[Swan-dev] New Defects reported by Coverity Scan for antonyantony/libreswan
scan-admin at coverity.com
Fri Aug 12 01:51:08 EEST 2022
Hi,
Please find the latest report on new defect(s) introduced to antonyantony/libreswan found with Coverity Scan.
5 new defect(s) introduced to antonyantony/libreswan found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)
** CID 1519489: Memory - corruptions (OVERRUN)
/programs/pluto/connections.c: 3833 in show_one_connection()
________________________________________________________________________________________________________
*** CID 1519489: Memory - corruptions (OVERRUN)
/programs/pluto/connections.c: 3833 in show_one_connection()
3827 char instance[32];
3828 char mtustr[8];
3829 char sapriostr[13];
3830 char satfcstr[13];
3831 char nflogstr[8];
3832 char markstr[2 * (2 * strlen("0xffffffff") + strlen("/")) + strlen(", ") ];
>>> CID 1519489: Memory - corruptions (OVERRUN)
>>> Allocating insufficient memory for the terminating null of the string.
3833 char bytesbuf[strlen(" 18446744073709551616 ") + strlen(" Ki B ")];
3834 char packetsbuf[sizeof(bytesbuf)];
3835
3836 if (oriented(c)) {
3837 if (c->xfrmi != NULL && c->xfrmi->name != NULL) {
3838 char *n = jam_str(ifnstr, sizeof(ifnstr),
** CID 1519488: Security best practices violations (DC.WEAK_CRYPTO)
/programs/pluto/rekeyfuzz.c: 32 in fuzz_margin()
________________________________________________________________________________________________________
*** CID 1519488: Security best practices violations (DC.WEAK_CRYPTO)
/programs/pluto/rekeyfuzz.c: 32 in fuzz_margin()
26 * Important policy lies buried here. For example, we favour the
27 * initiator over the responder by making the initiator start
28 * rekeying sooner.
29 */
30
31 if (initiator) {
>>> CID 1519488: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
32 marg += marg * fuzz / 100.E0 * (rand() / (RAND_MAX + 1.E0));
33 } else {
34 marg /= 2;
35 }
36
37 return marg;
** CID 1519487: Memory - corruptions (OVERRUN)
/programs/pluto/state.c: 2072 in jam_state_traffic()
________________________________________________________________________________________________________
*** CID 1519487: Memory - corruptions (OVERRUN)
/programs/pluto/state.c: 2072 in jam_state_traffic()
2066 unsigned outb = (st->st_esp.present ? st->st_esp.peer_bytes :
2067 st->st_ah.present ? st->st_ah.peer_bytes :
2068 st->st_ipcomp.present ? st->st_ipcomp.peer_bytes : 0);
2069 jam(buf, ", outBytes=%u", outb);
2070
2071 if (c->sa_ipsec_max_bytes != 0) {
>>> CID 1519487: Memory - corruptions (OVERRUN)
>>> Allocating insufficient memory for the terminating null of the string.
2072 char bytesbuf[strlen(" 18446744073709551616 ") + strlen(" Ki B ")];
2073 readable_humber(c->sa_ipsec_max_bytes, bytesbuf, bytesbuf + sizeof(bytesbuf), "", "B");
2074 jam(buf, ", maxBytes=%s", bytesbuf);
2075 }
2076 }
2077
** CID 1519486: Null pointer dereferences (FORWARD_NULL)
/lib/libswan/pubkey_ecdsa.c: 83 in ECDSA_ipseckey_rdata_to_pubkey_content()
________________________________________________________________________________________________________
*** CID 1519486: Null pointer dereferences (FORWARD_NULL)
/lib/libswan/pubkey_ecdsa.c: 83 in ECDSA_ipseckey_rdata_to_pubkey_content()
77 * The raw IPSECKEY_PUBKEY, which could come from the
78 * internet or a config file, can include the
79 * EC_POINT_FORM_UNCOMPRESSED prefix.
80 *
81 * Allow for and strip that off when necessary.
82 */
>>> CID 1519486: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "group".
83 if (group->nss_adds_ec_point_form_uncompressed &&
84 ipseckey_pubkey.len == (*e)->bytes + 1 &&
85 ipseckey_pubkey_ptr[0] == EC_POINT_FORM_UNCOMPRESSED) {
86 /* ignore prefix */
87 raw = shunk2(ipseckey_pubkey_ptr + 1, ipseckey_pubkey.len - 1);
88 group = (*e);
** CID 1491589: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1491589: Memory - corruptions (OVERRUN)
/programs/pluto/kernel_xfrm.c: 2016 in netlink_policy_expire()
2010 req.id.index = upe->pol.index;
2011 req.n.nlmsg_flags = NLM_F_REQUEST;
2012 req.n.nlmsg_type = XFRM_MSG_GETPOLICY;
2013 req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
2014
2015 int recv_errno;
>>> CID 1491589: Memory - corruptions (OVERRUN)
>>> Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 79 using argument "req.n.nlmsg_len" (which evaluates to 80).
2016 if (!sendrecv_xfrm_msg(&req.n, XFRM_MSG_NEWPOLICY, &rsp,
2017 "Get policy", "?",
2018 &recv_errno, logger)) {
2019 dbg("netlink_policy_expire: policy died on us: dir=%d, index=%d",
2020 req.id.dir, req.id.index);
2021 } else if (rsp.n.nlmsg_len < NLMSG_LENGTH(sizeof(rsp.u.pol))) {
________________________________________________________________________________________________________