-*- mode: compilation; default-directory: "/home/eslerm/audits/inetutils/lunar/inetutils-2.4"; -*- ftpd/ftpcmd.c:1498:7: Type: Out-of-bounds access (ARRAY_VS_SINGLETON) ftpd/ftpcmd.c:1425:3: 1. path: Jumping to label "yysetstate". ftpd/ftpcmd.c:1442:3: 2. path: Condition "0", taking false branch. ftpd/ftpcmd.c:1448:3: 3. path: Condition "yyss + yystacksize - 1 <= yyssp", taking true branch. ftpd/ftpcmd.c:1477:7: 4. path: Condition "10000 <= yystacksize", taking false branch. ftpd/ftpcmd.c:1480:7: 5. path: Condition "10000 < yystacksize", taking false branch. ftpd/ftpcmd.c:1488:9: 6. path: Condition "!yyptr", taking false branch. ftpd/ftpcmd.c:1490:9: 7. address_of: Taking address with "&yyptr->yyss_alloc" yields a singleton pointer. ftpd/ftpcmd.c:1490:9: 8. assign: Assigning: "yyss" = "&yyptr->yyss_alloc". ftpd/ftpcmd.c:1493:9: 9. path: Condition "yyss1 != yyssa", taking true branch. ftpd/ftpcmd.c:1498:7: 10. ptr_arith: Using "yyss" as an array. This might corrupt or misinterpret adjacent memory locations. libtelnet/auth.c:278:4: Type: Bad bit shift operation (BAD_SHIFT) libtelnet/auth.c:274:8: Bad bit shift operation. 1. assignment: Assigning: "x" = "0". libtelnet/auth.c:274:3: 2. path: Condition "x < 5", taking true branch. libtelnet/auth.c:276:7: 3. path: Condition "authtype_names[x]", taking true branch. libtelnet/auth.c:276:7: 4. path: Condition "!strcasecmp(name, authtype_names[x])", taking true branch. libtelnet/auth.c:278:4: 5. negative_shift: In expression "1 << x - 1", shifting by a negative amount has undefined behavior. The shift amount, "x - 1", is -1. talkd/acl.c:107:8: Type: Bad bit shift operation (BAD_SHIFT) talkd/acl.c:82:3: Bad bit shift operation. 1. path: Condition "strcmp(str, "any") == 0", taking false branch. talkd/acl.c:91:7: 2. path: Condition "ipaddr == 4294967295U /* (in_addr_t)4294967295U */", taking false branch. talkd/acl.c:93:7: 3. path: Condition "*str == 0", taking false branch. talkd/acl.c:95:12: 4. path: Condition "*str != '/'", taking false branch. talkd/acl.c:100:4: 5. path: Condition "read_address(&str, ipbuf) == 0", taking true branch. talkd/acl.c:103:8: 6. zero_return: Function call "strtoul(ipbuf, NULL, 0)" returns 0. talkd/acl.c:103:8: 7. assignment: Assigning: "len" = "strtoul(ipbuf, NULL, 0)". The value of "len" is now 0. talkd/acl.c:104:8: 8. path: Condition "len > 32", taking false branch. talkd/acl.c:107:8: 9. large_shift: In expression "netmask <<= 32U - len", left shifting by more than 31 bits has undefined behavior. The shift amount, "32U - len", is 32. ifconfig/options.c:565:6: Type: Bad bit shift operation (BAD_SHIFT) ifconfig/options.c:533:3: Bad bit shift operation. 1. path: Switch case value "65". ifconfig/options.c:553:2: 2. path: Condition "netlen", taking true branch. ifconfig/options.c:561:6: 3. zero_return: Function call "strtol(netlen, &end, 10)" returns 0. ifconfig/options.c:561:6: 4. assignment: Assigning: "n" = "strtol(netlen, &end, 10)". The value of "n" is now 0. ifconfig/options.c:562:6: 5. path: Condition "end == netlen", taking false branch. ifconfig/options.c:565:6: 6. large_shift: In expression "0xffffffffU << 32U - n", left shifting by more than 31 bits has undefined behavior. The shift amount, "32U - n", is 32. telnet/sys_bsd.c:1118:7: Type: Bad bit shift operation (BAD_SHIFT) telnet/sys_bsd.c:1079:3: Bad bit shift operation. 1. assignment: Assigning: "nfds" = "0". telnet/sys_bsd.c:1081:3: 2. path: Condition "netout", taking true branch. telnet/sys_bsd.c:1083:7: 3. path: Condition "0", taking false branch. telnet/sys_bsd.c:1084:7: 4. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1084:7: 5. cond_at_most: Checking "net > nfds" implies that "net" may be up to 0 on the false branch. telnet/sys_bsd.c:1087:3: 6. path: Condition "ttyout", taking true branch. telnet/sys_bsd.c:1089:7: 7. path: Condition "0", taking false branch. telnet/sys_bsd.c:1090:7: 8. path: Condition "tout > nfds", taking true branch. telnet/sys_bsd.c:1101:3: 9. path: Condition "ttyin", taking true branch. telnet/sys_bsd.c:1103:7: 10. path: Condition "0", taking false branch. telnet/sys_bsd.c:1104:7: 11. path: Condition "tin > nfds", taking true branch. telnet/sys_bsd.c:1116:3: 12. path: Condition "netin", taking true branch. telnet/sys_bsd.c:1118:7: 13. path: Condition "0", taking false branch. telnet/sys_bsd.c:1118:7: 14. negative_shift: In expression "1UL << net % 64", shifting by a negative amount has undefined behavior. The shift amount, "net % 64", is as little as -63. telnet/sys_bsd.c:1125:7: Type: Bad bit shift operation (BAD_SHIFT) telnet/sys_bsd.c:1079:3: Bad bit shift operation. 1. assignment: Assigning: "nfds" = "0". telnet/sys_bsd.c:1081:3: 2. path: Condition "netout", taking true branch. telnet/sys_bsd.c:1083:7: 3. path: Condition "0", taking false branch. telnet/sys_bsd.c:1084:7: 4. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1084:7: 5. cond_at_most: Checking "net > nfds" implies that "net" may be up to 0 on the false branch. telnet/sys_bsd.c:1087:3: 6. path: Condition "ttyout", taking true branch. telnet/sys_bsd.c:1089:7: 7. path: Condition "0", taking false branch. telnet/sys_bsd.c:1090:7: 8. path: Condition "tout > nfds", taking true branch. telnet/sys_bsd.c:1101:3: 9. path: Condition "ttyin", taking true branch. telnet/sys_bsd.c:1103:7: 10. path: Condition "0", taking false branch. telnet/sys_bsd.c:1104:7: 11. path: Condition "tin > nfds", taking true branch. telnet/sys_bsd.c:1116:3: 12. path: Condition "netin", taking true branch. telnet/sys_bsd.c:1118:7: 13. path: Condition "0", taking false branch. telnet/sys_bsd.c:1119:7: 14. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1123:3: 15. path: Condition "netex", taking true branch. telnet/sys_bsd.c:1125:7: 16. path: Condition "0", taking false branch. telnet/sys_bsd.c:1125:7: 17. negative_shift: In expression "1UL << net % 64", shifting by a negative amount has undefined behavior. The shift amount, "net % 64", is as little as -63. telnet/sys_bsd.c:1171:3: Type: Bad bit shift operation (BAD_SHIFT) telnet/sys_bsd.c:1079:3: Bad bit shift operation. 1. assignment: Assigning: "nfds" = "0". telnet/sys_bsd.c:1081:3: 2. path: Condition "netout", taking true branch. telnet/sys_bsd.c:1083:7: 3. path: Condition "0", taking false branch. telnet/sys_bsd.c:1084:7: 4. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1084:7: 5. cond_at_most: Checking "net > nfds" implies that "net" may be up to 0 on the false branch. telnet/sys_bsd.c:1087:3: 6. path: Condition "ttyout", taking true branch. telnet/sys_bsd.c:1089:7: 7. path: Condition "0", taking false branch. telnet/sys_bsd.c:1090:7: 8. path: Condition "tout > nfds", taking true branch. telnet/sys_bsd.c:1101:3: 9. path: Condition "ttyin", taking true branch. telnet/sys_bsd.c:1103:7: 10. path: Condition "0", taking false branch. telnet/sys_bsd.c:1104:7: 11. path: Condition "tin > nfds", taking true branch. telnet/sys_bsd.c:1116:3: 12. path: Condition "netin", taking true branch. telnet/sys_bsd.c:1118:7: 13. path: Condition "0", taking false branch. telnet/sys_bsd.c:1119:7: 14. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1123:3: 15. path: Condition "netex", taking true branch. telnet/sys_bsd.c:1125:7: 16. path: Condition "0", taking false branch. telnet/sys_bsd.c:1126:7: 17. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1129:3: 18. path: Condition "poll == 0", taking true branch. telnet/sys_bsd.c:1129:3: 19. path: Condition "(c = select(nfds + 1, &ibits, &obits, &xbits, ((poll == 0) ? NULL : &TimeValue))) < 0", taking false branch. telnet/sys_bsd.c:1171:7: 20. path: Condition "0", taking false branch. telnet/sys_bsd.c:1171:3: 21. negative_shift: In expression "1UL << net % 64", shifting by a negative amount has undefined behavior. The shift amount, "net % 64", is as little as -63. telnet/sys_bsd.c:1173:7: Type: Bad bit shift operation (BAD_SHIFT) telnet/sys_bsd.c:1079:3: Bad bit shift operation. 1. assignment: Assigning: "nfds" = "0". telnet/sys_bsd.c:1081:3: 2. path: Condition "netout", taking true branch. telnet/sys_bsd.c:1083:7: 3. path: Condition "0", taking false branch. telnet/sys_bsd.c:1084:7: 4. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1084:7: 5. cond_at_most: Checking "net > nfds" implies that "net" may be up to 0 on the false branch. telnet/sys_bsd.c:1087:3: 6. path: Condition "ttyout", taking true branch. telnet/sys_bsd.c:1089:7: 7. path: Condition "0", taking false branch. telnet/sys_bsd.c:1090:7: 8. path: Condition "tout > nfds", taking true branch. telnet/sys_bsd.c:1101:3: 9. path: Condition "ttyin", taking true branch. telnet/sys_bsd.c:1103:7: 10. path: Condition "0", taking false branch. telnet/sys_bsd.c:1104:7: 11. path: Condition "tin > nfds", taking true branch. telnet/sys_bsd.c:1116:3: 12. path: Condition "netin", taking true branch. telnet/sys_bsd.c:1118:7: 13. path: Condition "0", taking false branch. telnet/sys_bsd.c:1119:7: 14. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1123:3: 15. path: Condition "netex", taking true branch. telnet/sys_bsd.c:1125:7: 16. path: Condition "0", taking false branch. telnet/sys_bsd.c:1126:7: 17. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1129:3: 18. path: Condition "poll == 0", taking true branch. telnet/sys_bsd.c:1129:3: 19. path: Condition "(c = select(nfds + 1, &ibits, &obits, &xbits, ((poll == 0) ? NULL : &TimeValue))) < 0", taking false branch. telnet/sys_bsd.c:1171:7: 20. path: Condition "0", taking false branch. telnet/sys_bsd.c:1171:3: 21. path: Condition "(xbits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1173:7: 22. path: Condition "0", taking false branch. telnet/sys_bsd.c:1173:7: 23. negative_shift: In expression "1UL << net % 64", shifting by a negative amount has undefined behavior. The shift amount, "net % 64", is as little as -63. telnet/sys_bsd.c:1181:3: Type: Bad bit shift operation (BAD_SHIFT) telnet/sys_bsd.c:1079:3: Bad bit shift operation. 1. assignment: Assigning: "nfds" = "0". telnet/sys_bsd.c:1081:3: 2. path: Condition "netout", taking true branch. telnet/sys_bsd.c:1083:7: 3. path: Condition "0", taking false branch. telnet/sys_bsd.c:1084:7: 4. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1084:7: 5. cond_at_most: Checking "net > nfds" implies that "net" may be up to 0 on the false branch. telnet/sys_bsd.c:1087:3: 6. path: Condition "ttyout", taking true branch. telnet/sys_bsd.c:1089:7: 7. path: Condition "0", taking false branch. telnet/sys_bsd.c:1090:7: 8. path: Condition "tout > nfds", taking true branch. telnet/sys_bsd.c:1101:3: 9. path: Condition "ttyin", taking true branch. telnet/sys_bsd.c:1103:7: 10. path: Condition "0", taking false branch. telnet/sys_bsd.c:1104:7: 11. path: Condition "tin > nfds", taking true branch. telnet/sys_bsd.c:1116:3: 12. path: Condition "netin", taking true branch. telnet/sys_bsd.c:1118:7: 13. path: Condition "0", taking false branch. telnet/sys_bsd.c:1119:7: 14. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1123:3: 15. path: Condition "netex", taking true branch. telnet/sys_bsd.c:1125:7: 16. path: Condition "0", taking false branch. telnet/sys_bsd.c:1126:7: 17. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1129:3: 18. path: Condition "poll == 0", taking true branch. telnet/sys_bsd.c:1129:3: 19. path: Condition "(c = select(nfds + 1, &ibits, &obits, &xbits, ((poll == 0) ? NULL : &TimeValue))) < 0", taking false branch. telnet/sys_bsd.c:1171:7: 20. path: Condition "0", taking false branch. telnet/sys_bsd.c:1171:3: 21. path: Condition "(xbits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1173:7: 22. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:7: 23. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:3: 24. negative_shift: In expression "1UL << net % 64", shifting by a negative amount has undefined behavior. The shift amount, "net % 64", is as little as -63. telnet/sys_bsd.c:1185:7: Type: Bad bit shift operation (BAD_SHIFT) telnet/sys_bsd.c:1079:3: Bad bit shift operation. 1. assignment: Assigning: "nfds" = "0". telnet/sys_bsd.c:1081:3: 2. path: Condition "netout", taking true branch. telnet/sys_bsd.c:1083:7: 3. path: Condition "0", taking false branch. telnet/sys_bsd.c:1084:7: 4. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1084:7: 5. cond_at_most: Checking "net > nfds" implies that "net" may be up to 0 on the false branch. telnet/sys_bsd.c:1087:3: 6. path: Condition "ttyout", taking true branch. telnet/sys_bsd.c:1089:7: 7. path: Condition "0", taking false branch. telnet/sys_bsd.c:1090:7: 8. path: Condition "tout > nfds", taking true branch. telnet/sys_bsd.c:1101:3: 9. path: Condition "ttyin", taking true branch. telnet/sys_bsd.c:1103:7: 10. path: Condition "0", taking false branch. telnet/sys_bsd.c:1104:7: 11. path: Condition "tin > nfds", taking true branch. telnet/sys_bsd.c:1116:3: 12. path: Condition "netin", taking true branch. telnet/sys_bsd.c:1118:7: 13. path: Condition "0", taking false branch. telnet/sys_bsd.c:1119:7: 14. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1123:3: 15. path: Condition "netex", taking true branch. telnet/sys_bsd.c:1125:7: 16. path: Condition "0", taking false branch. telnet/sys_bsd.c:1126:7: 17. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1129:3: 18. path: Condition "poll == 0", taking true branch. telnet/sys_bsd.c:1129:3: 19. path: Condition "(c = select(nfds + 1, &ibits, &obits, &xbits, ((poll == 0) ? NULL : &TimeValue))) < 0", taking false branch. telnet/sys_bsd.c:1171:7: 20. path: Condition "0", taking false branch. telnet/sys_bsd.c:1171:3: 21. path: Condition "(xbits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1173:7: 22. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:7: 23. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:3: 24. path: Condition "(ibits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1185:7: 25. path: Condition "0", taking false branch. telnet/sys_bsd.c:1185:7: 26. negative_shift: In expression "1UL << net % 64", shifting by a negative amount has undefined behavior. The shift amount, "net % 64", is as little as -63. telnet/sys_bsd.c:1314:3: Type: Bad bit shift operation (BAD_SHIFT) telnet/sys_bsd.c:1079:3: Bad bit shift operation. 1. assignment: Assigning: "nfds" = "0". telnet/sys_bsd.c:1081:3: 2. path: Condition "netout", taking true branch. telnet/sys_bsd.c:1083:7: 3. path: Condition "0", taking false branch. telnet/sys_bsd.c:1084:7: 4. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1087:3: 5. path: Condition "ttyout", taking true branch. telnet/sys_bsd.c:1089:7: 6. path: Condition "0", taking false branch. telnet/sys_bsd.c:1090:7: 7. path: Condition "tout > nfds", taking false branch. telnet/sys_bsd.c:1101:3: 8. path: Condition "ttyin", taking true branch. telnet/sys_bsd.c:1103:7: 9. path: Condition "0", taking false branch. telnet/sys_bsd.c:1104:7: 10. path: Condition "tin > nfds", taking false branch. telnet/sys_bsd.c:1104:7: 11. cond_at_most: Checking "tin > nfds" implies that "tin" may be up to 0 on the false branch. telnet/sys_bsd.c:1116:3: 12. path: Condition "netin", taking true branch. telnet/sys_bsd.c:1118:7: 13. path: Condition "0", taking false branch. telnet/sys_bsd.c:1119:7: 14. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1123:3: 15. path: Condition "netex", taking true branch. telnet/sys_bsd.c:1125:7: 16. path: Condition "0", taking false branch. telnet/sys_bsd.c:1126:7: 17. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1129:3: 18. path: Condition "poll == 0", taking true branch. telnet/sys_bsd.c:1129:3: 19. path: Condition "(c = select(nfds + 1, &ibits, &obits, &xbits, ((poll == 0) ? NULL : &TimeValue))) < 0", taking false branch. telnet/sys_bsd.c:1171:7: 20. path: Condition "0", taking false branch. telnet/sys_bsd.c:1171:3: 21. path: Condition "(xbits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1173:7: 22. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:7: 23. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:3: 24. path: Condition "(ibits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking false branch. telnet/sys_bsd.c:1314:7: 25. path: Condition "0", taking false branch. telnet/sys_bsd.c:1314:3: 26. negative_shift: In expression "1UL << tin % 64", shifting by a negative amount has undefined behavior. The shift amount, "tin % 64", is as little as -63. telnet/sys_bsd.c:1316:7: Type: Bad bit shift operation (BAD_SHIFT) telnet/sys_bsd.c:1079:3: Bad bit shift operation. 1. assignment: Assigning: "nfds" = "0". telnet/sys_bsd.c:1081:3: 2. path: Condition "netout", taking true branch. telnet/sys_bsd.c:1083:7: 3. path: Condition "0", taking false branch. telnet/sys_bsd.c:1084:7: 4. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1087:3: 5. path: Condition "ttyout", taking true branch. telnet/sys_bsd.c:1089:7: 6. path: Condition "0", taking false branch. telnet/sys_bsd.c:1090:7: 7. path: Condition "tout > nfds", taking false branch. telnet/sys_bsd.c:1101:3: 8. path: Condition "ttyin", taking true branch. telnet/sys_bsd.c:1103:7: 9. path: Condition "0", taking false branch. telnet/sys_bsd.c:1104:7: 10. path: Condition "tin > nfds", taking false branch. telnet/sys_bsd.c:1104:7: 11. cond_at_most: Checking "tin > nfds" implies that "tin" may be up to 0 on the false branch. telnet/sys_bsd.c:1116:3: 12. path: Condition "netin", taking true branch. telnet/sys_bsd.c:1118:7: 13. path: Condition "0", taking false branch. telnet/sys_bsd.c:1119:7: 14. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1123:3: 15. path: Condition "netex", taking true branch. telnet/sys_bsd.c:1125:7: 16. path: Condition "0", taking false branch. telnet/sys_bsd.c:1126:7: 17. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1129:3: 18. path: Condition "poll == 0", taking true branch. telnet/sys_bsd.c:1129:3: 19. path: Condition "(c = select(nfds + 1, &ibits, &obits, &xbits, ((poll == 0) ? NULL : &TimeValue))) < 0", taking false branch. telnet/sys_bsd.c:1171:7: 20. path: Condition "0", taking false branch. telnet/sys_bsd.c:1171:3: 21. path: Condition "(xbits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1173:7: 22. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:7: 23. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:3: 24. path: Condition "(ibits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking false branch. telnet/sys_bsd.c:1314:7: 25. path: Condition "0", taking false branch. telnet/sys_bsd.c:1314:3: 26. path: Condition "(ibits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << tin % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1316:7: 27. path: Condition "0", taking false branch. telnet/sys_bsd.c:1316:7: 28. negative_shift: In expression "1UL << tin % 64", shifting by a negative amount has undefined behavior. The shift amount, "tin % 64", is as little as -63. telnet/sys_bsd.c:1347:3: Type: Bad bit shift operation (BAD_SHIFT) telnet/sys_bsd.c:1079:3: Bad bit shift operation. 1. assignment: Assigning: "nfds" = "0". telnet/sys_bsd.c:1081:3: 2. path: Condition "netout", taking true branch. telnet/sys_bsd.c:1083:7: 3. path: Condition "0", taking false branch. telnet/sys_bsd.c:1084:7: 4. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1084:7: 5. cond_at_most: Checking "net > nfds" implies that "net" may be up to 0 on the false branch. telnet/sys_bsd.c:1087:3: 6. path: Condition "ttyout", taking true branch. telnet/sys_bsd.c:1089:7: 7. path: Condition "0", taking false branch. telnet/sys_bsd.c:1090:7: 8. path: Condition "tout > nfds", taking true branch. telnet/sys_bsd.c:1101:3: 9. path: Condition "ttyin", taking true branch. telnet/sys_bsd.c:1103:7: 10. path: Condition "0", taking false branch. telnet/sys_bsd.c:1104:7: 11. path: Condition "tin > nfds", taking true branch. telnet/sys_bsd.c:1116:3: 12. path: Condition "netin", taking true branch. telnet/sys_bsd.c:1118:7: 13. path: Condition "0", taking false branch. telnet/sys_bsd.c:1119:7: 14. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1123:3: 15. path: Condition "netex", taking true branch. telnet/sys_bsd.c:1125:7: 16. path: Condition "0", taking false branch. telnet/sys_bsd.c:1126:7: 17. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1129:3: 18. path: Condition "poll == 0", taking true branch. telnet/sys_bsd.c:1129:3: 19. path: Condition "(c = select(nfds + 1, &ibits, &obits, &xbits, ((poll == 0) ? NULL : &TimeValue))) < 0", taking false branch. telnet/sys_bsd.c:1171:7: 20. path: Condition "0", taking false branch. telnet/sys_bsd.c:1171:3: 21. path: Condition "(xbits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1173:7: 22. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:7: 23. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:3: 24. path: Condition "(ibits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking false branch. telnet/sys_bsd.c:1314:7: 25. path: Condition "0", taking false branch. telnet/sys_bsd.c:1314:3: 26. path: Condition "(ibits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << tin % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1316:7: 27. path: Condition "0", taking false branch. telnet/sys_bsd.c:1319:7: 28. path: Condition "c < 0", taking true branch. telnet/sys_bsd.c:1319:7: 29. path: Condition "*__errno_location() == 5", taking true branch. telnet/sys_bsd.c:1321:7: 30. path: Condition "c < 0", taking false branch. telnet/sys_bsd.c:1328:4: 31. path: Condition "c == 0", taking true branch. telnet/sys_bsd.c:1328:4: 32. path: Condition "globalmode & (3 /* 1 | 2 */)", taking true branch. telnet/sys_bsd.c:1328:4: 33. path: Condition "isatty(tin)", taking true branch. telnet/sys_bsd.c:1334:4: 34. path: Condition "c <= 0", taking false branch. telnet/sys_bsd.c:1338:4: 35. path: Condition "termdata", taking true branch. telnet/sys_bsd.c:1347:7: 36. path: Condition "0", taking false branch. telnet/sys_bsd.c:1347:3: 37. negative_shift: In expression "1UL << net % 64", shifting by a negative amount has undefined behavior. The shift amount, "net % 64", is as little as -63. telnet/sys_bsd.c:1349:7: Type: Bad bit shift operation (BAD_SHIFT) telnet/sys_bsd.c:1079:3: Bad bit shift operation. 1. assignment: Assigning: "nfds" = "0". telnet/sys_bsd.c:1081:3: 2. path: Condition "netout", taking true branch. telnet/sys_bsd.c:1083:7: 3. path: Condition "0", taking false branch. telnet/sys_bsd.c:1084:7: 4. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1084:7: 5. cond_at_most: Checking "net > nfds" implies that "net" may be up to 0 on the false branch. telnet/sys_bsd.c:1087:3: 6. path: Condition "ttyout", taking true branch. telnet/sys_bsd.c:1089:7: 7. path: Condition "0", taking false branch. telnet/sys_bsd.c:1090:7: 8. path: Condition "tout > nfds", taking true branch. telnet/sys_bsd.c:1101:3: 9. path: Condition "ttyin", taking true branch. telnet/sys_bsd.c:1103:7: 10. path: Condition "0", taking false branch. telnet/sys_bsd.c:1104:7: 11. path: Condition "tin > nfds", taking true branch. telnet/sys_bsd.c:1116:3: 12. path: Condition "netin", taking true branch. telnet/sys_bsd.c:1118:7: 13. path: Condition "0", taking false branch. telnet/sys_bsd.c:1119:7: 14. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1123:3: 15. path: Condition "netex", taking true branch. telnet/sys_bsd.c:1125:7: 16. path: Condition "0", taking false branch. telnet/sys_bsd.c:1126:7: 17. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1129:3: 18. path: Condition "poll == 0", taking true branch. telnet/sys_bsd.c:1129:3: 19. path: Condition "(c = select(nfds + 1, &ibits, &obits, &xbits, ((poll == 0) ? NULL : &TimeValue))) < 0", taking false branch. telnet/sys_bsd.c:1171:7: 20. path: Condition "0", taking false branch. telnet/sys_bsd.c:1171:3: 21. path: Condition "(xbits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1173:7: 22. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:7: 23. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:3: 24. path: Condition "(ibits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking false branch. telnet/sys_bsd.c:1314:7: 25. path: Condition "0", taking false branch. telnet/sys_bsd.c:1314:3: 26. path: Condition "(ibits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << tin % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1316:7: 27. path: Condition "0", taking false branch. telnet/sys_bsd.c:1319:7: 28. path: Condition "c < 0", taking true branch. telnet/sys_bsd.c:1319:7: 29. path: Condition "*__errno_location() == 5", taking true branch. telnet/sys_bsd.c:1321:7: 30. path: Condition "c < 0", taking false branch. telnet/sys_bsd.c:1328:4: 31. path: Condition "c == 0", taking true branch. telnet/sys_bsd.c:1328:4: 32. path: Condition "globalmode & (3 /* 1 | 2 */)", taking true branch. telnet/sys_bsd.c:1328:4: 33. path: Condition "isatty(tin)", taking true branch. telnet/sys_bsd.c:1334:4: 34. path: Condition "c <= 0", taking false branch. telnet/sys_bsd.c:1338:4: 35. path: Condition "termdata", taking true branch. telnet/sys_bsd.c:1347:7: 36. path: Condition "0", taking false branch. telnet/sys_bsd.c:1347:3: 37. path: Condition "(obits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1349:7: 38. path: Condition "0", taking false branch. telnet/sys_bsd.c:1349:7: 39. negative_shift: In expression "1UL << net % 64", shifting by a negative amount has undefined behavior. The shift amount, "net % 64", is as little as -63. telnet/sys_bsd.c:1352:3: Type: Bad bit shift operation (BAD_SHIFT) telnet/sys_bsd.c:1079:3: Bad bit shift operation. 1. assignment: Assigning: "nfds" = "0". telnet/sys_bsd.c:1081:3: 2. path: Condition "netout", taking true branch. telnet/sys_bsd.c:1083:7: 3. path: Condition "0", taking false branch. telnet/sys_bsd.c:1084:7: 4. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1087:3: 5. path: Condition "ttyout", taking true branch. telnet/sys_bsd.c:1089:7: 6. path: Condition "0", taking false branch. telnet/sys_bsd.c:1090:7: 7. path: Condition "tout > nfds", taking false branch. telnet/sys_bsd.c:1090:7: 8. cond_at_most: Checking "tout > nfds" implies that "tout" may be up to 0 on the false branch. telnet/sys_bsd.c:1101:3: 9. path: Condition "ttyin", taking true branch. telnet/sys_bsd.c:1103:7: 10. path: Condition "0", taking false branch. telnet/sys_bsd.c:1104:7: 11. path: Condition "tin > nfds", taking true branch. telnet/sys_bsd.c:1116:3: 12. path: Condition "netin", taking true branch. telnet/sys_bsd.c:1118:7: 13. path: Condition "0", taking false branch. telnet/sys_bsd.c:1119:7: 14. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1123:3: 15. path: Condition "netex", taking true branch. telnet/sys_bsd.c:1125:7: 16. path: Condition "0", taking false branch. telnet/sys_bsd.c:1126:7: 17. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1129:3: 18. path: Condition "poll == 0", taking true branch. telnet/sys_bsd.c:1129:3: 19. path: Condition "(c = select(nfds + 1, &ibits, &obits, &xbits, ((poll == 0) ? NULL : &TimeValue))) < 0", taking false branch. telnet/sys_bsd.c:1171:7: 20. path: Condition "0", taking false branch. telnet/sys_bsd.c:1171:3: 21. path: Condition "(xbits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1173:7: 22. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:7: 23. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:3: 24. path: Condition "(ibits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking false branch. telnet/sys_bsd.c:1314:7: 25. path: Condition "0", taking false branch. telnet/sys_bsd.c:1314:3: 26. path: Condition "(ibits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << tin % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1316:7: 27. path: Condition "0", taking false branch. telnet/sys_bsd.c:1319:7: 28. path: Condition "c < 0", taking true branch. telnet/sys_bsd.c:1319:7: 29. path: Condition "*__errno_location() == 5", taking true branch. telnet/sys_bsd.c:1321:7: 30. path: Condition "c < 0", taking false branch. telnet/sys_bsd.c:1328:4: 31. path: Condition "c == 0", taking true branch. telnet/sys_bsd.c:1328:4: 32. path: Condition "globalmode & (3 /* 1 | 2 */)", taking true branch. telnet/sys_bsd.c:1328:4: 33. path: Condition "isatty(tin)", taking true branch. telnet/sys_bsd.c:1334:4: 34. path: Condition "c <= 0", taking false branch. telnet/sys_bsd.c:1338:4: 35. path: Condition "termdata", taking true branch. telnet/sys_bsd.c:1347:7: 36. path: Condition "0", taking false branch. telnet/sys_bsd.c:1347:3: 37. path: Condition "(obits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1349:7: 38. path: Condition "0", taking false branch. telnet/sys_bsd.c:1352:7: 39. path: Condition "0", taking false branch. telnet/sys_bsd.c:1352:3: 40. negative_shift: In expression "1UL << tout % 64", shifting by a negative amount has undefined behavior. The shift amount, "tout % 64", is as little as -63. telnet/sys_bsd.c:1354:7: Type: Bad bit shift operation (BAD_SHIFT) telnet/sys_bsd.c:1079:3: Bad bit shift operation. 1. assignment: Assigning: "nfds" = "0". telnet/sys_bsd.c:1081:3: 2. path: Condition "netout", taking true branch. telnet/sys_bsd.c:1083:7: 3. path: Condition "0", taking false branch. telnet/sys_bsd.c:1084:7: 4. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1087:3: 5. path: Condition "ttyout", taking true branch. telnet/sys_bsd.c:1089:7: 6. path: Condition "0", taking false branch. telnet/sys_bsd.c:1090:7: 7. path: Condition "tout > nfds", taking false branch. telnet/sys_bsd.c:1090:7: 8. cond_at_most: Checking "tout > nfds" implies that "tout" may be up to 0 on the false branch. telnet/sys_bsd.c:1101:3: 9. path: Condition "ttyin", taking true branch. telnet/sys_bsd.c:1103:7: 10. path: Condition "0", taking false branch. telnet/sys_bsd.c:1104:7: 11. path: Condition "tin > nfds", taking true branch. telnet/sys_bsd.c:1116:3: 12. path: Condition "netin", taking true branch. telnet/sys_bsd.c:1118:7: 13. path: Condition "0", taking false branch. telnet/sys_bsd.c:1119:7: 14. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1123:3: 15. path: Condition "netex", taking true branch. telnet/sys_bsd.c:1125:7: 16. path: Condition "0", taking false branch. telnet/sys_bsd.c:1126:7: 17. path: Condition "net > nfds", taking false branch. telnet/sys_bsd.c:1129:3: 18. path: Condition "poll == 0", taking true branch. telnet/sys_bsd.c:1129:3: 19. path: Condition "(c = select(nfds + 1, &ibits, &obits, &xbits, ((poll == 0) ? NULL : &TimeValue))) < 0", taking false branch. telnet/sys_bsd.c:1171:7: 20. path: Condition "0", taking false branch. telnet/sys_bsd.c:1171:3: 21. path: Condition "(xbits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1173:7: 22. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:7: 23. path: Condition "0", taking false branch. telnet/sys_bsd.c:1181:3: 24. path: Condition "(ibits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking false branch. telnet/sys_bsd.c:1314:7: 25. path: Condition "0", taking false branch. telnet/sys_bsd.c:1314:3: 26. path: Condition "(ibits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << tin % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1316:7: 27. path: Condition "0", taking false branch. telnet/sys_bsd.c:1319:7: 28. path: Condition "c < 0", taking true branch. telnet/sys_bsd.c:1319:7: 29. path: Condition "*__errno_location() == 5", taking true branch. telnet/sys_bsd.c:1321:7: 30. path: Condition "c < 0", taking false branch. telnet/sys_bsd.c:1328:4: 31. path: Condition "c == 0", taking true branch. telnet/sys_bsd.c:1328:4: 32. path: Condition "globalmode & (3 /* 1 | 2 */)", taking true branch. telnet/sys_bsd.c:1328:4: 33. path: Condition "isatty(tin)", taking true branch. telnet/sys_bsd.c:1334:4: 34. path: Condition "c <= 0", taking false branch. telnet/sys_bsd.c:1338:4: 35. path: Condition "termdata", taking true branch. telnet/sys_bsd.c:1347:7: 36. path: Condition "0", taking false branch. telnet/sys_bsd.c:1347:3: 37. path: Condition "(obits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << net % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1349:7: 38. path: Condition "0", taking false branch. telnet/sys_bsd.c:1352:7: 39. path: Condition "0", taking false branch. telnet/sys_bsd.c:1352:3: 40. path: Condition "(obits.fds_bits[({...; 0 ? (0 <= __d && __d < 1024) ? __d / (64L /* 8 * (int)sizeof (__fd_mask) */) : __fdelt_warn(__d) : __fdelt_chk(__d);})] & (__fd_mask)(1UL << tout % (64 /* 8 * (int)sizeof (__fd_mask) */))) != 0", taking true branch. telnet/sys_bsd.c:1354:7: 41. path: Condition "0", taking false branch. telnet/sys_bsd.c:1354:7: 42. negative_shift: In expression "1UL << tout % 64", shifting by a negative amount has undefined behavior. The shift amount, "tout % 64", is as little as -63. lib/fts.c:1839:13: Type: Incorrect sizeof expression (BAD_SIZEOF) lib/fts.c:1839:13: bad_sizeof: Taking the size of "&dummy", which is the address of an object, is suspicious. lib/fts.c:1839:13: remediation: Did you intend the size of "dummy" itself? libinetutils/utmp_init.c:83:3: Type: Buffer not null terminated (BUFFER_SIZE) libinetutils/utmp_init.c:83:3: 1. buffer_size_warning: Calling "strncpy" with a maximum size argument of 4 bytes on destination array "utx.ut_id" of size 4 bytes might leave the destination string unterminated. libinetutils/utmp_init.c:86:3: Type: Buffer not null terminated (BUFFER_SIZE) libinetutils/utmp_init.c:86:3: 1. buffer_size_warning: Calling "strncpy" with a maximum size argument of 32 bytes on destination array "utx.ut_user" of size 32 bytes might leave the destination string unterminated. libinetutils/utmp_init.c:91:3: Type: Buffer not null terminated (BUFFER_SIZE) libinetutils/utmp_init.c:91:3: 1. buffer_size_warning: Calling "strncpy" with a maximum size argument of 256 bytes on destination array "utx.ut_host" of size 256 bytes might leave the destination string unterminated. libinetutils/utmp_init.c:103:3: Type: Buffer not null terminated (BUFFER_SIZE) libinetutils/utmp_init.c:103:3: 1. buffer_size_warning: Calling "strncpy" with a maximum size argument of 32 bytes on destination array "utx.ut_line" of size 32 bytes might leave the destination string unterminated. libinetutils/utmp_logout.c:73:3: Type: Buffer not null terminated (BUFFER_SIZE) libinetutils/utmp_logout.c:73:3: 1. buffer_size_warning: Calling "strncpy" with a maximum size argument of 32 bytes on destination array "utx.ut_line" of size 32 bytes might leave the destination string unterminated. libinetutils/utmp_logout.c:78:3: 2. path: Condition "ut", taking true branch. libinetutils/logwtmp.c:127:3: Type: Buffer not null terminated (BUFFER_SIZE) libinetutils/logwtmp.c:118:3: 1. path: Condition "name", taking true branch. libinetutils/logwtmp.c:118:3: 2. path: Condition "*name", taking true branch. libinetutils/logwtmp.c:119:30: 3. path: Falling through to end of if statement. libinetutils/logwtmp.c:127:3: 4. buffer_size_warning: Calling "strncpy" with a maximum size argument of 32 bytes on destination array "ut.ut_line" of size 32 bytes might leave the destination string unterminated. libinetutils/logwtmp.c:129:3: Type: Buffer not null terminated (BUFFER_SIZE) libinetutils/logwtmp.c:118:3: 1. path: Condition "name", taking true branch. libinetutils/logwtmp.c:118:3: 2. path: Condition "*name", taking true branch. libinetutils/logwtmp.c:119:30: 3. path: Falling through to end of if statement. libinetutils/logwtmp.c:129:3: 4. buffer_size_warning: Calling "strncpy" with a maximum size argument of 32 bytes on destination array "ut.ut_user" of size 32 bytes might leave the destination string unterminated. libinetutils/logwtmp.c:135:3: Type: Buffer not null terminated (BUFFER_SIZE) libinetutils/logwtmp.c:118:3: 1. path: Condition "name", taking true branch. libinetutils/logwtmp.c:118:3: 2. path: Condition "*name", taking true branch. libinetutils/logwtmp.c:119:30: 3. path: Falling through to end of if statement. libinetutils/logwtmp.c:135:3: 4. buffer_size_warning: Calling "strncpy" with a maximum size argument of 256 bytes on destination array "ut.ut_host" of size 256 bytes might leave the destination string unterminated. ping/ping_common.c:214:3: Type: Unchecked return value from library (CHECKED_RETURN) ping/ping_common.c:214:3: Unchecked call to function 1. check_return: Calling "setsockopt(ping->ping_fd, 1, opt, (char *)&val, valsize)" without checking return value. This library function may fail and return an error code. src/inetd.c:1566:3: Type: Ignoring number of bytes read (CHECKED_RETURN) src/inetd.c:1566:3: Ignoring number of bytes read 1. check_return: "read(int, void *, size_t)" returns the number of bytes read, but it is ignored. tests/addrpeek.c:76:3: Type: Unchecked return value from library (CHECKED_RETURN) tests/addrpeek.c:76:3: Unchecked call to function 1. check_return: Calling "getsockopt(fd, 1, 3, &type, &sslen)" without checking return value. This library function may fail and return an error code. src/inetd.c:1539:3: Type: Unchecked return value from library (CHECKED_RETURN) src/inetd.c:1537:3: Unchecked call to function 1. path: Condition "i < 0", taking false branch. src/inetd.c:1539:3: 2. check_return: Calling "sendto(s, buffer, i, 0, __CONST_SOCKADDR_ARG({.