[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] Fwd: New Defects reported by Coverity Scan for GNU Wget
From: |
Juaristi Álamos , Ander |
Subject: |
Re: [Bug-wget] Fwd: New Defects reported by Coverity Scan for GNU Wget |
Date: |
Wed, 9 Dec 2015 14:41:26 +0000 |
Darshit, could you test if these fixes pass the Coverity tests?
I'm not particularly sure of the HSTS fix.
Regards,
- AJ
On Sun, 2015-12-06 at 22:45 +0100, Darshit Shah wrote:
> ---------- Forwarded message ----------
> From: <address@hidden>
> Date: 6 December 2015 at 22:39
> Subject: New Defects reported by Coverity Scan for GNU Wget
> To: address@hidden
>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to GNU Wget
> found with Coverity Scan.
>
> 6 new defect(s) introduced to GNU Wget found with Coverity Scan.
>
>
> New defect(s) Reported-by: Coverity Scan
> Showing 6 of 6 defect(s)
>
>
> ** CID 1341706: (RESOURCE_LEAK)
> /src/ftp.c: 1518 in getftp()
> /src/ftp.c: 1528 in getftp()
> /src/ftp.c: 1518 in getftp()
> /src/ftp.c: 1518 in getftp()
>
>
> ________________________________________________________________________________________________________
> *** CID 1341706: (RESOURCE_LEAK)
> /src/ftp.c: 1518 in getftp()
> 1512 logputs (LOG_NOTQUIET, "Server does not want to
> resume the SSL session. Trying with a new one.\n");
> 1513 if (!ssl_connect_wget (dtsock, u->host, NULL))
> 1514 {
> 1515 fd_close (csock);
> 1516 fd_close (dtsock);
> 1517 logputs (LOG_NOTQUIET, "Could not perform SSL
> handshake.\n");
> >>> CID 1341706: (RESOURCE_LEAK)
> >>> Variable "fp" going out of scope leaks the storage it points to.
> 1518 return CONERROR;
> 1519 }
> 1520 }
> 1521 else
> 1522 logputs (LOG_NOTQUIET, "Resuming SSL session in data
> connection.\n");
> 1523
> /src/ftp.c: 1528 in getftp()
> 1522 logputs (LOG_NOTQUIET, "Resuming SSL session in data
> connection.\n");
> 1523
> 1524 if (!ssl_check_certificate (dtsock, u->host))
> 1525 {
> 1526 fd_close (csock);
> 1527 fd_close (dtsock);
> >>> CID 1341706: (RESOURCE_LEAK)
> >>> Variable "fp" going out of scope leaks the storage it points to.
> 1528 return CONERROR;
> 1529 }
> 1530 }
> 1531 #endif
> 1532
> 1533 /* Get the contents of the document. */
> /src/ftp.c: 1518 in getftp()
> 1512 logputs (LOG_NOTQUIET, "Server does not want to
> resume the SSL session. Trying with a new one.\n");
> 1513 if (!ssl_connect_wget (dtsock, u->host, NULL))
> 1514 {
> 1515 fd_close (csock);
> 1516 fd_close (dtsock);
> 1517 logputs (LOG_NOTQUIET, "Could not perform SSL
> handshake.\n");
> >>> CID 1341706: (RESOURCE_LEAK)
> >>> Variable "fp" going out of scope leaks the storage it points to.
> 1518 return CONERROR;
> 1519 }
> 1520 }
> 1521 else
> 1522 logputs (LOG_NOTQUIET, "Resuming SSL session in data
> connection.\n");
> 1523
> /src/ftp.c: 1518 in getftp()
> 1512 logputs (LOG_NOTQUIET, "Server does not want to
> resume the SSL session. Trying with a new one.\n");
> 1513 if (!ssl_connect_wget (dtsock, u->host, NULL))
> 1514 {
> 1515 fd_close (csock);
> 1516 fd_close (dtsock);
> 1517 logputs (LOG_NOTQUIET, "Could not perform SSL
> handshake.\n");
> >>> CID 1341706: (RESOURCE_LEAK)
> >>> Variable "fp" going out of scope leaks the storage it points to.
> 1518 return CONERROR;
> 1519 }
> 1520 }
> 1521 else
> 1522 logputs (LOG_NOTQUIET, "Resuming SSL session in data
> connection.\n");
> 1523
>
> ** CID 1341705: Security best practices violations (TOCTOU)
> /src/hsts.c: 479 in hsts_store_open()
>
>
> ________________________________________________________________________________________________________
> *** CID 1341705: Security best practices violations (TOCTOU)
> /src/hsts.c: 479 in hsts_store_open()
> 473
> 474 if (file_exists_p (filename))
> 475 {
> 476 if (stat (filename, &st) == 0)
> 477 store->last_mtime = st.st_mtime;
> 478
> >>> CID 1341705: Security best practices violations (TOCTOU)
> >>> Calling function "fopen" that uses "filename" after a check function.
