Forum: Jamaica Joe's

New Defects reported by Coverity Scan for Synchronet

From scan-admin@coverity.com@VERT to All on Sunday, July 06, 2025 12:47:03

----==_mimepart_686a7047ce71_192e802d9f7544199c8471c
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

2 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)

** CID 569480: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1781 in js_notify()

_____________________________________________________________________________________________
*** CID 569480: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1781 in js_notify()
1775 if (msg == NULL)
1776 return JS_TRUE;
1777 }
1778
1779 if (argc > 3 && !JSVAL_NULL_OR_VOID(argv[3])) {
1780 if ((js_str = JS_ValueToString(cx, argv[3])) == NULL) >>> CID 569480: Resource leaks (RESOURCE_LEAK)

Variable "msg" going out of scope leaks the storage it points to.

1781 return JS_FALSE;
1782
1783 JSSTRING_TO_MSTRING(cx, js_str, replyto, NULL);
1784 HANDLE_PENDING(cx, replyto);
1785 if (replyto == NULL)
1786 return JS_TRUE;

** CID 569479: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1793 in js_notify()

_____________________________________________________________________________________________
*** CID 569479: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1793 in js_notify()
1787 }
1788
1789 JSSTRING_TO_MSTRING(cx, js_subj, subj, NULL);
1790 HANDLE_PENDING(cx, subj);
1791 if (subj == NULL) {
1792 free(msg);

CID 569479: Resource leaks (RESOURCE_LEAK)
Variable "replyto" going out of scope leaks the storage it points to. 1793 return JS_TRUE;

1794 }
1795
1796 rc = JS_SUSPENDREQUEST(cx);
1797 ret = notify(sys->cfg, usernumber, subj, msg, replyto) == 0; 1798 free(subj);

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_686a7047ce71_192e802d9f7544199c8471c
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 2</li>
<li><strong>Defects Shown:</strong> Showing 2 of 2 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 569480: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1781 in js_notify()

_____________________________________________________________________________________________
*** CID 569480: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1781 in js_notify()
1775 if (msg == NULL)
1776 return JS_TRUE;
1777 }
1778
1779 if (argc > 3 && !JSVAL_NULL_OR_VOID(argv[3])) {
1780 if ((js_str = JS_ValueToString(cx, argv[3])) == NULL) >>> CID 569480: Resource leaks (RESOURCE_LEAK) >>> Variable "msg" going out of scope leaks the storage it points to.
1781 return JS_FALSE;
1782
1783 JSSTRING_TO_MSTRING(cx, js_str, replyto, NULL);
1784 HANDLE_PENDING(cx, replyto);
1785 if (replyto == NULL)
1786 return JS_TRUE;

** CID 569479: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1793 in js_notify()

_____________________________________________________________________________________________
*** CID 569479: Resource leaks (RESOURCE_LEAK)
/js_system.c: 1793 in js_notify()
1787 }
1788
1789 JSSTRING_TO_MSTRING(cx, js_subj, subj, NULL);
1790 HANDLE_PENDING(cx, subj);
1791 if (subj == NULL) {
1792 free(msg);
>>> CID 569479: Resource leaks (RESOURCE_LEAK) >>> Variable "replyto" going out of scope leaks the storage it points to.
1793 return JS_TRUE;
1794 }
1795
1796 rc = JS_SUSPENDREQUEST(cx);
1797 ret = notify(sys->cfg, usernumber, subj, msg, replyto) == 0; 1798 free(subj);

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_686a7047ce71_192e802d9f7544199c8471c--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Sunday, July 20, 2025 12:45:55

----==_mimepart_687ce502ba0a3_2748642bf92199999045dc
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

2 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)

** CID 582443: High impact quality (Y2K38_SAFETY)
/sexyz.c: 1356 in receive_files()

_____________________________________________________________________________________________
*** CID 582443: High impact quality (Y2K38_SAFETY)
/sexyz.c: 1356 in receive_files()
1350 if (!t)
1351 t = 1;
1352 if (zm.file_skipped)
1353 lprintf(LOG_WARNING, "File Skipped");
1354 else if (success)
1355 lprintf(LOG_INFO, "Successful - Time: %s CPS: %lu"

CID 582443: High impact quality (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".

1356 , seconds_to_str((uint)t, tmp), (ulong)(file_bytes / t));
1357 else
1358 lprintf(LOG_ERR, "File Transfer %s"
1359 , zm.local_abort ? "Aborted": zm.cancelled ? "Cancelled":"Failure");
1360
1361 if (!(mode & XMODEM) && ftime)

** CID 582442: (Y2K38_SAFETY)
/sexyz.c: 994 in send_files()
/sexyz.c: 1069 in send_files()

_____________________________________________________________________________________________
*** CID 582442: (Y2K38_SAFETY)
/sexyz.c: 994 in send_files()
988 xm.sent_files++;
989 xm.sent_bytes += fsize;
990 if (zm.file_skipped)
991 lprintf(LOG_WARNING, "File Skipped");
992 else
993 lprintf(LOG_INFO, "Successful - Time: %s CPS: %u"

CID 582442: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".

994 , seconds_to_str((uint)t, tmp)
995 , cps);
996
997 if (xm.total_files - xm.sent_files)
998 lprintf(LOG_INFO, "Remaining - Time: %s Files: %lu KBytes: %" PRId64
999 , seconds_to_str((uint)((xm.total_bytes - xm.sent_bytes) / cps), tmp)
/sexyz.c: 1069 in send_files()
1063 }
1064 if (xm.total_files > 1) {
1065 t = time(NULL) - startall;
1066 if (!t)
1067 t = 1;
1068 lprintf(LOG_INFO, "Overall - Time %s KBytes: %" PRId64 " CPS: %lu"

CID 582442: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".

1069 , seconds_to_str((uint)t, tmp)
1070 , total_bytes / 1024, total_bytes / t); 1071 }
1072 return 0; /* success */
1073 }
1074

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_687ce502ba0a3_2748642bf92199999045dc
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 2</li>
<li><strong>Defects Shown:</strong> Showing 2 of 2 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 582443: High impact quality (Y2K38_SAFETY)
/sexyz.c: 1356 in receive_files()

_____________________________________________________________________________________________
*** CID 582443: High impact quality (Y2K38_SAFETY)
/sexyz.c: 1356 in receive_files()
1350 if (!t)
1351 t = 1;
1352 if (zm.file_skipped)
1353 lprintf(LOG_WARNING, "File Skipped"); 1354 else if (success)
1355 lprintf(LOG_INFO, "Successful - Time: %s CPS: %lu"
>>> CID 582443: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".
1356 , seconds_to_str((uint)t, tmp), (ulong)(file_bytes / t));
1357 else
1358 lprintf(LOG_ERR, "File Transfer %s" 1359 , zm.local_abort ? "Aborted": zm.cancelled ? "Cancelled":"Failure");
1360
1361 if (!(mode & XMODEM) && ftime)

** CID 582442: (Y2K38_SAFETY)
/sexyz.c: 994 in send_files()
/sexyz.c: 1069 in send_files()

_____________________________________________________________________________________________
*** CID 582442: (Y2K38_SAFETY)
/sexyz.c: 994 in send_files()
988 xm.sent_files++;
989 xm.sent_bytes += fsize;
990 if (zm.file_skipped)
991 lprintf(LOG_WARNING, "File Skipped");
992 else
993 lprintf(LOG_INFO, "Successful - Time: %s CPS: %u"
>>> CID 582442: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".
994 , seconds_to_str((uint)t, tmp)
995 , cps);
996
997 if (xm.total_files - xm.sent_files)
998 lprintf(LOG_INFO, "Remaining - Time: %s Files: %lu KBytes: %" PRId64
999 , seconds_to_str((uint)((xm.total_bytes - xm.sent_bytes) / cps), tmp)
/sexyz.c: 1069 in send_files()
1063 }
1064 if (xm.total_files > 1) {
1065 t = time(NULL) - startall;
1066 if (!t)
1067 t = 1;
1068 lprintf(LOG_INFO, "Overall - Time %s KBytes: %" PRId64 " CPS: %lu"
>>> CID 582442: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "t" is cast to "uint".
1069 , seconds_to_str((uint)t, tmp)
1070 , total_bytes / 1024, total_bytes / t); 1071 }
1072 return 0; /* success */
1073 }
1074

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_687ce502ba0a3_2748642bf92199999045dc--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Sunday, August 10, 2025 14:15:47

----==_mimepart_6898a9938c063_f22012b538a7b399c12567
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 583942: High impact quality (Y2K38_SAFETY)
/userdat.c: 3171 in loginuserdat()

_____________________________________________________________________________________________
*** CID 583942: High impact quality (Y2K38_SAFETY)
/userdat.c: 3171 in loginuserdat()
3165 if (protocol != NULL)
3166 SAFECOPY(user->connection, protocol);
3167 if (hostname != NULL)
3168 SAFECOPY(user->comp, hostname);
3169 if (ipaddr != NULL)
3170 SAFECOPY(user->ipaddr, ipaddr);

CID 583942: High impact quality (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "logontime" is cast to "time32_t".

3171 user->logontime = logontime;
3172
3173 return putuserdat(cfg, user);
3174 }
3175
3176 /****************************************************************************/

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_6898a9938c063_f22012b538a7b399c12567
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li>
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 583942: High impact quality (Y2K38_SAFETY)
/userdat.c: 3171 in loginuserdat()

_____________________________________________________________________________________________
*** CID 583942: High impact quality (Y2K38_SAFETY)
/userdat.c: 3171 in loginuserdat()
3165 if (protocol != NULL)
3166 SAFECOPY(user->connection, protocol);
3167 if (hostname != NULL)
3168 SAFECOPY(user->comp, hostname);
3169 if (ipaddr != NULL)
3170 SAFECOPY(user->ipaddr, ipaddr);
>>> CID 583942: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "logontime" is cast to "time32_t".
3171 user->logontime = logontime;
3172
3173 return putuserdat(cfg, user);
3174 }
3175
3176 /****************************************************************************/

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_6898a9938c063_f22012b538a7b399c12567--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Monday, August 11, 2025 13:57:59

----==_mimepart_6899f6e6bbda6_101b942b538a7b399c1257b
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 583999: (UNINIT)

_____________________________________________________________________________________________
*** CID 583999: (UNINIT)
/file.cpp: 182 in sbbs_t::removefcdt(smbmsg_t *)()
176 if (cfg.dir[f->dir]->misc & DIR_CDTUL)
177 cdt = ((ulong)(f->cost * (cfg.dir[f->dir]->up_pct / 100.0)) / cur_cps) / 60;
178 if (cfg.dir[f->dir]->misc & DIR_CDTDL
179 && f->hdr.times_downloaded) /* all downloads */ 180 cdt += ((ulong)((long)f->hdr.times_downloaded 181 * f->cost * (cfg.dir[f->dir]->dn_pct / 100.0)) / cur_cps) / 60;

CID 583999: (UNINIT)
Using uninitialized value "user.level" when calling "adjustuserval". 182 adjustuserval(&cfg, &user, USER_MIN, -cdt);

