Forum: Sea of Fantasy

New Defects reported by Coverity Scan for Synchronet

From scan-admin@coverity.com@VERT to All on Sun Mar 2 15:12:36 2025

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

2 new defect(s) introduced to Synchronet found with Coverity Scan.
17 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)

** CID 543172: Program hangs (SLEEP)

________________________________________________________________________________________________________
*** CID 543172: Program hangs (SLEEP)
/main.cpp: 3876 in sbbs_t::~sbbs_t()()
3870 fremove(WHERE, syspage_semfile);
3871
3872 /********************************/
3873 /* Free allocated class members */
3874 /********************************/
3875

CID 543172: Program hangs (SLEEP)
Call to "js_cleanup" might sleep while holding lock "this->nodefile_mutex".

3876 js_cleanup();
3877
3878 /* Reset text.dat */
3879
3880 for (i = 0; i < TOTAL_TEXT; i++)
3881 if (text[i] != text_sav[i]) {

** CID 543171: Null pointer dereferences (FORWARD_NULL)

________________________________________________________________________________________________________
*** CID 543171: Null pointer dereferences (FORWARD_NULL)
/main.cpp: 1528 in sbbs_t::js_create_user_objects(JSContext *, JSObject *)() 1522 bool sbbs_t::js_create_user_objects(JSContext* cx, JSObject* glob) 1523 {
1524 bool result = false;
1525 if (cx != NULL) {
1526 JS_BEGINREQUEST(cx);
1527 if (!js_CreateUserObjects(cx, glob, &cfg, &useron, &client, startup == NULL ? NULL :startup->web_file_vpath_prefix, subscan, mqtt))

CID 543171: Null pointer dereferences (FORWARD_NULL)
"errprintf" dereferences null "this->startup".

1528 errprintf(LOG_ERR, WHERE, "!JavaScript ERROR creating user objects");
1529 else
1530 result = true;
1531 JS_ENDREQUEST(cx);
1532 }
1533 return result;

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Mon Mar 10 15:09:45 2025

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 544155: Error handling issues (CHECKED_RETURN)
/ssl.c: 540 in get_ssl_cert()

________________________________________________________________________________________________________
*** CID 544155: Error handling issues (CHECKED_RETURN)
/ssl.c: 540 in get_ssl_cert()
534 size_t backoff_ms = 1;
535 unsigned loops = 0;
536 while (cert_entry->cert == -1) {
537 assert_pthread_mutex_lock(&get_ssl_cert_mutex);
538 /* Get the certificate... first try loading it from a file... */
539 if (cryptStatusOK(cryptKeysetOpen(&ssl_keyset, CRYPT_UNUSED, CRYPT_KEYSET_FILE, cert_path, CRYPT_KEYOPT_READONLY))) {

CID 544155: Error handling issues (CHECKED_RETURN)
Calling "log_cryptlib_error" without checking return value (as is done elsewhere 16 out of 17 times).

540 DO("getting private key", ssl_keyset, cryptGetPrivateKey(ssl_keyset, &cert_entry->cert, CRYPT_KEYID_NAME, "ssl_cert", cfg->sys_pass));
541 cryptKeysetClose(ssl_keyset);
542 }
543 if (cert_entry->cert == -1) {
544 lprintf(LOG_WARNING, "Failed to open/read TLS certificate: %s", cert_path);
545 if (cfg->create_self_signed_cert) {

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Sun Mar 30 13:06:10 2025

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

5 new defect(s) introduced to Synchronet found with Coverity Scan.
6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)

** CID 548252: Error handling issues (NEGATIVE_RETURNS)
/writemsg.cpp: 709 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)()

________________________________________________________________________________________________________
*** CID 548252: Error handling issues (NEGATIVE_RETURNS)
/writemsg.cpp: 709 in sbbs_t::writemsg(const char *, const char *, char *, int, int, const char *, const char *, const char **, const char **)()
703 buf[0] = 0;
704 if (linesquoted || draft_restored) {
705 if ((file = nopen(msgtmp, O_RDONLY)) != -1) { 706 length = (long)filelength(file);
707 l = length > (int)(cfg.level_linespermsg[useron_level] * MAX_LINE_LEN) - 1
708 ? (cfg.level_linespermsg[useron_level] * MAX_LINE_LEN) - 1 : length;

CID 548252: Error handling issues (NEGATIVE_RETURNS)
"l" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]

709 if (read(file, buf, l) != l)
710 l = 0;
711 buf[l] = 0;
712 close(file);
713 // remove(msgtmp);
714 }

** CID 548251: Incorrect expression (SIZEOF_MISMATCH)
/xtrn.cpp: 1621 in sbbs_t::external(const char *, int, const char *)()

________________________________________________________________________________________________________
*** CID 548251: Incorrect expression (SIZEOF_MISMATCH)
/xtrn.cpp: 1621 in sbbs_t::external(const char *, int, const char *)()
1615 return -1;
1616 }
1617
1618 if ((mode & EX_STDIO) == EX_STDIO) {
1619 struct winsize winsize;
1620 struct termios termio;

CID 548251: Incorrect expression (SIZEOF_MISMATCH)
Passing argument "&termio" of type "termios *" and argument "8UL" ("sizeof (this->term)") to function "memset" is suspicious because "sizeof (termios) /*60*/" is expected.

1621 memset(&termio, 0, sizeof(term));
1622 cfsetispeed(&termio, B19200);
1623 cfsetospeed(&termio, B19200);
1624 if (mode & EX_BIN)
1625 cfmakeraw(&termio);
1626 else {

** CID 548250: Control flow issues (NO_EFFECT)
/terminal.cpp: 31 in Terminal::scroll_hotspots(unsigned int)()

________________________________________________________________________________________________________
*** CID 548250: Control flow issues (NO_EFFECT)
/terminal.cpp: 31 in Terminal::scroll_hotspots(unsigned int)()
25 unsigned spots = 0;
26 unsigned remain = 0;
27 for (list_node_t* node = mouse_hotspots->first; node != NULL; node = node->next) {
28 struct mouse_hotspot* spot = (struct mouse_hotspot*)node->data; 29 spot->y -= count;
30 spots++;

CID 548250: Control flow issues (NO_EFFECT)
This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "spot->y >= 0U".

31 if (spot->y >= 0)
32 remain++;
33 }
34 #ifdef _DEBUG
35 if (spots)
36 sbbs->lprintf(LOG_DEBUG, "Scrolled %u mouse hot-spots %u rows (%u remain)", spots, count, remain);

** CID 548249: (DEADCODE)
/useredit.cpp: 89 in sbbs_t::useredit(int)()
/useredit.cpp: 89 in sbbs_t::useredit(int)()

________________________________________________________________________________________________________
*** CID 548249: (DEADCODE)
/useredit.cpp: 89 in sbbs_t::useredit(int)()
83 SAFEPRINTF2(user_pass, "%.*s..", (int)(max_len - 2), user.pass);
84 bprintf(text[UeditAliasPassword]
85 , user.alias
86 , datestr(user.pwmod, tmp)
87 , (user.level > useron.level || !(cfg.sys_misc & SM_ECHO_PW)) ? "<hidden>" : user_pass
88 );

CID 548249: (DEADCODE)
Execution cannot reach the expression ""XXXXXXXX"" inside this statement: "this->bprintf(this->text[Ue...".

89 bprintf(text[UeditRealNamePhone]
90 , user.level > useron.level && console & CON_R_ECHO
91 ? "XXXXXXXX" : user.name
92 , user.level > useron.level && console & CON_R_ECHO
93 ? "XXX-XXX-XXXX" : user.phone);
94 bprintf(text[UeditAddressBirthday]
/useredit.cpp: 89 in sbbs_t::useredit(int)()
83 SAFEPRINTF2(user_pass, "%.*s..", (int)(max_len - 2), user.pass);
84 bprintf(text[UeditAliasPassword]
85 , user.alias
86 , datestr(user.pwmod, tmp)
87 , (user.level > useron.level || !(cfg.sys_misc & SM_ECHO_PW)) ? "<hidden>" : user_pass
88 );

CID 548249: (DEADCODE)
Execution cannot reach the expression ""XXX-XXX-XXXX"" inside this statement: "this->bprintf(this->text[Ue...".

89 bprintf(text[UeditRealNamePhone]
90 , user.level > useron.level && console & CON_R_ECHO
91 ? "XXXXXXXX" : user.name
92 , user.level > useron.level && console & CON_R_ECHO
93 ? "XXX-XXX-XXXX" : user.phone);
94 bprintf(text[UeditAddressBirthday]

** CID 548248: Error handling issues (CHECKED_RETURN)
/writemsg.cpp: 1836 in sbbs_t::movemsg(smbmsg_t *, int)()

________________________________________________________________________________________________________
*** CID 548248: Error handling issues (CHECKED_RETURN)
/writemsg.cpp: 1836 in sbbs_t::movemsg(smbmsg_t *, int)()
1830 length = smb_getmsgdatlen(msg);
1831 if ((buf = (char *)malloc(length)) == NULL) {
1832 errormsg(WHERE, ERR_ALLOC, smb.file, length);
1833 return false;
1834 }
1835

CID 548248: Error handling issues (CHECKED_RETURN)
Calling "fseek(this->smb.sdt_fp, msg->hdr.offset, 0)" without checking return value. This library function may fail and return an error code.

1836 fseek(smb.sdt_fp, msg->hdr.offset, SEEK_SET);
1837 if (fread(buf, length, 1, smb.sdt_fp) != 1) {
1838 free(buf);
1839 errormsg(WHERE, ERR_READ, smb.file, length);
1840 return false;
1841 }

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Sat Apr 5 12:46:11 2025

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 548912: Data race undermines locking (LOCK_EVASION)
/answer.cpp: 437 in sbbs_t::answer(bool *)()

________________________________________________________________________________________________________
*** CID 548912: Data race undermines locking (LOCK_EVASION)
/answer.cpp: 437 in sbbs_t::answer(bool *)()
431 activate_ssh = init_sftp(cid);
432 term->cols = 0;
433 term->rows = 0;
434 SAFECOPY(terminal, "sftp");
435 mouse_mode = MOUSE_MODE_OFF;
436 autoterm = 0;

CID 548912: Data race undermines locking (LOCK_EVASION)
Thread1 sets "sys_status" to a new value. Now the two threads have an inconsistent view of "sys_status" and updates to fields correlated with "sys_status" may be lost.

437 sys_status |= SS_USERON;
438 SAFECOPY(client.protocol, "SFTP");
439 SAFECOPY(client.user, useron.alias);
440 client.usernum = useron.number;
441 client_on(client_socket, &client, /* update: */ TRUE);
442 SAFECOPY(connection, client.protocol);

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Fri Apr 11 15:36:53 2025

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

2 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)

** CID 549016: Integer handling issues (INTEGER_OVERFLOW)
/str.cpp: 1194 in sbbs_t::spy(unsigned int)()

________________________________________________________________________________________________________
*** CID 549016: Integer handling issues (INTEGER_OVERFLOW)
/str.cpp: 1194 in sbbs_t::spy(unsigned int)()
1188 && !msgabort()) {
1189 in = incom(1000);
1190 if (in == NOINP) {
1191 gettimeleft();
1192 continue;
1193 }

CID 549016: Integer handling issues (INTEGER_OVERFLOW)
Expression "ch", where "in" is known to be equal to 256, overflows the type of "ch", which is type "char".

1194 ch = in;
1195 if (ch == ESC) {
1196 if (ansi_len)
1197 ansi_len = 0;
1198 else {
1199 if ((in = incom(500)) != NOINP) {

** CID 549015: Uninitialized variables (UNINIT)

________________________________________________________________________________________________________
*** CID 549015: Uninitialized variables (UNINIT)
/js_system.c: 2089 in js_chkpassword()
2083
2084 js_system_private_t* sys;
2085 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
2086 return JS_FALSE;
2087
2088 rc = JS_SUSPENDREQUEST(cx);

CID 549015: Uninitialized variables (UNINIT)
Using uninitialized value "*str" when calling "check_pass".

2089 bool result = check_pass(sys->cfg, str, /* user: */NULL, /* unique: */false, /* reason: */NULL)
2090 && !trashcan(sys->cfg, str, "password"); 2091 JS_SET_RVAL(cx, arglist, BOOLEAN_TO_JSVAL(result));
2092 JS_RESUMEREQUEST(cx, rc);
2093
2094 return JS_TRUE;

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Tue May 20 12:44:44 2025

<!DOCTYPE html>
<html>
<head>
<style>
body {
font-family: Arial, sans-serif;
line-height: 1.6;
}
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff;
background-color: #007bff;
text-decoration: none;
border-radius: 5px;
}
.button:hover {
background-color: #0056b3;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Coverity Scan has identified new defect(s) in the project <strong>Synchronet</strong>.
</p>

<h3>Defect Summary:</h3>
<ul>
<li><strong>New Defects Found:</strong> 2</li>
<li><strong>Defects Fixed:</strong> 1</li>
<li><strong>Defects Displayed:</strong> Showing 2 of 2</li>
</ul>

<p>
To view the full list of defects and take action, click the button below:
</p>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects</a>
</p>

<p>
If you have any questions or need assistance, feel free to contact our support team.
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>

---
* Synchronet * Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Sun Jul 6 12:47:03 2025

----==_mimepart_686a7047ce71_192e802d9f7544199c8471c
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

2 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)

** CID 569480: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1781 in js_notify()

_____________________________________________________________________________________________
*** CID 569480: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1781 in js_notify()
1775 if (msg == NULL)
1776 return JS_TRUE;
1777 }
1778
1779 if (argc > 3 && !JSVAL_NULL_OR_VOID(argv[3])) {
1780 if ((js_str = JS_ValueToString(cx, argv[3])) == NULL) >>> CID 569480: Resource leaks (RESOURCE_LEAK)

Variable "msg" going out of scope leaks the storage it points to.

1781 return JS_FALSE;
1782
1783 JSSTRING_TO_MSTRING(cx, js_str, replyto, NULL);
1784 HANDLE_PENDING(cx, replyto);
1785 if (replyto == NULL)
1786 return JS_TRUE;

** CID 569479: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1793 in js_notify()

_____________________________________________________________________________________________
*** CID 569479: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1793 in js_notify()
1787 }
1788
1789 JSSTRING_TO_MSTRING(cx, js_subj, subj, NULL);
1790 HANDLE_PENDING(cx, subj);
1791 if (subj == NULL) {
1792 free(msg);

CID 569479: Resource leaks (RESOURCE_LEAK)
Variable "replyto" going out of scope leaks the storage it points to. 1793 return JS_TRUE;

1794 }
1795
1796 rc = JS_SUSPENDREQUEST(cx);
1797 ret = notify(sys->cfg, usernumber, subj, msg, replyto) == 0; 1798 free(subj);

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_686a7047ce71_192e802d9f7544199c8471c
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 2</li>
<li><strong>Defects Shown:</strong> Showing 2 of 2 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 569480: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1781 in js_notify()

_____________________________________________________________________________________________
*** CID 569480: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1781 in js_notify()
1775 if (msg == NULL)
1776 return JS_TRUE;
1777 }
1778
1779 if (argc > 3 && !JSVAL_NULL_OR_VOID(argv[3])) {
1780 if ((js_str = JS_ValueToString(cx, argv[3])) == NULL) >>> CID 569480: Resource leaks (RESOURCE_LEAK) >>> Variable "msg" going out of scope leaks the storage it points to.
1781 return JS_FALSE;
1782
1783 JSSTRING_TO_MSTRING(cx, js_str, replyto, NULL);
1784 HANDLE_PENDING(cx, replyto);
1785 if (replyto == NULL)
1786 return JS_TRUE;

** CID 569479: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1793 in js_notify()

_____________________________________________________________________________________________
*** CID 569479: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1793 in js_notify()
1787 }
1788
1789 JSSTRING_TO_MSTRING(cx, js_subj, subj, NULL);
1790 HANDLE_PENDING(cx, subj);
1791 if (subj == NULL) {
1792 free(msg);
>>> CID 569479: Resource leaks (RESOURCE_LEAK) >>> Variable "replyto" going out of scope leaks the storage it points to.
1793 return JS_TRUE;
1794 }
1795
1796 rc = JS_SUSPENDREQUEST(cx);
1797 ret = notify(sys->cfg, usernumber, subj, msg, replyto) == 0; 1798 free(subj);

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_686a7047ce71_192e802d9f7544199c8471c--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Sun Jul 20 12:45:55 2025

----==_mimepart_687ce502ba0a3_2748642bf92199999045dc
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

2 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)

** CID 582443: High impact quality (Y2K38_SAFETY)
/sexyz.c: 1356 in receive_files()

_____________________________________________________________________________________________
*** CID 582443: High impact quality (Y2K38_SAFETY)
/sexyz.c: 1356 in receive_files()
1350 if (!t)
1351 t = 1;
1352 if (zm.file_skipped)
1353 lprintf(LOG_WARNING, "File Skipped");
1354 else if (success)
1355 lprintf(LOG_INFO, "Successful - Time: %s CPS: %lu"

CID 582443: High impact quality (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".

1356 , seconds_to_str((uint)t, tmp), (ulong)(file_bytes / t));
1357 else
1358 lprintf(LOG_ERR, "File Transfer %s"
1359 , zm.local_abort ? "Aborted": zm.cancelled ? "Cancelled":"Failure");
1360
1361 if (!(mode & XMODEM) && ftime)

** CID 582442: (Y2K38_SAFETY)
/sexyz.c: 994 in send_files()
/sexyz.c: 1069 in send_files()

_____________________________________________________________________________________________
*** CID 582442: (Y2K38_SAFETY)
/sexyz.c: 994 in send_files()
988 xm.sent_files++;
989 xm.sent_bytes += fsize;
990 if (zm.file_skipped)
991 lprintf(LOG_WARNING, "File Skipped");
992 else
993 lprintf(LOG_INFO, "Successful - Time: %s CPS: %u"

CID 582442: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".

