[Swan-dev] New Defects reported by Coverity Scan for antonyantony/libreswan
scan-admin at coverity.com
scan-admin at coverity.com
Mon May 3 20:31:04 UTC 2021
Hi,
Please find the latest report on new defect(s) introduced to antonyantony/libreswan found with Coverity Scan.
12 new defect(s) introduced to antonyantony/libreswan found with Coverity Scan.
16 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 12 of 12 defect(s)
** CID 1504584: (CHECKED_RETURN)
/programs/pluto/fetch.c: 107 in fetch_curl()
/programs/pluto/fetch.c: 102 in fetch_curl()
/programs/pluto/fetch.c: 109 in fetch_curl()
/programs/pluto/fetch.c: 104 in fetch_curl()
/programs/pluto/fetch.c: 111 in fetch_curl()
/programs/pluto/fetch.c: 103 in fetch_curl()
/programs/pluto/fetch.c: 105 in fetch_curl()
/programs/pluto/fetch.c: 106 in fetch_curl()
________________________________________________________________________________________________________
*** CID 1504584: (CHECKED_RETURN)
/programs/pluto/fetch.c: 107 in fetch_curl()
101
102 curl_easy_setopt(curl, CURLOPT_URL, url);
103 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
104 curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&response);
105 curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
106 curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, timeout);
>>> CID 1504584: (CHECKED_RETURN)
>>> Calling "curl_easy_setopt(curl, _curl_opt, 2L * timeout)" without checking return value. This library function may fail and return an error code.
107 curl_easy_setopt(curl, CURLOPT_TIMEOUT, 2 * timeout);
108 /* work around for libcurl signal bug */
109 curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1);
110 if (curl_iface != NULL)
111 curl_easy_setopt(curl, CURLOPT_INTERFACE, curl_iface);
112
/programs/pluto/fetch.c: 102 in fetch_curl()
96 if (curl != NULL) {
97 if (curl_timeout > 0)
98 timeout = curl_timeout;
99
100 dbg("Trying cURL '%s' with connect timeout of %ld", url, timeout);
101
>>> CID 1504584: (CHECKED_RETURN)
>>> Calling "curl_easy_setopt(curl, _curl_opt, url)" without checking return value. This library function may fail and return an error code.
102 curl_easy_setopt(curl, CURLOPT_URL, url);
103 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
104 curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&response);
105 curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
106 curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, timeout);
107 curl_easy_setopt(curl, CURLOPT_TIMEOUT, 2 * timeout);
/programs/pluto/fetch.c: 109 in fetch_curl()
103 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
104 curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&response);
105 curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
106 curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, timeout);
107 curl_easy_setopt(curl, CURLOPT_TIMEOUT, 2 * timeout);
108 /* work around for libcurl signal bug */
>>> CID 1504584: (CHECKED_RETURN)
>>> Calling "curl_easy_setopt(curl, _curl_opt, 1)" without checking return value. This library function may fail and return an error code.
109 curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1);
110 if (curl_iface != NULL)
111 curl_easy_setopt(curl, CURLOPT_INTERFACE, curl_iface);
112
113 res = curl_easy_perform(curl);
114
/programs/pluto/fetch.c: 104 in fetch_curl()
98 timeout = curl_timeout;
99
100 dbg("Trying cURL '%s' with connect timeout of %ld", url, timeout);
101
102 curl_easy_setopt(curl, CURLOPT_URL, url);
103 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
>>> CID 1504584: (CHECKED_RETURN)
>>> Calling "curl_easy_setopt(curl, _curl_opt, (void *)&response)" without checking return value. This library function may fail and return an error code.
