[Swan-dev] New Defects reported by Coverity Scan for antonyantony/libreswan

Andrew Cagney andrew.cagney at gmail.com
Sun Sep 20 13:37:57 UTC 2020


I've removed the ones I think I've fixed; the defects that remain are quoted below.

On Sat, 19 Sep 2020 at 18:10, <scan-admin at coverity.com> wrote:

> Hi,
>
> Please find the latest report on new defect(s) introduced to
> antonyantony/libreswan found with Coverity Scan.
>
> 13 new defect(s) introduced to antonyantony/libreswan found with Coverity
> Scan.
> 6 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 13 of 13 defect(s)
>
>
> ** CID 1497033:  Null pointer dereferences  (FORWARD_NULL)
> /programs/pluto/ikev2_message.c: 525 in encrypt_v2SK_payload()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 1497033:  Null pointer dereferences  (FORWARD_NULL)
> /programs/pluto/ikev2_message.c: 525 in encrypt_v2SK_payload()
> 519                      * of the Payload header (four octets)
> 520                      */
> 521                     uint8_t *adj_payload_len_start =
> intermediate_auth.ptr + intermediate_auth.len - ADJ_PAYLOAD_LENGTH_SIZE;
> 522                     uint16_t adj_payload_len = sk_data.len +
> SK_HEADER_SIZE;
> 523                     DBG(DBG_CRYPT, DBG_log("adjusted payload length:
> %u", adj_payload_len));
> 524                     adj_payload_len = (adj_payload_len << 8) |
> (adj_payload_len >> 8); /* adjust endianness */
> >>>     CID 1497033:  Null pointer dereferences  (FORWARD_NULL)
> >>>     Passing null pointer "adj_payload_len_start" to "memcpy", which
> dereferences it.
> 525                     memcpy(adj_payload_len_start, &adj_payload_len,
> sizeof(uint8_t) * ADJ_PAYLOAD_LENGTH_SIZE);
> 526                     /*
> 527                      * Set the Adjusted Length field to the sum of
> length of IntAuth_*_A and
> 528                      * IntAuth_*_P
> 529                      */
> 530                     uint8_t *adj_len_start = intermediate_auth.ptr +
> ADJ_LENGTH_OFFSET;
>
> ** CID 1497032:  Uninitialized variables  (UNINIT)
> /programs/pluto/kernel_xfrm.c: 988 in migrate_xfrm_sa()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 1497032:  Uninitialized variables  (UNINIT)
> /programs/pluto/kernel_xfrm.c: 988 in migrate_xfrm_sa()
> 982                     attr =  (struct rtattr *)((char *)&req +
> req.n.nlmsg_len);
> 983                     attr->rta_type = XFRMA_MIGRATE;
> 984                     attr->rta_len = sizeof(migrate);
> 985
> 986                     set_migration_attr(sa, &migrate);
> 987
> >>>     CID 1497032:  Uninitialized variables  (UNINIT)
> >>>     Using uninitialized value "migrate". Field "migrate.reserved" is
> uninitialized when calling "memcpy".
> 988                     memcpy(RTA_DATA(attr), &migrate, attr->rta_len);
> 989                     attr->rta_len = RTA_LENGTH(attr->rta_len);
> 990                     req.n.nlmsg_len += attr->rta_len;
> 991             }
> 992
> 993             if (sa->encap_type != NULL) {
>
>
>
> ** CID 1497029:  Null pointer dereferences  (FORWARD_NULL)
> /programs/pluto/ikev1_spdb_struct.c: 145 in parse_secctx_attr()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 1497029:  Null pointer dereferences  (FORWARD_NULL)
> /programs/pluto/ikev1_spdb_struct.c: 145 in parse_secctx_attr()
> 139             } else if (st->st_state->kind == STATE_QUICK_R0) {
> 140                     /* ??? can this happen? */
> 141                     /* ??? should we check that this label and first
> one match? */
> 142                     DBG_log("Received sec ctx in responder state
> again: ignoring this one");
> 143             } else if (st->st_state->kind == STATE_QUICK_I1) {
> 144                     dbg("initiator state received security context
> from responder state, now verifying if both are same");
> >>>     CID 1497029:  Null pointer dereferences  (FORWARD_NULL)
> >>>     Passing null pointer "st->sec_ctx->sec_ctx_value" to "strcmp",
> which dereferences it.
> 145                     if (streq(st->sec_ctx->sec_ctx_value,
> uctx.sec_ctx_value)) {
> 146                             DBG_log("security contexts are verified in
> the initiator state");
> 147                     } else {
> 148                             loglog(RC_LOG_SERIOUS, "security context
> verification failed in the initiator state (shouldn't reach here unless
> responder (or something in between) is modifying the security context");
> 149                             return FALSE;
> 150                     }
>
> ** CID 1497027:  Memory - corruptions  (OVERRUN)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 1497027:  Memory - corruptions  (OVERRUN)
> /programs/pluto/kernel_xfrm.c: 1013 in migrate_xfrm_sa()
> 1007
> 1008                    memcpy(RTA_DATA(attr), &natt, sizeof(natt));
> 1009
> 1010                    req.n.nlmsg_len += attr->rta_len;
> 1011            }
> 1012
> >>>     CID 1497027:  Memory - corruptions  (OVERRUN)
> >>>     Overrunning struct type nlmsghdr of 16 bytes by passing it to a
> function which accesses it at byte offset 187 using argument
> "req.n.nlmsg_len" (which evaluates to 188).
> 1013            bool r = send_netlink_msg(&req.n, NLMSG_ERROR, &rsp,
> "mobike",
> 1014                            sa->text_said);
> 1015            if (!r)
> 1016                    return FALSE;
> 1017
> 1018            if (rsp.u.e.error < 0) {
>
> ** CID 1497022:    (REVERSE_INULL)
> /programs/pluto/ikev1.c: 1155 in informational()
> /programs/pluto/ikev1.c: 1143 in informational()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 1497022:    (REVERSE_INULL)
> /programs/pluto/ikev1.c: 1155 in informational()
> 1149                    }
> 1150                    }
> 1151            } else {
> 1152                    /* warn if we didn't find any Delete or Notify
> payload in packet */
> 1153                    if (md->chain[ISAKMP_NEXT_D] == NULL) {
> 1154                            struct logger *logger = (st != NULL ?
> st->st_logger :
> >>>     CID 1497022:    (REVERSE_INULL)
> >>>     Null-checking "md" suggests that it may be null, but it has
> already been dereferenced on all paths leading to the check.
> 1155                                                     md != NULL ?
> md->md_logger :
> 1156                                                     &failsafe_logger);
> 1157                            log_message(RC_LOG_SERIOUS, logger,
> 1158                                        "received and ignored empty
> informational notification payload");
> 1159                    }
> 1160                    return STF_IGNORE;
> /programs/pluto/ikev1.c: 1143 in informational()
> 1137                                    close_any(&tmp_whack_sock);
> 1138                            }
> 1139                            return STF_IGNORE;
> 1140                    default:
> 1141                    {
> 1142                            struct logger *logger = (st != NULL ?
> st->st_logger :
> >>>     CID 1497022:    (REVERSE_INULL)
> >>>     Null-checking "md" suggests that it may be null, but it has
> already been dereferenced on all paths leading to the check.
> 1143                                                     md != NULL ?
> md->md_logger :
> 1144                                                     &failsafe_logger);
> 1145                            log_message(RC_LOG_SERIOUS, logger,
> 1146                                        "received and ignored
> notification payload: %s",
> 1147                                        enum_name(&ikev1_notify_names,
> n->isan_type));
> 1148                            return STF_IGNORE;
>
>