> >>> This can cause a time-of-check, time-of-use race condition.
> 479 fp = fopen (filename, "r");
> 480 if (!fp || !hsts_read_database (store, fp, false))
> 481 {
> 482 /* abort! */
> 483 hsts_store_close (store);
> 484 xfree (store);
>
> ** CID 1273467: API usage errors (BUFFER_SIZE)
> /lib/md5.c: 291 in md5_process_bytes()
>
>
> ________________________________________________________________________________________________________
> *** CID 1273467: API usage errors (BUFFER_SIZE)
> /lib/md5.c: 291 in md5_process_bytes()
> 285 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
> 286 left_over += len;
> 287 if (left_over >= 64)
> 288 {
> 289 md5_process_block (ctx->buffer, 64, ctx);
> 290 left_over -= 64;
> >>> CID 1273467: API usage errors (BUFFER_SIZE)
> >>> The source buffer "&ctx->buffer[16]" potentially overlaps with the
> >>> destination buffer "ctx->buffer", which results in undefined behavior for
> >>> memcpy.
> 291 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
> 292 }
> 293 ctx->buflen = left_over;
> 294 }
> 295 }
> 296
>
> ** CID 1273466: API usage errors (BUFFER_SIZE)
> /lib/sha256.c: 411 in sha256_process_bytes()
>
>
> ________________________________________________________________________________________________________
> *** CID 1273466: API usage errors (BUFFER_SIZE)
> /lib/sha256.c: 411 in sha256_process_bytes()
> 405 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
> 406 left_over += len;
> 407 if (left_over >= 64)
> 408 {
> 409 sha256_process_block (ctx->buffer, 64, ctx);
> 410 left_over -= 64;
> >>> CID 1273466: API usage errors (BUFFER_SIZE)
> >>> The source buffer "&ctx->buffer[16]" potentially overlaps with the
> >>> destination buffer "ctx->buffer", which results in undefined behavior for
> >>> memcpy.
> 411 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
> 412 }
> 413 ctx->buflen = left_over;
> 414 }
> 415 }
> 416
>
> ** CID 1273463: API usage errors (BUFFER_SIZE)
> /lib/sha1.c: 278 in sha1_process_bytes()
>
>
> ________________________________________________________________________________________________________
> *** CID 1273463: API usage errors (BUFFER_SIZE)
> /lib/sha1.c: 278 in sha1_process_bytes()
> 272 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
> 273 left_over += len;
> 274 if (left_over >= 64)
> 275 {
> 276 sha1_process_block (ctx->buffer, 64, ctx);
> 277 left_over -= 64;
> >>> CID 1273463: API usage errors (BUFFER_SIZE)
> >>> The source buffer "&ctx->buffer[16]" potentially overlaps with the
> >>> destination buffer "ctx->buffer", which results in undefined behavior for
> >>> memcpy.
> 278 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
> 279 }
> 280 ctx->buflen = left_over;
> 281 }
> 282 }
> 283
>
> ** CID 420711: Insecure data handling (INTEGER_OVERFLOW)
> /lib/str-two-way.h: 221 in critical_factorization()
>
>
> ________________________________________________________________________________________________________
> *** CID 420711: Insecure data handling (INTEGER_OVERFLOW)
> /lib/str-two-way.h: 221 in critical_factorization()
> 215 lexicographic suffix of 'a' works for 'bba', but not 'ab' for
> 216 'aab'. The shorter suffix of the two will always be a critical
> 217 factorization. */
> 218 if (max_suffix_rev + 1 < max_suffix + 1)
> 219 return max_suffix + 1;
> 220 *period = p;
> >>> CID 420711: Insecure data handling (INTEGER_OVERFLOW)
> >>> Overflowed or truncated value (or a value computed from an overflowed
> >>> or truncated value) "max_suffix_rev + 1UL" used as return value.
> 221 return max_suffix_rev + 1;
> 222 }
> 223
> 224 /* Return the first location of non-empty NEEDLE within HAYSTACK, or
> 225 NULL. HAYSTACK_LEN is the minimum known length of HAYSTACK. This
> 226 method is optimized for NEEDLE_LEN < LONG_NEEDLE_THRESHOLD.
>
>
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit,
> https://scan.coverity.com/projects/gnu-wget?tab=overview
>
> To manage Coverity Scan email notifications for "address@hidden",
> click
> https://scan.coverity.com/subscriptions/edit?email=darnir%40gmail.com&token=a247cf0e017fe1ea3e52680a7e0c1fcf
>
>
>
0001-Fix-Coverity-issues.patch
Description: 0001-Fix-Coverity-issues.patch