__sockaddr__ = (struct sockaddr *)&sa}), 128U)" without checking return value. This library function may fail and return an error code. tests/addrpeek.c:81:7: Type: Unchecked return value from library (CHECKED_RETURN) tests/addrpeek.c:78:3: Unchecked call to function 1. path: Condition "type == SOCK_STREAM", taking true branch. tests/addrpeek.c:81:7: 2. check_return: Calling "getpeername(fd, __SOCKADDR_ARG({.__sockaddr__ = (struct sockaddr *)&ss}), &sslen)" without checking return value. This library function may fail and return an error code. src/inetd.c:1709:3: Type: Unchecked return value from library (CHECKED_RETURN) src/inetd.c:1705:3: Unchecked call to function 1. path: Condition "recvfrom(s, (char *)&result, 8UL /* sizeof (result) */, 0, __SOCKADDR_ARG({.__sockaddr__ = (struct sockaddr *)&sa}), &size) < 0", taking false branch. src/inetd.c:1709:3: 2. check_return: Calling "sendto(s, (char *)&result, 8UL, 0, __CONST_SOCKADDR_ARG({.__sockaddr__ = (struct sockaddr *)&sa}), 128U)" without checking return value. This library function may fail and return an error code. src/inetd.c:1746:3: Type: Unchecked return value from library (CHECKED_RETURN) src/inetd.c:1742:3: Unchecked call to function 1. path: Condition "recvfrom(s, buffer, 256UL /* sizeof (buffer) */, 0, __SOCKADDR_ARG({.__sockaddr__ = (struct sockaddr *)&sa}), &size) < 0", taking false branch. src/inetd.c:1746:3: 2. check_return: Calling "sendto(s, buffer, strlen(buffer), 0, __CONST_SOCKADDR_ARG({.__sockaddr__ = (struct sockaddr *)&sa}), 128U)" without checking return value. This library function may fail and return an error code. libinetutils/tftpsubs.c:300:4: Type: Unchecked return value from library (CHECKED_RETURN) libinetutils/tftpsubs.c:293:3: Unchecked call to function 1. path: Condition "1", taking true branch. libinetutils/tftpsubs.c:296:7: 2. path: Condition "i", taking true branch. libinetutils/tftpsubs.c:300:4: 3. check_return: Calling "recvfrom(f, rbuf, 516UL, 0, __SOCKADDR_ARG({.__sockaddr__ = (struct sockaddr *)&from}), &fromlen)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.] tests/addrpeek.c:86:7: Type: Unchecked return value from library (CHECKED_RETURN) tests/addrpeek.c:78:3: Unchecked call to function 1. path: Condition "type == SOCK_STREAM", taking false branch. tests/addrpeek.c:83:8: 2. path: Condition "type == SOCK_DGRAM", taking true branch. tests/addrpeek.c:86:7: 3. check_return: Calling "recvfrom(fd, answer, 128UL, 0, __SOCKADDR_ARG({.__sockaddr__ = (struct sockaddr *)&ss}), &sslen)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.] libinetutils/cleansess.c:64:3: Type: Unchecked return value from library (CHECKED_RETURN) libinetutils/cleansess.c:55:3: Unchecked call to function 1. path: Condition "strncmp(tty, "/dev/", 5UL /* sizeof ("/dev/") - 1 */) == 0", taking true branch. libinetutils/cleansess.c:56:41: 2. path: Falling through to end of if statement. libinetutils/cleansess.c:61:3: 3. path: Condition "logout(line)", taking true branch. libinetutils/cleansess.c:64:3: 4. check_return: Calling "chmod(tty, 438U)" without checking return value. This library function may fail and return an error code. ping/ping6.c:267:3: Type: Unchecked return value from library (CHECKED_RETURN) ping/ping6.c:255:3: Unchecked call to function 1. path: Condition "getuid() == 0", taking true branch. ping/ping6.c:263:3: 2. path: Condition "ping == NULL", taking false branch. ping/ping6.c:267:3: 3. check_return: Calling "setsockopt(ping->ping_fd, 1, 6, (char *)&one, 4U)" without checking return value. This library function may fail and return an error code. telnetd/pty.c:165:3: Type: Unchecked return value from library (CHECKED_RETURN) telnetd/pty.c:152:3: Unchecked call to function 1. path: Condition "sig == 17", taking true branch. telnetd/pty.c:159:5: 2. path: Falling through to end of if statement. telnetd/pty.c:165:3: 3. check_return: Calling "chmod(line, 420U)" without checking return value. This library function may fail and return an error code. src/inetd.c:438:6: Type: Unchecked return value from library (CHECKED_RETURN) src/inetd.c:420:3: Unchecked call to function 1. path: Condition "sep->se_bi", taking false branch. src/inetd.c:426:7: 2. path: Condition "debug", taking true branch. src/inetd.c:433:7: 3. path: Condition "pwd == NULL", taking true branch. src/inetd.c:437:4: 4. path: Condition "sep->se_socktype != SOCK_STREAM", taking true branch. src/inetd.c:438:6: 5. check_return: Calling "recv(0, buf, 50UL, 0)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.] tests/addrpeek.c:99:3: Type: Unchecked return value from library (CHECKED_RETURN) tests/addrpeek.c:78:3: Unchecked call to function 1. path: Condition "type == SOCK_STREAM", taking true branch. tests/addrpeek.c:82:5: 2. path: Falling through to end of if statement. tests/addrpeek.c:99:3: 3. check_return: Calling "sendto(fd, answer, len, 0, __CONST_SOCKADDR_ARG({.__sockaddr__ = (struct sockaddr *)&ss}), sslen)" without checking return value. This library function may fail and return an error code. src/inetd.c:1657:3: Type: Unchecked return value from library (CHECKED_RETURN) src/inetd.c:1635:3: Unchecked call to function 1. path: Condition "endring == NULL", taking true branch. src/inetd.c:1642:3: 2. path: Condition "recvfrom(s, text, 74UL /* sizeof (text) */, 0, __SOCKADDR_ARG({.__sockaddr__ = (struct sockaddr *)&sa}), &size) < 0", taking false branch. src/inetd.c:1646:3: 3. path: Condition "len >= 72", taking true branch. src/inetd.c:1647:32: 4. path: Falling through to end of if statement. src/inetd.c:1653:3: 5. path: Condition "++rs == endring", taking false branch. src/inetd.c:1657:3: 6. check_return: Calling "sendto(s, text, 74UL, 0, __CONST_SOCKADDR_ARG({.__sockaddr__ = (struct sockaddr *)&sa}), 128U)" without checking return value. This library function may fail and return an error code. libinetutils/tftpsubs.c:260:6: Type: Unchecked return value from library (CHECKED_RETURN) libinetutils/tftpsubs.c:237:3: Unchecked call to function 1. path: Condition "b->counter < -1", taking false branch. libinetutils/tftpsubs.c:243:3: 2. path: Condition "!nextone", taking true branch. libinetutils/tftpsubs.c:246:3: 3. path: Condition "count <= 0", taking false branch. libinetutils/tftpsubs.c:249:3: 4. path: Condition "convert == 0", taking false branch. libinetutils/tftpsubs.c:254:3: 5. path: Condition "ct--", taking true branch. libinetutils/tftpsubs.c:257:7: 6. path: Condition "prevchar == 13", taking true branch. libinetutils/tftpsubs.c:259:4: 7. path: Condition "c == 10", taking true branch. libinetutils/tftpsubs.c:260:6: 8. check_return: Calling "fseeko(file, -1L, 1)" without checking return value. This library function may fail and return an error code. libinetutils/kerberos5.c:85:3: Type: Ignoring number of bytes read (CHECKED_RETURN) libinetutils/kerberos5.c:59:3: Ignoring number of bytes read 1. path: Condition "krb5_sname_to_principal(*ctx, sname, "host", 3, &server)", taking false branch. libinetutils/kerberos5.c:64:3: 2. path: Condition "realm == NULL", taking true branch. libinetutils/kerberos5.c:85:3: 3. check_return: "read(int, void *, size_t)" returns the number of bytes read, but it is ignored. ftpd/ftpd.c:1252:4: Type: Unchecked return value from library (CHECKED_RETURN) ftpd/ftpd.c:1224:3: Unchecked call to function 1. path: Condition "size != -1L /* (off_t)-1 */", taking true branch. ftpd/ftpd.c:1225:75: 2. path: Falling through to end of if statement. ftpd/ftpd.c:1228:3: 3. path: Condition "pdata >= 0", taking true branch. ftpd/ftpd.c:1238:7: 4. path: Condition "s < 0", taking false branch. ftpd/ftpd.c:1249:7: 5. path: Condition "from.ss_family == 2", taking true branch. ftpd/ftpd.c:1252:4: 6. check_return: Calling "setsockopt(s, IPPROTO_IP, 1, (char *)&tos, 4U)" without checking return value. This library function may fail and return an error code. src/inetd.c:449:3: Type: Unchecked return value from library (CHECKED_RETURN) src/inetd.c:420:3: Unchecked call to function 1. path: Condition "sep->se_bi", taking false branch. src/inetd.c:426:7: 2. path: Condition "debug", taking true branch. src/inetd.c:433:7: 3. path: Condition "pwd == NULL", taking false branch. src/inetd.c:441:7: 4. path: Condition "sep->se_group", taking true branch. src/inetd.c:441:7: 5. path: Condition "*sep->se_group", taking true branch. src/inetd.c:444:4: 6. path: Condition "grp == NULL", taking true branch. src/inetd.c:448:8: 7. path: Condition "sep->se_socktype != SOCK_STREAM", taking true branch. src/inetd.c:449:3: 8. check_return: Calling "recv(0, buf, 50UL, 0)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.] ftpd/ftpd.c:1259:2: Type: Unchecked return value from library (CHECKED_RETURN) ftpd/ftpd.c:1224:3: Unchecked call to function 1. path: Condition "size != -1L /* (off_t)-1 */", taking true branch. ftpd/ftpd.c:1225:75: 2. path: Falling through to end of if statement. ftpd/ftpd.c:1228:3: 3. path: Condition "pdata >= 0", taking true branch. ftpd/ftpd.c:1238:7: 4. path: Condition "s < 0", taking false branch. ftpd/ftpd.c:1249:7: 5. path: Condition "from.ss_family == 2", taking true branch. ftpd/ftpd.c:1259:2: 6. check_return: Calling "setsockopt(s, 1, 9, (char *)&keepalive, 4U)" without checking return value. This library function may fail and return an error code. src/inetd.c:483:2: Type: Unchecked return value from library (CHECKED_RETURN) src/inetd.c:420:3: Unchecked call to function 1. path: Condition "sep->se_bi", taking false branch. src/inetd.c:426:7: 2. path: Condition "debug", taking true branch. src/inetd.c:433:7: 3. path: Condition "pwd == NULL", taking false branch. src/inetd.c:441:7: 4. path: Condition "sep->se_group", taking true branch. src/inetd.c:441:7: 5. path: Condition "*sep->se_group", taking true branch. src/inetd.c:444:4: 6. path: Condition "grp == NULL", taking false branch. src/inetd.c:453:7: 7. path: Condition "pwd->pw_uid", taking true branch. src/inetd.c:455:4: 8. path: Condition "grp", taking true branch. src/inetd.c:455:4: 9. path: Condition "grp->gr_gid", taking true branch. src/inetd.c:457:8: 10. path: Condition "setgid(grp->gr_gid) < 0", taking false branch. src/inetd.c:463:6: 11. path: Falling through to end of if statement. src/inetd.c:471:4: 12. path: Condition "grp", taking true branch. src/inetd.c:471:4: 13. path: Condition "grp->gr_gid", taking true branch. src/inetd.c:474:4: 14. path: Condition "setuid(pwd->pw_uid) < 0", taking false branch. src/inetd.c:482:7: 15. path: Condition "sep->se_socktype != SOCK_STREAM", taking true branch. src/inetd.c:483:2: 16. check_return: Calling "recv(0, buf, 50UL, 0)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.] libinetutils/ttymsg.c:184:4: Type: Unchecked return value from library (CHECKED_RETURN) libinetutils/ttymsg.c:82:3: Unchecked call to function 1. path: Condition "iovcnt > 6 /* (int)(sizeof (localiov) / sizeof (localiov[0])) */", taking false branch. libinetutils/ttymsg.c:86:3: 2. path: Condition "!device", taking false branch. libinetutils/ttymsg.c:96:3: 3. path: Condition "strncmp(device, "/dev/", strlen("/dev/"))", taking false branch. libinetutils/ttymsg.c:108:3: 4. path: Condition "fd < 0", taking false branch. libinetutils/ttymsg.c:117:3: 5. path: Condition "cnt < iovcnt", taking true branch. libinetutils/ttymsg.c:118:29: 6. path: Jumping back to the beginning of the loop. libinetutils/ttymsg.c:117:3: 7. path: Condition "cnt < iovcnt", taking true branch. libinetutils/ttymsg.c:118:29: 8. path: Jumping back to the beginning of the loop. libinetutils/ttymsg.c:117:3: 9. path: Condition "cnt < iovcnt", taking false branch. libinetutils/ttymsg.c:120:3: 10. path: Condition "true", taking true branch. libinetutils/ttymsg.c:123:7: 11. path: Condition "wret >= left", taking false branch. libinetutils/ttymsg.c:125:7: 12. path: Condition "wret >= 0", taking true branch. libinetutils/ttymsg.c:128:4: 13. path: Condition "iov != localiov", taking true branch. libinetutils/ttymsg.c:133:4: 14. path: Condition "wret >= (int)iov->iov_len", taking true branch. libinetutils/ttymsg.c:138:6: 15. path: Jumping back to the beginning of the loop. libinetutils/ttymsg.c:133:4: 16. path: Condition "wret >= (int)iov->iov_len", taking true branch. libinetutils/ttymsg.c:138:6: 17. path: Jumping back to the beginning of the loop. libinetutils/ttymsg.c:133:4: 18. path: Condition "wret >= (int)iov->iov_len", taking false branch. libinetutils/ttymsg.c:139:4: 19. path: Condition "wret", taking true branch. libinetutils/ttymsg.c:144:4: 20. path: Continuing loop. libinetutils/ttymsg.c:120:3: 21. path: Condition "true", taking true branch. libinetutils/ttymsg.c:123:7: 22. path: Condition "wret >= left", taking false branch. libinetutils/ttymsg.c:125:7: 23. path: Condition "wret >= 0", taking true branch. libinetutils/ttymsg.c:128:4: 24. path: Condition "iov != localiov", taking true branch. libinetutils/ttymsg.c:133:4: 25. path: Condition "wret >= (int)iov->iov_len", taking true branch. libinetutils/ttymsg.c:138:6: 26. path: Jumping back to the beginning of the loop. libinetutils/ttymsg.c:133:4: 27. path: Condition "wret >= (int)iov->iov_len", taking true branch. libinetutils/ttymsg.c:138:6: 28. path: Jumping back to the beginning of the loop. libinetutils/ttymsg.c:133:4: 29. path: Condition "wret >= (int)iov->iov_len", taking true branch. libinetutils/ttymsg.c:138:6: 30. path: Jumping back to the beginning of the loop. libinetutils/ttymsg.c:133:4: 31. path: Condition "wret >= (int)iov->iov_len", taking false branch. libinetutils/ttymsg.c:139:4: 32. path: Condition "wret", taking true branch. libinetutils/ttymsg.c:144:4: 33. path: Continuing loop. libinetutils/ttymsg.c:120:3: 34. path: Condition "true", taking true branch. libinetutils/ttymsg.c:123:7: 35. path: Condition "wret >= left", taking false branch. libinetutils/ttymsg.c:125:7: 36. path: Condition "wret >= 0", taking true branch. libinetutils/ttymsg.c:128:4: 37. path: Condition "iov != localiov", taking true branch. libinetutils/ttymsg.c:133:4: 38. path: Condition "wret >= (int)iov->iov_len", taking false branch. libinetutils/ttymsg.c:139:4: 39. path: Condition "wret", taking false branch. libinetutils/ttymsg.c:144:4: 40. path: Continuing loop. libinetutils/ttymsg.c:120:3: 41. path: Condition "true", taking true branch. libinetutils/ttymsg.c:123:7: 42. path: Condition "wret >= left", taking false branch. libinetutils/ttymsg.c:125:7: 43. path: Condition "wret >= 0", taking false branch. libinetutils/ttymsg.c:146:7: 44. path: Condition "*__errno_location() == 11", taking true branch. libinetutils/ttymsg.c:150:4: 45. path: Condition "forked", taking false branch. libinetutils/ttymsg.c:156:4: 46. path: Condition "cpid < 0", taking false branch. libinetutils/ttymsg.c:164:4: 47. path: Condition "cpid", taking false branch. libinetutils/ttymsg.c:184:4: 48. check_return: Calling "rpl_fcntl(fd, 2048, &off)" without checking return value. It wraps a library function that may fail and return an error code. lib/fcntl.c:211:3: Unchecked call to function 48.1. path: Switch case value "0". lib/fcntl.c:216:9: 48.2. return_wrapper: The function wraps and returns the value of "rpl_fcntl_DUPFD(fd, target)". lib/fcntl.c:482:3: Unchecked call to function 48.2.1. return_wrapper: The function wraps and returns the value of "fcntl(fd, 0, target)". lib/fcntl.c:217:9: 48.3. path: Breaking from switch. libinetutils/kcmd.c:239:7: Type: Unchecked return value from library (CHECKED_RETURN) libinetutils/kcmd.c:134:3: Unchecked call to function 1. path: Condition "host", taking false branch. libinetutils/kcmd.c:151:3: 2. path: Condition "rc", taking false branch. libinetutils/kcmd.c:162:3: 3. path: Condition "!rc", taking true branch. libinetutils/kcmd.c:165:7: 4. path: Condition "host_save == NULL", taking false branch. libinetutils/kcmd.c:168:5: 5. path: Falling through to end of if statement. libinetutils/kcmd.c:193:3: 6. path: Condition "host == *ahost", taking true branch. libinetutils/kcmd.c:194:23: 7. path: Falling through to end of if statement. libinetutils/kcmd.c:219:3: 8. path: Condition "true", taking true branch. libinetutils/kcmd.c:226:7: 9. path: Condition "s < 0", taking false branch. libinetutils/kcmd.c:239:7: 10. check_return: Calling "rpl_fcntl(s, 8, pid)" without checking return value. It wraps a library function that may fail and return an error code. lib/fcntl.c:211:3: Unchecked call to function 10.1. path: Switch case value "0". lib/fcntl.c:216:9: 10.2. return_wrapper: The function wraps and returns the value of "rpl_fcntl_DUPFD(fd, target)". lib/fcntl.c:482:3: Unchecked call to function 10.2.1. return_wrapper: The function wraps and returns the value of "fcntl(fd, 0, target)". lib/fcntl.c:217:9: 10.3. path: Breaking from switch. libinetutils/kerberos5.c:173:3: Type: Ignoring number of bytes read (CHECKED_RETURN) libinetutils/kerberos5.c:59:3: Ignoring number of bytes read 1. path: Condition "krb5_sname_to_principal(*ctx, sname, "host", 3, &server)", taking false branch. libinetutils/kerberos5.c:64:3: 2. path: Condition "realm == NULL", taking true branch. libinetutils/kerberos5.c:86:3: 3. path: Condition "auth", taking false branch. libinetutils/kerberos5.c:102:3: 4. path: Condition "verbose", taking true branch. libinetutils/kerberos5.c:111:3: 5. path: Condition "!tmpserver", taking false branch. libinetutils/kerberos5.c:118:3: 6. path: Condition "p", taking false branch. libinetutils/kerberos5.c:121:5: 7. path: Condition "p", taking false branch. libinetutils/kerberos5.c:126:3: 8. path: Condition "!realm", taking false branch. libinetutils/kerberos5.c:139:3: 9. path: Condition "strncmp(cmd, "-x ", 3) == 0", taking true branch. libinetutils/kerberos5.c:148:3: 10. path: Condition "rc == -1765328177L", taking false branch. libinetutils/kerberos5.c:173:3: 11. check_return: "read(int, void *, size_t)" returns the number of bytes read, but it is ignored. telnetd/telnetd.c:529:3: Type: Unchecked return value from library (CHECKED_RETURN) telnetd/telnetd.c:339:3: Unchecked call to function 1. path: Condition "getpeername(fd, __SOCKADDR_ARG({.__sockaddr__ = (struct sockaddr *)&saddr}), &len) < 0", taking false branch. telnetd/telnetd.c:348:3: 2. path: Condition "err", taking false branch. telnetd/telnetd.c:366:3: 3. path: Condition "reverse_lookup", taking true branch. telnetd/telnetd.c:370:7: 4. path: Condition "err", taking false branch. telnetd/telnetd.c:386:7: 5. path: Condition "err", taking false branch. telnetd/telnetd.c:400:7: 6. path: Condition "aip", taking true branch. telnetd/telnetd.c:402:4: 7. path: Condition "aip->ai_family != saddr.ss_family", taking true branch. telnetd/telnetd.c:403:6: 8. path: Continuing loop. telnetd/telnetd.c:400:7: 9. path: Condition "aip", taking true branch. telnetd/telnetd.c:402:4: 10. path: Condition "aip->ai_family != saddr.ss_family", taking false branch. telnetd/telnetd.c:408:4: 11. path: Condition "aip->ai_family == 2", taking true branch. telnetd/telnetd.c:408:4: 12. path: Condition "!memcmp(&((struct sockaddr_in *)aip->ai_addr)->sin_addr, &((struct sockaddr_in *)&saddr)->sin_addr, 4UL /* sizeof (struct in_addr) */)", taking true branch. telnetd/telnetd.c:412:6: 13. path: Breaking from loop. telnetd/telnetd.c:420:7: 14. path: Condition "aip == NULL", taking false branch. telnetd/telnetd.c:428:5: 15. path: Falling through to end of if statement. telnetd/telnetd.c:485:3: 16. path: Condition "keepalive", taking true branch. telnetd/telnetd.c:485:3: 17. path: Condition "setsockopt(fd, 1, 9, (char *)&on, 4U /* sizeof (on) */) < 0", taking false branch. telnetd/telnetd.c:490:3: 18. path: Condition "debug_tcp", taking true branch. telnetd/telnetd.c:490:3: 19. path: Condition "setsockopt(fd, 1, 1, (char *)&on, 4U /* sizeof (on) */) < 0", taking false branch. telnetd/telnetd.c:516:3: 20. path: Condition "terminaltype", taking true branch. telnetd/telnetd.c:517:3: 21. path: Condition "uname[0]", taking true branch. telnetd/telnetd.c:529:3: 22. check_return: Calling "setsockopt(net, 1, 10, (char *)&on, 4U)" without checking return value. This library function may fail and return an error code. lib/argp-parse.c:632:9: Type: Unchecked return value (CHECKED_RETURN) lib/argp-parse.c:575:3: Unchecked call to function 1. path: Condition "err == 7", taking true branch. lib/argp-parse.c:575:3: 2. path: Condition "arg_ebadkey", taking true branch. lib/argp-parse.c:579:3: 3. path: Condition "!err", taking true branch. lib/argp-parse.c:581:7: 4. path: Condition "parser->state.next == parser->state.argc", taking true branch. lib/argp-parse.c:585:11: 5. path: Condition "group < parser->egroup", taking true branch. lib/argp-parse.c:585:11: 6. path: Condition "!err", taking true branch. lib/argp-parse.c:588:13: 7. path: Condition "group->args_processed == 0", taking true branch. lib/argp-parse.c:589:77: 8. path: Jumping back to the beginning of the loop. lib/argp-parse.c:585:11: 9. path: Condition "group < parser->egroup", taking true branch. lib/argp-parse.c:585:11: 10. path: Condition "!err", taking false branch. lib/argp-parse.c:585:11: 11. path: Condition "err == 7", taking false branch. lib/argp-parse.c:590:11: 12. path: Condition "group >= parser->groups", taking true branch. lib/argp-parse.c:590:11: 13. path: Condition "!err", taking false branch. lib/argp-parse.c:590:11: 14. path: Condition "err == 7", taking false branch. lib/argp-parse.c:595:11: 15. path: Condition "err == 7", taking false branch. lib/argp-parse.c:599:11: 16. path: Condition "end_index", taking true branch. lib/argp-parse.c:601:9: 17. path: Falling through to end of if statement. lib/argp-parse.c:621:3: 18. path: Condition "err", taking true branch. lib/argp-parse.c:624:7: 19. path: Condition "err == 7", taking false branch. lib/argp-parse.c:631:7: 20. path: Condition "group < parser->egroup", taking true branch. lib/argp-parse.c:632:9: 21. check_return: Calling "group_parse" without checking return value (as is done elsewhere 8 out of 10 times). lib/argp-parse.c:589:15: Examples where return value from this function is checked 22. example_assign: Example 1: Assigning: "err" = return value from "group_parse(group, &parser->state, 16777218, NULL)". lib/argp-parse.c:585:11: 23. example_checked: Example 1 (cont.): "err" has its value checked in "err". lib/argp-parse.c:540:7: Examples where return value from this function is checked 24. example_assign: Example 2: Assigning: "err" = return value from "group_parse(group, &parser->state, 16777219, NULL)". lib/argp-parse.c:525:3: 25. example_checked: Example 2 (cont.): "err" has its value checked in "err". lib/argp-parse.c:682:7: Examples where return value from this function is checked 26. example_assign: Example 3: Assigning: "err" = return value from "group_parse(group, &parser->state, key, val)". lib/argp-parse.c:684:7: 27. example_checked: Example 3 (cont.): "err" has its value checked in "err == 7". lib/argp-parse.c:736:15: Examples where return value from this function is checked 28. example_assign: Example 4: Assigning: "err" = return value from "group_parse(group, &parser->state, opt, parser->opt_data.rpl_optarg)". lib/argp-parse.c:752:3: 29. example_checked: Example 4 (cont.): "err" has its value checked in "err == 7". lib/argp-parse.c:747:7: Examples where return value from this function is checked 30. example_assign: Example 5: Assigning: "err" = return value from "group_parse(&parser->groups[group_key - 1], &parser->state, user_key, parser->opt_data.rpl_optarg)". lib/argp-parse.c:752:3: 31. example_checked: Example 5 (cont.): "err" has its value checked in "err == 7". lib/argp-parse.c:650:5: Type: Unchecked return value (CHECKED_RETURN) lib/argp-parse.c:575:3: Unchecked call to function 1. path: Condition "err == 7", taking true branch. lib/argp-parse.c:575:3: 2. path: Condition "arg_ebadkey", taking true branch. lib/argp-parse.c:579:3: 3. path: Condition "!err", taking true branch. lib/argp-parse.c:581:7: 4. path: Condition "parser->state.next == parser->state.argc", taking true branch. lib/argp-parse.c:585:11: 5. path: Condition "group < parser->egroup", taking true branch. lib/argp-parse.c:585:11: 6. path: Condition "!err", taking true branch. lib/argp-parse.c:588:13: 7. path: Condition "group->args_processed == 0", taking true branch. lib/argp-parse.c:589:77: 8. path: Jumping back to the beginning of the loop. lib/argp-parse.c:585:11: 9. path: Condition "group < parser->egroup", taking true branch. lib/argp-parse.c:585:11: 10. path: Condition "!err", taking false branch. lib/argp-parse.c:585:11: 11. path: Condition "err == 7", taking false branch. lib/argp-parse.c:590:11: 12. path: Condition "group >= parser->groups", taking true branch. lib/argp-parse.c:590:11: 13. path: Condition "!err", taking false branch. lib/argp-parse.c:590:11: 14. path: Condition "err == 7", taking false branch. lib/argp-parse.c:595:11: 15. path: Condition "err == 7", taking false branch. lib/argp-parse.c:599:11: 16. path: Condition "end_index", taking true branch. lib/argp-parse.c:601:9: 17. path: Falling through to end of if statement. lib/argp-parse.c:621:3: 18. path: Condition "err", taking true branch. lib/argp-parse.c:624:7: 19. path: Condition "err == 7", taking false branch. lib/argp-parse.c:631:7: 20. path: Condition "group < parser->egroup", taking true branch. lib/argp-parse.c:632:63: 21. path: Jumping back to the beginning of the loop. lib/argp-parse.c:631:7: 22. path: Condition "group < parser->egroup", taking false branch. lib/argp-parse.c:633:5: 23. path: Falling through to end of if statement. lib/argp-parse.c:649:3: 24. path: Condition "group >= parser->groups", taking true branch. lib/argp-parse.c:650:5: 25. check_return: Calling "group_parse" without checking return value (as is done elsewhere 8 out of 10 times). lib/argp-parse.c:589:15: Examples where return value from this function is checked 26. example_assign: Example 1: Assigning: "err" = return value from "group_parse(group, &parser->state, 16777218, NULL)". lib/argp-parse.c:585:11: 27. example_checked: Example 1 (cont.): "err" has its value checked in "err". lib/argp-parse.c:540:7: Examples where return value from this function is checked 28. example_assign: Example 2: Assigning: "err" = return value from "group_parse(group, &parser->state, 16777219, NULL)". lib/argp-parse.c:525:3: 29. example_checked: Example 2 (cont.): "err" has its value checked in "err". lib/argp-parse.c:682:7: Examples where return value from this function is checked 30. example_assign: Example 3: Assigning: "err" = return value from "group_parse(group, &parser->state, key, val)". lib/argp-parse.c:684:7: 31. example_checked: Example 3 (cont.): "err" has its value checked in "err == 7". lib/argp-parse.c:736:15: Examples where return value from this function is checked 32. example_assign: Example 4: Assigning: "err" = return value from "group_parse(group, &parser->state, opt, parser->opt_data.rpl_optarg)". lib/argp-parse.c:752:3: 33. example_checked: Example 4 (cont.): "err" has its value checked in "err == 7". lib/argp-parse.c:747:7: Examples where return value from this function is checked 34. example_assign: Example 5: Assigning: "err" = return value from "group_parse(&parser->groups[group_key - 1], &parser->state, user_key, parser->opt_data.rpl_optarg)". lib/argp-parse.c:752:3: 35. example_checked: Example 5 (cont.): "err" has its value checked in "err == 7". ftp/cmds.c:1731:5: Type: Unchecked return value (CHECKED_RETURN) ftp/cmds.c:1730:3: Unchecked call to function 1. path: Condition "argc < 2", taking true branch. ftp/cmds.c:1731:5: 2. check_return: Calling "another" without checking return value (as is done elsewhere 25 out of 27 times). ftp/cmds.c:1402:3: Examples where return value from this function is checked 3. example_checked: Example 1: "another(&argc, &argv, "remote-directory")" has its value checked in "another(&argc, &argv, "remote-directory")". ftp/cmds.c:1469:3: Examples where return value from this function is checked 4. example_checked: Example 2: "another(&argc, &argv, "remote-file")" has its value checked in "another(&argc, &argv, "remote-file")". ftp/cmds.c:1933:3: Examples where return value from this function is checked 5. example_checked: Example 3: "another(&argc, &argv, "mode")" has its value checked in "another(&argc, &argv, "mode")". ftp/cmds.c:2132:3: Examples where return value from this function is checked 6. example_checked: Example 4: "another(&argc, &argv, "command")" has its value checked in "another(&argc, &argv, "command")". ftp/cmds.c:809:3: Examples where return value from this function is checked 7. example_checked: Example 5: "another(&argc, &argv, "remote-file")" has its value checked in "another(&argc, &argv, "remote-file")". ftp/cmds.c:248:9: Type: Unchecked return value (CHECKED_RETURN) ftp/cmds.c:231:3: Unchecked call to function 1. path: Condition "connected", taking true branch. ftp/cmds.c:231:3: 2. path: Condition "command("NOOP") != 2", taking true branch. ftp/cmds.c:232:22: 3. path: Falling through to end of if statement. ftp/cmds.c:240:3: 4. path: Condition "argc < 2", taking true branch. ftp/cmds.c:242:7: 5. path: Condition "hostname", taking false branch. ftp/cmds.c:248:9: 6. check_return: Calling "another" without checking return value (as is done elsewhere 25 out of 27 times). ftp/cmds.c:1402:3: Examples where return value from this function is checked 7. example_checked: Example 1: "another(&argc, &argv, "remote-directory")" has its value checked in "another(&argc, &argv, "remote-directory")". ftp/cmds.c:1469:3: Examples where return value from this function is checked 8. example_checked: Example 2: "another(&argc, &argv, "remote-file")" has its value checked in "another(&argc, &argv, "remote-file")". ftp/cmds.c:1933:3: Examples where return value from this function is checked 9. example_checked: Example 3: "another(&argc, &argv, "mode")" has its value checked in "another(&argc, &argv, "mode")". ftp/cmds.c:2132:3: Examples where return value from this function is checked 10. example_checked: Example 4: "another(&argc, &argv, "command")" has its value checked in "another(&argc, &argv, "command")". ftp/cmds.c:809:3: Examples where return value from this function is checked 11. example_checked: Example 5: "another(&argc, &argv, "remote-file")" has its value checked in "another(&argc, &argv, "remote-file")". lib/ialloc.h:51:10: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/ialloc.h:51:10: result_independent_of_operands: "s <= 18446744073709551615UL" is always true regardless of the values of its operands. This occurs as the logical first operand of "?:". lib/ialloc.h:61:10: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/ialloc.h:61:10: result_independent_of_operands: "s <= 18446744073709551615UL" is always true regardless of the values of its operands. This occurs as the logical first operand of "?:". lib/ialloc.h:69:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/ialloc.h:69:7: result_independent_of_operands: "18446744073709551615UL < n" is always false regardless of the values of its operands. This occurs as the logical operand of "if". lib/ialloc.h:75:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/ialloc.h:75:7: result_independent_of_operands: "18446744073709551615UL < s" is always false regardless of the values of its operands. This occurs as the logical operand of "if". lib/ialloc.h:91:11: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/ialloc.h:91:11: result_independent_of_operands: "n <= 18446744073709551615UL" is always true regardless of the values of its operands. This occurs as the logical first operand of "&&". lib/malloc/dynarray_emplace_enlarge.c:59:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/malloc/dynarray_emplace_enlarge.c:59:7: result_independent_of_operands: "18446744073709551615UL /* -1 - 0 */ < new_allocated - 1" is always false regardless of the values of its operands. This occurs as the logical second operand of "&&". lib/malloc/dynarray_emplace_enlarge.c:59:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/malloc/dynarray_emplace_enlarge.c:59:7: result_independent_of_operands: "18446744073709551615UL /* -1 - 0 */ < element_size - 1" is always false regardless of the values of its operands. This occurs as the third operand of "?:". lib/malloc/dynarray_resize.c:45:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/malloc/dynarray_resize.c:45:7: result_independent_of_operands: "18446744073709551615UL /* -1 - 0 */ < element_size - 1" is always false regardless of the values of its operands. This occurs as the third operand of "?:". lib/malloc/dynarray_resize.c:45:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/malloc/dynarray_resize.c:45:7: result_independent_of_operands: "18446744073709551615UL /* -1 - 0 */ < size - 1" is always false regardless of the values of its operands. This occurs as the logical second operand