183 snprintf(str, sizeof str, "%lu minute", cdt);
184 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
185 , f->name, cdt ? str : text[No]);
186 putsmsg(user.number, tmp);
187 }
/file.cpp: 203 in sbbs_t::removefcdt(smbmsg_t *)()
197 bprintf(text[CreditsToRemove], f->from);
198 getstr(str, 10, K_NUMBER | K_LINE | K_EDIT | K_AUTODEL);
199 if (msgabort(true))
200 return false;
201 cdt = atol(str);
202 }

CID 583999: (UNINIT)
Using uninitialized value "user.level" when calling "adjustuserval". 203 adjustuserval(&cfg, &user, USER_CDT, -cdt);

204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
/file.cpp: 209 in sbbs_t::removefcdt(smbmsg_t *)()
203 adjustuserval(&cfg, &user, USER_CDT, -cdt);
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208

CID 583999: (UNINIT)
Using uninitialized value "user.level" when calling "adjustuserval". 209 adjustuserval(&cfg, &user, USER_ULB, -f->size);

210 adjustuserval(&cfg, &user, USER_ULS, -1);
211 return true;
212 }
213
214 /****************************************************************************/
/file.cpp: 210 in sbbs_t::removefcdt(smbmsg_t *)()
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
209 adjustuserval(&cfg, &user, USER_ULB, -f->size);

CID 583999: (UNINIT)
Using uninitialized value "user.level" when calling "adjustuserval". 210 adjustuserval(&cfg, &user, USER_ULS, -1);

211 return true;
212 }
213
214 /****************************************************************************/
215 /****************************************************************************/

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_6899f6e6bbda6_101b942b538a7b399c1257b
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 583999: (UNINIT)

_____________________________________________________________________________________________
*** CID 583999: (UNINIT)
/file.cpp: 182 in sbbs_t::removefcdt(smbmsg_t *)()
176 if (cfg.dir[f->dir]->misc & DIR_CDTUL)
177 cdt = ((ulong)(f->cost * (cfg.dir[f->dir]->up_pct / 100.0)) / cur_cps) / 60;
178 if (cfg.dir[f->dir]->misc & DIR_CDTDL
179 && f->hdr.times_downloaded) /* all downloads */
180 cdt += ((ulong)((long)f->hdr.times_downloaded
181 * f->cost * (cfg.dir[f->dir]->dn_pct / 100.0)) / cur_cps) / 60;
>>> CID 583999: (UNINIT)
>>> Using uninitialized value "user.level" when calling "adjustuserval".
182 adjustuserval(&cfg, &user, USER_MIN, -cdt);
183 snprintf(str, sizeof str, "%lu minute", cdt); 184 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
185 , f->name, cdt ? str : text[No]);
186 putsmsg(user.number, tmp);
187 }
/file.cpp: 203 in sbbs_t::removefcdt(smbmsg_t *)()
197 bprintf(text[CreditsToRemove], f->from);
198 getstr(str, 10, K_NUMBER | K_LINE | K_EDIT | K_AUTODEL);
199 if (msgabort(true))
200 return false;
201 cdt = atol(str);
202 }
>>> CID 583999: (UNINIT)
>>> Using uninitialized value "user.level" when calling "adjustuserval".
203 adjustuserval(&cfg, &user, USER_CDT, -cdt);
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
/file.cpp: 209 in sbbs_t::removefcdt(smbmsg_t *)()
203 adjustuserval(&cfg, &user, USER_CDT, -cdt);
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
>>> CID 583999: (UNINIT)
>>> Using uninitialized value "user.level" when calling "adjustuserval".
209 adjustuserval(&cfg, &user, USER_ULB, -f->size);
210 adjustuserval(&cfg, &user, USER_ULS, -1);
211 return true;
212 }
213
214 /****************************************************************************/
/file.cpp: 210 in sbbs_t::removefcdt(smbmsg_t *)()
204 snprintf(tmp, sizeof tmp, text[FileRemovedUserMsg]
205 , f->name, cdt > 0 ? ultoac(cdt, str) : text[No]);
206 putsmsg(user.number, tmp);
207 }
208
209 adjustuserval(&cfg, &user, USER_ULB, -f->size); >>> CID 583999: (UNINIT)
>>> Using uninitialized value "user.level" when calling "adjustuserval".
210 adjustuserval(&cfg, &user, USER_ULS, -1);
211 return true;
212 }
213
214 /****************************************************************************/
215 /****************************************************************************/

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_6899f6e6bbda6_101b942b538a7b399c1257b--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Monday, August 18, 2025 13:37:12

----==_mimepart_68a32c876d3fd_16fcff2e2b69fdf990236c2
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 584091: (Y2K38_SAFETY)
/logon.cpp: 631 in sbbs_t::logonstats()()
/logon.cpp: 642 in sbbs_t::logonstats()()
/logon.cpp: 638 in sbbs_t::logonstats()()

_____________________________________________________________________________________________
*** CID 584091: (Y2K38_SAFETY)
/logon.cpp: 631 in sbbs_t::logonstats()()
625 errormsg(WHERE, ERR_READ, "system stats");
626 return 0;
627 }
628
629 now = time(NULL);
630 if (stats.date > now + (24L * 60L * 60L)) /* More than a day in the future? */

CID 584091: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".

631 errormsg(WHERE, ERR_CHK, "Daily stats date/time stamp", (int)stats.date);
632
633 if (!dates_are_same(now, stats.date)) {
634
635 struct tm tm{};
636 struct tm update_tm{};
/logon.cpp: 642 in sbbs_t::logonstats()()
636 struct tm update_tm{};
637 if (localtime_r(&stats.date, &update_tm) == NULL) {
638 errormsg(WHERE, ERR_CHK, "Daily stats date/time break down", (int)stats.date);
639 return 0;
640 }
641 if (localtime_r(&now, &tm) == NULL) {

CID 584091: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".

642 errormsg(WHERE, ERR_CHK, "Current date/time break down", (int)stats.date);
643 return 0;
644 }
645
646 sys_status |= SS_NEW_DAY;
647 if (tm.tm_mon != update_tm.tm_mon)
/logon.cpp: 638 in sbbs_t::logonstats()()
632
633 if (!dates_are_same(now, stats.date)) {
634
635 struct tm tm{};
636 struct tm update_tm{};
637 if (localtime_r(&stats.date, &update_tm) == NULL) {

CID 584091: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".

638 errormsg(WHERE, ERR_CHK, "Daily stats date/time break down", (int)stats.date);
639 return 0;
640 }
641 if (localtime_r(&now, &tm) == NULL) {
642 errormsg(WHERE, ERR_CHK, "Current date/time break down", (int)stats.date);
643 return 0;

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68a32c876d3fd_16fcff2e2b69fdf990236c2
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 584091: (Y2K38_SAFETY)
/logon.cpp: 631 in sbbs_t::logonstats()()
/logon.cpp: 642 in sbbs_t::logonstats()()
/logon.cpp: 638 in sbbs_t::logonstats()()

_____________________________________________________________________________________________
*** CID 584091: (Y2K38_SAFETY)
/logon.cpp: 631 in sbbs_t::logonstats()()
625 errormsg(WHERE, ERR_READ, "system stats"); 626 return 0;
627 }
628
629 now = time(NULL);
630 if (stats.date > now + (24L * 60L * 60L)) /* More than a day in the future? */
>>> CID 584091: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".
631 errormsg(WHERE, ERR_CHK, "Daily stats date/time stamp", (int)stats.date);
632
633 if (!dates_are_same(now, stats.date)) {
634
635 struct tm tm{};
636 struct tm update_tm{};
/logon.cpp: 642 in sbbs_t::logonstats()()
636 struct tm update_tm{};
637 if (localtime_r(&stats.date, &update_tm) == NULL) {
638 errormsg(WHERE, ERR_CHK, "Daily stats date/time break down", (int)stats.date);
639 return 0;
640 }
641 if (localtime_r(&now, &tm) == NULL) { >>> CID 584091: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".
642 errormsg(WHERE, ERR_CHK, "Current date/time break down", (int)stats.date);
643 return 0;
644 }
645
646 sys_status |= SS_NEW_DAY;
647 if (tm.tm_mon != update_tm.tm_mon)
/logon.cpp: 638 in sbbs_t::logonstats()()
632
633 if (!dates_are_same(now, stats.date)) {
634
635 struct tm tm{};
636 struct tm update_tm{};
637 if (localtime_r(&stats.date, &update_tm) == NULL) {
>>> CID 584091: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "stats.date" is cast to "int".
638 errormsg(WHERE, ERR_CHK, "Daily stats date/time break down", (int)stats.date);
639 return 0;
640 }
641 if (localtime_r(&now, &tm) == NULL) {
642 errormsg(WHERE, ERR_CHK, "Current date/time break down", (int)stats.date);
643 return 0;

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68a32c876d3fd_16fcff2e2b69fdf990236c2--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Monday, September 01, 2025 03:04:51

----==_mimepart_68b50d534c480_2468dc2e83776d99ac35483
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 584833: Error handling issues (CHECKED_RETURN)

_____________________________________________________________________________________________
*** CID 584833: Error handling issues (CHECKED_RETURN)
/mailsrvr.c: 2877 in archive_mail()
2871 bool archive_mail(const char* fname, int usernumber, const char* subdir, const char* session_id)
2872 {
2873 char tmp[128];
2874 char path[MAX_PATH + 1];
2875
2876 snprintf(path, sizeof path, "%suser/%04u/%s/", scfg.data_dir, usernumber, subdir);

CID 584833: Error handling issues (CHECKED_RETURN)
Calling "mkpath(path)" without checking return value. It wraps a library function that may fail and return an error code.

2877 mkpath(path);
2878 SAFECAT(path, gmtime_to_isoDateTimeStr(time(NULL), tmp, sizeof tmp));
2879 SAFECAT(path, "-");
2880 SAFECAT(path, session_id);
2881 SAFECAT(path, ".eml");
2882 return CopyFile(fname, path, /* fail-if-exists: */true);

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68b50d534c480_2468dc2e83776d99ac35483
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 584833: Error handling issues (CHECKED_RETURN)

_____________________________________________________________________________________________
*** CID 584833: Error handling issues (CHECKED_RETURN)
/mailsrvr.c: 2877 in archive_mail()
2871 bool archive_mail(const char* fname, int usernumber, const char* subdir, const char* session_id)
2872 {
2873 char tmp[128];
2874 char path[MAX_PATH + 1];
2875
2876 snprintf(path, sizeof path, "%suser/%04u/%s/", scfg.data_dir, usernumber, subdir);
>>> CID 584833: Error handling issues (CHECKED_RETURN) >>> Calling "mkpath(path)" without checking return value. It wraps a library function that may fail and return an error code.
2877 mkpath(path);
2878 SAFECAT(path, gmtime_to_isoDateTimeStr(time(NULL), tmp, sizeof tmp));
2879 SAFECAT(path, "-");
2880 SAFECAT(path, session_id);
2881 SAFECAT(path, ".eml");
2882 return CopyFile(fname, path, /* fail-if-exists: */true);

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68b50d534c480_2468dc2e83776d99ac35483--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Wednesday, September 24, 2025 12:45:25

----==_mimepart_68d3e7e5d7b6_b44382cc43c0b59a0513eb
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 630343: (ATOMICITY) /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1581 in bitmap_setfont()
/tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1577 in bitmap_setfont()

_____________________________________________________________________________________________
*** CID 630343: (ATOMICITY) /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1581 in bitmap_setfont()
1575 new=malloc(ti.screenwidth*ti.screenheight*sizeof(*new));
1576 if(!new) {
1577 free(old);
1578 assert_rwlock_unlock(&vstatlock);
1579 return 0;
1580 }

CID 630343: (ATOMICITY)
Using an unreliable value of "old" inside the second locked section. If the data that "old" depends on was changed by another thread, this use might be incorrect.

