836fea603a_df2962d5dd76db9a85941e
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 631415: (FORWARD_NULL)


_____________________________________________________________________________________________
*** CID 631415: (FORWARD_NULL) /tmp/sbbs-Oct-09-2025/src/conio/bitmap_con.c: 2120 in bitmap_setpixels()
2114 }
2115 if (++cpx >= vstat.charwidth) { 2116 cpx = 0;
2117 charx++;
2118 xupdated = false;
2119 assert(off >= 0);

CID 631415: (FORWARD_NULL)
Passing null pointer "vstat.vmem" to "vmem_next_offset", which dereferences it.

2120 off = vmem_next_offset(vstat.vmem, off);
2121 }
2122 }
2123 if (screena.rect->data[pixel_offset(&screena, x, y)] != pixels->pixels[pos]) {
2124 screena.rect->data[pixel_offset(&screena, x, y)] = pixels->pixels[pos];
2125 screena.update_pixels = 1; /tmp/sbbs-Oct-09-2025/src/conio/bitmap_con.c: 2094 in bitmap_setpixels()
2088 int ccols = vstat.cols * vstat.charwidth;
2089 for (y = sy; y <= ey; y++) {
2090 pos = pixels->width*(y-sy+y_off)+x_off;
2091 bool in_text_area = y < crows;
2092 if (in_text_area && !yupdated) {
2093 charx = charsx;

CID 631415: (FORWARD_NULL)
Passing null pointer "vstat.vmem" to "vmem_cell_offset", which dereferences it.

2094 off = vmem_cell_offset(vstat.vmem, charx, chary);
2095 }
2096 if (mask == NULL) {
2097 for (x = sx; x <= ex; x++) {
2098 if (x >= ccols)
2099 in_text_area = false;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview


----==_mimepart_68e836fea603a_df2962d5dd76db9a85941e
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li>
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631415: (FORWARD_NULL)


_____________________________________________________________________________________________
*** CID 631415: (FORWARD_NULL) /tmp/sbbs-Oct-09-2025/src/conio/bitmap_con.c: 2120 in bitmap_setpixels()
2114 }
2115 if (++cpx &gt;= vstat.charwidth) {
2116 cpx = 0;
2117 charx++;
2118 xupdated = false;
2119 assert(off &gt;= 0); &gt;&gt;&gt; CID 631415: (FORWARD_NULL)
&gt;&gt;&gt; Passing null pointer &quot;vstat.vmem&quot; to &quot;vmem_next_offset&quot;, which dereferences it.
2120 off = vmem_next_offset(vstat.vmem, off);
2121 }
2122 }
2123 if (screena.rect-&gt;data[pixel_offset(&amp;screena, x, y)] != pixels-&gt;pixels[pos]) {
2124 screena.rect-&gt;data[pixel_offset(&amp;screena, x, y)] = pixels-&gt;pixels[pos];
2125 screena.update_pixels = 1; /tmp/sbbs-Oct-09-2025/src/conio/bitmap_con.c: 2094 in bitmap_setpixels()
2088 int ccols = vstat.cols * vstat.charwidth;
2089 for (y = sy; y &lt;= ey; y++) {
2090 pos = pixels-&gt;width*(y-sy+y_off)+x_off;
2091 bool in_text_area = y &lt; crows;
2092 if (in_text_area &amp;&amp; !yupdated) {
2093 charx = charsx;
&gt;&gt;&gt; CID 631415: (FORWARD_NULL)
&gt;&gt;&gt; Passing null pointer &quot;vstat.vmem&quot; to &quot;vmem_cell_offset&quot;, which dereferences it.
2094 off = vmem_cell_offset(vstat.vmem, charx, chary);
2095 }
2096 if (mask == NULL) {
2097 for (x = sx; x &lt;= ex; x++) {
2098 if (x &gt;= ccols)
2099 in_text_area = false;

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68e836fea603a_df2962d5dd76db9a85941e--


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net