of "&&". lib/malloca.c:53:8: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/malloca.c:53:8: result_independent_of_operands: "18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < plus" is always false regardless of the values of its operands. This occurs as the logical first operand of "||". lib/malloca.c:53:8: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/malloca.c:53:8: result_independent_of_operands: "9223372036854775807L < plus" is always false regardless of the values of its operands. This occurs as the logical first operand of "||". lib/malloca.c:53:8: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/malloca.c:53:8: result_independent_of_operands: "18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < n + plus" is always false regardless of the values of its operands. This occurs as the logical second operand of "&&". lib/malloca.c:53:8: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/malloca.c:53:8: result_independent_of_operands: "18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < n" is always false regardless of the values of its operands. This occurs as the third operand of "?:". lib/xmalloc.c:199:11: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:199:11: result_independent_of_operands: "18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < (n >> 1) + 1" is always false regardless of the values of its operands. This occurs as the logical first operand of "||". lib/xmalloc.c:199:11: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:199:11: result_independent_of_operands: "18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < n + ((n >> 1) + 1)" is always false regardless of the values of its operands. This occurs as the logical second operand of "&&". lib/xmalloc.c:199:11: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:199:11: result_independent_of_operands: "18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < n" is always false regardless of the values of its operands. This occurs as the third operand of "?:". lib/xmalloc.c:240:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:240:7: result_independent_of_operands: "(n0 >> 1) < -9223372036854775808L /* -9223372036854775807L - 1L */" is always false regardless of the values of its operands. This occurs as the logical second operand of "||". lib/xmalloc.c:240:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:240:7: result_independent_of_operands: "18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < (n0 >> 1)" is always false regardless of the values of its operands. This occurs as the logical first operand of "||". lib/xmalloc.c:240:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:240:7: result_independent_of_operands: "18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < (n0 >> 1)" is always false regardless of the values of its operands. This occurs as the logical second operand of "||". lib/xmalloc.c:240:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:240:7: result_independent_of_operands: "18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < n0 + (n0 >> 1)" is always false regardless of the values of its operands. This occurs as the logical second operand of "&&". lib/xmalloc.c:240:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:240:7: result_independent_of_operands: "18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < n0" is always false regardless of the values of its operands. This occurs as the third operand of "?:". lib/xmalloc.c:240:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:240:7: result_independent_of_operands: "9223372036854775807L < (n0 >> 1)" is always false regardless of the values of its operands. This occurs as the logical first operand of "||". lib/xmalloc.c:240:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:240:7: result_independent_of_operands: "9223372036854775807L < (n0 >> 1)" is always false regardless of the values of its operands. This occurs as the logical second operand of "||". lib/xmalloc.c:240:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:240:7: result_independent_of_operands: "9223372036854775807L < n0 + (n0 >> 1)" is always false regardless of the values of its operands. This occurs as the logical second operand of "&&". lib/xmalloc.c:240:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:240:7: result_independent_of_operands: "9223372036854775807L < n0" is always false regardless of the values of its operands. This occurs as the third operand of "?:". lib/xmalloc.c:240:7: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:240:7: result_independent_of_operands: "n0 < -9223372036854775808L /* -9223372036854775807L - 1L */" is always false regardless of the values of its operands. This occurs as the logical second operand of "||". lib/xmalloc.c:255:8: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:255:8: result_independent_of_operands: "9223372036854775807L /* -1 - (-9223372036854775807L - 1L) */ < s - 1" is always false regardless of the values of its operands. This occurs as the third operand of "?:". lib/xmalloc.c:255:8: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:255:8: result_independent_of_operands: "9223372036854775807L /* -1 - (-9223372036854775807L - 1L) */ < n - 1" is always false regardless of the values of its operands. This occurs as the logical second operand of "&&". lib/xmalloc.c:267:11: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:267:11: result_independent_of_operands: "18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < n0" is always false regardless of the values of its operands. This occurs as the third operand of "?:". lib/xmalloc.c:267:11: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:267:11: result_independent_of_operands: "9223372036854775807L < n0" is always false regardless of the values of its operands. This occurs as the third operand of "?:". lib/xmalloc.c:267:11: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:267:11: result_independent_of_operands: "n0 < -9223372036854775808L /* -9223372036854775807L - 1L */" is always false regardless of the values of its operands. This occurs as the logical second operand of "||". lib/xmalloc.c:267:11: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:267:11: result_independent_of_operands: "18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < n0 + n_incr_min" is always false regardless of the values of its operands. This occurs as the logical second operand of "&&". lib/xmalloc.c:267:11: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:267:11: result_independent_of_operands: "9223372036854775807L < n0 + n_incr_min" is always false regardless of the values of its operands. This occurs as the logical second operand of "&&". lib/xmalloc.c:267:11: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:267:11: result_independent_of_operands: "18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < n_incr_min" is always false regardless of the values of its operands. This occurs as the logical first operand of "||". lib/xmalloc.c:267:11: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:267:11: result_independent_of_operands: "18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < n_incr_min" is always false regardless of the values of its operands. This occurs as the logical second operand of "||". lib/xmalloc.c:267:11: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:267:11: result_independent_of_operands: "9223372036854775807L < n_incr_min" is always false regardless of the values of its operands. This occurs as the logical first operand of "||". lib/xmalloc.c:267:11: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:267:11: result_independent_of_operands: "9223372036854775807L < n_incr_min" is always false regardless of the values of its operands. This occurs as the logical second operand of "||". lib/xmalloc.c:267:11: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:267:11: result_independent_of_operands: "n_incr_min < -9223372036854775808L /* -9223372036854775807L - 1L */" is always false regardless of the values of its operands. This occurs as the logical second operand of "||". lib/xmalloc.c:269:14: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:269:14: result_independent_of_operands: "9223372036854775807L /* -1 - (-9223372036854775807L - 1L) */ < s - 1" is always false regardless of the values of its operands. This occurs as the third operand of "?:". lib/xmalloc.c:269:14: Type: Operands don't affect result (CONSTANT_EXPRESSION_RESULT) lib/xmalloc.c:269:14: result_independent_of_operands: "9223372036854775807L /* -1 - (-9223372036854775807L - 1L) */ < n - 1" is always false regardless of the values of its operands. This occurs as the logical second operand of "&&". tests/test-snprintf.c:65:12: Type: Pointless string comparison (CONSTANT_EXPRESSION_RESULT) tests/test-snprintf.c:65:12: pointless_string_compare: "strcmp("inetutils", "inetutils")" is always 0 because ""inetutils"" is compared against itself. lib/filemode.c:161:5: Type: Logically dead code (DEADCODE) lib/filemode.c:160:8: dead_error_condition: The condition "statp->st_mode - statp->st_mode" cannot be true. lib/filemode.c:161:5: dead_error_line: Execution cannot reach this statement: "str[0] = 'Q';". lib/filemode.c:163:5: Type: Logically dead code (DEADCODE) lib/filemode.c:162:8: dead_error_condition: The condition "statp->st_mode - statp->st_mode" cannot be true. lib/filemode.c:163:5: dead_error_line: Execution cannot reach this statement: "str[0] = 'S';". lib/dirname-lgpl.c:38:3: Type: Logically dead code (DEADCODE) lib/dirname-lgpl.c:34:3: assignment: Assigning: "prefix_length" = "((void)file) , 0". lib/dirname-lgpl.c:38:21: const: At condition "prefix_length != 0UL", the value of "prefix_length" must be equal to 0. lib/dirname-lgpl.c:38:3: dead_error_condition: The condition "prefix_length != 0UL" cannot be true. lib/dirname-lgpl.c:38:3: dead_error_line: Execution cannot reach the expression "0" inside this statement: "prefix_length += ((prefix_l...". lib/mgetgroups.c:122:3: Type: Logically dead code (DEADCODE) lib/mgetgroups.c:81:3: cond_null: Condition "username", taking false branch. Now the value of "username" is "NULL". lib/mgetgroups.c:122:19: null: At condition "username", the value of "username" must be "NULL". lib/mgetgroups.c:122:3: dead_error_condition: The condition "username" cannot be true. lib/mgetgroups.c:122:3: dead_error_line: Execution cannot reach the expression "getugroups(0, NULL, username, gid)" inside this statement: "max_n_groups = (username ? ...". lib/mgetgroups.c:146:3: Type: Logically dead code (DEADCODE) lib/mgetgroups.c:81:3: cond_null: Condition "username", taking false branch. Now the value of "username" is "NULL". lib/mgetgroups.c:146:9: null: At condition "username", the value of "username" must be "NULL". lib/mgetgroups.c:146:3: dead_error_condition: The condition "username" cannot be true. lib/mgetgroups.c:146:3: dead_error_line: Execution cannot reach the expression "getugroups(max_n_groups, g, username, gid)" inside this statement: "ng = (username ? getugroups...". src/logger.c:280:7: Type: Logically dead code (DEADCODE) src/logger.c:158:7: assignment: Assigning: "family" = "1". src/logger.c:278:7: const: At condition "family == 2", the value of "family" must be equal to 1. src/logger.c:278:3: dead_error_condition: The condition "family == 2" cannot be true. src/logger.c:280:7: dead_error_begin: Execution cannot reach this statement: "struct sockaddr_in s;". lib/xmalloc.c:260:7: Type: Division or modulo by zero (DIVIDE_BY_ZERO) lib/xmalloc.c:240:3: 1. path: Condition "0 /* sizeof (n) == sizeof (signed char) */", taking false branch. lib/xmalloc.c:240:3: 2. path: Condition "0 /* sizeof (n) == sizeof (short) */", taking false branch. lib/xmalloc.c:240:3: 3. path: Condition "0 /* sizeof (n) == sizeof (int) */", taking false branch. lib/xmalloc.c:240:3: 4. path: Condition "1 /* sizeof (n) == sizeof (long) */", taking true branch. lib/xmalloc.c:240:3: 5. path: Condition "1", taking true branch. lib/xmalloc.c:240:3: 6. path: Condition "(1 ? 0 : n) - 1 < 0", taking true branch. lib/xmalloc.c:240:3: 7. path: Condition "(n0 >> 1) < 0", taking true branch. lib/xmalloc.c:240:3: 8. path: Condition "1 /* -9223372036854775807L - 1L */", taking true branch. lib/xmalloc.c:240:3: 9. path: Condition "1", taking true branch. lib/xmalloc.c:240:3: 10. path: Condition "(1 ? 0 : ((1 ? 0 : n0) + (-9223372036854775808L /* -9223372036854775807L - 1L */ - (n0 >> 1)))) - 1 < 0", taking true branch. lib/xmalloc.c:240:3: 11. path: Condition "n0 < -9223372036854775808L /* -9223372036854775807L - 1L */ - (n0 >> 1)", taking true branch. lib/xmalloc.c:240:3: 12. path: Condition "(1 /* -9223372036854775807L - 1L */) ? ((1 ? 0 : ((1 ? 0 : n0) + (-9223372036854775808L /* -9223372036854775807L - 1L */ - (n0 >> 1)))) - 1 < 0 || (n0 >> 1) < -9223372036854775808L /* -9223372036854775807L - 1L */) && n0 < -9223372036854775808L /* -9223372036854775807L - 1L */ - (n0 >> 1) : (n0 <= -1 - (n0 >> 1))", taking true branch. lib/xmalloc.c:240:3: 13. path: Condition "((n0 >> 1) < 0) ? ((1 /* -9223372036854775807L - 1L */) ? ((1 ? 0 : ((1 ? 0 : n0) + (-9223372036854775808L /* -9223372036854775807L - 1L */ - (n0 >> 1)))) - 1 < 0 || (n0 >> 1) < -9223372036854775808L /* -9223372036854775807L - 1L */) && n0 < -9223372036854775808L /* -9223372036854775807L - 1L */ - (n0 >> 1) : (n0 <= -1 - (n0 >> 1))) || ((((1 ? 0 : n0) - 1 < 0) ? 0 <= n0 : (9223372036854775807L < n0)) && 9223372036854775807L < n0 + (n0 >> 1)) : ((n0 < 0) ? ((1 /* -9223372036854775807L - 1L */) ? ((1 ? 0 : ((1 ? 0 : (n0 >> 1)) + (-9223372036854775808L /* -9223372036854775807L - 1L */ - n0))) - 1 < 0 || n0 < -9223372036854775808L /* -9223372036854775807L - 1L */) && (n0 >> 1) < -9223372036854775808L /* -9223372036854775807L - 1L */ - n0 : ((n0 >> 1) <= -1 - n0)) || (((1 ? 0 : ((1 ? 0 : n0) + (n0 >> 1))) - 1 < 0 || 9223372036854775807L < (n0 >> 1)) && 9223372036854775807L < n0 + (n0 >> 1)) : (9223372036854775807L < (n0 >> 1) || 9223372036854775807L - (n0 >> 1) < n0))", taking true branch. lib/xmalloc.c:240:3: 14. path: Condition "(0 /* sizeof (n) == sizeof (signed char) */) ? 1 /* !((idx_t)0 < (idx_t)-1) */ ? (((n0 >> 1) < 0) ? ((1 /* -127 - 1 */) ? ((1 ? 0 : ((1 ? 0 : n0) + (-128L /* -127 - 1 */ - (n0 >> 1)))) - 1 < 0 || (n0 >> 1) < -128L /* -127 - 1 */) && n0 < -128L /* -127 - 1 */ - (n0 >> 1) : (n0 <= -1 - (n0 >> 1))) || ((((1 ? 0 : n0) - 1 < 0) ? 0 <= n0 : (127 < n0)) && 127 < n0 + (n0 >> 1)) : ((n0 < 0) ? ((1 /* -127 - 1 */) ? ((1 ? 0 : ((1 ? 0 : (n0 >> 1)) + (-128L /* -127 - 1 */ - n0))) - 1 < 0 || n0 < -128L /* -127 - 1 */) && (n0 >> 1) < -128L /* -127 - 1 */ - n0 : ((n0 >> 1) <= -1 - n0)) || (((1 ? 0 : ((1 ? 0 : n0) + (n0 >> 1))) - 1 < 0 || 127 < (n0 >> 1)) && 127 < n0 + (n0 >> 1)) : (127 < (n0 >> 1) || 127 - (n0 >> 1) < n0))) ? (n = (signed char)((unsigned int)n0 + (unsigned int)(n0 >> 1))) , 1 : ((n = (signed char)((unsigned int)n0 + (unsigned int)(n0 >> 1))) , 0) : ((((n0 >> 1) < 0) ? (0 ? ((1 ? 0 : ((1 ? 0 : n0) + (0 - (n0 >> 1)))) - 1 < 0 || (n0 >> 1) < 0) && n0 < 0 - (n0 >> 1) : (n0 <= -1 - (n0 >> 1))) || ((((1 ? 0 : n0) - 1 < 0) ? 0 <= n0 : (255L /* 127 * 2 + 1 */ < n0)) && 255L /* 127 * 2 + 1 */ < n0 + (n0 >> 1)) : ((n0 < 0) ? (0 ? ((1 ? 0 : ((1 ? 0 : (n0 >> 1)) + (0 - n0))) - 1 < 0 || n0 < 0) && (n0 >> 1) < 0 - n0 : ((n0 >> 1) <= -1 - n0)) || (((1 ? 0 : ((1 ? 0 : n0) + (n0 >> 1))) - 1 < 0 || 255L /* 127 * 2 + 1 */ < (n0 >> 1)) && 255L /* 127 * 2 + 1 */ < n0 + (n0 >> 1)) : (255L /* 127 * 2 + 1 */ < (n0 >> 1) || 255L /* 127 * 2 + 1 */ - (n0 >> 1) < n0))) ? (n = (unsigned char)((unsigned int)n0 + (unsigned int)(n0 >> 1))) , 1 : ((n = (unsigned char)((unsigned int)n0 + (unsigned int)(n0 >> 1))) , 0)) : ((0 /* sizeof (n) == sizeof (short) */) ? 1 /* !((idx_t)0 < (idx_t)-1) */ ? (((n0 >> 1) < 0) ? ((1 /* -32767 - 1 */) ? ((1 ? 0 : ((1 ? 0 : n0) + (-32768L /* -32767 - 1 */ - (n0 >> 1)))) - 1 < 0 || (n0 >> 1) < -32768L /* -32767 - 1 */) && n0 < -32768L /* -32767 - 1 */ - (n0 >> 1) : (n0 <= -1 - (n0 >> 1))) || ((((1 ? 0 : n0) - 1 < 0) ? 0 <= n0 : (32767 < n0)) && 32767 < n0 + (n0 >> 1)) : ((n0 < 0) ? ((1 /* -32767 - 1 */) ? ((1 ? 0 : ((1 ? 0 : (n0 >> 1)) + (-32768L /* -32767 - 1 */ - n0))) - 1 < 0 || n0 < -32768L /* -32767 - 1 */) && (n0 >> 1) < -32768L /* -32767 - 1 */ - n0 : ((n0 >> 1) <= -1 - n0)) || (((1 ? 0 : ((1 ? 0 : n0) + (n0 >> 1))) - 1 < 0 || 32767 < (n0 >> 1)) && 32767 < n0 + (n0 >> 1)) : (32767 < (n0 >> 1) || 32767 - (n0 >> 1) < n0))) ? (n = (short)((unsigned int)n0 + (unsigned int)(n0 >> 1))) , 1 : ((n = (short)((unsigned int)n0 + (unsigned int)(n0 >> 1))) , 0) : ((((n0 >> 1) < 0) ? (0 ? ((1 ? 0 : ((1 ? 0 : n0) + (0 - (n0 >> 1)))) - 1 < 0 || (n0 >> 1) < 0) && n0 < 0 - (n0 >> 1) : (n0 <= -1 - (n0 >> 1))) || ((((1 ? 0 : n0) - 1 < 0) ? 0 <= n0 : (65535L /* 32767 * 2 + 1 */ < n0)) && 65535L /* 32767 * 2 + 1 */ < n0 + (n0 >> 1)) : ((n0 < 0) ? (0 ? ((1 ? 0 : ((1 ? 0 : (n0 >> 1)) + (0 - n0))) - 1 < 0 || n0 < 0) && (n0 >> 1) < 0 - n0 : ((n0 >> 1) <= -1 - n0)) || (((1 ? 0 : ((1 ? 0 : n0) + (n0 >> 1))) - 1 < 0 || 65535L /* 32767 * 2 + 1 */ < (n0 >> 1)) && 65535L /* 32767 * 2 + 1 */ < n0 + (n0 >> 1)) : (65535L /* 32767 * 2 + 1 */ < (n0 >> 1) || 65535L /* 32767 * 2 + 1 */ - (n0 >> 1) < n0))) ? (n = (unsigned short)((unsigned int)n0 + (unsigned int)(n0 >> 1))) , 1 : ((n = (unsigned short)((unsigned int)n0 + (unsigned int)(n0 >> 1))) , 0)) : ((0 /* sizeof (n) == sizeof (int) */) ? ((1 ? 0 : n) - 1 < 0) ? (((n0 >> 1) < 0) ? ((1 /* -2147483647 - 1 */) ? ((1 ? 0 : ((1 ? 0 : n0) + (-2147483648L /* -2147483647 - 1 */ - (n0 >> 1)))) - 1 < 0 || (n0 >> 1) < -2147483648L /* -2147483647 - 1 */) && n0 < -2147483648L /* -2147483647 - 1 */ - (n0 >> 1) : (n0 <= -1 - (n0 >> 1))) || ((((1 ? 0 : n0) - 1 < 0) ? 0 <= n0 : (2147483647 < n0)) && 2147483647 < n0 + (n0 >> 1)) : ((n0 < 0) ? ((1 /* -2147483647 - 1 */) ? ((1 ? 0 : ((1 ? 0 : (n0 >> 1)) + (-2147483648L /* -2147483647 - 1 */ - n0))) - 1 < 0 || n0 < -2147483648L /* -2147483647 - 1 */) && (n0 >> 1) < -2147483648L /* -2147483647 - 1 */ - n0 : ((n0 >> 1) <= -1 - n0)) || (((1 ? 0 : ((1 ? 0 : n0) + (n0 >> 1))) - 1 < 0 || 2147483647 < (n0 >> 1)) && 2147483647 < n0 + (n0 >> 1)) : (2147483647 < (n0 >> 1) || 2147483647 - (n0 >> 1) < n0))) ? (n = (int)((unsigned int)n0 + (unsigned int)(n0 >> 1))) , 1 : ((n = (int)((unsigned int)n0 + (unsigned int)(n0 >> 1))) , 0) : ((((n0 >> 1) < 0) ? (0 ? ((1 ? 0 : ((1 ? 0 : n0) + (0 - (n0 >> 1)))) - 1 < 0 || (n0 >> 1) < 0) && n0 < 0 - (n0 >> 1) : (n0 <= -1 - (n0 >> 1))) || ((((1 ? 0 : n0) - 1 < 0) ? 0 <= n0 : (4294967295L /* 2147483647 * 2U + 1U */ < n0)) && 4294967295L /* 2147483647 * 2U + 1U */ < n0 + (n0 >> 1)) : ((n0 < 0) ? (0 ? ((1 ? 0 : ((1 ? 0 : (n0 >> 1)) + (0 - n0))) - 1 < 0 || n0 < 0) && (n0 >> 1) < 0 - n0 : ((n0 >> 1) <= -1 - n0)) || (((1 ? 0 : ((1 ? 0 : n0) + (n0 >> 1))) - 1 < 0 || 4294967295L /* 2147483647 * 2U + 1U */ < (n0 >> 1)) && 4294967295L /* 2147483647 * 2U + 1U */ < n0 + (n0 >> 1)) : (4294967295L /* 2147483647 * 2U + 1U */ < (n0 >> 1) || 4294967295L /* 2147483647 * 2U + 1U */ - (n0 >> 1) < n0))) ? (n = (unsigned int)((unsigned int)n0 + (unsigned int)(n0 >> 1))) , 1 : ((n = (unsigned int)((unsigned int)n0 + (unsigned int)(n0 >> 1))) , 0)) : ((1 /* sizeof (n) == sizeof (long) */) ? ((1 ? 0 : n) - 1 < 0) ? (((n0 >> 1) < 0) ? ((1 /* -9223372036854775807L - 1L */) ? ((1 ? 0 : ((1 ? 0 : n0) + (-9223372036854775808L /* -9223372036854775807L - 1L */ - (n0 >> 1)))) - 1 < 0 || (n0 >> 1) < -9223372036854775808L /* -9223372036854775807L - 1L */) && n0 < -9223372036854775808L /* -9223372036854775807L - 1L */ - (n0 >> 1) : (n0 <= -1 - (n0 >> 1))) || ((((1 ? 0 : n0) - 1 < 0) ? 0 <= n0 : (9223372036854775807L < n0)) && 9223372036854775807L < n0 + (n0 >> 1)) : ((n0 < 0) ? ((1 /* -9223372036854775807L - 1L */) ? ((1 ? 0 : ((1 ? 0 : (n0 >> 1)) + (-9223372036854775808L /* -9223372036854775807L - 1L */ - n0))) - 1 < 0 || n0 < -9223372036854775808L /* -9223372036854775807L - 1L */) && (n0 >> 1) < -9223372036854775808L /* -9223372036854775807L - 1L */ - n0 : ((n0 >> 1) <= -1 - n0)) || (((1 ? 0 : ((1 ? 0 : n0) + (n0 >> 1))) - 1 < 0 || 9223372036854775807L < (n0 >> 1)) && 9223372036854775807L < n0 + (n0 >> 1)) : (9223372036854775807L < (n0 >> 1) || 9223372036854775807L - (n0 >> 1) < n0))) ? (n = (long)((unsigned long)n0 + (unsigned long)(n0 >> 1))) , 1 : ((n = (long)((unsigned long)n0 + (unsigned long)(n0 >> 1))) , 0) : ((((n0 >> 1) < 0) ? (0 ? ((1 ? 0 : ((1 ? 0 : n0) + (0 - (n0 >> 1)))) - 1 < 0 || (n0 >> 1) < 0) && n0 < 0 - (n0 >> 1) : (n0 <= -1 - (n0 >> 1))) || ((((1 ? 0 : n0) - 1 < 0) ? 0 <= n0 : (18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < n0)) && 18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < n0 + (n0 >> 1)) : ((n0 < 0) ? (0 ? ((1 ? 0 : ((1 ? 0 : (n0 >> 1)) + (0 - n0))) - 1 < 0 || n0 < 0) && (n0 >> 1) < 0 - n0 : ((n0 >> 1) <= -1 - n0)) || (((1 ? 0 : ((1 ? 0 : n0) + (n0 >> 1))) - 1 < 0 || 18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < (n0 >> 1)) && 18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < n0 + (n0 >> 1)) : (18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ < (n0 >> 1) || 18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */ - (n0 >> 1) < n0))) ? (n = (unsigned long)((unsigned long)n0 + (unsigned long)(n0 >> 1))) , 1 : ((n = (unsigned long)((unsigned long)n0 + (unsigned long)(n0 >> 1))) , 0)) : (((1 ? 0 : n) - 1 < 0) ? (((n0 >> 1) < 0) ? ((1 /* -9223372036854775807LL - 1LL */) ? ((1 ? 0 : ((1 ? 0 : n0) + (-9223372036854775808LL /* -9223372036854775807LL - 1LL */ - (n0 >> 1)))) - 1 < 0 || (n0 >> 1) < -9223372036854775808LL /* -9223372036854775807LL - 1LL */) && n0 < -9223372036854775808LL /* -9223372036854775807LL - 1LL */ - (n0 >> 1) : (n0 <= -1 - (n0 >> 1))) || ((((1 ? 0 : n0) - 1 < 0) ? 0 <= n0 : (9223372036854775807LL < n0)) && 9223372036854775807LL < n0 + (n0 >> 1)) : ((n0 < 0) ? ((1 /* -9223372036854775807LL - 1LL */) ? ((1 ? 0 : ((1 ? 0 : (n0 >> 1)) + (-9223372036854775808LL /* -9223372036854775807LL - 1LL */ - n0))) - 1 < 0 || n0 < -9223372036854775808LL /* -9223372036854775807LL - 1LL */) && (n0 >> 1) < -9223372036854775808LL /* -9223372036854775807LL - 1LL */ - n0 : ((n0 >> 1) <= -1 - n0)) || (((1 ? 0 : ((1 ? 0 : n0) + (n0 >> 1))) - 1 < 0 || 9223372036854775807LL < (n0 >> 1)) && 9223372036854775807LL < n0 + (n0 >> 1)) : (9223372036854775807LL < (n0 >> 1) || 9223372036854775807LL - (n0 >> 1) < n0))) ? (n = (long long)((unsigned long long)n0 + (unsigned long long)(n0 >> 1))) , 1 : ((n = (long long)((unsigned long long)n0 + (unsigned long long)(n0 >> 1))) , 0) : ((((n0 >> 1) < 0) ? (0 ? ((1 ? 0 : ((1 ? 0 : n0) + (0 - (n0 >> 1)))) - 1 < 0 || (n0 >> 1) < 0) && n0 < 0 - (n0 >> 1) : (n0 <= -1 - (n0 >> 1))) || ((((1 ? 0 : n0) - 1 < 0) ? 0 <= n0 : (18446744073709551615ULL /* 9223372036854775807LL * 2ULL + 1ULL */ < n0)) && 18446744073709551615ULL /* 9223372036854775807LL * 2ULL + 1ULL */ < n0 + (n0 >> 1)) : ((n0 < 0) ? (0 ? ((1 ? 0 : ((1 ? 0 : (n0 >> 1)) + (0 - n0))) - 1 < 0 || n0 < 0) && (n0 >> 1) < 0 - n0 : ((n0 >> 1) <= -1 - n0)) || (((1 ? 0 : ((1 ? 0 : n0) + (n0 >> 1))) - 1 < 0 || 18446744073709551615ULL /* 9223372036854775807LL * 2ULL + 1ULL */ < (n0 >> 1)) && 18446744073709551615ULL /* 9223372036854775807LL * 2ULL + 1ULL */ < n0 + (n0 >> 1)) : (18446744073709551615ULL /* 9223372036854775807LL * 2ULL + 1ULL */ < (n0 >> 1) || 18446744073709551615ULL /* 9223372036854775807LL * 2ULL + 1ULL */ - (n0 >> 1) < n0))) ? (n = (unsigned long long)((unsigned long long)n0 + (unsigned long long)(n0 >> 1))) , 1 : ((n = (unsigned long long)((unsigned long long)n0 + (unsigned long long)(n0 >> 1))) , 0))))))", taking true branch. lib/xmalloc.c:242:3: 15. path: Condition "0 <= n_max", taking true branch. lib/xmalloc.c:242:3: 16. path: Condition "n_max < n", taking true branch. lib/xmalloc.c:254:3: 17. cond_at_least: Checking "s < 0L" implies that "s" is at least 0 on the false branch. lib/xmalloc.c:254:3: 18. cond_const: Checking "s == 0L" implies that "s" is 0 on the true branch. lib/xmalloc.c:258:3: 19. path: Condition "adjusted_nbytes", taking true branch. lib/xmalloc.c:260:7: 20. divide_by_zero: In expression "adjusted_nbytes / s", division by expression "s" which may be zero has undefined behavior. libinetutils/logwtmp.c:129:3: Type: Dereference after null check (FORWARD_NULL) libinetutils/logwtmp.c:118:3: 1. path: Condition "name", taking false branch. libinetutils/logwtmp.c:118:3: 2. var_compare_op: Comparing "name" to null implies that "name" might be null. libinetutils/logwtmp.c:129:3: 3. var_deref_model: Passing null pointer "name" to "strncpy", which dereferences it. [Note: The source code implementation of the function has been overridden by a builtin model.] src/inetd.c:1006:7: Type: Explicit null dereferenced (FORWARD_NULL) src/inetd.c:994:3: 1. assign_zero: Assigning: "argv" = "NULL". src/inetd.c:999:3: 2. path: Condition "serv_node", taking false branch. src/inetd.c:1004:3: 3. path: Condition "1", taking true branch. src/inetd.c:1006:7: 4. var_deref_model: Passing null pointer "argv" to "argcv_free", which dereferences it. libinetutils/argcv.c:129:3: 4.1. path: Condition "--argc >= 0", taking true branch. libinetutils/argcv.c:130:5: 4.2. deref_parm: Directly dereferencing parameter "argv". src/logger.c:170:7: Type: Dereference after null check (FORWARD_NULL) src/logger.c:145:3: 1. path: Condition "host != NULL", taking false branch. src/logger.c:145:3: 2. var_compare_op: Comparing "host" to null implies that "host" might be null. src/logger.c:145:3: 3. path: Condition "unixsock != NULL", taking false branch. src/logger.c:170:7: 4. var_deref_op: Dereferencing null pointer "host". ftp/ftp.c:959:3: Type: Dereference after null check (FORWARD_NULL) ftp/ftp.c:925:3: 1. path: Condition "strcmp(cmd, "RETR") == 0", taking true branch. ftp/ftp.c:926:3: 2. path: Condition "is_retr", taking true branch. ftp/ftp.c:926:3: 3. path: Condition "verbose", taking true branch. ftp/ftp.c:926:3: 4. path: Condition "printnames", taking true branch. ftp/ftp.c:928:7: 5. path: Condition "local", taking false branch. ftp/ftp.c:928:7: 6. var_compare_op: Comparing "local" to null implies that "local" might be null. ftp/ftp.c:930:7: 7. path: Condition "remote", taking true branch. ftp/ftp.c:933:3: 8. path: Condition "proxy", taking false branch. ftp/ftp.c:941:3: 9. path: Condition "!crflag", taking true branch. ftp/ftp.c:941:3: 10. path: Condition "is_retr", taking true branch. ftp/ftp.c:942:3: 11. path: Condition "setjmp(recvabort)", taking false branch. ftp/ftp.c:959:3: 12. var_deref_model: Passing null pointer "local" to "strcmp", which dereferences it. ftp/ftp.c:659:3: Type: Dereference after null check (FORWARD_NULL) ftp/ftp.c:622:3: 1. path: Condition "verbose", taking true branch. ftp/ftp.c:622:3: 2. path: Condition "printnames", taking true branch. ftp/ftp.c:624:7: 3. path: Condition "local", taking false branch. ftp/ftp.c:624:7: 4. var_compare_op: Comparing "local" to null implies that "local" might be null. ftp/ftp.c:626:7: 5. path: Condition "remote", taking true branch. ftp/ftp.c:629:3: 6. path: Condition "proxy", taking false branch. ftp/ftp.c:634:3: 7. path: Condition "curtype != type", taking true branch. ftp/ftp.c:640:3: 8. path: Condition "setjmp(sendabort)", taking false branch. ftp/ftp.c:659:3: 9. var_deref_model: Passing null pointer "local" to "strcmp", which dereferences it. ftp/cmdtab.c:295:8: Type: Dereference after null check (FORWARD_NULL) ftp/cmdtab.c:258:3: 1. path: Condition "argc == 1", taking true branch. ftp/cmdtab.c:264:7: 2. path: Condition "c < &cmdtab[77UL /* sizeof (cmdtab) / sizeof (cmdtab[0]) - 1 */]", taking true branch. ftp/cmdtab.c:268:4: 3. path: Condition "len > width", taking true branch. ftp/cmdtab.c:270:2: 4. path: Jumping back to the beginning of the loop. ftp/cmdtab.c:264:7: 5. path: Condition "c < &cmdtab[77UL /* sizeof (cmdtab) / sizeof (cmdtab[0]) - 1 */]", taking true branch. ftp/cmdtab.c:268:4: 6. path: Condition "len > width", taking false branch. ftp/cmdtab.c:270:2: 7. path: Jumping back to the beginning of the loop. ftp/cmdtab.c:264:7: 8. path: Condition "c < &cmdtab[77UL /* sizeof (cmdtab) / sizeof (cmdtab[0]) - 1 */]", taking false branch. ftp/cmdtab.c:273:7: 9. path: Condition "columns == 0", taking true branch. ftp/cmdtab.c:276:7: 10. path: Condition "i < lines", taking true branch. ftp/cmdtab.c:278:4: 11. path: Condition "j < columns", taking true branch. ftp/cmdtab.c:281:8: 12. path: Condition "c->c_name", taking true branch. ftp/cmdtab.c:281:8: 13. path: Condition "!proxy", taking true branch. ftp/cmdtab.c:284:3: 14. path: Falling through to end of if statement. ftp/cmdtab.c:290:8: 15. path: Condition "c + lines >= &cmdtab[77UL /* sizeof (cmdtab) / sizeof (cmdtab[0]) - 1 */]", taking true branch. ftp/cmdtab.c:293:5: 16. path: Breaking from loop. ftp/cmdtab.c:302:2: 17. path: Jumping back to the beginning of the loop. ftp/cmdtab.c:276:7: 18. path: Condition "i < lines", taking true branch. ftp/cmdtab.c:278:4: 19. path: Condition "j < columns", taking true branch. ftp/cmdtab.c:281:8: 20. path: Condition "c->c_name", taking true branch. ftp/cmdtab.c:281:8: 21. path: Condition "!proxy", taking true branch. ftp/cmdtab.c:284:3: 22. path: Falling through to end of if statement. ftp/cmdtab.c:290:8: 23. path: Condition "c + lines >= &cmdtab[77UL /* sizeof (cmdtab) / sizeof (cmdtab[0]) - 1 */]", taking true branch. ftp/cmdtab.c:293:5: 24. path: Breaking from loop. ftp/cmdtab.c:302:2: 25. path: Jumping back to the beginning of the loop. ftp/cmdtab.c:276:7: 26. path: Condition "i < lines", taking true branch. ftp/cmdtab.c:278:4: 27. path: Condition "j < columns", taking true branch. ftp/cmdtab.c:281:8: 28. path: Condition "c->c_name", taking false branch. ftp/cmdtab.c:285:13: 29. path: Condition "c->c_name", taking false branch. ftp/cmdtab.c:285:13: 30. var_compare_op: Comparing "c->c_name" to null implies that "c->c_name" might be null. ftp/cmdtab.c:290:8: 31. path: Condition "c + lines >= &cmdtab[77UL /* sizeof (cmdtab) / sizeof (cmdtab[0]) - 1 */]", taking false branch. ftp/cmdtab.c:295:8: 32. var_deref_model: Passing null pointer "c->c_name" to "strlen", which dereferences it. libtelnet/kerberos5.c:612:3: Type: Dereference after null check (FORWARD_NULL) libtelnet/kerberos5.c:464:3: 1. path: Condition "!r", taking true branch. libtelnet/kerberos5.c:464:3: 2. path: Condition "!auth_context", taking true branch. libtelnet/kerberos5.c:466:3: 3. path: Condition "!r", taking true branch. libtelnet/kerberos5.c:471:7: 4. path: Condition "!r", taking true branch. libtelnet/kerberos5.c:471:7: 5. path: Condition "!rcache", taking true branch. libtelnet/kerberos5.c:475:4: 6. path: Condition "!r", taking true branch. libtelnet/kerberos5.c:477:8: 7. path: Condition "0 < server->length", taking true branch. libtelnet/kerberos5.c:484:7: 8. path: Condition "!r", taking true branch. libtelnet/kerberos5.c:488:3: 9. path: Condition "!r", taking true branch. libtelnet/kerberos5.c:488:3: 10. path: Condition "telnet_srvtab", taking true branch. libtelnet/kerberos5.c:490:3: 11. path: Condition "!r", taking true branch. libtelnet/kerberos5.c:493:3: 12. path: Condition "r", taking false branch. libtelnet/kerberos5.c:503:3: 13. path: Condition "0 < ticket->server->length", taking true branch. libtelnet/kerberos5.c:503:3: 14. path: Condition "((0 < ticket->server->length) ? ticket->server->data + 0 : NULL)->length < 256", taking true branch. libtelnet/kerberos5.c:506:7: 15. path: Condition "0 < ticket->server->length", taking true branch. libtelnet/kerberos5.c:506:7: 16. path: Condition "0 < ticket->server->length", taking true branch. libtelnet/kerberos5.c:510:7: 17. path: Condition "0 < ticket->server->length", taking true branch. libtelnet/kerberos5.c:512:7: 18. path: Condition "strcmp("host", princ)", taking false branch. libtelnet/kerberos5.c:518:5: 19. path: Falling through to end of if statement. libtelnet/kerberos5.c:527:3: 20. path: Condition "r", taking false branch. libtelnet/kerberos5.c:545:3: 21. path: Condition "authenticator->checksum", taking true branch. libtelnet/kerberos5.c:556:7: 22. path: Condition "r", taking false branch. libtelnet/kerberos5.c:570:7: 23. path: Condition "r", taking false branch. libtelnet/kerberos5.c:597:3: 24. path: Condition "(ap->way & 2) == 2", taking true branch. libtelnet/kerberos5.c:599:7: 25. path: Condition "r = krb5_mk_rep(telnet_context, auth_context, &outbuf)", taking false branch. libtelnet/kerberos5.c:609:3: 26. path: Condition "krb5_unparse_name(telnet_context, ticket->enc_part2->client, &name)", taking true branch. libtelnet/kerberos5.c:612:3: 27. path: Condition "name", taking false branch. libtelnet/kerberos5.c:612:3: 28. var_compare_op: Comparing "name" to null implies that "name" might be null. libtelnet/kerberos5.c:612:3: 29. var_deref_model: Passing null pointer "name" to "Data", which dereferences it. libtelnet/kerberos5.c:89:3: 29.1. var_assign_parm: Assigning: "cd" = "d". libtelnet/kerberos5.c:91:3: 29.2. path: Condition "c == -1", taking true branch. libtelnet/kerberos5.c:92:5: 29.3. deref_var_in_call: Function "strlen" dereferences "cd" (which is a copy of "d"). ftpd/ftpcmd.y:1632:7: Type: Missing break in switch (MISSING_BREAK) ftpd/ftpcmd.y:1632:7: unterminated_case: The case for value "4" is not terminated by a "break" statement. ftpd/ftpcmd.y:1639:7: fallthrough: The above case falls through to this one. ftpd/ftpcmd.y:1654:7: Type: Missing break in switch (MISSING_BREAK) ftpd/ftpcmd.y:1654:7: unterminated_case: The case for value "6" is not terminated by a "break" statement. ftpd/ftpcmd.y:1661:7: fallthrough: The above case falls through to this one. src/syslogd.c:910:7: Type: Argument cannot be negative (NEGATIVE_RETURNS) src/syslogd.c:888:3: 1. path: Condition "path[0] == 0", taking false branch. src/syslogd.c:891:3: 2. path: Condition "strlen(path) >= 108UL /* sizeof (sunx.sun_path) */", taking false branch. src/syslogd.c:903:3: 3. negative_return_fn: Function "socket(1, SOCK_DGRAM, 0)" returns a negative number. src/syslogd.c:903:3: 4. assign: Assigning: "fd" = "socket(1, SOCK_DGRAM, 0)". src/syslogd.c:904:3: 5. path: Condition "fd < 0", taking true branch. src/syslogd.c:910:7: 6. negative_returns: "fd" is passed to a parameter that cannot be negative. tests/tcpget.c:115:2: Type: Argument cannot be negative (NEGATIVE_RETURNS) tests/tcpget.c:61:3: 1. path: Condition "(opt = rpl_getopt(argc, argv, "t:")) != -1", taking false branch. tests/tcpget.c:79:3: 2. path: Condition "argc < rpl_optind + 2", taking false branch. tests/tcpget.c:88:3: 3. path: Condition "rc", taking false branch. tests/tcpget.c:94:3: 4. path: Condition "ai", taking true branch. tests/tcpget.c:97:7: 5. path: Condition "fd < 0", taking true branch. tests/tcpget.c:98:2: 6. path: Continuing loop. tests/tcpget.c:94:3: 7. path: Condition "ai", taking true branch. tests/tcpget.c:97:7: 8. path: Condition "fd < 0", taking false branch. tests/tcpget.c:100:7: 9. path: Condition "connect(fd, __CONST_SOCKADDR_ARG({.