-*- mode: compilation; default-directory: "/home/eslerm/audits/protection-domain-mapper/mantic/protection-domain-mapper-1.0"; -*-

pd-mapper.c:246:3: Type: Negative array index write (NEGATIVE_RETURNS)
pd-mapper.c:215:2: 1. path: Condition "class_fd < 0", taking false branch.
pd-mapper.c:221:2: 2. path: Condition "!class_dir", taking false branch.
pd-mapper.c:226:2: 3. path: Condition "(de = readdir(class_dir)) != NULL", taking true branch.
pd-mapper.c:227:3: 4. path: Condition "!strcmp(de->d_name, ".")", taking false branch.
pd-mapper.c:227:3: 5. path: Condition "!strcmp(de->d_name, "..")", taking false branch.
pd-mapper.c:230:3: 6. path: Condition "strlen(de->d_name) + 10UL /* sizeof ("/firmware") */ > 32UL /* sizeof (firmware_attr) */", taking false branch.
pd-mapper.c:237:3: 7. path: Condition "firmware_fd < 0", taking false branch.
pd-mapper.c:240:3: 8. negative_return_fn: Function "read(firmware_fd, firmware_value, 4096UL)" returns a negative number. [Note: The source code implementation of the function has been overridden by a builtin model.]
pd-mapper.c:240:3: 9. assign: Assigning: "n" = "read(firmware_fd, firmware_value, 4096UL)".
pd-mapper.c:242:3: 10. path: Condition "n < 0", taking false branch.
pd-mapper.c:246:3: 11. negative_returns: Using variable "n" as an index to array "firmware_value".

pd-mapper.c:242:7: Type: Unsigned compared against 0 (NO_EFFECT)
pd-mapper.c:242:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "n < 0UL".

pd-mapper.c:246:3: Type: Out-of-bounds write (OVERRUN)
pd-mapper.c:215:2: 1. path: Condition "class_fd < 0", taking false branch.
pd-mapper.c:221:2: 2. path: Condition "!class_dir", taking false branch.
pd-mapper.c:226:2: 3. path: Condition "(de = readdir(class_dir)) != NULL", taking true branch.
pd-mapper.c:227:3: 4. path: Condition "!strcmp(de->d_name, ".")", taking true branch.
pd-mapper.c:228:4: 5. path: Continuing loop.
pd-mapper.c:226:2: 6. path: Condition "(de = readdir(class_dir)) != NULL", taking true branch.
pd-mapper.c:227:3: 7. path: Condition "!strcmp(de->d_name, ".")", taking false branch.
pd-mapper.c:227:3: 8. path: Condition "!strcmp(de->d_name, "..")", taking false branch.
pd-mapper.c:230:3: 9. path: Condition "strlen(de->d_name) + 10UL /* sizeof ("/firmware") */ > 32UL /* sizeof (firmware_attr) */", taking false branch.
pd-mapper.c:237:3: 10. path: Condition "firmware_fd < 0", taking false branch.
pd-mapper.c:240:3: 11. identity_transfer: Passing "4096UL" as argument 3 to function "read", which returns that argument. [Note: The source code implementation of the function has been overridden by a builtin model.]
pd-mapper.c:240:3: 12. assignment: Assigning: "n" = "read(firmware_fd, firmware_value, 4096UL)". The value of "n" is now 4096.
pd-mapper.c:242:3: 13. path: Condition "n < 0", taking false branch.
pd-mapper.c:246:3: 14. overrun-local: Overrunning array "firmware_value" of 4096 bytes at byte offset 4096 using index "n" (which evaluates to 4096).

json.c:332:3: Type: Resource leak (RESOURCE_LEAK)
json.c:324:2: 1. open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a builtin model.]
json.c:324:2: 2. var_assign: Assigning: "fd" = handle returned from "open(file, 0)".
json.c:325:2: 3. path: Condition "fd < 0", taking false branch.
json.c:330:2: 4. noescape: Resource "fd" is not freed or pointed-to in "fstat".
json.c:331:2: 5. path: Condition "ret < 0", taking true branch.
json.c:332:3: 6. leaked_handle: Handle variable "fd" going out of scope leaks the handle.

pd-mapper.c:150:3: Type: Resource leak (RESOURCE_LEAK)
pd-mapper.c:140:2: 1. alloc_fn: Storage is returned from allocation function "json_parse_file".
json.c:325:2: 1.1. path: Condition "fd < 0", taking false branch.
json.c:331:2: 1.2. path: Condition "ret < 0", taking false branch.
json.c:342:2: 1.3. path: Condition "ret != input_len", taking false branch.
json.c:347:2: 1.4. alloc_fn: Storage is returned from allocation function "calloc".
json.c:347:2: 1.5. assign: Assigning: "root" = "calloc(1UL, 32UL)".
json.c:348:2: 1.6. path: Condition "!root", taking false branch.
json.c:351:2: 1.7. noescape: Resource "root" is not freed or pointed-to in function "json_parse_value".
json.c:150:48: 1.7.1. noescape: "json_parse_value(struct json_value *)" does not free or save its parameter "value".
json.c:352:2: 1.8. path: Condition "ret != 1", taking false branch.
json.c:357:2: 1.9. return_alloc: Returning allocated memory "root".
pd-mapper.c:140:2: 2. var_assign: Assigning: "root" = storage returned from "json_parse_file(file)".
pd-mapper.c:141:2: 3. path: Condition "!root", taking false branch.
pd-mapper.c:144:2: 4. noescape: Resource "root" is not freed or pointed-to in "json_get_child".
json.c:360:54: 4.1. noescape: "json_get_child(struct json_value *, char const *)" does not free or save its parameter "object".
pd-mapper.c:149:2: 5. path: Condition "ret", taking true branch.
pd-mapper.c:150:3: 6. leaked_storage: Variable "root" going out of scope leaks the storage it points to.