1581 pold=old;
1582 pnew=new;
1583 for(row=0; row<ti.screenheight; row++) {
1584 for(col=0; col<ti.screenwidth; col++) { 1585 if(row < oh) {
1586 if(col < ow) { /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1577 in bitmap_setfont()
1571 bitmap_vmem_gettext_locked(1,1,ow,oh,old);
1572 assert_rwlock_unlock(&vstatlock);
1573 textmode(newmode);
1574 assert_rwlock_wrlock(&vstatlock);
1575 new=malloc(ti.screenwidth*ti.screenheight*sizeof(*new));
1576 if(!new) {

CID 630343: (ATOMICITY)
Using an unreliable value of "old" inside the second locked section. If the data that "old" depends on was changed by another thread, this use might be incorrect.

1577 free(old);
1578 assert_rwlock_unlock(&vstatlock);
1579 return 0;
1580 }
1581 pold=old;
1582 pnew=new;

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68d3e7e5d7b6_b44382cc43c0b59a0513eb
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li>
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 630343: (ATOMICITY) /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1581 in bitmap_setfont()
/tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1577 in bitmap_setfont()

_____________________________________________________________________________________________
*** CID 630343: (ATOMICITY) /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1581 in bitmap_setfont()
1575 new=malloc(ti.screenwidth*ti.screenheight*sizeof(*new));
1576 if(!new) {
1577 free(old);
1578 assert_rwlock_unlock(&vstatlock); 1579 return 0;
1580 }
>>> CID 630343: (ATOMICITY)
>>> Using an unreliable value of "old" inside the second locked section. If the data that "old" depends on was changed by another thread, this use might be incorrect.
1581 pold=old;
1582 pnew=new;
1583 for(row=0; row<ti.screenheight; row++) { 1584 for(col=0; col<ti.screenwidth; col++) {
1585 if(row < oh) {
1586 if(col < ow) { /tmp/sbbs-Sep-24-2025/src/conio/bitmap_con.c: 1577 in bitmap_setfont()
1571 bitmap_vmem_gettext_locked(1,1,ow,oh,old);
1572 assert_rwlock_unlock(&vstatlock);
1573 textmode(newmode);
1574 assert_rwlock_wrlock(&vstatlock);
1575 new=malloc(ti.screenwidth*ti.screenheight*sizeof(*new));
1576 if(!new) {
>>> CID 630343: (ATOMICITY)
>>> Using an unreliable value of "old" inside the second locked section. If the data that "old" depends on was changed by another thread, this use might be incorrect.
1577 free(old);
1578 assert_rwlock_unlock(&vstatlock); 1579 return 0;
1580 }
1581 pold=old;
1582 pnew=new;

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68d3e7e5d7b6_b44382cc43c0b59a0513eb--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Saturday, September 27, 2025 12:45:34

----==_mimepart_68d7dc6e205cb_1d74a2b4f2a4a99a449ab
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 630956: Control flow issues (UNREACHABLE)
/sexyz.c: 439 in recv_buffer()

_____________________________________________________________________________________________
*** CID 630956: Control flow issues (UNREACHABLE)
/sexyz.c: 439 in recv_buffer()
433 #else
434 fd_set socket_set;
435 struct timeval tv;
436 #endif
437 int magic_errno;
438

CID 630956: Control flow issues (UNREACHABLE)
Since the loop increment is unreachable, the loop body will never execute more than once.

439 for (;;) {
440 if (inbuf_len > inbuf_pos)
441 return inbuf_len - inbuf_pos;
442 #ifdef __unix__
443 if (stdio) {
444 i = read(STDIN_FILENO, inbuf, sizeof(inbuf));

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68d7dc6e205cb_1d74a2b4f2a4a99a449ab
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 630956: Control flow issues (UNREACHABLE)
/sexyz.c: 439 in recv_buffer()

_____________________________________________________________________________________________
*** CID 630956: Control flow issues (UNREACHABLE)
/sexyz.c: 439 in recv_buffer()
433 #else
434 fd_set socket_set;
435 struct timeval tv;
436 #endif
437 int magic_errno;
438
>>> CID 630956: Control flow issues (UNREACHABLE) >>> Since the loop increment is unreachable, the loop body will never execute more than once.
439 for (;;) {
440 if (inbuf_len > inbuf_pos)
441 return inbuf_len - inbuf_pos;
442 #ifdef __unix__
443 if (stdio) {
444 i = read(STDIN_FILENO, inbuf, sizeof(inbuf));

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68d7dc6e205cb_1d74a2b4f2a4a99a449ab--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Monday, September 29, 2025 14:35:08

----==_mimepart_68da991cc30d_3dac62b4f2a4a99a44987
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON)

_____________________________________________________________________________________________
*** CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON) /tmp/sbbs-Sep-29-2025/src/xpdev/ini_file.c: 1658 in iniParseSections()
1652 break;
1653 }
1654
1655 if (list[i] != NULL) {
1656 // TODO: A comment will create a zero-length root section, which kinda sucks...
1657 if (*p != INI_OPEN_SECTION_CHAR) {

CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON)
Passing "&iniParsedRootValue" to function "addParsedSection" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.

1658 if (!addParsedSection(&lp, &sections, &iniParsedRootValue))
1659 goto error_return;
1660 keys = 0;
1661 for (; list[i] != NULL; ++i) {
1662 p = list[i];
1663 SKIP_WHITESPACE(p);

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68da991cc30d_3dac62b4f2a4a99a44987
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON)

_____________________________________________________________________________________________
*** CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON) /tmp/sbbs-Sep-29-2025/src/xpdev/ini_file.c: 1658 in iniParseSections()
1652 break;
1653 }
1654
1655 if (list[i] != NULL) {
1656 // TODO: A comment will create a zero-length root section, which kinda sucks...
1657 if (*p != INI_OPEN_SECTION_CHAR) {
>>> CID 631019: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Passing "&iniParsedRootValue" to function "addParsedSection" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
1658 if (!addParsedSection(&lp, &sections, &iniParsedRootValue))
1659 goto error_return;
1660 keys = 0;
1661 for (; list[i] != NULL; ++i) {
1662 p = list[i];
1663 SKIP_WHITESPACE(p);

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68da991cc30d_3dac62b4f2a4a99a44987--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Tuesday, September 30, 2025 14:17:12

----==_mimepart_68dbe667f0fba_4d6e62b4f2a4a99a44915
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

3 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)

** CID 631052: Null pointer dereferences (FORWARD_NULL) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3367 in iniGetFastParsedSectionCmp()

_____________________________________________________________________________________________
*** CID 631052: Null pointer dereferences (FORWARD_NULL) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3367 in iniGetFastParsedSectionCmp()
3361 return 0;
3362 }
3363 if (name == NULL || name->str == NULL)
3364 return -1;
3365 entShorter = fp->name.len < name->len;
3366 cmplen = entShorter ? fp->name.len : name->len;

CID 631052: Null pointer dereferences (FORWARD_NULL)
Passing null pointer "fp->name.str" to "strncasecmp", which dereferences it.

3367 cmp = strnicmp(name->str, fp->name.str, cmplen);
3368 if (cmp == 0) {
3369 if (fp->name.len == name->len)
3370 return 0;
3371 if (entShorter)
3372 return 1;

** CID 631051: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3159 in iniFastParseSections()

_____________________________________________________________________________________________
*** CID 631051: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3159 in iniFastParseSections()
3153 struct fp_section *sect;
3154 size_t slen;
3155 str++;
3156 slen = strlen(str);
3157 while (slen && (IS_WHITESPACE(str[slen - 1]))) 3158 slen--;

CID 631051: Integer handling issues (INTEGER_OVERFLOW)
Expression "slen - 1UL", where "slen" is known to be equal to 0, underflows the type of "slen - 1UL", which is type "unsigned long".

3159 if (str[slen - 1] == INI_CLOSE_SECTION_CHAR) 3160 slen--;
3161 else // Discard line
3162 continue;
3163 ret->totalSections++;
3164 if ((ret->totalSections) >= arraySz) {

** CID 631050: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3331 in iniGetFastParsedSectionList()

_____________________________________________________________________________________________
*** CID 631050: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3331 in iniGetFastParsedSectionList()
3325 if (sz)
3326 *sz = 0;
3327 return ret;
3328 }
3329 if (prefix)
3330 prefixLen = strlen(prefix);

CID 631050: Integer handling issues (INTEGER_OVERFLOW)
Expression "i++", where "i" is known to be equal to 18446744073709551615, overflows the type of "i++", which is type "size_t".

3331 for (i = iniGetFastPrefixStart(fp, prefix); i <= fp->lastUncut; i++) {
3332 if (fp->sections[i].name.str == NULL)
3333 continue;
3334 if (fp->sections[i].cut)
3335 continue;
3336 if (fp->sections[i].name.len < prefixLen)

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68dbe667f0fba_4d6e62b4f2a4a99a44915
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 3</li>
<li><strong>Defects Shown:</strong> Showing 3 of 3 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631052: Null pointer dereferences (FORWARD_NULL) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3367 in iniGetFastParsedSectionCmp()

_____________________________________________________________________________________________
*** CID 631052: Null pointer dereferences (FORWARD_NULL) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3367 in iniGetFastParsedSectionCmp()
3361 return 0;
3362 }
3363 if (name == NULL || name->str == NULL)
3364 return -1;
3365 entShorter = fp->name.len < name->len;
3366 cmplen = entShorter ? fp->name.len : name->len; >>> CID 631052: Null pointer dereferences (FORWARD_NULL) >>> Passing null pointer "fp->name.str" to "strncasecmp", which dereferences it.
3367 cmp = strnicmp(name->str, fp->name.str, cmplen);
3368 if (cmp == 0) {
3369 if (fp->name.len == name->len)
3370 return 0;
3371 if (entShorter)
3372 return 1;