994 , seconds_to_str((uint)t, tmp)
995 , cps);
996
997 if (xm.total_files - xm.sent_files)
998 lprintf(LOG_INFO, "Remaining - Time: %s Files: %lu KBytes: %" PRId64
999 , seconds_to_str((uint)((xm.total_bytes - xm.sent_bytes) / cps), tmp)
/sexyz.c: 1069 in send_files()
1063 }
1064 if (xm.total_files > 1) {
1065 t = time(NULL) - startall;
1066 if (!t)
1067 t = 1;
1068 lprintf(LOG_INFO, "Overall - Time %s KBytes: %" PRId64 " CPS: %lu"

CID 582442: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".

1069 , seconds_to_str((uint)t, tmp)
1070 , total_bytes / 1024, total_bytes / t); 1071 }
1072 return 0; /* success */
1073 }
1074

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_687ce502ba0a3_2748642bf92199999045dc
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 2</li>
<li><strong>Defects Shown:</strong> Showing 2 of 2 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 582443: High impact quality (Y2K38_SAFETY)
/sexyz.c: 1356 in receive_files()

_____________________________________________________________________________________________
*** CID 582443: High impact quality (Y2K38_SAFETY)
/sexyz.c: 1356 in receive_files()
1350 if (!t)
1351 t = 1;
1352 if (zm.file_skipped)
1353 lprintf(LOG_WARNING, "File Skipped"); 1354 else if (success)
1355 lprintf(LOG_INFO, "Successful - Time: %s CPS: %lu"
>>> CID 582443: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".
1356 , seconds_to_str((uint)t, tmp), (ulong)(file_bytes / t));
1357 else
1358 lprintf(LOG_ERR, "File Transfer %s" 1359 , zm.local_abort ? "Aborted": zm.cancelled ? "Cancelled":"Failure");
1360
1361 if (!(mode & XMODEM) && ftime)

** CID 582442: (Y2K38_SAFETY)
/sexyz.c: 994 in send_files()
/sexyz.c: 1069 in send_files()

_____________________________________________________________________________________________
*** CID 582442: (Y2K38_SAFETY)
/sexyz.c: 994 in send_files()
988 xm.sent_files++;
989 xm.sent_bytes += fsize;
990 if (zm.file_skipped)
991 lprintf(LOG_WARNING, "File Skipped");
992 else
993 lprintf(LOG_INFO, "Successful - Time: %s CPS: %u"
>>> CID 582442: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".
994 , seconds_to_str((uint)t, tmp)
995 , cps);
996
997 if (xm.total_files - xm.sent_files)
998 lprintf(LOG_INFO, "Remaining - Time: %s Files: %lu KBytes: %" PRId64
999 , seconds_to_str((uint)((xm.total_bytes - xm.sent_bytes) / cps), tmp)
/sexyz.c: 1069 in send_files()
1063 }
1064 if (xm.total_files > 1) {
1065 t = time(NULL) - startall;
1066 if (!t)
1067 t = 1;
1068 lprintf(LOG_INFO, "Overall - Time %s KBytes: %" PRId64 " CPS: %lu"
>>> CID 582442: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".
1069 , seconds_to_str((uint)t, tmp)
1070 , total_bytes / 1024, total_bytes / t); 1071 }
1072 return 0; /* success */
1073 }
1074

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_687ce502ba0a3_2748642bf92199999045dc--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Sun Aug 10 14:15:47 2025

----==_mimepart_6898a9938c063_f22012b538a7b399c12567
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 583942: High impact quality (Y2K38_SAFETY)
/userdat.c: 3171 in loginuserdat()

_____________________________________________________________________________________________
*** CID 583942: High impact quality (Y2K38_SAFETY)
/userdat.c: 3171 in loginuserdat()
3165 if (protocol != NULL)
3166 SAFECOPY(user->connection, protocol);
3167 if (hostname != NULL)
3168 SAFECOPY(user->comp, hostname);
3169 if (ipaddr != NULL)
3170 SAFECOPY(user->ipaddr, ipaddr);

CID 583942: High impact quality (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "logontime" is cast to "time32_t".

3171 user->logontime = logontime;
3172
3173 return putuserdat(cfg, user);
3174 }
3175
3176 /****************************************************************************/

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_6898a9938c063_f22012b538a7b399c12567
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li>
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 583942: High impact quality (Y2K38_SAFETY)
/userdat.c: 3171 in loginuserdat()

_____________________________________________________________________________________________
*** CID 583942: High impact quality (Y2K38_SAFETY)
/userdat.c: 3171 in loginuserdat()
3165 if (protocol != NULL)
3166 SAFECOPY(user->connection, protocol);
3167 if (hostname != NULL)
3168 SAFECOPY(user->comp, hostname);
3169 if (ipaddr != NULL)
3170 SAFECOPY(user->ipaddr, ipaddr);
>>> CID 583942: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "logontime" is cast to "time32_t".
3171 user->logontime = logontime;
3172
3173 return putuserdat(cfg, user);
3174 }
3175
3176 /****************************************************************************/

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_6898a9938c063_f22012b538a7b399c12567--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Mon Aug 11 13:57:59 2025

----==_mimepart_6899f6e6bbda6_101b942b538a7b399c1257b
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 583999: (UNINIT)

_____________________________________________________________________________________________
*** CID 583999: (UNINIT)
/file.cpp: 182 in sbbs_t::removefcdt(smbmsg_t *)()
176 if (cfg.dir[f->dir]->misc & DIR_CDTUL)
177 cdt = ((ulong)(f->cost * (cfg.dir[f->dir]->up_pct / 100.0)) / cur_cps) / 60;
178 if (cfg.dir[f->dir]->misc & DIR_CDTDL
179 && f->hdr.times_downloaded) /* all downloads */ 180 cdt += ((ulong)((long)f->hdr.times_downloaded 181 * f->cost * (cfg.dir[f->dir]->dn_pct / 100.0)) / cur_cps) / 60;

CID 583999: (UNINIT)
Using uninitialized value "user.level" when calling "adjustuserval". 182 adjustuserval(&cfg, &user, USER_MIN, -cdt);

183 snprintf(str, sizeof str, "%lu minute", cdt);
184 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
185 , f->name, cdt ? str : text[No]);
186 putsmsg(user.number, tmp);
187 }
/file.cpp: 203 in sbbs_t::removefcdt(smbmsg_t *)()
197 bprintf(text[CreditsToRemove], f->from);
198 getstr(str, 10, K_NUMBER | K_LINE | K_EDIT | K_AUTODEL);
199 if (msgabort(true))
200 return false;
201 cdt = atol(str);
202 }

CID 583999: (UNINIT)
Using uninitialized value "user.level" when calling "adjustuserval". 203 adjustuserval(&cfg, &user, USER_CDT, -cdt);

204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
/file.cpp: 209 in sbbs_t::removefcdt(smbmsg_t *)()
203 adjustuserval(&cfg, &user, USER_CDT, -cdt);
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208

CID 583999: (UNINIT)
Using uninitialized value "user.level" when calling "adjustuserval". 209 adjustuserval(&cfg, &user, USER_ULB, -f->size);

210 adjustuserval(&cfg, &user, USER_ULS, -1);
211 return true;
212 }
213
214 /****************************************************************************/
/file.cpp: 210 in sbbs_t::removefcdt(smbmsg_t *)()
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
209 adjustuserval(&cfg, &user, USER_ULB, -f->size);

CID 583999: (UNINIT)
Using uninitialized value "user.level" when calling "adjustuserval". 210 adjustuserval(&cfg, &user, USER_ULS, -1);

211 return true;
212 }
213
214 /****************************************************************************/
215 /****************************************************************************/

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_6899f6e6bbda6_101b942b538a7b399c1257b
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 583999: (UNINIT)

_____________________________________________________________________________________________
*** CID 583999: (UNINIT)
/file.cpp: 182 in sbbs_t::removefcdt(smbmsg_t *)()
176 if (cfg.dir[f->dir]->misc & DIR_CDTUL)
177 cdt = ((ulong)(f->cost * (cfg.dir[f->dir]->up_pct / 100.0)) / cur_cps) / 60;
178 if (cfg.dir[f->dir]->misc & DIR_CDTDL
179 && f->hdr.times_downloaded) /* all downloads */
180 cdt += ((ulong)((long)f->hdr.times_downloaded
181 * f->cost * (cfg.dir[f->dir]->dn_pct / 100.0)) / cur_cps) / 60;
>>> CID 583999: (UNINIT)
>>> Using uninitialized value "user.level" when calling "adjustuserval".
182 adjustuserval(&cfg, &user, USER_MIN, -cdt);
183 snprintf(str, sizeof str, "%lu minute", cdt); 184 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
185 , f->name, cdt ? str : text[No]);
186 putsmsg(user.number, tmp);
187 }
/file.cpp: 203 in sbbs_t::removefcdt(smbmsg_t *)()
197 bprintf(text[CreditsToRemove], f->from);
198 getstr(str, 10, K_NUMBER | K_LINE | K_EDIT | K_AUTODEL);
199 if (msgabort(true))
200 return false;
201 cdt = atol(str);
202 }
>>> CID 583999: (UNINIT)
>>> Using uninitialized value "user.level" when calling "adjustuserval".
203 adjustuserval(&cfg, &user, USER_CDT, -cdt);
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
/file.cpp: 209 in sbbs_t::removefcdt(smbmsg_t *)()
203 adjustuserval(&cfg, &user, USER_CDT, -cdt);
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
>>> CID 583999: (UNINIT)
>>> Using uninitialized value "user.level" when calling "adjustuserval".
209 adjustuserval(&cfg, &user, USER_ULB, -f->size);
210 adjustuserval(&cfg, &user, USER_ULS, -1);
211 return true;
212 }
213
214 /****************************************************************************/
/file.cpp: 210 in sbbs_t::removefcdt(smbmsg_t *)()
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
209 adjustuserval(&cfg, &user, USER_ULB, -f->size); >>> CID 583999: (UNINIT)
>>> Using uninitialized value "user.level" when calling "adjustuserval".
210 adjustuserval(&cfg, &user, USER_ULS, -1);
211 return true;
212 }
213
214 /****************************************************************************/
215 /****************************************************************************/

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_6899f6e6bbda6_101b942b538a7b399c1257b--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Mon Aug 18 13:37:12 2025

----==_mimepart_68a32c876d3fd_16fcff2e2b69fdf990236c2
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 584091: (Y2K38_SAFETY)
/logon.cpp: 631 in sbbs_t::logonstats()()
/logon.cpp: 642 in sbbs_t::logonstats()()
/logon.cpp: 638 in sbbs_t::logonstats()()

_____________________________________________________________________________________________
*** CID 584091: (Y2K38_SAFETY)
/logon.cpp: 631 in sbbs_t::logonstats()()
625 errormsg(WHERE, ERR_READ, "system stats");
626 return 0;
627 }
628
629 now = time(NULL);
630 if (stats.date > now + (24L * 60L * 60L)) /* More than a day in the future? */

CID 584091: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".

631 errormsg(WHERE, ERR_CHK, "Daily stats date/time stamp", (int)stats.date);
632
633 if (!dates_are_same(now, stats.date)) {
634
635 struct tm tm{};
636 struct tm update_tm{};
/logon.cpp: 642 in sbbs_t::logonstats()()
636 struct tm update_tm{};
637 if (localtime_r(&stats.date, &update_tm) == NULL) {
638 errormsg(WHERE, ERR_CHK, "Daily stats date/time break down", (int)stats.date);
639 return 0;
640 }
641 if (localtime_r(&now, &tm) == NULL) {

CID 584091: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".

642 errormsg(WHERE, ERR_CHK, "Current date/time break down", (int)stats.date);
643 return 0;
644 }
645
646 sys_status |= SS_NEW_DAY;
647 if (tm.tm_mon != update_tm.tm_mon)
/logon.cpp: 638 in sbbs_t::logonstats()()
632
633 if (!dates_are_same(now, stats.date)) {
634
635 struct tm tm{};
636 struct tm update_tm{};
637 if (localtime_r(&stats.date, &update_tm) == NULL) {

CID 584091: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".

638 errormsg(WHERE, ERR_CHK, "Daily stats date/time break down", (int)stats.date);
639 return 0;
640 }
641 if (localtime_r(&now, &tm) == NULL) {
642 errormsg(WHERE, ERR_CHK, "Current date/time break down", (int)stats.date);
643 return 0;

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68a32c876d3fd_16fcff2e2b69fdf990236c2
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 584091: (Y2K38_SAFETY)
/logon.cpp: 631 in sbbs_t::logonstats()()
/logon.cpp: 642 in sbbs_t::logonstats()()
/logon.cpp: 638 in sbbs_t::logonstats()()

_____________________________________________________________________________________________
*** CID 584091: (Y2K38_SAFETY)
/logon.cpp: 631 in sbbs_t::logonstats()()
625 errormsg(WHERE, ERR_READ, "system stats"); 626 return 0;
627 }
628
629 now = time(NULL);
630 if (stats.date > now + (24L * 60L * 60L)) /* More than a day in the future? */
>>> CID 584091: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".
631 errormsg(WHERE, ERR_CHK, "Daily stats date/time stamp", (int)stats.date);
632
633 if (!dates_are_same(now, stats.date)) {
634
635 struct tm tm{};
636 struct tm update_tm{};
/logon.cpp: 642 in sbbs_t::logonstats()()
636 struct tm update_tm{};
637 if (localtime_r(&stats.date, &update_tm) == NULL) {
638 errormsg(WHERE, ERR_CHK, "Daily stats date/time break down", (int)stats.date);
639 return 0;
640 }
641 if (localtime_r(&now, &tm) == NULL) { >>> CID 584091: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".
642 errormsg(WHERE, ERR_CHK, "Current date/time break down", (int)stats.date);
643 return 0;
644 }
645
646 sys_status |= SS_NEW_DAY;
647 if (tm.tm_mon != update_tm.tm_mon)
/logon.cpp: 638 in sbbs_t::logonstats()()
632
633 if (!dates_are_same(now, stats.date)) {
634
635 struct tm tm{};
636 struct tm update_tm{};
637 if (localtime_r(&stats.date, &update_tm) == NULL) {
>>> CID 584091: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".
638 errormsg(WHERE, ERR_CHK, "Daily stats date/time break down", (int)stats.date);
639 return 0;
640 }
641 if (localtime_r(&now, &tm) == NULL) {
642 errormsg(WHERE, ERR_CHK, "Current date/time break down", (int)stats.date);
643 return 0;

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68a32c876d3fd_16fcff2e2b69fdf990236c2--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Mon Sep 1 03:04:51 2025

----==_mimepart_68b50d534c480_2468dc2e83776d99ac35483
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 584833: Error handling issues (CHECKED_RETURN)

_____________________________________________________________________________________________
*** CID 584833: Error handling issues (CHECKED_RETURN)
/mailsrvr.c: 2877 in archive_mail()
2871 bool archive_mail(const char* fname, int usernumber, const char* subdir, const char* session_id)
2872 {
2873 char tmp[128];
2874 char path[MAX_PATH + 1];
2875
2876 snprintf(path, sizeof path, "%suser/%04u/%s/", scfg.data_dir, usernumber, subdir);

CID 584833: Error handling issues (CHECKED_RETURN)
Calling "mkpath(path)" without checking return value. It wraps a library function that may fail and return an error code.

2877 mkpath(path);
2878 SAFECAT(path, gmtime_to_isoDateTimeStr(time(NULL), tmp, sizeof tmp));
2879 SAFECAT(path, "-");
2880 SAFECAT(path, session_id);
2881 SAFECAT(path, ".eml");
2882 return CopyFile(fname, path, /* fail-if-exists: */true);

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68b50d534c480_2468dc2e83776d99ac35483
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 584833: Error handling issues (CHECKED_RETURN)

_____________________________________________________________________________________________
*** CID 584833: Error handling issues (CHECKED_RETURN)
/mailsrvr.c: 2877 in archive_mail()
2871 bool archive_mail(const char* fname, int usernumber, const char* subdir, const char* session_id)
2872 {
2873 char tmp[128];
2874 char path[MAX_PATH + 1];
2875
2876 snprintf(path, sizeof path, "%suser/%04u/%s/", scfg.data_dir, usernumber, subdir);
>>> CID 584833: Error handling issues (CHECKED_RETURN) >>> Calling "mkpath(path)" without checking return value. It wraps a library function that may fail and return an error code.
2877 mkpath(path);
2878 SAFECAT(path, gmtime_to_isoDateTimeStr(time(NULL), tmp, sizeof tmp));
2879 SAFECAT(path, "-");
2880 SAFECAT(path, session_id);
2881 SAFECAT(path, ".eml");
2882 return CopyFile(fname, path, /* fail-if-exists: */true);

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68b50d534c480_2468dc2e83776d99ac35483--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Wed Sep 24 12:45:25 2025

----==_mimepart_68d3e7e5d7b6_b44382cc43c0b59a0513eb
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 630343: (ATOMICITY) /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1581 in bitmap_setfont()
/tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1577 in bitmap_setfont()

_____________________________________________________________________________________________
*** CID 630343: (ATOMICITY) /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1581 in bitmap_setfont()
1575 new=malloc(ti.screenwidth*ti.screenheight*sizeof(*new));
1576 if(!new) {
1577 free(old);
1578 assert_rwlock_unlock(&vstatlock);
1579 return 0;
1580 }

CID 630343: (ATOMICITY)
Using an unreliable value of "old" inside the second locked section. If the data that "old" depends on was changed by another thread, this use might be incorrect.

