[Swan-dev] New Defects reported by Coverity Scan for antonyantony/libreswan
scan-admin at coverity.com
Fri Nov 11 13:50:58 EET 2022
Hi,
Please find the latest report on new defect(s) introduced to antonyantony/libreswan found with Coverity Scan.
4 new defect(s) introduced to antonyantony/libreswan found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)
** CID 1527292: (FORWARD_NULL)
/programs/pluto/ikev2_liveness.c: 251 in liveness_check()
________________________________________________________________________________________________________
*** CID 1527292: (FORWARD_NULL)
/programs/pluto/ikev2_liveness.c: 251 in liveness_check()
245 (child == NULL ? NULL :
246 child->sa.st_esp.present ? &child->sa.st_esp :
247 child->sa.st_ah.present ? &child->sa.st_ah :
248 child->sa.st_ipcomp.present ? &child->sa.st_ipcomp :
249 NULL);
250 if (get_ipsec_traffic(&child->sa, first_ipsec_proto, ENCAP_DIRECTION_INBOUND)) {
>>> CID 1527292: (FORWARD_NULL)
>>> Dereferencing null pointer "first_ipsec_proto".
251 if (recent_last_contact(child, now,
252 first_ipsec_proto->inbound.last_used,
253 "recent IPsec traffic")) {
254 return;
255 }
256 }
/programs/pluto/ikev2_liveness.c: 250 in liveness_check()
244 struct ipsec_proto_info *const first_ipsec_proto =
245 (child == NULL ? NULL :
246 child->sa.st_esp.present ? &child->sa.st_esp :
247 child->sa.st_ah.present ? &child->sa.st_ah :
248 child->sa.st_ipcomp.present ? &child->sa.st_ipcomp :
249 NULL);
>>> CID 1527292: (FORWARD_NULL)
>>> Passing null pointer "first_ipsec_proto" to "get_ipsec_traffic", which dereferences it.
250 if (get_ipsec_traffic(&child->sa, first_ipsec_proto, ENCAP_DIRECTION_INBOUND)) {
251 if (recent_last_contact(child, now,
252 first_ipsec_proto->inbound.last_used,
253 "recent IPsec traffic")) {
254 return;
255 }
** CID 1527291: Null pointer dereferences (REVERSE_INULL)
/programs/pluto/state.c: 956 in delete_state_tail()
________________________________________________________________________________________________________
*** CID 1527291: Null pointer dereferences (REVERSE_INULL)
/programs/pluto/state.c: 956 in delete_state_tail()
950 IS_CHILD_SA_ESTABLISHED(st)) {
951 /*
952 * XXX: should be iterating over ESP, AH, and IPCOMP
953 * fetching any that matter.
954 */
955 struct ipsec_proto_info *const first_ipsec_proto =
>>> CID 1527291: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "st" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
956 (st == NULL ? NULL :
957 st->st_esp.present ? &st->st_esp :
958 st->st_ah.present ? &st->st_ah :
959 st->st_ipcomp.present ? &st->st_ipcomp :
960 NULL);
961 passert(first_ipsec_proto != NULL);
** CID 1527290: Control flow issues (DEADCODE)
/programs/pluto/ikev2_liveness.c: 244 in liveness_check()
________________________________________________________________________________________________________
*** CID 1527290: Control flow issues (DEADCODE)
/programs/pluto/ikev2_liveness.c: 244 in liveness_check()
238 * XXX: But is this useful? Liveness should be checking
239 * round-trip but this is just looking at incoming data -
240 * outgoing data could lost and this traffic is all
241 * re-transmit requests ...
242 */
243
>>> CID 1527290: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "NULL" inside this statement: "first_ipsec_proto = ((child...".
244 struct ipsec_proto_info *const first_ipsec_proto =
245 (child == NULL ? NULL :
246 child->sa.st_esp.present ? &child->sa.st_esp :
247 child->sa.st_ah.present ? &child->sa.st_ah :
248 child->sa.st_ipcomp.present ? &child->sa.st_ipcomp :
249 NULL);
** CID 1527289: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1527289: Memory - corruptions (OVERRUN)
/programs/pluto/kernel_xfrm.c: 2258 in xfrm_get_kernel_state()
2252 req.id.family = address_info(sa->src.address)->af;
2253 req.id.proto = sa->proto->ipproto;
2254
2255 req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
2256
2257 int recv_errno;
>>> CID 1527289: Memory - corruptions (OVERRUN)
>>> Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 39 using argument "req.n.nlmsg_len" (which evaluates to 40).
2258 if (!sendrecv_xfrm_msg(&req.n, XFRM_MSG_NEWSA, &rsp,
2259 "Get SA", sa->story,
2260 &recv_errno, logger)) {
2261 return false;
2262 }
2263
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yq8aBKViEpsZ9KPFMeJd7kKMDjyzu82COVFw1h1aYx-2FtFrefiPxkohPqZgI7DsTRPR5L954NuJuE0J6c4ee-2B5kY7XlD_Cir5ZFqEb-2Fpy-2FZDdTxjwNXxDWd37ZfwlkdBT1REyQ3-2F0N3ggBsZEgw-2B01OIW-2FTwuR1EpBpMQmWv8C8U6f6M-2BoqWY2pRA6-2BrnnGaGmhR4tvBTARRyyR069OZWGct9waA-2FbkMpQm66vEI6gkqWhS71ykPiRzua3jZovY-2Fk9Kl-2FT8iPHlBL7VOUVRuqVIwlt0qdZCsnbCSlPSQAF60uMOHLTNtLDz5R63UH4Lv48n4LOkE-3D