104 curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&response);
105 curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
106 curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, timeout);
107 curl_easy_setopt(curl, CURLOPT_TIMEOUT, 2 * timeout);
108 /* work around for libcurl signal bug */
109 curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1);
/programs/pluto/fetch.c: 111 in fetch_curl()
105 curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
106 curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, timeout);
107 curl_easy_setopt(curl, CURLOPT_TIMEOUT, 2 * timeout);
108 /* work around for libcurl signal bug */
109 curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1);
110 if (curl_iface != NULL)
>>> CID 1504584: (CHECKED_RETURN)
>>> Calling "curl_easy_setopt(curl, _curl_opt, curl_iface)" without checking return value. This library function may fail and return an error code.
111 curl_easy_setopt(curl, CURLOPT_INTERFACE, curl_iface);
112
113 res = curl_easy_perform(curl);
114
115 if (res == CURLE_OK) {
116 /* clone from realloc(3)ed memory to pluto-allocated memory */
/programs/pluto/fetch.c: 103 in fetch_curl()
97 if (curl_timeout > 0)
98 timeout = curl_timeout;
99
100 dbg("Trying cURL '%s' with connect timeout of %ld", url, timeout);
101
102 curl_easy_setopt(curl, CURLOPT_URL, url);
>>> CID 1504584: (CHECKED_RETURN)
>>> Calling "curl_easy_setopt(curl, _curl_opt, write_buffer)" without checking return value. This library function may fail and return an error code.
103 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
104 curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&response);
105 curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
106 curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, timeout);
107 curl_easy_setopt(curl, CURLOPT_TIMEOUT, 2 * timeout);
108 /* work around for libcurl signal bug */
/programs/pluto/fetch.c: 105 in fetch_curl()
99
100 dbg("Trying cURL '%s' with connect timeout of %ld", url, timeout);
101
102 curl_easy_setopt(curl, CURLOPT_URL, url);
103 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
104 curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&response);
>>> CID 1504584: (CHECKED_RETURN)
>>> Calling "curl_easy_setopt(curl, _curl_opt, errorbuffer)" without checking return value. This library function may fail and return an error code.
105 curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
106 curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, timeout);
107 curl_easy_setopt(curl, CURLOPT_TIMEOUT, 2 * timeout);
108 /* work around for libcurl signal bug */
109 curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1);
110 if (curl_iface != NULL)
/programs/pluto/fetch.c: 106 in fetch_curl()
100 dbg("Trying cURL '%s' with connect timeout of %ld", url, timeout);
101
102 curl_easy_setopt(curl, CURLOPT_URL, url);
103 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
104 curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&response);
105 curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
>>> CID 1504584: (CHECKED_RETURN)
>>> Calling "curl_easy_setopt(curl, _curl_opt, timeout)" without checking return value. This library function may fail and return an error code.
106 curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, timeout);
107 curl_easy_setopt(curl, CURLOPT_TIMEOUT, 2 * timeout);
108 /* work around for libcurl signal bug */
109 curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1);
110 if (curl_iface != NULL)
111 curl_easy_setopt(curl, CURLOPT_INTERFACE, curl_iface);
** CID 1504583: Low impact security (SENSITIVE_DATA_LEAK)
________________________________________________________________________________________________________
*** CID 1504583: Low impact security (SENSITIVE_DATA_LEAK)
/programs/whack/whack.c: 2844 in main()
2838 case RC_ENTERSECRET:
2839 if (!gotxauthpass) {
2840 xauthpasslen = whack_get_secret(
2841 xauthpass,
2842 sizeof(xauthpass));
2843 }
>>> CID 1504583: Low impact security (SENSITIVE_DATA_LEAK)
>>> Leaking sensitive data. Passing "xauthpass" to "send_reply" stores it to the filesystem.
2844 send_reply(sock,
2845 xauthpass,
2846 xauthpasslen);
2847 break;
2848
2849 case RC_USERPROMPT:
** CID 1504582: Low impact security (SENSITIVE_DATA_LEAK)
________________________________________________________________________________________________________
*** CID 1504582: Low impact security (SENSITIVE_DATA_LEAK)
/lib/libipsecconf/starterwhack.c: 162 in starter_whack_read_reply()
156 xauthpasslen =
157 XAUTH_MAX_PASS_LENGTH;
158 starter_log(LOG_LEVEL_ERR,
159 "xauth password cannot be >= %d chars",
160 XAUTH_MAX_PASS_LENGTH);
161 }
>>> CID 1504582: Low impact security (SENSITIVE_DATA_LEAK)
>>> Leaking sensitive data. Passing "*xauthpass" to "send_reply" stores it to the filesystem.
