zephyrproject-rtos / zephyr

Primary Git Repository for the Zephyr Project. Zephyr is a new generation, scalable, optimized, secure RTOS for multiple hardware architectures.
https://docs.zephyrproject.org
Apache License 2.0

[Coverity CID: 392530] Unintentional integer overflow in subsys/net/lib/ptp/port.c #74806

Open zephyrbot opened 5 months ago

zephyrbot commented 5 months ago

Static code scan issues found in file:

https://github.com/zephyrproject-rtos/zephyr/tree/dcf42917c550714d2457947538b9e29d083e872e/subsys/net/lib/ptp/port.c#L91

Category: Integer handling issues
Function: port_timer_set_timeout
Component: Networking
CID: 392530

Details:

https://github.com/zephyrproject-rtos/zephyr/blob/dcf42917c550714d2457947538b9e29d083e872e/subsys/net/lib/ptp/port.c

86       return ptp_transport_send(port, msg, idx);
87     }
88    
89     static void port_timer_set_timeout(struct k_timer *timer, uint8_t factor, int8_t log_seconds)
90     {
91       uint64_t timeout = log_seconds < 0 ? (NSEC_PER_SEC * factor) >> (log_seconds * -1) :
>>>     CID 392530:    (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "1000000000U * factor" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
92                                            (NSEC_PER_SEC * factor) << log_seconds;
93    
94       k_timer_start(timer, K_NSEC(timeout), K_NO_WAIT);
95     }
96    
97     static void port_timer_set_timeout_random(struct k_timer *timer,

For more information about the violation, check the Coverity Reference. (CWE-190)

Please fix or provide comments in coverity using the link:

https://scan9.scan.coverity.com/#/project-view/29271/12996?selectedIssue=392530

Note: This issue was created automatically. Priority was set based on classification of the file affected and the impact field in coverity. Assignees were set using the MAINTAINERS file.

zephyrbot commented 1 week ago

This coverity CID still appears as an outstanding issue. Please make sure any fixes correctly address the problem or triage the issue correctly in coverity on https://scan.coverity.com/.

carlescufi commented 14 hours ago

@awojasinski please take another look at Coverity; it still complains after your fix.