__sockaddr__ = ai->ai_addr}), ai->ai_addrlen) >= 0", taking true branch. tests/tcpget.c:101:2: 10. path: Breaking from loop. tests/tcpget.c:108:3: 11. path: Condition "ai", taking true branch. tests/tcpget.c:108:3: 12. path: Condition "fd >= 0", taking true branch. tests/tcpget.c:114:7: 13. path: Condition "n = recv(fd, buffer, 256UL /* sizeof (buffer) */, 0)", taking true branch. tests/tcpget.c:115:34: 14. path: Jumping back to the beginning of the loop. tests/tcpget.c:114:7: 15. negative_return_fn: Function "recv(fd, buffer, 256UL, 0)" returns a negative number. [Note: The source code implementation of the function has been overridden by a builtin model.] tests/tcpget.c:114:7: 16. assign: Assigning: "n" = "recv(fd, buffer, 256UL, 0)". tests/tcpget.c:114:7: 17. path: Condition "n = recv(fd, buffer, 256UL /* sizeof (buffer) */, 0)", taking true branch. tests/tcpget.c:115:2: 18. negative_returns: "n" is passed to a parameter that cannot be negative. ftpd/ftpd.c:1210:3: Type: Argument cannot be negative (NEGATIVE_RETURNS) ftpd/ftpd.c:1152:3: 1. path: Condition "data >= 0", taking false branch. ftpd/ftpd.c:1155:3: 2. negative_return_fn: Function "socket(ctrl_addr.ss_family, SOCK_STREAM, 0)" returns a negative number. ftpd/ftpd.c:1155:3: 3. assign: Assigning: "s" = "socket(ctrl_addr.ss_family, SOCK_STREAM, 0)". ftpd/ftpd.c:1156:3: 4. path: Condition "s < 0", taking true branch. ftpd/ftpd.c:1157:5: 5. path: Jumping to label "bad". ftpd/ftpd.c:1208:3: 6. path: Condition "seteuid((uid_t)cred.uid) != 0", taking false branch. ftpd/ftpd.c:1210:3: 7. negative_returns: "s" is passed to a parameter that cannot be negative. ftp/ftp.c:254:3: Type: Argument cannot be negative (NEGATIVE_RETURNS) ftp/ftp.c:137:3: 1. path: Condition "p", taking false branch. ftp/ftp.c:167:3: 2. path: Condition "status", taking false branch. ftp/ftp.c:175:3: 3. path: Condition "res->ai_canonname", taking true branch. ftp/ftp.c:176:71: 4. path: Falling through to end of if statement. ftp/ftp.c:184:3: 5. path: Condition "ai != NULL", taking true branch. ftp/ftp.c:186:7: 6. path: Condition "again", taking false branch. ftp/ftp.c:194:7: 7. path: Condition "s < 0", taking false branch. ftp/ftp.c:199:7: 8. path: Condition "setsockopt(s, 1, 21, &timeout, 16U /* sizeof (timeout) */) < 0", taking false branch. ftp/ftp.c:203:7: 9. path: Condition "connect(s, __CONST_SOCKADDR_ARG({.__sockaddr__ = ai->ai_addr}), ai->ai_addrlen) < 0", taking false branch. ftp/ftp.c:223:7: 10. path: Breaking from loop. ftp/ftp.c:226:3: 11. path: Condition "res", taking true branch. ftp/ftp.c:229:3: 12. path: Condition "ai == NULL", taking false branch. ftp/ftp.c:237:3: 13. path: Condition "getsockname(s, __SOCKADDR_ARG({.__sockaddr__ = (struct sockaddr *)&myctladdr}), &len) < 0", taking false branch. ftp/ftp.c:246:3: 14. path: Condition "myctladdr.ss_family == 2", taking true branch. ftp/ftp.c:246:3: 15. path: Condition "setsockopt(s, IPPROTO_IP, 1, (char *)&tos, 4U /* sizeof (int) */) < 0", taking false branch. ftp/ftp.c:254:3: 16. negative_return_fn: Function "dup(s)" returns a negative number. ftp/ftp.c:254:3: 17. negative_returns: "dup(s)" is passed to a parameter that cannot be negative. lib/anytostr.c:41:7: Type: Unsigned compared against 0 (NO_EFFECT) lib/anytostr.c:41:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "i < 0U". lib/anytostr.c:41:7: Type: Unsigned compared against 0 (NO_EFFECT) lib/anytostr.c:41:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "i < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: Type: Macro compares unsigned to 0 (NO_EFFECT) lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : element_size) + -128)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : element_size) + -128)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : element_size) + -128)) + 0UL)) < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : element_size) + -2147483648)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : element_size) + -2147483648)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : element_size) + -2147483648)) + 0UL)) < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : element_size) + -32768)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : element_size) + -32768)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : element_size) + -32768)) + 0UL)) < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : element_size) + -9223372036854775808L)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : element_size) + -9223372036854775808L)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : element_size) + -9223372036854775808L)) + 0UL)) < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : element_size) + 0UL)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : element_size) + 0UL)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : element_size) + 0UL)) + 0UL)) < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : new_allocated) + -128)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : new_allocated) + -128)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : new_allocated) + -128)) + 0UL)) < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : new_allocated) + -2147483648)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : new_allocated) + -2147483648)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : new_allocated) + -2147483648)) + 0UL)) < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : new_allocated) + -32768)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : new_allocated) + -32768)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : new_allocated) + -32768)) + 0UL)) < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : new_allocated) + -9223372036854775808L)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : new_allocated) + -9223372036854775808L)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : new_allocated) + -9223372036854775808L)) + 0UL)) < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : new_allocated) + 0UL)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : new_allocated) + 0UL)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : new_allocated) + 0UL)) + 0UL)) < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : element_size) - 1UL < 0UL) ? ~((((1 ? 0UL : element_size) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : element_size) + 0UL)) < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0ULL : ((1 ? 0UL : element_size) + -9223372036854775808LL)) - 1ULL < 0ULL) ? ~((((1 ? 0ULL : ((1 ? 0UL : element_size) + -9223372036854775808LL)) + 1ULL << 62UL) - 1ULL) * 2ULL + 1ULL) : ((1 ? 0ULL : ((1 ? 0UL : element_size) + -9223372036854775808LL)) + 0ULL)) < 0ULL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0ULL : ((1 ? 0UL : new_allocated) + -9223372036854775808LL)) - 1ULL < 0ULL) ? ~((((1 ? 0ULL : ((1 ? 0UL : new_allocated) + -9223372036854775808LL)) + 1ULL << 62UL) - 1ULL) * 2ULL + 1ULL) : ((1 ? 0ULL : ((1 ? 0UL : new_allocated) + -9223372036854775808LL)) + 0ULL)) < 0ULL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : element_size) + -128)) - 1UL < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : element_size) + -2147483648)) - 1UL < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : element_size) + -32768)) - 1UL < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : element_size) + -9223372036854775808L)) - 1UL < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : element_size) + 0UL)) - 1UL < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : new_allocated) + -128)) - 1UL < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : new_allocated) + -2147483648)) - 1UL < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : new_allocated) + -32768)) - 1UL < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : new_allocated) + -9223372036854775808L)) - 1UL < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : new_allocated) + 0UL)) - 1UL < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : (0UL + element_size)) - 1UL < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : element_size) - 1UL < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : new_allocated) - 1UL < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : new_size) - 1UL < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0ULL : ((1 ? 0UL : element_size) + -9223372036854775808LL)) - 1ULL < 0ULL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0ULL : ((1 ? 0UL : new_allocated) + -9223372036854775808LL)) - 1ULL < 0ULL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0ULL : (0ULL + element_size)) - 1ULL < 0ULL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "element_size < 0UL". lib/malloc/dynarray_emplace_enlarge.c:59:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "new_allocated < 0UL". lib/malloc/dynarray_resize.c:45:7: Type: Macro compares unsigned to 0 (NO_EFFECT) lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : element_size) + -128)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : element_size) + -128)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : element_size) + -128)) + 0UL)) < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : element_size) + -2147483648)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : element_size) + -2147483648)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : element_size) + -2147483648)) + 0UL)) < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : element_size) + -32768)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : element_size) + -32768)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : element_size) + -32768)) + 0UL)) < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : element_size) + -9223372036854775808L)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : element_size) + -9223372036854775808L)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : element_size) + -9223372036854775808L)) + 0UL)) < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : element_size) + 0UL)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : element_size) + 0UL)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : element_size) + 0UL)) + 0UL)) < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : size) + -128)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : size) + -128)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : size) + -128)) + 0UL)) < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : size) + -2147483648)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : size) + -2147483648)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : size) + -2147483648)) + 0UL)) < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : size) + -32768)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : size) + -32768)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : size) + -32768)) + 0UL)) < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : size) + -9223372036854775808L)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : size) + -9223372036854775808L)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : size) + -9223372036854775808L)) + 0UL)) < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : ((1 ? 0UL : size) + 0UL)) - 1UL < 0UL) ? ~((((1 ? 0UL : ((1 ? 0UL : size) + 0UL)) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : ((1 ? 0UL : size) + 0UL)) + 0UL)) < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0UL : element_size) - 1UL < 0UL) ? ~((((1 ? 0UL : element_size) + 1UL << 62UL) - 1UL) * 2UL + 1UL) : ((1 ? 0UL : element_size) + 0UL)) < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0ULL : ((1 ? 0UL : element_size) + -9223372036854775808LL)) - 1ULL < 0ULL) ? ~((((1 ? 0ULL : ((1 ? 0UL : element_size) + -9223372036854775808LL)) + 1ULL << 62UL) - 1ULL) * 2ULL + 1ULL) : ((1 ? 0ULL : ((1 ? 0UL : element_size) + -9223372036854775808LL)) + 0ULL)) < 0ULL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(((1 ? 0ULL : ((1 ? 0UL : size) + -9223372036854775808LL)) - 1ULL < 0ULL) ? ~((((1 ? 0ULL : ((1 ? 0UL : size) + -9223372036854775808LL)) + 1ULL << 62UL) - 1ULL) * 2ULL + 1ULL) : ((1 ? 0ULL : ((1 ? 0UL : size) + -9223372036854775808LL)) + 0ULL)) < 0ULL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : element_size) + -128)) - 1UL < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : element_size) + -2147483648)) - 1UL < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : element_size) + -32768)) - 1UL < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : element_size) + -9223372036854775808L)) - 1UL < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : element_size) + 0UL)) - 1UL < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : size) + -128)) - 1UL < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : size) + -2147483648)) - 1UL < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : size) + -32768)) - 1UL < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : size) + -9223372036854775808L)) - 1UL < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : size) + 0UL)) - 1UL < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : (0UL + element_size)) - 1UL < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : element_size) - 1UL < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : new_size_bytes) - 1UL < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : size) - 1UL < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0ULL : ((1 ? 0UL : element_size) + -9223372036854775808LL)) - 1ULL < 0ULL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0ULL : ((1 ? 0UL : size) + -9223372036854775808LL)) - 1ULL < 0ULL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0ULL : (0ULL + element_size)) - 1ULL < 0ULL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "element_size < 0UL". lib/malloc/dynarray_resize.c:45:7: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "size < 0UL". lib/xmalloc.c:199:11: Type: Macro compares unsigned to 0 (NO_EFFECT) lib/xmalloc.c:199:11: unsigned_compare: This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "0UL <= n". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : ((n >> 1) + 1UL)) + (-128 - n))) - 1UL < 0UL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : ((n >> 1) + 1UL)) + (-2147483648 - n))) - 1UL < 0UL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : ((n >> 1) + 1UL)) + (-32768 - n))) - 1UL < 0UL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : ((n >> 1) + 1UL)) + (-9223372036854775808L - n))) - 1UL < 0UL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : ((n >> 1) + 1UL)) + (0UL - n))) - 1UL < 0UL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : n) + ((n >> 1) + 1UL))) - 1UL < 0UL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : n) + (-128 - ((n >> 1) + 1UL)))) - 1UL < 0UL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : n) + (-2147483648 - ((n >> 1) + 1UL)))) - 1UL < 0UL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : n) + (-32768 - ((n >> 1) + 1UL)))) - 1UL < 0UL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : n) + (-9223372036854775808L - ((n >> 1) + 1UL)))) - 1UL < 0UL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : n) + (0UL - ((n >> 1) + 1UL)))) - 1UL < 0UL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : n) - 1UL < 0UL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0ULL : ((1 ? 0UL : ((n >> 1) + 1UL)) + (-9223372036854775808LL - n))) - 1ULL < 0ULL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0ULL : ((1 ? 0UL : n) + (-9223372036854775808LL - ((n >> 1) + 1UL)))) - 1ULL < 0ULL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(n >> 1) + 1UL < 0UL". lib/xmalloc.c:199:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "n < 0UL". lib/malloca.c:53:8: Type: Macro compares unsigned to 0 (NO_EFFECT) lib/malloca.c:53:8: unsigned_compare: This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "0UL <= n". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0 : plus) + (-128 - n))) - 1UL < 0UL". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0 : plus) + (-2147483648 - n))) - 1UL < 0UL". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0 : plus) + (-32768 - n))) - 1UL < 0UL". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0 : plus) + (-9223372036854775808L - n))) - 1UL < 0UL". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0 : plus) + (0UL - n))) - 1UL < 0UL". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : n) + (-128 - plus))) - 1UL < 0UL". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : n) + (-2147483648 - plus))) - 1UL < 0UL". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : n) + (-32768 - plus))) - 1UL < 0UL". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : n) + (-9223372036854775808L - plus))) - 1UL < 0UL". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : n) + (0 - plus))) - 1UL < 0UL". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : n) + plus)) - 1UL < 0UL". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : n) - 1UL < 0UL". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0ULL : ((1 ? 0 : plus) + (-9223372036854775808LL - n))) - 1ULL < 0ULL". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0ULL : ((1 ? 0UL : n) + (-9223372036854775808LL - plus))) - 1ULL < 0ULL". lib/malloca.c:53:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "n < 0UL". lib/malloca.c:62:11: unsigned_compare: This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "0UL <= umem". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : umem) + (-128 - 16UL))) - 1UL < 0UL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : umem) + (-2147483648 - 16UL))) - 1UL < 0UL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : umem) + (-32768 - 16UL))) - 1UL < 0UL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : umem) + (-9223372036854775808L - 16UL))) - 1UL < 0UL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : umem) + 16UL)) - 1UL < 0UL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : ((1 ? 0UL : umem) + 18446744073709551600UL)) - 1UL < 0UL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : (0UL + (-128 - umem))) - 1UL < 0UL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : (0UL + (-2147483648 - umem))) - 1UL < 0UL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : (0UL + (-32768 - umem))) - 1UL < 0UL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : (0UL + (-9223372036854775808L - umem))) - 1UL < 0UL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : (0UL + (0UL - umem))) - 1UL < 0UL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : umem) - 1UL < 0UL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : umemplus) - 1UL < 0UL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0ULL : ((1 ? 0UL : umem) + (-9223372036854775808LL - 16ULL))) - 1ULL < 0ULL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0ULL : (0ULL + (-9223372036854775808LL - umem))) - 1ULL < 0ULL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "16UL < 0UL". lib/malloca.c:62:11: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "umem < 0UL". lib/xmalloc.c:255:8: Type: Macro compares unsigned to 0 (NO_EFFECT) lib/xmalloc.c:255:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : (0UL + s)) - 1UL < 0UL". lib/xmalloc.c:255:8: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0ULL : (0ULL + s)) - 1ULL < 0ULL". lib/xmalloc.c:269:14: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0UL : (0UL + s)) - 1UL < 0UL". lib/xmalloc.c:269:14: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "(1 ? 0ULL : (0ULL + s)) - 1ULL < 0ULL". ifconfig/printif.c:284:3: Type: Dereference null return value (NULL_RETURNS) ifconfig/printif.c:283:3: Call to null-returning function 1. returned_null: "strchr" returns "NULL" (checked 54 out of 60 times). ifconfig/printif.c:283:3: 2. var_assigned: Assigning: "p" = "NULL" return value from "strchr". ifconfig/printif.c:284:3: 3. dereference: Dereferencing "p", which is known to be "NULL". ftp/cmds.c:179:7: Examples where return value was checked for null 4. example_assign: Example 1: Assigning: "nl" = return value from "strchr(arg, 10)". ftp/cmds.c:180:7: 5. example_checked: Example 1 (cont.): "nl" has its value checked in "nl". ftp/main.c:410:8: Examples where return value was checked for null 6. example_assign: Example 2: Assigning: "nl" = return value from "strchr(line, 10)". ftp/main.c:412:8: 7. example_checked: Example 2 (cont.): "nl" has its value checked in "nl". ftp/ruserpass.c:197:6: Examples where return value was checked for null 8. example_assign: Example 3: Assigning: "tmp" = return value from "strchr(host, 46)". ftp/ruserpass.c:198:6: 9. example_checked: Example 3 (cont.): "tmp" has its value checked in "tmp != NULL". ftpd/ftpcmd.y:2023:3: Examples where return value was checked for null 10. example_assign: Example 4: Assigning: "cp" = return value from "strchr(cbuf, 10)". ftpd/ftpcmd.y:2024:3: 11. example_checked: Example 4 (cont.): "cp" has its value checked in "cp != NULL". ftpd/ftpcmd.y:1563:4: Examples where return value was checked for null 12. example_assign: Example 5: Assigning: "cp" = return value from "strchr(cbuf, 13)". ftpd/ftpcmd.y:1564:4: 13. example_checked: Example 5 (cont.): "cp" has its value checked in "cp". ifconfig/printif.c:288:3: Type: Dereference null return value (NULL_RETURNS) ifconfig/printif.c:287:3: Call to null-returning function 1. returned_null: "strchr" returns "NULL" (checked 54 out of 60 times). ifconfig/printif.c:287:3: 2. var_assigned: Assigning: "p" = "NULL" return value from "strchr". ifconfig/printif.c:288:3: 3. dereference: Dereferencing "p", which is known to be "NULL". ftp/cmds.c:179:7: Examples where return value was checked for null 4. example_assign: Example 1: Assigning: "nl" = return value from "strchr(arg, 10)". ftp/cmds.c:180:7: 5. example_checked: Example 1 (cont.): "nl" has its value checked in "nl". ftp/main.c:410:8: Examples where return value was checked for null 6. example_assign: Example 2: Assigning: "nl" = return value from "strchr(line, 10)". ftp/main.c:412:8: 7. example_checked: Example 2 (cont.): "nl" has its value checked in "nl". ftp/ruserpass.c:197:6: Examples where return value was checked for null 8. example_assign: Example 3: Assigning: "tmp" = return value from "strchr(host, 46)". ftp/ruserpass.c:198:6: 9. example_checked: Example 3 (cont.): "tmp" has its value checked in "tmp != NULL". ftpd/ftpcmd.y:2023:3: Examples where return value was checked for null 10. example_assign: Example 4: Assigning: "cp" = return value from "strchr(cbuf, 10)". ftpd/ftpcmd.y:2024:3: 11. example_checked: Example 4 (cont.): "cp" has its value checked in "cp != NULL". ftpd/ftpcmd.y:1563:4: Examples where return value was checked for null 12. example_assign: Example 5: Assigning: "cp" = return value from "strchr(cbuf, 13)". ftpd/ftpcmd.y:1564:4: 13. example_checked: Example 5 (cont.): "cp" has its value checked in "cp". ifconfig/printif.c:280:3: Type: Dereference null return value (NULL_RETURNS) ifconfig/printif.c:278:3: Call to null-returning function 1. returned_null: "strchr" returns "NULL" (checked 54 out of 60 times). ifconfig/printif.c:278:3: 2. var_assigned: Assigning: "p" = "NULL" return value from "strchr". ifconfig/printif.c:280:3: 3. dereference: Dereferencing "p", which is known to be "NULL". ftp/cmds.c:179:7: Examples where return value was checked for null 4. example_assign: Example 1: Assigning: "nl" = return value from "strchr(arg, 10)". ftp/cmds.c:180:7: 5. example_checked: Example 1 (cont.): "nl" has its value checked in "nl". ftp/main.c:410:8: Examples where return value was checked for null 6. example_assign: Example 2: Assigning: "nl" = return value from "strchr(line, 10)". ftp/main.c:412:8: 7. example_checked: Example 2 (cont.): "nl" has its value checked in "nl". ftp/ruserpass.c:197:6: Examples where return value was checked for null 8. example_assign: Example 3: Assigning: "tmp" = return value from "strchr(host, 46)". ftp/ruserpass.c:198:6: 9. example_checked: Example 3 (cont.): "tmp" has its value checked in "tmp != NULL". ftpd/ftpcmd.y:2023:3: Examples where return value was checked for null 10. example_assign: Example 4: Assigning: "cp" = return value from "strchr(cbuf, 10)". ftpd/ftpcmd.y:2024:3: 11. example_checked: Example 4 (cont.): "cp" has its value checked in "cp != NULL". ftpd/ftpcmd.y:1563:4: Examples where return value was checked for null 12. example_assign: Example 5: Assigning: "cp" = return value from "strchr(cbuf, 13)". ftpd/ftpcmd.y:1564:4: 13. example_checked: Example 5 (cont.): "cp" has its value checked in "cp". telnet/commands.c:1920:7: Type: Dereference null return value (NULL_RETURNS) telnet/commands.c:1897:3: Call to null-returning function 1. path: Condition "*epp", taking true branch. telnet/commands.c:1900:7: 2. path: Condition "cp", taking false branch. telnet/commands.c:1907:5: 3. path: Jumping back to the beginning of the loop. telnet/commands.c:1897:3: 4. path: Condition "*epp", taking false branch. telnet/commands.c:1913:3: 5. path: Condition "ep = env_find("DISPLAY")", taking true branch. telnet/commands.c:1913:3: 6. path: Condition "*ep->value == 58", taking true branch. telnet/commands.c:1918:7: 7. returned_null: "strchr" returns "NULL" (checked 54 out of 60 times). telnet/commands.c:1918:7: 8. var_assigned: Assigning: "cp2" = "NULL" return value from "strchr". telnet/commands.c:1920:7: 9. dereference: Dereferencing a pointer that might be "NULL" "cp2" when calling "strlen". ftp/cmds.c:179:7: Examples where return value was checked for null 10. example_assign: Example 1: Assigning: "nl" = return value from "strchr(arg, 10)". ftp/cmds.c:180:7: 11. example_checked: Example 1 (cont.): "nl" has its value checked in "nl". ftp/main.c:410:8: Examples where return value was checked for null 12. example_assign: Example 2: Assigning: "nl" = return value from "strchr(line, 10)". ftp/main.c:412:8: 13. example_checked: Example 2 (cont.): "nl" has its value checked in "nl". ftp/ruserpass.c:197:6: Examples where return value was checked for null 14. example_assign: Example 3: Assigning: "tmp" = return value from "strchr(host, 46)". ftp/ruserpass.c:198:6: 15. example_checked: Example 3 (cont.): "tmp" has its value checked in "tmp != NULL". ftpd/ftpcmd.y:2023:3: Examples where return value was checked for null 16. example_assign: Example 4: Assigning: "cp" = return value from "strchr(cbuf, 10)". ftpd/ftpcmd.y:2024:3: 17. example_checked: Example 4 (cont.): "cp" has its value checked in "cp != NULL". ftpd/ftpcmd.y:1563:4: Examples where return value was checked for null 18. example_assign: Example 5: Assigning: "cp" = return value from "strchr(cbuf, 13)". ftpd/ftpcmd.y:1564:4: 19. example_checked: Example 5 (cont.): "cp" has its value checked in "cp". tests/test-snprintf.c:57:3: Type: Copy of overlapping memory (OVERLAPPING_COPY) tests/test-snprintf.c:57:3: 1. overlapping_copy: In the call to function "snprintf", the arguments "msg" and "msg" may point to the same object. ping/libping.c:195:3: Type: Out-of-bounds read (OVERRUN) ping/libping.c:192:3: 1. alias: Assigning: "orig_ip" = "&icmp->icmp_dun.id_ip.idi_ip". "orig_ip" now points to element 0 of "icmp->icmp_dun.id_ip.idi_ip" (which consists of 1 20-byte elements). ping/libping.c:193:3: 2. alias: Assigning: "orig_icmp" = "orig_ip + 1". "orig_icmp" now points to byte 20 of "icmp->icmp_dun.id_ip.idi_ip" (which consists of 20 bytes). ping/libping.c:195:3: 3. path: Condition "orig_ip->ip_dst.s_addr == p->ping_dest.ping_sockaddr.sin_addr.s_addr", taking true branch. ping/libping.c:195:3: 4. path: Condition "orig_ip->ip_p == IPPROTO_ICMP", taking true branch. ping/libping.c:195:3: 5. overrun-local: Overrunning array of 20 bytes at byte offset 20 by dereferencing pointer "orig_icmp". ftpd/pam.c:265:8: Type: Out-of-bounds access (OVERRUN) ftpd/pam.c:265:8: 1. alloc_strlen: Allocating insufficient memory for the terminating null of the string. ftpd/pam.c:267:3: 2. path: Condition "pamh != NULL", taking true branch. ftpd/pam.c:284:3: 3. path: Condition "error == 0", taking true branch. ftpd/pam.c:286:3: 4. path: Condition "error == 0", taking true branch. ftpd/pam.c:288:3: 5. path: Condition "error != 0", taking true branch. ftpd/pam.c:294:3: 6. path: Condition "pamh", taking false branch. ftpd/pam.c:297:3: 7. path: Condition "error != 0", taking true branch. talkd/acl.c:180:7: Type: Out-of-bounds access (OVERRUN) talkd/acl.c:138:3: 1. path: Condition "!config_file", taking false branch. talkd/acl.c:138:3: 2. path: Condition "!config_file[0]", taking false branch. talkd/acl.c:142:3: 3. path: Condition "!fp", taking false branch. talkd/acl.c:155:3: 4. path: Condition "system < 0", taking true branch. talkd/acl.c:170:7: 5. path: Condition "!acl", taking false branch. talkd/acl.c:175:7: 6. path: Condition "regcomp(&re, any_user, 0) != 0", taking false branch. talkd/acl.c:180:7: 7. overrun-buffer-val: Overrunning array "any_host" of 4 bytes by passing it to a function which accesses it at byte offset 15. talkd/acl.c:82:3: 7.1. path: Condition "strcmp(str, "any") == 0", taking false branch. talkd/acl.c:89:7: 7.2. access_dbuff_const: Calling "read_address" indexes array "str" at index 15. talkd/acl.c:55:3: 7.2.1. var_assign_parm: Assigning: "startp" = "*line_ptr". talkd/acl.c:59:3: 7.2.2. path: Condition "*endp", taking true branch. talkd/acl.c:60:5: 7.2.3. path: Condition "*__ctype_b_loc()[(int)*endp] & 2048 /* (unsigned short)_ISdigit */", taking false branch. talkd/acl.c:60:5: 7.2.4. path: Condition "*endp == '.'", taking true branch. talkd/acl.c:62:10: 7.2.5. element_addr: Forming the address of the element at index "16" requires buffer "startp" to have at least 16 elements. ftp/cmdtab.c:290:8: Type: Illegal address computation (OVERRUN) ftp/cmdtab.c:258:3: 1. path: Condition "argc == 1", taking true branch. ftp/cmdtab.c:264:7: 2. path: Condition "c < &cmdtab[77UL /* sizeof (cmdtab) / sizeof (cmdtab[0]) - 1 */]", taking true branch. ftp/cmdtab.c:268:4: 3. path: Condition "len > width", taking true branch. ftp/cmdtab.c:270:2: 4. path: Jumping back to the beginning of the loop. ftp/cmdtab.c:264:7: 5. path: Condition "c < &cmdtab[77UL /* sizeof (cmdtab) / sizeof (cmdtab[0]) - 1 */]", taking true branch. ftp/cmdtab.c:268:4: 6. path: Condition "len > width", taking true branch. ftp/cmdtab.c:270:2: 7. path: Jumping back to the beginning of the loop. ftp/cmdtab.c:264:7: 8. path: Condition "c < &cmdtab[77UL /* sizeof (cmdtab) / sizeof (cmdtab[0]) - 1 */]", taking false branch. ftp/cmdtab.c:273:7: 9. path: Condition "columns == 0", taking true branch. ftp/cmdtab.c:274:2: 10. assignment: Assigning: "columns" = "1". ftp/cmdtab.c:275:7: 11. assignment: Assigning: "lines" = "(77UL + columns - 1UL) / columns". The value of "lines" is now 77. ftp/cmdtab.c:276:7: 12. path: Condition "i < lines", taking true branch. ftp/cmdtab.c:278:4: 13. path: Condition "j < columns", taking true branch. ftp/cmdtab.c:281:8: 14. path: Condition "c->c_name", taking true branch. ftp/cmdtab.c:281:8: 15. path: Condition "!proxy", taking false branch. ftp/cmdtab.c:281:8: 16. path: Condition "c->c_proxy", taking true branch. ftp/cmdtab.c:284:3: 17. path: Falling through to end of if statement. ftp/cmdtab.c:290:8: 18. path: Condition "c + lines >= &cmdtab[77UL /* sizeof (cmdtab) / sizeof (cmdtab[0]) - 1 */]", taking true branch. ftp/cmdtab.c:293:5: 19. path: Breaking from loop. ftp/cmdtab.c:302:2: 20. path: Jumping back to the beginning of the loop. ftp/cmdtab.c:276:7: 21. path: Condition "i < lines", taking true branch. ftp/cmdtab.c:276:7: 22. cond_at_most: Checking "i < lines" implies that "i" may be up to 76 on the true branch. ftp/cmdtab.c:278:9: 23. assignment: Assigning: "j" = "0". ftp/cmdtab.c:278:4: 24. path: Condition "j < columns", taking true branch. ftp/cmdtab.c:280:8: 25. alias: Assigning: "c" = "cmdtab + j * lines + i". "c" may now point to as high as element 76 of "cmdtab" (which consists of 78 32-byte elements). ftp/cmdtab.c:281:8: 26. path: Condition "c->c_name", taking true branch. ftp/cmdtab.c:281:8: 27. path: Condition "!proxy", taking false branch. ftp/cmdtab.c:281:8: 28. path: Condition "c->c_proxy", taking false branch. ftp/cmdtab.c:285:13: 29. path: Condition "c->c_name", taking true branch. ftp/cmdtab.c:287:5: 30. path: Condition "k < (int)strlen(c->c_name)", taking true branch. ftp/cmdtab.c:288:20: 31. path: Jumping back to the beginning of the loop. ftp/cmdtab.c:287:5: 32. path: Condition "k < (int)strlen(c->c_name)", taking false branch. ftp/cmdtab.c:290:8: 33. illegal_address: "c + lines" evaluates to an address that is at byte offset 4896 of an array of 2496 bytes. ftp/cmdtab.c:290:8: 34. path: Condition "c + lines >= &cmdtab[77UL /* sizeof (cmdtab) / sizeof (cmdtab[0]) - 1 */]", taking true branch. ftp/cmdtab.c:293:5: 35. path: Breaking from loop. ftp/cmdtab.c:302:2: 36. path: Jumping back to the beginning of the loop. ftp/cmdtab.c:276:7: 37. path: Condition "i < lines", taking false branch. ftp/ruserpass.c:284:8: Type: Out-of-bounds write (OVERRUN) ftp/ruserpass.c:121:3: 1. path: Condition "hdir == NULL", taking true branch. ftp/ruserpass.c:126:3: 2. path: Condition "!netrc", taking true branch. ftp/ruserpass.c:129:3: 3. path: Condition "netrc", taking true branch. ftp/ruserpass.c:129:3: 4. path: Condition "netrc[0]", taking true branch. ftp/ruserpass.c:133:3: 5. path: Condition "cfile == NULL", taking false branch. ftp/ruserpass.c:144:3: 6. path: Condition "lstat(buf, &stb) < 0", taking false branch. ftp/ruserpass.c:151:3: 7. path: Condition "!((stb.st_mode & 61440) == 32768)", taking false branch. ftp/ruserpass.c:163:3: 8. path: Condition "!myname", taking false branch. ftp/ruserpass.c:167:3: 9. path: Condition "mydomain == NULL", taking true branch. ftp/ruserpass.c:171:3: 10. path: Condition "t = token()", taking true branch. ftp/ruserpass.c:172:5: 11. path: Switch case value "1". ftp/ruserpass.c:179:2: 12. path: Condition "!usedefault", taking false branch. ftp/ruserpass.c:206:2: 13. path: Condition "t = token()", taking true branch. ftp/ruserpass.c:206:2: 14. path: Condition "t != 11", taking true branch. ftp/ruserpass.c:206:2: 15. path: Condition "t != 1", taking true branch. ftp/ruserpass.c:207:4: 16. path: Switch case value "2". ftp/ruserpass.c:210:8: 17. path: Condition "token()", taking true branch. ftp/ruserpass.c:212:19: 18. path: Condition "*aname == NULL", taking true branch. ftp/ruserpass.c:216:21: 19. path: Falling through to end of if statement. ftp/ruserpass.c:223:8: 20. path: Breaking from switch. ftp/ruserpass.c:332:6: 21. path: Jumping back to the beginning of the loop. ftp/ruserpass.c:206:2: 22. path: Condition "t = token()", taking true branch. ftp/ruserpass.c:206:2: 23. path: Condition "t != 11", taking true branch. ftp/ruserpass.c:206:2: 24. path: Condition "t != 1", taking true branch. ftp/ruserpass.c:207:4: 25. path: Switch case value "5". ftp/ruserpass.c:256:8: 26. path: Condition "proxy", taking false branch. ftp/ruserpass.c:259:8: 27. path: Condition "(c = getc(cfile)) != -1", taking true branch. ftp/ruserpass.c:259:8: 28. path: Condition "c == 32", taking true branch. ftp/ruserpass.c:260:3: 29. path: Jumping back to the beginning of the loop. ftp/ruserpass.c:259:8: 30. path: Condition "(c = getc(cfile)) != -1", taking true branch. ftp/ruserpass.c:259:8: 31. path: Condition "c == 32", taking false branch. ftp/ruserpass.c:259:8: 32. path: Condition "c == 9", taking false branch. ftp/ruserpass.c:261:8: 33. path: Condition "c == -1", taking false branch. ftp/ruserpass.c:261:8: 34. path: Condition "c == 10", taking false branch. ftp/ruserpass.c:266:8: 35. path: Condition "macnum == 16", taking false branch. ftp/ruserpass.c:273:8: 36. path: Condition "i < 8UL /* sizeof (macros[macnum].mac_name) - 1 */", taking true branch. ftp/ruserpass.c:273:8: 37. path: Condition "(c = getc(cfile)) != -1", taking true branch. ftp/ruserpass.c:273:8: 38. path: Condition "!