** CID 631051: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3159 in iniFastParseSections()

_____________________________________________________________________________________________
*** CID 631051: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3159 in iniFastParseSections()
3153 struct fp_section *sect;
3154 size_t slen;
3155 str++;
3156 slen = strlen(str);
3157 while (slen && (IS_WHITESPACE(str[slen - 1])))
3158 slen--;
>>> CID 631051: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "slen - 1UL", where "slen" is known to be equal to 0, underflows the type of "slen - 1UL", which is type "unsigned long".
3159 if (str[slen - 1] == INI_CLOSE_SECTION_CHAR) 3160 slen--;
3161 else // Discard line
3162 continue;
3163 ret->totalSections++;
3164 if ((ret->totalSections) >= arraySz) {

** CID 631050: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3331 in iniGetFastParsedSectionList()

_____________________________________________________________________________________________
*** CID 631050: Integer handling issues (INTEGER_OVERFLOW) /tmp/sbbs-Sep-30-2025/src/xpdev/ini_file.c: 3331 in iniGetFastParsedSectionList()
3325 if (sz)
3326 *sz = 0;
3327 return ret;
3328 }
3329 if (prefix)
3330 prefixLen = strlen(prefix);
>>> CID 631050: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "i++", where "i" is known to be equal to 18446744073709551615, overflows the type of "i++", which is type "size_t".
3331 for (i = iniGetFastPrefixStart(fp, prefix); i <= fp->lastUncut; i++) {
3332 if (fp->sections[i].name.str == NULL)
3333 continue;
3334 if (fp->sections[i].cut)
3335 continue;
3336 if (fp->sections[i].name.len < prefixLen)

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68dbe667f0fba_4d6e62b4f2a4a99a44915--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Wednesday, October 01, 2025 16:08:39

----==_mimepart_68dd52075cd65_5ee032b4f2a4a99a44999
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

9 new defect(s) introduced to Synchronet found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)

** CID 631076: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631076: Memory - corruptions (OVERRUN)
/sbbsecho.c: 314 in parse_echostat_msg()
308 {
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);

CID 631076: Memory - corruptions (OVERRUN)
Overrunning array "msg.from" of 36 bytes by passing it to a function which accesses it at byte offset 1023.

314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);

** CID 631075: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631075: Memory - corruptions (OVERRUN)
/sbbsecho.c: 319 in parse_echostat_msg()
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);

CID 631075: Memory - corruptions (OVERRUN)
Overrunning array "msg.tid" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);

** CID 631074: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631074: Memory - corruptions (OVERRUN)
/sbbsecho.c: 317 in parse_echostat_msg()
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);

CID 631074: Memory - corruptions (OVERRUN)
Overrunning array "msg.reply_id" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);

** CID 631073: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631073: Memory - corruptions (OVERRUN)
/sbbsecho.c: 316 in parse_echostat_msg()
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);

CID 631073: Memory - corruptions (OVERRUN)
Overrunning array "msg.msg_id" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);

** CID 631072: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631072: Memory - corruptions (OVERRUN)
/sbbsecho.c: 313 in parse_echostat_msg()
307 echostat_msg_t parse_echostat_msg(str_list_t ini, const char* section, const char* prefix)
308 {
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312

CID 631072: Memory - corruptions (OVERRUN)
Overrunning array "msg.to" of 36 bytes by passing it to a function which accesses it at byte offset 1023.

313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);

** CID 631071: (OVERRUN)

_____________________________________________________________________________________________
*** CID 631071: (OVERRUN)
/sbbsecho.c: 327 in parse_echostat_msg()
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])
326 msg.origaddr = atofaddr(str);

CID 631071: (OVERRUN)
Overrunning array "str" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

327 snprintf(key, sizeof key, "%s.pkt_orig", prefix), iniGetString(ini, section, key, NULL, str);
328 if (str[0])
329 msg.pkt_orig = atofaddr(str);
330
331 return msg;
332 }
/sbbsecho.c: 324 in parse_echostat_msg()
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);

CID 631071: (OVERRUN)
Overrunning array "str" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])
326 msg.origaddr = atofaddr(str);
327 snprintf(key, sizeof key, "%s.pkt_orig", prefix), iniGetString(ini, section, key, NULL, str);
328 if (str[0])
329 msg.pkt_orig = atofaddr(str);

** CID 631070: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631070: Memory - corruptions (OVERRUN)
/sbbsecho.c: 315 in parse_echostat_msg()
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);

CID 631070: Memory - corruptions (OVERRUN)
Overrunning array "msg.subj" of 72 bytes by passing it to a function which accesses it at byte offset 1023.

315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);

** CID 631069: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631069: Memory - corruptions (OVERRUN)
/sbbsecho.c: 318 in parse_echostat_msg()
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);

CID 631069: Memory - corruptions (OVERRUN)
Overrunning array "msg.pid" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);

** CID 631068: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631068: Memory - corruptions (OVERRUN)
/sbbsecho.c: 320 in parse_echostat_msg()
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);

CID 631068: Memory - corruptions (OVERRUN)
Overrunning array "msg.msg_tz" of 128 bytes by passing it to a function which accesses it at byte offset 1023.

320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68dd52075cd65_5ee032b4f2a4a99a44999
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 9</li>
<li>
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 9 of 9 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631076: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631076: Memory - corruptions (OVERRUN)
/sbbsecho.c: 314 in parse_echostat_msg()
308 {
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
>>> CID 631076: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.from" of 36 bytes by passing it to a function which accesses it at byte offset 1023.
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);

** CID 631075: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631075: Memory - corruptions (OVERRUN)
/sbbsecho.c: 319 in parse_echostat_msg()
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
>>> CID 631075: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.tid" of 128 bytes by passing it to a function which accesses it at byte offset 1023.
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);

** CID 631074: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631074: Memory - corruptions (OVERRUN)
/sbbsecho.c: 317 in parse_echostat_msg()
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
>>> CID 631074: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.reply_id" of 128 bytes by passing it to a function which accesses it at byte offset 1023.
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);

** CID 631073: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631073: Memory - corruptions (OVERRUN)
/sbbsecho.c: 316 in parse_echostat_msg()
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
>>> CID 631073: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.msg_id" of 128 bytes by passing it to a function which accesses it at byte offset 1023.
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);

** CID 631072: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631072: Memory - corruptions (OVERRUN)
/sbbsecho.c: 313 in parse_echostat_msg()
307 echostat_msg_t parse_echostat_msg(str_list_t ini, const char* section, const char* prefix)
308 {
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
>>> CID 631072: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.to" of 36 bytes by passing it to a function which accesses it at byte offset 1023.
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);

** CID 631071: (OVERRUN)

_____________________________________________________________________________________________
*** CID 631071: (OVERRUN)
/sbbsecho.c: 327 in parse_echostat_msg()
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])
326 msg.origaddr = atofaddr(str);
>>> CID 631071: (OVERRUN)
>>> Overrunning array "str" of 128 bytes by passing it to a function which accesses it at byte offset 1023.
327 snprintf(key, sizeof key, "%s.pkt_orig", prefix), iniGetString(ini, section, key, NULL, str);
328 if (str[0])
329 msg.pkt_orig = atofaddr(str);
330
331 return msg;
332 }
/sbbsecho.c: 324 in parse_echostat_msg()
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
>>> CID 631071: (OVERRUN)
>>> Overrunning array "str" of 128 bytes by passing it to a function which accesses it at byte offset 1023.
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])
326 msg.origaddr = atofaddr(str);
327 snprintf(key, sizeof key, "%s.pkt_orig", prefix), iniGetString(ini, section, key, NULL, str);
328 if (str[0])
329 msg.pkt_orig = atofaddr(str);

** CID 631070: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631070: Memory - corruptions (OVERRUN)
/sbbsecho.c: 315 in parse_echostat_msg()
309 char str[128];
310 char key[128];
311 echostat_msg_t msg = {{0}};
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
>>> CID 631070: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.subj" of 72 bytes by passing it to a function which accesses it at byte offset 1023.
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);

** CID 631069: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631069: Memory - corruptions (OVERRUN)
/sbbsecho.c: 318 in parse_echostat_msg()
312
313 snprintf(key, sizeof key, "%s.to", prefix), iniGetString(ini, section, key, NULL, msg.to);
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
>>> CID 631069: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.pid" of 128 bytes by passing it to a function which accesses it at byte offset 1023.
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);

** CID 631068: Memory - corruptions (OVERRUN)

_____________________________________________________________________________________________
*** CID 631068: Memory - corruptions (OVERRUN)
/sbbsecho.c: 320 in parse_echostat_msg()
314 snprintf(key, sizeof key, "%s.from", prefix), iniGetString(ini, section, key, NULL, msg.from);
315 snprintf(key, sizeof key, "%s.subj", prefix), iniGetString(ini, section, key, NULL, msg.subj);
316 snprintf(key, sizeof key, "%s.msg_id", prefix), iniGetString(ini, section, key, NULL, msg.msg_id);
317 snprintf(key, sizeof key, "%s.reply_id", prefix), iniGetString(ini, section, key, NULL, msg.reply_id);
318 snprintf(key, sizeof key, "%s.pid", prefix), iniGetString(ini, section, key, NULL, msg.pid);
319 snprintf(key, sizeof key, "%s.tid", prefix), iniGetString(ini, section, key, NULL, msg.tid);
>>> CID 631068: Memory - corruptions (OVERRUN) >>> Overrunning array "msg.msg_tz" of 128 bytes by passing it to a function which accesses it at byte offset 1023.
320 snprintf(key, sizeof key, "%s.msg_tz", prefix), iniGetString(ini, section, key, NULL, msg.msg_tz);
321 snprintf(key, sizeof key, "%s.msg_time", prefix), msg.msg_time = iniGetDateTime(ini, section, key, 0);
322 snprintf(key, sizeof key, "%s.localtime", prefix), msg.localtime = iniGetDateTime(ini, section, key, 0);
323 snprintf(key, sizeof key, "%s.length", prefix), msg.length = (size_t)iniGetBytes(ini, section, key, 1, 0);
324 snprintf(key, sizeof key, "%s.origaddr", prefix), iniGetString(ini, section, key, NULL, str);
325 if (str[0])

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68dd52075cd65_5ee032b4f2a4a99a44999--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Sunday, October 05, 2025 16:13:51

----==_mimepart_68e2993ee711b_9d27f2d5dd76db9a859454
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

18 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 18 of 18 defect(s)

** CID 631146: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631146: Program hangs (LOCK)
/userdat.c: 4189 in loginAttemptListCount()
4183 long loginAttemptListCount(link_list_t* list)
4184 {
4185 long count;
4186
4187 if (!listLock(list))
4188 return -1;

CID 631146: Program hangs (LOCK)
"listCountNodes" locks "list->mutex" while it is locked.

4189 count = listCountNodes(list);
4190 listUnlock(list);
4191 return count;
4192 }
4193
4194 /****************************************************************************/

** CID 631145: Program hangs (SLEEP)

_____________________________________________________________________________________________
*** CID 631145: Program hangs (SLEEP)
/userdat.c: 4358 in loginBanned()
4352 listUnlock(list);
4353 if (node == NULL)
4354 return 0;
4355 attempt = node->data;
4356 SAFECOPY(name, attempt->user);
4357 truncstr(name, "@");

CID 631145: Program hangs (SLEEP)
Call to "trashcan" might sleep while holding lock "list->mutex".

