Date: Sun, 21 Jun 2015 19:47:56 +0300
From: Andrei Borzenkov
To: grub-devel@gnu.org
Subject: Strange "while" loop in tftp_receive since commit cf8d6bbd
Message-ID: <20150621194756.6d2d335c@opensuse.site>

Coverity complains about a double free in this function (CID 96690).
This happens here:

    case TFTP_DATA:
    ...
      while (cmp_block (grub_be_to_cpu16 (tftph->u.data.block),
                        data->block + 1) == 0)
        {
    ...
          data->block++;
    ...
          grub_netbuff_free (nb_top);
        }

As far as I can tell, data->block is always incremented, so the condition
in the while() loop can be true at most once (tftph is set outside of this
loop and so does not change). But Coverity does not know it, so it flags it
as a double free.

In case I miss something non-obvious - what is the reason for this loop?
It was added in cf8d6bbd but the commit message does not really explain
why it was done. The code in question did not really change since this
commit, so even originally I do not understand what this change did.
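Added example, not part of the original message and not GRUB's code: a stand-alone model of the quoted loop that counts how often the buffer is released for one received packet, checked for every 16-bit block number including the 0xFFFF wraparound. The body of cmp_block is an assumption (a signed 16-bit distance); fake_nb, fake_free, drain_with_while and max_frees_per_packet are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for cmp_block: sign of the 16-bit distance a - b,
   so the comparison still works when block numbers wrap around. */
static int cmp_block (uint16_t a, uint16_t b)
{
  int16_t d = (int16_t) (uint16_t) (a - b);
  return (d > 0) - (d < 0);
}

/* Hypothetical buffer that counts releases instead of freeing memory. */
struct fake_nb { int frees; };
static void fake_free (struct fake_nb *nb) { nb->frees++; }

/* Same shape as the quoted loop: wire_block is read once before the loop
   (tftph does not change inside it), the expected block is incremented in
   the body, and the buffer is released there. Returns the iteration count. */
static int drain_with_while (uint16_t wire_block, uint16_t *block,
                             struct fake_nb *nb)
{
  int iterations = 0;
  while (cmp_block (wire_block, (uint16_t) (*block + 1)) == 0)
    {
      (*block)++;
      fake_free (nb);
      iterations++;
    }
  return iterations;
}

/* For every expected block value, try a duplicate packet, the next packet
   and a packet one ahead; report the worst release count seen. */
static int max_frees_per_packet (void)
{
  int worst = 0;
  for (uint32_t b = 0; b <= 0xFFFF; b++)
    for (uint32_t off = 0; off < 3; off++)
      {
        uint16_t block = (uint16_t) b;
        struct fake_nb nb = { 0 };
        drain_with_while ((uint16_t) (b + off), &block, &nb);
        if (nb.frees > worst)
          worst = nb.frees;
      }
  return worst;
}

int main (void)
{
  printf ("max frees per packet: %d\n", max_frees_per_packet ());
  return 0;
}
```

Under these assumptions the loop body runs zero or one time per packet, so the buffer is released at most once, which is the property a static analyzer cannot derive from the loop form alone.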