162 ret = send_reply(sock, xauthpass,
163 xauthpasslen);
164 if (ret != 0)
165 return ret;
166
167 break;
** CID 1504581: Incorrect expression (COPY_PASTE_ERROR)
/testing/programs/ipcheck/ip_range_check.c: 395 in check_range_op_range()
________________________________________________________________________________________________________
*** CID 1504581: Incorrect expression (COPY_PASTE_ERROR)
/testing/programs/ipcheck/ip_range_check.c: 395 in check_range_op_range()
389 FAIL("ttorange(%s) failed: %s", t->R, oops); \
390 } \
391 } else { \
392 l = unset_range; \
393 }
394 TT(l);
>>> CID 1504581: Incorrect expression (COPY_PASTE_ERROR)
>>> "l" in "l = unset_range" looks like a copy-paste error.
395 TT(r);
396 #undef TT
397
398 #define T(OP,L,R) \
399 { \
400 bool cond = OP(L,R); \
** CID 1504580: (UNREACHABLE)
/testing/programs/ipcheck/ip_address_check.c: 396 in check_addresses_to()
/testing/programs/ipcheck/ip_address_check.c: 403 in check_addresses_to()
________________________________________________________________________________________________________
*** CID 1504580: (UNREACHABLE)
/testing/programs/ipcheck/ip_address_check.c: 396 in check_addresses_to()
390 const struct ip_info *type = IP_TYPE(t->family);
391
392 ip_address lo;
393 oops = ttoaddress_num(shunk1(t->lo), type, &lo);
394 if (oops != NULL) {
395 FAIL("ttoaddress_num(lo=%s) failed: %s", t->lo, oops);
>>> CID 1504580: (UNREACHABLE)
>>> This code cannot be reached: "continue;".
396 continue;
397 }
398
399 ip_address hi;
400 oops = ttoaddress_num(shunk1(t->hi), type, &hi);
401 if (oops != NULL) {
/testing/programs/ipcheck/ip_address_check.c: 403 in check_addresses_to()
397 }
398
399 ip_address hi;
400 oops = ttoaddress_num(shunk1(t->hi), type, &hi);
401 if (oops != NULL) {
402 FAIL("ttoaddress_num(hi=%s) failed: %s", t->hi, oops);
>>> CID 1504580: (UNREACHABLE)
>>> This code cannot be reached: "continue;".
403 continue;
404 }
405
406 ip_subnet s;
407 oops = addresses_to_nonzero_subnet(lo, hi, &s);
408 subnet_buf sb;
** CID 1504579: Control flow issues (DEADCODE)
/programs/pluto/ikev2_cookie.c: 161 in v2_rejected_initiator_cookie()
________________________________________________________________________________________________________
*** CID 1504579: Control flow issues (DEADCODE)
/programs/pluto/ikev2_cookie.c: 161 in v2_rejected_initiator_cookie()
155 return true; /* reject cookie */
156 }
157
158 /* done: !me_want_cookie && cookie_digest == NULL */
159 /* done: me_want_cookie && cookie_digest == NULL */
160 if (!pexpect(cookie_digest != NULL)) {
>>> CID 1504579: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return true;".
161 return true; /* reject cookie */
162 }
163
164 /*
165 * Check that the cookie notification is well constructed.
166 * Mainly for own sanity.
