[Swan-dev] New Defects reported by Coverity Scan for antonyantony/libreswan
Andrew Cagney
andrew.cagney at gmail.com
Sun Sep 20 13:37:57 UTC 2020
I've removed the defects I think I've already fixed.
On Sat, 19 Sep 2020 at 18:10, <scan-admin at coverity.com> wrote:
> Hi,
>
> Please find the latest report on new defect(s) introduced to
> antonyantony/libreswan found with Coverity Scan.
>
> 13 new defect(s) introduced to antonyantony/libreswan found with Coverity
> Scan.
> 6 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 13 of 13 defect(s)
>
>
> ** CID 1497033: Null pointer dereferences (FORWARD_NULL)
> /programs/pluto/ikev2_message.c: 525 in encrypt_v2SK_payload()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 1497033: Null pointer dereferences (FORWARD_NULL)
> /programs/pluto/ikev2_message.c: 525 in encrypt_v2SK_payload()
> 519 * of the Payload header (four octets)
> 520 */
> 521 uint8_t *adj_payload_len_start =
> intermediate_auth.ptr + intermediate_auth.len - ADJ_PAYLOAD_LENGTH_SIZE;
> 522 uint16_t adj_payload_len = sk_data.len +
> SK_HEADER_SIZE;
> 523 DBG(DBG_CRYPT, DBG_log("adjusted payload length:
> %u", adj_payload_len));
> 524 adj_payload_len = (adj_payload_len << 8) |
> (adj_payload_len >> 8); /* adjust endianness */
> >>> CID 1497033: Null pointer dereferences (FORWARD_NULL)
> >>> Passing null pointer "adj_payload_len_start" to "memcpy", which
> dereferences it.
> 525 memcpy(adj_payload_len_start, &adj_payload_len,
> sizeof(uint8_t) * ADJ_PAYLOAD_LENGTH_SIZE);
> 526 /*
> 527 * Set the Adjusted Length field to the sum of
> length of IntAuth_*_A and
> 528 * IntAuth_*_P
> 529 */
> 530 uint8_t *adj_len_start = intermediate_auth.ptr +
> ADJ_LENGTH_OFFSET;
>
> ** CID 1497032: Uninitialized variables (UNINIT)
> /programs/pluto/kernel_xfrm.c: 988 in migrate_xfrm_sa()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 1497032: Uninitialized variables (UNINIT)
> /programs/pluto/kernel_xfrm.c: 988 in migrate_xfrm_sa()
> 982 attr = (struct rtattr *)((char *)&req +
> req.n.nlmsg_len);
> 983 attr->rta_type = XFRMA_MIGRATE;
> 984 attr->rta_len = sizeof(migrate);
> 985
> 986 set_migration_attr(sa, &migrate);
> 987
> >>> CID 1497032: Uninitialized variables (UNINIT)
> >>> Using uninitialized value "migrate". Field "migrate.reserved" is
> uninitialized when calling "memcpy".
> 988 memcpy(RTA_DATA(attr), &migrate, attr->rta_len);
> 989 attr->rta_len = RTA_LENGTH(attr->rta_len);
> 990 req.n.nlmsg_len += attr->rta_len;
> 991 }
> 992
> 993 if (sa->encap_type != NULL) {
>
>
>
> ** CID 1497029: Null pointer dereferences (FORWARD_NULL)
> /programs/pluto/ikev1_spdb_struct.c: 145 in parse_secctx_attr()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 1497029: Null pointer dereferences (FORWARD_NULL)
> /programs/pluto/ikev1_spdb_struct.c: 145 in parse_secctx_attr()
> 139 } else if (st->st_state->kind == STATE_QUICK_R0) {
> 140 /* ??? can this happen? */
> 141 /* ??? should we check that this label and first
> one match? */
> 142 DBG_log("Received sec ctx in responder state
> again: ignoring this one");
> 143 } else if (st->st_state->kind == STATE_QUICK_I1) {
> 144 dbg("initiator state received security context
> from responder state, now verifying if both are same");
> >>> CID 1497029: Null pointer dereferences (FORWARD_NULL)
> >>> Passing null pointer "st->sec_ctx->sec_ctx_value" to "strcmp",
> which dereferences it.
> 145 if (streq(st->sec_ctx->sec_ctx_value,
> uctx.sec_ctx_value)) {
> 146 DBG_log("security contexts are verified in
> the initiator state");
> 147 } else {
> 148 loglog(RC_LOG_SERIOUS, "security context
> verification failed in the initiator state (shouldn't reach here unless
> responder (or something in between) is modifying the security context");
> 149 return FALSE;
> 150 }
>
> ** CID 1497027: Memory - corruptions (OVERRUN)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 1497027: Memory - corruptions (OVERRUN)
> /programs/pluto/kernel_xfrm.c: 1013 in migrate_xfrm_sa()
> 1007
> 1008 memcpy(RTA_DATA(attr), &natt, sizeof(natt));
> 1009
> 1010 req.n.nlmsg_len += attr->rta_len;
> 1011 }
> 1012
> >>> CID 1497027: Memory - corruptions (OVERRUN)
> >>> Overrunning struct type nlmsghdr of 16 bytes by passing it to a
> function which accesses it at byte offset 187 using argument
> "req.n.nlmsg_len" (which evaluates to 188).
> 1013 bool r = send_netlink_msg(&req.n, NLMSG_ERROR, &rsp,
> "mobike",
> 1014 sa->text_said);
> 1015 if (!r)
> 1016 return FALSE;
> 1017
> 1018 if (rsp.u.e.error < 0) {
>
> ** CID 1497022: (REVERSE_INULL)
> /programs/pluto/ikev1.c: 1155 in informational()
> /programs/pluto/ikev1.c: 1143 in informational()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 1497022: (REVERSE_INULL)
> /programs/pluto/ikev1.c: 1155 in informational()
> 1149 }
> 1150 }
> 1151 } else {
> 1152 /* warn if we didn't find any Delete or Notify
> payload in packet */
> 1153 if (md->chain[ISAKMP_NEXT_D] == NULL) {
> 1154 struct logger *logger = (st != NULL ?
> st->st_logger :
> >>> CID 1497022: (REVERSE_INULL)
> >>> Null-checking "md" suggests that it may be null, but it has
> already been dereferenced on all paths leading to the check.
> 1155 md != NULL ?
> md->md_logger :
> 1156 &failsafe_logger);
> 1157 log_message(RC_LOG_SERIOUS, logger,
> 1158 "received and ignored empty
> informational notification payload");
> 1159 }
> 1160 return STF_IGNORE;
> /programs/pluto/ikev1.c: 1143 in informational()
> 1137 close_any(&tmp_whack_sock);
> 1138 }
> 1139 return STF_IGNORE;
> 1140 default:
> 1141 {
> 1142 struct logger *logger = (st != NULL ?
> st->st_logger :
> >>> CID 1497022: (REVERSE_INULL)
> >>> Null-checking "md" suggests that it may be null, but it has
> already been dereferenced on all paths leading to the check.
> 1143 md != NULL ?
> md->md_logger :
> 1144 &failsafe_logger);
> 1145 log_message(RC_LOG_SERIOUS, logger,
> 1146 "received and ignored
> notification payload: %s",
> 1147 enum_name(&ikev1_notify_names,
> n->isan_type));
> 1148 return STF_IGNORE;
>
>