• New Defects reported by Coverity Scan for Synchronet

    From [email protected]@VERT to All on Sun Apr 19 12:52:21 2026
    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    3 new defect(s) introduced to Synchronet found with Coverity Scan.
    3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

    New defect(s) Reported-by: Coverity Scan
    Showing 3 of 3 defect(s)


    ** CID 645706: Error handling issues (NEGATIVE_RETURNS) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 635 in cterm_cterm_handle_font_dcs()


    _____________________________________________________________________________________________
    *** CID 645706: Error handling issues (NEGATIVE_RETURNS) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 635 in cterm_cterm_handle_font_dcs()
    629 return;
    630 if (cterm->font_slot > 255)
    631 return;
    632 if (p && *p == ':') {
    633 p++;
    634 i = b64_decode(cterm->fontbuf, sizeof(cterm->fontbuf), p, 0);
    CID 645706: Error handling issues (NEGATIVE_RETURNS)
    "i" is passed to a parameter that cannot be negative.
    635 p2 = malloc(i);
    636 if (p2) {
    637 memcpy(p2, cterm->fontbuf, i);
    638 replace_font(cterm->font_slot,
    639 strdup("Remote Defined Font"), p2, i);
    640 }

    ** CID 645705: Memory - corruptions (OVERRUN) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 637 in cterm_cterm_handle_font_dcs()


    _____________________________________________________________________________________________
    *** CID 645705: Memory - corruptions (OVERRUN) /tmp/sbbs-Apr-19-2026/src/conio/cterm_cterm.c: 637 in cterm_cterm_handle_font_dcs()
    631 return;
    632 if (p && *p == ':') {
    633 p++;
    634 i = b64_decode(cterm->fontbuf, sizeof(cterm->fontbuf), p, 0);
    635 p2 = malloc(i);
    636 if (p2) {
    CID 645705: Memory - corruptions (OVERRUN)
    Calling "memcpy" with "p2" and "i" is suspicious because of the very large index, 18446744073709551615. The index may be due to a negative parameter being interpreted as unsigned.
    637 memcpy(p2, cterm->fontbuf, i);
    638 replace_font(cterm->font_slot,
    639 strdup("Remote Defined Font"), p2, i);
    640 }
    641 }
    642 }

    ** CID 645704: (STRING_OVERFLOW) /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2139 in cterm_dec_dcs_finish()
    /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2135 in cterm_dec_dcs_finish()


    _____________________________________________________________________________________________
    *** CID 645704: (STRING_OVERFLOW) /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2139 in cterm_dec_dcs_finish()
    2133 if (cterm->fg_tc_str) {
    2134 strcat(tmp, ";");
    2135 strcat(tmp, cterm->fg_tc_str);
    2136 }
    2137 if (cterm->bg_tc_str) {
    2138 strcat(tmp, ";");
    CID 645704: (STRING_OVERFLOW)
    You might overrun the 3072-character fixed-size string "tmp" by copying "cterm->bg_tc_str" without checking the length.
    2139 strcat(tmp, cterm->bg_tc_str);
    2140 }
    2141 strcat(tmp, "m\x1b\\");
    2142 cterm_respond(cterm, tmp, strlen(tmp));
    2143 }
    2144 else {
    /tmp/sbbs-Apr-19-2026/src/conio/cterm_dec.c: 2135 in cterm_dec_dcs_finish()
    2129 case 6: strcat(tmp, ";43"); break;
    2130 case 7: strcat(tmp, ";47"); break;
    2131 }
    2132 }
    2133 if (cterm->fg_tc_str) {
    2134 strcat(tmp, ";");
    CID 645704: (STRING_OVERFLOW)
    You might overrun the 3072-character fixed-size string "tmp" by copying "cterm->fg_tc_str" without checking the length.
    2135 strcat(tmp, cterm->fg_tc_str);
    2136 }
    2137 if (cterm->bg_tc_str) {
    2138 strcat(tmp, ";");
    2139 strcat(tmp, cterm->bg_tc_str);
    2140 }


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



    ---
    * Synchronet * Vertrauen - Home of Synchronet - [vert/cvs/bbs].synchro.net
  • From [email protected]@VERT to All on Tue Apr 21 12:52:54 2026
    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    6 new defect(s) introduced to Synchronet found with Coverity Scan.
    2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

    New defect(s) Reported-by: Coverity Scan
    Showing 6 of 6 defect(s)