** CID 1504578: (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1504578: (FORWARD_NULL)
/programs/pluto/keys.c: 529 in authsig_and_log_using_pubkey()
523 stop = try_all_keys("preloaded", pluto_pubkeys, &s);
524 }
525
526 if (s.fatal_diag != NULL) {
527 LLOG_JAMBUF(RC_LOG_SERIOUS, ike->sa.st_logger, buf) {
528 jam(buf, "authentication aborted: problem with '");
>>> CID 1504578: (FORWARD_NULL)
>>> Passing null pointer "&s.key->id" to "jam_id", which dereferences it.
529 jam_id(buf, &s.key->id, jam_sanitized_bytes);
530 jam(buf, "': ");
531 jam_diag(buf, s.fatal_diag);
532 pfree_diag(&s.fatal_diag);
533 }
534 return STF_FATAL;
/programs/pluto/keys.c: 529 in authsig_and_log_using_pubkey()
523 stop = try_all_keys("preloaded", pluto_pubkeys, &s);
524 }
525
526 if (s.fatal_diag != NULL) {
527 LLOG_JAMBUF(RC_LOG_SERIOUS, ike->sa.st_logger, buf) {
528 jam(buf, "authentication aborted: problem with '");
>>> CID 1504578: (FORWARD_NULL)
>>> Passing null pointer "&s.key->id" to "jam_id", which dereferences it.
529 jam_id(buf, &s.key->id, jam_sanitized_bytes);
530 jam(buf, "': ");
531 jam_diag(buf, s.fatal_diag);
532 pfree_diag(&s.fatal_diag);
533 }
534 return STF_FATAL;
** CID 1504577: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 1504577: Uninitialized variables (UNINIT)
/programs/pluto/kernel.c: 2297 in setup_half_ipsec_sa()
2291 proto_info[i].mode =
2292 st->st_ah.attrs.mode;
2293 proto_info[i].reqid = reqid_ah(c->spd.reqid);
2294 i++;
2295 }
2296
>>> CID 1504577: Uninitialized variables (UNINIT)
>>> Using uninitialized value "proto_info[0].proto" when calling "DBG_log".
2297 dbg("%s() before proto %d", __func__, proto_info[0].proto);
2298 /* ??? setting .proto to 0, an invalid value. See /usr/include/linux/in.h. */
2299 proto_info[i].proto = 0;
2300
2301 /*
2302 * ??? why is mode overwritten ONLY if true
** CID 1504576: (FORWARD_NULL)
/programs/pluto/host_pair.c: 179 in find_host_pair()
/programs/pluto/host_pair.c: 189 in find_host_pair()
/programs/pluto/host_pair.c: 167 in find_host_pair()
________________________________________________________________________________________________________
*** CID 1504576: (FORWARD_NULL)
/programs/pluto/host_pair.c: 179 in find_host_pair()
173 /* now try to match */
174
175 if (address_is_specified(remote) &&
176 address_eq_address(remote, hp->remote)) {
177 connection_buf cb;
178 address_buf lb, rb;
>>> CID 1504576: (FORWARD_NULL)
>>> Dereferencing null pointer "hp->connections".
179 dbg("host_pair: %s->%s exactly matches connection "PRI_CONNECTION,
180 str_address(&local, &lb), str_address(&remote, &rb),
181 pri_connection(hp->connections, &cb));
182 return hp;
183 }
184
/programs/pluto/host_pair.c: 189 in find_host_pair()
183 }
184
185 if (!address_is_specified(remote) &&
186 !address_is_specified(hp->remote)) {
187 connection_buf cb;
188 address_buf lb, rb;
>>> CID 1504576: (FORWARD_NULL)
>>> Dereferencing null pointer "hp->connections".
189 dbg("host_pair: %s->%s any matched connection="PRI_CONNECTION,
190 str_address(&local, &lb), str_address(&remote, &rb),
191 pri_connection(hp->connections, &cb));
192 return hp;
193 }
194 }
/programs/pluto/host_pair.c: 167 in find_host_pair()
161 continue;
162 }
163
164 if (!address_eq_address(hp->local, local)) {
165 address_buf lb;
166 connection_buf cb;
>>> CID 1504576: (FORWARD_NULL)
>>> Dereferencing null pointer "hp->connections".