1581 pold=old;
1582 pnew=new;
1583 for(row=0; row<ti.screenheight; row++) {
1584 for(col=0; col<ti.screenwidth; col++) { 1585 if(row < oh) {
1586 if(col < ow) { /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1577 in bitmap_setfont()
1571 bitmap_vmem_gettext_locked(1,1,ow,oh,old);
1572 assert_rwlock_unlock(&vstatlock);
1573 textmode(newmode);
1574 assert_rwlock_wrlock(&vstatlock);
1575 new=malloc(ti.screenwidth*ti.screenheight*sizeof(*new));
1576 if(!new) {

CID 630343: (ATOMICITY)
Using an unreliable value of "old" inside the second locked section. If the data that "old" depends on was changed by another thread, this use might be incorrect.

1577 free(old);
1578 assert_rwlock_unlock(&vstatlock);
1579 return 0;
1580 }
1581 pold=old;
1582 pnew=new;

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68d3e7e5d7b6_b44382cc43c0b59a0513eb
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li>
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 630343: (ATOMICITY) /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1581 in bitmap_setfont()
/tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1577 in bitmap_setfont()

_____________________________________________________________________________________________
*** CID 630343: (ATOMICITY) /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1581 in bitmap_setfont()
1575 new=malloc(ti.screenwidth*ti.screenheight*sizeof(*new));
1576 if(!new) {
1577 free(old);
1578 assert_rwlock_unlock(&vstatlock); 1579 return 0;
1580 }
>>> CID 630343: (ATOMICITY)
>>> Using an unreliable value of "old" inside the second locked section. If the data that "old" depends on was changed by another thread, this use might be incorrect.
1581 pold=old;
1582 pnew=new;
1583 for(row=0; row<ti.screenheight; row++) { 1584 for(col=0; col<ti.screenwidth; col++) {
1585 if(row < oh) {
1586 if(col < ow) { /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1577 in bitmap_setfont()
1571 bitmap_vmem_gettext_locked(1,1,ow,oh,old);
1572 assert_rwlock_unlock(&vstatlock);
1573 textmode(newmode);
1574 assert_rwlock_wrlock(&vstatlock);
1575 new=malloc(ti.screenwidth*ti.screenheight*sizeof(*new));
1576 if(!new) {
>>> CID 630343: (ATOMICITY)
>>> Using an unreliable value of "old" inside the second locked section. If the data that "old" depends on was changed by another thread, this use might be incorrect.
1577 free(old);
1578 assert_rwlock_unlock(&vstatlock); 1579 return 0;
1580 }
1581 pold=old;
1582 pnew=new;

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68d3e7e5d7b6_b44382cc43c0b59a0513eb--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Sat Sep 27 12:45:34 2025

----==_mimepart_68d7dc6e205cb_1d74a2b4f2a4a99a449ab
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 630956: Control flow issues (UNREACHABLE)
/sexyz.c: 439 in recv_buffer()

_____________________________________________________________________________________________
*** CID 630956: Control flow issues (UNREACHABLE)
/sexyz.c: 439 in recv_buffer()
433 #else
434 fd_set socket_set;
435 struct timeval tv;
436 #endif
437 int magic_errno;
438

CID 630956: Control flow issues (UNREACHABLE)
Since the loop increment is unreachable, the loop body will never execute more than once.

439 for (;;) {
440 if (inbuf_len > inbuf_pos)
441 return inbuf_len - inbuf_pos;
442 #ifdef __unix__
443 if (stdio) {
444 i = read(STDIN_FILENO, inbuf, sizeof(inbuf));

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68d7dc6e205cb_1d74a2b4f2a4a99a449ab
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 630956: Control flow issues (UNREACHABLE)
/sexyz.c: 439 in recv_buffer()

_____________________________________________________________________________________________
*** CID 630956: Control flow issues (UNREACHABLE)
/sexyz.c: 439 in recv_buffer()
433 #else
434 fd_set socket_set;
435 struct timeval tv;
436 #endif
437 int magic_errno;
438
>>> CID 630956: Control flow issues (UNREACHABLE) >>> Since the loop increment is unreachable, the loop body will never execute more than once.
439 for (;;) {
440 if (inbuf_len > inbuf_pos)
441 return inbuf_len - inbuf_pos;
442 #ifdef __unix__
443 if (stdio) {
444 i = read(STDIN_FILENO, inbuf, sizeof(inbuf));

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68d7dc6e205cb_1d74a2b4f2a4a99a449ab--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Mon Sep 29 14:35:08 2025

----==_mimepart_68da991cc30d_3dac62b4f2a4a99a44987
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON)

_____________________________________________________________________________________________
*** CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON) /tmp/sbbs-Sep-29-2025/src/xpdev/ini_file.c: 1658 in iniParseSections()
1652 break;
1653 }
1654
1655 if (list[i] != NULL) {
1656 // TODO: A comment will create a zero-length root section, which kinda sucks...
1657 if (*p != INI_OPEN_SECTION_CHAR) {

CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON)
Passing "&iniParsedRootValue" to function "addParsedSection" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.

1658 if (!addParsedSection(&lp, &sections, &iniParsedRootValue))
1659 goto error_return;
1660 keys = 0;
1661 for (; list[i] != NULL; ++i) {
1662 p = list[i];
1663 SKIP_WHITESPACE(p);

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68da991cc30d_3dac62b4f2a4a99a44987
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON)

_____________________________________________________________________________________________
*** CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON) /tmp/sbbs-Sep-29-2025/src/xpdev/ini_file.c: 1658 in iniParseSections()
1652 break;
1653 }
1654
1655 if (list[i] != NULL) {
1656 // TODO: A comment will create a zero-length root section, which kinda sucks...
1657 if (*p != INI_OPEN_SECTION_CHAR) {
>>> CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Passing "&iniParsedRootValue" to function "addParsedSection" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
1658 if (!addParsedSection(&lp, &sections, &iniParsedRootValue))
1659 goto error_return;
1660 keys = 0;
1661 for (; list[i] != NULL; ++i) {
1662 p = list[i];
1663 SKIP_WHITESPACE(p);

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68da991cc30d_3dac62b4f2a4a99a44987--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Tue Sep 30 14:17:12 2025

----==_mimepart_68dbe667f0fba_4d6e62b4f2a4a99a44915
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

3 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)

** CID 631052: Null pointer dereferences (FORWARD_NULL) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3367 in iniGetFastParsedSectionCmp()

_____________________________________________________________________________________________
*** CID 631052: Null pointer dereferences (FORWARD_NULL) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3367 in iniGetFastParsedSectionCmp()
3361 return 0;
3362 }
3363 if (name == NULL || name->str == NULL)
3364 return -1;
3365 entShorter = fp->name.len < name->len;
3366 cmplen = entShorter ? fp->name.len : name->len;

CID 631052: Null pointer dereferences (FORWARD_NULL)
Passing null pointer "fp->name.str" to "strncasecmp", which dereferences it.

3367 cmp = strnicmp(name->str, fp->name.str, cmplen);
3368 if (cmp == 0) {
3369 if (fp->name.len == name->len)
3370 return 0;
3371 if (entShorter)
3372 return 1;

** CID 631051: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3159 in iniFastParseSections()

_____________________________________________________________________________________________
*** CID 631051: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3159 in iniFastParseSections()
3153 struct fp_section *sect;
3154 size_t slen;
3155 str++;
3156 slen = strlen(str);
3157 while (slen && (IS_WHITESPACE(str[slen - 1]))) 3158 slen--;

CID 631051: Integer handling issues (INTEGER_OVERFLOW)
Expression "slen - 1UL", where "slen" is known to be equal to 0, underflows the type of "slen - 1UL", which is type "unsigned long".

3159 if (str[slen - 1] == INI_CLOSE_SECTION_CHAR) 3160 slen--;
3161 else // Discard line
3162 continue;
3163 ret->totalSections++;
3164 if ((ret->totalSections) >= arraySz) {

** CID 631050: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3331 in iniGetFastParsedSectionList()

_____________________________________________________________________________________________
*** CID 631050: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3331 in iniGetFastParsedSectionList()
3325 if (sz)
3326 *sz = 0;
3327 return ret;
3328 }
3329 if (prefix)
3330 prefixLen = strlen(prefix);

CID 631050: Integer handling issues (INTEGER_OVERFLOW)
Expression "i++", where "i" is known to be equal to 18446744073709551615, overflows the type of "i++", which is type "size_t".

3331 for (i = iniGetFastPrefixStart(fp, prefix); i <= fp->lastUncut; i++) {
3332 if (fp->sections[i].name.str == NULL)
3333 continue;
3334 if (fp->sections[i].cut)
3335 continue;
3336 if (fp->sections[i].name.len < prefixLen)

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68dbe667f0fba_4d6e62b4f2a4a99a44915
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 3</li>
<li><strong>Defects Shown:</strong> Showing 3 of 3 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631052: Null pointer dereferences (FORWARD_NULL) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3367 in iniGetFastParsedSectionCmp()

_____________________________________________________________________________________________
*** CID 631052: Null pointer dereferences (FORWARD_NULL) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3367 in iniGetFastParsedSectionCmp()
3361 return 0;
3362 }
3363 if (name == NULL || name->str == NULL)
3364 return -1;
3365 entShorter = fp->name.len < name->len;
3366 cmplen = entShorter ? fp->name.len : name->len; >>> CID 631052: Null pointer dereferences (FORWARD_NULL) >>> Passing null pointer "fp->name.str" to "strncasecmp", which dereferences it.
3367 cmp = strnicmp(name->str, fp->name.str, cmplen);
3368 if (cmp == 0) {
3369 if (fp->name.len == name->len)
3370 return 0;
3371 if (entShorter)
3372 return 1;

** CID 631051: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3159 in iniFastParseSections()

_____________________________________________________________________________________________
*** CID 631051: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3159 in iniFastParseSections()
3153 struct fp_section *sect;
3154 size_t slen;
3155 str++;
3156 slen = strlen(str);
3157 while (slen && (IS_WHITESPACE(str[slen - 1])))
3158 slen--;
>>> CID 631051: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "slen - 1UL", where "slen" is known to be equal to 0, underflows the type of "slen - 1UL", which is type "unsigned long".
3159 if (str[slen - 1] == INI_CLOSE_SECTION_CHAR) 3160 slen--;
3161 else // Discard line
3162 continue;
3163 ret->totalSections++;
3164 if ((ret->totalSections) >= arraySz) {

** CID 631050: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3331 in iniGetFastParsedSectionList()

_____________________________________________________________________________________________
*** CID 631050: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3331 in iniGetFastParsedSectionList()
3325 if (sz)
3326 *sz = 0;
3327 return ret;
3328 }
3329 if (prefix)
3330 prefixLen = strlen(prefix);
>>> CID 631050: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "i++", where "i" is known to be equal to 18446744073709551615, overflows the type of "i++", which is type "size_t".
3331 for (i = iniGetFastPrefixStart(fp, prefix); i <= fp->lastUncut; i++) {
3332 if (fp->sections[i].name.str == NULL)
3333 continue;
3334 if (fp->sections[i].cut)
3335 continue;
3336 if (fp->sections[i].name.len < prefixLen)

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68dbe667f0fba_4d6e62b4f2a4a99a44915--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Wed Oct 1 16:08:39 2025

----==_mimepart_68dd52075cd65_5ee032b4f2a4a99a44999
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

9 new defect(s) introduced to Synchronet found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)

** CID 631076: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631076: Memory - corruptions (OVERRUN)
/sbbsecho.c: 314 in parse_echostat_msg()
308 {
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);

CID 631076: Memory - corruptions (OVERRUN)
Overrunning array "msg.from" of 36 bytes by passing it to a function which accesses it at byte offset 1023.

314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);

** CID 631075: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631075: Memory - corruptions (OVERRUN)
/sbbsecho.c: 319 in parse_echostat_msg()
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);

CID 631075: Memory - corruptions (OVERRUN)
Overrunning array "msg.tid" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);

** CID 631074: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631074: Memory - corruptions (OVERRUN)
/sbbsecho.c: 317 in parse_echostat_msg()
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);

CID 631074: Memory - corruptions (OVERRUN)
Overrunning array "msg.reply_id" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);

** CID 631073: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631073: Memory - corruptions (OVERRUN)
/sbbsecho.c: 316 in parse_echostat_msg()
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);

CID 631073: Memory - corruptions (OVERRUN)
Overrunning array "msg.msg_id" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);

** CID 631072: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631072: Memory - corruptions (OVERRUN)
/sbbsecho.c: 313 in parse_echostat_msg()
307 echostat_msg_t parse_echostat_msg(str_list_t ini, const char* section, const char* prefix)
308 {
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312

CID 631072: Memory - corruptions (OVERRUN)
Overrunning array "msg.to" of 36 bytes by passing it to a function which accesses it at byte offset 1023.

313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);

** CID 631071: (OVERRUN)

_____________________________________________________________________________________________
*** CID 631071: (OVERRUN)
/sbbsecho.c: 327 in parse_echostat_msg()
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])
326 msg.origaddr = atofaddr(str);

CID 631071: (OVERRUN)
Overrunning array "str" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

327 snprintf(key, sizeof key, "%s.pkt_orig", prefix), iniGetString(ini, section, key, NULL, str);
328 if (str[0])
329 msg.pkt_orig = atofaddr(str);
330
331 return msg;
332 }
/sbbsecho.c: 324 in parse_echostat_msg()
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);

CID 631071: (OVERRUN)
Overrunning array "str" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])
326 msg.origaddr = atofaddr(str);
327 snprintf(key, sizeof key, "%s.pkt_orig", prefix), iniGetString(ini, section, key, NULL, str);
328 if (str[0])
329 msg.pkt_orig = atofaddr(str);

** CID 631070: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631070: Memory - corruptions (OVERRUN)
/sbbsecho.c: 315 in parse_echostat_msg()
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);

CID 631070: Memory - corruptions (OVERRUN)
Overrunning array "msg.subj" of 72 bytes by passing it to a function which accesses it at byte offset 1023.

315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);

** CID 631069: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631069: Memory - corruptions (OVERRUN)
/sbbsecho.c: 318 in parse_echostat_msg()
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);

CID 631069: Memory - corruptions (OVERRUN)
Overrunning array "msg.pid" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);

** CID 631068: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631068: Memory - corruptions (OVERRUN)
/sbbsecho.c: 320 in parse_echostat_msg()
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);

CID 631068: Memory - corruptions (OVERRUN)
Overrunning array "msg.msg_tz" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68dd52075cd65_5ee032b4f2a4a99a44999
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 9</li>
<li>
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 9 of 9 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631076: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631076: Memory - corruptions (OVERRUN)
/sbbsecho.c: 314 in parse_echostat_msg()
308 {
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
>>> CID 631076: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.from" of 36 bytes by passing it to a function which accesses it at byte offset 1023.
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);

** CID 631075: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631075: Memory - corruptions (OVERRUN)
/sbbsecho.c: 319 in parse_echostat_msg()
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
>>> CID 631075: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.tid" of 128 bytes by passing it to a function which accesses it at byte offset 1023.
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);

** CID 631074: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631074: Memory - corruptions (OVERRUN)
/sbbsecho.c: 317 in parse_echostat_msg()
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
>>> CID 631074: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.reply_id" of 128 bytes by passing it to a function which accesses it at byte offset 1023.
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);

** CID 631073: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631073: Memory - corruptions (OVERRUN)
/sbbsecho.c: 316 in parse_echostat_msg()
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
>>> CID 631073: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.msg_id" of 128 bytes by passing it to a function which accesses it at byte offset 1023.
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);

** CID 631072: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631072: Memory - corruptions (OVERRUN)
/sbbsecho.c: 313 in parse_echostat_msg()
307 echostat_msg_t parse_echostat_msg(str_list_t ini, const char* section, const char* prefix)
308 {
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
>>> CID 631072: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.to" of 36 bytes by passing it to a function which accesses it at byte offset 1023.
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);

** CID 631071: (OVERRUN)

_____________________________________________________________________________________________
*** CID 631071: (OVERRUN)
/sbbsecho.c: 327 in parse_echostat_msg()
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])
326 msg.origaddr = atofaddr(str);
>>> CID 631071: (OVERRUN)
>>> Overrunning array "str" of 128 bytes by passing it to a function which accesses it at byte offset 1023.
327 snprintf(key, sizeof key, "%s.pkt_orig", prefix), iniGetString(ini, section, key, NULL, str);
328 if (str[0])
329 msg.pkt_orig = atofaddr(str);
330
331 return msg;
332 }
/sbbsecho.c: 324 in parse_echostat_msg()
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
>>> CID 631071: (OVERRUN)
>>> Overrunning array "str" of 128 bytes by passing it to a function which accesses it at byte offset 1023.
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])
326 msg.origaddr = atofaddr(str);
327 snprintf(key, sizeof key, "%s.pkt_orig", prefix), iniGetString(ini, section, key, NULL, str);
328 if (str[0])
329 msg.pkt_orig = atofaddr(str);

** CID 631070: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631070: Memory - corruptions (OVERRUN)
/sbbsecho.c: 315 in parse_echostat_msg()
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
>>> CID 631070: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.subj" of 72 bytes by passing it to a function which accesses it at byte offset 1023.
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);

** CID 631069: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631069: Memory - corruptions (OVERRUN)
/sbbsecho.c: 318 in parse_echostat_msg()
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
>>> CID 631069: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.pid" of 128 bytes by passing it to a function which accesses it at byte offset 1023.
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);

** CID 631068: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631068: Memory - corruptions (OVERRUN)
/sbbsecho.c: 320 in parse_echostat_msg()
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
>>> CID 631068: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.msg_tz" of 128 bytes by passing it to a function which accesses it at byte offset 1023.
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68dd52075cd65_5ee032b4f2a4a99a44999--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Sun Oct 5 16:13:51 2025

----==_mimepart_68e2993ee711b_9d27f2d5dd76db9a859454
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

18 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 18 of 18 defect(s)

** CID 631146: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631146: Program hangs (LOCK)
/userdat.c: 4189 in loginAttemptListCount()
4183 long loginAttemptListCount(link_list_t* list)
4184 {
4185 long count;
4186
4187 if (!listLock(list))
4188 return -1;

CID 631146: Program hangs (LOCK)
"listCountNodes" locks "list->mutex" while it is locked.