    ** CID 645741: Data race undermines locking (LOCK_EVASION) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2092 in xp_audio_play()


    _____________________________________________________________________________________________
    *** CID 645741: Data race undermines locking (LOCK_EVASION) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2092 in xp_audio_play()
    2086 if (!newring) {
    2087 assert_pthread_mutex_unlock(&s->mutex);
    2088 xp_audio_close(h);
    2089 return -1;
    2090 }
    2091 s->ring = newring;
    CID 645741: Data race undermines locking (LOCK_EVASION)
    Thread1 sets "ring_frames" to a new value. Now the two threads have an inconsistent view of "ring_frames" and updates to fields correlated with "ring_frames" may be lost.
    2092 s->ring_frames = nframes;
    2093 assert_pthread_mutex_unlock(&s->mutex);
    2094 }
    2095 if (loop) {
    2096 assert_pthread_mutex_lock(&s->mutex);
    2097 s->loop = true;

    ** CID 645740: Null pointer dereferences (NULL_RETURNS) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play()


    _____________________________________________________________________________________________
    *** CID 645740: Null pointer dereferences (NULL_RETURNS) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play()
    2076
    2077 if (h < 0)
    2078 return -1;
    2079 s = stream_from_handle(h);
    2080 /* Resize ring to fit exactly if larger than default. Loop mode requires
    2081 * the ring to hold the full sample (read wraps to write_pos). */
    CID 645740: Null pointer dereferences (NULL_RETURNS)
    Dereferencing "s", which is known to be "NULL".
    2082 if (nframes > s->ring_frames) {
    2083 int16_t *newring;
    2084 assert_pthread_mutex_lock(&s->mutex);
    2085 newring = realloc(s->ring, nframes * S_CHANNELS * sizeof(int16_t));
    2086 if (!newring) {
    2087 assert_pthread_mutex_unlock(&s->mutex);

    ** CID 645739: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open()


    _____________________________________________________________________________________________
    *** CID 645739: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open()
    1856
    1857 assert_pthread_mutex_lock(&mixer_lock);
    1858 /* Reap any done+auto_close streams first to free slots. Safe under
    1859 * mixer_lock no mixer pull is in progress. */
    1860 for (i = 0; i < XP_AUDIO_MAX_STREAMS; i++) {
    1861 struct xp_audio_stream *r = mixer_streams[i];
    CID 645739: Concurrent data access violations (MISSING_LOCK)
    Accessing "r->done" without holding lock "xp_audio_stream.mutex". Elsewhere, "xp_audio_stream.done" is written to with "xp_audio_stream.mutex" held 4 out of 4 times (1 of these accesses strongly imply that it is necessary).
    1862 if (r && r->auto_close && r->done) {
    1863 mixer_streams[i] = NULL;
    1864 free_stream_locked(r);
    1865 }
    1866 }
    1867 for (i = 0; i < XP_AUDIO_MAX_STREAMS; i++) {

    ** CID 645738: Uninitialized variables (UNINIT)


    _____________________________________________________________________________________________
    *** CID 645738: Uninitialized variables (UNINIT) /tmp/sbbs-Apr-21-2026/src/conio/cterm_cterm.c: 1125 in play_music()
    1119 if (buf) {
    1120 if (note_frames > 0)
    1121 xptone_makewave(freq, buf, note_frames, WAVE_SHAPE_SINE_SAW_HARM);
    1122 if (pause_frames > 0)
    1123 memset(buf + (size_t)note_frames * XPBEEP_CHANNELS, 0,
    1124 (size_t)pause_frames * XPBEEP_FRAMESIZE);
    CID 645738: Uninitialized variables (UNINIT)
    Using uninitialized value "*buf" when calling "xp_audio_append".
    1125 xp_audio_append(cterm->music_stream, buf, total_frames);
    1126 free(buf);
    1127 if (cterm->musicfore) {
    1128 xp_audio_wait(cterm->music_stream);
    1129 had_foreground = 1;
    1130 }