4358 if (((settings.tempban_threshold && (attempt->count - attempt->dupes) >= settings.tempban_threshold)
4359 || trashcan(cfg, name, "name")) && now < (time32_t)(attempt->time + settings.tempban_duration)) {
4360 if (details != NULL)
4361 *details = *attempt;
4362 return settings.tempban_duration - (now - attempt->time);
4363 }

** CID 631144: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631144: Program hangs (LOCK)
/sbbscon.c: 654 in client_on()
648 {
649 if (on) {
650 if (update) {
651 list_node_t* node;
652
653 listLock(&client_list);

CID 631144: Program hangs (LOCK)
"listFindNode" locks "client_list.mutex" while it is locked.

654 if ((node = listFindTaggedNode(&client_list, sock)) != NULL)
655 memcpy(node->data, client, sizeof(client_t));
656 listUnlock(&client_list);
657 } else {
658 served++;
659 listAddNodeData(&client_list, client, sizeof(client_t), sock, LAST_NODE);

** CID 631143: (SLEEP)
/mailsrvr.c: 1225 in pop3_client_thread()

_____________________________________________________________________________________________
*** CID 631143: (SLEEP)
/mailsrvr.c: 1241 in pop3_client_thread()
1235
1236 srand((unsigned int)(time(NULL) ^ (time_t)GetCurrentThreadId())); /* seed random number generator */
1237 (void)rand(); /* throw-away first result */
1238 safe_snprintf(challenge, sizeof(challenge), "<%x%x%lx%lx@%.128s>"
1239 , rand(), socket, (ulong)time(NULL), (ulong)clock(), server_host_name());
1240

CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".

1241 sockprintf(socket, client.protocol, session, "+OK Synchronet %s Server %s%c-%s Ready %s"
1242 , client.protocol, VERSION, REVISION, PLATFORM_DESC, challenge);
1243
1244 /* Requires USER or APOP command first */
1245 for (i = 5; i; i--) {
1246 if (!sockgetrsp(socket, client.protocol, session, NULL, buf, sizeof(buf)))
/mailsrvr.c: 1225 in pop3_client_thread()
1219 client_on(socket, &client, FALSE /* update */);
1220
1221 if (startup->login_attempt.throttle
1222 && (login_attempts = loginAttempts(startup->login_attempt_list, &pop3->client_addr)) > 1) {
1223 lprintf(LOG_DEBUG, "%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)"
1224 , socket, client.protocol, host_ip, login_attempts);

CID 631143: (SLEEP)
Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".

1225 mswait(login_attempts * startup->login_attempt.throttle);
1226 }
1227
1228 mail = NULL;
1229
1230 do {
/mailsrvr.c: 1189 in pop3_client_thread()
1183 ulong banned = loginBanned(&scfg, startup->login_attempt_list, socket, host_name, startup->login_attempt, &attempted);
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));

CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".

1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
/mailsrvr.c: 1323 in pop3_client_thread()
1317 if ((p = strstr(username, NO_SPAM)) != NULL) {
1318 *p = 0;
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {

CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".

1323 sockprintf(socket, client.protocol, session, "+OK");
1324 if (!sockgetrsp(socket, client.protocol, session, "PASS ", buf, sizeof(buf))) {
1325 sockprintf(socket, client.protocol, session, "-ERR PASS command expected");
1326 break;
1327 }
1328 p = buf + 5;
/mailsrvr.c: 1325 in pop3_client_thread()
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {
1323 sockprintf(socket, client.protocol, session, "+OK");
1324 if (!sockgetrsp(socket, client.protocol, session, "PASS ", buf, sizeof(buf))) {

CID 631143: (SLEEP)
Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".

1325 sockprintf(socket, client.protocol, session, "-ERR PASS command expected");
1326 break;
1327 }
1328 p = buf + 5;
1329 SKIP_WHITESPACE(p);
1330 SAFECOPY(password, p);
/mailsrvr.c: 1193 in pop3_client_thread()
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1190 return false;
1191 }
1192 struct trash trash;

CID 631143: (SLEEP)
Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".

1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
1195 char details[128];
1196 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s", socket, client.protocol, host_ip, trash_details(&trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
/mailsrvr.c: 1201 in pop3_client_thread()
1195 char details[128];
1196 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s", socket, client.protocol, host_ip, trash_details(&trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1199 return false;
1200 }

CID 631143: (SLEEP)
Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".

1201 if (trashcan2(&scfg, host_name, NULL, "host", &trash)) {
1202 if (!trash.quiet) {
1203 char details[128];
1204 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in host.can: %s %s"
1205 , socket, client.protocol, host_ip, host_name, trash_details(&trash, details, sizeof details));
1206 }

** CID 631142: Null pointer dereferences (FORWARD_NULL)

_____________________________________________________________________________________________
*** CID 631142: Null pointer dereferences (FORWARD_NULL)
/un_qwk.cpp: 380 in sbbs_t::unpack_qwk(char *, unsigned int)()
374 iniFreeStringList(voting);
375
376 strListFree(&msg_filters.ip_can);
377 strListFree(&msg_filters.host_can);
378 strListFree(&msg_filters.subject_can);
379 strListFree(&msg_filters.twit_list);

CID 631142: Null pointer dereferences (FORWARD_NULL)
Passing "&user_list" to "listFree", which dereferences null "user_list.sem".

380 listFree(&user_list);
381
382 delfiles(cfg.temp_dir, "*.NDX");
383 SAFEPRINTF(str, "%sMESSAGES.DAT", cfg.temp_dir);
384 removecase(str);
385 SAFEPRINTF(str, "%sDOOR.ID", cfg.temp_dir);

** CID 631141: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631141: Program hangs (LOCK)
/userdat.c: 4264 in loginSuccess()
4258 list_node_t* node;
4259
4260 if (addr->addr.sa_family != AF_INET && addr->addr.sa_family != AF_INET6)
4261 return;
4262 listLock(list);
4263 if ((node = login_attempted(list, addr)) != NULL)

CID 631141: Program hangs (LOCK)
"listRemoveNode" locks "list->mutex" while it is locked.

4264 listRemoveNode(list, node, /* freeData: */ true);
4265 listUnlock(list);
4266 }
4267
4268 /****************************************************************************/
4269 /* Returns number of *unique* login attempts (excludes consecutive dupes) */

** CID 631140: (LOCK)
/userdat.c: 4206 in loginAttemptListClear()

_____________________________________________________________________________________________
*** CID 631140: (LOCK)
/userdat.c: 4204 in loginAttemptListClear()
4198 long loginAttemptListClear(link_list_t* list)
4199 {
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;

CID 631140: (LOCK)
"listCountNodes" locks "list->mutex" while it is locked.

4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);
4206 listUnlock(list);
4207 return count;
4208 }
4209
/userdat.c: 4206 in loginAttemptListClear()
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;
4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);

CID 631140: (LOCK)
"listUnlock" unlocks "list->mutex" while it is unlocked.

4206 listUnlock(list);
4207 return count;
4208 }
4209
4210 /****************************************************************************/
4211 static list_node_t* login_attempted(link_list_t* list, const union xp_sockaddr* addr)

** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()

_____________________________________________________________________________________________
*** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()
1613 client_on(socket, &client, false /* update */);
1614
1615 if (startup->login_attempt.throttle
1616 && (login_attempts = loginAttempts(startup->login_attempt_list, &service_client.addr)) > 1) {
1617 lprintf(LOG_DEBUG, "%04d %s Throttling suspicious connection from: %s (%lu login attempts)"
1618 , socket, service->protocol, client.addr, login_attempts);

CID 631139: Program hangs (SLEEP)
Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".

1619 mswait(login_attempts * startup->login_attempt.throttle);
1620 }
1621
1622 /* RUN SCRIPT */
1623 if (strpbrk(service->cmd, "/\\") == NULL)
1624 SAFEPRINTF2(cmd, "%s%s", scfg.exec_dir, service->cmd);

** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()

_____________________________________________________________________________________________
*** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()
1645 lprintf(LOG_INFO, "%04d %s service thread terminated (%lu clients remain, %lu total, %lu served)"
1646 , socket, service->protocol, remain, active_clients(), service->served);
1647
1648 client_off(socket);
1649 close_socket(socket);
1650 closesocket(socket_dup); /* close duplicate handle */

CID 631138: Program hangs (LOCK)
Returning without unlocking "startup->login_attempt_list->mutex".

1651 }
1652
1653
1654 void services_terminate(void)
1655 {
1656 uint32_t i;

** CID 631137: Program hangs (ORDER_REVERSAL)

_____________________________________________________________________________________________
*** CID 631137: Program hangs (ORDER_REVERSAL)
/websrvr.c: 6965 in http_session_thread()
6959 */
6960 session.req.method = HTTP_GET;
6961 session.http_ver = HTTP_1_0;
6962 if (startup->max_clients && client_count > startup->max_clients) {
6963 lprintf(LOG_WARNING, "%04d %-5s [%s] !MAXIMUM CLIENTS (%u) exceeded by %u, access denied"
6964 , socket, session.client.protocol, session.host_ip, startup->max_clients, client_count - startup->max_clients);

CID 631137: Program hangs (ORDER_REVERSAL)
Calling "send_error" acquires lock "jsrt_mutex" while holding lock "link_list.mutex" (count: 1 / 5).

6965 send_error(&session, __LINE__, error_503);
6966 session.finished = true;
6967 } else {
6968 uint connections = listCountMatches(&current_connections, session.host_ip, strlen(session.host_ip) + 1);
6969 if (startup->max_concurrent_connections > 0 && connections > startup->max_concurrent_connections
6970 && !is_host_exempt(&scfg, session.host_ip, /* host_name */ NULL)) {

** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()

_____________________________________________________________________________________________
*** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()
836 for (list_node_t* node = mqtt->client_list.first; node != NULL; node = node->next) {
837 client_t* client = node->data;
838 format_client_info(str, sizeof(str), node->tag, client, client->time);
839 strListPush(&list, str);
840 client_count++;
841 }

CID 631136: (LOCK)
"listUnlock" unlocks "mqtt->client_list.mutex" while it is unlocked. 842 listUnlock(&mqtt->client_list);

843 char* buf = NULL;
844 if (client_count > 0) {
845 size_t buflen = client_count * MAX_CLIENT_STRLEN * 2; 846 buf = malloc(buflen);
847 strListJoin(list, buf, buflen, "\n");
/mqtt.c: 814 in mqtt_client_on()
808
809 listLock(&mqtt->client_list);
810 if (on) {
811 if (update) {
812 list_node_t* node;
813

CID 631136: (LOCK)
"listFindNode" locks "mqtt->client_list.mutex" while it is locked.

814 if ((node = listFindTaggedNode(&mqtt->client_list, sock)) != NULL) {
815 memcpy(node->data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/update", str);
818 }
819 } else {
/mqtt.c: 825 in mqtt_client_on()
819 } else {
820 listAddNodeData(&mqtt->client_list, client, sizeof(client_t), sock, LAST_NODE);
821 format_client_info(str, sizeof(str), sock, client, client->time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/connect", str);
823 }
824 } else {

CID 631136: (LOCK)
"listRemoveTaggedNode" locks "mqtt->client_list.mutex" while it is locked.