4189 count = listCountNodes(list);
4190 listUnlock(list);
4191 return count;
4192 }
4193
4194 /****************************************************************************/

** CID 631145: Program hangs (SLEEP)

_____________________________________________________________________________________________
*** CID 631145: Program hangs (SLEEP)
/userdat.c: 4358 in loginBanned()
4352 listUnlock(list);
4353 if (node == NULL)
4354 return 0;
4355 attempt = node->data;
4356 SAFECOPY(name, attempt->user);
4357 truncstr(name, "@");

CID 631145: Program hangs (SLEEP)
Call to "trashcan" might sleep while holding lock "list->mutex".

4358 if (((settings.tempban_threshold && (attempt->count - attempt->dupes) >= settings.tempban_threshold)
4359 || trashcan(cfg, name, "name")) && now < (time32_t)(attempt->time + settings.tempban_duration)) {
4360 if (details != NULL)
4361 *details = *attempt;
4362 return settings.tempban_duration - (now - attempt->time);
4363 }

** CID 631144: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631144: Program hangs (LOCK)
/sbbscon.c: 654 in client_on()
648 {
649 if (on) {
650 if (update) {
651 list_node_t* node;
652
653 listLock(&client_list);

CID 631144: Program hangs (LOCK)
"listFindNode" locks "client_list.mutex" while it is locked.

654 if ((node = listFindTaggedNode(&client_list, sock)) != NULL)
655 memcpy(node->data, client, sizeof(client_t));
656 listUnlock(&client_list);
657 } else {
658 served++;
659 listAddNodeData(&client_list, client, sizeof(client_t), sock, LAST_NODE);

** CID 631143: (SLEEP)
/mailsrvr.c: 1225 in pop3_client_thread()

_____________________________________________________________________________________________
*** CID 631143: (SLEEP)
/mailsrvr.c: 1241 in pop3_client_thread()
1235
1236 srand((unsigned int)(time(NULL) ^ (time_t)GetCurrentThreadId())); /* seed random number generator */
1237 (void)rand(); /* throw-away first result */
1238 safe_snprintf(challenge, sizeof(challenge), "<%x%x%lx%lx@%.128s>"
1239 , rand(), socket, (ulong)time(NULL), (ulong)clock(), server_host_name());
1240

CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".

1241 sockprintf(socket, client.protocol, session, "+OK Synchronet %s Server %s%c-%s Ready %s"
1242 , client.protocol, VERSION, REVISION, PLATFORM_DESC, challenge);
1243
1244 /* Requires USER or APOP command first */
1245 for (i = 5; i; i--) {
1246 if (!sockgetrsp(socket, client.protocol, session, NULL, buf, sizeof(buf)))
/mailsrvr.c: 1225 in pop3_client_thread()
1219 client_on(socket, &client, FALSE /* update */);
1220
1221 if (startup->login_attempt.throttle
1222 && (login_attempts = loginAttempts(startup->login_attempt_list, &pop3->client_addr)) > 1) {
1223 lprintf(LOG_DEBUG, "%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)"
1224 , socket, client.protocol, host_ip, login_attempts);

CID 631143: (SLEEP)
Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".

1225 mswait(login_attempts * startup->login_attempt.throttle);
1226 }
1227
1228 mail = NULL;
1229
1230 do {
/mailsrvr.c: 1189 in pop3_client_thread()
1183 ulong banned = loginBanned(&scfg, startup->login_attempt_list, socket, host_name, startup->login_attempt, &attempted);
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));

CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".

1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
/mailsrvr.c: 1323 in pop3_client_thread()
1317 if ((p = strstr(username, NO_SPAM)) != NULL) {
1318 *p = 0;
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {

CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".

1323 sockprintf(socket, client.protocol, session, "+OK");
1324 if (!sockgetrsp(socket, client.protocol, session, "PASS ", buf, sizeof(buf))) {
1325 sockprintf(socket, client.protocol, session, "-ERR PASS command expected");
1326 break;
1327 }
1328 p = buf + 5;
/mailsrvr.c: 1325 in pop3_client_thread()
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {
1323 sockprintf(socket, client.protocol, session, "+OK");
1324 if (!sockgetrsp(socket, client.protocol, session, "PASS ", buf, sizeof(buf))) {

CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".

1325 sockprintf(socket, client.protocol, session, "-ERR PASS command expected");
1326 break;
1327 }
1328 p = buf + 5;
1329 SKIP_WHITESPACE(p);
1330 SAFECOPY(password, p);
/mailsrvr.c: 1193 in pop3_client_thread()
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1190 return false;
1191 }
1192 struct trash trash;

CID 631143: (SLEEP)
Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".

1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
1195 char details[128];
1196 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s", socket, client.protocol, host_ip, trash_details(&trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
/mailsrvr.c: 1201 in pop3_client_thread()
1195 char details[128];
1196 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s", socket, client.protocol, host_ip, trash_details(&trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1199 return false;
1200 }

CID 631143: (SLEEP)
Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".

1201 if (trashcan2(&scfg, host_name, NULL, "host", &trash)) {
1202 if (!trash.quiet) {
1203 char details[128];
1204 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in host.can: %s %s"
1205 , socket, client.protocol, host_ip, host_name, trash_details(&trash, details, sizeof details));
1206 }

** CID 631142: Null pointer dereferences (FORWARD_NULL)

_____________________________________________________________________________________________
*** CID 631142: Null pointer dereferences (FORWARD_NULL)
/un_qwk.cpp: 380 in sbbs_t::unpack_qwk(char *, unsigned int)()
374 iniFreeStringList(voting);
375
376 strListFree(&msg_filters.ip_can);
377 strListFree(&msg_filters.host_can);
378 strListFree(&msg_filters.subject_can);
379 strListFree(&msg_filters.twit_list);

CID 631142: Null pointer dereferences (FORWARD_NULL)
Passing "&user_list" to "listFree", which dereferences null "user_list.sem".

380 listFree(&user_list);
381
382 delfiles(cfg.temp_dir, "*.NDX");
383 SAFEPRINTF(str, "%sMESSAGES.DAT", cfg.temp_dir);
384 removecase(str);
385 SAFEPRINTF(str, "%sDOOR.ID", cfg.temp_dir);

** CID 631141: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631141: Program hangs (LOCK)
/userdat.c: 4264 in loginSuccess()
4258 list_node_t* node;
4259
4260 if (addr->addr.sa_family != AF_INET && addr->addr.sa_family != AF_INET6)
4261 return;
4262 listLock(list);
4263 if ((node = login_attempted(list, addr)) != NULL)

CID 631141: Program hangs (LOCK)
"listRemoveNode" locks "list->mutex" while it is locked.

4264 listRemoveNode(list, node, /* freeData: */ true);
4265 listUnlock(list);
4266 }
4267
4268 /****************************************************************************/
4269 /* Returns number of *unique* login attempts (excludes consecutive dupes) */

** CID 631140: (LOCK)
/userdat.c: 4206 in loginAttemptListClear()

_____________________________________________________________________________________________
*** CID 631140: (LOCK)
/userdat.c: 4204 in loginAttemptListClear()
4198 long loginAttemptListClear(link_list_t* list)
4199 {
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;

CID 631140: (LOCK)
"listCountNodes" locks "list->mutex" while it is locked.

4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);
4206 listUnlock(list);
4207 return count;
4208 }
4209
/userdat.c: 4206 in loginAttemptListClear()
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;
4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);

CID 631140: (LOCK)
"listUnlock" unlocks "list->mutex" while it is unlocked.

4206 listUnlock(list);
4207 return count;
4208 }
4209
4210 /****************************************************************************/
4211 static list_node_t* login_attempted(link_list_t* list, const union xp_sockaddr* addr)

** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()

_____________________________________________________________________________________________
*** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()
1613 client_on(socket, &client, false /* update */);
1614
1615 if (startup->login_attempt.throttle
1616 && (login_attempts = loginAttempts(startup->login_attempt_list, &service_client.addr)) > 1) {
1617 lprintf(LOG_DEBUG, "%04d %s Throttling suspicious connection from: %s (%lu login attempts)"
1618 , socket, service->protocol, client.addr, login_attempts);

CID 631139: Program hangs (SLEEP)
Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".

1619 mswait(login_attempts * startup->login_attempt.throttle);
1620 }
1621
1622 /* RUN SCRIPT */
1623 if (strpbrk(service->cmd, "/\\") == NULL)
1624 SAFEPRINTF2(cmd, "%s%s", scfg.exec_dir, service->cmd);

** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()

_____________________________________________________________________________________________
*** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()
1645 lprintf(LOG_INFO, "%04d %s service thread terminated (%lu clients remain, %lu total, %lu served)"
1646 , socket, service->protocol, remain, active_clients(), service->served);
1647
1648 client_off(socket);
1649 close_socket(socket);
1650 closesocket(socket_dup); /* close duplicate handle */

CID 631138: Program hangs (LOCK)
Returning without unlocking "startup->login_attempt_list->mutex".

1651 }
1652
1653
1654 void services_terminate(void)
1655 {
1656 uint32_t i;

** CID 631137: Program hangs (ORDER_REVERSAL)

_____________________________________________________________________________________________
*** CID 631137: Program hangs (ORDER_REVERSAL)
/websrvr.c: 6965 in http_session_thread()
6959 */
6960 session.req.method = HTTP_GET;
6961 session.http_ver = HTTP_1_0;
6962 if (startup->max_clients && client_count > startup->max_clients) {
6963 lprintf(LOG_WARNING, "%04d %-5s [%s] !MAXIMUM CLIENTS (%u) exceeded by %u, access denied"
6964 , socket, session.client.protocol, session.host_ip, startup->max_clients, client_count - startup->max_clients);

CID 631137: Program hangs (ORDER_REVERSAL)
Calling "send_error" acquires lock "jsrt_mutex" while holding lock "link_list.mutex" (count: 1 / 5).

6965 send_error(&session, __LINE__, error_503);
6966 session.finished = true;
6967 } else {
6968 uint connections = listCountMatches(&current_connections, session.host_ip, strlen(session.host_ip) + 1);
6969 if (startup->max_concurrent_connections > 0 && connections > startup->max_concurrent_connections
6970 && !is_host_exempt(&scfg, session.host_ip, /* host_name */ NULL)) {

** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()

_____________________________________________________________________________________________
*** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()
836 for (list_node_t* node = mqtt->client_list.first; node != NULL; node = node->next) {
837 client_t* client = node->data;
838 format_client_info(str, sizeof(str), node->tag, client, client->time);
839 strListPush(&list, str);
840 client_count++;
841 }

CID 631136: (LOCK)
"listUnlock" unlocks "mqtt->client_list.mutex" while it is unlocked. 842 listUnlock(&mqtt->client_list);

843 char* buf = NULL;
844 if (client_count > 0) {
845 size_t buflen = client_count * MAX_CLIENT_STRLEN * 2; 846 buf = malloc(buflen);
847 strListJoin(list, buf, buflen, "\n");
/mqtt.c: 814 in mqtt_client_on()
808
809 listLock(&mqtt->client_list);
810 if (on) {
811 if (update) {
812 list_node_t* node;
813

CID 631136: (LOCK)
"listFindNode" locks "mqtt->client_list.mutex" while it is locked.

814 if ((node = listFindTaggedNode(&mqtt->client_list, sock)) != NULL) {
815 memcpy(node->data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/update", str);
818 }
819 } else {
/mqtt.c: 825 in mqtt_client_on()
819 } else {
820 listAddNodeData(&mqtt->client_list, client, sizeof(client_t), sock, LAST_NODE);
821 format_client_info(str, sizeof(str), sock, client, client->time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/connect", str);
823 }
824 } else {

CID 631136: (LOCK)
"listRemoveTaggedNode" locks "mqtt->client_list.mutex" while it is locked.

825 client = listRemoveTaggedNode(&mqtt->client_list, sock, /* free_data: */ false);
826 if (client != NULL) {
827 format_client_info(str, sizeof(str), sock, client, time(NULL));
828 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/disconnect", str);
829 FREE_AND_NULL(client);
830 }
/mqtt.c: 820 in mqtt_client_on()
814 if ((node = listFindTaggedNode(&mqtt->client_list, sock)) != NULL) {
815 memcpy(node->data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/update", str);
818 }
819 } else {

CID 631136: (LOCK)
"listAddNodeData" locks "mqtt->client_list.mutex" while it is locked. 820 listAddNodeData(&mqtt->client_list, client, sizeof(client_t), sock, LAST_NODE);

821 format_client_info(str, sizeof(str), sock, client, client->time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/connect", str);
823 }
824 } else {
825 client = listRemoveTaggedNode(&mqtt->client_list, sock, /* free_data: */ false);

** CID 631135: Uninitialized variables (UNINIT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()

_____________________________________________________________________________________________
*** CID 631135: Uninitialized variables (UNINIT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf && saltsz && *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp < saltLength)
3693 cp = saltLength;
3694 if (cp)

CID 631135: Uninitialized variables (UNINIT)
Using uninitialized value "*salt" when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]

3695 memcpy(saltBuf, salt, cp);
3696 if (cp < *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;

** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()

_____________________________________________________________________________________________
*** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");

CID 631134: Program hangs (LOCK)
Returning without unlocking "startup->login_attempt_list->mutex".

1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
1195 char details[128];

** CID 631133: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631133: Program hangs (LOCK)
/userdat.c: 4303 in loginFailure()
4297 if (pass != NULL)
4298 SAFECOPY(attempt->pass, pass);
4299 attempt->count++;
4300 count = attempt->count - attempt->dupes;
4301 if (node == NULL) {
4302 attempt->first = attempt->time;

CID 631133: Program hangs (LOCK)
"listAddNodeData" locks "list->mutex" while it is locked.

4303 listPushNodeData(list, attempt, sizeof(login_attempt_t));
4304 }
4305 listUnlock(list);
4306
4307 if (details != NULL)
4308 *details = *attempt;

** CID 631132: Control flow issues (NO_EFFECT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()

_____________________________________________________________________________________________
*** CID 631132: Control flow issues (NO_EFFECT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()
3624 buffer = malloc(bufferSize);
3625 if (buffer == NULL)
3626 goto done;
3627 size_t lines = 0;
3628 while(!feof(fp)) {
3629 size_t rret = fread(buffer, 1, bufferSize, fp);

CID 631132: Control flow issues (NO_EFFECT)
This less-than-zero comparison of an unsigned value is never true. "rret < 0UL".

3630 if (rret < 0 || rret > INT_MAX)
3631 goto done;
3632 if ((streamCipher && rret > 0) || rret == bufferSize) { 3633 size_t bufpos = 0;
3634 status = cryptDecrypt(ctx, buffer, rret);
3635 if (cryptStatusError(status))

** CID 631131: (SLEEP)
/websrvr.c: 6948 in http_session_thread()

_____________________________________________________________________________________________
*** CID 631131: (SLEEP)
/websrvr.c: 6911 in http_session_thread()
6905 }
6906
6907 login_attempt_t attempted;
6908 ulong banned = loginBanned(&scfg, startup->login_attempt_list, session.socket, host_name, startup->login_attempt, &attempted);
6909
6910 /* host_ip wasn't defined in http_session_thread */

CID 631131: (SLEEP)
Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".

6911 if (banned || trashcan2(&scfg, session.host_ip, NULL, "ip", &trash)) {
6912 if (banned) {
6913 char ban_duration[128];
6914 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
6915 , session.socket, session.client.protocol
6916 , session.host_ip, attempted.count - attempted.dupes, attempted.user
/websrvr.c: 7055 in http_session_thread()
7049 }
7050 /* At this point, if redirp is non-NULL then the headers have already been parsed */
7051 if ((session.http_ver < HTTP_1_0) || redirp != NULL || parse_headers(&session)) {
7052 if (check_request(&session)) { 7053 if (session.req.send_location < MOVED_TEMP || session.req.virtual_path[0] != '/' || loop_count++ >= MAX_REDIR_LOOPS) {
7054 if (read_post_data(&session))

CID 631131: (SLEEP)
Call to "respond" might sleep while holding lock "startup->login_attempt_list->mutex".

7055 respond(&session);
7056 }
7057 else {
7058 if (!session.redir_req[0]) {
7059 safe_snprintf(session.redir_req, sizeof(session.redir_req), "%s %s%s%s", methods[session.req.method]
7060 , session.req.virtual_path, session.http_ver < HTTP_1_0?"":" ", http_vers[session.http_ver]);
/websrvr.c: 6948 in http_session_thread()
6942 client_on(session.socket, &session.client, /* update existing client record? */ false);
6943
6944 if (startup->login_attempt.throttle
6945 && (login_attempts = loginAttempts(startup->login_attempt_list, &session.addr)) > 1) {
6946 lprintf(LOG_DEBUG, "%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)"
6947 , socket, session.client.protocol, session.host_ip, login_attempts);

CID 631131: (SLEEP)
Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".

6948 mswait(login_attempts * startup->login_attempt.throttle);
6949 }
6950
6951 session.last_user_num = -1;
6952 session.last_js_user_num = -1;
6953 session.logon_time = 0;

** CID 631130: Null pointer dereferences (FORWARD_NULL)

_____________________________________________________________________________________________
*** CID 631130: Null pointer dereferences (FORWARD_NULL)
/un_rep.cpp: 538 in sbbs_t::unpack_rep(char *)()
532 iniFreeStringList(voting);
533
534 strListFree(&msg_filters.ip_can);
535 strListFree(&msg_filters.host_can);
536 strListFree(&msg_filters.subject_can);
537 strListFree(&msg_filters.twit_list);

CID 631130: Null pointer dereferences (FORWARD_NULL)
Passing "&user_list" to "listFree", which dereferences null "user_list.sem".