    ** CID 645737: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play()


    _____________________________________________________________________________________________
    *** CID 645737: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 2082 in xp_audio_play()
    2076
    2077 if (h < 0)
    2078 return -1;
    2079 s = stream_from_handle(h);
    2080 /* Resize ring to fit exactly if larger than default. Loop mode requires
    2081 * the ring to hold the full sample (read wraps to write_pos). */
    CID 645737: Concurrent data access violations (MISSING_LOCK)
    Accessing "s->ring_frames" without holding lock "xp_audio_stream.mutex". Elsewhere, "xp_audio_stream.ring_frames" is written to with "xp_audio_stream.mutex" held 1 out of 1 times.
    2082 if (nframes > s->ring_frames) {
    2083 int16_t *newring;
    2084 assert_pthread_mutex_lock(&s->mutex);
    2085 newring = realloc(s->ring, nframes * S_CHANNELS * sizeof(int16_t));
    2086 if (!newring) {
    2087 assert_pthread_mutex_unlock(&s->mutex);

    ** CID 645736: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open()


    _____________________________________________________________________________________________
    *** CID 645736: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-21-2026/src/xpdev/xpbeep.c: 1862 in xp_audio_open()
    1856
    1857 assert_pthread_mutex_lock(&mixer_lock);
    1858 /* Reap any done+auto_close streams first to free slots. Safe under
    1859 * mixer_lock no mixer pull is in progress. */
    1860 for (i = 0; i < XP_AUDIO_MAX_STREAMS; i++) {
    1861 struct xp_audio_stream *r = mixer_streams[i];
    CID 645736: Concurrent data access violations (MISSING_LOCK)
    Accessing "r->auto_close" without holding lock "xp_audio_stream.mutex". Elsewhere, "xp_audio_stream.auto_close" is written to with "xp_audio_stream.mutex" held 1 out of 1 times (1 of these accesses strongly imply that it is necessary).
    1862 if (r && r->auto_close && r->done) {
    1863 mixer_streams[i] = NULL;
    1864 free_stream_locked(r);
    1865 }
    1866 }
    1867 for (i = 0; i < XP_AUDIO_MAX_STREAMS; i++) {


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



    ---
    * Synchronet * Vertrauen - Home of Synchronet - [vert/cvs/bbs].synchro.net
  • From [email protected]@VERT to All on Wed Apr 22 13:18:50 2026
    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    1 new defect(s) introduced to Synchronet found with Coverity Scan.
    4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

    New defect(s) Reported-by: Coverity Scan
    Showing 1 of 1 defect(s)


    ** CID 645757: Control flow issues (DEADCODE) /tmp/sbbs-Apr-22-2026/src/conio/cterm_cterm.c: 1228 in cterm_play_fx_tone()


    _____________________________________________________________________________________________
    *** CID 645757: Control flow issues (DEADCODE) /tmp/sbbs-Apr-22-2026/src/conio/cterm_cterm.c: 1228 in cterm_play_fx_tone()
    1222 if (!cterm || duration_ms == 0)
    1223 return false;
    1224 if (!cterm_fx_ensure_open(cterm))
    1225 return false;
    1226 nframes = (size_t)XPBEEP_SAMPLE_RATE * duration_ms / 1000;
    1227 if (nframes == 0)
    CID 645757: Control flow issues (DEADCODE)
    Execution cannot reach this statement: "return true;".
    1228 return true;
    1229 buf = (int16_t *)malloc(nframes * XPBEEP_FRAMESIZE);
    1230 if (!buf)
    1231 return false;
    1232 xptone_makewave(freq, buf, (int)nframes, shape);
    1233 return xp_audio_append(cterm->fx_stream, buf, nframes, NULL);


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



    ---
    * Synchronet * Vertrauen - Home of Synchronet - [vert/cvs/bbs].synchro.net
  • From [email protected]@VERT to All on Sat Apr 25 12:52:12 2026
    Hi,

    Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

    15 new defect(s) introduced to Synchronet found with Coverity Scan.


    New defect(s) Reported-by: Coverity Scan
    Showing 15 of 15 defect(s)


    ** CID 645808: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645808: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 424 in s_id_str_str()
    418 {
    419 bool ret;
    420 sftp_str_t str1;
    421 sftp_str_t str2;
    422
    423 state->priv->id = get32(state->priv->rxp);
    CID 645808: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
    424 str1 = getcstring(state);
    425 if (str1 == NULL) {
    426 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    427 "id_str_str: first getcstring failed");
    428 return false;
    429 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 424 in s_id_str_str()
    418 {
    419 bool ret;
    420 sftp_str_t str1;
    421 sftp_str_t str2;
    422
    423 state->priv->id = get32(state->priv->rxp);
    CID 645808: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
    424 str1 = getcstring(state);
    425 if (str1 == NULL) {
    426 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    427 "id_str_str: first getcstring failed");
    428 return false;
    429 }

