<div dir="ltr"><div dir="ltr">I've removed the ones I think I fixed.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, 19 Sep 2020 at 18:10, <<a href="mailto:scan-admin@coverity.com">scan-admin@coverity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
Please find the latest report on new defect(s) introduced to antonyantony/libreswan found with Coverity Scan.<br>
<br>
13 new defect(s) introduced to antonyantony/libreswan found with Coverity Scan.<br>
6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.<br>
<br>
New defect(s) Reported-by: Coverity Scan<br>
Showing 13 of 13 defect(s)<br>
<br>
<br>
** CID 1497033:  Null pointer dereferences  (FORWARD_NULL)<br>
/programs/pluto/ikev2_message.c: 525 in encrypt_v2SK_payload()<br>
<br>
<br>
________________________________________________________________________________________________________<br>
*** CID 1497033:  Null pointer dereferences  (FORWARD_NULL)<br>
/programs/pluto/ikev2_message.c: 525 in encrypt_v2SK_payload()<br>
519                      * of the Payload header (four octets)<br>
520                      */<br>
521                     uint8_t *adj_payload_len_start = intermediate_auth.ptr + intermediate_auth.len - ADJ_PAYLOAD_LENGTH_SIZE;<br>
522                     uint16_t adj_payload_len = sk_data.len + SK_HEADER_SIZE;<br>
523                     DBG(DBG_CRYPT, DBG_log("adjusted payload length: %u", adj_payload_len));<br>
524                     adj_payload_len = (adj_payload_len << 8) | (adj_payload_len >> 8); /* adjust endianness */<br>
>>>     CID 1497033:  Null pointer dereferences  (FORWARD_NULL)<br>
>>>     Passing null pointer "adj_payload_len_start" to "memcpy", which dereferences it.<br>
525                     memcpy(adj_payload_len_start, &adj_payload_len, sizeof(uint8_t) * ADJ_PAYLOAD_LENGTH_SIZE);<br>
526                     /*<br>
527                      * Set the Adjusted Length field to the sum of length of IntAuth_*_A and<br>
528                      * IntAuth_*_P<br>
529                      */<br>
530                     uint8_t *adj_len_start = intermediate_auth.ptr + ADJ_LENGTH_OFFSET;<br>
<br>
** CID 1497032:  Uninitialized variables  (UNINIT)<br>
/programs/pluto/kernel_xfrm.c: 988 in migrate_xfrm_sa()<br>
<br>
<br>
________________________________________________________________________________________________________<br>
*** CID 1497032:  Uninitialized variables  (UNINIT)<br>
/programs/pluto/kernel_xfrm.c: 988 in migrate_xfrm_sa()<br>
982                     attr =  (struct rtattr *)((char *)&req + req.n.nlmsg_len);<br>
983                     attr->rta_type = XFRMA_MIGRATE;<br>
984                     attr->rta_len = sizeof(migrate);<br>
985     <br>
986                     set_migration_attr(sa, &migrate);<br>
987     <br>
>>>     CID 1497032:  Uninitialized variables  (UNINIT)<br>
>>>     Using uninitialized value "migrate". Field "migrate.reserved" is uninitialized when calling "memcpy".<br>
988                     memcpy(RTA_DATA(attr), &migrate, attr->rta_len);<br>
989                     attr->rta_len = RTA_LENGTH(attr->rta_len);<br>
990                     req.n.nlmsg_len += attr->rta_len;<br>
991             }<br>
992     <br>
993             if (sa->encap_type != NULL) {<br>
<br><br>
<br>
** CID 1497029:  Null pointer dereferences  (FORWARD_NULL)<br>
/programs/pluto/ikev1_spdb_struct.c: 145 in parse_secctx_attr()<br>
<br>
<br>
________________________________________________________________________________________________________<br>
*** CID 1497029:  Null pointer dereferences  (FORWARD_NULL)<br>
/programs/pluto/ikev1_spdb_struct.c: 145 in parse_secctx_attr()<br>
139             } else if (st->st_state->kind == STATE_QUICK_R0) {<br>
140                     /* ??? can this happen? */<br>
141                     /* ??? should we check that this label and first one match? */<br>
142                     DBG_log("Received sec ctx in responder state again: ignoring this one");<br>
143             } else if (st->st_state->kind == STATE_QUICK_I1) {<br>
