[Swan-dev] New Defects reported by Coverity Scan for antonyantony/libreswan

scan-admin at coverity.com
Fri Aug 12 01:51:08 EEST 2022


Hi,

Please find the latest report on new defect(s) introduced to antonyantony/libreswan found with Coverity Scan.

5 new defect(s) introduced to antonyantony/libreswan found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)


** CID 1519489:  Memory - corruptions  (OVERRUN)
/programs/pluto/connections.c: 3833 in show_one_connection()


________________________________________________________________________________________________________
*** CID 1519489:  Memory - corruptions  (OVERRUN)
/programs/pluto/connections.c: 3833 in show_one_connection()
3827     	char instance[32];
3828     	char mtustr[8];
3829     	char sapriostr[13];
3830     	char satfcstr[13];
3831     	char nflogstr[8];
3832     	char markstr[2 * (2 * strlen("0xffffffff") + strlen("/")) + strlen(", ") ];
>>>     CID 1519489:  Memory - corruptions  (OVERRUN)
>>>     Allocating insufficient memory for the terminating null of the string.
3833     	char bytesbuf[strlen(" 18446744073709551616 ") + strlen(" Ki B ")];
3834     	char packetsbuf[sizeof(bytesbuf)];
3835     
3836     	if (oriented(c)) {
3837     		if (c->xfrmi != NULL && c->xfrmi->name != NULL) {
3838     			char *n = jam_str(ifnstr, sizeof(ifnstr),

** CID 1519488:  Security best practices violations  (DC.WEAK_CRYPTO)
/programs/pluto/rekeyfuzz.c: 32 in fuzz_margin()


________________________________________________________________________________________________________
*** CID 1519488:  Security best practices violations  (DC.WEAK_CRYPTO)
/programs/pluto/rekeyfuzz.c: 32 in fuzz_margin()
26     	 * Important policy lies buried here. For example, we favour the
27     	 * initiator over the responder by making the initiator start
28     	 * rekeying sooner.
29     	 */
30     
31     	if (initiator) {
>>>     CID 1519488:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
32     		marg += marg * fuzz / 100.E0 * (rand() / (RAND_MAX + 1.E0));
33     	} else {
34     		marg /= 2;
35     	}
36     
37     	return marg;

** CID 1519487:  Memory - corruptions  (OVERRUN)
/programs/pluto/state.c: 2072 in jam_state_traffic()


________________________________________________________________________________________________________
*** CID 1519487:  Memory - corruptions  (OVERRUN)
/programs/pluto/state.c: 2072 in jam_state_traffic()
2066     		unsigned outb = (st->st_esp.present ? st->st_esp.peer_bytes :
2067     				 st->st_ah.present ? st->st_ah.peer_bytes :
2068     				 st->st_ipcomp.present ? st->st_ipcomp.peer_bytes : 0);
2069     		jam(buf, ", outBytes=%u", outb);
2070     
2071     		if (c->sa_ipsec_max_bytes != 0) {
>>>     CID 1519487:  Memory - corruptions  (OVERRUN)
>>>     Allocating insufficient memory for the terminating null of the string.
2072     			char bytesbuf[strlen(" 18446744073709551616 ") + strlen(" Ki B ")];
2073     			readable_humber(c->sa_ipsec_max_bytes, bytesbuf, bytesbuf + sizeof(bytesbuf), "", "B");
2074     			jam(buf, ", maxBytes=%s", bytesbuf);
2075     		}
2076     	}
2077     

** CID 1519486:  Null pointer dereferences  (FORWARD_NULL)
/lib/libswan/pubkey_ecdsa.c: 83 in ECDSA_ipseckey_rdata_to_pubkey_content()


________________________________________________________________________________________________________
*** CID 1519486:  Null pointer dereferences  (FORWARD_NULL)
/lib/libswan/pubkey_ecdsa.c: 83 in ECDSA_ipseckey_rdata_to_pubkey_content()
77     		 * The raw IPSECKEY_PUBKEY, which could come from the
78     		 * internet or a config file, can include the
79     		 * EC_POINT_FORM_UNCOMPRESSED prefix.
80     		 *
81     		 * Allow for and strip that off when necessary.
82     		 */
>>>     CID 1519486:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "group".
83     		if (group->nss_adds_ec_point_form_uncompressed &&
84     		    ipseckey_pubkey.len == (*e)->bytes + 1 &&
85     		    ipseckey_pubkey_ptr[0] == EC_POINT_FORM_UNCOMPRESSED) {
86     			/* ignore prefix */
87     			raw = shunk2(ipseckey_pubkey_ptr + 1, ipseckey_pubkey.len - 1);
88     			group = (*e);

** CID 1491589:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1491589:  Memory - corruptions  (OVERRUN)
/programs/pluto/kernel_xfrm.c: 2016 in netlink_policy_expire()
2010     	req.id.index = upe->pol.index;
2011     	req.n.nlmsg_flags = NLM_F_REQUEST;
2012     	req.n.nlmsg_type = XFRM_MSG_GETPOLICY;
2013     	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
2014     
2015     	int recv_errno;
>>>     CID 1491589:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 79 using argument "req.n.nlmsg_len" (which evaluates to 80).
2016     	if (!sendrecv_xfrm_msg(&req.n, XFRM_MSG_NEWPOLICY, &rsp,
2017     			       "Get policy", "?",
2018     			       &recv_errno, logger)) {
2019     		dbg("netlink_policy_expire: policy died on us: dir=%d, index=%d",
2020     		    req.id.dir, req.id.index);
2021     	} else if (rsp.n.nlmsg_len < NLMSG_LENGTH(sizeof(rsp.u.pol))) {


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yq8aBKViEpsZ9KPFMeJd7kKMDjyzu82COVFw1h1aYx-2FtFrefiPxkohPqZgI7DsTRPR5L954NuJuE0J6c4ee-2B5kY-eB-_Cir5ZFqEb-2Fpy-2FZDdTxjwNXxDWd37ZfwlkdBT1REyQ39-2FHIeKX8QxWi96mkoitjeTyxisBX8MHGQJqWKUyRpIAgu3iW8QlFURJfaM3IMHn-2BRtBgG7Lqq-2BOlkHoFBy0-2BW-2BIYv-2BL2WXXjCrtsqhRzm45CjVsgWff8Ehe6XpLighldXahP3M4Tr8U19he3nzE1kBpnqFGYdXJ5e0DElhqo1n97i6Yu9y3fQ8DxSDM0W-2BwGk-3D

  To manage Coverity Scan email notifications for "swan-dev at lists.libreswan.org", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxUzCfl-2FUi6sRJtnGH1-2FWXEIl9xkb2JliKiAkqgdujeIgWYvUCIHO1g-2Ba8I-2B0nANYHmrw9-2B13a9hJ7YOPZRdlHcEQfoMvDvjqsfrRNzFQ8lscduvXP5RLkPig71dIKudxizikG_Cir5ZFqEb-2Fpy-2FZDdTxjwNXxDWd37ZfwlkdBT1REyQ39-2FHIeKX8QxWi96mkoitjeTyxisBX8MHGQJqWKUyRpIArxLNotudWUlaTyHiy5RMCV-2FloF7JJzGIyoOemnfvS56p6LtpupAmcmPAYZ6unD2SmS7RjMOaRI-2FuOcEcKSSWdJWaqMs12A3lSEMlW4IjgC-2F7tyJSGVV1ReFv0pK-2BzTOCeeyG1DNM2QFlz0YtP1RkaU-3D