167 dbg("host_pair: local %s does not match connection="PRI_CONNECTION,
168 str_address(&local, &lb),
169 pri_connection(hp->connections, &cb));
170 continue;
171 }
172
** CID 1504575: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1504575: Null pointer dereferences (FORWARD_NULL)
/programs/pluto/ikev2_parent.c: 2278 in ikev2_in_IKE_SA_INIT_R_or_IKE_INTERMEDIATE_R_out_IKE_AUTH_I_signature_continue()
2272 * generate NO_PPK_AUTH as well as PPK-based AUTH payload
2273 */
2274 if (ike->sa.st_seen_ppk) {
2275 chunk_t *ppk_id;
2276 get_connection_ppk(ike->sa.st_connection, &ppk_id);
2277 struct ppk_id_payload ppk_id_p = { .type = 0, };
>>> CID 1504575: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "ppk_id" to "create_ppk_id_payload", which dereferences it.
2278 create_ppk_id_payload(ppk_id, &ppk_id_p);
2279 if (DBGP(DBG_BASE)) {
2280 DBG_log("ppk type: %d", (int) ppk_id_p.type);
2281 DBG_dump_hunk("ppk_id from payload:", ppk_id_p.ppk_id);
2282 }
2283
** CID 1504574: Control flow issues (DEADCODE)
/programs/pluto/unpack.c: 99 in unpack_peer_id()
________________________________________________________________________________________________________
*** CID 1504574: Control flow issues (DEADCODE)
/programs/pluto/unpack.c: 99 in unpack_peer_id()
93
94 /* ident types mostly match between IKEv1 and IKEv2 */
95 case ID_IPV4_ADDR:
96 case ID_IPV6_ADDR:
97 {
98 /* failure mode for initaddr is probably inappropriate address length */
>>> CID 1504574: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "NULL" inside this statement: "afi = ((kind == ID_IPV4_ADD...".
99 const struct ip_info *afi = (kind == ID_IPV4_ADDR ? &ipv4_info :
100 kind == ID_IPV6_ADDR ? &ipv6_info :
101 NULL);
102 struct pbs_in in_pbs = *id_pbs;
103 diag_t d = pbs_in_address(&in_pbs, &peer->ip_addr, afi, "peer ID");
104 if (d != NULL) {
** CID 1504573: Possible Control flow issues (DEADCODE)
/programs/pluto/kernel_xfrm.c: 1761 in netlink_acquire()
________________________________________________________________________________________________________
*** CID 1504573: Possible Control flow issues (DEADCODE)
/programs/pluto/kernel_xfrm.c: 1761 in netlink_acquire()
1755 llog(RC_LOG, logger,
1756 "Acquire message for unknown sec_label LSM %d; ignoring Acquire message",
1757 xuctx->ctx_alg);
1758 return;
1759 }
1760 if (uctx != NULL) {
>>> CID 1504573: Possible Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "llog(RC_LOG, logger, "Secon...".
1761 llog(RC_LOG, logger,
1762 "Second sec_label in a single Acquire message; ignoring Acquire message");
1763 return;
1764 }
1765
1766 /*
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yq8aBKViEpsZ9KPFMeJd7kKMDjyzu82COVFw1h1aYx-2FtFrefiPxkohPqZgI7DsTRPR5L954NuJuE0J6c4ee-2B5kYDzpO_Cir5ZFqEb-2Fpy-2FZDdTxjwNXxDWd37ZfwlkdBT1REyQ3-2FChWXBFJ4mUEaB-2BFweUkEp7UOUR04UaOaf1H6xfwxbkzVUlr7fRta-2Fya38vcPgQoKauTCdtW7AmmXPflYVh1QRPOKbhDVA152RQRFAjWjOWV7UXJaYmTdOz7efiZc2LQbxzor2Y9-2BOzt2i8H6hbTCy-2FJFFVEtuthuTgViKyRx2U5BTSQ9N6dlZW4y0iwfKUU0-3D