pd-mapper.c:154:3: Type: Resource leak (RESOURCE_LEAK)
pd-mapper.c:140:2: 1. alloc_fn: Storage is returned from allocation function "json_parse_file".
json.c:325:2: 1.1. path: Condition "fd < 0", taking false branch.
json.c:331:2: 1.2. path: Condition "ret < 0", taking false branch.
json.c:342:2: 1.3. path: Condition "ret != input_len", taking false branch.
json.c:347:2: 1.4. alloc_fn: Storage is returned from allocation function "calloc".
json.c:347:2: 1.5. assign: Assigning: "root" = "calloc(1UL, 32UL)".
json.c:348:2: 1.6. path: Condition "!root", taking false branch.
json.c:351:2: 1.7. noescape: Resource "root" is not freed or pointed-to in function "json_parse_value".
json.c:150:48: 1.7.1. noescape: "json_parse_value(struct json_value *)" does not free or save its parameter "value".
json.c:352:2: 1.8. path: Condition "ret != 1", taking false branch.
json.c:357:2: 1.9. return_alloc: Returning allocated memory "root".
pd-mapper.c:140:2: 2. var_assign: Assigning: "root" = storage returned from "json_parse_file(file)".
pd-mapper.c:141:2: 3. path: Condition "!root", taking false branch.
pd-mapper.c:144:2: 4. noescape: Resource "root" is not freed or pointed-to in "json_get_child".
json.c:360:54: 4.1. noescape: "json_get_child(struct json_value *, char const *)" does not free or save its parameter "object".
pd-mapper.c:149:2: 5. path: Condition "ret", taking false branch.
pd-mapper.c:152:2: 6. path: Condition "!soc", taking true branch.
pd-mapper.c:154:3: 7. leaked_storage: Variable "root" going out of scope leaks the storage it points to.

pd-mapper.c:59:42: Type: Large stack use (STACK_USE)
pd-mapper.c:59:42: stack_use_local_overflow: Local variable "resp" uses 69380 bytes of stack space, which exceeds the maximum single use of 10000 bytes.

pd-mapper.c:87:4: Type: Copy into fixed size buffer (STRING_OVERFLOW)
pd-mapper.c:71:2: 1. path: Condition "ret < 0", taking false branch.
pd-mapper.c:83:2: 2. path: Condition "pd_map->service", taking true branch.
pd-mapper.c:84:3: 3. path: Condition "!strcmp(pd_map->service, req.name)", taking true branch.
pd-mapper.c:87:4: 4. fixed_size_dest: You might overrun the 256-character fixed-size string "entry->name" by copying "pd_map->domain" without checking the length.

pd-mapper.c:253:3: Type: Copy into fixed size buffer (STRING_OVERFLOW)
pd-mapper.c:215:2: 1. path: Condition "class_fd < 0", taking false branch.
pd-mapper.c:221:2: 2. path: Condition "!class_dir", taking false branch.
pd-mapper.c:226:2: 3. path: Condition "(de = readdir(class_dir)) != NULL", taking true branch.
pd-mapper.c:227:3: 4. path: Condition "!strcmp(de->d_name, ".")", taking true branch.
pd-mapper.c:228:4: 5. path: Continuing loop.
pd-mapper.c:226:2: 6. path: Condition "(de = readdir(class_dir)) != NULL", taking true branch.
pd-mapper.c:227:3: 7. path: Condition "!strcmp(de->d_name, ".")", taking false branch.
pd-mapper.c:227:3: 8. path: Condition "!strcmp(de->d_name, "..")", taking false branch.
pd-mapper.c:230:3: 9. path: Condition "strlen(de->d_name) + 10UL /* sizeof ("/firmware") */ > 32UL /* sizeof (firmware_attr) */", taking false branch.
pd-mapper.c:237:3: 10. path: Condition "firmware_fd < 0", taking false branch.
pd-mapper.c:242:3: 11. path: Condition "n < 0", taking false branch.
pd-mapper.c:248:3: 12. path: Condition "strlen("/lib/firmware/") + strlen("updates/") + strlen(firmware_value) + 1 > 4096UL /* sizeof (path) */", taking false branch.
pd-mapper.c:253:3: 13. fixed_size_dest: You might overrun the 4096-character fixed-size string "path" by copying the return value of "dirname" without checking the length.

pd-mapper.c:289:2: Type: Double close (USE_AFTER_FREE)
pd-mapper.c:215:2: 1. path: Condition "class_fd < 0", taking false branch.
pd-mapper.c:220:2: 2. closed_arg: "fdopendir(int)" closes "class_fd".
pd-mapper.c:221:2: 3. path: Condition "!class_dir", taking false branch.
pd-mapper.c:226:2: 4. path: Condition "(de = readdir(class_dir)) != NULL", taking false branch.
pd-mapper.c:289:2: 5. double_close: Calling "close(int)" closes handle "class_fd" which has already been closed.