825 client = listRemoveTaggedNode(&mqtt->client_list, sock, /* free_data: */ false);
826 if (client != NULL) {
827 format_client_info(str, sizeof(str), sock, client, time(NULL));
828 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/disconnect", str);
829 FREE_AND_NULL(client);
830 }
/mqtt.c: 820 in mqtt_client_on()
814 if ((node = listFindTaggedNode(&mqtt->client_list, sock)) != NULL) {
815 memcpy(node->data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/update", str);
818 }
819 } else {

CID 631136: (LOCK)
"listAddNodeData" locks "mqtt->client_list.mutex" while it is locked. 820 listAddNodeData(&mqtt->client_list, client, sizeof(client_t), sock, LAST_NODE);

821 format_client_info(str, sizeof(str), sock, client, client->time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/connect", str);
823 }
824 } else {
825 client = listRemoveTaggedNode(&mqtt->client_list, sock, /* free_data: */ false);

** CID 631135: Uninitialized variables (UNINIT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()

_____________________________________________________________________________________________
*** CID 631135: Uninitialized variables (UNINIT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf && saltsz && *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp < saltLength)
3693 cp = saltLength;
3694 if (cp)

CID 631135: Uninitialized variables (UNINIT)
Using uninitialized value "*salt" when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]

3695 memcpy(saltBuf, salt, cp);
3696 if (cp < *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;

** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()

_____________________________________________________________________________________________
*** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");

CID 631134: Program hangs (LOCK)
Returning without unlocking "startup->login_attempt_list->mutex".

1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
1195 char details[128];

** CID 631133: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631133: Program hangs (LOCK)
/userdat.c: 4303 in loginFailure()
4297 if (pass != NULL)
4298 SAFECOPY(attempt->pass, pass);
4299 attempt->count++;
4300 count = attempt->count - attempt->dupes;
4301 if (node == NULL) {
4302 attempt->first = attempt->time;

CID 631133: Program hangs (LOCK)
"listAddNodeData" locks "list->mutex" while it is locked.

4303 listPushNodeData(list, attempt, sizeof(login_attempt_t));
4304 }
4305 listUnlock(list);
4306
4307 if (details != NULL)
4308 *details = *attempt;

** CID 631132: Control flow issues (NO_EFFECT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()

_____________________________________________________________________________________________
*** CID 631132: Control flow issues (NO_EFFECT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()
3624 buffer = malloc(bufferSize);
3625 if (buffer == NULL)
3626 goto done;
3627 size_t lines = 0;
3628 while(!feof(fp)) {
3629 size_t rret = fread(buffer, 1, bufferSize, fp);

CID 631132: Control flow issues (NO_EFFECT)
This less-than-zero comparison of an unsigned value is never true. "rret < 0UL".

3630 if (rret < 0 || rret > INT_MAX)
3631 goto done;
3632 if ((streamCipher && rret > 0) || rret == bufferSize) { 3633 size_t bufpos = 0;
3634 status = cryptDecrypt(ctx, buffer, rret);
3635 if (cryptStatusError(status))

** CID 631131: (SLEEP)
/websrvr.c: 6948 in http_session_thread()

_____________________________________________________________________________________________
*** CID 631131: (SLEEP)
/websrvr.c: 6911 in http_session_thread()
6905 }
6906
6907 login_attempt_t attempted;
6908 ulong banned = loginBanned(&scfg, startup->login_attempt_list, session.socket, host_name, startup->login_attempt, &attempted);
6909
6910 /* host_ip wasn't defined in http_session_thread */

CID 631131: (SLEEP)
Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".

6911 if (banned || trashcan2(&scfg, session.host_ip, NULL, "ip", &trash)) {
6912 if (banned) {
6913 char ban_duration[128];
6914 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
6915 , session.socket, session.client.protocol
6916 , session.host_ip, attempted.count - attempted.dupes, attempted.user
/websrvr.c: 7055 in http_session_thread()
7049 }
7050 /* At this point, if redirp is non-NULL then the headers have already been parsed */
7051 if ((session.http_ver < HTTP_1_0) || redirp != NULL || parse_headers(&session)) {
7052 if (check_request(&session)) { 7053 if (session.req.send_location < MOVED_TEMP || session.req.virtual_path[0] != '/' || loop_count++ >= MAX_REDIR_LOOPS) {
7054 if (read_post_data(&session))

CID 631131: (SLEEP)
Call to "respond" might sleep while holding lock "startup->login_attempt_list->mutex".

7055 respond(&session);
7056 }
7057 else {
7058 if (!session.redir_req[0]) {
7059 safe_snprintf(session.redir_req, sizeof(session.redir_req), "%s %s%s%s", methods[session.req.method]
7060 , session.req.virtual_path, session.http_ver < HTTP_1_0?"":" ", http_vers[session.http_ver]);
/websrvr.c: 6948 in http_session_thread()
6942 client_on(session.socket, &session.client, /* update existing client record? */ false);
6943
6944 if (startup->login_attempt.throttle
6945 && (login_attempts = loginAttempts(startup->login_attempt_list, &session.addr)) > 1) {
6946 lprintf(LOG_DEBUG, "%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)"
6947 , socket, session.client.protocol, session.host_ip, login_attempts);

CID 631131: (SLEEP)
Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".

6948 mswait(login_attempts * startup->login_attempt.throttle);
6949 }
6950
6951 session.last_user_num = -1;
6952 session.last_js_user_num = -1;
6953 session.logon_time = 0;

** CID 631130: Null pointer dereferences (FORWARD_NULL)

_____________________________________________________________________________________________
*** CID 631130: Null pointer dereferences (FORWARD_NULL)
/un_rep.cpp: 538 in sbbs_t::unpack_rep(char *)()
532 iniFreeStringList(voting);
533
534 strListFree(&msg_filters.ip_can);
535 strListFree(&msg_filters.host_can);
536 strListFree(&msg_filters.subject_can);
537 strListFree(&msg_filters.twit_list);

CID 631130: Null pointer dereferences (FORWARD_NULL)
Passing "&user_list" to "listFree", which dereferences null "user_list.sem".

538 listFree(&user_list);
539
540 if (lastsub != INVALID_SUB)
541 smb_close(&smb);
542 fclose(rep);
543

** CID 631129: Memory - corruptions (OVERRUN) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()

_____________________________________________________________________________________________
*** CID 631129: Memory - corruptions (OVERRUN) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf && saltsz && *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp < saltLength)
3693 cp = saltLength;
3694 if (cp)

CID 631129: Memory - corruptions (OVERRUN)
Overrunning array "salt" of 64 bytes by passing it to a function which accesses it at byte offset 64 using argument "cp" (which evaluates to 65). [Note: The source code implementation of the function has been overridden by a builtin model.]

3695 memcpy(saltBuf, salt, cp);
3696 if (cp < *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68e2993ee711b_9d27f2d5dd76db9a859454
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 18</li>
<li><strong>Defects Shown:</strong> Showing 18 of 18 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631146: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631146: Program hangs (LOCK)
/userdat.c: 4189 in loginAttemptListCount()
4183 long loginAttemptListCount(link_list_t* list)
4184 {
4185 long count;
4186
4187 if (!listLock(list))
4188 return -1;
>>> CID 631146: Program hangs (LOCK)
>>> "listCountNodes" locks "list->mutex" while it is locked.
4189 count = listCountNodes(list);
4190 listUnlock(list);
4191 return count;
4192 }
4193
4194 /****************************************************************************/

** CID 631145: Program hangs (SLEEP)

_____________________________________________________________________________________________
*** CID 631145: Program hangs (SLEEP)
/userdat.c: 4358 in loginBanned()
4352 listUnlock(list);
4353 if (node == NULL)
4354 return 0;
4355 attempt = node->data;
4356 SAFECOPY(name, attempt->user);
4357 truncstr(name, "@");
>>> CID 631145: Program hangs (SLEEP)
>>> Call to "trashcan" might sleep while holding lock "list->mutex".
4358 if (((settings.tempban_threshold && (attempt->count - attempt->dupes) >= settings.tempban_threshold)
4359 || trashcan(cfg, name, "name")) && now < (time32_t)(attempt->time + settings.tempban_duration)) {
4360 if (details != NULL)
4361 *details = *attempt;
4362 return settings.tempban_duration - (now - attempt->time);
4363 }

** CID 631144: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631144: Program hangs (LOCK)
/sbbscon.c: 654 in client_on()
648 {
649 if (on) {
650 if (update) {
651 list_node_t* node;
652
653 listLock(&client_list);
>>> CID 631144: Program hangs (LOCK)
>>> "listFindNode" locks "client_list.mutex" while it is locked.
654 if ((node = listFindTaggedNode(&client_list, sock)) != NULL)
655 memcpy(node->data, client, sizeof(client_t));
656 listUnlock(&client_list);
657 } else {
658 served++;
659 listAddNodeData(&client_list, client, sizeof(client_t), sock, LAST_NODE);