538 listFree(&user_list);
539
540 if (lastsub != INVALID_SUB)
541 smb_close(&smb);
542 fclose(rep);
543

** CID 631129: Memory - corruptions (OVERRUN) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()

_____________________________________________________________________________________________
*** CID 631129: Memory - corruptions (OVERRUN) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf && saltsz && *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp < saltLength)
3693 cp = saltLength;
3694 if (cp)

CID 631129: Memory - corruptions (OVERRUN)
Overrunning array "salt" of 64 bytes by passing it to a function which accesses it at byte offset 64 using argument "cp" (which evaluates to 65). [Note: The source code implementation of the function has been overridden by a builtin model.]

3695 memcpy(saltBuf, salt, cp);
3696 if (cp < *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68e2993ee711b_9d27f2d5dd76db9a859454
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 18</li>
<li><strong>Defects Shown:</strong> Showing 18 of 18 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631146: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631146: Program hangs (LOCK)
/userdat.c: 4189 in loginAttemptListCount()
4183 long loginAttemptListCount(link_list_t* list)
4184 {
4185 long count;
4186
4187 if (!listLock(list))
4188 return -1;
>>> CID 631146: Program hangs (LOCK)
>>> "listCountNodes" locks "list->mutex" while it is locked.
4189 count = listCountNodes(list);
4190 listUnlock(list);
4191 return count;
4192 }
4193
4194 /****************************************************************************/

** CID 631145: Program hangs (SLEEP)

_____________________________________________________________________________________________
*** CID 631145: Program hangs (SLEEP)
/userdat.c: 4358 in loginBanned()
4352 listUnlock(list);
4353 if (node == NULL)
4354 return 0;
4355 attempt = node->data;
4356 SAFECOPY(name, attempt->user);
4357 truncstr(name, "@");
>>> CID 631145: Program hangs (SLEEP)
>>> Call to "trashcan" might sleep while holding lock "list->mutex".
4358 if (((settings.tempban_threshold && (attempt->count - attempt->dupes) >= settings.tempban_threshold)
4359 || trashcan(cfg, name, "name")) && now < (time32_t)(attempt->time + settings.tempban_duration)) {
4360 if (details != NULL)
4361 *details = *attempt;
4362 return settings.tempban_duration - (now - attempt->time);
4363 }

** CID 631144: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631144: Program hangs (LOCK)
/sbbscon.c: 654 in client_on()
648 {
649 if (on) {
650 if (update) {
651 list_node_t* node;
652
653 listLock(&client_list);
>>> CID 631144: Program hangs (LOCK)
>>> "listFindNode" locks "client_list.mutex" while it is locked.
654 if ((node = listFindTaggedNode(&client_list, sock)) != NULL)
655 memcpy(node->data, client, sizeof(client_t));
656 listUnlock(&client_list);
657 } else {
658 served++;
659 listAddNodeData(&client_list, client, sizeof(client_t), sock, LAST_NODE);

** CID 631143: (SLEEP)
/mailsrvr.c: 1225 in pop3_client_thread()

_____________________________________________________________________________________________
*** CID 631143: (SLEEP)
/mailsrvr.c: 1241 in pop3_client_thread()
1235
1236 srand((unsigned int)(time(NULL) ^ (time_t)GetCurrentThreadId())); /* seed random number generator */
1237 (void)rand(); /* throw-away first result */
1238 safe_snprintf(challenge, sizeof(challenge), "<%x%x%lx%lx@%.128s>"
1239 , rand(), socket, (ulong)time(NULL), (ulong)clock(), server_host_name());
1240
>>> CID 631143: (SLEEP)
>>> Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1241 sockprintf(socket, client.protocol, session, "+OK Synchronet %s Server %s%c-%s Ready %s"
1242 , client.protocol, VERSION, REVISION, PLATFORM_DESC, challenge);
1243
1244 /* Requires USER or APOP command first */
1245 for (i = 5; i; i--) {
1246 if (!sockgetrsp(socket, client.protocol, session, NULL, buf, sizeof(buf)))
/mailsrvr.c: 1225 in pop3_client_thread()
1219 client_on(socket, &client, FALSE /* update */);
1220
1221 if (startup->login_attempt.throttle
1222 && (login_attempts = loginAttempts(startup->login_attempt_list, &pop3->client_addr)) > 1) {
1223 lprintf(LOG_DEBUG, "%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)"
1224 , socket, client.protocol, host_ip, login_attempts);
>>> CID 631143: (SLEEP)
>>> Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
1225 mswait(login_attempts * startup->login_attempt.throttle);
1226 }
1227
1228 mail = NULL;
1229
1230 do {
/mailsrvr.c: 1189 in pop3_client_thread()
1183 ulong banned = loginBanned(&scfg, startup->login_attempt_list, socket, host_name, startup->login_attempt, &attempted);
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
>>> CID 631143: (SLEEP)
>>> Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
/mailsrvr.c: 1323 in pop3_client_thread()
1317 if ((p = strstr(username, NO_SPAM)) != NULL) {
1318 *p = 0;
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {
>>> CID 631143: (SLEEP)
>>> Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1323 sockprintf(socket, client.protocol, session, "+OK");
1324 if (!sockgetrsp(socket, client.protocol, session, "PASS ", buf, sizeof(buf))) {
1325 sockprintf(socket, client.protocol, session, "-ERR PASS command expected");
1326 break;
1327 }
1328 p = buf + 5;
/mailsrvr.c: 1325 in pop3_client_thread()
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {
1323 sockprintf(socket, client.protocol, session, "+OK");
1324 if (!sockgetrsp(socket, client.protocol, session, "PASS ", buf, sizeof(buf))) {
>>> CID 631143: (SLEEP)
>>> Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1325 sockprintf(socket, client.protocol, session, "-ERR PASS command expected");
1326 break;
1327 }
1328 p = buf + 5;
1329 SKIP_WHITESPACE(p);
1330 SAFECOPY(password, p);
/mailsrvr.c: 1193 in pop3_client_thread()
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1190 return false;
1191 }
1192 struct trash trash;
>>> CID 631143: (SLEEP)
>>> Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
1195 char details[128];
1196 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s", socket, client.protocol, host_ip, trash_details(&trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
/mailsrvr.c: 1201 in pop3_client_thread()
1195 char details[128];
1196 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s", socket, client.protocol, host_ip, trash_details(&trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1199 return false;
1200 }
>>> CID 631143: (SLEEP)
>>> Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".
1201 if (trashcan2(&scfg, host_name, NULL, "host", &trash)) {
1202 if (!trash.quiet) {
1203 char details[128];
1204 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in host.can: %s %s"
1205 , socket, client.protocol, host_ip, host_name, trash_details(&trash, details, sizeof details));
1206 }

** CID 631142: Null pointer dereferences (FORWARD_NULL)

_____________________________________________________________________________________________
*** CID 631142: Null pointer dereferences (FORWARD_NULL)
/un_qwk.cpp: 380 in sbbs_t::unpack_qwk(char *, unsigned int)()
374 iniFreeStringList(voting);
375
376 strListFree(&msg_filters.ip_can);
377 strListFree(&msg_filters.host_can);
378 strListFree(&msg_filters.subject_can);
379 strListFree(&msg_filters.twit_list);
>>> CID 631142: Null pointer dereferences (FORWARD_NULL) >>> Passing "&user_list" to "listFree", which dereferences null "user_list.sem".
380 listFree(&user_list);
381
382 delfiles(cfg.temp_dir, "*.NDX");
383 SAFEPRINTF(str, "%sMESSAGES.DAT", cfg.temp_dir);
384 removecase(str);
385 SAFEPRINTF(str, "%sDOOR.ID", cfg.temp_dir);

** CID 631141: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631141: Program hangs (LOCK)
/userdat.c: 4264 in loginSuccess()
4258 list_node_t* node;
4259
4260 if (addr->addr.sa_family != AF_INET && addr->addr.sa_family != AF_INET6)
4261 return;
4262 listLock(list);
4263 if ((node = login_attempted(list, addr)) != NULL)
>>> CID 631141: Program hangs (LOCK)
>>> "listRemoveNode" locks "list->mutex" while it is locked.
4264 listRemoveNode(list, node, /* freeData: */ true);
4265 listUnlock(list);
4266 }
4267
4268 /****************************************************************************/
4269 /* Returns number of *unique* login attempts (excludes consecutive dupes) */

** CID 631140: (LOCK)
/userdat.c: 4206 in loginAttemptListClear()

_____________________________________________________________________________________________
*** CID 631140: (LOCK)
/userdat.c: 4204 in loginAttemptListClear()
4198 long loginAttemptListClear(link_list_t* list)
4199 {
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;
>>> CID 631140: (LOCK)
>>> "listCountNodes" locks "list->mutex" while it is locked.
4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);
4206 listUnlock(list);
4207 return count;
4208 }
4209
/userdat.c: 4206 in loginAttemptListClear()
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;
4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);
>>> CID 631140: (LOCK)
>>> "listUnlock" unlocks "list->mutex" while it is unlocked.
4206 listUnlock(list);
4207 return count;
4208 }
4209
4210 /****************************************************************************/
4211 static list_node_t* login_attempted(link_list_t* list, const union xp_sockaddr* addr)

** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()

_____________________________________________________________________________________________
*** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()
1613 client_on(socket, &client, false /* update */);
1614
1615 if (startup->login_attempt.throttle
1616 && (login_attempts = loginAttempts(startup->login_attempt_list, &service_client.addr)) > 1) {
1617 lprintf(LOG_DEBUG, "%04d %s Throttling suspicious connection from: %s (%lu login attempts)"
1618 , socket, service->protocol, client.addr, login_attempts);
>>> CID 631139: Program hangs (SLEEP)
>>> Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
1619 mswait(login_attempts * startup->login_attempt.throttle);
1620 }
1621
1622 /* RUN SCRIPT */
1623 if (strpbrk(service->cmd, "/\\") == NULL)
1624 SAFEPRINTF2(cmd, "%s%s", scfg.exec_dir, service->cmd);

** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()

_____________________________________________________________________________________________
*** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()
1645 lprintf(LOG_INFO, "%04d %s service thread terminated (%lu clients remain, %lu total, %lu served)"
1646 , socket, service->protocol, remain, active_clients(), service->served);
1647
1648 client_off(socket);
1649 close_socket(socket);
1650 closesocket(socket_dup); /* close duplicate handle */ >>> CID 631138: Program hangs (LOCK)
>>> Returning without unlocking "startup->login_attempt_list->mutex".
1651 }
1652
1653
1654 void services_terminate(void)
1655 {
1656 uint32_t i;

** CID 631137: Program hangs (ORDER_REVERSAL)

_____________________________________________________________________________________________
*** CID 631137: Program hangs (ORDER_REVERSAL)
/websrvr.c: 6965 in http_session_thread()
6959 */
6960 session.req.method = HTTP_GET;
6961 session.http_ver = HTTP_1_0;
6962 if (startup->max_clients && client_count > startup->max_clients) {
6963 lprintf(LOG_WARNING, "%04d %-5s [%s] !MAXIMUM CLIENTS (%u) exceeded by %u, access denied"
6964 , socket, session.client.protocol, session.host_ip, startup->max_clients, client_count - startup->max_clients);
>>> CID 631137: Program hangs (ORDER_REVERSAL) >>> Calling "send_error" acquires lock "jsrt_mutex" while holding lock "link_list.mutex" (count: 1 / 5).
6965 send_error(&session, __LINE__, error_503);
6966 session.finished = true;
6967 } else {
6968 uint connections = listCountMatches(&current_connections, session.host_ip, strlen(session.host_ip) + 1);
6969 if (startup->max_concurrent_connections > 0 && connections > startup->max_concurrent_connections
6970 && !is_host_exempt(&scfg, session.host_ip, /* host_name */ NULL)) {

** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()

_____________________________________________________________________________________________
*** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()
836 for (list_node_t* node = mqtt->client_list.first; node != NULL; node = node->next) {
837 client_t* client = node->data;
838 format_client_info(str, sizeof(str), node->tag, client, client->time);
839 strListPush(&list, str);
840 client_count++;
841 }
>>> CID 631136: (LOCK)
>>> "listUnlock" unlocks "mqtt->client_list.mutex" while it is unlocked.
842 listUnlock(&mqtt->client_list);
843 char* buf = NULL;
844 if (client_count > 0) {
845 size_t buflen = client_count * MAX_CLIENT_STRLEN * 2; 846 buf = malloc(buflen);
847 strListJoin(list, buf, buflen, "\n"); /mqtt.c: 814 in mqtt_client_on()
808
809 listLock(&mqtt->client_list);
810 if (on) {
811 if (update) {
812 list_node_t* node;
813
>>> CID 631136: (LOCK)
>>> "listFindNode" locks "mqtt->client_list.mutex" while it is locked.
814 if ((node = listFindTaggedNode(&mqtt->client_list, sock)) != NULL) {
815 memcpy(node->data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/update", str);
818 }
819 } else {
/mqtt.c: 825 in mqtt_client_on()
819 } else {
820 listAddNodeData(&mqtt->client_list, client, sizeof(client_t), sock, LAST_NODE);
821 format_client_info(str, sizeof(str), sock, client, client->time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/connect", str);
823 }
824 } else {
>>> CID 631136: (LOCK)
>>> "listRemoveTaggedNode" locks "mqtt->client_list.mutex" while it is locked.
825 client = listRemoveTaggedNode(&mqtt->client_list, sock, /* free_data: */ false);
826 if (client != NULL) {
827 format_client_info(str, sizeof(str), sock, client, time(NULL));
828 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/disconnect", str);
829 FREE_AND_NULL(client);
830 }
/mqtt.c: 820 in mqtt_client_on()
814 if ((node = listFindTaggedNode(&mqtt->client_list, sock)) != NULL) {
815 memcpy(node->data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/update", str);
818 }
819 } else {
>>> CID 631136: (LOCK)
>>> "listAddNodeData" locks "mqtt->client_list.mutex" while it is locked.
820 listAddNodeData(&mqtt->client_list, client, sizeof(client_t), sock, LAST_NODE);
821 format_client_info(str, sizeof(str), sock, client, client->time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/connect", str);
823 }
824 } else {
825 client = listRemoveTaggedNode(&mqtt->client_list, sock, /* free_data: */ false);

** CID 631135: Uninitialized variables (UNINIT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()

_____________________________________________________________________________________________
*** CID 631135: Uninitialized variables (UNINIT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf && saltsz && *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp < saltLength)
3693 cp = saltLength;
3694 if (cp)
>>> CID 631135: Uninitialized variables (UNINIT) >>> Using uninitialized value "*salt" when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
3695 memcpy(saltBuf, salt, cp);
3696 if (cp < *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;

** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()

_____________________________________________________________________________________________
*** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
>>> CID 631134: Program hangs (LOCK)
>>> Returning without unlocking "startup->login_attempt_list->mutex".
1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
1195 char details[128];

** CID 631133: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631133: Program hangs (LOCK)
/userdat.c: 4303 in loginFailure()
4297 if (pass != NULL)
4298 SAFECOPY(attempt->pass, pass);
4299 attempt->count++;
4300 count = attempt->count - attempt->dupes;
4301 if (node == NULL) {
4302 attempt->first = attempt->time;
>>> CID 631133: Program hangs (LOCK)
>>> "listAddNodeData" locks "list->mutex" while it is locked.
4303 listPushNodeData(list, attempt, sizeof(login_attempt_t));
4304 }
4305 listUnlock(list);
4306
4307 if (details != NULL)
4308 *details = *attempt;

** CID 631132: Control flow issues (NO_EFFECT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()

_____________________________________________________________________________________________
*** CID 631132: Control flow issues (NO_EFFECT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()
3624 buffer = malloc(bufferSize);
3625 if (buffer == NULL)
3626 goto done;
3627 size_t lines = 0;
3628 while(!feof(fp)) {
3629 size_t rret = fread(buffer, 1, bufferSize, fp); >>> CID 631132: Control flow issues (NO_EFFECT) >>> This less-than-zero comparison of an unsigned value is never true. "rret < 0UL".
3630 if (rret < 0 || rret > INT_MAX)
3631 goto done;
3632 if ((streamCipher && rret > 0) || rret == bufferSize) {
3633 size_t bufpos = 0;
3634 status = cryptDecrypt(ctx, buffer, rret);
3635 if (cryptStatusError(status))

** CID 631131: (SLEEP)
/websrvr.c: 6948 in http_session_thread()

_____________________________________________________________________________________________
*** CID 631131: (SLEEP)
/websrvr.c: 6911 in http_session_thread()
6905 }
6906
6907 login_attempt_t attempted;
6908 ulong banned = loginBanned(&scfg, startup->login_attempt_list, session.socket, host_name, startup->login_attempt, &attempted);
6909
6910 /* host_ip wasn't defined in http_session_thread */ >>> CID 631131: (SLEEP)
>>> Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".
6911 if (banned || trashcan2(&scfg, session.host_ip, NULL, "ip", &trash)) {
6912 if (banned) {
6913 char ban_duration[128];
6914 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
6915 , session.socket, session.client.protocol
6916 , session.host_ip, attempted.count - attempted.dupes, attempted.user
/websrvr.c: 7055 in http_session_thread()
7049 }
7050 /* At this point, if redirp is non-NULL then the headers have already been parsed */
7051 if ((session.http_ver < HTTP_1_0) || redirp != NULL || parse_headers(&session)) {
7052 if (check_request(&session)) {
7053 if (session.req.send_location < MOVED_TEMP || session.req.virtual_path[0] != '/' || loop_count++ >= MAX_REDIR_LOOPS) {
7054 if (read_post_data(&session))
>>> CID 631131: (SLEEP)
>>> Call to "respond" might sleep while holding lock "startup->login_attempt_list->mutex".
7055 respond(&session);
7056 }
7057 else {
7058 if (!session.redir_req[0]) {
7059 safe_snprintf(session.redir_req, sizeof(session.redir_req), "%s %s%s%s", methods[session.req.method]
7060 , session.req.virtual_path, session.http_ver < HTTP_1_0?"":" ", http_vers[session.http_ver]);
/websrvr.c: 6948 in http_session_thread()
6942 client_on(session.socket, &session.client, /* update existing client record? */ false);
6943
6944 if (startup->login_attempt.throttle
6945 && (login_attempts = loginAttempts(startup->login_attempt_list, &session.addr)) > 1) {
6946 lprintf(LOG_DEBUG, "%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)"
6947 , socket, session.client.protocol, session.host_ip, login_attempts);
>>> CID 631131: (SLEEP)
>>> Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
6948 mswait(login_attempts * startup->login_attempt.throttle);
6949 }
6950
6951 session.last_user_num = -1;
6952 session.last_js_user_num = -1;
6953 session.logon_time = 0;