(*__ctype_b_loc()[(int)c] & 8192 /* (unsigned short)_ISspace */)", taking true branch. ftp/ruserpass.c:278:3: 39. path: Jumping back to the beginning of the loop. ftp/ruserpass.c:273:8: 40. path: Condition "i < 8UL /* sizeof (macros[macnum].mac_name) - 1 */", taking true branch. ftp/ruserpass.c:273:8: 41. path: Condition "(c = getc(cfile)) != -1", taking true branch. ftp/ruserpass.c:273:8: 42. path: Condition "!(*__ctype_b_loc()[(int)c] & 8192 /* (unsigned short)_ISspace */)", taking true branch. ftp/ruserpass.c:278:3: 43. path: Jumping back to the beginning of the loop. ftp/ruserpass.c:273:8: 44. path: Condition "i < 8UL /* sizeof (macros[macnum].mac_name) - 1 */", taking true branch. ftp/ruserpass.c:273:8: 45. path: Condition "(c = getc(cfile)) != -1", taking true branch. ftp/ruserpass.c:273:8: 46. path: Condition "!(*__ctype_b_loc()[(int)c] & 8192 /* (unsigned short)_ISspace */)", taking false branch. ftp/ruserpass.c:279:8: 47. path: Condition "c == -1", taking false branch. ftp/ruserpass.c:285:8: 48. path: Condition "c != 10", taking true branch. ftp/ruserpass.c:287:5: 49. path: Condition "(c = getc(cfile)) != -1", taking true branch. ftp/ruserpass.c:287:5: 50. path: Condition "c != 10", taking true branch. ftp/ruserpass.c:287:51: 51. path: Jumping back to the beginning of the loop. ftp/ruserpass.c:287:5: 52. path: Condition "(c = getc(cfile)) != -1", taking true branch. ftp/ruserpass.c:287:5: 53. path: Condition "c != 10", taking false branch. ftp/ruserpass.c:289:8: 54. path: Condition "c == -1", taking false branch. ftp/ruserpass.c:294:8: 55. path: Condition "macnum == 0", taking true branch. ftp/ruserpass.c:297:3: 56. path: Falling through to end of if statement. ftp/ruserpass.c:303:8: 57. path: Condition "tmp < macbuf + 4096UL /* sizeof (macbuf) */", taking true branch. ftp/ruserpass.c:305:5: 58. path: Condition "(c = getc(cfile)) == -1", taking false branch. ftp/ruserpass.c:312:5: 59. path: Condition "*tmp == 10", taking true branch. ftp/ruserpass.c:314:9: 60. path: Condition "*(tmp - 1) == 0", taking true branch. ftp/ruserpass.c:317:6: 61. path: Breaking from loop. ftp/ruserpass.c:323:8: 62. path: Condition "tmp == macbuf + 4096UL /* sizeof (macbuf) */", taking false branch. ftp/ruserpass.c:328:8: 63. path: Breaking from switch. ftp/ruserpass.c:332:6: 64. path: Jumping back to the beginning of the loop. ftp/ruserpass.c:206:2: 65. path: Condition "t = token()", taking true branch. ftp/ruserpass.c:206:2: 66. path: Condition "t != 11", taking true branch. ftp/ruserpass.c:206:2: 67. path: Condition "t != 1", taking true branch. ftp/ruserpass.c:207:4: 68. path: Switch case value "2". ftp/ruserpass.c:210:8: 69. path: Condition "token()", taking true branch. ftp/ruserpass.c:212:19: 70. path: Condition "*aname == NULL", taking false branch. ftp/ruserpass.c:219:23: 71. path: Condition "strcmp(*aname, tokval)", taking true branch. ftp/ruserpass.c:220:25: 72. path: Jumping to label "next". ftp/ruserpass.c:171:3: 73. path: Condition "t = token()", taking true branch. ftp/ruserpass.c:172:5: 74. path: Switch case value "11". ftp/ruserpass.c:179:2: 75. path: Condition "!usedefault", taking false branch. ftp/ruserpass.c:206:2: 76. path: Condition "t = token()", taking true branch. ftp/ruserpass.c:206:2: 77. path: Condition "t != 11", taking true branch. ftp/ruserpass.c:206:2: 78. path: Condition "t != 1", taking true branch. ftp/ruserpass.c:207:4: 79. path: Switch case value "5". ftp/ruserpass.c:256:8: 80. path: Condition "proxy", taking false branch. ftp/ruserpass.c:259:8: 81. path: Condition "(c = getc(cfile)) != -1", taking true branch. ftp/ruserpass.c:259:8: 82. path: Condition "c == 32", taking false branch. ftp/ruserpass.c:259:8: 83. path: Condition "c == 9", taking false branch. ftp/ruserpass.c:261:8: 84. path: Condition "c == -1", taking false branch. ftp/ruserpass.c:261:8: 85. path: Condition "c == 10", taking false branch. ftp/ruserpass.c:266:8: 86. path: Condition "macnum == 16", taking false branch. ftp/ruserpass.c:271:8: 87. alias: Assigning: "tmp" = "macros[macnum].mac_name". "tmp" now points to byte 0 of "macros[macnum].mac_name" (which consists of 9 bytes). ftp/ruserpass.c:272:8: 88. ptr_incr: Incrementing "tmp". "tmp" now points to byte 1 of "macros[macnum].mac_name" (which consists of 9 bytes). ftp/ruserpass.c:273:8: 89. path: Condition "i < 8UL /* sizeof (macros[macnum].mac_name) - 1 */", taking true branch. ftp/ruserpass.c:273:8: 90. path: Condition "(c = getc(cfile)) != -1", taking true branch. ftp/ruserpass.c:273:8: 91. path: Condition "!(*__ctype_b_loc()[(int)c] & 8192 /* (unsigned short)_ISspace */)", taking true branch. ftp/ruserpass.c:277:5: 92. ptr_incr: Incrementing "tmp". "tmp" now points to byte 2 of "macros[macnum].mac_name" (which consists of 9 bytes). ftp/ruserpass.c:278:3: 93. path: Jumping back to the beginning of the loop. ftp/ruserpass.c:273:8: 94. path: Condition "i < 8UL /* sizeof (macros[macnum].mac_name) - 1 */", taking false branch. ftp/ruserpass.c:273:8: 95. ptr_incr: In this loop, counter "i" goes from 0 up to 7, executing the loop body a total of 8 times. The loop also increments "tmp" by 1 in each iteration, so that it points to element index 9 after the final iteration. ftp/ruserpass.c:279:8: 96. path: Condition "c == -1", taking false branch. ftp/ruserpass.c:284:8: 97. overrun-local: Overrunning array of 9 bytes at byte offset 9 by dereferencing pointer "tmp". ftpd/ftpcmd.c:1506:7: Type: Illegal address computation (OVERRUN) ftpd/ftpcmd.c:1393:5: 1. assignment: Assigning: "yystacksize" = "200L". ftpd/ftpcmd.c:1425:3: 2. path: Jumping to label "yysetstate". ftpd/ftpcmd.c:1442:3: 3. path: Condition "0", taking false branch. ftpd/ftpcmd.c:1448:3: 4. path: Condition "yyss + yystacksize - 1 <= yyssp", taking true branch. ftpd/ftpcmd.c:1477:7: 5. path: Condition "10000 <= yystacksize", taking false branch. ftpd/ftpcmd.c:1479:7: 6. assignment: Assigning: "yystacksize" *= "2L". The value of "yystacksize" is now 400. ftpd/ftpcmd.c:1480:7: 7. path: Condition "10000 < yystacksize", taking false branch. ftpd/ftpcmd.c:1488:9: 8. path: Condition "!yyptr", taking false branch. ftpd/ftpcmd.c:1490:9: 9. alias: Assigning: "yyss" = "&yyptr->yyss_alloc". "yyss" now points to element 0 of "yyptr->yyss_alloc" (which consists of 4 2-byte elements). ftpd/ftpcmd.c:1493:9: 10. path: Condition "yyss1 != yyssa", taking true branch. ftpd/ftpcmd.c:1506:7: 11. illegal_address: "yyss + yystacksize - 1" evaluates to an address that is at byte offset 798 of an array of 8 bytes. ftpd/ftpcmd.c:1506:7: 12. path: Condition "yyss + yystacksize - 1 <= yyssp", taking true branch. ftpd/ftpcmd.c:1507:9: 13. path: Jumping to label "yyabortlab". ftpd/ftpcmd.c:3102:3: 14. path: Jumping to label "yyreturn". ftpd/ftpcmd.c:3120:3: 15. path: Condition "yychar != -2", taking false branch. ftpd/ftpcmd.c:3132:3: 16. path: Condition "yyssp != yyss", taking false branch. ftpd/ftpcmd.c:3139:3: 17. path: Condition "yyss != yyssa", taking true branch. talkd/talkd.c:174:7: Type: Filesystem path, filename, or URI manipulation (PATH_MANIPULATION) talkd/talkd.c:156:3: Constructing a path or URI using tainted data 1. path: Condition "1", taking true branch. talkd/talkd.c:165:7: 2. tainted_argument: Calling function "recvfrom" taints argument "msg". [Note: The source code implementation of the function has been overridden by a builtin model.] talkd/talkd.c:167:7: 3. path: Condition "rc != 84UL /* sizeof (msg) */", taking false branch. talkd/talkd.c:174:7: 4. path_manipulation_sink: Constructing a path or URI using the tainted value "msg" and passing it to "process_request". This may allow an attacker to access, modify, or test the existence of critical or sensitive files. talkd/process.c:35:3: Constructing a path or URI using tainted data 4.1. path: Condition "msg->vers != 1", taking false branch. talkd/process.c:50:3: 4.2. path: Condition "msg->addr.sa_family != 2", taking false branch. talkd/process.c:59:3: 4.3. path: Condition "msg->ctl_addr.sa_family != 2", taking false branch. talkd/process.c:69:3: 4.4. path: Condition "acl_match(msg, sa_in) == 1", taking false branch. talkd/process.c:86:3: 4.5. path: Condition "debug", taking true branch. talkd/process.c:93:3: 4.6. path: Switch case value "3". talkd/process.c:96:7: 4.7. taint_sink_lv_call: Passing tainted expression "*msg" to taint sink "do_announce". talkd/process.c:157:3: Constructing a path or URI using tainted data 4.7.1. path: Condition "result != 0", taking false branch. talkd/process.c:165:3: 4.7.2. path: Condition "!hp", taking false branch. talkd/process.c:171:3: 4.7.3. path: Condition "!ptr", taking true branch. talkd/process.c:174:7: 4.7.4. taint_sink_lv_call: Passing tainted expression "mp->r_tty" to taint sink "announce". talkd/announce.c:135:3: Constructing a path or URI using tainted data 4.7.4.1. path: Condition "!ttypath", taking false branch. talkd/announce.c:140:3: 4.7.4.2. vararg_transitive: Call to "sprintf" with tainted argument "request->r_tty" taints "*ttypath". [Note: The source code implementation of the function has been overridden by a builtin model.] talkd/announce.c:141:3: 4.7.4.3. taint_sink_lv_call: Passing tainted expression "*ttypath" to taint sink "stat". talkd/talkd.c:174:7: 5. remediation: Path manipulation vulnerabilities can be addressed by proper input validation. Disallowing directory traversal characters (using a deny list) can improve the safety of the input, but the recommended approach is to restrict to a specific set of allowed characters (using an allow list). This should exclude absolute paths and upward directory traversal. talkd/talkd.c:174:7: Type: Filesystem path, filename, or URI manipulation (PATH_MANIPULATION) talkd/talkd.c:156:3: Constructing a path or URI using tainted data 1. path: Condition "1", taking true branch. talkd/talkd.c:165:7: 2. tainted_argument: Calling function "recvfrom" taints argument "msg". [Note: The source code implementation of the function has been overridden by a builtin model.] talkd/talkd.c:167:7: 3. path: Condition "rc != 84UL /* sizeof (msg) */", taking false branch. talkd/talkd.c:174:7: 4. path_manipulation_sink: Constructing a path or URI using the tainted value "msg.r_tty" and passing it to "process_request". This may allow an attacker to access, modify, or test the existence of critical or sensitive files. talkd/process.c:35:3: Constructing a path or URI using tainted data 4.1. path: Condition "msg->vers != 1", taking false branch. talkd/process.c:50:3: 4.2. path: Condition "msg->addr.sa_family != 2", taking false branch. talkd/process.c:59:3: 4.3. path: Condition "msg->ctl_addr.sa_family != 2", taking false branch. talkd/process.c:69:3: 4.4. path: Condition "acl_match(msg, sa_in) == 1", taking false branch. talkd/process.c:86:3: 4.5. path: Condition "debug", taking true branch. talkd/process.c:93:3: 4.6. path: Switch case value "3". talkd/process.c:96:7: 4.7. taint_sink_lv_call: Passing tainted expression "msg->r_tty" to taint sink "do_announce". talkd/process.c:157:3: Constructing a path or URI using tainted data 4.7.1. path: Condition "result != 0", taking false branch. talkd/process.c:165:3: 4.7.2. path: Condition "!hp", taking false branch. talkd/process.c:171:3: 4.7.3. path: Condition "!ptr", taking true branch. talkd/process.c:174:7: 4.7.4. taint_sink_lv_call: Passing tainted expression "mp->r_tty" to taint sink "announce". talkd/announce.c:135:3: Constructing a path or URI using tainted data 4.7.4.1. path: Condition "!ttypath", taking false branch. talkd/announce.c:140:3: 4.7.4.2. vararg_transitive: Call to "sprintf" with tainted argument "request->r_tty" taints "*ttypath". [Note: The source code implementation of the function has been overridden by a builtin model.] talkd/announce.c:141:3: 4.7.4.3. taint_sink_lv_call: Passing tainted expression "*ttypath" to taint sink "stat". talkd/talkd.c:174:7: 5. remediation: Path manipulation vulnerabilities can be addressed by proper input validation. Disallowing directory traversal characters (using a deny list) can improve the safety of the input, but the recommended approach is to restrict to a specific set of allowed characters (using an allow list). This should exclude absolute paths and upward directory traversal. ftpd/ftpcmd.y:527:12: Type: Invalid type in argument to printf format specifier (PRINTF_ARGS) ftpd/ftpcmd.y:527:12: invalid_type: Argument "yyvsp[-1].i" to format specifier "%03o" was expected to have type "unsigned int" but has type "long". ftpd/ftpd.c:1694:3: printf_function: Calling "vprintf" which uses a "printf"-style format string. [Note: The source code implementation of the function has been overridden by a builtin model.] src/syslogd.c:1407:9: Type: Invalid type in argument to printf format specifier (PRINTF_ARGS) src/syslogd.c:1407:9: invalid_type: Argument "180L - fwd_suspend" to format specifier "%d" was expected to have type "int" but has type "long". src/syslogd.c:2508:3: path: Condition "NoDetach", taking true branch. src/syslogd.c:2508:3: path: Condition "dbg_output", taking true branch. src/syslogd.c:2512:3: printf_function: Calling "vfprintf" which uses a "printf"-style format string. [Note: The source code implementation of the function has been overridden by a builtin model.] src/syslogd.c:1451:7: Type: Invalid type in argument to printf format specifier (PRINTF_ARGS) src/syslogd.c:1451:7: invalid_type: Argument "180L - fwd_suspend" to format specifier "%d" was expected to have type "int" but has type "long". src/syslogd.c:2508:3: path: Condition "NoDetach", taking true branch. src/syslogd.c:2508:3: path: Condition "dbg_output", taking true branch. src/syslogd.c:2512:3: printf_function: Calling "vfprintf" which uses a "printf"-style format string. [Note: The source code implementation of the function has been overridden by a builtin model.] telnetd/utility.c:1572:37: Type: Extra argument to printf format specifier (PRINTF_ARGS) telnetd/utility.c:1572:37: extra_argument: This argument was not used by the format string: "pointer[1]". telnetd/utility.c:930:3: path: Condition "debug_open()", taking false branch. telnetd/utility.c:933:3: printf_function: Calling "vfprintf" which uses a "printf"-style format string. [Note: The source code implementation of the function has been overridden by a builtin model.] telnetd/utility.c:1576:37: Type: Extra argument to printf format specifier (PRINTF_ARGS) telnetd/utility.c:1576:37: extra_argument: This argument was not used by the format string: "pointer[1]". telnetd/utility.c:930:3: path: Condition "debug_open()", taking false branch. telnetd/utility.c:933:3: printf_function: Calling "vfprintf" which uses a "printf"-style format string. [Note: The source code implementation of the function has been overridden by a builtin model.] ifconfig/printif.h:27:23: Type: Recursion in included headers (PW.INCLUDE_RECURSION) ifconfig/printif.h:27:23: 1. include_recursion: #include file "ifconfig.h" includes itself: ifconfig.h -> printif.h -> ifconfig.h ifconfig/printif.h:27:23: Type: Recursion in included headers (PW.INCLUDE_RECURSION) ifconfig/printif.h:27:23: 1. include_recursion: #include file "system/../ifconfig.h" includes itself: ifconfig.h -> printif.h -> ifconfig.h ifconfig/system/linux.c:942:5: Type: Resource leak (RESOURCE_LEAK) ifconfig/system/linux.c:935:3: 1. open_fn: Returning handle opened by "socket". ifconfig/system/linux.c:935:3: 2. var_assign: Assigning: "fd" = handle returned from "socket(2, SOCK_DGRAM, 0)". ifconfig/system/linux.c:936:3: 3. path: Condition "fd < 0", taking false branch. ifconfig/system/linux.c:941:3: 4. path: Condition "content == NULL", taking true branch. ifconfig/system/linux.c:942:5: 5. leaked_handle: Handle variable "fd" going out of scope leaks the handle. ftp/cmds.c:955:3: Type: Resource leak (RESOURCE_LEAK) ftp/cmds.c:945:3: 1. path: Condition "argc < 2", taking true branch. ftp/cmds.c:945:3: 2. path: Condition "!another(&argc, &argv, "remote-files")", taking false branch. ftp/cmds.c:955:3: 3. alloc_fn: Storage is returned from allocation function "remglob". ftp/cmds.c:1016:3: 3.1. path: Condition "!mflag", taking false branch. ftp/cmds.c:1032:3: 3.2. path: Condition "!doglob", taking true branch. ftp/cmds.c:1034:7: 3.3. path: Condition "args == NULL", taking true branch. ftp/cmds.c:1036:7: 3.4. path: Condition "(cp = *++args) == NULL", taking false branch. ftp/cmds.c:1038:7: 3.5. path: Condition "cp", taking true branch. ftp/cmds.c:1038:7: 3.6. alloc_fn: Storage is returned from allocation function "strdup". ftp/cmds.c:1038:7: 3.7. return_alloc: Returning allocated memory "cp ? strdup(cp) : NULL". ftp/cmds.c:955:3: 4. var_assign: Assigning: "cp" = storage returned from "remglob(argv, proxy)". ftp/cmds.c:955:3: 5. path: Condition "(cp = remglob(argv, proxy)) != NULL", taking true branch. ftp/cmds.c:957:7: 6. path: Condition "*cp == 0", taking true branch. ftp/cmds.c:960:4: 7. path: Continuing loop. ftp/cmds.c:955:3: 8. overwrite_var: Overwriting "cp" in "cp = remglob(argv, proxy)" leaks the storage that "cp" points to. ftp/cmds.c:1498:3: Type: Resource leak (RESOURCE_LEAK) ftp/cmds.c:1488:3: 1. path: Condition "argc < 2", taking true branch. ftp/cmds.c:1488:3: 2. path: Condition "!another(&argc, &argv, "remote-files")", taking false branch. ftp/cmds.c:1498:3: 3. alloc_fn: Storage is returned from allocation function "remglob". ftp/cmds.c:1016:3: 3.1. path: Condition "!mflag", taking false branch. ftp/cmds.c:1032:3: 3.2. path: Condition "!doglob", taking true branch. ftp/cmds.c:1034:7: 3.3. path: Condition "args == NULL", taking true branch. ftp/cmds.c:1036:7: 3.4. path: Condition "(cp = *++args) == NULL", taking false branch. ftp/cmds.c:1038:7: 3.5. path: Condition "cp", taking true branch. ftp/cmds.c:1038:7: 3.6. alloc_fn: Storage is returned from allocation function "strdup". ftp/cmds.c:1038:7: 3.7. return_alloc: Returning allocated memory "cp ? strdup(cp) : NULL". ftp/cmds.c:1498:3: 4. var_assign: Assigning: "cp" = storage returned from "remglob(argv, 0)". ftp/cmds.c:1498:3: 5. path: Condition "(cp = remglob(argv, 0)) != NULL", taking true branch. ftp/cmds.c:1500:7: 6. path: Condition "*cp == 0", taking true branch. ftp/cmds.c:1503:4: 7. path: Continuing loop. ftp/cmds.c:1498:3: 8. overwrite_var: Overwriting "cp" in "cp = remglob(argv, 0)" leaks the storage that "cp" points to. libinetutils/ttymsg.c:100:7: Type: Resource leak (RESOURCE_LEAK) libinetutils/ttymsg.c:82:3: 1. path: Condition "iovcnt > 6 /* (int)(sizeof (localiov) / sizeof (localiov[0])) */", taking false branch. libinetutils/ttymsg.c:85:3: 2. alloc_fn: Storage is returned from allocation function "malloc". libinetutils/ttymsg.c:85:3: 3. var_assign: Assigning: "device" = storage returned from "malloc(5UL + strlen(line) + 1UL)". libinetutils/ttymsg.c:86:3: 4. path: Condition "!device", taking false branch. libinetutils/ttymsg.c:93:3: 5. noescape: Resource "device" is not freed or pointed-to in "strcpy". [Note: The source code implementation of the function has been overridden by a builtin model.] libinetutils/ttymsg.c:94:3: 6. noescape: Resource "device" is not freed or pointed-to in "strcat". [Note: The source code implementation of the function has been overridden by a builtin model.] libinetutils/ttymsg.c:95:3: 7. noescape: Resource "device" is not freed or pointed-to in "normalize_path". libinetutils/ttymsg.c:252:23: 7.1. noescape: "normalize_path(char *, char const *)" does not free or save its parameter "path". libinetutils/ttymsg.c:96:3: 8. noescape: Resource "device" is not freed or pointed-to in "strncmp". libinetutils/ttymsg.c:96:3: 9. path: Condition "strncmp(device, "/dev/", strlen("/dev/"))", taking true branch. libinetutils/ttymsg.c:100:7: 10. leaked_storage: Variable "device" going out of scope leaks the storage it points to. ftpd/ftpd.c:1084:7: Type: Resource leak (RESOURCE_LEAK) ftpd/ftpd.c:1063:3: 1. path: Condition "unique", taking true branch. ftpd/ftpd.c:1063:3: 2. path: Condition "stat(name, &st) == 0", taking true branch. ftpd/ftpd.c:1067:7: 3. path: Condition "name_unique", taking true branch. ftpd/ftpd.c:1068:27: 4. path: Falling through to end of if statement. ftpd/ftpd.c:1076:3: 5. path: Condition "restart_point", taking true branch. ftpd/ftpd.c:1078:3: 6. alloc_fn: Storage is returned from allocation function "fopen". ftpd/ftpd.c:1078:3: 7. var_assign: Assigning: "fout" = storage returned from "fopen(name, mode)". ftpd/ftpd.c:1080:3: 8. path: Condition "fout == NULL", taking false branch. ftpd/ftpd.c:1080:3: 9. noescape: Resource "fout" is not freed or pointed-to in "fileno". ftpd/ftpd.c:1080:3: 10. path: Condition "fstat(fileno(fout), &st) < 0", taking true branch. ftpd/ftpd.c:1083:7: 11. path: Condition "logging > 1", taking true branch. ftpd/ftpd.c:1083:7: 12. path: Condition "*mode == 'w'", taking false branch. ftpd/ftpd.c:1083:7: 13. path: Condition "*name == '/'", taking true branch. ftpd/ftpd.c:1084:7: 14. leaked_storage: Variable "fout" going out of scope leaks the storage it points to. talkd/acl.c:322:5: Type: Resource leak (RESOURCE_LEAK) talkd/acl.c:301:3: 1. path: Condition "!pw", taking false branch. talkd/acl.c:304:3: 2. alloc_fn: Storage is returned from allocation function "malloc". talkd/acl.c:304:3: 3. var_assign: Assigning: "filename" = storage returned from "malloc(strlen(pw->pw_dir) + 8UL + 2UL)". talkd/acl.c:307:3: 4. path: Condition "!filename", taking false branch. talkd/acl.c:313:3: 5. noescape: Resource "filename" is not freed or pointed-to in "sprintf". [Note: The source code implementation of the function has been overridden by a builtin model.] talkd/acl.c:320:3: 6. noescape: Resource "filename" is not freed or pointed-to in "stat". talkd/acl.c:321:3: 7. path: Condition "rc < 0", taking true branch. talkd/acl.c:322:5: 8. leaked_storage: Variable "filename" going out of scope leaks the storage it points to. src/hostname.c:201:9: Type: Resource leak (RESOURCE_LEAK) src/hostname.c:175:3: 1. path: Condition "!sname", taking false branch. src/hostname.c:178:3: 2. path: Condition "args->hostname_alias == 1", taking false branch. src/hostname.c:180:8: 3. path: Condition "args->hostname_fqdn == 1", taking true branch. src/hostname.c:182:7: 4. alloc_fn: Storage is returned from allocation function "get_fqdn". src/hostname.c:290:3: 4.1. path: Condition "ht == NULL", taking true branch. src/hostname.c:291:5: 4.2. alloc_fn: Storage is returned from allocation function "strdup". src/hostname.c:291:5: 4.3. assign: Assigning: "fqdn" = "strdup(host_name)". src/hostname.c:291:30: 4.4. path: Falling through to end of if statement. src/hostname.c:295:3: 4.5. path: Condition "fqdn == NULL", taking false branch. src/hostname.c:298:3: 4.6. return_alloc: Returning allocated memory "fqdn". src/hostname.c:182:7: 5. var_assign: Assigning: "name" = storage returned from "get_fqdn(sname)". src/hostname.c:184:7: 6. path: Condition "args->hostname_dns_domain == 1", taking true branch. src/hostname.c:187:4: 7. path: Condition "name", taking true branch. src/hostname.c:187:4: 8. path: Condition "*name", taking false branch. src/hostname.c:193:9: 9. path: Condition "name", taking true branch. src/hostname.c:193:9: 10. path: Condition "*name == '('", taking false branch. src/hostname.c:200:7: 11. path: Condition "args->hostname_dns_domain == 1", taking true branch. src/hostname.c:201:9: 12. overwrite_var: Overwriting "name" in "name = get_dns_domain_name(sname)" leaks the storage that "name" points to. src/hostname.c:203:9: Type: Resource leak (RESOURCE_LEAK) src/hostname.c:175:3: 1. path: Condition "!sname", taking false branch. src/hostname.c:178:3: 2. path: Condition "args->hostname_alias == 1", taking false branch. src/hostname.c:180:8: 3. path: Condition "args->hostname_fqdn == 1", taking true branch. src/hostname.c:182:7: 4. alloc_fn: Storage is returned from allocation function "get_fqdn". src/hostname.c:290:3: 4.1. path: Condition "ht == NULL", taking true branch. src/hostname.c:291:5: 4.2. alloc_fn: Storage is returned from allocation function "strdup". src/hostname.c:291:5: 4.3. assign: Assigning: "fqdn" = "strdup(host_name)". src/hostname.c:291:30: 4.4. path: Falling through to end of if statement. src/hostname.c:295:3: 4.5. path: Condition "fqdn == NULL", taking false branch. src/hostname.c:298:3: 4.6. return_alloc: Returning allocated memory "fqdn". src/hostname.c:182:7: 5. var_assign: Assigning: "name" = storage returned from "get_fqdn(sname)". src/hostname.c:184:7: 6. path: Condition "args->hostname_dns_domain == 1", taking false branch. src/hostname.c:184:7: 7. path: Condition "args->hostname_short == 1", taking true branch. src/hostname.c:187:4: 8. path: Condition "name", taking true branch. src/hostname.c:187:4: 9. path: Condition "*name", taking false branch. src/hostname.c:193:9: 10. path: Condition "name", taking true branch. src/hostname.c:193:9: 11. path: Condition "*name == '('", taking false branch. src/hostname.c:200:7: 12. path: Condition "args->hostname_dns_domain == 1", taking false branch. src/hostname.c:202:12: 13. path: Condition "args->hostname_short == 1", taking true branch. src/hostname.c:203:9: 14. overwrite_var: Overwriting "name" in "name = get_short_hostname(sname)" leaks the storage that "name" points to. libinetutils/ttymsg.c:111:2: Type: Resource leak (RESOURCE_LEAK) libinetutils/ttymsg.c:82:3: 1. path: Condition "iovcnt > 6 /* (int)(sizeof (localiov) / sizeof (localiov[0])) */", taking false branch. libinetutils/ttymsg.c:85:3: 2. alloc_fn: Storage is returned from allocation function "malloc". libinetutils/ttymsg.c:85:3: 3. var_assign: Assigning: "device" = storage returned from "malloc(5UL + strlen(line) + 1UL)". libinetutils/ttymsg.c:86:3: 4. path: Condition "!device", taking false branch. libinetutils/ttymsg.c:93:3: 5. noescape: Resource "device" is not freed or pointed-to in "strcpy". [Note: The source code implementation of the function has been overridden by a builtin model.] libinetutils/ttymsg.c:94:3: 6. noescape: Resource "device" is not freed or pointed-to in "strcat". [Note: The source code implementation of the function has been overridden by a builtin model.] libinetutils/ttymsg.c:95:3: 7. noescape: Resource "device" is not freed or pointed-to in "normalize_path". libinetutils/ttymsg.c:252:23: 7.1. noescape: "normalize_path(char *, char const *)" does not free or save its parameter "path". libinetutils/ttymsg.c:96:3: 8. noescape: Resource "device" is not freed or pointed-to in "strncmp". libinetutils/ttymsg.c:96:3: 9. path: Condition "strncmp(device, "/dev/", strlen("/dev/"))", taking false branch. libinetutils/ttymsg.c:107:3: 10. noescape: Resource "device" is not freed or pointed-to in "open". [Note: The source code implementation of the function has been overridden by a builtin model.] libinetutils/ttymsg.c:108:3: 11. path: Condition "fd < 0", taking true branch. libinetutils/ttymsg.c:110:7: 12. path: Condition "*__errno_location() == 16", taking true branch. libinetutils/ttymsg.c:111:2: 13. leaked_storage: Variable "device" going out of scope leaks the storage it points to. src/syslogd.c:2069:4: Type: Resource leak (RESOURCE_LEAK) src/syslogd.c:2049:3: 1. path: Condition "dir == NULL", taking false branch. src/syslogd.c:2055:3: 2. path: Condition "(dent = readdir(dir)) != NULL", taking true branch. src/syslogd.c:2060:7: 3. path: Condition "asprintf(&file, "%s/%s", dirname, dent->d_name) < 0", taking false branch. src/syslogd.c:2066:7: 4. path: Condition "stat(file, &st) != 0", taking false branch. src/syslogd.c:2073:7: 5. path: Condition "(st.st_mode & 61440) == 32768", taking true branch. src/syslogd.c:2080:5: 6. path: Jumping back to the beginning of the loop. src/syslogd.c:2055:3: 7. path: Condition "(dent = readdir(dir)) != NULL", taking true branch. src/syslogd.c:2060:7: 8. path: Condition "asprintf(&file, "%s/%s", dirname, dent->d_name) < 0", taking false branch. src/syslogd.c:2066:7: 9. path: Condition "stat(file, &st) != 0", taking false branch. src/syslogd.c:2073:7: 10. path: Condition "(st.st_mode & 61440) == 32768", taking true branch. src/syslogd.c:2080:5: 11. path: Jumping back to the beginning of the loop. src/syslogd.c:2055:3: 12. path: Condition "(dent = readdir(dir)) != NULL", taking true branch. src/syslogd.c:2060:7: 13. alloc_arg: "asprintf" allocates memory that is stored into "file". [Note: The source code implementation of the function has been overridden by a builtin model.] src/syslogd.c:2060:7: 14. path: Condition "asprintf(&file, "%s/%s", dirname, dent->d_name) < 0", taking false branch. src/syslogd.c:2066:7: 15. noescape: Resource "file" is not freed or pointed-to in "stat". src/syslogd.c:2066:7: 16. path: Condition "stat(file, &st) != 0", taking true branch. src/syslogd.c:2069:4: 17. path: Continuing loop. src/syslogd.c:2069:4: 18. leaked_storage: Variable "file" going out of scope leaks the storage it points to. libinetutils/kcmd.c:166:2: Type: Resource leak (RESOURCE_LEAK) libinetutils/kcmd.c:134:3: 1. path: Condition "host", taking false branch. libinetutils/kcmd.c:150:3: 2. alloc_arg: "getaddrinfo" allocates memory that is stored into "res". libinetutils/kcmd.c:151:3: 3. path: Condition "rc", taking false branch. libinetutils/kcmd.c:157:3: 4. var_assign: Assigning: "ai" = "res". libinetutils/kcmd.c:162:3: 5. path: Condition "!rc", taking true branch. libinetutils/kcmd.c:165:7: 6. path: Condition "host_save == NULL", taking true branch. libinetutils/kcmd.c:166:2: 7. leaked_storage: Variable "res" going out of scope leaks the storage it points to. libinetutils/kcmd.c:166:2: 8. leaked_storage: Variable "ai" going out of scope leaks the storage it points to. src/syslogd.c:2063:4: Type: Resource leak (RESOURCE_LEAK) src/syslogd.c:2048:3: 1. alloc_fn: Storage is returned from allocation function "opendir". src/syslogd.c:2048:3: 2. var_assign: Assigning: "dir" = storage returned from "opendir(dirname)". src/syslogd.c:2049:3: 3. path: Condition "dir == NULL", taking false branch. src/syslogd.c:2055:3: 4. noescape: Resource "dir" is not freed or pointed-to in "readdir". src/syslogd.c:2055:3: 5. path: Condition "(dent = readdir(dir)) != NULL", taking true branch. src/syslogd.c:2060:7: 6. path: Condition "asprintf(&file, "%s/%s", dirname, dent->d_name) < 0", taking false branch. src/syslogd.c:2066:7: 7. path: Condition "stat(file, &st) != 0", taking false branch. src/syslogd.c:2073:7: 8. path: Condition "(st.st_mode & 61440) == 32768", taking true branch. src/syslogd.c:2080:5: 9. path: Jumping back to the beginning of the loop. src/syslogd.c:2055:3: 10. noescape: Resource "dir" is not freed or pointed-to in "readdir". src/syslogd.c:2055:3: 11. path: Condition "(dent = readdir(dir)) != NULL", taking true branch. src/syslogd.c:2060:7: 12. path: Condition "asprintf(&file, "%s/%s", dirname, dent->d_name) < 0", taking false branch. src/syslogd.c:2066:7: 13. path: Condition "stat(file, &st) != 0", taking false branch. src/syslogd.c:2073:7: 14. path: Condition "(st.st_mode & 61440) == 32768", taking true branch. src/syslogd.c:2080:5: 15. path: Jumping back to the beginning of the loop. src/syslogd.c:2055:3: 16. noescape: Resource "dir" is not freed or pointed-to in "readdir". src/syslogd.c:2055:3: 17. path: Condition "(dent = readdir(dir)) != NULL", taking true branch. src/syslogd.c:2060:7: 18. path: Condition "asprintf(&file, "%s/%s", dirname, dent->d_name) < 0", taking true branch. src/syslogd.c:2063:4: 19. leaked_storage: Variable "dir" going out of scope leaks the storage it points to. libinetutils/kcmd.c:173:2: Type: Resource leak (RESOURCE_LEAK) libinetutils/kcmd.c:134:3: 1. path: Condition "host", taking false branch. libinetutils/kcmd.c:150:3: 2. alloc_arg: "getaddrinfo" allocates memory that is stored into "res". libinetutils/kcmd.c:151:3: 3. path: Condition "rc", taking false branch. libinetutils/kcmd.c:157:3: 4. var_assign: Assigning: "ai" = "res". libinetutils/kcmd.c:162:3: 5. path: Condition "!rc", taking false branch. libinetutils/kcmd.c:172:7: 6. path: Condition "host_save == NULL", taking true branch. libinetutils/kcmd.c:173:2: 7. leaked_storage: Variable "res" going out of scope leaks the storage it points to. libinetutils/kcmd.c:173:2: 8. leaked_storage: Variable "ai" going out of scope leaks the storage it points to. src/syslogd.c:947:7: Type: Resource leak (RESOURCE_LEAK) src/syslogd.c:925:3: 1. path: Condition "!LogPortText", taking false branch. src/syslogd.c:937:3: 2. path: Condition "err", taking false branch. src/syslogd.c:943:3: 3. path: Condition "ai", taking true branch. src/syslogd.c:948:7: 4. path: Condition "fd < 0", taking true branch. src/syslogd.c:949:2: 5. path: Continuing loop. src/syslogd.c:943:3: 6. path: Condition "ai", taking true branch. src/syslogd.c:948:7: 7. path: Condition "fd < 0", taking false branch. src/syslogd.c:952:7: 8. path: Condition "err < 0", taking false branch. src/syslogd.c:955:7: 9. path: Condition "ai->ai_family == 10", taking true branch. src/syslogd.c:961:7: 10. path: Condition "bind(fd, __CONST_SOCKADDR_ARG({.__sockaddr__ = ai->ai_addr}), ai->ai_addrlen) < 0", taking false branch. src/syslogd.c:968:7: 11. path: Condition "ai->ai_family == 2", taking false branch. src/syslogd.c:970:12: 12. path: Condition "ai->ai_family == 10", taking true branch. src/syslogd.c:970:12: 13. path: Condition "fd46[1] < 0", taking true branch. src/syslogd.c:972:5: 14. path: Jumping back to the beginning of the loop. src/syslogd.c:943:3: 15. path: Condition "ai", taking true branch. src/syslogd.c:947:7: 16. open_fn: Returning handle opened by "socket". src/syslogd.c:947:7: 17. var_assign: Assigning: "fd" = handle returned from "socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol)". src/syslogd.c:948:7: 18. path: Condition "fd < 0", taking false branch. src/syslogd.c:951:7: 19. noescape: Resource "fd" is not freed or pointed-to in "setsockopt". src/syslogd.c:952:7: 20. path: Condition "err < 0", taking false branch. src/syslogd.c:955:7: 21. path: Condition "ai->ai_family == 10", taking true branch. src/syslogd.c:958:4: 22. noescape: Resource "fd" is not freed or pointed-to in "setsockopt". src/syslogd.c:961:7: 23. noescape: Resource "fd" is not freed or pointed-to in "bind". src/syslogd.c:961:7: 24. path: Condition "bind(fd, __CONST_SOCKADDR_ARG({.