144                     dbg("initiator state received security context from responder state, now verifying if both are same");<br>
>>>     CID 1497029:  Null pointer dereferences  (FORWARD_NULL)<br>
>>>     Passing null pointer "st->sec_ctx->sec_ctx_value" to "strcmp", which dereferences it.<br>
145                     if (streq(st->sec_ctx->sec_ctx_value, uctx.sec_ctx_value)) {<br>
146                             DBG_log("security contexts are verified in the initiator state");<br>
147                     } else {<br>
148                             loglog(RC_LOG_SERIOUS, "security context verification failed in the initiator state (shouldn't reach here unless responder (or something in between) is modifying the security context");<br>
149                             return FALSE;<br>
150                     }<br><br>
** CID 1497027:  Memory - corruptions  (OVERRUN)<br>
<br>
<br>
________________________________________________________________________________________________________<br>
*** CID 1497027:  Memory - corruptions  (OVERRUN)<br>
/programs/pluto/kernel_xfrm.c: 1013 in migrate_xfrm_sa()<br>
1007     <br>
1008                    memcpy(RTA_DATA(attr), &natt, sizeof(natt));<br>
1009     <br>
1010                    req.n.nlmsg_len += attr->rta_len;<br>
1011            }<br>
1012     <br>
>>>     CID 1497027:  Memory - corruptions  (OVERRUN)<br>
>>>     Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 187 using argument "req.n.nlmsg_len" (which evaluates to 188).<br>
1013            bool r = send_netlink_msg(&req.n, NLMSG_ERROR, &rsp, "mobike",<br>
1014                            sa->text_said);<br>
1015            if (!r)<br>
1016                    return FALSE;<br>
1017     <br>
1018            if (rsp.u.e.error < 0) {<br><br>
** CID 1497022:    (REVERSE_INULL)<br>
/programs/pluto/ikev1.c: 1155 in informational()<br>
/programs/pluto/ikev1.c: 1143 in informational()<br>
<br>
<br>
________________________________________________________________________________________________________<br>
*** CID 1497022:    (REVERSE_INULL)<br>
/programs/pluto/ikev1.c: 1155 in informational()<br>
1149                    }<br>
1150                    }<br>
1151            } else {<br>
1152                    /* warn if we didn't find any Delete or Notify payload in packet */<br>
1153                    if (md->chain[ISAKMP_NEXT_D] == NULL) {<br>
1154                            struct logger *logger = (st != NULL ? st->st_logger :<br>
>>>     CID 1497022:    (REVERSE_INULL)<br>
>>>     Null-checking "md" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.<br>
1155                                                     md != NULL ? md->md_logger :<br>
1156                                                     &failsafe_logger);<br>
1157                            log_message(RC_LOG_SERIOUS, logger,<br>
1158                                        "received and ignored empty informational notification payload");<br>
1159                    }<br>
1160                    return STF_IGNORE;<br>
/programs/pluto/ikev1.c: 1143 in informational()<br>
1137                                    close_any(&tmp_whack_sock);<br>
1138                            }<br>
1139                            return STF_IGNORE;<br>
1140                    default:<br>
1141                    {<br>
1142                            struct logger *logger = (st != NULL ? st->st_logger :<br>
>>>     CID 1497022:    (REVERSE_INULL)<br>
>>>     Null-checking "md" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.<br>
1143                                                     md != NULL ? md->md_logger :<br>
1144                                                     &failsafe_logger);<br>
1145                            log_message(RC_LOG_SERIOUS, logger,<br>
1146                                        "received and ignored notification payload: %s",<br>
1147                                        enum_name(&ikev1_notify_names, n->isan_type));<br>
1148                            return STF_IGNORE;<br><br>
</blockquote></div></div>