** CID 631143: (SLEEP)
/mailsrvr.c: 1225 in pop3_client_thread()

_____________________________________________________________________________________________
*** CID 631143: (SLEEP)
/mailsrvr.c: 1241 in pop3_client_thread()
1235
1236 srand((unsigned int)(time(NULL) ^ (time_t)GetCurrentThreadId())); /* seed random number generator */
1237 (void)rand(); /* throw-away first result */
1238 safe_snprintf(challenge, sizeof(challenge), "<%x%x%lx%lx@%.128s>"
1239 , rand(), socket, (ulong)time(NULL), (ulong)clock(), server_host_name());
1240
>>> CID 631143: (SLEEP)
>>> Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1241 sockprintf(socket, client.protocol, session, "+OK Synchronet %s Server %s%c-%s Ready %s"
1242 , client.protocol, VERSION, REVISION, PLATFORM_DESC, challenge);
1243
1244 /* Requires USER or APOP command first */
1245 for (i = 5; i; i--) {
1246 if (!sockgetrsp(socket, client.protocol, session, NULL, buf, sizeof(buf)))
/mailsrvr.c: 1225 in pop3_client_thread()
1219 client_on(socket, &client, FALSE /* update */);
1220
1221 if (startup->login_attempt.throttle
1222 && (login_attempts = loginAttempts(startup->login_attempt_list, &pop3->client_addr)) > 1) {
1223 lprintf(LOG_DEBUG, "%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)"
1224 , socket, client.protocol, host_ip, login_attempts);
>>> CID 631143: (SLEEP)
>>> Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
1225 mswait(login_attempts * startup->login_attempt.throttle);
1226 }
1227
1228 mail = NULL;
1229
1230 do {
/mailsrvr.c: 1189 in pop3_client_thread()
1183 ulong banned = loginBanned(&scfg, startup->login_attempt_list, socket, host_name, startup->login_attempt, &attempted);
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
>>> CID 631143: (SLEEP)
>>> Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
/mailsrvr.c: 1323 in pop3_client_thread()
1317 if ((p = strstr(username, NO_SPAM)) != NULL) {
1318 *p = 0;
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {
>>> CID 631143: (SLEEP)
>>> Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1323 sockprintf(socket, client.protocol, session, "+OK");
1324 if (!sockgetrsp(socket, client.protocol, session, "PASS ", buf, sizeof(buf))) {
1325 sockprintf(socket, client.protocol, session, "-ERR PASS command expected");
1326 break;
1327 }
1328 p = buf + 5;
/mailsrvr.c: 1325 in pop3_client_thread()
1319 lm_mode = LM_NOSPAM;
1320 } else
1321 lm_mode = 0;
1322 if (!apop) {
1323 sockprintf(socket, client.protocol, session, "+OK");
1324 if (!sockgetrsp(socket, client.protocol, session, "PASS ", buf, sizeof(buf))) {
>>> CID 631143: (SLEEP)
>>> Call to "sockprintf" might sleep while holding lock "startup->login_attempt_list->mutex".
1325 sockprintf(socket, client.protocol, session, "-ERR PASS command expected");
1326 break;
1327 }
1328 p = buf + 5;
1329 SKIP_WHITESPACE(p);
1330 SAFECOPY(password, p);
/mailsrvr.c: 1193 in pop3_client_thread()
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1190 return false;
1191 }
1192 struct trash trash;
>>> CID 631143: (SLEEP)
>>> Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
1195 char details[128];
1196 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s", socket, client.protocol, host_ip, trash_details(&trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
/mailsrvr.c: 1201 in pop3_client_thread()
1195 char details[128];
1196 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in ip.can %s", socket, client.protocol, host_ip, trash_details(&trash, details, sizeof details));
1197 }
1198 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
1199 return false;
1200 }
>>> CID 631143: (SLEEP)
>>> Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".
1201 if (trashcan2(&scfg, host_name, NULL, "host", &trash)) {
1202 if (!trash.quiet) {
1203 char details[128];
1204 lprintf(LOG_NOTICE, "%04d %-5s [%s] !CLIENT BLOCKED in host.can: %s %s"
1205 , socket, client.protocol, host_ip, host_name, trash_details(&trash, details, sizeof details));
1206 }

** CID 631142: Null pointer dereferences (FORWARD_NULL)

_____________________________________________________________________________________________
*** CID 631142: Null pointer dereferences (FORWARD_NULL)
/un_qwk.cpp: 380 in sbbs_t::unpack_qwk(char *, unsigned int)()
374 iniFreeStringList(voting);
375
376 strListFree(&msg_filters.ip_can);
377 strListFree(&msg_filters.host_can);
378 strListFree(&msg_filters.subject_can);
379 strListFree(&msg_filters.twit_list);
>>> CID 631142: Null pointer dereferences (FORWARD_NULL) >>> Passing "&user_list" to "listFree", which dereferences null "user_list.sem".
380 listFree(&user_list);
381
382 delfiles(cfg.temp_dir, "*.NDX");
383 SAFEPRINTF(str, "%sMESSAGES.DAT", cfg.temp_dir);
384 removecase(str);
385 SAFEPRINTF(str, "%sDOOR.ID", cfg.temp_dir);

** CID 631141: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631141: Program hangs (LOCK)
/userdat.c: 4264 in loginSuccess()
4258 list_node_t* node;
4259
4260 if (addr->addr.sa_family != AF_INET && addr->addr.sa_family != AF_INET6)
4261 return;
4262 listLock(list);
4263 if ((node = login_attempted(list, addr)) != NULL)
>>> CID 631141: Program hangs (LOCK)
>>> "listRemoveNode" locks "list->mutex" while it is locked.
4264 listRemoveNode(list, node, /* freeData: */ true);
4265 listUnlock(list);
4266 }
4267
4268 /****************************************************************************/
4269 /* Returns number of *unique* login attempts (excludes consecutive dupes) */

** CID 631140: (LOCK)
/userdat.c: 4206 in loginAttemptListClear()

_____________________________________________________________________________________________
*** CID 631140: (LOCK)
/userdat.c: 4204 in loginAttemptListClear()
4198 long loginAttemptListClear(link_list_t* list)
4199 {
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;
>>> CID 631140: (LOCK)
>>> "listCountNodes" locks "list->mutex" while it is locked.
4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);
4206 listUnlock(list);
4207 return count;
4208 }
4209
/userdat.c: 4206 in loginAttemptListClear()
4200 long count;
4201
4202 if (!listLock(list))
4203 return -1;
4204 count = listCountNodes(list);
4205 count -= listFreeNodes(list);
>>> CID 631140: (LOCK)
>>> "listUnlock" unlocks "list->mutex" while it is unlocked.
4206 listUnlock(list);
4207 return count;
4208 }
4209
4210 /****************************************************************************/
4211 static list_node_t* login_attempted(link_list_t* list, const union xp_sockaddr* addr)

** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()

_____________________________________________________________________________________________
*** CID 631139: Program hangs (SLEEP)
/services.c: 1619 in native_service_thread()
1613 client_on(socket, &client, false /* update */);
1614
1615 if (startup->login_attempt.throttle
1616 && (login_attempts = loginAttempts(startup->login_attempt_list, &service_client.addr)) > 1) {
1617 lprintf(LOG_DEBUG, "%04d %s Throttling suspicious connection from: %s (%lu login attempts)"
1618 , socket, service->protocol, client.addr, login_attempts);
>>> CID 631139: Program hangs (SLEEP)
>>> Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
1619 mswait(login_attempts * startup->login_attempt.throttle);
1620 }
1621
1622 /* RUN SCRIPT */
1623 if (strpbrk(service->cmd, "/\\") == NULL)
1624 SAFEPRINTF2(cmd, "%s%s", scfg.exec_dir, service->cmd);

** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()

_____________________________________________________________________________________________
*** CID 631138: Program hangs (LOCK)
/services.c: 1651 in native_service_thread()
1645 lprintf(LOG_INFO, "%04d %s service thread terminated (%lu clients remain, %lu total, %lu served)"
1646 , socket, service->protocol, remain, active_clients(), service->served);
1647
1648 client_off(socket);
1649 close_socket(socket);
1650 closesocket(socket_dup); /* close duplicate handle */ >>> CID 631138: Program hangs (LOCK)
>>> Returning without unlocking "startup->login_attempt_list->mutex".
1651 }
1652
1653
1654 void services_terminate(void)
1655 {
1656 uint32_t i;

** CID 631137: Program hangs (ORDER_REVERSAL)

_____________________________________________________________________________________________
*** CID 631137: Program hangs (ORDER_REVERSAL)
/websrvr.c: 6965 in http_session_thread()
6959 */
6960 session.req.method = HTTP_GET;
6961 session.http_ver = HTTP_1_0;
6962 if (startup->max_clients && client_count > startup->max_clients) {
6963 lprintf(LOG_WARNING, "%04d %-5s [%s] !MAXIMUM CLIENTS (%u) exceeded by %u, access denied"
6964 , socket, session.client.protocol, session.host_ip, startup->max_clients, client_count - startup->max_clients);
>>> CID 631137: Program hangs (ORDER_REVERSAL) >>> Calling "send_error" acquires lock "jsrt_mutex" while holding lock "link_list.mutex" (count: 1 / 5).
6965 send_error(&session, __LINE__, error_503);
6966 session.finished = true;
6967 } else {
6968 uint connections = listCountMatches(&current_connections, session.host_ip, strlen(session.host_ip) + 1);
6969 if (startup->max_concurrent_connections > 0 && connections > startup->max_concurrent_connections
6970 && !is_host_exempt(&scfg, session.host_ip, /* host_name */ NULL)) {

** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()

_____________________________________________________________________________________________
*** CID 631136: (LOCK)
/mqtt.c: 842 in mqtt_client_on()
836 for (list_node_t* node = mqtt->client_list.first; node != NULL; node = node->next) {
837 client_t* client = node->data;
838 format_client_info(str, sizeof(str), node->tag, client, client->time);
839 strListPush(&list, str);
840 client_count++;
841 }
>>> CID 631136: (LOCK)
>>> "listUnlock" unlocks "mqtt->client_list.mutex" while it is unlocked.
842 listUnlock(&mqtt->client_list);
843 char* buf = NULL;
844 if (client_count > 0) {
845 size_t buflen = client_count * MAX_CLIENT_STRLEN * 2; 846 buf = malloc(buflen);
847 strListJoin(list, buf, buflen, "\n"); /mqtt.c: 814 in mqtt_client_on()
808
809 listLock(&mqtt->client_list);
810 if (on) {
811 if (update) {
812 list_node_t* node;
813
>>> CID 631136: (LOCK)
>>> "listFindNode" locks "mqtt->client_list.mutex" while it is locked.
814 if ((node = listFindTaggedNode(&mqtt->client_list, sock)) != NULL) {
815 memcpy(node->data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/update", str);
818 }
819 } else {
/mqtt.c: 825 in mqtt_client_on()
819 } else {
820 listAddNodeData(&mqtt->client_list, client, sizeof(client_t), sock, LAST_NODE);
821 format_client_info(str, sizeof(str), sock, client, client->time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/connect", str);
823 }
824 } else {
>>> CID 631136: (LOCK)
>>> "listRemoveTaggedNode" locks "mqtt->client_list.mutex" while it is locked.
825 client = listRemoveTaggedNode(&mqtt->client_list, sock, /* free_data: */ false);
826 if (client != NULL) {
827 format_client_info(str, sizeof(str), sock, client, time(NULL));
828 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/disconnect", str);
829 FREE_AND_NULL(client);
830 }
/mqtt.c: 820 in mqtt_client_on()
814 if ((node = listFindTaggedNode(&mqtt->client_list, sock)) != NULL) {
815 memcpy(node->data, client, sizeof(client_t));
816 format_client_info(str, sizeof(str), sock, client, time(NULL));
817 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/update", str);
818 }
819 } else {
>>> CID 631136: (LOCK)
>>> "listAddNodeData" locks "mqtt->client_list.mutex" while it is locked.
820 listAddNodeData(&mqtt->client_list, client, sizeof(client_t), sock, LAST_NODE);
821 format_client_info(str, sizeof(str), sock, client, client->time);
822 mqtt_pub_strval(mqtt, TOPIC_SERVER, "client/action/connect", str);
823 }
824 } else {
825 client = listRemoveTaggedNode(&mqtt->client_list, sock, /* free_data: */ false);

** CID 631135: Uninitialized variables (UNINIT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()

_____________________________________________________________________________________________
*** CID 631135: Uninitialized variables (UNINIT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf && saltsz && *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp < saltLength)
3693 cp = saltLength;
3694 if (cp)
>>> CID 631135: Uninitialized variables (UNINIT) >>> Using uninitialized value "*salt" when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
3695 memcpy(saltBuf, salt, cp);
3696 if (cp < *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;

** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()

_____________________________________________________________________________________________
*** CID 631134: Program hangs (LOCK)
/mailsrvr.c: 1190 in pop3_client_thread()
1184 if (banned) {
1185 char ban_duration[128];
1186 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
1187 , socket, client.protocol, host_ip, attempted.count - attempted.dupes, attempted.user
1188 , duration_estimate_to_vstr(banned, ban_duration, sizeof ban_duration, 1, 1));
1189 sockprintf(socket, client.protocol, session, "-ERR Access denied.");
>>> CID 631134: Program hangs (LOCK)
>>> Returning without unlocking "startup->login_attempt_list->mutex".
1190 return false;
1191 }
1192 struct trash trash;
1193 if (trashcan2(&scfg, host_ip, NULL, "ip", &trash)) {
1194 if (!trash.quiet) {
1195 char details[128];

** CID 631133: Program hangs (LOCK)

_____________________________________________________________________________________________
*** CID 631133: Program hangs (LOCK)
/userdat.c: 4303 in loginFailure()
4297 if (pass != NULL)
4298 SAFECOPY(attempt->pass, pass);
4299 attempt->count++;
4300 count = attempt->count - attempt->dupes;
4301 if (node == NULL) {
4302 attempt->first = attempt->time;
>>> CID 631133: Program hangs (LOCK)
>>> "listAddNodeData" locks "list->mutex" while it is locked.
4303 listPushNodeData(list, attempt, sizeof(login_attempt_t));
4304 }
4305 listUnlock(list);
4306
4307 if (details != NULL)
4308 *details = *attempt;

** CID 631132: Control flow issues (NO_EFFECT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()

_____________________________________________________________________________________________
*** CID 631132: Control flow issues (NO_EFFECT) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3630 in iniReadEncryptedFile()
3624 buffer = malloc(bufferSize);
3625 if (buffer == NULL)
3626 goto done;
3627 size_t lines = 0;
3628 while(!feof(fp)) {
3629 size_t rret = fread(buffer, 1, bufferSize, fp); >>> CID 631132: Control flow issues (NO_EFFECT) >>> This less-than-zero comparison of an unsigned value is never true. "rret < 0UL".
3630 if (rret < 0 || rret > INT_MAX)
3631 goto done;
3632 if ((streamCipher && rret > 0) || rret == bufferSize) {
3633 size_t bufpos = 0;
3634 status = cryptDecrypt(ctx, buffer, rret);
3635 if (cryptStatusError(status))

** CID 631131: (SLEEP)
/websrvr.c: 6948 in http_session_thread()

_____________________________________________________________________________________________
*** CID 631131: (SLEEP)
/websrvr.c: 6911 in http_session_thread()
6905 }
6906
6907 login_attempt_t attempted;
6908 ulong banned = loginBanned(&scfg, startup->login_attempt_list, session.socket, host_name, startup->login_attempt, &attempted);
6909
6910 /* host_ip wasn't defined in http_session_thread */ >>> CID 631131: (SLEEP)
>>> Call to "trashcan2" might sleep while holding lock "startup->login_attempt_list->mutex".
6911 if (banned || trashcan2(&scfg, session.host_ip, NULL, "ip", &trash)) {
6912 if (banned) {
6913 char ban_duration[128];
6914 lprintf(LOG_NOTICE, "%04d %-5s [%s] !TEMPORARY BAN (%lu login attempts, last: %s) - remaining: %s"
6915 , session.socket, session.client.protocol
6916 , session.host_ip, attempted.count - attempted.dupes, attempted.user
/websrvr.c: 7055 in http_session_thread()
7049 }
7050 /* At this point, if redirp is non-NULL then the headers have already been parsed */
7051 if ((session.http_ver < HTTP_1_0) || redirp != NULL || parse_headers(&session)) {
7052 if (check_request(&session)) {
7053 if (session.req.send_location < MOVED_TEMP || session.req.virtual_path[0] != '/' || loop_count++ >= MAX_REDIR_LOOPS) {
7054 if (read_post_data(&session))
>>> CID 631131: (SLEEP)
>>> Call to "respond" might sleep while holding lock "startup->login_attempt_list->mutex".
7055 respond(&session);
7056 }
7057 else {
7058 if (!session.redir_req[0]) {
7059 safe_snprintf(session.redir_req, sizeof(session.redir_req), "%s %s%s%s", methods[session.req.method]
7060 , session.req.virtual_path, session.http_ver < HTTP_1_0?"":" ", http_vers[session.http_ver]);
/websrvr.c: 6948 in http_session_thread()
6942 client_on(session.socket, &session.client, /* update existing client record? */ false);
6943
6944 if (startup->login_attempt.throttle
6945 && (login_attempts = loginAttempts(startup->login_attempt_list, &session.addr)) > 1) {
6946 lprintf(LOG_DEBUG, "%04d %-5s [%s] Throttling suspicious connection (%lu login attempts)"
6947 , socket, session.client.protocol, session.host_ip, login_attempts);
>>> CID 631131: (SLEEP)
>>> Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
6948 mswait(login_attempts * startup->login_attempt.throttle);
6949 }
6950
6951 session.last_user_num = -1;
6952 session.last_js_user_num = -1;
6953 session.logon_time = 0;

** CID 631130: Null pointer dereferences (FORWARD_NULL)

_____________________________________________________________________________________________
*** CID 631130: Null pointer dereferences (FORWARD_NULL)
/un_rep.cpp: 538 in sbbs_t::unpack_rep(char *)()
532 iniFreeStringList(voting);
533
534 strListFree(&msg_filters.ip_can);
535 strListFree(&msg_filters.host_can);
536 strListFree(&msg_filters.subject_can);
537 strListFree(&msg_filters.twit_list);
>>> CID 631130: Null pointer dereferences (FORWARD_NULL) >>> Passing "&user_list" to "listFree", which dereferences null "user_list.sem".
538 listFree(&user_list);
539
540 if (lastsub != INVALID_SUB)
541 smb_close(&smb);
542 fclose(rep);
543

** CID 631129: Memory - corruptions (OVERRUN) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()

_____________________________________________________________________________________________
*** CID 631129: Memory - corruptions (OVERRUN) /tmp/sbbs-Oct-05-2025/src/xpdev/ini_file.c: 3695 in iniReadEncryptedFile()
3689 *ks = keySize;
3690 if (saltBuf && saltsz && *saltsz) {
3691 size_t cp = *saltsz;
3692 if (cp < saltLength)
3693 cp = saltLength;
3694 if (cp)
>>> CID 631129: Memory - corruptions (OVERRUN) >>> Overrunning array "salt" of 64 bytes by passing it to a function which accesses it at byte offset 64 using argument "cp" (which evaluates to 65). [Note: The source code implementation of the function has been overridden by a builtin model.]
3695 memcpy(saltBuf, salt, cp);
3696 if (cp < *saltsz)
3697 saltBuf[cp] = 0;
3698 }
3699 if (saltsz)
3700 *saltsz = saltLength;

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68e2993ee711b_9d27f2d5dd76db9a859454--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

From scan-admin@coverity.com@VERT to All on Thursday, October 09, 2025 22:28:15

----==_mimepart_68e836fea603a_df2962d5dd76db9a85941e
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

1 new defect(s) introduced to Synchronet found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)

** CID 631415: (FORWARD_NULL)

_____________________________________________________________________________________________
*** CID 631415: (FORWARD_NULL) /tmp/sbbs-Oct-09-2025/src/conio/bitmap_con.c: 2120 in bitmap_setpixels()
2114 }
2115 if (++cpx >= vstat.charwidth) { 2116 cpx = 0;
2117 charx++;
2118 xupdated = false;
2119 assert(off >= 0);

CID 631415: (FORWARD_NULL)
Passing null pointer "vstat.vmem" to "vmem_next_offset", which dereferences it.

2120 off = vmem_next_offset(vstat.vmem, off);
2121 }
2122 }
2123 if (screena.rect->data[pixel_offset(&screena, x, y)] != pixels->pixels[pos]) {
2124 screena.rect->data[pixel_offset(&screena, x, y)] = pixels->pixels[pos];
2125 screena.update_pixels = 1; /tmp/sbbs-Oct-09-2025/src/conio/bitmap_con.c: 2094 in bitmap_setpixels()
2088 int ccols = vstat.cols * vstat.charwidth;
2089 for (y = sy; y <= ey; y++) {
2090 pos = pixels->width*(y-sy+y_off)+x_off;
2091 bool in_text_area = y < crows;
2092 if (in_text_area && !yupdated) {
2093 charx = charsx;

CID 631415: (FORWARD_NULL)
Passing null pointer "vstat.vmem" to "vmem_cell_offset", which dereferences it.

2094 off = vmem_cell_offset(vstat.vmem, charx, chary);
2095 }
2096 if (mask == NULL) {
2097 for (x = sx; x <= ex; x++) {
2098 if (x >= ccols)
2099 in_text_area = false;

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview

----==_mimepart_68e836fea603a_df2962d5dd76db9a85941e
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>

<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>

<ul>
<li><strong>New Defects Found:</strong> 1</li>
<li>
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 1 of 1 defect(s)</li>
</ul>

<h3>Defect Details</h3>
<pre>
** CID 631415: (FORWARD_NULL)

_____________________________________________________________________________________________
*** CID 631415: (FORWARD_NULL) /tmp/sbbs-Oct-09-2025/src/conio/bitmap_con.c: 2120 in bitmap_setpixels()
2114 }
2115 if (++cpx >= vstat.charwidth) {
2116 cpx = 0;
2117 charx++;
2118 xupdated = false;
2119 assert(off >= 0); >>> CID 631415: (FORWARD_NULL)
>>> Passing null pointer "vstat.vmem" to "vmem_next_offset", which dereferences it.
2120 off = vmem_next_offset(vstat.vmem, off);
2121 }
2122 }
2123 if (screena.rect->data[pixel_offset(&screena, x, y)] != pixels->pixels[pos]) {
2124 screena.rect->data[pixel_offset(&screena, x, y)] = pixels->pixels[pos];
2125 screena.update_pixels = 1; /tmp/sbbs-Oct-09-2025/src/conio/bitmap_con.c: 2094 in bitmap_setpixels()
2088 int ccols = vstat.cols * vstat.charwidth;
2089 for (y = sy; y <= ey; y++) {
2090 pos = pixels->width*(y-sy+y_off)+x_off;
2091 bool in_text_area = y < crows;
2092 if (in_text_area && !yupdated) {
2093 charx = charsx;
>>> CID 631415: (FORWARD_NULL)
>>> Passing null pointer "vstat.vmem" to "vmem_cell_offset", which dereferences it.
2094 off = vmem_cell_offset(vstat.vmem, charx, chary);
2095 }
2096 if (mask == NULL) {
2097 for (x = sx; x <= ex; x++) {
2098 if (x >= ccols)
2099 in_text_area = false;

</pre>

<p>
<a href="https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>

<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_68e836fea603a_df2962d5dd76db9a85941e--

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

Sysop:	Jamaica Joe
Location:	Las Vegas, NV
Users:	19
Nodes:	7 (0 / 7)
Uptime:	240:13:38
Calls:	145
Messages:	8,913

New Defects reported by Coverity Scan for Synchronet

Who's Online

Recent Visitors

System Info