Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Coverity CID :203909]Memory - corruptions in /subsys/mgmt/smp_shell.c #18962

Closed
aasthagr opened this issue Sep 6, 2019 · 7 comments
Closed

[Coverity CID :203909]Memory - corruptions in /subsys/mgmt/smp_shell.c #18962

aasthagr opened this issue Sep 6, 2019 · 7 comments
Assignees
@nordic-krch @Mierunski
Labels
area: Shell Shell subsystem bug The issue is a bug, or the PR is fixing a bug Coverity A Coverity detected issue or its fix False positive Coverity identified issue that has been determined to be a false positive priority: medium Medium impact/importance bug

Comments

@aasthagr
Copy link
Collaborator

aasthagr commented Sep 6, 2019

Static code scan issues seen in File: /subsys/mgmt/smp_shell.c
Category: Memory - corruptions
Function: smp_shell_rx_byte
Component: Other
CID: 203909
Please fix or provide comments to square it off in coverity in the link: https://scan9.coverity.com/reports.htm#v32951/p12996
@aasthagr aasthagr added area: Other bug The issue is a bug, or the PR is fixing a bug Coverity A Coverity detected issue or its fix labels Sep 6, 2019
@aasthagr
Copy link
Collaborator Author

aasthagr commented Sep 6, 2019 

*** CID 203909:    (ARRAY_VS_SINGLETON)
/subsys/mgmt/smp_shell.c: 108 in smp_shell_rx_byte()
102     	if (mcumgr_state == SMP_SHELL_MCUMGR_STATE_PAYLOAD && byte == '\n') {
103     		data->mcumgr_buff[data->cur + data->end] = '\0';
104     		data->cmd_rdy = true;
105     		atomic_clear_bit(&data->esc_state, ESC_MCUMGR_PKT_1);
106     		atomic_clear_bit(&data->esc_state, ESC_MCUMGR_PKT_2);
107     		atomic_clear_bit(&data->esc_state, ESC_MCUMGR_FRAG_1);
>>>     CID 203909:    (ARRAY_VS_SINGLETON)
>>>     Passing "&data->esc_state" to function "atomic_clear_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
108     		atomic_clear_bit(&data->esc_state, ESC_MCUMGR_FRAG_2);
109     		data->cur = 0U;
110     		data->end = 0U;
111     	}
112     
113     	return true;
/subsys/mgmt/smp_shell.c: 107 in smp_shell_rx_byte()
101     	}
102     	if (mcumgr_state == SMP_SHELL_MCUMGR_STATE_PAYLOAD && byte == '\n') {
103     		data->mcumgr_buff[data->cur + data->end] = '\0';
104     		data->cmd_rdy = true;
105     		atomic_clear_bit(&data->esc_state, ESC_MCUMGR_PKT_1);
106     		atomic_clear_bit(&data->esc_state, ESC_MCUMGR_PKT_2);
>>>     CID 203909:    (ARRAY_VS_SINGLETON)
>>>     Passing "&data->esc_state" to function "atomic_clear_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
107     		atomic_clear_bit(&data->esc_state, ESC_MCUMGR_FRAG_1);
108     		atomic_clear_bit(&data->esc_state, ESC_MCUMGR_FRAG_2);
109     		data->cur = 0U;
110     		data->end = 0U;
111     	}
112     
/subsys/mgmt/smp_shell.c: 105 in smp_shell_rx_byte()
99     	if (data->cur + data->end < sizeof(data->mcumgr_buff) - 1) {
100     		data->mcumgr_buff[data->cur++] = byte;
101     	}
102     	if (mcumgr_state == SMP_SHELL_MCUMGR_STATE_PAYLOAD && byte == '\n') {
103     		data->mcumgr_buff[data->cur + data->end] = '\0';
104     		data->cmd_rdy = true;
>>>     CID 203909:    (ARRAY_VS_SINGLETON)
>>>     Passing "&data->esc_state" to function "atomic_clear_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
105     		atomic_clear_bit(&data->esc_state, ESC_MCUMGR_PKT_1);
106     		atomic_clear_bit(&data->esc_state, ESC_MCUMGR_PKT_2);
107     		atomic_clear_bit(&data->esc_state, ESC_MCUMGR_FRAG_1);
108     		atomic_clear_bit(&data->esc_state, ESC_MCUMGR_FRAG_2);
109     		data->cur = 0U;
110     		data->end = 0U;

@aescolar
Copy link
Member

aescolar commented Sep 6, 2019

Seems to originate in 8587bb1

@aescolar aescolar added area: Shell Shell subsystem and removed area: Other labels Sep 6, 2019
@aescolar
Copy link
Member

aescolar commented Sep 6, 2019

CC @jakub-uC @nordic-krch

@galak galak added the priority: medium Medium impact/importance bug label Sep 6, 2019
@ioannisg
Copy link
Member

@nordic-krch can you address this bug, for v2.1 Zephyr release?

@nordic-krch
Copy link
Contributor

not sure how to fix it. atomic_clear_bit in fact can clear bit in an array (if second argument is >31) but argument is used from enum in that file (enum smp_shell_esc_mcumgr). If in other places where atomic_clear_bit is used there are no complains maybe the fix is to initialize enum?

enum smp_shell_esc_mcumgr {
	ESC_MCUMGR_PKT_1 = 0,
        ...

?

@d3zd3z
Copy link
Collaborator

d3zd3z commented Dec 10, 2019

I consider this a false positive, and have marked the Coverity issue as such. There are many fewer items in the enum than the 32-bits in the atomic value.

@dleach02 dleach02 added the False positive Coverity identified issue that has been determined to be a false positive label Jan 13, 2020
@ioannisg
Copy link
Member

Closing this since it is already marked as "False positive" and "Action: ignore" in Coverity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nordic-krch nordic-krch

@Mierunski Mierunski

Labels
area: Shell Shell subsystem bug The issue is a bug, or the PR is fixing a bug Coverity A Coverity detected issue or its fix False positive Coverity identified issue that has been determined to be a false positive priority: medium Medium impact/importance bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@d3zd3z @ioannisg @galak @nordic-krch @Mierunski @dleach02 @aescolar @aasthagr