** CID 631130: Null pointer dereferences (FORWARD_NULL)

_____________________________________________________________________________________________
*** CID 631130: Null pointer dereferences (FORWARD_NULL)
/un_rep.cpp: 538 in sbbs_t::unpack_rep(char *)()
532 iniFreeStringList(voting);
533
534 strListFree(&msg_filters.ip_can);
535 strListFree(&msg_filters.host_can);
536 strListFree(&msg_filters.subject_can);
537 strListFree(&msg_filters.twit_list);
>>> CID 631130: Null pointer dereferences (FORWARD_NULL) >>> Passing "&user_list" to "listFree", which dereferences null "user_list.sem".
538 listFree(&user_list);
539
540 if (lastsub != INVALID_SUB)
541 smb_close(&smb);
542 fclose(rep);
543

** CID 631129: Memory - corruptions (OVERRUN) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()

_____________________________________________________________________________________________
*** CID 631129: Memory - corruptions (OVERRUN) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf && saltsz && *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp < saltLength)
3693 cp = saltLength;
3694 if (cp)
>>> CID 631129: Memory - corruptions (OVERRUN) >>> Overrunning array "salt" of 64 bytes by passing it to a function which accesses it at byte offset 64 using argument "cp" (which evaluates to 65). [Note: The source code implementation of the function has been overridden by a builtin model.]
3695 memcpy(saltBuf, salt, cp);
3696 if (cp < *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68e2993ee711b_9d27f2d5dd76db9a859454--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Thu Oct 9 22:28:15 2025

----==_mimepart_68e836fea603a_df2962d5dd76db9a85941e
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 631415: (FORWARD_NULL)

_____________________________________________________________________________________________
*** CID 631415: (FORWARD_NULL) /tmp/sbbs-Oct-09-2025/src/conio/bitmap_con.c: 2120 in bitmap_setpixels()
2114 }
2115 if (++cpx >= vstat.charwidth) { 2116 cpx = 0;
2117 charx++;
2118 xupdated = false;
2119 assert(off >= 0);

CID 631415: (FORWARD_NULL)
Passing null pointer "vstat.vmem" to "vmem_next_offset", which dereferences it.

2120 off = vmem_next_offset(vstat.vmem, off);
2121 }
2122 }
2123 if (screena.rect->data[pixel_offset(&screena, x, y)] != pixels->pixels[pos]) {
2124 screena.rect->data[pixel_offset(&screena, x, y)] = pixels->pixels[pos];
2125 screena.update_pixels = 1; /tmp/sbbs-Oct-09-2025/src/conio/bitmap_con.c: 2094 in bitmap_setpixels()
2088 int ccols = vstat.cols * vstat.charwidth;
2089 for (y = sy; y <= ey; y++) {
2090 pos = pixels->width*(y-sy+y_off)+x_off;
2091 bool in_text_area = y < crows;
2092 if (in_text_area && !yupdated) {
2093 charx = charsx;

CID 631415: (FORWARD_NULL)
Passing null pointer "vstat.vmem" to "vmem_cell_offset", which dereferences it.

2094 off = vmem_cell_offset(vstat.vmem, charx, chary);
2095 }
2096 if (mask == NULL) {
2097 for (x = sx; x <= ex; x++) {
2098 if (x >= ccols)
2099 in_text_area = false;

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68e836fea603a_df2962d5dd76db9a85941e
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li>
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631415: (FORWARD_NULL)

_____________________________________________________________________________________________
*** CID 631415: (FORWARD_NULL) /tmp/sbbs-Oct-09-2025/src/conio/bitmap_con.c: 2120 in bitmap_setpixels()
2114 }
2115 if (++cpx >= vstat.charwidth) {
2116 cpx = 0;
2117 charx++;
2118 xupdated = false;
2119 assert(off >= 0); >>> CID 631415: (FORWARD_NULL)
>>> Passing null pointer "vstat.vmem" to "vmem_next_offset", which dereferences it.
2120 off = vmem_next_offset(vstat.vmem, off);
2121 }
2122 }
2123 if (screena.rect->data[pixel_offset(&screena, x, y)] != pixels->pixels[pos]) {
2124 screena.rect->data[pixel_offset(&screena, x, y)] = pixels->pixels[pos];
2125 screena.update_pixels = 1; /tmp/sbbs-Oct-09-2025/src/conio/bitmap_con.c: 2094 in bitmap_setpixels()
2088 int ccols = vstat.cols * vstat.charwidth;
2089 for (y = sy; y <= ey; y++) {
2090 pos = pixels->width*(y-sy+y_off)+x_off;
2091 bool in_text_area = y < crows;
2092 if (in_text_area && !yupdated) {
2093 charx = charsx;
>>> CID 631415: (FORWARD_NULL)
>>> Passing null pointer "vstat.vmem" to "vmem_cell_offset", which dereferences it.
2094 off = vmem_cell_offset(vstat.vmem, charx, chary);
2095 }
2096 if (mask == NULL) {
2097 for (x = sx; x <= ex; x++) {
2098 if (x >= ccols)
2099 in_text_area = false;

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68e836fea603a_df2962d5dd76db9a85941e--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Sun Nov 9 13:52:52 2025

----==_mimepart_69109cb38f643_144442ddf8a1d19a097965
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 638545: Control flow issues (MISSING_BREAK)
/js_socket.c: 2707 in js_socket_get()

_____________________________________________________________________________________________
*** CID 638545: Control flow issues (MISSING_BREAK)
/js_socket.c: 2707 in js_socket_get()
2701 case SOCK_PROP_TLS_PSK:
2702 if (p->tls_psk == NULL)
2703 *vp = JSVAL_VOID;
2704 else
2705 *vp = OBJECT_TO_JSVAL(p->tls_psk);
2706 break;

CID 638545: Control flow issues (MISSING_BREAK)
The case for value "SOCK_PROP_TLS_PSK_ID" is not terminated by a "break" statement.

2707 case SOCK_PROP_TLS_PSK_ID:
2708 if (p->tls_psk == NULL)
2709 *vp = JSVAL_VOID;
2710 else {
2711 int attrval;
2712 if ((cryptGetAttribute(p->session, CRYPT_SESSINFO_TLS_OPTIONS, &attrval) != CRYPT_OK)

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_69109cb38f643_144442ddf8a1d19a097965
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li>
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 638545: Control flow issues (MISSING_BREAK)
/js_socket.c: 2707 in js_socket_get()

_____________________________________________________________________________________________
*** CID 638545: Control flow issues (MISSING_BREAK)
/js_socket.c: 2707 in js_socket_get()
2701 case SOCK_PROP_TLS_PSK:
2702 if (p->tls_psk == NULL)
2703 *vp = JSVAL_VOID;
2704 else
2705 *vp = OBJECT_TO_JSVAL(p->tls_psk); 2706 break;
>>> CID 638545: Control flow issues (MISSING_BREAK) >>> The case for value "SOCK_PROP_TLS_PSK_ID" is not terminated by a "break" statement.
2707 case SOCK_PROP_TLS_PSK_ID:
2708 if (p->tls_psk == NULL)
2709 *vp = JSVAL_VOID;
2710 else {
2711 int attrval;
2712 if ((cryptGetAttribute(p->session, CRYPT_SESSINFO_TLS_OPTIONS, &attrval) != CRYPT_OK)

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_69109cb38f643_144442ddf8a1d19a097965--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Sun Dec 14 13:48:36 2025

----==_mimepart_693ec0347df67_815e22c07a52839ac105f0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

89 new defect(s) introduced to Synchronet found with Coverity Scan.
88 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 89 defect(s)

** CID 639949: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 2047 in check_ars(http_session_t *)()

_____________________________________________________________________________________________
*** CID 639949: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 2047 in check_ars(http_session_t *)()
2041 else
2042 lprintf(LOG_NOTICE, "%04d !UNKNOWN USER: '%s'" 2043 , session->socket, session->req.auth.username);
2044 return false;
2045 }
2046 thisuser.number = i;

CID 639949: Error handling issues (CHECKED_RETURN)
Calling "getuserdat" without checking return value (as is done elsewhere 90 out of 103 times).

2047 getuserdat(&scfg, &thisuser);
2048 switch (session->req.auth.type) {
2049 case AUTHENTICATION_TLS_PSK:
2050 if ((auth_allowed & (1 << AUTHENTICATION_TLS_PSK)) == 0)
2051 return false;
2052 if (session->last_user_num != 0) {

** CID 639948: Program hangs (SLEEP)
/services.cpp: 1619 in native_service_thread(void *)()

_____________________________________________________________________________________________
*** CID 639948: Program hangs (SLEEP)
/services.cpp: 1619 in native_service_thread(void *)()
1613 client_on(socket, &client, false /* update */);
1614
1615 if (startup->login_attempt.throttle
1616 && (login_attempts = loginAttempts(startup->login_attempt_list, &service_client.addr)) > 1) {
1617 lprintf(LOG_DEBUG, "%04d %s Throttling suspicious connection from: %s (%lu login attempts)"
1618 , socket, service->protocol, client.addr, login_attempts);

CID 639948: Program hangs (SLEEP)
Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".

1619 mswait(login_attempts * startup->login_attempt.throttle);
1620 }
1621
1622 /* RUN SCRIPT */
1623 if (strpbrk(service->cmd, "/\\") == NULL)
1624 SAFEPRINTF2(cmd, "%s%s", scfg.exec_dir, service->cmd);

** CID 639947: Control flow issues (DEADCODE)
/websrvr.cpp: 6533 in read_post_data(http_session_t *)()

_____________________________________________________________________________________________
*** CID 639947: Control flow issues (DEADCODE)
/websrvr.cpp: 6533 in read_post_data(http_session_t *)()
6527 if (ch_len == 0)
6528 break;
6529 /* Check size */
6530 s += ch_len;
6531 if (s > MAX_POST_LEN) {
6532 if (s > SIZE_MAX) {

CID 639947: Control flow issues (DEADCODE)
Execution cannot reach this statement: "send_error(session, 6533U, ...".

6533 send_error(session, __LINE__, "413 Request entity too large");
6534 FCLOSE_OPEN_FILE(fp); 6535 return false;
6536 }
6537 if (fp == NULL) {
6538 fp = open_post_file(session);

** CID 639946: (CHECKED_RETURN)
/js_socket.cpp: 1412 in js_recv(JSContext *, unsigned int, unsigned long *)()
/js_socket.cpp: 1415 in js_recv(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639946: (CHECKED_RETURN)
/js_socket.cpp: 1412 in js_recv(JSContext *, unsigned int, unsigned long *)()
1406
1407 if ((p = (js_socket_private_t*)js_GetClassPrivate(cx, obj, &js_socket_class)) == NULL) {
1408 return JS_FALSE;
1409 }
1410
1411 if (argc && argv[0] != JSVAL_VOID) {

CID 639946: (CHECKED_RETURN)
Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).

1412 JS_ValueToInt32(cx, argv[0], &len);
1413
1414 if (argc > 1 && argv[1] != JSVAL_VOID) {
1415 JS_ValueToInt32(cx, argv[1], &timeout);
1416 }
1417 }
/js_socket.cpp: 1415 in js_recv(JSContext *, unsigned int, unsigned long *)()
1409 }
1410
1411 if (argc && argv[0] != JSVAL_VOID) {
1412 JS_ValueToInt32(cx, argv[0], &len);
1413
1414 if (argc > 1 && argv[1] != JSVAL_VOID) {

CID 639946: (CHECKED_RETURN)
Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).

1415 JS_ValueToInt32(cx, argv[1], &timeout);
1416 }
1417 }
1418
1419 if ((buf = (char*)malloc(len + 1)) == NULL) {
1420 JS_ReportError(cx, "Error allocating %u bytes", len + 1);

** CID 639945: (CHECKED_RETURN)
/js_system.cpp: 1002 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
/js_system.cpp: 987 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639945: (CHECKED_RETURN)
/js_system.cpp: 1002 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
996 if ((js_str = JS_ValueToString(cx, argv[1])) == NULL)
997 return JS_FALSE;
998
999 if (argnum < argc && JSVAL_IS_BOOLEAN(argv[argnum]))
1000 JS_ValueToBoolean(cx, argv[argnum++], &match_del);
1001 if (argnum < argc && JSVAL_IS_NUMBER(argv[argnum]))

CID 639945: (CHECKED_RETURN)
Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).

1002 JS_ValueToInt32(cx, argv[argnum++], &usernumber);
1003 if (argnum < argc && JSVAL_IS_BOOLEAN(argv[argnum]))
1004 JS_ValueToBoolean(cx, argv[argnum++], &match_next); 1005
1006 JSSTRING_TO_ASTRING(cx, js_str, p, 128, NULL);
1007 if (p == NULL)
/js_system.cpp: 987 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
981 return JS_TRUE;
982 }
983 js_system_private_t* sys;
984 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
985 return JS_FALSE;
986

CID 639945: (CHECKED_RETURN)
Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).

987 JS_ValueToInt32(cx, argv[0], &field);
988 rc = JS_SUSPENDREQUEST(cx);
989 len = user_field_len(static_cast<user_field>(field));
990 JS_RESUMEREQUEST(cx, rc);
991 if (len < 1) {
992 JS_ReportError(cx, "Invalid user field: %d", field);

** CID 639944: Uninitialized variables (UNINIT)

_____________________________________________________________________________________________
*** CID 639944: Uninitialized variables (UNINIT)
/js_system.cpp: 2108 in js_chkpassword(JSContext *, unsigned int, unsigned long *)()
2102
2103 js_system_private_t* sys;
2104 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
2105 return JS_FALSE;
2106
2107 rc = JS_SUSPENDREQUEST(cx);

CID 639944: Uninitialized variables (UNINIT)
Using uninitialized value "*str" when calling "check_pass".

2108 bool result = check_pass(sys->cfg, str, /* user: */NULL, /* unique: */false, /* reason: */NULL);
2109 JS_SET_RVAL(cx, arglist, BOOLEAN_TO_JSVAL(result));
2110 JS_RESUMEREQUEST(cx, rc);
2111
2112 return JS_TRUE;
2113 }

** CID 639943: (Y2K38_SAFETY)
/js_filebase.cpp: 1591 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
/js_filebase.cpp: 1581 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639943: (Y2K38_SAFETY)
/js_filebase.cpp: 1591 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
1585 rc = JS_SUSPENDREQUEST(cx);
1586 smb_getstatus(&(p->smb));
1587 JS_RESUMEREQUEST(cx, rc);
1588 *vp = UINT_TO_JSVAL(p->smb.status.total_files); 1589 break;
1590 case FB_PROP_UPDATE_TIME:

CID 639943: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "newfiletime(&p->smb)" is cast to "uint32_t".

1591 *vp = UINT_TO_JSVAL((uint32_t)newfiletime(&p->smb));
1592 break;
1593 case FB_PROP_MAX_FILES:
1594 *vp = UINT_TO_JSVAL(p->smb.status.max_files); 1595 break;
1596 case FB_PROP_MAX_AGE:
/js_filebase.cpp: 1581 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
1575 smb_getstatus(&(p->smb));
1576 JS_RESUMEREQUEST(cx, rc);
1577 *vp = UINT_TO_JSVAL(p->smb.status.last_file); 1578 break;
1579 case FB_PROP_LAST_FILE_TIME:
1580 rc = JS_SUSPENDREQUEST(cx);

CID 639943: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "lastfiletime(&p->smb)" is cast to "uint32_t".

1581 *vp = UINT_TO_JSVAL((uint32_t)lastfiletime(&p->smb));
1582 JS_RESUMEREQUEST(cx, rc);
1583 break;
1584 case FB_PROP_FILES:
1585 rc = JS_SUSPENDREQUEST(cx);
1586 smb_getstatus(&(p->smb));

** CID 639942: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 3624 in js_socket_constructor(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639942: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 3624 in js_socket_constructor(JSContext *, unsigned int, unsigned long *)()
3618 return JS_TRUE;
3619 }
3620 }
3621
3622 for (; i < argc; i++) {
3623 if (JSVAL_IS_NUMBER(argv[i])) {

CID 639942: Error handling issues (CHECKED_RETURN)
Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).

3624 JS_ValueToInt32(cx, argv[i], &type);
3625 }
3626 else if (JSVAL_IS_BOOLEAN(argv[i])) {
3627 if (argv[i] == JSVAL_TRUE)
3628 domain = AF_INET6;
3629 }

** CID 639941: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 6856 in http_session_thread(void *)()

_____________________________________________________________________________________________
*** CID 639941: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 6856 in http_session_thread(void *)()
6850 session.tls_sess = -1;
6851 close_session_no_rb(&session);
6852 thread_down();
6853 return;
6854 }
6855 bool nodelay = true;

CID 639941: Error handling issues (CHECKED_RETURN)
Calling "setsockopt(session.socket, IPPROTO_TCP, 1, (char *)&nodelay, 1U)" without checking return value. This library function may fail and return an error code.

