[Swan-dev] New Defects reported by Coverity Scan for antonyantony/libreswan
scan-admin at coverity.com
Sat Sep 19 22:09:00 UTC 2020
Hi,
Please find the latest report on new defect(s) introduced to antonyantony/libreswan found with Coverity Scan.
13 new defect(s) introduced to antonyantony/libreswan found with Coverity Scan.
6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 13 of 13 defect(s)
** CID 1497033: Null pointer dereferences (FORWARD_NULL)
/programs/pluto/ikev2_message.c: 525 in encrypt_v2SK_payload()
________________________________________________________________________________________________________
*** CID 1497033: Null pointer dereferences (FORWARD_NULL)
/programs/pluto/ikev2_message.c: 525 in encrypt_v2SK_payload()
519 * of the Payload header (four octets)
520 */
521 uint8_t *adj_payload_len_start = intermediate_auth.ptr + intermediate_auth.len - ADJ_PAYLOAD_LENGTH_SIZE;
522 uint16_t adj_payload_len = sk_data.len + SK_HEADER_SIZE;
523 DBG(DBG_CRYPT, DBG_log("adjusted payload length: %u", adj_payload_len));
524 adj_payload_len = (adj_payload_len << 8) | (adj_payload_len >> 8); /* adjust endianness */
>>> CID 1497033: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "adj_payload_len_start" to "memcpy", which dereferences it.
525 memcpy(adj_payload_len_start, &adj_payload_len, sizeof(uint8_t) * ADJ_PAYLOAD_LENGTH_SIZE);
526 /*
527 * Set the Adjusted Length field to the sum of length of IntAuth_*_A and
528 * IntAuth_*_P
529 */
530 uint8_t *adj_len_start = intermediate_auth.ptr + ADJ_LENGTH_OFFSET;
** CID 1497032: Uninitialized variables (UNINIT)
/programs/pluto/kernel_xfrm.c: 988 in migrate_xfrm_sa()
________________________________________________________________________________________________________
*** CID 1497032: Uninitialized variables (UNINIT)
/programs/pluto/kernel_xfrm.c: 988 in migrate_xfrm_sa()
982 attr = (struct rtattr *)((char *)&req + req.n.nlmsg_len);
983 attr->rta_type = XFRMA_MIGRATE;
984 attr->rta_len = sizeof(migrate);
985
986 set_migration_attr(sa, &migrate);
987
>>> CID 1497032: Uninitialized variables (UNINIT)
>>> Using uninitialized value "migrate". Field "migrate.reserved" is uninitialized when calling "memcpy".
988 memcpy(RTA_DATA(attr), &migrate, attr->rta_len);
989 attr->rta_len = RTA_LENGTH(attr->rta_len);
990 req.n.nlmsg_len += attr->rta_len;
991 }
992
993 if (sa->encap_type != NULL) {
** CID 1497031: Error handling issues (NEGATIVE_RETURNS)
/lib/libswan/realtime.c: 70 in realnow()
________________________________________________________________________________________________________
*** CID 1497031: Error handling issues (NEGATIVE_RETURNS)
/lib/libswan/realtime.c: 70 in realnow()
64 /*
65 * This code assumes clock_gettime() always succeeds -
66 * if it were expected to fail then there'd either be
67 * a logger and/or a way to return the failure to the
68 * caller.
69 */
>>> CID 1497031: Error handling issues (NEGATIVE_RETURNS)
>>> "e" is passed to a parameter that cannot be negative.
70 PASSERT_FAIL("clock_gettime(%d,...) call in realnow() failed. "PRI_ERRNO,
71 realtime_clockid(), pri_errno(e));
72 }
73 realtime_t t = {
74 .rt = {
75 .tv_sec = ts.tv_sec,
** CID 1497030: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1497030: Null pointer dereferences (FORWARD_NULL)
/lib/libswan/secrets.c: 1491 in lsw_process_secrets_file()
1485 case 0:
1486 /* success */
1487 /* for each file... */
1488 for (char **fnp = globbuf.gl_pathv; fnp != NULL && *fnp != NULL; fnp++) {
1489 if (lexopen(&pos, *fnp, false, logger)) {
1490 log_message(RC_LOG, logger, "loading secrets from \"%s\"", *fnp);
>>> CID 1497030: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "flp" to "flushline", which dereferences it.
1491 flushline(flp, "file starts with indentation (continuation notation)");
1492 lsw_process_secret_records(psecrets, logger);
1493 lexclose();
1494 }
1495 }
1496 break;
** CID 1497029: Null pointer dereferences (FORWARD_NULL)
/programs/pluto/ikev1_spdb_struct.c: 145 in parse_secctx_attr()
________________________________________________________________________________________________________
*** CID 1497029: Null pointer dereferences (FORWARD_NULL)
/programs/pluto/ikev1_spdb_struct.c: 145 in parse_secctx_attr()
139 } else if (st->st_state->kind == STATE_QUICK_R0) {
140 /* ??? can this happen? */
141 /* ??? should we check that this label and first one match? */
142 DBG_log("Received sec ctx in responder state again: ignoring this one");
143 } else if (st->st_state->kind == STATE_QUICK_I1) {
144 dbg("initiator state received security context from responder state, now verifying if both are same");
>>> CID 1497029: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "st->sec_ctx->sec_ctx_value" to "strcmp", which dereferences it.
145 if (streq(st->sec_ctx->sec_ctx_value, uctx.sec_ctx_value)) {
146 DBG_log("security contexts are verified in the initiator state");
147 } else {
148 loglog(RC_LOG_SERIOUS, "security context verification failed in the initiator state (shouldn't reach here unless responder (or something in between) is modifying the security context");
149 return FALSE;
150 }
** CID 1497028: Error handling issues (NEGATIVE_RETURNS)
/programs/pluto/pluto_timing.c: 42 in wall_clock()
________________________________________________________________________________________________________
*** CID 1497028: Error handling issues (NEGATIVE_RETURNS)
/programs/pluto/pluto_timing.c: 42 in wall_clock()
/*
 * Read CLOCK_MONOTONIC into a struct timespec.
 *
 * Any failure of clock_gettime() is fatal.
 *
 * NOTE(review): clock_gettime() returns -1 on failure and reports the
 * cause in errno, so the value handed to FATAL_ERRNO() below is -1,
 * not an errno (Coverity CID 1497028).  Passing errno instead needs
 * <errno.h> in scope, which this excerpt does not show.
 */
static struct timespec wall_clock(void)
{
	struct timespec now;
	/* assume never suspended; CLOCK_BOOTTIME is linux specific */
	int rc = clock_gettime(CLOCK_MONOTONIC, &now);
	if (rc) {
		FATAL_ERRNO(rc, "clock_gettime(CLOCK_MONOTONIC,...) failed in %s()",
			    __func__);
	}
	return now;
}
** CID 1497027: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1497027: Memory - corruptions (OVERRUN)
/programs/pluto/kernel_xfrm.c: 1013 in migrate_xfrm_sa()
1007
1008 memcpy(RTA_DATA(attr), &natt, sizeof(natt));
1009
1010 req.n.nlmsg_len += attr->rta_len;
1011 }
1012
>>> CID 1497027: Memory - corruptions (OVERRUN)
>>> Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 187 using argument "req.n.nlmsg_len" (which evaluates to 188).
1013 bool r = send_netlink_msg(&req.n, NLMSG_ERROR, &rsp, "mobike",
1014 sa->text_said);
1015 if (!r)
1016 return FALSE;
1017
1018 if (rsp.u.e.error < 0) {
** CID 1497026: (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1497026: (FORWARD_NULL)
/programs/pluto/ikev2_message.c: 1025 in record_outbound_fragment()
1019 };
1020 if (!out_struct(&e, &ikev2_skf_desc, &rbody, &skf.pbs))
1021 return false;
1022
1023 /* emit IV and save location */
1024
>>> CID 1497026: (FORWARD_NULL)
>>> Passing "&skf" to "emit_v2SK_iv", which dereferences null "skf.logger".
1025 if (!emit_v2SK_iv(&skf)) {
1026 log_message(RC_LOG, logger,
1027 "error initializing IV for encrypted %s message",
1028 desc);
1029 return false;
1030 }
/programs/pluto/ikev2_message.c: 1042 in record_outbound_fragment()
1036 /* output the fragment */
1037
1038 if (!pbs_out_hunk(*fragment, &skf.pbs,
1039 "cleartext fragment"))
1040 return false;
1041
>>> CID 1497026: (FORWARD_NULL)
>>> Passing "&skf" to "close_v2SK_payload", which dereferences null "skf.logger".
1042 if (!close_v2SK_payload(&skf)) {
1043 return false;
1044 }
1045
1046 close_output_pbs(&rbody);
1047 close_output_pbs(&frag_stream);
/programs/pluto/ikev2_message.c: 1049 in record_outbound_fragment()
1043 return false;
1044 }
1045
1046 close_output_pbs(&rbody);
1047 close_output_pbs(&frag_stream);
1048
>>> CID 1497026: (FORWARD_NULL)
>>> Passing "&skf" to "encrypt_v2SK_payload", which dereferences null "skf.logger".
1049 stf_status ret = encrypt_v2SK_payload(&skf);
1050 if (ret != STF_OK) {
1051 log_message(RC_LOG, logger, "error encrypting fragment %u", number);
1052 return false;
1053 }
1054
** CID 1497025: Error handling issues (NEGATIVE_RETURNS)
/lib/libswan/monotime.c: 58 in mononow()
________________________________________________________________________________________________________
*** CID 1497025: Error handling issues (NEGATIVE_RETURNS)
/lib/libswan/monotime.c: 58 in mononow()
52 /*
53 * This code assumes clock_gettime() always succeeds -
54 * if it were expected to fail then there'd either be
55 * a logger and/or a way to return the failure to the
56 * caller.
57 */
>>> CID 1497025: Error handling issues (NEGATIVE_RETURNS)
>>> "e" is passed to a parameter that cannot be negative.
58 PASSERT_FAIL("clock_gettime(%d,...) in mononow() failed. "PRI_ERRNO,
59 monotime_clockid(), pri_errno(e));
60 }
61 /* OK */
62 return (monotime_t) {
63 .mt = {
** CID 1497024: Error handling issues (NEGATIVE_RETURNS)
/programs/pluto/pluto_timing.c: 31 in thread_clock()
________________________________________________________________________________________________________
*** CID 1497024: Error handling issues (NEGATIVE_RETURNS)
/programs/pluto/pluto_timing.c: 31 in thread_clock()
/*
 * Read the calling thread's CPU-time clock (CLOCK_THREAD_CPUTIME_ID)
 * into a struct timespec.
 *
 * Any failure of clock_gettime() is fatal.
 *
 * NOTE(review): clock_gettime() returns -1 on failure and reports the
 * cause in errno, so the value handed to FATAL_ERRNO() below is -1,
 * not an errno (Coverity CID 1497024).  Passing errno instead needs
 * <errno.h> in scope, which this excerpt does not show.
 */
static struct timespec thread_clock(void)
{
	static const clockid_t clock_id = CLOCK_THREAD_CPUTIME_ID;
	struct timespec now;
	int rc = clock_gettime(clock_id, &now);
	if (rc) {
		FATAL_ERRNO(rc, "clock_gettime(%d,... failed in %s()", clock_id, __func__);
	}
	return now;
}
35
36 static struct timespec wall_clock(void)
** CID 1497023: Null pointer dereferences (FORWARD_NULL)
/programs/pluto/ikev2_message.c: 284 in open_v2SK_payload()
________________________________________________________________________________________________________
*** CID 1497023: Null pointer dereferences (FORWARD_NULL)
/programs/pluto/ikev2_message.c: 284 in open_v2SK_payload()
278 }
279
280 /* save cleartext start */
281
282 sk.cleartext.ptr = sk.pbs.cur;
283 passert(sk.iv.ptr <= sk.cleartext.ptr);
>>> CID 1497023: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "sk.pbs.container".
284 passert(sk.pbs.container->name == container->name);
285
286 return sk;
287 }
288
289 bool close_v2SK_payload(v2SK_payload_t *sk)
** CID 1497022: (REVERSE_INULL)
/programs/pluto/ikev1.c: 1155 in informational()
/programs/pluto/ikev1.c: 1143 in informational()
________________________________________________________________________________________________________
*** CID 1497022: (REVERSE_INULL)
/programs/pluto/ikev1.c: 1155 in informational()
1149 }
1150 }
1151 } else {
1152 /* warn if we didn't find any Delete or Notify payload in packet */
1153 if (md->chain[ISAKMP_NEXT_D] == NULL) {
1154 struct logger *logger = (st != NULL ? st->st_logger :
>>> CID 1497022: (REVERSE_INULL)
>>> Null-checking "md" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1155 md != NULL ? md->md_logger :
1156 &failsafe_logger);
1157 log_message(RC_LOG_SERIOUS, logger,
1158 "received and ignored empty informational notification payload");
1159 }
1160 return STF_IGNORE;
/programs/pluto/ikev1.c: 1143 in informational()
1137 close_any(&tmp_whack_sock);
1138 }
1139 return STF_IGNORE;
1140 default:
1141 {
1142 struct logger *logger = (st != NULL ? st->st_logger :
>>> CID 1497022: (REVERSE_INULL)
>>> Null-checking "md" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1143 md != NULL ? md->md_logger :
1144 &failsafe_logger);
1145 log_message(RC_LOG_SERIOUS, logger,
1146 "received and ignored notification payload: %s",
1147 enum_name(&ikev1_notify_names, n->isan_type));
1148 return STF_IGNORE;
** CID 1497021: Null pointer dereferences (FORWARD_NULL)
/lib/libswan/ip_selector.c: 226 in pexpect_selector()
________________________________________________________________________________________________________
*** CID 1497021: Null pointer dereferences (FORWARD_NULL)
/lib/libswan/ip_selector.c: 226 in pexpect_selector()
220 {
221 return subnetishost(l) && subnetishost(r) && sameaddr(&l->addr, &r->addr);
222 }
223
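/*
 * Log, via dbg(), an "EXPECTATION FAILED" line when S (described by
 * T, reported at WHERE) is not a selector, i.e. it is flagged as a
 * subnet or is not flagged as a selector.
 *
 * A NULL S, or one whose address version is 0 (presumably unset), is
 * skipped silently.  The guard used to read
 * `s != NULL || s->addr.version != 0`, which dereferences a NULL S on
 * the right-hand side (Coverity CID 1497021); it must be a conjunction.
 */
void pexpect_selector(const ip_selector *s, const char *t, where_t where)
{
	if (s != NULL && s->addr.version != 0) {
		if (s->is_subnet == true ||
		    s->is_selector == false) {
			address_buf b;
			dbg("EXPECTATION FAILED: %s is not a selector; "PRI_SUBNET" "PRI_WHERE,
			    t, pri_subnet(s, &b), pri_where(where));
		}
	}
}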
________________________________________________________________________________________________________