__sockaddr__ = ai->ai_addr}), ai->ai_addrlen) < 0", taking false branch. src/syslogd.c:968:7: 25. path: Condition "ai->ai_family == 2", taking false branch. src/syslogd.c:970:12: 26. path: Condition "ai->ai_family == 10", taking true branch. src/syslogd.c:970:12: 27. path: Condition "fd46[1] < 0", taking false branch. src/syslogd.c:972:5: 28. path: Jumping back to the beginning of the loop. src/syslogd.c:943:3: 29. path: Condition "ai", taking true branch. src/syslogd.c:947:7: 30. overwrite_var: Overwriting handle "fd" in "fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol)" leaks the handle. src/syslogd.c:980:3: Type: Resource leak (RESOURCE_LEAK) src/syslogd.c:925:3: 1. path: Condition "!LogPortText", taking false branch. src/syslogd.c:937:3: 2. path: Condition "err", taking false branch. src/syslogd.c:943:3: 3. path: Condition "ai", taking true branch. src/syslogd.c:948:7: 4. path: Condition "fd < 0", taking true branch. src/syslogd.c:949:2: 5. path: Continuing loop. src/syslogd.c:943:3: 6. path: Condition "ai", taking true branch. src/syslogd.c:948:7: 7. path: Condition "fd < 0", taking false branch. src/syslogd.c:952:7: 8. path: Condition "err < 0", taking false branch. src/syslogd.c:955:7: 9. path: Condition "ai->ai_family == 10", taking true branch. src/syslogd.c:961:7: 10. path: Condition "bind(fd, __CONST_SOCKADDR_ARG({.__sockaddr__ = ai->ai_addr}), ai->ai_addrlen) < 0", taking false branch. src/syslogd.c:968:7: 11. path: Condition "ai->ai_family == 2", taking false branch. src/syslogd.c:970:12: 12. path: Condition "ai->ai_family == 10", taking true branch. src/syslogd.c:970:12: 13. path: Condition "fd46[1] < 0", taking true branch. src/syslogd.c:972:5: 14. path: Jumping back to the beginning of the loop. src/syslogd.c:943:3: 15. path: Condition "ai", taking true branch. src/syslogd.c:947:7: 16. open_fn: Returning handle opened by "socket". src/syslogd.c:947:7: 17. var_assign: Assigning: "fd" = handle returned from "socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol)". src/syslogd.c:948:7: 18. path: Condition "fd < 0", taking false branch. src/syslogd.c:951:7: 19. noescape: Resource "fd" is not freed or pointed-to in "setsockopt". src/syslogd.c:952:7: 20. path: Condition "err < 0", taking false branch. src/syslogd.c:955:7: 21. path: Condition "ai->ai_family == 10", taking true branch. src/syslogd.c:958:4: 22. noescape: Resource "fd" is not freed or pointed-to in "setsockopt". src/syslogd.c:961:7: 23. noescape: Resource "fd" is not freed or pointed-to in "bind". src/syslogd.c:961:7: 24. path: Condition "bind(fd, __CONST_SOCKADDR_ARG({.__sockaddr__ = ai->ai_addr}), ai->ai_addrlen) < 0", taking false branch. src/syslogd.c:968:7: 25. path: Condition "ai->ai_family == 2", taking false branch. src/syslogd.c:970:12: 26. path: Condition "ai->ai_family == 10", taking true branch. src/syslogd.c:970:12: 27. path: Condition "fd46[1] < 0", taking false branch. src/syslogd.c:972:5: 28. path: Jumping back to the beginning of the loop. src/syslogd.c:943:3: 29. path: Condition "ai", taking false branch. src/syslogd.c:975:3: 30. path: Condition "fd46[0] < 0", taking true branch. src/syslogd.c:975:3: 31. path: Condition "fd46[1] < 0", taking false branch. src/syslogd.c:980:3: 32. leaked_handle: Handle variable "fd" going out of scope leaks the handle. ifconfig/system/linux.c:994:11: Type: Resource leak (RESOURCE_LEAK) ifconfig/system/linux.c:936:3: 1. path: Condition "fd < 0", taking false branch. ifconfig/system/linux.c:941:3: 2. path: Condition "content == NULL", taking false branch. ifconfig/system/linux.c:953:15: 3. path: Condition "it", taking true branch. ifconfig/system/linux.c:953:15: 4. path: Condition "it", taking true branch. ifconfig/system/linux.c:953:15: 5. path: Condition "it", taking false branch. ifconfig/system/linux.c:955:5: 6. alloc_fn: Storage is returned from allocation function "malloc". ifconfig/system/linux.c:955:5: 7. var_assign: Assigning: "idx" = storage returned from "malloc(n * 16UL)". ifconfig/system/linux.c:956:5: 8. path: Condition "idx == NULL", taking false branch. ifconfig/system/linux.c:966:3: 9. path: Condition "it", taking true branch. ifconfig/system/linux.c:972:7: 10. path: Condition "*start != ' '", taking true branch. ifconfig/system/linux.c:972:7: 11. path: Condition "*start != 10", taking true branch. ifconfig/system/linux.c:973:16: 12. path: Jumping back to the beginning of the loop. ifconfig/system/linux.c:972:7: 13. path: Condition "*start != ' '", taking true branch. ifconfig/system/linux.c:972:7: 14. path: Condition "*start != 10", taking false branch. ifconfig/system/linux.c:983:9: 15. path: Condition "rpl_ioctl(fd, 35123, &cur) >= 0", taking true branch. ifconfig/system/linux.c:988:7: 16. path: Condition "idx[index].if_name == NULL", taking true branch. ifconfig/system/linux.c:994:11: 17. leaked_storage: Variable "idx" going out of scope leaks the storage it points to. ifconfig/system/linux.c:1002:3: Type: Resource leak (RESOURCE_LEAK) ifconfig/system/linux.c:935:3: 1. open_fn: Returning handle opened by "socket". ifconfig/system/linux.c:935:3: 2. var_assign: Assigning: "fd" = handle returned from "socket(2, SOCK_DGRAM, 0)". ifconfig/system/linux.c:936:3: 3. path: Condition "fd < 0", taking false branch. ifconfig/system/linux.c:941:3: 4. path: Condition "content == NULL", taking false branch. ifconfig/system/linux.c:953:15: 5. path: Condition "it", taking true branch. ifconfig/system/linux.c:953:15: 6. path: Condition "it", taking true branch. ifconfig/system/linux.c:953:15: 7. path: Condition "it", taking false branch. ifconfig/system/linux.c:956:5: 8. path: Condition "idx == NULL", taking false branch. ifconfig/system/linux.c:966:3: 9. path: Condition "it", taking false branch. ifconfig/system/linux.c:1002:3: 10. leaked_handle: Handle variable "fd" going out of scope leaks the handle. libinetutils/daemon.c:197:3: Type: Resource leak (RESOURCE_LEAK) libinetutils/daemon.c:128:3: 1. path: Switch case value "0". libinetutils/daemon.c:134:7: 2. path: Breaking from switch. libinetutils/daemon.c:146:3: 3. path: Condition "setsid() == -1", taking false branch. libinetutils/daemon.c:155:3: 4. path: Switch case value "0". libinetutils/daemon.c:158:7: 5. path: Breaking from switch. libinetutils/daemon.c:167:3: 6. path: Condition "!nochdir", taking true branch. libinetutils/daemon.c:167:3: 7. path: Condition "chdir("/") < 0", taking false branch. libinetutils/daemon.c:170:3: 8. path: Condition "!noclose", taking true branch. libinetutils/daemon.c:181:7: 9. path: Condition "fdlimit == -1", taking false branch. libinetutils/daemon.c:184:7: 10. path: Condition "i < fdlimit", taking true branch. libinetutils/daemon.c:185:11: 11. path: Jumping back to the beginning of the loop. libinetutils/daemon.c:184:7: 12. path: Condition "i < fdlimit", taking true branch. libinetutils/daemon.c:185:11: 13. path: Jumping back to the beginning of the loop. libinetutils/daemon.c:184:7: 14. path: Condition "i < fdlimit", taking false branch. libinetutils/daemon.c:187:7: 15. open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a builtin model.] libinetutils/daemon.c:187:7: 16. var_assign: Assigning: "fd" = handle returned from "open("/dev/null", 2, 0)". libinetutils/daemon.c:188:7: 17. path: Condition "fd != -1", taking true branch. libinetutils/daemon.c:190:4: 18. noescape: Resource "fd" is not freed or pointed-to in "dup2". libinetutils/daemon.c:191:4: 19. noescape: Resource "fd" is not freed or pointed-to in "dup2". libinetutils/daemon.c:192:4: 20. noescape: Resource "fd" is not freed or pointed-to in "dup2". libinetutils/daemon.c:193:4: 21. path: Condition "fd > 2", taking false branch. libinetutils/daemon.c:197:3: 22. leaked_handle: Handle variable "fd" going out of scope leaks the handle. libinetutils/kerberos5.c:151:5: Type: Resource leak (RESOURCE_LEAK) libinetutils/kerberos5.c:59:3: 1. path: Condition "krb5_sname_to_principal(*ctx, sname, "host", 3, &server)", taking false branch. libinetutils/kerberos5.c:64:3: 2. path: Condition "realm == NULL", taking true branch. libinetutils/kerberos5.c:86:3: 3. path: Condition "auth", taking false branch. libinetutils/kerberos5.c:102:3: 4. path: Condition "verbose", taking true branch. libinetutils/kerberos5.c:110:3: 5. alloc_fn: Storage is returned from allocation function "malloc". libinetutils/kerberos5.c:110:3: 6. var_assign: Assigning: "tmpserver" = storage returned from "malloc(strlen("host") + strlen(sname) + 2UL)". libinetutils/kerberos5.c:111:3: 7. path: Condition "!tmpserver", taking false branch. libinetutils/kerberos5.c:118:3: 8. path: Condition "p", taking false branch. libinetutils/kerberos5.c:121:5: 9. path: Condition "p", taking false branch. libinetutils/kerberos5.c:121:5: 10. noescape: Resource "tmpserver" is not freed or pointed-to in "sprintf". [Note: The source code implementation of the function has been overridden by a builtin model.] libinetutils/kerberos5.c:126:3: 11. path: Condition "!realm", taking false branch. libinetutils/kerberos5.c:139:3: 12. path: Condition "strncmp(cmd, "-x ", 3) == 0", taking true branch. libinetutils/kerberos5.c:148:3: 13. path: Condition "rc == -1765328177L", taking true branch. libinetutils/kerberos5.c:151:5: 14. leaked_storage: Variable "tmpserver" going out of scope leaks the storage it points to. libinetutils/kcmd.c:237:4: Type: Resource leak (RESOURCE_LEAK) libinetutils/kcmd.c:134:3: 1. path: Condition "host", taking false branch. libinetutils/kcmd.c:150:3: 2. alloc_arg: "getaddrinfo" allocates memory that is stored into "res". libinetutils/kcmd.c:151:3: 3. path: Condition "rc", taking false branch. libinetutils/kcmd.c:157:3: 4. var_assign: Assigning: "ai" = "res". libinetutils/kcmd.c:162:3: 5. path: Condition "!rc", taking true branch. libinetutils/kcmd.c:165:7: 6. path: Condition "host_save == NULL", taking false branch. libinetutils/kcmd.c:168:5: 7. path: Falling through to end of if statement. libinetutils/kcmd.c:193:3: 8. path: Condition "host == *ahost", taking true branch. libinetutils/kcmd.c:194:23: 9. path: Falling through to end of if statement. libinetutils/kcmd.c:219:3: 10. path: Condition "true", taking true branch. libinetutils/kcmd.c:226:7: 11. path: Condition "s < 0", taking true branch. libinetutils/kcmd.c:228:4: 12. path: Condition "*__errno_location() == 11", taking true branch. libinetutils/kcmd.c:229:58: 13. path: Falling through to end of if statement. libinetutils/kcmd.c:237:4: 14. leaked_storage: Variable "res" going out of scope leaks the storage it points to. libinetutils/kcmd.c:237:4: 15. leaked_storage: Variable "ai" going out of scope leaks the storage it points to. ftpd/server_mode.c:235:5: Type: Resource leak (RESOURCE_LEAK) ftpd/server_mode.c:123:3: 1. path: Condition "daemon(1, 1) < 0", taking false branch. ftpd/server_mode.c:132:3: 2. path: Condition "sv == NULL", taking true branch. ftpd/server_mode.c:144:3: 3. path: Condition "usefamily != 0", taking true branch. ftpd/server_mode.c:147:3: 4. path: Condition "err", taking false branch. ftpd/server_mode.c:153:3: 5. path: Condition "ai", taking true branch. ftpd/server_mode.c:156:7: 6. path: Condition "ctl_sock < 0", taking true branch. ftpd/server_mode.c:157:2: 7. path: Continuing loop. ftpd/server_mode.c:153:3: 8. path: Condition "ai", taking true branch. ftpd/server_mode.c:156:7: 9. path: Condition "ctl_sock < 0", taking false branch. ftpd/server_mode.c:162:2: 10. path: Condition "setsockopt(ctl_sock, 1, 2, (char *)&on, 4U /* sizeof (on) */) < 0", taking false branch. ftpd/server_mode.c:168:7: 11. path: Condition "usefamily == 0", taking false branch. ftpd/server_mode.c:176:7: 12. path: Condition "bind(ctl_sock, __CONST_SOCKADDR_ARG({.__sockaddr__ = ai->ai_addr}), ai->ai_addrlen)", taking false branch. ftpd/server_mode.c:183:7: 13. path: Condition "listen(ctl_sock, 32) < 0", taking false branch. ftpd/server_mode.c:191:7: 14. path: Breaking from loop. ftpd/server_mode.c:194:3: 15. path: Condition "res", taking true branch. ftpd/server_mode.c:197:3: 16. path: Condition "ai == NULL", taking false branch. ftpd/server_mode.c:206:5: 17. path: Condition "pid_fp == NULL", taking false branch. ftpd/server_mode.c:218:3: 18. path: Condition "1", taking true branch. ftpd/server_mode.c:221:7: 19. open_fn: Returning handle opened by "accept". ftpd/server_mode.c:221:7: 20. var_assign: Assigning: "fd" = handle returned from "accept(ctl_sock, __SOCKADDR_ARG({.__sockaddr__ = phis_addr}), phis_addrlen)". ftpd/server_mode.c:222:7: 21. path: Condition "fork() == 0", taking true branch. ftpd/server_mode.c:224:4: 22. noescape: Resource "fd" is not freed or pointed-to in "dup2". ftpd/server_mode.c:225:4: 23. noescape: Resource "fd" is not freed or pointed-to in "dup2". ftpd/server_mode.c:227:4: 24. path: Breaking from loop. ftpd/server_mode.c:234:3: 25. path: Condition "!check_host(phis_addr, *phis_addrlen)", taking true branch. ftpd/server_mode.c:235:5: 26. leaked_handle: Handle variable "fd" going out of scope leaks the handle. libinetutils/kerberos5.c:175:5: Type: Resource leak (RESOURCE_LEAK) libinetutils/kerberos5.c:59:3: 1. path: Condition "krb5_sname_to_principal(*ctx, sname, "host", 3, &server)", taking false branch. libinetutils/kerberos5.c:64:3: 2. path: Condition "realm == NULL", taking true branch. libinetutils/kerberos5.c:86:3: 3. path: Condition "auth", taking false branch. libinetutils/kerberos5.c:102:3: 4. path: Condition "verbose", taking true branch. libinetutils/kerberos5.c:110:3: 5. alloc_fn: Storage is returned from allocation function "malloc". libinetutils/kerberos5.c:110:3: 6. var_assign: Assigning: "tmpserver" = storage returned from "malloc(strlen("host") + strlen(sname) + 2UL)". libinetutils/kerberos5.c:111:3: 7. path: Condition "!tmpserver", taking false branch. libinetutils/kerberos5.c:118:3: 8. path: Condition "p", taking false branch. libinetutils/kerberos5.c:121:5: 9. path: Condition "p", taking false branch. libinetutils/kerberos5.c:121:5: 10. noescape: Resource "tmpserver" is not freed or pointed-to in "sprintf". [Note: The source code implementation of the function has been overridden by a builtin model.] libinetutils/kerberos5.c:126:3: 11. path: Condition "!realm", taking false branch. libinetutils/kerberos5.c:139:3: 12. path: Condition "strncmp(cmd, "-x ", 3) == 0", taking true branch. libinetutils/kerberos5.c:148:3: 13. path: Condition "rc == -1765328177L", taking false branch. libinetutils/kerberos5.c:174:3: 14. path: Condition "rc", taking true branch. libinetutils/kerberos5.c:175:5: 15. leaked_storage: Variable "tmpserver" going out of scope leaks the storage it points to. libinetutils/kerberos5.c:183:3: Type: Resource leak (RESOURCE_LEAK) libinetutils/kerberos5.c:59:3: 1. path: Condition "krb5_sname_to_principal(*ctx, sname, "host", 3, &server)", taking false branch. libinetutils/kerberos5.c:64:3: 2. path: Condition "realm == NULL", taking true branch. libinetutils/kerberos5.c:86:3: 3. path: Condition "auth", taking false branch. libinetutils/kerberos5.c:102:3: 4. path: Condition "verbose", taking true branch. libinetutils/kerberos5.c:110:3: 5. alloc_fn: Storage is returned from allocation function "malloc". libinetutils/kerberos5.c:110:3: 6. var_assign: Assigning: "tmpserver" = storage returned from "malloc(strlen("host") + strlen(sname) + 2UL)". libinetutils/kerberos5.c:111:3: 7. path: Condition "!tmpserver", taking false branch. libinetutils/kerberos5.c:118:3: 8. path: Condition "p", taking false branch. libinetutils/kerberos5.c:121:5: 9. path: Condition "p", taking false branch. libinetutils/kerberos5.c:121:5: 10. noescape: Resource "tmpserver" is not freed or pointed-to in "sprintf". [Note: The source code implementation of the function has been overridden by a builtin model.] libinetutils/kerberos5.c:126:3: 11. path: Condition "!realm", taking false branch. libinetutils/kerberos5.c:139:3: 12. path: Condition "strncmp(cmd, "-x ", 3) == 0", taking true branch. libinetutils/kerberos5.c:148:3: 13. path: Condition "rc == -1765328177L", taking false branch. libinetutils/kerberos5.c:174:3: 14. path: Condition "rc", taking false branch. libinetutils/kerberos5.c:180:3: 15. path: Condition "verbose", taking true branch. libinetutils/kerberos5.c:183:3: 16. leaked_storage: Variable "tmpserver" going out of scope leaks the storage it points to. telnet/telnet.c:751:5: Type: Resource leak (RESOURCE_LEAK) telnet/telnet.c:621:3: 1. path: Condition "name", taking true branch. telnet/telnet.c:623:7: 2. path: Condition "(int)strlen(name) > 40", taking true branch. telnet/telnet.c:627:2: 3. path: Falling through to end of if statement. telnet/telnet.c:633:5: 4. path: Falling through to end of if statement. telnet/telnet.c:640:3: 5. path: Condition "!buf", taking false branch. telnet/telnet.c:640:3: 6. path: Condition "!*buf", taking false branch. telnet/telnet.c:647:3: 7. path: Condition "*cp", taking true branch. telnet/telnet.c:647:3: 8. path: Condition "*cp != ':'", taking true branch. telnet/telnet.c:649:7: 9. path: Condition "*cp == '|'", taking true branch. telnet/telnet.c:651:5: 10. path: Jumping back to the beginning of the loop. telnet/telnet.c:647:3: 11. path: Condition "*cp", taking true branch. telnet/telnet.c:647:3: 12. path: Condition "*cp != ':'", taking true branch. telnet/telnet.c:649:7: 13. path: Condition "*cp == '|'", taking true branch. telnet/telnet.c:651:5: 14. path: Jumping back to the beginning of the loop. telnet/telnet.c:647:3: 15. path: Condition "*cp", taking true branch. telnet/telnet.c:647:3: 16. path: Condition "*cp != ':'", taking false branch. telnet/telnet.c:656:3: 17. alloc_fn: Storage is returned from allocation function "malloc". telnet/telnet.c:656:3: 18. var_assign: Assigning: "argv" = storage returned from "malloc((n + 3) * 8UL)". telnet/telnet.c:657:3: 19. path: Condition "argv == NULL", taking false branch. telnet/telnet.c:664:3: 20. var_assign: Assigning: "argvp" = "argv". telnet/telnet.c:668:3: 21. path: Condition "c = *cp", taking true branch. telnet/telnet.c:670:7: 22. path: Condition "c == '|'", taking true branch. telnet/telnet.c:680:4: 23. path: Condition "n", taking false branch. telnet/telnet.c:680:4: 24. path: Condition "cp - cp2 > 41", taking true branch. telnet/telnet.c:681:6: 25. path: Falling through to end of if statement. telnet/telnet.c:691:4: 26. path: Condition "c == ':'", taking false branch. telnet/telnet.c:699:4: 27. path: Condition "(c = *cp) == '|'", taking true branch. telnet/telnet.c:700:10: 28. path: Jumping back to the beginning of the loop. telnet/telnet.c:699:4: 29. path: Condition "(c = *cp) == '|'", taking false branch. telnet/telnet.c:709:7: 30. path: Condition "c == ' '", taking true branch. telnet/telnet.c:710:7: 31. path: Falling through to end of if statement. telnet/telnet.c:713:5: 32. path: Jumping back to the beginning of the loop. telnet/telnet.c:668:3: 33. path: Condition "c = *cp", taking true branch. telnet/telnet.c:670:7: 34. path: Condition "c == '|'", taking false branch. telnet/telnet.c:670:7: 35. path: Condition "c == ':'", taking true branch. telnet/telnet.c:680:4: 36. path: Condition "n", taking true branch. telnet/telnet.c:681:6: 37. path: Falling through to end of if statement. telnet/telnet.c:691:4: 38. path: Condition "c == ':'", taking true branch. telnet/telnet.c:692:6: 39. path: Breaking from loop. telnet/telnet.c:720:3: 40. path: Condition "argv[1] == buf", taking true branch. telnet/telnet.c:720:3: 41. path: Condition "strlen(argv[1]) == 2", taking true branch. telnet/telnet.c:723:12: 42. var_assign: Assigning: "avt" = "argv". telnet/telnet.c:723:7: 43. path: Condition "avt < argvp", taking true branch. telnet/telnet.c:724:19: 44. path: Jumping back to the beginning of the loop. telnet/telnet.c:723:7: 45. path: Condition "avt < argvp", taking false branch. telnet/telnet.c:737:3: 46. path: Condition "*argv == NULL", taking true branch. telnet/telnet.c:739:7: 47. path: Condition "name", taking false branch. telnet/telnet.c:744:9: 48. var_assign: Assigning: "avt" = "argv". telnet/telnet.c:744:4: 49. path: Condition "avt < argvp", taking true branch. telnet/telnet.c:745:23: 50. path: Jumping back to the beginning of the loop. telnet/telnet.c:744:4: 51. path: Condition "avt < argvp", taking false branch. telnet/telnet.c:748:3: 52. path: Condition "*argv", taking false branch. telnet/telnet.c:751:5: 53. leaked_storage: Variable "avt" going out of scope leaks the storage it points to. telnet/telnet.c:751:5: 54. leaked_storage: Variable "argv" going out of scope leaks the storage it points to. telnet/telnet.c:751:5: 55. leaked_storage: Variable "argvp" going out of scope leaks the storage it points to. ftpd/ftpd.c:2270:1: Type: Resource leak (RESOURCE_LEAK) ftpd/ftpd.c:2132:3: 1. path: Condition "strpbrk(whichf, "~{[*?") != NULL", taking true branch. ftpd/ftpd.c:2148:7: 2. path: Condition "glob(whichf, flags, NULL, &gl)", taking false branch. ftpd/ftpd.c:2153:12: 3. path: Condition "gl.gl_pathc == 0", taking false branch. ftpd/ftpd.c:2160:5: 4. path: Falling through to end of if statement. ftpd/ftpd.c:2169:3: 5. path: Condition "setjmp(urgcatch)", taking false branch. ftpd/ftpd.c:2174:3: 6. path: Condition "dirname = *dirlist++", taking true branch. ftpd/ftpd.c:2176:7: 7. path: Condition "stat(dirname, &st) < 0", taking false branch. ftpd/ftpd.c:2196:7: 8. path: Condition "(st.st_mode & 61440) == 32768", taking false branch. ftpd/ftpd.c:2209:12: 9. path: Condition "!((st.st_mode & 61440) == 16384)", taking false branch. ftpd/ftpd.c:2212:7: 10. alloc_fn: Storage is returned from allocation function "opendir". ftpd/ftpd.c:2212:7: 11. var_assign: Assigning: "dirp" = storage returned from "opendir(dirname)". ftpd/ftpd.c:2213:7: 12. path: Condition "dirp == NULL", taking false branch. ftpd/ftpd.c:2216:7: 13. noescape: Resource "dirp" is not freed or pointed-to in "readdir". ftpd/ftpd.c:2216:7: 14. path: Condition "(dir = readdir(dirp)) != NULL", taking true branch. ftpd/ftpd.c:2220:4: 15. path: Condition "dir->d_name[0] == '.'", taking true branch. ftpd/ftpd.c:2220:4: 16. path: Condition "dir->d_name[1] == 0", taking false branch. ftpd/ftpd.c:2222:4: 17. path: Condition "dir->d_name[0] == '.'", taking true branch. ftpd/ftpd.c:2222:4: 18. path: Condition "dir->d_name[1] == '.'", taking true branch. ftpd/ftpd.c:2222:4: 19. path: Condition "dir->d_name[2] == 0", taking false branch. ftpd/ftpd.c:2231:4: 20. path: Condition "simple", taking false branch. ftpd/ftpd.c:2231:4: 21. path: Condition "stat(nbuf, &st) == 0", taking true branch. ftpd/ftpd.c:2231:4: 22. path: Condition "(st.st_mode & 61440) == 32768", taking true branch. ftpd/ftpd.c:2233:8: 23. path: Condition "dout == NULL", taking true branch. ftpd/ftpd.c:2236:5: 24. path: Condition "dout == NULL", taking true branch. ftpd/ftpd.c:2237:7: 25. path: Jumping to label "out". ftpd/ftpd.c:2265:3: 26. path: Condition "freeglob", taking true branch. ftpd/ftpd.c:2270:1: 27. leaked_storage: Variable "dirp" going out of scope leaks the storage it points to. ftpd/ftpd.c:2270:1: Type: Resource leak (RESOURCE_LEAK) ftpd/ftpd.c:2132:3: 1. path: Condition "strpbrk(whichf, "~{[*?") != NULL", taking true branch. ftpd/ftpd.c:2148:7: 2. path: Condition "glob(whichf, flags, NULL, &gl)", taking false branch. ftpd/ftpd.c:2153:12: 3. path: Condition "gl.gl_pathc == 0", taking false branch. ftpd/ftpd.c:2160:5: 4. path: Falling through to end of if statement. ftpd/ftpd.c:2169:3: 5. path: Condition "setjmp(urgcatch)", taking false branch. ftpd/ftpd.c:2174:3: 6. path: Condition "dirname = *dirlist++", taking true branch. ftpd/ftpd.c:2176:7: 7. path: Condition "stat(dirname, &st) < 0", taking false branch. ftpd/ftpd.c:2196:7: 8. path: Condition "(st.st_mode & 61440) == 32768", taking true branch. ftpd/ftpd.c:2198:4: 9. path: Condition "dout == NULL", taking true branch. ftpd/ftpd.c:2200:8: 10. alloc_fn: Storage is returned from allocation function "dataconn". ftpd/ftpd.c:1224:3: 10.1. path: Condition "size != -1L /* (off_t)-1 */", taking true branch. ftpd/ftpd.c:1225:75: 10.2. path: Falling through to end of if statement. ftpd/ftpd.c:1228:3: 10.3. path: Condition "pdata >= 0", taking true branch. ftpd/ftpd.c:1238:7: 10.4. path: Condition "s < 0", taking false branch. ftpd/ftpd.c:1249:7: 10.5. path: Condition "from.ss_family == 2", taking true branch. ftpd/ftpd.c:1263:7: 10.6. path: Condition "type == 1", taking true branch. ftpd/ftpd.c:1265:7: 10.7. alloc_fn: Storage is returned from allocation function "fdopen". ftpd/ftpd.c:1265:7: 10.8. return_alloc_fn: Directly returning storage allocated by "fdopen". ftpd/ftpd.c:2200:8: 11. var_assign: Assigning: "dout" = storage returned from "dataconn("file list", -1L, "w")". ftpd/ftpd.c:2201:8: 12. path: Condition "dout == NULL", taking false branch. ftpd/ftpd.c:2205:4: 13. path: Condition "type == 1", taking true branch. ftpd/ftpd.c:2205:4: 14. noescape: Resource "dout" is not freed or pointed-to in "fprintf". [Note: The source code implementation of the function has been overridden by a builtin model.] ftpd/ftpd.c:2207:4: 15. path: Continuing loop. ftpd/ftpd.c:2174:3: 16. path: Condition "dirname = *dirlist++", taking true branch. ftpd/ftpd.c:2176:7: 17. path: Condition "stat(dirname, &st) < 0", taking false branch. ftpd/ftpd.c:2196:7: 18. path: Condition "(st.st_mode & 61440) == 32768", taking false branch. ftpd/ftpd.c:2209:12: 19. path: Condition "!((st.st_mode & 61440) == 16384)", taking true branch. ftpd/ftpd.c:2210:2: 20. path: Continuing loop. ftpd/ftpd.c:2174:3: 21. path: Condition "dirname = *dirlist++", taking true branch. ftpd/ftpd.c:2176:7: 22. path: Condition "stat(dirname, &st) < 0", taking true branch. ftpd/ftpd.c:2180:4: 23. path: Condition "dirname[0] == '-'", taking true branch. ftpd/ftpd.c:2180:4: 24. path: Condition "*dirlist == NULL", taking true branch. ftpd/ftpd.c:2180:4: 25. path: Condition "transflag == 0", taking true branch. ftpd/ftpd.c:2183:8: 26. path: Jumping to label "out". ftpd/ftpd.c:2265:3: 27. path: Condition "freeglob", taking true branch. ftpd/ftpd.c:2270:1: 28. leaked_storage: Variable "dout" going out of scope leaks the storage it points to. ftpd/ftpd.c:1466:7: Type: Resource leak (RESOURCE_LEAK) ftpd/ftpd.c:1326:3: 1. path: Condition "setjmp(urgcatch)", taking false branch. ftpd/ftpd.c:1339:3: 2. path: Condition "file_size > 0", taking true branch. ftpd/ftpd.c:1339:3: 3. path: Condition "file_size < 8388608", taking true branch. ftpd/ftpd.c:1339:3: 4. path: Condition "restart_point == 0", taking true branch. ftpd/ftpd.c:1342:7: 5. path: Condition "debug", taking true branch. ftpd/ftpd.c:1345:7: 6. path: Condition "curpos >= 0", taking true branch. ftpd/ftpd.c:1348:4: 7. alloc_fn: Storage is returned from allocation function "mmap". ftpd/ftpd.c:1348:4: 8. var_assign: Assigning: "buf" = storage returned from "mmap(NULL, filesize, 1, 1, filefd, curpos)". ftpd/ftpd.c:1353:3: 9. path: Switch case default. ftpd/ftpd.c:1466:7: 10. leaked_storage: Variable "buf" going out of scope leaks the storage it points to. ftp/cmds.c:2474:5: Type: Resource leak (RESOURCE_LEAK) ftp/cmds.c:2370:3: 1. alloc_fn: Storage is returned from allocation function "xmalloc". [Note: The source code implementation of the function has been overridden by a builtin model.] ftp/cmds.c:2370:3: 2. var_assign: Assigning: "buf" = storage returned from "xmalloc(buf_len)". ftp/cmds.c:2375:3: 3. path: Condition "i < 9", taking true branch. ftp/cmds.c:2378:5: 4. path: Jumping back to the beginning of the loop. ftp/cmds.c:2375:3: 5. path: Condition "i < 9", taking true branch. ftp/cmds.c:2378:5: 6. path: Jumping back to the beginning of the loop. ftp/cmds.c:2375:3: 7. path: Condition "i < 9", taking false branch. ftp/cmds.c:2382:3: 8. path: Condition "match", taking true branch. ftp/cmds.c:2382:3: 9. path: Condition "*cp1", taking true branch. ftp/cmds.c:2382:3: 10. path: Condition "*cp2", taking true branch. ftp/cmds.c:2384:7: 11. path: Switch case value "'\\'". ftp/cmds.c:2387:4: 12. path: Condition "*++cp2 != *cp1", taking true branch. ftp/cmds.c:2391:4: 13. path: Breaking from switch. ftp/cmds.c:2415:7: 14. path: Condition "match", taking false branch. ftp/cmds.c:2419:7: 15. path: Condition "match", taking false branch. ftp/cmds.c:2423:5: 16. path: Jumping back to the beginning of the loop. ftp/cmds.c:2382:3: 17. path: Condition "match", taking false branch. ftp/cmds.c:2424:3: 18. path: Condition "!match", taking true branch. ftp/cmds.c:2424:3: 19. path: Condition "*cp1", taking true branch. ftp/cmds.c:2433:3: 20. var_assign: Assigning: "cp1" = "buf". ftp/cmds.c:2436:3: 21. path: Condition "*cp2", taking true branch. ftp/cmds.c:2439:7: 22. path: Switch case value "'\\'". ftp/cmds.c:2442:4: 23. path: Condition "cp2[1]", taking true branch. ftp/cmds.c:2446:4: 24. path: Breaking from switch. ftp/cmds.c:2520:5: 25. path: Jumping back to the beginning of the loop. ftp/cmds.c:2436:3: 26. path: Condition "*cp2", taking true branch. ftp/cmds.c:2439:7: 27. path: Switch case value "'['". ftp/cmds.c:2449:4: 28. path: Condition "*++cp2 == '$'", taking true branch. ftp/cmds.c:2449:4: 29. path: Condition "*__ctype_b_loc()[(int)cp2[1]] & 2048 /* (unsigned short)_ISdigit */", taking false branch. ftp/cmds.c:2456:8: 30. path: Condition "*cp2", taking true branch. ftp/cmds.c:2456:8: 31. path: Condition "*cp2 != ','", taking true branch. ftp/cmds.c:2456:8: 32. path: Condition "*cp2 != ']'", taking true branch. ftp/cmds.c:2458:5: 33. path: Condition "*cp2 == '\\'", taking true branch. ftp/cmds.c:2461:7: 34. path: Falling through to end of if statement. ftp/cmds.c:2470:3: 35. path: Jumping back to the beginning of the loop. ftp/cmds.c:2456:8: 36. path: Condition "*cp2", taking false branch. ftp/cmds.c:2471:8: 37. path: Condition "!*cp2", taking true branch. ftp/cmds.c:2474:5: 38. leaked_storage: Variable "cp1" going out of scope leaks the storage it points to. ftp/cmds.c:2474:5: 39. leaked_storage: Variable "buf" going out of scope leaks the storage it points to. ftp/cmds.c:2492:5: Type: Resource leak (RESOURCE_LEAK) ftp/cmds.c:2370:3: 1. alloc_fn: Storage is returned from allocation function "xmalloc". [Note: The source code implementation of the function has been overridden by a builtin model.] ftp/cmds.c:2370:3: 2. var_assign: Assigning: "buf" = storage returned from "xmalloc(buf_len)". ftp/cmds.c:2375:3: 3. path: Condition "i < 9", taking true branch. ftp/cmds.c:2378:5: 4. path: Jumping back to the beginning of the loop. ftp/cmds.c:2375:3: 5. path: Condition "i < 9", taking true branch. ftp/cmds.c:2378:5: 6. path: Jumping back to the beginning of the loop. ftp/cmds.c:2375:3: 7. path: Condition "i < 9", taking false branch. ftp/cmds.c:2382:3: 8. path: Condition "match", taking true branch. ftp/cmds.c:2382:3: 9. path: Condition "*cp1", taking true branch. ftp/cmds.c:2382:3: 10. path: Condition "*cp2", taking true branch. ftp/cmds.c:2384:7: 11. path: Switch case value "'\\'". ftp/cmds.c:2387:4: 12. path: Condition "*++cp2 != *cp1", taking true branch. ftp/cmds.c:2391:4: 13. path: Breaking from switch. ftp/cmds.c:2415:7: 14. path: Condition "match", taking false branch. ftp/cmds.c:2419:7: 15. path: Condition "match", taking false branch. ftp/cmds.c:2423:5: 16. path: Jumping back to the beginning of the loop. ftp/cmds.c:2382:3: 17. path: Condition "match", taking false branch. ftp/cmds.c:2424:3: 18. path: Condition "!match", taking true branch. ftp/cmds.c:2424:3: 19. path: Condition "*cp1", taking true branch. ftp/cmds.c:2433:3: 20. var_assign: Assigning: "cp1" = "buf". ftp/cmds.c:2436:3: 21. path: Condition "*cp2", taking true branch. ftp/cmds.c:2439:7: 22. path: Switch case value "'\\'". ftp/cmds.c:2442:4: 23. path: Condition "cp2[1]", taking true branch. ftp/cmds.c:2446:4: 24. path: Breaking from switch. ftp/cmds.c:2520:5: 25. path: Jumping back to the beginning of the loop. ftp/cmds.c:2436:3: 26. path: Condition "*cp2", taking true branch. ftp/cmds.c:2439:7: 27. path: Switch case value "'['". ftp/cmds.c:2449:4: 28. path: Condition "*++cp2 == '$'", taking true branch. ftp/cmds.c:2449:4: 29. path: Condition "*__ctype_b_loc()[(int)cp2[1]] & 2048 /* (unsigned short)_ISdigit */", taking false branch. ftp/cmds.c:2456:8: 30. path: Condition "*cp2", taking true branch. ftp/cmds.c:2456:8: 31. path: Condition "*cp2 != ','", taking true branch. ftp/cmds.c:2456:8: 32. path: Condition "*cp2 != ']'", taking true branch. ftp/cmds.c:2458:5: 33. path: Condition "*cp2 == '\\'", taking true branch. ftp/cmds.c:2461:7: 34. path: Falling through to end of if statement. ftp/cmds.c:2470:3: 35. path: Jumping back to the beginning of the loop. ftp/cmds.c:2456:8: 36. path: Condition "*cp2", taking true branch. ftp/cmds.c:2456:8: 37. path: Condition "*cp2 != ','", taking true branch. ftp/cmds.c:2456:8: 38. path: Condition "*cp2 != ']'", taking false branch. ftp/cmds.c:2471:8: 39. path: Condition "!*cp2", taking false branch. ftp/cmds.c:2479:4: 40. path: Condition "match", taking true branch. ftp/cmds.c:2482:8: 41. path: Condition "*++cp2", taking true branch. ftp/cmds.c:2482:8: 42. path: Condition "*cp2 != ']'", taking true branch. ftp/cmds.c:2484:5: 43. path: Condition "*cp2 == '\\'", taking true branch. ftp/cmds.c:2484:5: 44. path: Condition "cp2[1]", taking true branch. ftp/cmds.c:2488:3: 45. path: Jumping back to the beginning of the loop. ftp/cmds.c:2482:8: 46. path: Condition "*++cp2", taking false branch. ftp/cmds.c:2489:8: 47. path: Condition "!