    ** CID 645807: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645807: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 727 in sftps_recv()
    721 }
    722 if (!handled) {
    723 lprintf(state, SSH_FX_FAILURE, "Unhandled request type: %s (%d)",
    724 sftp_get_type_name(state->priv->rxp->type),
    725 state->priv->rxp->type);
    726 state->priv->id = get32(state->priv->rxp);
    CID 645807: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "sftps_send_error", which uses it as an allocation size.
    727 if (!sftps_send_error(state, SSH_FX_OP_UNSUPPORTED,
    728 "Operation not implemented", out))
    729 return server_exit(state, false);
    730 }
    731 remove_packet(state->priv->rxp);
    732 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 706 in sftps_recv()
    700 handled = true;
    701 }
    702 break;
    703 case SSH_FXP_EXTENDED:
    704 if (state->version >= 3 && state->extended) {
    705 state->priv->id = get32(state->priv->rxp);
    CID 645807: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
    706 sftp_str_t request = getcstring(state);
    707 if (request == NULL) {
    708 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    709 "EXTENDED: request getcstring failed");
    710 return server_exit(state, false);
    711 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 727 in sftps_recv()
    721 }
    722 if (!handled) {
    723 lprintf(state, SSH_FX_FAILURE, "Unhandled request type: %s (%d)",
    724 sftp_get_type_name(state->priv->rxp->type),
    725 state->priv->rxp->type);
    726 state->priv->id = get32(state->priv->rxp);
    CID 645807: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "sftps_send_error", which uses it as an offset.
    727 if (!sftps_send_error(state, SSH_FX_OP_UNSUPPORTED,
    728 "Operation not implemented", out))
    729 return server_exit(state, false);
    730 }
    731 remove_packet(state->priv->rxp);
    732 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 706 in sftps_recv()
    700 handled = true;
    701 }
    702 break;
    703 case SSH_FXP_EXTENDED:
    704 if (state->version >= 3 && state->extended) {
    705 state->priv->id = get32(state->priv->rxp);
    CID 645807: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
    706 sftp_str_t request = getcstring(state);
    707 if (request == NULL) {
    708 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    709 "EXTENDED: request getcstring failed");
    710 return server_exit(state, false);
    711 }

    ** CID 645806: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645806: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 361 in s_id_str_attr()
    355 {
    356 bool ret;
    357 sftp_str_t str;
    358 sftp_file_attr_t attrs;
    359
    360 state->priv->id = get32(state->priv->rxp);
    CID 645806: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
    361 str = getcstring(state);
    362 if (str == NULL) {
    363 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    364 "id_str_attr: getcstring failed");
    365 return false;
    366 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 361 in s_id_str_attr()
    355 {
    356 bool ret;
    357 sftp_str_t str;
    358 sftp_file_attr_t attrs;
    359
    360 state->priv->id = get32(state->priv->rxp);
    CID 645806: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
    361 str = getcstring(state);
    362 if (str == NULL) {
    363 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    364 "id_str_attr: getcstring failed");
    365 return false;
    366 }

    ** CID 645805: Insecure data handling (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645805: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 261 in getstring()
    255 uint32_t sz = get32(pkt);
    256 /* Does `sz` bytes fit in the remaining allocation past cur? */
    257 if ((size_t)pkt->cur + offsetof(struct sftp_rx_pkt, data) + sz > pkt->sz) {
    258 pkt->cur = saved_cur;
    259 return NULL;
    260 }
    CID 645805: Insecure data handling (TAINTED_SCALAR)
    Passing tainted expression "sz" to "sftp_memdup", which uses it as an allocation size.
    261 sftp_str_t ret = sftp_memdup(&pkt->data[pkt->cur], sz);
    262 if (ret == NULL)
    263 pkt->cur = saved_cur;
    264 else
    265 pkt->cur += sz;
    266 return ret;