6856 setsockopt(session.socket, IPPROTO_TCP, TCP_NODELAY, (char*)&nodelay, sizeof(nodelay));
6857
6858 if (looking_good)
6859 looking_good = HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_TLS_OPTIONS, CRYPT_TLSOPTION_MINVER_TLS12), &session, "setting TLS minver to 1.2");
6860 if (looking_good)
6861 looking_good = HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_NETWORKSOCKET, session.socket), &session, "setting network socket");

** CID 639940: High impact quality (Y2K38_SAFETY)
/js_filebase.cpp: 701 in js_hash_file(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639940: High impact quality (Y2K38_SAFETY)
/js_filebase.cpp: 701 in js_hash_file(JSContext *, unsigned int, unsigned long *)()
695 if (size == -1)
696 JS_ReportError(cx, "File does not exist: %s", path); 697 else {
698 smb_setfilesize(&file.idx, size);
699 if ((p->smb_result = smb_hashfile(path, size, &file.file_idx.hash.data)) > 0) {
700 file.file_idx.hash.flags = p->smb_result;

CID 639940: High impact quality (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "fdate(path)" is cast to "uint32_t".

701 file.hdr.when_written.time = (uint32_t)fdate(path);
702 JSObject* fobj;
703 if ((fobj = JS_NewObject(cx, NULL, NULL, obj)) == NULL)
704 JS_ReportError(cx, "object allocation failure, line %d", __LINE__);
705 else {
706 set_file_properties(cx, fobj, &file, detail);

** CID 639939: Memory - corruptions (REVERSE_NEGATIVE)
/websrvr.cpp: 7033 in http_session_thread(void *)()

_____________________________________________________________________________________________
*** CID 639939: Memory - corruptions (REVERSE_NEGATIVE)
/websrvr.cpp: 7033 in http_session_thread(void *)()
7027 memset(session.req.ld, 0, sizeof(struct log_data));
7028 /* FREE()d in http_logging_thread */
7029 session.req.ld->hostname = strdup(session.host_name);
7030 }
7031 while ((redirp == NULL || session.req.send_location >= MOVED_TEMP)
7032 && !session.finished && !session.req.finished >>> CID 639939: Memory - corruptions (REVERSE_NEGATIVE)

You might be using variable "session.socket" before verifying that it is >= 0.

7033 && session.socket != INVALID_SOCKET) {
7034 SAFECOPY(session.req.status, "200 OK");
7035 session.req.send_location = NO_LOCATION;
7036 if (session.req.headers == NULL) {
7037 /* FREE()d in close_request() */
7038 if ((session.req.headers = strListInit()) == NULL) {

** CID 639938: (CHECKED_RETURN)
/js_msgbase.cpp: 3037 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
/js_msgbase.cpp: 3031 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639938: (CHECKED_RETURN)
/js_msgbase.cpp: 3037 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
3031 smb_getstatus(&(p->smb));
3032 JS_RESUMEREQUEST(cx, rc);
3033 *vp = UINT_TO_JSVAL(p->smb.status.last_msg); 3034 break;
3035 case SMB_PROP_TOTAL_MSGS:
3036 rc = JS_SUSPENDREQUEST(cx);

CID 639938: (CHECKED_RETURN)
Calling "smb_getstatus" without checking return value (as is done elsewhere 32 out of 36 times).

3037 smb_getstatus(&(p->smb));
3038 JS_RESUMEREQUEST(cx, rc);
3039 *vp = UINT_TO_JSVAL(p->smb.status.total_msgs); 3040 break;
3041 case SMB_PROP_MAX_CRCS:
3042 *vp = UINT_TO_JSVAL(p->smb.status.max_crcs); /js_msgbase.cpp: 3031 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
3025 } else {
3026 *vp = UINT_TO_JSVAL(p->first_msg);
3027 }
3028 break;
3029 case SMB_PROP_LAST_MSG:
3030 rc = JS_SUSPENDREQUEST(cx);

CID 639938: (CHECKED_RETURN)
Calling "smb_getstatus" without checking return value (as is done elsewhere 32 out of 36 times).

3031 smb_getstatus(&(p->smb));
3032 JS_RESUMEREQUEST(cx, rc);
3033 *vp = UINT_TO_JSVAL(p->smb.status.last_msg); 3034 break;
3035 case SMB_PROP_TOTAL_MSGS:
3036 rc = JS_SUSPENDREQUEST(cx);

** CID 639937: Incorrect expression (PRECEDENCE_ERROR)
/js_socket.cpp: 1254 in js_sendto(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639937: Incorrect expression (PRECEDENCE_ERROR) /js_socket.cpp: 1254 in js_sendto(JSContext *, unsigned int, unsigned long *)()
1248
1249 memset(&hints, 0, sizeof(hints));
1250 hints.ai_socktype = p->type;
1251 hints.ai_flags = AI_ADDRCONFIG;
1252 dbprintf(false, p, "resolving hostname: %s", p->hostname);
1253

CID 639937: Incorrect expression (PRECEDENCE_ERROR)
Evaluates as: "result = (getaddrinfo(p->hostname, NULL, &hints, &res) != 0)", because "!=" has higher operator precedence than "=". The context suggests that this might be in error.

1254 if ((result = getaddrinfo(p->hostname, NULL, &hints, &res) != 0)) {
1255 store_socket_error(p, result, gai_strerror(result)); 1256 dbprintf(TRUE, p, "getaddrinfo(%s) failed with error %d", p->hostname, result);
1257 JS_SET_RVAL(cx, arglist, JSVAL_FALSE);
1258 free(cp);
1259 JS_RESUMEREQUEST(cx, rc);

** CID 639936: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 2363 in js_socket_set(JSContext *, JSObject *, long, int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639936: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 2363 in js_socket_set(JSContext *, JSObject *, long, int, unsigned long *)()
2357
2358 if (ssl_sync(scfg, lprintf)) { 2359 if ((ret = cryptCreateSession(&p->session, CRYPT_UNUSED, tiny == SOCK_PROP_SSL_SESSION ? CRYPT_SESSION_TLS: CRYPT_SESSION_TLS_SERVER)) == CRYPT_OK) {
2360 ulong nb = 0; 2361 ioctlsocket(p->sock, FIONBIO, &nb);
2362 nb = 1;

CID 639936: Error handling issues (CHECKED_RETURN)
Calling "setsockopt(p->sock, IPPROTO_TCP, 1, (char *)&nb, 8U)" without checking return value. This library function may fail and return an error code.

2363 setsockopt(p->sock, IPPROTO_TCP, TCP_NODELAY, (char*)&nb, sizeof(nb));
2364 if ((ret = do_cryptAttribute(p->session, CRYPT_SESSINFO_NETWORKSOCKET, p->sock)) == CRYPT_OK) {
2365 int minver = CRYPT_TLSOPTION_MINVER_TLS12;
2366 if (p->tls_minver == 100)
2367 minver = CRYPT_TLSOPTION_MINVER_TLS10;
2368 else if (p->tls_minver == 101)

** CID 639935: (INTEGER_OVERFLOW)
/websrvr.cpp: 725 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
/websrvr.cpp: 712 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()

_____________________________________________________________________________________________
*** CID 639935: (INTEGER_OVERFLOW)
/websrvr.cpp: 725 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
719 else if (SOCKET_ERRNO == EPIPE) 720 lprintf(LOG_NOTICE, "%04d %-5s [%s] Unable to send to peer", session->socket, session->client.protocol, session->host_ip);
721 #endif
722 else if (session->socket != INVALID_SOCKET)
723 lprintf(LOG_WARNING, "%04d %-5s [%s] !ERROR %d sending on socket", session->socket, session->client.protocol, session->host_ip, SOCKET_ERRNO);
724 *failed = true;

CID 639935: (INTEGER_OVERFLOW)
"sent", which might have underflowed, is returned from the function. 725 return sent;

726 }
727 }
728 }
729 else {
730 lprintf(LOG_WARNING, "%04d %-5s [%s] Timeout waiting for socket to become writable", session->socket, session->client.protocol, session->host_ip);
/websrvr.cpp: 712 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
706 }
707 else
708 *failed = true;
709 result = tls_sent;
710 }
711 else {

CID 639935: (INTEGER_OVERFLOW)
"len - sent", which might have underflowed, is passed to "send(session->socket, buf + sent, len - sent, 0)".

712 result = sendsocket(session->socket, buf + sent, len - sent);
713 if (result == SOCKET_ERROR) {
714 if (SOCKET_ERRNO == ECONNRESET) 715 lprintf(LOG_NOTICE, "%04d %-5s [%s] Connection reset by peer on send", session->socket, session->client.protocol, session->host_ip);
716 else if (SOCKET_ERRNO == ECONNABORTED)
717 lprintf(LOG_NOTICE, "%04d %-5s [%s] Connection aborted by peer on send", session->socket, session->client.protocol, session->host_ip);

** CID 639934: Uninitialized variables (UNINIT)
/js_user.cpp: 1279 in js_downloaded_file(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639934: Uninitialized variables (UNINIT)
/js_user.cpp: 1279 in js_downloaded_file(JSContext *, unsigned int, unsigned long *)()
1273
1274 uintN argn = 0;
1275 if (argc > argn && JSVAL_IS_STRING(argv[argn])) {
1276 char *p;
1277 JSSTRING_TO_ASTRING(cx, JSVAL_TO_STRING(argv[argn]), p, LEN_EXTCODE + 2, NULL);
1278 for (dirnum = 0; dirnum < scfg->total_dirs; dirnum++) >>> CID 639934: Uninitialized variables (UNINIT)

Using uninitialized value "*p" when calling "strcasecmp".

1279 if (!stricmp(scfg->dir[dirnum]->code, p))
1280 break;
1281 argn++;
1282 }
1283 if (argc > argn && JSVAL_IS_STRING(argv[argn])) {
1284 JSSTRING_TO_ASTRING(cx, JSVAL_TO_STRING(argv[argn]), fname, MAX_PATH + 1, NULL);

** CID 639933: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1481 in js_filter_ip(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639933: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1481 in js_filter_ip(JSContext *, unsigned int, unsigned long *)()
1475 js_system_private_t* sys;
1476 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
1477 return JS_FALSE;
1478
1479 for (i = 0; i < argc && fname == NULL; i++) {
1480 if (JSVAL_IS_NUMBER(argv[i])) {

CID 639933: Error handling issues (CHECKED_RETURN)
Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).

1481 JS_ValueToInt32(cx, argv[i], &duration);
1482 continue;
1483 }
1484 if (!JSVAL_IS_STRING(argv[i]))
1485 continue;
1486 JSVALUE_TO_MSTRING(cx, argv[i], p, NULL);

** CID 639932: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 1188 in close_request(http_session_t *)()

_____________________________________________________________________________________________
*** CID 639932: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 1188 in close_request(http_session_t *)()
1182 FCLOSE_OPEN_FILE(session->req.fp);
1183
1184 for (i = 0; i < MAX_CLEANUPS; i++) {
1185 if (session->req.cleanup_file[i] != NULL) {
1186 if (i != CLEANUP_SSJS_TMP_FILE
1187 || !(startup->options & WEB_OPT_DEBUG_SSJS))

CID 639932: Error handling issues (CHECKED_RETURN)
Calling "remove(session->req.cleanup_file[i])" without checking return value. This library function may fail and return an error code.

1188 remove(session->req.cleanup_file[i]); 1189 free(session->req.cleanup_file[i]);
1190 }
1191 }
1192
1193 smb_freefilemem(&session->file);

** CID 639931: Memory - illegal accesses (OVERRUN)
/mailsrvr.cpp: 901 in sockmimetext(int, const char *, int, smbmsg_t *, char *, unsigned long, char **, char *)()

_____________________________________________________________________________________________
*** CID 639931: Memory - illegal accesses (OVERRUN)
/mailsrvr.cpp: 901 in sockmimetext(int, const char *, int, smbmsg_t *, char *, unsigned long, char **, char *)()
895 np = "\r\n"; // Send at least one line of message text (issue #822)
896 else
897 np = msgtxt;
898 long bytes = 0;
899 while (*np && lines < maxlines) {
900 len = 0;

CID 639931: Memory - illegal accesses (OVERRUN)
Overrunning array of 3 bytes at byte offset 997 by dereferencing pointer "np + len".

901 while (len < RFC822_MAX_LINE_LEN && *(np + len) != 0 && *(np + len) != '\n')
902 len++;
903
904 tlen = len;
905 while (tlen && *(np + (tlen - 1)) <= ' ') /* Takes care of '\r' or spaces */
906 tlen--;

** CID 639930: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1640 in js_put_node_message(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639930: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1640 in js_put_node_message(JSContext *, unsigned int, unsigned long *)()
1634 return JS_FALSE;
1635
1636 js_system_private_t* sys;
1637 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
1638 return JS_FALSE;
1639

CID 639930: Error handling issues (CHECKED_RETURN)
Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).

1640 JS_ValueToInt32(cx, argv[0], &node);
1641 if (node < 1)
1642 node = 1;
1643
1644 if ((js_msg = JS_ValueToString(cx, argv[1])) == NULL)
1645 return JS_FALSE;

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_693ec0347df67_815e22c07a52839ac105f0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 89</li>
<li>
88 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 20 of 89 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 639949: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 2047 in check_ars(http_session_t *)()

_____________________________________________________________________________________________
*** CID 639949: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 2047 in check_ars(http_session_t *)()
2041 else
2042 lprintf(LOG_NOTICE, "%04d !UNKNOWN USER: '%s'"
2043 , session->socket, session->req.auth.username);
2044 return false;
2045 }
2046 thisuser.number = i;
>>> CID 639949: Error handling issues (CHECKED_RETURN) >>> Calling "getuserdat" without checking return value (as is done elsewhere 90 out of 103 times).
2047 getuserdat(&scfg, &thisuser);
2048 switch (session->req.auth.type) {
2049 case AUTHENTICATION_TLS_PSK:
2050 if ((auth_allowed & (1 << AUTHENTICATION_TLS_PSK)) == 0)
2051 return false;
2052 if (session->last_user_num != 0) {

** CID 639948: Program hangs (SLEEP)
/services.cpp: 1619 in native_service_thread(void *)()

_____________________________________________________________________________________________
*** CID 639948: Program hangs (SLEEP)
/services.cpp: 1619 in native_service_thread(void *)()
1613 client_on(socket, &client, false /* update */);
1614
1615 if (startup->login_attempt.throttle
1616 && (login_attempts = loginAttempts(startup->login_attempt_list, &service_client.addr)) > 1) {
1617 lprintf(LOG_DEBUG, "%04d %s Throttling suspicious connection from: %s (%lu login attempts)"
1618 , socket, service->protocol, client.addr, login_attempts);
>>> CID 639948: Program hangs (SLEEP)
>>> Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
1619 mswait(login_attempts * startup->login_attempt.throttle);
1620 }
1621
1622 /* RUN SCRIPT */
1623 if (strpbrk(service->cmd, "/\\") == NULL)
1624 SAFEPRINTF2(cmd, "%s%s", scfg.exec_dir, service->cmd);

** CID 639947: Control flow issues (DEADCODE)
/websrvr.cpp: 6533 in read_post_data(http_session_t *)()

_____________________________________________________________________________________________
*** CID 639947: Control flow issues (DEADCODE)
/websrvr.cpp: 6533 in read_post_data(http_session_t *)()
6527 if (ch_len == 0)
6528 break;
6529 /* Check size */
6530 s += ch_len;
6531 if (s > MAX_POST_LEN) {
6532 if (s > SIZE_MAX) { >>> CID 639947: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "send_error(session, 6533U, ...".
6533 send_error(session, __LINE__, "413 Request entity too large");
6534 FCLOSE_OPEN_FILE(fp); 6535 return false;
6536 }
6537 if (fp == NULL) {
6538 fp = open_post_file(session);

** CID 639946: (CHECKED_RETURN)
/js_socket.cpp: 1412 in js_recv(JSContext *, unsigned int, unsigned long *)()
/js_socket.cpp: 1415 in js_recv(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639946: (CHECKED_RETURN)
/js_socket.cpp: 1412 in js_recv(JSContext *, unsigned int, unsigned long *)()
1406
1407 if ((p = (js_socket_private_t*)js_GetClassPrivate(cx, obj, &js_socket_class)) == NULL) {
1408 return JS_FALSE;
1409 }
1410
1411 if (argc && argv[0] != JSVAL_VOID) {
>>> CID 639946: (CHECKED_RETURN)
>>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1412 JS_ValueToInt32(cx, argv[0], &len);
1413
1414 if (argc > 1 && argv[1] != JSVAL_VOID) { 1415 JS_ValueToInt32(cx, argv[1], &timeout); 1416 }
1417 }
/js_socket.cpp: 1415 in js_recv(JSContext *, unsigned int, unsigned long *)()
1409 }
1410
1411 if (argc && argv[0] != JSVAL_VOID) {
1412 JS_ValueToInt32(cx, argv[0], &len);
1413
1414 if (argc > 1 && argv[1] != JSVAL_VOID) { >>> CID 639946: (CHECKED_RETURN)
>>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1415 JS_ValueToInt32(cx, argv[1], &timeout); 1416 }
1417 }
1418
1419 if ((buf = (char*)malloc(len + 1)) == NULL) {
1420 JS_ReportError(cx, "Error allocating %u bytes", len + 1);

** CID 639945: (CHECKED_RETURN)
/js_system.cpp: 1002 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
/js_system.cpp: 987 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639945: (CHECKED_RETURN)
/js_system.cpp: 1002 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
996 if ((js_str = JS_ValueToString(cx, argv[1])) == NULL)
997 return JS_FALSE;
998
999 if (argnum < argc && JSVAL_IS_BOOLEAN(argv[argnum])) 1000 JS_ValueToBoolean(cx, argv[argnum++], &match_del); 1001 if (argnum < argc && JSVAL_IS_NUMBER(argv[argnum])) >>> CID 639945: (CHECKED_RETURN)
>>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1002 JS_ValueToInt32(cx, argv[argnum++], &usernumber); 1003 if (argnum < argc && JSVAL_IS_BOOLEAN(argv[argnum])) 1004 JS_ValueToBoolean(cx, argv[argnum++], &match_next); 1005
1006 JSSTRING_TO_ASTRING(cx, js_str, p, 128, NULL);
1007 if (p == NULL)
/js_system.cpp: 987 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
981 return JS_TRUE;
982 }
983 js_system_private_t* sys;
984 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
985 return JS_FALSE;
986
>>> CID 639945: (CHECKED_RETURN)
>>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
987 JS_ValueToInt32(cx, argv[0], &field);
988 rc = JS_SUSPENDREQUEST(cx);
989 len = user_field_len(static_cast<user_field>(field));
990 JS_RESUMEREQUEST(cx, rc);
991 if (len < 1) {
992 JS_ReportError(cx, "Invalid user field: %d", field);