*cp2", taking true branch. ftp/cmds.c:2492:5: 48. leaked_storage: Variable "cp1" going out of scope leaks the storage it points to. ftp/cmds.c:2492:5: 49. leaked_storage: Variable "buf" going out of scope leaks the storage it points to. src/syslogd.c:1506:5: Type: Resource leak (RESOURCE_LEAK) src/syslogd.c:1336:3: 1. path: Condition "f->f_type == 6", taking false branch. src/syslogd.c:1357:3: 2. path: Condition "f->f_prevhost", taking true branch. src/syslogd.c:1367:3: 3. path: Condition "msg", taking true branch. src/syslogd.c:1371:5: 4. path: Falling through to end of if statement. src/syslogd.c:1388:3: 5. path: Switch case value "7". src/syslogd.c:1397:7: 6. path: Condition "fwd_suspend >= 180", taking true branch. src/syslogd.c:1401:4: 7. path: Jumping to label "f_forw". src/syslogd.c:1457:7: 8. path: Condition "strcasecmp(from, LocalHostName)", taking true branch. src/syslogd.c:1457:7: 9. path: Condition "NoHops", taking false branch. src/syslogd.c:1459:12: 10. path: Condition "NoForward", taking false branch. src/syslogd.c:1465:4: 11. path: Condition "f->f_un.f_forw.f_addr.ss_family == 2", taking true branch. src/syslogd.c:1466:32: 12. path: Falling through to end of if statement. src/syslogd.c:1472:4: 13. path: Condition "temp_finet < 0", taking true branch. src/syslogd.c:1485:8: 14. path: Condition "err", taking false branch. src/syslogd.c:1491:8: 15. open_fn: Returning handle opened by "socket". src/syslogd.c:1491:8: 16. var_assign: Assigning: "temp_finet" = handle returned from "socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol)". src/syslogd.c:1493:8: 17. path: Condition "temp_finet < 0", taking false branch. src/syslogd.c:1500:8: 18. noescape: Resource "temp_finet" is not freed or pointed-to in "bind". src/syslogd.c:1502:8: 19. path: Condition "err", taking true branch. src/syslogd.c:1506:5: 20. path: Breaking from switch. src/syslogd.c:1506:5: 21. leaked_handle: Handle variable "temp_finet" going out of scope leaks the handle. ftp/ftp.c:1132:8: Type: Resource leak (RESOURCE_LEAK) ftp/ftp.c:925:3: 1. path: Condition "strcmp(cmd, "RETR") == 0", taking true branch. ftp/ftp.c:926:3: 2. path: Condition "is_retr", taking true branch. ftp/ftp.c:926:3: 3. path: Condition "verbose", taking true branch. ftp/ftp.c:926:3: 4. path: Condition "printnames", taking true branch. ftp/ftp.c:928:7: 5. path: Condition "local", taking true branch. ftp/ftp.c:928:7: 6. path: Condition "*local != '-'", taking true branch. ftp/ftp.c:930:7: 7. path: Condition "remote", taking true branch. ftp/ftp.c:933:3: 8. path: Condition "proxy", taking false branch. ftp/ftp.c:941:3: 9. path: Condition "!crflag", taking true branch. ftp/ftp.c:941:3: 10. path: Condition "is_retr", taking true branch. ftp/ftp.c:942:3: 11. path: Condition "setjmp(recvabort)", taking false branch. ftp/ftp.c:959:3: 12. path: Condition "strcmp(local, "-")", taking true branch. ftp/ftp.c:959:3: 13. path: Condition "*local != '|'", taking true branch. ftp/ftp.c:961:7: 14. path: Condition "runique", taking true branch. ftp/ftp.c:961:7: 15. path: Condition "(local = gunique(local)) == NULL", taking false branch. ftp/ftp.c:968:3: 16. path: Condition "!is_retr", taking false branch. ftp/ftp.c:973:8: 17. path: Condition "curtype != type", taking true branch. ftp/ftp.c:975:3: 18. path: Condition "initconn()", taking false branch. ftp/ftp.c:981:3: 19. path: Condition "setjmp(recvabort)", taking false branch. ftp/ftp.c:983:3: 20. path: Condition "is_retr", taking true branch. ftp/ftp.c:983:3: 21. path: Condition "restart_point", taking true branch. ftp/ftp.c:983:3: 22. path: Condition "command("REST %jd", (intmax_t)restart_point) != 3", taking false branch. ftp/ftp.c:986:3: 23. path: Condition "remote", taking true branch. ftp/ftp.c:988:7: 24. path: Condition "command("%s %s", cmd, remote) != 1", taking false branch. ftp/ftp.c:993:5: 25. path: Falling through to end of if statement. ftp/ftp.c:1002:3: 26. alloc_fn: Storage is returned from allocation function "dataconn". ftp/ftp.c:1599:3: 26.1. path: Condition "passivemode", taking true branch. ftp/ftp.c:1600:5: 26.2. alloc_fn: Storage is returned from allocation function "fdopen". ftp/ftp.c:1600:5: 26.3. return_alloc_fn: Directly returning storage allocated by "fdopen". ftp/ftp.c:1002:3: 27. var_assign: Assigning: "din" = storage returned from "dataconn("r")". ftp/ftp.c:1003:3: 28. path: Condition "din == NULL", taking false branch. ftp/ftp.c:1006:3: 29. path: Condition "strcmp(local, "-") == 0", taking true branch. ftp/ftp.c:1007:18: 30. path: Falling through to end of if statement. ftp/ftp.c:1033:3: 31. path: Condition "blksize > bufsize", taking true branch. ftp/ftp.c:1037:7: 32. path: Condition "buf == NULL", taking false branch. ftp/ftp.c:1047:3: 33. path: Switch case value "1". ftp/ftp.c:1099:7: 34. path: Condition "restart_point", taking true branch. ftp/ftp.c:1106:4: 35. path: Condition "fseeko(fout, 0L, 0) < 0", taking false branch. ftp/ftp.c:1109:4: 36. path: Condition "i++ < n", taking true branch. ftp/ftp.c:1111:8: 37. path: Condition "(ch = getc(fout)) == -1", taking false branch. ftp/ftp.c:1113:8: 38. path: Condition "ch == 10", taking true branch. ftp/ftp.c:1115:6: 39. path: Jumping back to the beginning of the loop. ftp/ftp.c:1109:4: 40. path: Condition "i++ < n", taking true branch. ftp/ftp.c:1111:8: 41. path: Condition "(ch = getc(fout)) == -1", taking false branch. ftp/ftp.c:1113:8: 42. path: Condition "ch == 10", taking true branch. ftp/ftp.c:1115:6: 43. path: Jumping back to the beginning of the loop. ftp/ftp.c:1109:4: 44. path: Condition "i++ < n", taking true branch. ftp/ftp.c:1111:8: 45. path: Condition "(ch = getc(fout)) == -1", taking false branch. ftp/ftp.c:1113:8: 46. path: Condition "ch == 10", taking false branch. ftp/ftp.c:1115:6: 47. path: Jumping back to the beginning of the loop. ftp/ftp.c:1109:4: 48. path: Condition "i++ < n", taking true branch. ftp/ftp.c:1111:8: 49. path: Condition "(ch = getc(fout)) == -1", taking true branch. ftp/ftp.c:1112:3: 50. path: Jumping to label "done". ftp/ftp.c:1124:8: 51. path: Condition "ch == -1", taking true branch. ftp/ftp.c:1126:31: 52. path: Falling through to end of if statement. ftp/ftp.c:1130:8: 53. path: Condition "closefunc != NULL", taking false branch. ftp/ftp.c:1132:8: 54. leaked_storage: Variable "din" going out of scope leaks the storage it points to. telnet/commands.c:2695:4: Type: Resource leak (RESOURCE_LEAK) telnet/commands.c:2486:3: 1. path: Condition "connected", taking false branch. telnet/commands.c:2491:3: 2. path: Condition "argc < 2", taking true branch. telnet/commands.c:2495:7: 3. path: Condition "fgets(&line[strlen(line)], 256UL /* sizeof (line) */ - strlen(line), stdin)", taking true branch. telnet/commands.c:2501:2: 4. path: Falling through to end of if statement. telnet/commands.c:2508:3: 5. path: Condition "argc", taking true branch. telnet/commands.c:2510:7: 6. path: Condition "strcmp(*argv, "help") == 0", taking false branch. telnet/commands.c:2510:7: 7. path: Condition "isprefix(*argv, "?")", taking false branch. telnet/commands.c:2512:7: 8. path: Condition "strcmp(*argv, "-l") == 0", taking false branch. telnet/commands.c:2522:7: 9. path: Condition "strcmp(*argv, "-b") == 0", taking false branch. telnet/commands.c:2532:7: 10. path: Condition "strcmp(*argv, "-a") == 0", taking false branch. telnet/commands.c:2539:7: 11. path: Condition "strcmp(*argv, "-6") == 0", taking false branch. telnet/commands.c:2550:7: 12. path: Condition "strcmp(*argv, "-4") == 0", taking false branch. telnet/commands.c:2559:7: 13. path: Condition "hostp == NULL", taking true branch. telnet/commands.c:2563:4: 14. path: Continuing loop. telnet/commands.c:2508:3: 15. path: Condition "argc", taking false branch. telnet/commands.c:2575:3: 16. path: Condition "hostp == NULL", taking false branch. telnet/commands.c:2578:3: 17. path: Condition "!portp", taking true branch. telnet/commands.c:2582:5: 18. path: Falling through to end of if statement. telnet/commands.c:2615:3: 19. path: Condition "!hostname", taking false branch. telnet/commands.c:2628:5: 20. path: Condition "p", taking false branch. telnet/commands.c:2650:3: 21. path: Condition "srchostp", taking false branch. telnet/commands.c:2662:3: 22. alloc_arg: "getaddrinfo" allocates memory that is stored into "result". telnet/commands.c:2663:3: 23. path: Condition "err", taking false branch. telnet/commands.c:2676:3: 24. var_assign: Assigning: "aip" = "result". telnet/commands.c:2684:7: 25. path: Condition "err", taking true branch. telnet/commands.c:2689:4: 26. path: Condition "err == -11", taking true branch. telnet/commands.c:2690:31: 27. path: Falling through to end of if statement. telnet/commands.c:2695:4: 28. leaked_storage: Variable "aip" going out of scope leaks the storage it points to. telnet/commands.c:2695:4: 29. leaked_storage: Variable "result" going out of scope leaks the storage it points to. telnet/commands.c:2704:4: Type: Resource leak (RESOURCE_LEAK) telnet/commands.c:2486:3: 1. path: Condition "connected", taking false branch. telnet/commands.c:2491:3: 2. path: Condition "argc < 2", taking true branch. telnet/commands.c:2495:7: 3. path: Condition "fgets(&line[strlen(line)], 256UL /* sizeof (line) */ - strlen(line), stdin)", taking true branch. telnet/commands.c:2501:2: 4. path: Falling through to end of if statement. telnet/commands.c:2508:3: 5. path: Condition "argc", taking true branch. telnet/commands.c:2510:7: 6. path: Condition "strcmp(*argv, "help") == 0", taking false branch. telnet/commands.c:2510:7: 7. path: Condition "isprefix(*argv, "?")", taking false branch. telnet/commands.c:2512:7: 8. path: Condition "strcmp(*argv, "-l") == 0", taking false branch. telnet/commands.c:2522:7: 9. path: Condition "strcmp(*argv, "-b") == 0", taking false branch. telnet/commands.c:2532:7: 10. path: Condition "strcmp(*argv, "-a") == 0", taking false branch. telnet/commands.c:2539:7: 11. path: Condition "strcmp(*argv, "-6") == 0", taking false branch. telnet/commands.c:2550:7: 12. path: Condition "strcmp(*argv, "-4") == 0", taking false branch. telnet/commands.c:2559:7: 13. path: Condition "hostp == NULL", taking true branch. telnet/commands.c:2563:4: 14. path: Continuing loop. telnet/commands.c:2508:3: 15. path: Condition "argc", taking false branch. telnet/commands.c:2575:3: 16. path: Condition "hostp == NULL", taking false branch. telnet/commands.c:2578:3: 17. path: Condition "!portp", taking true branch. telnet/commands.c:2582:5: 18. path: Falling through to end of if statement. telnet/commands.c:2615:3: 19. path: Condition "!hostname", taking false branch. telnet/commands.c:2628:5: 20. path: Condition "p", taking false branch. telnet/commands.c:2650:3: 21. path: Condition "srchostp", taking false branch. telnet/commands.c:2662:3: 22. alloc_arg: "getaddrinfo" allocates memory that is stored into "result". telnet/commands.c:2663:3: 23. path: Condition "err", taking false branch. telnet/commands.c:2676:3: 24. var_assign: Assigning: "aip" = "result". telnet/commands.c:2684:7: 25. path: Condition "err", taking false branch. telnet/commands.c:2701:7: 26. path: Condition "net < 0", taking true branch. telnet/commands.c:2704:4: 27. leaked_storage: Variable "aip" going out of scope leaks the storage it points to. telnet/commands.c:2704:4: 28. leaked_storage: Variable "result" going out of scope leaks the storage it points to. telnet/commands.c:2736:4: Type: Resource leak (RESOURCE_LEAK) telnet/commands.c:2486:3: 1. path: Condition "connected", taking false branch. telnet/commands.c:2491:3: 2. path: Condition "argc < 2", taking true branch. telnet/commands.c:2495:7: 3. path: Condition "fgets(&line[strlen(line)], 256UL /* sizeof (line) */ - strlen(line), stdin)", taking true branch. telnet/commands.c:2501:2: 4. path: Falling through to end of if statement. telnet/commands.c:2508:3: 5. path: Condition "argc", taking true branch. telnet/commands.c:2510:7: 6. path: Condition "strcmp(*argv, "help") == 0", taking false branch. telnet/commands.c:2510:7: 7. path: Condition "isprefix(*argv, "?")", taking false branch. telnet/commands.c:2512:7: 8. path: Condition "strcmp(*argv, "-l") == 0", taking false branch. telnet/commands.c:2522:7: 9. path: Condition "strcmp(*argv, "-b") == 0", taking false branch. telnet/commands.c:2532:7: 10. path: Condition "strcmp(*argv, "-a") == 0", taking false branch. telnet/commands.c:2539:7: 11. path: Condition "strcmp(*argv, "-6") == 0", taking false branch. telnet/commands.c:2550:7: 12. path: Condition "strcmp(*argv, "-4") == 0", taking false branch. telnet/commands.c:2559:7: 13. path: Condition "hostp == NULL", taking true branch. telnet/commands.c:2563:4: 14. path: Continuing loop. telnet/commands.c:2508:3: 15. path: Condition "argc", taking false branch. telnet/commands.c:2575:3: 16. path: Condition "hostp == NULL", taking false branch. telnet/commands.c:2578:3: 17. path: Condition "!portp", taking true branch. telnet/commands.c:2582:5: 18. path: Falling through to end of if statement. telnet/commands.c:2615:3: 19. path: Condition "!hostname", taking false branch. telnet/commands.c:2628:5: 20. path: Condition "p", taking false branch. telnet/commands.c:2650:3: 21. path: Condition "srchostp", taking false branch. telnet/commands.c:2662:3: 22. alloc_arg: "getaddrinfo" allocates memory that is stored into "result". telnet/commands.c:2663:3: 23. path: Condition "err", taking false branch. telnet/commands.c:2676:3: 24. var_assign: Assigning: "aip" = "result". telnet/commands.c:2684:7: 25. path: Condition "err", taking false branch. telnet/commands.c:2701:7: 26. path: Condition "net < 0", taking false branch. telnet/commands.c:2707:7: 27. path: Condition "srchostp", taking false branch. telnet/commands.c:2717:7: 28. path: Condition "debug", taking true branch. telnet/commands.c:2720:4: 29. path: Condition "err < 0", taking false branch. telnet/commands.c:2725:7: 30. path: Condition "err < 0", taking true branch. telnet/commands.c:2727:4: 31. path: Condition "aip->ai_next", taking false branch. telnet/commands.c:2736:4: 32. leaked_storage: Variable "aip" going out of scope leaks the storage it points to. telnet/commands.c:2736:4: 33. leaked_storage: Variable "result" going out of scope leaks the storage it points to. ftp/ftp.c:881:7: Type: Resource leak (RESOURCE_LEAK) ftp/ftp.c:622:3: 1. path: Condition "verbose", taking true branch. ftp/ftp.c:622:3: 2. path: Condition "printnames", taking true branch. ftp/ftp.c:624:7: 3. path: Condition "local", taking true branch. ftp/ftp.c:624:7: 4. path: Condition "*local != '-'", taking true branch. ftp/ftp.c:626:7: 5. path: Condition "remote", taking true branch. ftp/ftp.c:629:3: 6. path: Condition "proxy", taking false branch. ftp/ftp.c:634:3: 7. path: Condition "curtype != type", taking true branch. ftp/ftp.c:640:3: 8. path: Condition "setjmp(sendabort)", taking false branch. ftp/ftp.c:659:3: 9. path: Condition "strcmp(local, "-") == 0", taking false branch. ftp/ftp.c:661:8: 10. path: Condition "*local == '|'", taking true branch. ftp/ftp.c:664:7: 11. alloc_fn: Storage is returned from allocation function "popen". ftp/ftp.c:664:7: 12. var_assign: Assigning: "fin" = storage returned from "popen(local + 1, "r")". ftp/ftp.c:665:7: 13. path: Condition "fin == NULL", taking false branch. ftp/ftp.c:674:5: 14. path: Falling through to end of if statement. ftp/ftp.c:696:3: 15. path: Condition "initconn()", taking false branch. ftp/ftp.c:706:3: 16. path: Condition "setjmp(sendabort)", taking false branch. ftp/ftp.c:709:3: 17. path: Condition "restart_point", taking true branch. ftp/ftp.c:709:3: 18. path: Condition "strcmp(cmd, "STOR") == 0", taking true branch. ftp/ftp.c:714:7: 19. path: Switch case value "1". ftp/ftp.c:717:4: 20. noescape: Resource "fin" is not freed or pointed-to in "fseeko". ftp/ftp.c:718:4: 21. path: Breaking from switch. ftp/ftp.c:724:7: 22. path: Condition "rc < 0", taking false branch. ftp/ftp.c:734:7: 23. path: Condition "command("REST %jd", (intmax_t)restart_point) != 3", taking false branch. ftp/ftp.c:744:3: 24. path: Condition "remote", taking true branch. ftp/ftp.c:746:7: 25. path: Condition "command("%s %s", cmd, remote) != 1", taking false branch. ftp/ftp.c:755:5: 26. path: Falling through to end of if statement. ftp/ftp.c:766:3: 27. path: Condition "dout == NULL", taking true branch. ftp/ftp.c:767:5: 28. path: Jumping to label "abort". ftp/ftp.c:876:3: 29. path: Condition "oldintp", taking true branch. ftp/ftp.c:878:3: 30. path: Condition "!cpend", taking true branch. ftp/ftp.c:881:7: 31. leaked_storage: Variable "fin" going out of scope leaks the storage it points to. ftp/ftp.c:881:7: Type: Resource leak (RESOURCE_LEAK) ftp/ftp.c:622:3: 1. path: Condition "verbose", taking true branch. ftp/ftp.c:622:3: 2. path: Condition "printnames", taking true branch. ftp/ftp.c:624:7: 3. path: Condition "local", taking true branch. ftp/ftp.c:624:7: 4. path: Condition "*local != '-'", taking true branch. ftp/ftp.c:626:7: 5. path: Condition "remote", taking true branch. ftp/ftp.c:629:3: 6. path: Condition "proxy", taking false branch. ftp/ftp.c:634:3: 7. path: Condition "curtype != type", taking true branch. ftp/ftp.c:640:3: 8. path: Condition "setjmp(sendabort)", taking false branch. ftp/ftp.c:659:3: 9. path: Condition "strcmp(local, "-") == 0", taking false branch. ftp/ftp.c:661:8: 10. path: Condition "*local == '|'", taking false branch. ftp/ftp.c:677:7: 11. alloc_fn: Storage is returned from allocation function "fopen". ftp/ftp.c:677:7: 12. var_assign: Assigning: "fin" = storage returned from "fopen(local, "r")". ftp/ftp.c:678:7: 13. path: Condition "fin == NULL", taking false branch. ftp/ftp.c:686:7: 14. noescape: Resource "fin" is not freed or pointed-to in "fileno". ftp/ftp.c:686:7: 15. path: Condition "fstat(fileno(fin), &st) < 0", taking false branch. ftp/ftp.c:686:7: 16. path: Condition "(st.st_mode & 61440) != 32768", taking false branch. ftp/ftp.c:696:3: 17. path: Condition "initconn()", taking false branch. ftp/ftp.c:706:3: 18. path: Condition "setjmp(sendabort)", taking false branch. ftp/ftp.c:709:3: 19. path: Condition "restart_point", taking true branch. ftp/ftp.c:709:3: 20. path: Condition "strcmp(cmd, "STOR") == 0", taking true branch. ftp/ftp.c:714:7: 21. path: Switch case value "1". ftp/ftp.c:717:4: 22. noescape: Resource "fin" is not freed or pointed-to in "fseeko". ftp/ftp.c:718:4: 23. path: Breaking from switch. ftp/ftp.c:724:7: 24. path: Condition "rc < 0", taking false branch. ftp/ftp.c:734:7: 25. path: Condition "command("REST %jd", (intmax_t)restart_point) != 3", taking false branch. ftp/ftp.c:744:3: 26. path: Condition "remote", taking true branch. ftp/ftp.c:746:7: 27. path: Condition "command("%s %s", cmd, remote) != 1", taking false branch. ftp/ftp.c:755:5: 28. path: Falling through to end of if statement. ftp/ftp.c:766:3: 29. path: Condition "dout == NULL", taking true branch. ftp/ftp.c:767:5: 30. path: Jumping to label "abort". ftp/ftp.c:876:3: 31. path: Condition "oldintp", taking false branch. ftp/ftp.c:878:3: 32. path: Condition "!cpend", taking true branch. ftp/ftp.c:881:7: 33. leaked_storage: Variable "fin" going out of scope leaks the storage it points to. ftpd/ftpd.c:992:4: Type: Pointer to local outside scope (RETURN_LOCAL) ftpd/ftpd.c:973:3: 1. path: Condition "cmd == NULL", taking false branch. ftpd/ftpd.c:983:7: 2. local_ptr_assign_local: Assigning: "name" = "line" (address of local variable "line"). ftpd/ftpd.c:986:5: 3. out_of_scope: Variable "line" goes out of scope. ftpd/ftpd.c:988:3: 4. path: Condition "fin == NULL", taking true branch. ftpd/ftpd.c:990:7: 5. path: Condition "*__errno_location() != 0", taking true branch. ftpd/ftpd.c:992:4: 6. use_invalid: Using "name", which points to an out-of-scope variable "line". ifconfig/changeif.c:279:3: Type: Pointer to local outside scope (RETURN_LOCAL) ifconfig/changeif.c:260:3: 1. path: Condition "!ether", taking true branch. ifconfig/changeif.c:265:7: 2. path: Condition "err", taking false branch. ifconfig/changeif.c:271:2: 3. local_ptr_assign_local: Assigning: "ether" = "&addr" (address of local variable "addr"). ifconfig/changeif.c:272:5: 4. out_of_scope: Variable "addr" goes out of scope. ifconfig/changeif.c:279:3: 5. use_invalid: Using "ether", which points to an out-of-scope variable "addr". ftp/cmds.c:1769:4: Type: Pointer to local outside scope (RETURN_LOCAL) ftp/cmds.c:1730:3: 1. path: Condition "argc < 2", taking true branch. ftp/cmds.c:1732:3: 2. path: Condition "argc < 2", taking false branch. ftp/cmds.c:1732:3: 3. path: Condition "argc > 4", taking false branch. ftp/cmds.c:1739:3: 4. path: Condition "n == 3", taking true branch. ftp/cmds.c:1746:7: 5. path: Condition "code == 336", taking true branch. ftp/cmds.c:1746:7: 6. path: Condition "!verbose", taking true branch. ftp/cmds.c:1751:7: 7. path: Condition "argc < 3", taking true branch. ftp/cmds.c:1753:7: 8. path: Condition "argc < 3", taking true branch. ftp/cmds.c:1756:7: 9. path: Condition "argv[2]", taking true branch. ftp/cmds.c:1759:3: 10. path: Condition "n == 3", taking true branch. ftp/cmds.c:1761:7: 11. path: Condition "argc < 4", taking true branch. ftp/cmds.c:1765:4: 12. path: Condition "fgets(acct, 79 /* sizeof (acct) - 1 */, stdin)", taking true branch. ftp/cmds.c:1766:36: 13. path: Falling through to end of if statement. ftp/cmds.c:1769:4: 14. escape_local_addr: Returning, through "argv[3]", the address of stack variable "acct". ftp/cmds.c:1775:3: 15. path: Condition "n != 2", taking true branch. ftp/cmds.c:1778:7: 16. return: Returning here. ftp/cmds.c:1769:4: Type: Pointer to local outside scope (RETURN_LOCAL) ftp/cmds.c:1730:3: 1. path: Condition "argc < 2", taking true branch. ftp/cmds.c:1732:3: 2. path: Condition "argc < 2", taking false branch. ftp/cmds.c:1732:3: 3. path: Condition "argc > 4", taking false branch. ftp/cmds.c:1739:3: 4. path: Condition "n == 3", taking true branch. ftp/cmds.c:1746:7: 5. path: Condition "code == 336", taking true branch. ftp/cmds.c:1746:7: 6. path: Condition "!verbose", taking true branch. ftp/cmds.c:1751:7: 7. path: Condition "argc < 3", taking true branch. ftp/cmds.c:1753:7: 8. path: Condition "argc < 3", taking true branch. ftp/cmds.c:1756:7: 9. path: Condition "argv[2]", taking true branch. ftp/cmds.c:1759:3: 10. path: Condition "n == 3", taking true branch. ftp/cmds.c:1761:7: 11. path: Condition "argc < 4", taking true branch. ftp/cmds.c:1765:4: 12. path: Condition "fgets(acct, 79 /* sizeof (acct) - 1 */, stdin)", taking true branch. ftp/cmds.c:1766:36: 13. path: Falling through to end of if statement. ftp/cmds.c:1769:4: 14. escape_local_addr: Returning, through "argv[3]", the address of stack variable "acct". ftp/cmds.c:1775:3: 15. path: Condition "n != 2", taking false branch. ftp/cmds.c:1780:3: 16. path: Condition "!aflag", taking false branch. ftp/cmds.c:1784:1: 17. return: Returning here. ftpd/ftpd.c:1036:6: Type: Pointer to local outside scope (RETURN_LOCAL) ftpd/ftpd.c:973:3: 1. path: Condition "cmd == NULL", taking false branch. ftpd/ftpd.c:983:7: 2. local_ptr_assign_local: Assigning: "name" = "line" (address of local variable "line"). ftpd/ftpd.c:986:5: 3. out_of_scope: Variable "line" goes out of scope. ftpd/ftpd.c:988:3: 4. path: Condition "fin == NULL", taking false branch. ftpd/ftpd.c:1001:3: 5. path: Condition "cmd == NULL", taking false branch. ftpd/ftpd.c:1006:8: 6. path: Condition "cmd == NULL", taking false branch. ftpd/ftpd.c:1009:3: 7. path: Condition "restart_point", taking true branch. ftpd/ftpd.c:1011:7: 8. path: Condition "type == 1", taking false branch. ftpd/ftpd.c:1033:12: 9. path: Condition "lseek(fileno(fin), restart_point, 0) < 0", taking true branch. ftpd/ftpd.c:1035:4: 10. path: Condition "*__errno_location() == 22", taking true branch. ftpd/ftpd.c:1036:6: 11. use_invalid: Using "name", which points to an out-of-scope variable "line". ftpd/ftpd.c:1039:6: Type: Pointer to local outside scope (RETURN_LOCAL) ftpd/ftpd.c:973:3: 1. path: Condition "cmd == NULL", taking false branch. ftpd/ftpd.c:983:7: 2. local_ptr_assign_local: Assigning: "name" = "line" (address of local variable "line"). ftpd/ftpd.c:986:5: 3. out_of_scope: Variable "line" goes out of scope. ftpd/ftpd.c:988:3: 4. path: Condition "fin == NULL", taking false branch. ftpd/ftpd.c:1001:3: 5. path: Condition "cmd == NULL", taking false branch. ftpd/ftpd.c:1006:8: 6. path: Condition "cmd == NULL", taking false branch. ftpd/ftpd.c:1009:3: 7. path: Condition "restart_point", taking true branch. ftpd/ftpd.c:1011:7: 8. path: Condition "type == 1", taking false branch. ftpd/ftpd.c:1033:12: 9. path: Condition "lseek(fileno(fin), restart_point, 0) < 0", taking true branch. ftpd/ftpd.c:1035:4: 10. path: Condition "*__errno_location() == 22", taking false branch. ftpd/ftpd.c:1039:6: 11. use_invalid: Using "name", which points to an out-of-scope variable "line". ftpd/ftpd.c:1043:3: Type: Pointer to local outside scope (RETURN_LOCAL) ftpd/ftpd.c:973:3: 1. path: Condition "cmd == NULL", taking false branch. ftpd/ftpd.c:983:7: 2. local_ptr_assign_local: Assigning: "name" = "line" (address of local variable "line"). ftpd/ftpd.c:986:5: 3. out_of_scope: Variable "line" goes out of scope. ftpd/ftpd.c:988:3: 4. path: Condition "fin == NULL", taking false branch. ftpd/ftpd.c:1001:3: 5. path: Condition "cmd == NULL", taking false branch. ftpd/ftpd.c:1006:8: 6. path: Condition "cmd == NULL", taking false branch. ftpd/ftpd.c:1009:3: 7. path: Condition "restart_point", taking true branch. ftpd/ftpd.c:1011:7: 8. path: Condition "type == 1", taking true branch. ftpd/ftpd.c:1018:4: 9. path: Condition "i++ < n", taking true branch. ftpd/ftpd.c:1021:8: 10. path: Condition "c == -1", taking false branch. ftpd/ftpd.c:1029:8: 11. path: Condition "c == 10", taking true branch. ftpd/ftpd.c:1031:6: 12. path: Jumping back to the beginning of the loop. ftpd/ftpd.c:1018:4: 13. path: Condition "i++ < n", taking false branch. ftpd/ftpd.c:1032:2: 14. path: Falling through to end of if statement. ftpd/ftpd.c:1043:3: 15. use_invalid: Using "name", which points to an out-of-scope variable "line". ifconfig/options.c:443:7: Type: Dereference before null check (REVERSE_INULL) ifconfig/options.c:441:23: deref_ptr: Directly dereferencing pointer "frm". ifconfig/options.c:443:7: check_after_deref: Null-checking "frm" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. libinetutils/kcmd.c:326:11: Type: Dereference before null check (REVERSE_INULL) libinetutils/kcmd.c:157:3: alias: Assigning: "ai" = "res". libinetutils/kcmd.c:160:21: deref_ptr: Directly dereferencing pointer "ai". libinetutils/kcmd.c:326:11: check_after_deref: Null-checking "res" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. libinetutils/kcmd.c:342:7: Type: Dereference before null check (REVERSE_INULL) libinetutils/kcmd.c:157:3: alias: Assigning: "ai" = "res". libinetutils/kcmd.c:160:21: deref_ptr: Directly dereferencing pointer "ai". libinetutils/kcmd.c:342:7: check_after_deref: Null-checking "res" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. ftp/cmds.c:1047:7: Type: Insecure temporary file (SECURE_TEMP) ftp/cmds.c:1016:3: 1. path: Condition "!mflag", taking false branch. ftp/cmds.c:1032:3: 2. path: Condition "!doglob", taking false branch. ftp/cmds.c:1040:3: 3. path: Condition "ftemp == NULL", taking true branch. ftp/cmds.c:1047:7: 4. secure_temp: Calling "mkstemp" without securely setting umask first. ftp/cmds.c:2099:3: Type: Cleartext sensitive data in a file (SENSITIVE_DATA_LEAK) ftp/cmds.c:2081:3: Sensitive data flows to a sensitive data sink 1. path: Condition "argc > 1", taking false branch. ftp/cmds.c:2097:7: 2. tainted_return_value: Function "getpass" returns tainted data. ftp/cmds.c:2097:7: 3. var_assign: Assigning: "ap" = "getpass("Account:")", which taints "ap". ftp/cmds.c:2099:3: 4. sensitive_data_leak: Leaking sensitive data. Passing "*ap" to "command" stores it to the filesystem. ftp/cmds.c:2099:3: 5. remediation: Do not leak this data to the filesystem. ftp/cmds.c:1755:7: Type: Cleartext sensitive data in a file (SENSITIVE_DATA_LEAK) ftp/cmds.c:1730:3: Sensitive data flows to a sensitive data sink 1. path: Condition "argc < 2", taking true branch. ftp/cmds.c:1732:3: 2. path: Condition "argc < 2", taking false branch. ftp/cmds.c:1732:3: 3. path: Condition "argc > 4", taking false branch. ftp/cmds.c:1739:3: 4. path: Condition "n == 3", taking true branch. ftp/cmds.c:1746:7: 5. path: Condition "code == 336", taking true branch. ftp/cmds.c:1746:7: 6. path: Condition "!verbose", taking true branch. ftp/cmds.c:1751:7: 7. path: Condition "argc < 3", taking true branch. ftp/cmds.c:1752:2: 8. tainted_return_value: Function "getpass" returns tainted data. ftp/cmds.c:1753:7: 9. path: Condition "argc < 3", taking true branch. ftp/cmds.c:1755:7: 10. sensitive_data_leak: Leaking sensitive data. Passing "*argv[2]" to "command" stores it to the filesystem. ftp/cmds.c:1755:7: 11. remediation: Do not leak this data to the filesystem. ftp/ftp.c:365:7: Type: Cleartext sensitive data in a file (SENSITIVE_DATA_LEAK) ftp/ftp.c:306:3: Sensitive data flows to a sensitive data sink 1. path: Condition "remote_userpass(host, &user, &pass, &acct) < 0", taking false branch. ftp/ftp.c:313:3: 2. path: Condition "user == NULL", taking true branch. ftp/ftp.c:313:3: 3. path: Condition "p", taking true branch. ftp/ftp.c:313:3: 4. path: Condition "p != host", taking true branch. ftp/ftp.c:313:3: 5. path: Condition "*__ctype_b_loc()[(int)p[1]] & 16384 /* (unsigned short)_ISprint */", taking true branch. ftp/ftp.c:320:3: 6. path: Condition "user == NULL", taking true branch. ftp/ftp.c:324:7: 7. path: Condition "myname == NULL", taking true branch. ftp/ftp.c:328:4: 8. path: Condition "pp != NULL", taking true branch. ftp/ftp.c:331:7: 9. path: Condition "myname", taking true branch. ftp/ftp.c:332:41: 10. path: Falling through to end of if statement. ftp/ftp.c:335:7: 11. path: Condition "fgets(tmp, 79 /* sizeof (tmp) - 1 */, stdin)", taking true branch. ftp/ftp.c:342:2: 12. path: Falling through to end of if statement. ftp/ftp.c:345:7: 13. path: Condition "*tmp == 0", taking true branch. ftp/ftp.c:346:15: 14. path: Falling through to end of if statement. ftp/ftp.c:349:5: 15. path: Jumping back to the beginning of the loop. ftp/ftp.c:320:3: 16. path: Condition "user == NULL", taking false branch. ftp/ftp.c:351:3: 17. path: Condition "n == 3", taking true branch. ftp/ftp.c:358:7: 18. path: Condition "code == 336", taking true branch. ftp/ftp.c:358:7: 19. path: Condition "!verbose", taking true branch. ftp/ftp.c:363:7: 20. path: Condition "pass == NULL", taking false branch. ftp/ftp.c:363:7: 21. path: Condition "code == 336", taking true branch. ftp/ftp.c:364:2: 22. tainted_return_value: Function "getpass" returns tainted data. ftp/ftp.c:364:2: 23. var_assign: Assigning: "pass" = "getpass("Password: ")", which taints "pass". ftp/ftp.c:365:7: 24. sensitive_data_leak: Leaking sensitive data. Passing "*pass" to "command" stores it to the filesystem. ftp/ftp.c:365:7: 25. remediation: Do not leak this data to the filesystem. ftp/ftp.c:373:7: Type: Cleartext sensitive data in a file (SENSITIVE_DATA_LEAK) ftp/ftp.c:306:3: Sensitive data flows to a sensitive data sink 1. path: Condition "remote_userpass(host, &user, &pass, &acct) < 0", taking false branch. ftp/ftp.c:313:3: 2. path: Condition "user == NULL", taking true branch. ftp/ftp.c:313:3: 3. path: Condition "p", taking true branch. ftp/ftp.c:313:3: 4. path: Condition "p != host", taking true branch. ftp/ftp.c:313:3: 5. path: Condition "*__ctype_b_loc()[(int)p[1]] & 16384 /* (unsigned short)_ISprint */", taking true branch. ftp/ftp.c:320:3: 6. path: Condition "user == NULL", taking true branch. ftp/ftp.c:324:7: 7. path: Condition "myname == NULL", taking true branch. ftp/ftp.c:328:4: 8. path: Condition "pp != NULL", taking true branch. ftp/ftp.c:331:7: 9. path: Condition "myname", taking true branch. ftp/ftp.c:332:41: 10. path: Falling through to end of if statement. ftp/ftp.c:335:7: 11. path: Condition "fgets(tmp, 79 /* sizeof (tmp) - 1 */, stdin)", taking true branch. ftp/ftp.c:342:2: 12. path: Falling through to end of if statement. ftp/ftp.c:345:7: 13. path: Condition "*tmp == 0", taking true branch. ftp/ftp.c:346:15: 14. path: Falling through to end of if statement. ftp/ftp.c:349:5: 15. path: Jumping back to the beginning of the loop. ftp/ftp.c:320:3: 16. path: Condition "user == NULL", taking false branch. ftp/ftp.c:351:3: 17. path: Condition "n == 3", taking true branch. ftp/ftp.c:358:7: 18. path: Condition "code == 336", taking true branch. ftp/ftp.c:358:7: 19. path: Condition "!verbose", taking true branch. ftp/ftp.c:363:7: 20. path: Condition "pass == NULL", taking false branch. ftp/ftp.c:363:7: 21. path: Condition "code == 336", taking true branch. ftp/ftp.c:366:7: 22. path: Condition "pass", taking true branch. ftp/ftp.c:369:3: 23. path: Condition "n == 3", taking true branch. ftp/ftp.c:372:7: 24. tainted_return_value: Function "getpass" returns tainted data. ftp/ftp.c:372:7: 25. var_assign: Assigning: "acct" = "getpass("Account: ")", which taints "acct". ftp/ftp.c:373:7: 26. sensitive_data_leak: Leaking sensitive data. Passing "*acct" to "command" stores it to the filesystem. ftp/ftp.c:373:7: 27. remediation: Do not leak this data to the filesystem. talkd/talkd.c:174:7: Type: String not null terminated (STRING_NULL) talkd/talkd.c:156:3: 1. path: Condition "1", taking true branch. talkd/talkd.c:167:7: 2. path: Condition "rc != 84UL /* sizeof (msg) */", taking true branch. talkd/talkd.c:169:4: 3. path: Condition "rc < 0", taking true branch. talkd/talkd.c:169:4: 4. path: Condition "*__errno_location() != 4", taking true branch. talkd/talkd.c:169:4: 5. path: Condition "logging", taking true branch. talkd/talkd.c:171:4: 6. path: Continuing loop. talkd/talkd.c:156:3: 7. path: Condition "1", taking true branch. talkd/talkd.c:165:7: 8. string_null_source: Function "recvfrom" does not terminate string "msg". [Note: The source code implementation of the function has been overridden by a builtin model.] talkd/talkd.c:167:7: 9. path: Condition "rc != 84UL /* sizeof (msg) */", taking false branch. talkd/talkd.c:174:7: 10. string_null: Passing unterminated string "msg.r_name" to "process_request", which expects a null-terminated string. talkd/process.c:35:3: 10.1. path: Condition "msg->vers != 1", taking false branch. talkd/process.c:50:3: 10.2. path: Condition "msg->addr.sa_family != 2", taking false branch. talkd/process.c:59:3: 10.3. path: Condition "msg->ctl_addr.sa_family != 2", taking false branch. talkd/process.c:69:3: 10.4. path: Condition "acl_match(msg, sa_in) == 1", taking false branch. talkd/process.c:86:3: 10.5. path: Condition "debug", taking true branch. talkd/process.c:88:7: 10.6. string_null: Passing unterminated string "msg->r_name" to "print_request", which expects a null-terminated string. talkd/print.c:63:3: 10.6.1. string_null: Passing unterminated string "mp->r_name" to "syslog", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.] talkd/talkd.c:174:7: Type: String not null terminated (STRING_NULL) talkd/talkd.c:156:3: 1. path: Condition "1", taking true branch. talkd/talkd.c:167:7: 2. path: Condition "rc != 84UL /* sizeof (msg) */", taking true branch. talkd/talkd.c:169:4: 3. path: Condition "rc < 0", taking true branch. talkd/talkd.c:169:4: 4. path: Condition "*__errno_location() != 4", taking true branch. talkd/talkd.c:169:4: 5. path: Condition "logging", taking true branch. talkd/talkd.c:171:4: 6. path: Continuing loop. talkd/talkd.c:156:3: 7. path: Condition "1", taking true branch. talkd/talkd.c:165:7: 8. string_null_source: Function "recvfrom" does not terminate string "msg". [Note: The source code implementation of the function has been overridden by a builtin model.] talkd/talkd.c:167:7: 9. path: Condition "rc != 84UL /* sizeof (msg) */", taking false branch. talkd/talkd.c:174:7: 10. string_null: Passing unterminated string "msg.r_tty" to "process_request", which expects a null-terminated string. talkd/process.c:35:3: 10.1. path: Condition "msg->vers != 1", taking false branch. talkd/process.c:50:3: 10.2. path: Condition "msg->addr.sa_family != 2", taking false branch. talkd/process.c:59:3: 10.3. path: Condition "msg->ctl_addr.sa_family != 2", taking false branch. talkd/process.c:69:3: 10.4. path: Condition "acl_match(msg, sa_in) == 1", taking false branch. talkd/process.c:86:3: 10.5. path: Condition "debug", taking true branch. talkd/process.c:88:7: 10.6. string_null: Passing unterminated string "msg->r_tty" to "print_request", which expects a null-terminated string. talkd/print.c:63:3: 10.6.1. string_null: Passing unterminated string "mp->r_tty" to "syslog", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.] talkd/talkd.c:174:7: Type: String not null terminated (STRING_NULL) talkd/talkd.c:156:3: 1. path: Condition "1", taking true branch. talkd/talkd.c:167:7: 2. path: Condition "rc != 84UL /* sizeof (msg) */", taking true branch. talkd/talkd.c:169:4: 3. path: Condition "rc < 0", taking true branch. talkd/talkd.c:169:4: 4. path: Condition "*__errno_location() != 4", taking true branch. talkd/talkd.c:169:4: 5. path: Condition "logging", taking true branch. talkd/talkd.c:171:4: 6. path: Continuing loop. talkd/talkd.c:156:3: 7. path: Condition "1", taking true branch. talkd/talkd.c:165:7: 8. string_null_source: Function "recvfrom" does not terminate string "msg". [Note: The source code implementation of the function has been overridden by a builtin model.] talkd/talkd.c:167:7: 9. path: Condition "rc != 84UL /* sizeof (msg) */", taking false branch. talkd/talkd.c:174:7: 10. string_null: Passing unterminated string "msg.l_name" to "process_request", which expects a null-terminated string. talkd/process.c:35:3: 10.1. path: Condition "msg->vers != 1", taking false branch. talkd/process.c:50:3: 10.2. path: Condition "msg->addr.sa_family != 2", taking false branch. talkd/process.c:59:3: 10.3. path: Condition "msg->ctl_addr.sa_family != 2", taking false branch. talkd/process.c:69:3: 10.4. path: Condition "acl_match(msg, sa_in) == 1", taking true branch. talkd/process.c:75:7: 10.5. path: Condition "logging", taking true branch. talkd/process.c:75:7: 10.6. path: Condition "msg->type == 1", taking true branch. talkd/process.c:76:2: 10.7. string_null: Passing unterminated string "msg->l_name" to "syslog", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.] ftp/cmds.c:1911:3: Type: Copy into fixed size buffer (STRING_OVERFLOW) ftp/cmds.c:1911:3: 1. fixed_size_dest: You might overrun the 8192-character fixed-size string "buf" by copying "initial" without checking the length. ftp/cmds.c:1911:3: 2. parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. ftp/cmds.c:1915:7: Type: Copy into fixed size buffer (STRING_OVERFLOW) ftp/cmds.c:1912:3: 1. path: Condition "argc > 1", taking true branch. ftp/cmds.c:1915:7: 2. fixed_size_dest: You might overrun the 8192-character fixed-size string "&buf[len]" by copying "argv[1]" without checking the length. ftp/cmds.c:1919:4: Type: Copy into fixed size buffer (STRING_OVERFLOW) ftp/cmds.c:1912:3: 1. path: Condition "argc > 1", taking true branch. ftp/cmds.c:1916:7: 2. path: Condition "i < argc", taking true branch. ftp/cmds.c:1919:4: 3. fixed_size_dest: You might overrun the 8192-character fixed-size string "&buf[len]" by copying "argv[i]" without checking the length. ftp/cmds.c:432:7: Type: Copy into fixed size buffer (STRING_OVERFLOW) ftp/cmds.c:396:3: 1. path: Condition "argc > 2", taking false branch. ftp/cmds.c:411:3: 2. path: Condition "argc < 2", taking false branch. ftp/cmds.c:417:3: 3. path: Condition "p->t_name", taking true branch. ftp/cmds.c:418:5: 4. path: Condition "strcmp(argv[1], p->t_name) == 0", taking true branch. ftp/cmds.c:419:7: 5. path: Breaking from loop. ftp/cmds.c:420:3: 6. path: Condition "p->t_name == NULL", taking false branch. ftp/cmds.c:426:3: 7. path: Condition "p->t_arg != NULL", taking true branch. ftp/cmds.c:426:3: 8. path: Condition "*p->t_arg != 0", taking true branch. ftp/cmds.c:427:57: 9. path: Falling through to end of if statement. ftp/cmds.c:430:3: 10. path: Condition "comret == 2", taking true branch. ftp/cmds.c:432:7: 11. fixed_size_dest: You might overrun the 32-character fixed-size string "typename" by copying "p->t_name" without checking the length. ifconfig/system/linux.c:981:9: Type: Copy into fixed size buffer (STRING_OVERFLOW) ifconfig/system/linux.c:936:3: 1. path: Condition "fd < 0", taking false branch. ifconfig/system/linux.c:941:3: 2. path: Condition "content == NULL", taking false branch. ifconfig/system/linux.c:953:15: 3. path: Condition "it", taking true branch. ifconfig/system/linux.c:953:15: 4. path: Condition "it", taking true branch. ifconfig/system/linux.c:953:15: 5. path: Condition "it", taking false branch. ifconfig/system/linux.c:956:5: 6. path: Condition "idx == NULL", taking false branch. ifconfig/system/linux.c:966:3: 7. path: Condition "it", taking true branch. ifconfig/system/linux.c:972:7: 8. path: Condition "*start != ' '", taking true branch. ifconfig/system/linux.c:972:7: 9. path: Condition "*start != 10", taking true branch. ifconfig/system/linux.c:973:16: 10. path: Jumping back to the beginning of the loop. ifconfig/system/linux.c:972:7: 11. path: Condition "*start != ' '", taking true branch. ifconfig/system/linux.c:972:7: 12. path: Condition "*start != 10", taking false branch. ifconfig/system/linux.c:981:9: 13. fixed_size_dest: You might overrun the 16-character fixed-size string "cur.ifr_ifrn.ifrn_name" by copying "idx[index].if_name" without checking the length. src/inetd.c:1966:4: Type: Unbounded source buffer (STRING_SIZE) src/inetd.c:1923:23: 1. string_size_argv: "argv" contains strings with unknown size. src/inetd.c:1933:3: 2. path: Condition "envp == NULL", taking true branch. src/inetd.c:1935:3: 3. path: Condition "*envp", taking true branch. src/inetd.c:1936:11: 4. path: Jumping back to the beginning of the loop. src/inetd.c:1935:3: 5. path: Condition "*envp", taking false branch. src/inetd.c:1943:3: 6. path: Condition "resolve_option", taking true branch. src/inetd.c:1946:3: 7. path: Condition "index < argc", taking true branch. src/inetd.c:1950:7: 8. path: Condition "index < argc", taking true branch. src/inetd.c:1953:2: 9. path: Jumping back to the beginning of the loop. src/inetd.c:1950:7: 10. path: Condition "index < argc", taking true branch. src/inetd.c:1953:2: 11. path: Jumping back to the beginning of the loop. src/inetd.c:1950:7: 12. path: Condition "index < argc", taking false branch. src/inetd.c:1954:5: 13. path: Falling through to end of if statement. src/inetd.c:1962:3: 14. path: Condition "!debug", taking true branch. src/inetd.c:1964:7: 15. path: Condition "daemon(0, 0) < 0", taking true branch. src/inetd.c:1966:4: 16. string_size: Passing string "argv[0]" of unknown size to "syslog". ftpd/ftpd.c:1780:3: Type: Time of check time of use (TOCTOU) ftpd/ftpd.c:1779:3: 1. path: Condition "logging > 1", taking true branch. ftpd/ftpd.c:1779:3: 2. path: Condition "*name == '/'", taking true branch. ftpd/ftpd.c:1780:3: 3. fs_check_call: Calling function "stat" to perform check on "name". ftpd/ftpd.c:1780:3: 4. path: Condition "stat(name, &st) < 0", taking false branch. ftpd/ftpd.c:1785:3: 5. path: Condition "(st.st_mode & 61440) == 16384", taking true branch. ftpd/ftpd.c:1787:7: 6. toctou: Calling function "rmdir" that uses "name" after a check function. This can cause a time-of-check, time-of-use race condition. src/inetd.c:1412:7: Type: Time of check time of use (TOCTOU) src/inetd.c:1405:3: 1. path: Condition "sep", taking true branch. src/inetd.c:1406:24: 2. path: Jumping back to the beginning of the loop. src/inetd.c:1405:3: 3. path: Condition "sep", taking false branch. src/inetd.c:1408:3: 4. path: Condition "config_files[i]", taking true branch. src/inetd.c:1412:7: 5. fs_check_call: Calling function "stat" to perform check on "config_files[i]". src/inetd.c:1412:7: 6. path: Condition "stat(config_files[i], &statbuf) == 0", taking true branch. src/inetd.c:1414:4: 7. path: Condition "(statbuf.st_mode & 61440) == 16384", taking true branch. src/inetd.c:1416:8: 8. toctou: Calling function "opendir" that uses "config_files[i]" after a check function. This can cause a time-of-check, time-of-use race condition. ftpd/ftpd.c:1063:3: Type: Time of check time of use (TOCTOU) ftpd/ftpd.c:1063:3: 1. path: Condition "unique", taking true branch. ftpd/ftpd.c:1063:3: 2. fs_check_call: Calling function "stat" to perform check on "name". ftpd/ftpd.c:1063:3: 3. path: Condition "stat(name, &st) == 0", taking true branch. ftpd/ftpd.c:1067:7: 4. path: Condition "name_unique", taking true branch. ftpd/ftpd.c:1068:27: 5. path: Falling through to end of if statement. ftpd/ftpd.c:1076:3: 6. path: Condition "restart_point", taking true branch. ftpd/ftpd.c:1078:3: 7. toctou: Calling function "fopen" that uses "name" after a check function. This can cause a time-of-check, time-of-use race condition. ftpd/ftpd.c:1780:3: Type: Time of check time of use (TOCTOU) ftpd/ftpd.c:1779:3: 1. path: Condition "logging > 1", taking true branch. ftpd/ftpd.c:1779:3: 2. path: Condition "*name == '/'", taking true branch. ftpd/ftpd.c:1780:3: 3. fs_check_call: Calling function "stat" to perform check on "name". ftpd/ftpd.c:1780:3: 4. path: Condition "stat(name, &st) < 0", taking false branch. ftpd/ftpd.c:1785:3: 5. path: Condition "(st.st_mode & 61440) == 16384", taking false branch. ftpd/ftpd.c:1794:3: 6. toctou: Calling function "unlink" that uses "name" after a check function. This can cause a time-of-check, time-of-use race condition. ftpd/ftpd.c:2176:7: Type: Time of check time of use (TOCTOU) ftpd/ftpd.c:2132:3: 1. path: Condition "strpbrk(whichf, "~{[*?") != NULL", taking true branch. ftpd/ftpd.c:2148:7: 2. path: Condition "glob(whichf, flags, NULL, &gl)", taking false branch. ftpd/ftpd.c:2153:12: 3. path: Condition "gl.gl_pathc == 0", taking false branch. ftpd/ftpd.c:2160:5: 4. path: Falling through to end of if statement. ftpd/ftpd.c:2169:3: 5. path: Condition "setjmp(urgcatch)", taking false branch. ftpd/ftpd.c:2174:3: 6. path: Condition "dirname = *dirlist++", taking true branch. ftpd/ftpd.c:2176:7: 7. path: Condition "stat(dirname, &st) < 0", taking false branch. ftpd/ftpd.c:2196:7: 8. path: Condition "(st.st_mode & 61440) == 32768", taking true branch. ftpd/ftpd.c:2198:4: 9. path: Condition "dout == NULL", taking true branch. ftpd/ftpd.c:2201:8: 10. path: Condition "dout == NULL", taking false branch. ftpd/ftpd.c:2205:4: 11. path: Condition "type == 1", taking true branch. ftpd/ftpd.c:2207:4: 12. path: Continuing loop. ftpd/ftpd.c:2174:3: 13. path: Condition "dirname = *dirlist++", taking true branch. ftpd/ftpd.c:2176:7: 14. fs_check_call: Calling function "stat" to perform check on "dirname". ftpd/ftpd.c:2176:7: 15. path: Condition "stat(dirname, &st) < 0", taking false branch. ftpd/ftpd.c:2196:7: 16. path: Condition "(st.st_mode & 61440) == 32768", taking false branch. ftpd/ftpd.c:2209:12: 17. path: Condition "!((st.st_mode & 61440) == 16384)", taking false branch. ftpd/ftpd.c:2212:7: 18. toctou: Calling function "opendir" that uses "dirname" after a check function. This can cause a time-of-check, time-of-use race condition. ftpd/ftpcmd.y:640:8: Type: Time of check time of use (TOCTOU) ftpd/ftpcmd.c:1425:3: 1. path: Jumping to label "yysetstate". ftpd/ftpcmd.c:1442:3: 2. path: Condition "0", taking false branch. ftpd/ftpcmd.c:1448:3: 3. path: Condition "yyss + yystacksize - 1 <= yyssp", taking true branch. ftpd/ftpcmd.c:1477:7: 4. path: Condition "10000 <= yystacksize", taking false branch. ftpd/ftpcmd.c:1480:7: 5. path: Condition "10000 < yystacksize", taking false branch. ftpd/ftpcmd.c:1488:9: 6. path: Condition "!yyptr", taking false branch. ftpd/ftpcmd.c:1493:9: 7. path: Condition "yyss1 != yyssa", taking true branch. ftpd/ftpcmd.c:1506:7: 8. path: Condition "yyss + yystacksize - 1 <= yyssp", taking false branch. ftpd/ftpcmd.c:1511:3: 9. path: Condition "yystate == 2", taking false branch. ftpd/ftpcmd.c:1514:3: 10. path: Jumping to label "yybackup". ftpd/ftpcmd.c:1526:3: 11. path: Condition "yyn == -106", taking true branch. ftpd/ftpcmd.c:1527:5: 12. path: Jumping to label "yydefault". ftpd/ftpcmd.c:1596:3: 13. path: Condition "yyn == 0", taking true branch. ftpd/ftpcmd.c:1597:5: 14. path: Jumping to label "yyerrlab". ftpd/ftpcmd.c:2994:3: 15. path: Condition "yychar == -2", taking true branch. ftpd/ftpcmd.c:2996:3: 16. path: Condition "!yyerrstatus", taking true branch. ftpd/ftpcmd.c:3002:3: 17. path: Condition "yyerrstatus == 3", taking false branch. ftpd/ftpcmd.c:3023:3: 18. path: Jumping to label "yyerrlab1". ftpd/ftpcmd.c:3051:3: 19. path: Condition "true", taking true branch. ftpd/ftpcmd.c:3054:7: 20. path: Condition "!(yyn == -106)", taking true branch. ftpd/ftpcmd.c:3057:11: 21. path: Condition "0 <= yyn", taking true branch. ftpd/ftpcmd.c:3057:11: 22. path: Condition "yyn <= 319", taking true branch. ftpd/ftpcmd.c:3057:11: 23. path: Condition "yycheck[yyn] == YYSYMBOL_YYerror", taking true branch. ftpd/ftpcmd.c:3060:15: 24. path: Condition "0 < yyn", taking true branch. ftpd/ftpcmd.c:3061:17: 25. path: Breaking from loop. ftpd/ftpcmd.c:3086:3: 26. path: Jumping to label "yynewstate". ftpd/ftpcmd.c:1442:3: 27. path: Condition "0", taking false branch. ftpd/ftpcmd.c:1448:3: 28. path: Condition "yyss + yystacksize - 1 <= yyssp", taking true branch. ftpd/ftpcmd.c:1477:7: 29. path: Condition "10000 <= yystacksize", taking false branch. ftpd/ftpcmd.c:1480:7: 30. path: Condition "10000 < yystacksize", taking false branch. ftpd/ftpcmd.c:1488:9: 31. path: Condition "!yyptr", taking false branch. ftpd/ftpcmd.c:1493:9: 32. path: Condition "yyss1 != yyssa", taking true branch. ftpd/ftpcmd.c:1506:7: 33. path: Condition "yyss + yystacksize - 1 <= yyssp", taking false branch. ftpd/ftpcmd.c:1511:3: 34. path: Condition "yystate == 2", taking false branch. ftpd/ftpcmd.c:1514:3: 35. path: Jumping to label "yybackup". ftpd/ftpcmd.c:1526:3: 36. path: Condition "yyn == -106", taking true branch. ftpd/ftpcmd.c:1527:5: 37. path: Jumping to label "yydefault". ftpd/ftpcmd.c:1596:3: 38. path: Condition "yyn == 0", taking true branch. ftpd/ftpcmd.c:1597:5: 39. path: Jumping to label "yyerrlab". ftpd/ftpcmd.c:2994:3: 40. path: Condition "yychar == -2", taking true branch. ftpd/ftpcmd.c:2996:3: 41. path: Condition "!yyerrstatus", taking false branch. ftpd/ftpcmd.c:3002:3: 42. path: Condition "yyerrstatus == 3", taking true branch. ftpd/ftpcmd.c:3007:7: 43. path: Condition "yychar <= 0", taking true branch. ftpd/ftpcmd.c:3010:11: 44. path: Condition "yychar == 0", taking false branch. ftpd/ftpcmd.c:3012:9: 45. path: Falling through to end of if statement. ftpd/ftpcmd.c:3023:3: 46. path: Jumping to label "yyerrlab1". ftpd/ftpcmd.c:3051:3: 47. path: Condition "true", taking true branch. ftpd/ftpcmd.c:3054:7: 48. path: Condition "!(yyn == -106)", taking true branch. ftpd/ftpcmd.c:3057:11: 49. path: Condition "0 <= yyn", taking true branch. ftpd/ftpcmd.c:3057:11: 50. path: Condition "yyn <= 319", taking true branch. ftpd/ftpcmd.c:3057:11: 51. path: Condition "yycheck[yyn] == YYSYMBOL_YYerror", taking true branch. ftpd/ftpcmd.c:3060:15: 52. path: Condition "0 < yyn", taking true branch. ftpd/ftpcmd.c:3061:17: 53. path: Breaking from loop. ftpd/ftpcmd.c:3086:3: 54. path: Jumping to label "yynewstate". ftpd/ftpcmd.c:1442:3: 55. path: Condition "0", taking false branch. ftpd/ftpcmd.c:1448:3: 56. path: Condition "yyss + yystacksize - 1 <= yyssp", taking true branch. ftpd/ftpcmd.c:1477:7: 57. path: Condition "10000 <= yystacksize", taking false branch. ftpd/ftpcmd.c:1480:7: 58. path: Condition "10000 < yystacksize", taking true branch. ftpd/ftpcmd.c:1488:9: 59. path: Condition "!yyptr", taking false branch. ftpd/ftpcmd.c:1493:9: 60. path: Condition "yyss1 != yyssa", taking true branch. ftpd/ftpcmd.c:1506:7: 61. path: Condition "yyss + yystacksize - 1 <= yyssp", taking false branch. ftpd/ftpcmd.c:1511:3: 62. path: Condition "yystate == 2", taking false branch. ftpd/ftpcmd.c:1514:3: 63. path: Jumping to label "yybackup". ftpd/ftpcmd.c:1526:3: 64. path: Condition "yyn == -106", taking true branch. ftpd/ftpcmd.c:1527:5: 65. path: Jumping to label "yydefault". ftpd/ftpcmd.c:1596:3: 66. path: Condition "yyn == 0", taking false branch. ftpd/ftpcmd.c:1598:3: 67. path: Jumping to label "yyreduce". ftpd/ftpcmd.c:1620:3: 68. path: Switch case value "3". ftpd/ftpcmd.c:1630:5: 69. path: Breaking from switch. ftpd/ftpcmd.c:2980:5: 70. path: Condition "0 <= yyi", taking true branch. ftpd/ftpcmd.c:2980:5: 71. path: Condition "yyi <= 319", taking true branch. ftpd/ftpcmd.c:2980:5: 72. path: Condition "yycheck[yyi] == *yyssp", taking true branch. ftpd/ftpcmd.c:2985:3: 73. path: Jumping to label "yynewstate". ftpd/ftpcmd.c:1442:3: 74. path: Condition "0", taking false branch. ftpd/ftpcmd.c:1448:3: 75. path: Condition "yyss + yystacksize - 1 <= yyssp", taking false branch. ftpd/ftpcmd.c:1511:3: 76. path: Condition "yystate == 2", taking false branch. ftpd/ftpcmd.c:1514:3: 77. path: Jumping to label "yybackup". ftpd/ftpcmd.c:1526:3: 78. path: Condition "yyn == -106", taking true branch. ftpd/ftpcmd.c:1527:5: 79. path: Jumping to label "yydefault". ftpd/ftpcmd.c:1596:3: 80. path: Condition "yyn == 0", taking true branch. ftpd/ftpcmd.c:1597:5: 81. path: Jumping to label "yyerrlab". ftpd/ftpcmd.c:2994:3: 82. path: Condition "yychar == -2", taking true branch. ftpd/ftpcmd.c:2996:3: 83. path: Condition "!yyerrstatus", taking false branch. ftpd/ftpcmd.c:3002:3: 84. path: Condition "yyerrstatus == 3", taking true branch. ftpd/ftpcmd.c:3007:7: 85. path: Condition "yychar <= 0", taking true branch. ftpd/ftpcmd.c:3010:11: 86. path: Condition "yychar == 0", taking false branch. ftpd/ftpcmd.c:3012:9: 87. path: Falling through to end of if statement. ftpd/ftpcmd.c:3023:3: 88. path: Jumping to label "yyerrlab1". ftpd/ftpcmd.c:3051:3: 89. path: Condition "true", taking true branch. ftpd/ftpcmd.c:3054:7: 90. path: Condition "!(yyn == -106)", taking true branch. ftpd/ftpcmd.c:3057:11: 91. path: Condition "0 <= yyn", taking true branch. ftpd/ftpcmd.c:3057:11: 92. path: Condition "yyn <= 319", taking true branch. ftpd/ftpcmd.c:3057:11: 93. path: Condition "yycheck[yyn] == YYSYMBOL_YYerror", taking true branch. ftpd/ftpcmd.c:3060:15: 94. path: Condition "0 < yyn", taking false branch. ftpd/ftpcmd.c:3066:7: 95. path: Condition "yyssp == yyss", taking false branch. ftpd/ftpcmd.c:3075:5: 96. path: Jumping back to the beginning of the loop. ftpd/ftpcmd.c:3051:3: 97. path: Condition "true", taking true branch. ftpd/ftpcmd.c:3054:7: 98. path: Condition "!(yyn == -106)", taking true branch. ftpd/ftpcmd.c:3057:11: 99. path: Condition "0 <= yyn", taking true branch. ftpd/ftpcmd.c:3057:11: 100. path: Condition "yyn <= 319", taking true branch. ftpd/ftpcmd.c:3057:11: 101. path: Condition "yycheck[yyn] == YYSYMBOL_YYerror", taking true branch. ftpd/ftpcmd.c:3060:15: 102. path: Condition "0 < yyn", taking true branch. ftpd/ftpcmd.c:3061:17: 103. path: Breaking from loop. ftpd/ftpcmd.c:3086:3: 104. path: Jumping to label "yynewstate". ftpd/ftpcmd.c:1442:3: 105. path: Condition "0", taking false branch. ftpd/ftpcmd.c:1448:3: 106. path: Condition "yyss + yystacksize - 1 <= yyssp", taking false branch. ftpd/ftpcmd.c:1511:3: 107. path: Condition "yystate == 2", taking false branch. ftpd/ftpcmd.c:1514:3: 108. path: Jumping to label "yybackup". ftpd/ftpcmd.c:1526:3: 109. path: Condition "yyn == -106", taking true branch. ftpd/ftpcmd.c:1527:5: 110. path: Jumping to label "yydefault". ftpd/ftpcmd.c:1596:3: 111. path: Condition "yyn == 0", taking false branch. ftpd/ftpcmd.c:1598:3: 112. path: Jumping to label "yyreduce". ftpd/ftpcmd.c:1620:3: 113. path: Switch case value "49". ftpd/ftpcmd.y:636:4: 114. path: Condition "yyvsp[-3].i", taking true branch. ftpd/ftpcmd.y:636:4: 115. path: Condition "yyvsp[-1].s != NULL", taking true branch. ftpd/ftpcmd.y:640:8: 116. fs_check_call: Calling function "stat" to perform check on "yyvsp[-1].s". ftpd/ftpcmd.y:640:8: 117. path: Condition "stat(yyvsp[-1].s, &stbuf) < 0", taking true branch. ftpd/ftpcmd.y:641:64: 118. path: Falling through to end of if statement. ftpd/ftpcmd.c:2251:5: 119. path: Breaking from switch. ftpd/ftpcmd.c:2980:5: 120. path: Condition "0 <= yyi", taking true branch. ftpd/ftpcmd.c:2980:5: 121. path: Condition "yyi <= 319", taking true branch. ftpd/ftpcmd.c:2980:5: 122. path: Condition "yycheck[yyi] == *yyssp", taking true branch. ftpd/ftpcmd.c:2985:3: 123. path: Jumping to label "yynewstate". ftpd/ftpcmd.c:1442:3: 124. path: Condition "0", taking false branch. ftpd/ftpcmd.c:1448:3: 125. path: Condition "yyss + yystacksize - 1 <= yyssp", taking false branch. ftpd/ftpcmd.c:1511:3: 126. path: Condition "yystate == 2", taking false branch. ftpd/ftpcmd.c:1514:3: 127. path: Jumping to label "yybackup". ftpd/ftpcmd.c:1526:3: 128. path: Condition "yyn == -106", taking true branch. ftpd/ftpcmd.c:1527:5: 129. path: Jumping to label "yydefault". ftpd/ftpcmd.c:1596:3: 130. path: Condition "yyn == 0", taking false branch. ftpd/ftpcmd.c:1598:3: 131. path: Jumping to label "yyreduce". ftpd/ftpcmd.c:1620:3: 132. path: Switch case value "43". ftpd/ftpcmd.y:533:4: 133. path: Condition "yyvsp[-5].i", taking true branch. ftpd/ftpcmd.y:533:4: 134. path: Condition "yyvsp[-1].s != NULL", taking true branch. ftpd/ftpcmd.y:535:8: 135. path: Condition "yyvsp[-3].i > 511", taking false branch. ftpd/ftpcmd.y:538:13: 136. toctou: Calling function "chmod" that uses "yyvsp[-1].s" after a check function. This can cause a time-of-check, time-of-use race condition. libinetutils/setsig.c:37:3: Type: Uninitialized scalar variable (UNINIT) libinetutils/setsig.c:33:3: 1. var_decl: Declaring variable "sa" without initializer. libinetutils/setsig.c:37:3: 2. uninit_use: Using uninitialized value "sa.sa_flags". libinetutils/utmp_logout.c:77:3: Type: Uninitialized scalar variable (UNINIT) libinetutils/utmp_logout.c:70:3: 1. var_decl: Declaring variable "utx" without initializer. libinetutils/utmp_logout.c:77:3: 2. uninit_use_in_call: Using uninitialized value "utx". Field "utx.ut_type" is uninitialized when calling "getutxline". talkd/talkd.c:182:4: Type: Uninitialized scalar variable (UNINIT) talkd/talkd.c:156:3: 1. path: Condition "1", taking true branch. talkd/talkd.c:167:7: 2. path: Condition "rc != 84UL /* sizeof (msg) */", taking true branch. talkd/talkd.c:169:4: 3. path: Condition "rc < 0", taking false branch. talkd/talkd.c:171:4: 4. path: Continuing loop. talkd/talkd.c:156:3: 5. path: Condition "1", taking true branch. talkd/talkd.c:161:7: 6. var_decl: Declaring variable "resp" without initializer. talkd/talkd.c:167:7: 7. path: Condition "rc != 84UL /* sizeof (msg) */", taking false branch. talkd/talkd.c:174:7: 8. path: Condition "process_request(&msg, &sa_in, &resp) == 0", taking true branch. talkd/talkd.c:182:4: 9. uninit_use_in_call: Using uninitialized value "resp". Field "resp.pad" is uninitialized when calling "sendto". libtelnet/kerberos5.c:238:7: Type: Uninitialized scalar variable (UNINIT) libtelnet/kerberos5.c:206:3: 1. path: Condition "!UserNameRequested", taking false branch. libtelnet/kerberos5.c:212:3: 2. path: Condition "r = krb5_cc_default(telnet_context, &ccache)", taking false branch. libtelnet/kerberos5.c:219:3: 3. path: Condition "r = krb5_sname_to_principal(telnet_context, RemoteHostName, "host", 3, &creds.server)", taking false branch. libtelnet/kerberos5.c:226:3: 4. path: Condition "dest_realm", taking true branch. libtelnet/kerberos5.c:228:7: 5. var_decl: Declaring variable "rdata" without initializer. libtelnet/kerberos5.c:232:7: 6. path: Condition "rdata.data == NULL", taking false branch. libtelnet/kerberos5.c:238:7: 7. uninit_use: Using uninitialized value "rdata". Field "rdata.magic" is uninitialized. ftpd/ftpd.c:1358:7: Type: Uninitialized scalar variable (UNINIT) ftpd/ftpd.c:1322:3: 1. var_decl: Declaring variable "curpos" without initializer. ftpd/ftpd.c:1326:3: 2. path: Condition "setjmp(urgcatch)", taking false branch. ftpd/ftpd.c:1339:3: 3. path: Condition "file_size > 0", taking true branch. ftpd/ftpd.c:1339:3: 4. path: Condition "file_size < 8388608", taking true branch. ftpd/ftpd.c:1339:3: 5. path: Condition "restart_point == 0", taking false branch. ftpd/ftpd.c:1353:3: 6. path: Switch case value "1". ftpd/ftpd.c:1358:7: 7. path: Condition "file_size > 0", taking true branch. ftpd/ftpd.c:1358:7: 8. uninit_use: Using uninitialized value "curpos". ftpd/ftpd.c:1363:4: Type: Uninitialized scalar variable (UNINIT) ftpd/ftpd.c:1323:3: 1. var_decl: Declaring variable "filesize" without initializer. ftpd/ftpd.c:1326:3: 2. path: Condition "setjmp(urgcatch)", taking false branch. ftpd/ftpd.c:1339:3: 3. path: Condition "file_size > 0", taking true branch. ftpd/ftpd.c:1339:3: 4. path: Condition "file_size < 8388608", taking true branch. ftpd/ftpd.c:1339:3: 5. path: Condition "restart_point == 0", taking false branch. ftpd/ftpd.c:1353:3: 6. path: Switch case value "1". ftpd/ftpd.c:1358:7: 7. path: Condition "file_size > 0", taking true branch. ftpd/ftpd.c:1358:7: 8. path: Condition "curpos >= 0", taking true branch. ftpd/ftpd.c:1358:7: 9. path: Condition "buf != (void *)0xffffffffffffffff", taking true branch. ftpd/ftpd.c:1360:4: 10. path: Condition "debug", taking true branch. ftpd/ftpd.c:1363:4: 11. uninit_use: Using uninitialized value "filesize". lib/argp-help.c:496:15: Type: Uninitialized scalar variable (UNINIT) lib/argp-help.c:449:3: 1. path: Condition "hol", taking true branch. lib/argp-help.c:449:3: 2. path: Falling through to end of if statement. lib/argp-help.c:454:3: 3. path: Condition "opts", taking true branch. lib/argp-help.c:459:7: 4. path: Condition "!(opts->flags & 4)", taking true branch. lib/argp-help.c:459:7: 5. path: Falling through to end of if statement. lib/argp-help.c:462:7: 6. path: Condition "!_option_is_end(o)", taking true branch. lib/argp-help.c:464:11: 7. path: Condition "!(o->flags & 4)", taking true branch. lib/argp-help.c:466:11: 8. path: Condition "_option_is_short(o)", taking false branch. lib/argp-help.c:468:9: 9. path: Jumping back to the beginning of the loop. lib/argp-help.c:462:7: 10. path: Condition "!_option_is_end(o)", taking false branch. lib/argp-help.c:471:7: 11. alloc_fn: Calling "malloc" which returns uninitialized memory. lib/argp-help.c:471:7: 12. assign: Assigning: "hol->short_options" = "malloc(num_short_options + 1U)", which points to uninitialized data. lib/argp-help.c:473:7: 13. path: Condition "hol->entries", taking true branch. lib/argp-help.c:473:7: 14. path: Condition "hol->short_options", taking true branch. lib/argp-help.c:473:7: 15. path: Falling through to end of if statement. lib/argp-help.c:474:7: 16. path: Condition "0 /* (size_t)-1 <= 2147483647 * 2U + 1U */", taking false branch. lib/argp-help.c:479:7: 17. path: Condition "!_option_is_end(o)", taking true branch. lib/argp-help.c:484:11: 18. path: Condition "o->group", taking true branch. lib/argp-help.c:496:15: 19. path: Condition "_option_is_short(o)", taking false branch. lib/argp-help.c:501:43: 20. path: Condition "!_option_is_end(o)", taking true branch. lib/argp-help.c:501:43: 21. path: Condition "o->flags & 4", taking true branch. lib/argp-help.c:496:15: 22. path: Condition "_option_is_short(o)", taking false branch. lib/argp-help.c:501:43: 23. path: Condition "!_option_is_end(o)", taking true branch. lib/argp-help.c:501:43: 24. path: Condition "o->flags & 4", taking true branch. lib/argp-help.c:496:15: 25. path: Condition "_option_is_short(o)", taking false branch. lib/argp-help.c:501:43: 26. path: Condition "!_option_is_end(o)", taking true branch. lib/argp-help.c:501:43: 27. path: Condition "o->flags & 4", taking true branch. lib/argp-help.c:496:15: 28. path: Condition "_option_is_short(o)", taking false branch. lib/argp-help.c:501:43: 29. path: Condition "!_option_is_end(o)", taking true branch. lib/argp-help.c:501:43: 30. path: Condition "o->flags & 4", taking true branch. lib/argp-help.c:496:15: 31. path: Condition "_option_is_short(o)", taking true branch. lib/argp-help.c:496:15: 32. uninit_use_in_call: Using uninitialized value "*hol->short_options" when calling "find_char". lib/argp-help.c:347:3: 32.1. path: Condition "beg < end", taking true branch. lib/argp-help.c:348:5: 32.2. read_value: Reading value "*beg". lib/argp-help.c:348:5: 32.3. path: Condition "*beg == ch", taking true branch. ftpd/ftpd.c:1409:7: Type: Uninitialized scalar variable (UNINIT) ftpd/ftpd.c:1322:3: 1. var_decl: Declaring variable "curpos" without initializer. ftpd/ftpd.c:1326:3: 2. path: Condition "setjmp(urgcatch)", taking false branch. ftpd/ftpd.c:1339:3: 3. path: Condition "file_size > 0", taking true branch. ftpd/ftpd.c:1339:3: 4. path: Condition "file_size < 8388608", taking true branch. ftpd/ftpd.c:1339:3: 5. path: Condition "restart_point == 0", taking false branch. ftpd/ftpd.c:1353:3: 6. path: Switch case value "3". ftpd/ftpd.c:1409:7: 7. path: Condition "file_size > 0", taking true branch. ftpd/ftpd.c:1409:7: 8. uninit_use: Using uninitialized value "curpos". ftpd/ftpcmd.c:1491:9: Type: Uninitialized scalar variable (UNINIT) ftpd/ftpcmd.c:1401:5: 1. var_decl: Declaring variable "yyvsa" without initializer. ftpd/ftpcmd.c:1402:5: 2. assign: Assigning: "yyvs" = "yyvsa", which points to uninitialized data. ftpd/ftpcmd.c:1425:3: 3. path: Jumping to label "yysetstate". ftpd/ftpcmd.c:1442:3: 4. path: Condition "0", taking false branch. ftpd/ftpcmd.c:1448:3: 5. path: Condition "yyss + yystacksize - 1 <= yyssp", taking true branch. ftpd/ftpcmd.c:1477:7: 6. path: Condition "10000 <= yystacksize", taking false branch. ftpd/ftpcmd.c:1480:7: 7. path: Condition "10000 < yystacksize", taking false branch. ftpd/ftpcmd.c:1488:9: 8. path: Condition "!yyptr", taking false branch. ftpd/ftpcmd.c:1491:9: 9. uninit_use_in_call: Using uninitialized value "*yyvs" when calling "__builtin_memcpy". ftpd/ftpd.c:1414:4: Type: Uninitialized scalar variable (UNINIT) ftpd/ftpd.c:1323:3: 1. var_decl: Declaring variable "filesize" without initializer. ftpd/ftpd.c:1326:3: 2. path: Condition "setjmp(urgcatch)", taking false branch. ftpd/ftpd.c:1339:3: 3. path: Condition "file_size > 0", taking true branch. ftpd/ftpd.c:1339:3: 4. path: Condition "file_size < 8388608", taking true branch. ftpd/ftpd.c:1339:3: 5. path: Condition "restart_point == 0", taking false branch. ftpd/ftpd.c:1353:3: 6. path: Switch case value "3". ftpd/ftpd.c:1409:7: 7. path: Condition "file_size > 0", taking true branch. ftpd/ftpd.c:1409:7: 8. path: Condition "curpos >= 0", taking true branch. ftpd/ftpd.c:1409:7: 9. path: Condition "buf != (void *)0xffffffffffffffff", taking true branch. ftpd/ftpd.c:1411:4: 10. path: Condition "debug", taking true branch. ftpd/ftpd.c:1414:4: 11. uninit_use: Using uninitialized value "filesize". ftp/ftp.c:724:7: Type: Uninitialized scalar variable (UNINIT) ftp/ftp.c:622:3: 1. path: Condition "verbose", taking true branch. ftp/ftp.c:622:3: 2. path: Condition "printnames", taking true branch. ftp/ftp.c:624:7: 3. path: Condition "local", taking true branch. ftp/ftp.c:624:7: 4. path: Condition "*local != '-'", taking true branch. ftp/ftp.c:626:7: 5. path: Condition "remote", taking true branch. ftp/ftp.c:629:3: 6. path: Condition "proxy", taking false branch. ftp/ftp.c:634:3: 7. path: Condition "curtype != type", taking true branch. ftp/ftp.c:640:3: 8. path: Condition "setjmp(sendabort)", taking false branch. ftp/ftp.c:659:3: 9. path: Condition "strcmp(local, "-") == 0", taking true branch. ftp/ftp.c:660:16: 10. path: Falling through to end of if statement. ftp/ftp.c:696:3: 11. path: Condition "initconn()", taking false branch. ftp/ftp.c:706:3: 12. path: Condition "setjmp(sendabort)", taking false branch. ftp/ftp.c:709:3: 13. path: Condition "restart_point", taking true branch. ftp/ftp.c:709:3: 14. path: Condition "strcmp(cmd, "STOR") == 0", taking true branch. ftp/ftp.c:712:7: 15. var_decl: Declaring variable "rc" without initializer. ftp/ftp.c:714:7: 16. path: Switch case default. ftp/ftp.c:724:7: 17. uninit_use: Using uninitialized value "rc". libinetutils/kerberos5.c:163:3: Type: Uninitialized scalar variable (UNINIT) libinetutils/kerberos5.c:41:3: 1. var_decl: Declaring variable "outlen" without initializer. libinetutils/kerberos5.c:59:3: 2. path: Condition "krb5_sname_to_principal(*ctx, sname, "host", 3, &server)", taking false branch. libinetutils/kerberos5.c:64:3: 3. path: Condition "realm == NULL", taking true branch. libinetutils/kerberos5.c:86:3: 4. path: Condition "auth", taking false branch. libinetutils/kerberos5.c:102:3: 5. path: Condition "verbose", taking true branch. libinetutils/kerberos5.c:111:3: 6. path: Condition "!tmpserver", taking false branch. libinetutils/kerberos5.c:118:3: 7. path: Condition "p", taking false branch. libinetutils/kerberos5.c:121:5: 8. path: Condition "p", taking false branch. libinetutils/kerberos5.c:126:3: 9. path: Condition "!realm", taking false branch. libinetutils/kerberos5.c:139:3: 10. path: Condition "strncmp(cmd, "-x ", 3) == 0", taking true branch. libinetutils/kerberos5.c:148:3: 11. path: Condition "rc == -1765328177L", taking false branch. libinetutils/kerberos5.c:163:3: 12. uninit_use: Using uninitialized value "outlen". libinetutils/kerberos5.c:169:3: Type: Uninitialized pointer read (UNINIT) libinetutils/kerberos5.c:40:3: 1. var_decl: Declaring variable "out" without initializer. libinetutils/kerberos5.c:59:3: 2. path: Condition "krb5_sname_to_principal(*ctx, sname, "host", 3, &server)", taking false branch. libinetutils/kerberos5.c:64:3: 3. path: Condition "realm == NULL", taking true branch. libinetutils/kerberos5.c:86:3: 4. path: Condition "auth", taking false branch. libinetutils/kerberos5.c:102:3: 5. path: Condition "verbose", taking true branch. libinetutils/kerberos5.c:111:3: 6. path: Condition "!tmpserver", taking false branch. libinetutils/kerberos5.c:118:3: 7. path: Condition "p", taking false branch. libinetutils/kerberos5.c:121:5: 8. path: Condition "p", taking false branch. libinetutils/kerberos5.c:126:3: 9. path: Condition "!realm", taking false branch. libinetutils/kerberos5.c:139:3: 10. path: Condition "strncmp(cmd, "-x ", 3) == 0", taking true branch. libinetutils/kerberos5.c:148:3: 11. path: Condition "rc == -1765328177L", taking false branch. libinetutils/kerberos5.c:169:3: 12. uninit_use_in_call: Using uninitialized value "out" when calling "write". src/logger.c:269:7: Type: Structurally dead code (UNREACHABLE) src/logger.c:269:7: unreachable: This code cannot be reached: "socklen = 16U;". src/syslogd.c:964:9: Type: Unused value (UNUSED_VALUE) src/syslogd.c:947:12: value_overwrite: Overwriting previous write to "fd" with value from "socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol)". src/syslogd.c:964:9: assigned_value: Assigning value "-1" to "fd" here, but that stored value is overwritten before it can be used. ftp/cmds.c:2511:11: Type: Unused value (UNUSED_VALUE) ftp/cmds.c:2438:15: value_overwrite: Overwriting previous write to "match" with value "0". ftp/cmds.c:2511:11: assigned_value: Assigning value "1" to "match" here, but that stored value is overwritten before it can be used.