    ** CID 645804: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645804: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 142 in s_open()
    136 bool ret;
    137 sftp_str_t fname;
    138 uint32_t flags;
    139 sftp_file_attr_t attrs;
    140
    141 state->priv->id = get32(state->priv->rxp);
    CID 645804: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
    142 fname = getcstring(state);
    143 if (fname == NULL) {
    144 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    145 "OPEN: filename getcstring failed");
    146 return false;
    147 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 142 in s_open()
    136 bool ret;
    137 sftp_str_t fname;
    138 uint32_t flags;
    139 sftp_file_attr_t attrs;
    140
    141 state->priv->id = get32(state->priv->rxp);
    CID 645804: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
    142 fname = getcstring(state);
    143 if (fname == NULL) {
    144 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    145 "OPEN: filename getcstring failed");
    146 return false;
    147 }

    ** CID 645803: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 211 in extract_packet() /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 217 in extract_packet()


    _____________________________________________________________________________________________
    *** CID 645803: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 211 in extract_packet()
    205 extract_packet(sftp_rx_pkt_t stream)
    206 {
    207 if (!stream || !have_full_pkt(stream))
    208 return NULL;
    209 uint32_t sz = pkt_sz(stream);
    210 size_t alloc_sz = offsetof(struct sftp_rx_pkt, len) + sizeof(uint32_t) + sz;
    CID 645803: (TAINTED_SCALAR)
    Passing tainted expression "alloc_sz" to "malloc", which uses it as an allocation size.
    211 sftp_rx_pkt_t out = (sftp_rx_pkt_t)malloc(alloc_sz);
    212 if (out == NULL)
    213 return NULL;
    214 out->cur = 0;
    215 out->sz = alloc_sz;
    216 out->used = sizeof(uint32_t) + sz;
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_pkt.c: 217 in extract_packet()
    211 sftp_rx_pkt_t out = (sftp_rx_pkt_t)malloc(alloc_sz);
    212 if (out == NULL)
    213 return NULL;
    214 out->cur = 0;
    215 out->sz = alloc_sz;
    216 out->used = sizeof(uint32_t) + sz;
    CID 645803: (TAINTED_SCALAR)
    Passing tainted expression "out->used" to "memcpy", which uses it as an offset.
    217 memcpy(&out->len, &stream->len, out->used);
    218 remove_packet(stream);
    219 return out;
    220 }
    221
    222 #define GET_FUNC_BODY \

    ** CID 645802: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 85 in getcstring()


    _____________________________________________________________________________________________
    *** CID 645802: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 85 in getcstring()
    79 static sftp_str_t
    80 getcstring(sftps_state_t state)
    81 {
    82 sftp_str_t str = getstring(state->priv->rxp);
    83 if (str == NULL)
    84 return NULL;
    CID 645802: Insecure data handling (TAINTED_SCALAR)
    Passing tainted expression "str->len" to "memchr", which uses it as an offset.
    85 if (memchr(str->c_str, 0, str->len) != NULL) {
    86 free_sftp_str(str);
    87 return NULL;
    88 }
    89 return str;
    90 }

    ** CID 645801: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 103 in init()


    _____________________________________________________________________________________________
    *** CID 645801: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 103 in init()
    97 state->version = SFTP_VERSION;
    98 /* Intersect client's advertised extensions with the ones we support.
    99 * The result is what we enable for this session AND what we echo
    100 * back to the client in VERSION. */
    101 state->extensions = 0;
    102 uint32_t payload_len = pkt_sz(state->priv->rxp) - 1;
    CID 645801: Insecure data handling (TAINTED_SCALAR)
    Using tainted variable "payload_len" as a loop boundary.
    103 while (state->priv->rxp->cur + sizeof(uint32_t) <= payload_len) {
    104 sftp_str_t ext_name = getstring(state->priv->rxp);
    105 sftp_str_t ext_data = getstring(state->priv->rxp);
    106 if (ext_name == NULL || ext_data == NULL) {
    107 free_sftp_str(ext_name);
    108 free_sftp_str(ext_data);

    ** CID 645800: (TAINTED_SCALAR)
    /sftp.cpp: 2184 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
    /sftp.cpp: 2190 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()