** CID 639944: Uninitialized variables (UNINIT)

_____________________________________________________________________________________________
*** CID 639944: Uninitialized variables (UNINIT)
/js_system.cpp: 2108 in js_chkpassword(JSContext *, unsigned int, unsigned long *)()
2102
2103 js_system_private_t* sys;
2104 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
2105 return JS_FALSE;
2106
2107 rc = JS_SUSPENDREQUEST(cx);
>>> CID 639944: Uninitialized variables (UNINIT) >>> Using uninitialized value "*str" when calling "check_pass".
2108 bool result = check_pass(sys->cfg, str, /* user: */NULL, /* unique: */false, /* reason: */NULL);
2109 JS_SET_RVAL(cx, arglist, BOOLEAN_TO_JSVAL(result));
2110 JS_RESUMEREQUEST(cx, rc);
2111
2112 return JS_TRUE;
2113 }

** CID 639943: (Y2K38_SAFETY)
/js_filebase.cpp: 1591 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
/js_filebase.cpp: 1581 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639943: (Y2K38_SAFETY)
/js_filebase.cpp: 1591 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
1585 rc = JS_SUSPENDREQUEST(cx);
1586 smb_getstatus(&(p->smb));
1587 JS_RESUMEREQUEST(cx, rc);
1588 *vp = UINT_TO_JSVAL(p->smb.status.total_files);
1589 break;
1590 case FB_PROP_UPDATE_TIME:
>>> CID 639943: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "newfiletime(&p->smb)" is cast to "uint32_t".
1591 *vp = UINT_TO_JSVAL((uint32_t)newfiletime(&p->smb));
1592 break;
1593 case FB_PROP_MAX_FILES:
1594 *vp = UINT_TO_JSVAL(p->smb.status.max_files);
1595 break;
1596 case FB_PROP_MAX_AGE:
/js_filebase.cpp: 1581 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
1575 smb_getstatus(&(p->smb));
1576 JS_RESUMEREQUEST(cx, rc);
1577 *vp = UINT_TO_JSVAL(p->smb.status.last_file);
1578 break;
1579 case FB_PROP_LAST_FILE_TIME:
1580 rc = JS_SUSPENDREQUEST(cx);
>>> CID 639943: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "lastfiletime(&p->smb)" is cast to "uint32_t".
1581 *vp = UINT_TO_JSVAL((uint32_t)lastfiletime(&p->smb));
1582 JS_RESUMEREQUEST(cx, rc);
1583 break;
1584 case FB_PROP_FILES:
1585 rc = JS_SUSPENDREQUEST(cx);
1586 smb_getstatus(&(p->smb));

** CID 639942: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 3624 in js_socket_constructor(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639942: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 3624 in js_socket_constructor(JSContext *, unsigned int, unsigned long *)()
3618 return JS_TRUE;
3619 }
3620 }
3621
3622 for (; i < argc; i++) {
3623 if (JSVAL_IS_NUMBER(argv[i])) {
>>> CID 639942: Error handling issues (CHECKED_RETURN) >>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
3624 JS_ValueToInt32(cx, argv[i], &type);
3625 }
3626 else if (JSVAL_IS_BOOLEAN(argv[i])) {
3627 if (argv[i] == JSVAL_TRUE)
3628 domain = AF_INET6;
3629 }

** CID 639941: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 6856 in http_session_thread(void *)()

_____________________________________________________________________________________________
*** CID 639941: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 6856 in http_session_thread(void *)()
6850 session.tls_sess = -1;
6851 close_session_no_rb(&session);
6852 thread_down();
6853 return;
6854 }
6855 bool nodelay = true;
>>> CID 639941: Error handling issues (CHECKED_RETURN) >>> Calling "setsockopt(session.socket, IPPROTO_TCP, 1, (char *)&nodelay, 1U)" without checking return value. This library function may fail and return an error code.
6856 setsockopt(session.socket, IPPROTO_TCP, TCP_NODELAY, (char*)&nodelay, sizeof(nodelay));
6857
6858 if (looking_good)
6859 looking_good = HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_TLS_OPTIONS, CRYPT_TLSOPTION_MINVER_TLS12), &session, "setting TLS minver to 1.2");
6860 if (looking_good)
6861 looking_good = HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_NETWORKSOCKET, session.socket), &session, "setting network socket");

** CID 639940: High impact quality (Y2K38_SAFETY)
/js_filebase.cpp: 701 in js_hash_file(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639940: High impact quality (Y2K38_SAFETY)
/js_filebase.cpp: 701 in js_hash_file(JSContext *, unsigned int, unsigned long *)()
695 if (size == -1)
696 JS_ReportError(cx, "File does not exist: %s", path);
697 else {
698 smb_setfilesize(&file.idx, size);
699 if ((p->smb_result = smb_hashfile(path, size, &file.file_idx.hash.data)) > 0) {
700 file.file_idx.hash.flags = p->smb_result; >>> CID 639940: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "fdate(path)" is cast to "uint32_t".
701 file.hdr.when_written.time = (uint32_t)fdate(path);
702 JSObject* fobj;
703 if ((fobj = JS_NewObject(cx, NULL, NULL, obj)) == NULL)
704 JS_ReportError(cx, "object allocation failure, line %d", __LINE__);
705 else {
706 set_file_properties(cx, fobj, &file, detail);

** CID 639939: Memory - corruptions (REVERSE_NEGATIVE)
/websrvr.cpp: 7033 in http_session_thread(void *)()

_____________________________________________________________________________________________
*** CID 639939: Memory - corruptions (REVERSE_NEGATIVE)
/websrvr.cpp: 7033 in http_session_thread(void *)()
7027 memset(session.req.ld, 0, sizeof(struct log_data));
7028 /* FREE()d in http_logging_thread */
7029 session.req.ld->hostname = strdup(session.host_name);
7030 }
7031 while ((redirp == NULL || session.req.send_location >= MOVED_TEMP)
7032 && !session.finished && !session.req.finished
>>> CID 639939: Memory - corruptions (REVERSE_NEGATIVE) >>> You might be using variable "session.socket" before verifying that it is >= 0.
7033 && session.socket != INVALID_SOCKET) { 7034 SAFECOPY(session.req.status, "200 OK");
7035 session.req.send_location = NO_LOCATION;
7036 if (session.req.headers == NULL) {
7037 /* FREE()d in close_request() */
7038 if ((session.req.headers = strListInit()) == NULL) {

** CID 639938: (CHECKED_RETURN)
/js_msgbase.cpp: 3037 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
/js_msgbase.cpp: 3031 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639938: (CHECKED_RETURN)
/js_msgbase.cpp: 3037 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
3031 smb_getstatus(&(p->smb));
3032 JS_RESUMEREQUEST(cx, rc);
3033 *vp = UINT_TO_JSVAL(p->smb.status.last_msg); 3034 break;
3035 case SMB_PROP_TOTAL_MSGS:
3036 rc = JS_SUSPENDREQUEST(cx);
>>> CID 639938: (CHECKED_RETURN)
>>> Calling "smb_getstatus" without checking return value (as is done elsewhere 32 out of 36 times).
3037 smb_getstatus(&(p->smb));
3038 JS_RESUMEREQUEST(cx, rc);
3039 *vp = UINT_TO_JSVAL(p->smb.status.total_msgs);
3040 break;
3041 case SMB_PROP_MAX_CRCS:
3042 *vp = UINT_TO_JSVAL(p->smb.status.max_crcs); /js_msgbase.cpp: 3031 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
3025 } else {
3026 *vp = UINT_TO_JSVAL(p->first_msg); 3027 }
3028 break;
3029 case SMB_PROP_LAST_MSG:
3030 rc = JS_SUSPENDREQUEST(cx);
>>> CID 639938: (CHECKED_RETURN)
>>> Calling "smb_getstatus" without checking return value (as is done elsewhere 32 out of 36 times).
3031 smb_getstatus(&(p->smb));
3032 JS_RESUMEREQUEST(cx, rc);
3033 *vp = UINT_TO_JSVAL(p->smb.status.last_msg); 3034 break;
3035 case SMB_PROP_TOTAL_MSGS:
3036 rc = JS_SUSPENDREQUEST(cx);

** CID 639937: Incorrect expression (PRECEDENCE_ERROR)
/js_socket.cpp: 1254 in js_sendto(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639937: Incorrect expression (PRECEDENCE_ERROR) /js_socket.cpp: 1254 in js_sendto(JSContext *, unsigned int, unsigned long *)()
1248
1249 memset(&hints, 0, sizeof(hints));
1250 hints.ai_socktype = p->type;
1251 hints.ai_flags = AI_ADDRCONFIG;
1252 dbprintf(false, p, "resolving hostname: %s", p->hostname);
1253
>>> CID 639937: Incorrect expression (PRECEDENCE_ERROR) >>> Evaluates as: "result = (getaddrinfo(p->hostname, NULL, &hints, &res) != 0)", because "!=" has higher operator precedence than "=". The context suggests that this might be in error.
1254 if ((result = getaddrinfo(p->hostname, NULL, &hints, &res) != 0)) {
1255 store_socket_error(p, result, gai_strerror(result)); 1256 dbprintf(TRUE, p, "getaddrinfo(%s) failed with error %d", p->hostname, result);
1257 JS_SET_RVAL(cx, arglist, JSVAL_FALSE);
1258 free(cp);
1259 JS_RESUMEREQUEST(cx, rc);

** CID 639936: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 2363 in js_socket_set(JSContext *, JSObject *, long, int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639936: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 2363 in js_socket_set(JSContext *, JSObject *, long, int, unsigned long *)()
2357
2358 if (ssl_sync(scfg, lprintf)) { 2359 if ((ret = cryptCreateSession(&p->session, CRYPT_UNUSED, tiny == SOCK_PROP_SSL_SESSION ? CRYPT_SESSION_TLS: CRYPT_SESSION_TLS_SERVER)) == CRYPT_OK) {
2360 ulong nb = 0; 2361 ioctlsocket(p->sock, FIONBIO, &nb);
2362 nb = 1; >>> CID 639936: Error handling issues (CHECKED_RETURN) >>> Calling "setsockopt(p->sock, IPPROTO_TCP, 1, (char *)&nb, 8U)" without checking return value. This library function may fail and return an error code.
2363 setsockopt(p->sock, IPPROTO_TCP, TCP_NODELAY, (char*)&nb, sizeof(nb));
2364 if ((ret = do_cryptAttribute(p->session, CRYPT_SESSINFO_NETWORKSOCKET, p->sock)) == CRYPT_OK) {
2365 int minver = CRYPT_TLSOPTION_MINVER_TLS12;
2366 if (p->tls_minver == 100)
2367 minver = CRYPT_TLSOPTION_MINVER_TLS10;
2368 else if (p->tls_minver == 101)

** CID 639935: (INTEGER_OVERFLOW)
/websrvr.cpp: 725 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
/websrvr.cpp: 712 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()

_____________________________________________________________________________________________
*** CID 639935: (INTEGER_OVERFLOW)
/websrvr.cpp: 725 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
719 else if (SOCKET_ERRNO == EPIPE) 720 lprintf(LOG_NOTICE, "%04d %-5s [%s] Unable to send to peer", session->socket, session->client.protocol, session->host_ip);
721 #endif
722 else if (session->socket != INVALID_SOCKET)
723 lprintf(LOG_WARNING, "%04d %-5s [%s] !ERROR %d sending on socket", session->socket, session->client.protocol, session->host_ip, SOCKET_ERRNO);
724 *failed = true;
>>> CID 639935: (INTEGER_OVERFLOW)
>>> "sent", which might have underflowed, is returned from the function.
725 return sent;
726 }
727 }
728 }
729 else {
730 lprintf(LOG_WARNING, "%04d %-5s [%s] Timeout waiting for socket to become writable", session->socket, session->client.protocol, session->host_ip);
/websrvr.cpp: 712 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
706 }
707 else
708 *failed = true;
709 result = tls_sent;
710 }
711 else {
>>> CID 639935: (INTEGER_OVERFLOW)
>>> "len - sent", which might have underflowed, is passed to "send(session->socket, buf + sent, len - sent, 0)".
712 result = sendsocket(session->socket, buf + sent, len - sent);
713 if (result == SOCKET_ERROR) {
714 if (SOCKET_ERRNO == ECONNRESET) 715 lprintf(LOG_NOTICE, "%04d %-5s [%s] Connection reset by peer on send", session->socket, session->client.protocol, session->host_ip);
716 else if (SOCKET_ERRNO == ECONNABORTED)
717 lprintf(LOG_NOTICE, "%04d %-5s [%s] Connection aborted by peer on send", session->socket, session->client.protocol, session->host_ip);

** CID 639934: Uninitialized variables (UNINIT)
/js_user.cpp: 1279 in js_downloaded_file(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639934: Uninitialized variables (UNINIT)
/js_user.cpp: 1279 in js_downloaded_file(JSContext *, unsigned int, unsigned long *)()
1273
1274 uintN argn = 0;
1275 if (argc > argn && JSVAL_IS_STRING(argv[argn])) { 1276 char *p;
1277 JSSTRING_TO_ASTRING(cx, JSVAL_TO_STRING(argv[argn]), p, LEN_EXTCODE + 2, NULL);
1278 for (dirnum = 0; dirnum < scfg->total_dirs; dirnum++)
>>> CID 639934: Uninitialized variables (UNINIT) >>> Using uninitialized value "*p" when calling "strcasecmp".
1279 if (!stricmp(scfg->dir[dirnum]->code, p)) 1280 break;
1281 argn++;
1282 }
1283 if (argc > argn && JSVAL_IS_STRING(argv[argn])) { 1284 JSSTRING_TO_ASTRING(cx, JSVAL_TO_STRING(argv[argn]), fname, MAX_PATH + 1, NULL);

** CID 639933: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1481 in js_filter_ip(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639933: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1481 in js_filter_ip(JSContext *, unsigned int, unsigned long *)()
1475 js_system_private_t* sys;
1476 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
1477 return JS_FALSE;
1478
1479 for (i = 0; i < argc && fname == NULL; i++) {
1480 if (JSVAL_IS_NUMBER(argv[i])) {
>>> CID 639933: Error handling issues (CHECKED_RETURN) >>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1481 JS_ValueToInt32(cx, argv[i], &duration); 1482 continue;
1483 }
1484 if (!JSVAL_IS_STRING(argv[i]))
1485 continue;
1486 JSVALUE_TO_MSTRING(cx, argv[i], p, NULL);

** CID 639932: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 1188 in close_request(http_session_t *)()

_____________________________________________________________________________________________
*** CID 639932: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 1188 in close_request(http_session_t *)()
1182 FCLOSE_OPEN_FILE(session->req.fp);
1183
1184 for (i = 0; i < MAX_CLEANUPS; i++) {
1185 if (session->req.cleanup_file[i] != NULL) {
1186 if (i != CLEANUP_SSJS_TMP_FILE
1187 || !(startup->options & WEB_OPT_DEBUG_SSJS))
>>> CID 639932: Error handling issues (CHECKED_RETURN) >>> Calling "remove(session->req.cleanup_file[i])" without checking return value. This library function may fail and return an error code.
1188 remove(session->req.cleanup_file[i]);
1189 free(session->req.cleanup_file[i]);
1190 }
1191 }
1192
1193 smb_freefilemem(&session->file);

** CID 639931: Memory - illegal accesses (OVERRUN)
/mailsrvr.cpp: 901 in sockmimetext(int, const char *, int, smbmsg_t *, char *, unsigned long, char **, char *)()

_____________________________________________________________________________________________
*** CID 639931: Memory - illegal accesses (OVERRUN)
/mailsrvr.cpp: 901 in sockmimetext(int, const char *, int, smbmsg_t *, char *, unsigned long, char **, char *)()
895 np = "\r\n"; // Send at least one line of message text (issue #822)
896 else
897 np = msgtxt;
898 long bytes = 0;
899 while (*np && lines < maxlines) {
900 len = 0;
>>> CID 639931: Memory - illegal accesses (OVERRUN) >>> Overrunning array of 3 bytes at byte offset 997 by dereferencing pointer "np + len".
901 while (len < RFC822_MAX_LINE_LEN && *(np + len) != 0 && *(np + len) != '\n')
902 len++;
903
904 tlen = len;
905 while (tlen && *(np + (tlen - 1)) <= ' ') /* Takes care of '\r' or spaces */
906 tlen--;

** CID 639930: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1640 in js_put_node_message(JSContext *, unsigned int, unsigned long *)()

_____________________________________________________________________________________________
*** CID 639930: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1640 in js_put_node_message(JSContext *, unsigned int, unsigned long *)()
1634 return JS_FALSE;
1635
1636 js_system_private_t* sys;
1637 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
1638 return JS_FALSE;
1639
>>> CID 639930: Error handling issues (CHECKED_RETURN) >>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1640 JS_ValueToInt32(cx, argv[0], &node);
1641 if (node < 1)
1642 node = 1;
1643
1644 if ((js_msg = JS_ValueToString(cx, argv[1])) == NULL)
1645 return JS_FALSE;

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_693ec0347df67_815e22c07a52839ac105f0--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

Sysop:	Mysteria
Location:	Fremont, CA
Users:	14
Nodes:	10 (0 / 10)
Uptime:	36:57:45
Calls:	83
Calls today:	83
Messages:	17,107
Posted today:	4

New Defects reported by Coverity Scan for Synchronet

Who's Online

Recent Visitors

System Info