[Swan-dev] Coverity detects apparent problem with ikev2_send_cert

Andrew Cagney andrew.cagney at gmail.com
Tue May 18 03:19:25 UTC 2021


On Sat, 8 May 2021 at 23:14, D. Hugh Redelmeier <hugh at mimosa.com> wrote:

> This report appears accurate.
>
> | 1234          const struct cert *mycert = c->spd.this.cert.nss_cert != NULL ? &c->spd.this.cert : NULL;
>
> It sure looks as if it can leave mycert == NULL.
>
> | 1240                  SECItem *pkcs7 = nss_pkcs7_blob(mycert, send_full_chain);
>
> This passes mycert to nss_pkcs7_blob.  That routine unconditionally
> dereferences that argument.
>

Here's some more context:

        if (impair.send_pkcs7_thingie) {
                llog(RC_LOG, outpbs->outs_logger, "IMPAIR: sending cert as PKCS7 blob");
                SECItem *pkcs7 = nss_pkcs7_blob(mycert, send_full_chain);
                if (!pexpect(pkcs7 != NULL)) {
                        return STF_INTERNAL_ERROR;
                }

so yes, it could NPE but only after whack --impair send-pkcs7-thingie.  I
added a passert().


> I don't know the right fix -- I don't understand the code.
>
> | From: scan-admin at coverity.com
> | Date: Fri, 07 May 2021 22:08:57 +0000 (UTC)
> | Subject: New Defects reported by Coverity Scan for antonyantony/libreswan
>
> | ** CID 1504631:  Null pointer dereferences  (FORWARD_NULL)
> |
> |
> |
> ________________________________________________________________________________________________________
> | *** CID 1504631:  Null pointer dereferences  (FORWARD_NULL)
> | /programs/pluto/x509.c: 1240 in ikev2_send_cert()
> | 1234          const struct cert *mycert = c->spd.this.cert.nss_cert != NULL ? &c->spd.this.cert : NULL;
> | 1235          bool send_authcerts = c->send_ca != CA_SEND_NONE;
> | 1236          bool send_full_chain = send_authcerts && c->send_ca == CA_SEND_ALL;
> | 1237
> | 1238          if (impair.send_pkcs7_thingie) {
> | 1239                  llog(RC_LOG, outpbs->outs_logger, "IMPAIR: sending cert as PKCS7 blob");
> | >>>     CID 1504631:  Null pointer dereferences  (FORWARD_NULL)
> | >>>     Passing null pointer "mycert" to "nss_pkcs7_blob", which dereferences it.
> | 1240                  SECItem *pkcs7 = nss_pkcs7_blob(mycert, send_full_chain);
> | 1241                  if (!pexpect(pkcs7 != NULL)) {
> | 1242                          return STF_INTERNAL_ERROR;
> | 1243                  }
> | 1244                  struct ikev2_cert pkcs7_hdr = {
> | 1245                          .isac_critical = build_ikev2_critical(false, outpbs->outs_logger),
> |
> |
> |
> ________________________________________________________________________________________________________
>
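
Added example, not part of the original message and not libreswan source: a minimal C model of the FORWARD_NULL pattern in the report, with the NULL check placed before the dereferencing call. All types and names (struct end, blob_len, expect, send_cert) are stand-ins, and the guard returns an error in the style of the quoted pexpect() line rather than aborting, which is an assumption made so the outcome can be observed.

```c
/* Added illustration: stand-in types and names, not libreswan source. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct cert { const char *nss_cert; };       /* stand-in for the real cert */
struct end  { struct cert cert; };
enum status { STF_OK, STF_INTERNAL_ERROR };  /* constructed status codes */

/* Callee that, like the routine in the report, dereferences unconditionally. */
static size_t blob_len(const struct cert *c)
{
	size_t n = 0;
	while (c->nss_cert[n] != '\0')
		n++;
	return n;
}

/* Soft assertion: log the failed expectation and report it to the caller. */
static bool expect(bool ok, const char *what)
{
	if (!ok)
		fprintf(stderr, "EXPECTATION FAILED: %s\n", what);
	return ok;
}

/* Same shape as the flagged code: the ternary can yield NULL, and only the
 * impaired branch hands the pointer to the dereferencing callee. */
enum status send_cert(const struct end *e, bool impair_pkcs7, size_t *len)
{
	const struct cert *mycert = e->cert.nss_cert != NULL ? &e->cert : NULL;
	*len = 0;
	if (impair_pkcs7) {
		if (!expect(mycert != NULL, "mycert != NULL"))
			return STF_INTERNAL_ERROR;   /* guard placed before the call */
		*len = blob_len(mycert);
	}
	return STF_OK;
}

int main(void)
{
	struct end none = { { NULL } }, some = { { "constructed-cert" } };
	size_t len;
	printf("no cert, impaired: %d\n", send_cert(&none, true, &len));
	printf("cert, impaired:    %d len=%zu\n", send_cert(&some, true, &len), len);
	return 0;
}
```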