    _____________________________________________________________________________________________
    *** CID 645800: (TAINTED_SCALAR)
    /sftp.cpp: 2184 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
    2178 if (request->len == nlen &&
    2179 memcmp(request->c_str, SFTP_EXT_NAME_DESCS, nlen) == 0) {
    2180 sftp_str_t path = sftp_rx_get_string(pkt);
    2181 if (path == nullptr)
    2182 return sftps_send_error(sbbs->sftp_state,
    2183 SSH_FX_BAD_MESSAGE, "Missing path", nullptr);
    CID 645800: (TAINTED_SCALAR)
    Passing tainted expression "path->len + 1U" to "malloc", which uses it as an allocation size.
    2184 char *cpath = (char *)malloc(path->len + 1);
    2185 if (cpath == nullptr) {
    2186 free_sftp_str(path);
    2187 return sftps_send_error(sbbs->sftp_state,
    2188 SSH_FX_FAILURE, "Out of memory", nullptr);
    2189 }
    /sftp.cpp: 2190 in sftp_extended(sftp_string *, sftp_rx_pkt *, void *)()
    2184 char *cpath = (char *)malloc(path->len + 1);
    2185 if (cpath == nullptr) {
    2186 free_sftp_str(path);
    2187 return sftps_send_error(sbbs->sftp_state,
    2188 SSH_FX_FAILURE, "Out of memory", nullptr);
    2189 }
    CID 645800: (TAINTED_SCALAR)
    Passing tainted expression "path->len" to "memcpy", which uses it as an offset.
    2190 memcpy(cpath, path->c_str, path->len);
    2191 cpath[path->len] = '\0';
    2192 free_sftp_str(path);
    2193 sbbs->lprintf(LOG_DEBUG, "SFTP descs(%s)", cpath);
    2194 bool ret = sftp_ext_descs(sbbs, cpath);
    2195 free(cpath);

    ** CID 645799: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645799: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 315 in s_id_str()
    309 struct sftps_outcome *out)
    310 {
    311 bool ret;
    312 sftp_str_t str;
    313
    314 state->priv->id = get32(state->priv->rxp);
    CID 645799: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an allocation size.
    315 str = getcstring(state);
    316 if (str == NULL) {
    317 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    318 "id_str: getcstring failed");
    319 return false;
    320 }
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 315 in s_id_str()
    309 struct sftps_outcome *out)
    310 {
    311 bool ret;
    312 sftp_str_t str;
    313
    314 state->priv->id = get32(state->priv->rxp);
    CID 645799: (TAINTED_SCALAR)
    Passing tainted expression "state->priv" to "getcstring", which uses it as an offset.
    315 str = getcstring(state);
    316 if (str == NULL) {
    317 sftps_outcome_record(out, SFTP_ERR_REPLY_BAD_STRING,
    318 "id_str: getcstring failed");
    319 return false;
    320 }

    ** CID 645798: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 69 in server_exit()


    _____________________________________________________________________________________________
    *** CID 645798: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 69 in server_exit()
    63 }
    64
    65 static bool
    66 server_exit(sftps_state_t state, bool retval)
    67 {
    68 assert(state->priv->running > 0);
    CID 645798: Concurrent data access violations (MISSING_LOCK)
    Accessing "state->priv->running" without holding lock "sftp_server_state_private.mtx". Elsewhere, "sftp_server_state_private.running" is written to with "sftp_server_state_private.mtx" held 1 out of 2 times (1 of these accesses strongly imply that it is necessary).
    69 state->priv->running--;
    70 pthread_mutex_unlock(&state->priv->mtx);
    71 return retval;
    72 }
    73
    74 /*

    ** CID 645797: Insecure data handling (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645797: Insecure data handling (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 190 in parse_status()
    184 if (reply->type != SSH_FXP_STATUS)
    185 return false;
    186 uint32_t code = get32(reply);
    187 if (out != NULL)
    188 out->result = code;
    189 sftp_str_t msg = getstring(reply);
    CID 645797: Insecure data handling (TAINTED_SCALAR)
    Passing tainted expression "reply->cur" to "getstring", which uses it as an offset.
    190 sftp_str_t lang = getstring(reply);
    191 if (msg != NULL && msg->len > 0) {
    192 sftpc_outcome_reply(out,
    193 (const char *)msg->c_str, msg->len,
    194 lang ? (const char *)lang->c_str : "",
    195 lang ? lang->len : 0);

    ** CID 645796: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 102 in init()


    _____________________________________________________________________________________________
    *** CID 645796: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_server.c: 102 in init()
    96 if (state->version > SFTP_VERSION)
    97 state->version = SFTP_VERSION;
    98 /* Intersect client's advertised extensions with the ones we support.
    99 * The result is what we enable for this session AND what we echo
    100 * back to the client in VERSION. */
    101 state->extensions = 0;
    CID 645796: Integer handling issues (INTEGER_OVERFLOW)
    Expression "pkt_sz(state->priv->rxp) - 1U", where "pkt_sz(state->priv->rxp)" is known to be equal to 0, underflows the type of "pkt_sz(state->priv->rxp) - 1U", which is type "unsigned int".
    102 uint32_t payload_len = pkt_sz(state->priv->rxp) - 1;
    103 while (state->priv->rxp->cur + sizeof(uint32_t) <= payload_len) {
    104 sftp_str_t ext_name = getstring(state->priv->rxp);
    105 sftp_str_t ext_data = getstring(state->priv->rxp);
    106 if (ext_name == NULL || ext_data == NULL) {
    107 free_sftp_str(ext_name);

    ** CID 645795: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 87 in client_exit()


    _____________________________________________________________________________________________
    *** CID 645795: Concurrent data access violations (MISSING_LOCK) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_client.c: 87 in client_exit()
    81 }
    82
    83 static bool
    84 client_exit(sftpc_state_t state, bool retval)
    85 {
    86 assert(state->running > 0);
    CID 645795: Concurrent data access violations (MISSING_LOCK)
    Accessing "state->running" without holding lock "sftp_client_state.mtx". Elsewhere, "sftp_client_state.running" is written to with "sftp_client_state.mtx" held 1 out of 2 times (1 of these accesses strongly imply that it is necessary).
    87 state->running--;
    88 pthread_mutex_unlock(&state->mtx);
    89 return retval;
    90 }
    91
    92 /* Pending-list helpers; state->mtx must be held. */

    ** CID 645794: (TAINTED_SCALAR)


    _____________________________________________________________________________________________
    *** CID 645794: (TAINTED_SCALAR) /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 338 in getfattr()
    332 */
    333 extcnt &= 0x3FFFFFFF;
    334 for (ext = 0; ext < extcnt; ext++) {
    335 sftp_str_t type = getstring(pkt);
    336 if (type == NULL)
    337 break;
    CID 645794: (TAINTED_SCALAR)
    Passing tainted expression "pkt->cur" to "getstring", which uses it as an offset.
    338 sftp_str_t data = getstring(pkt);
    339 if (data == NULL) {
    340 free_sftp_str(type);
    341 break;
    342 }
    343 if (!sftp_fattr_add_ext(&ret, type, data)) {
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 335 in getfattr()
    329 * size of the buffer since getstring()
    330 * will fail long before we reach extcnt if
    331 * it has a maliciously high value.
    332 */
    333 extcnt &= 0x3FFFFFFF;
    334 for (ext = 0; ext < extcnt; ext++) {
    CID 645794: (TAINTED_SCALAR)
    Passing tainted expression "pkt->cur" to "getstring", which uses it as an offset.
    335 sftp_str_t type = getstring(pkt);
    336 if (type == NULL)
    337 break;
    338 sftp_str_t data = getstring(pkt);
    339 if (data == NULL) {
    340 free_sftp_str(type);
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 343 in getfattr()
    337 break;
    338 sftp_str_t data = getstring(pkt);
    339 if (data == NULL) {
    340 free_sftp_str(type);
    341 break;
    342 }
    CID 645794: (TAINTED_SCALAR)
    Passing tainted expression "type->len" to "sftp_fattr_add_ext", which uses it as an allocation size.
    343 if (!sftp_fattr_add_ext(&ret, type, data)) {
    344 free_sftp_str(type);
    345 free_sftp_str(data);
    346 break;
    347 }
    348 free_sftp_str(type);
    /tmp/sbbs-Apr-25-2026/src/sftp/sftp_attr.c: 343 in getfattr()
    337 break;
    338 sftp_str_t data = getstring(pkt);
    339 if (data == NULL) {
    340 free_sftp_str(type);
    341 break;
    342 }
    CID 645794: (TAINTED_SCALAR)
    Passing tainted expression "data->len" to "sftp_fattr_add_ext", which uses it as an allocation size.
    343 if (!sftp_fattr_add_ext(&ret, type, data)) {
    344 free_sftp_str(type);
    345 free_sftp_str(data);
    346 break;
    347 }
    348 free_sftp_str(type);


    ________________________________________________________________________________________________________
    To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview



    ---
    * Synchronet * Vertrauen - Home of Synchronet - [vert/cvs/bbs].synchro.net