bug-wget

Re: [Bug-wget] Fwd: New Defects reported by Coverity Scan for GNU Wget


From: Juaristi Álamos, Ander
Subject: Re: [Bug-wget] Fwd: New Defects reported by Coverity Scan for GNU Wget
Date: Wed, 9 Dec 2015 14:41:26 +0000

Darshit, could you test if these fixes pass the Coverity tests?
I'm not particularly sure of the HSTS fix.

Regards,
- AJ

On Sun, 2015-12-06 at 22:45 +0100, Darshit Shah wrote:
> ---------- Forwarded message ----------
> From:  <address@hidden>
> Date: 6 December 2015 at 22:39
> Subject: New Defects reported by Coverity Scan for GNU Wget
> To: address@hidden
> 
> 
> 
> Hi,
> 
> Please find the latest report on new defect(s) introduced to GNU Wget
> found with Coverity Scan.
> 
> 6 new defect(s) introduced to GNU Wget found with Coverity Scan.
> 
> 
> New defect(s) Reported-by: Coverity Scan
> Showing 6 of 6 defect(s)
> 
> 
> ** CID 1341706:    (RESOURCE_LEAK)
> /src/ftp.c: 1518 in getftp()
> /src/ftp.c: 1528 in getftp()
> /src/ftp.c: 1518 in getftp()
> /src/ftp.c: 1518 in getftp()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1341706:    (RESOURCE_LEAK)
> /src/ftp.c: 1518 in getftp()
> 1512                 logputs (LOG_NOTQUIET, "Server does not want to
> resume the SSL session. Trying with a new one.\n");
> 1513               if (!ssl_connect_wget (dtsock, u->host, NULL))
> 1514                 {
> 1515                   fd_close (csock);
> 1516                   fd_close (dtsock);
> 1517                   logputs (LOG_NOTQUIET, "Could not perform SSL
> handshake.\n");
> >>>     CID 1341706:    (RESOURCE_LEAK)
> >>>     Variable "fp" going out of scope leaks the storage it points to.
> 1518                   return CONERROR;
> 1519                 }
> 1520             }
> 1521           else
> 1522             logputs (LOG_NOTQUIET, "Resuming SSL session in data
> connection.\n");
> 1523
> /src/ftp.c: 1528 in getftp()
> 1522             logputs (LOG_NOTQUIET, "Resuming SSL session in data
> connection.\n");
> 1523
> 1524           if (!ssl_check_certificate (dtsock, u->host))
> 1525             {
> 1526               fd_close (csock);
> 1527               fd_close (dtsock);
> >>>     CID 1341706:    (RESOURCE_LEAK)
> >>>     Variable "fp" going out of scope leaks the storage it points to.
> 1528               return CONERROR;
> 1529             }
> 1530         }
> 1531     #endif
> 1532
> 1533       /* Get the contents of the document.  */
> /src/ftp.c: 1518 in getftp()
> 1512                 logputs (LOG_NOTQUIET, "Server does not want to
> resume the SSL session. Trying with a new one.\n");
> 1513               if (!ssl_connect_wget (dtsock, u->host, NULL))
> 1514                 {
> 1515                   fd_close (csock);
> 1516                   fd_close (dtsock);
> 1517                   logputs (LOG_NOTQUIET, "Could not perform SSL
> handshake.\n");
> >>>     CID 1341706:    (RESOURCE_LEAK)
> >>>     Variable "fp" going out of scope leaks the storage it points to.
> 1518                   return CONERROR;
> 1519                 }
> 1520             }
> 1521           else
> 1522             logputs (LOG_NOTQUIET, "Resuming SSL session in data
> connection.\n");
> 1523
> /src/ftp.c: 1518 in getftp()
> 1512                 logputs (LOG_NOTQUIET, "Server does not want to
> resume the SSL session. Trying with a new one.\n");
> 1513               if (!ssl_connect_wget (dtsock, u->host, NULL))
> 1514                 {
> 1515                   fd_close (csock);
> 1516                   fd_close (dtsock);
> 1517                   logputs (LOG_NOTQUIET, "Could not perform SSL
> handshake.\n");
> >>>     CID 1341706:    (RESOURCE_LEAK)
> >>>     Variable "fp" going out of scope leaks the storage it points to.
> 1518                   return CONERROR;
> 1519                 }
> 1520             }
> 1521           else
> 1522             logputs (LOG_NOTQUIET, "Resuming SSL session in data
> connection.\n");
> 1523
> 
> ** CID 1341705:  Security best practices violations  (TOCTOU)
> /src/hsts.c: 479 in hsts_store_open()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1341705:  Security best practices violations  (TOCTOU)
> /src/hsts.c: 479 in hsts_store_open()
> 473
> 474       if (file_exists_p (filename))
> 475         {
> 476           if (stat (filename, &st) == 0)
> 477             store->last_mtime = st.st_mtime;
> 478
> >>>     CID 1341705:  Security best practices violations  (TOCTOU)
> >>>     Calling function "fopen" that uses "filename" after a check function. 
> >>> This can cause a time-of-check, time-of-use race condition.
> 479           fp = fopen (filename, "r");
> 480           if (!fp || !hsts_read_database (store, fp, false))
> 481             {
> 482               /* abort! */
> 483               hsts_store_close (store);
> 484               xfree (store);
> 
> ** CID 1273467:  API usage errors  (BUFFER_SIZE)
> /lib/md5.c: 291 in md5_process_bytes()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1273467:  API usage errors  (BUFFER_SIZE)
> /lib/md5.c: 291 in md5_process_bytes()
> 285           memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
> 286           left_over += len;
> 287           if (left_over >= 64)
> 288             {
> 289               md5_process_block (ctx->buffer, 64, ctx);
> 290               left_over -= 64;
> >>>     CID 1273467:  API usage errors  (BUFFER_SIZE)
> >>>     The source buffer "&ctx->buffer[16]" potentially overlaps with the 
> >>> destination buffer "ctx->buffer", which results in undefined behavior for 
> >>> memcpy.
> 291               memcpy (ctx->buffer, &ctx->buffer[16], left_over);
> 292             }
> 293           ctx->buflen = left_over;
> 294         }
> 295     }
> 296
> 
> ** CID 1273466:  API usage errors  (BUFFER_SIZE)
> /lib/sha256.c: 411 in sha256_process_bytes()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1273466:  API usage errors  (BUFFER_SIZE)
> /lib/sha256.c: 411 in sha256_process_bytes()
> 405           memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
> 406           left_over += len;
> 407           if (left_over >= 64)
> 408             {
> 409               sha256_process_block (ctx->buffer, 64, ctx);
> 410               left_over -= 64;
> >>>     CID 1273466:  API usage errors  (BUFFER_SIZE)
> >>>     The source buffer "&ctx->buffer[16]" potentially overlaps with the 
> >>> destination buffer "ctx->buffer", which results in undefined behavior for 
> >>> memcpy.
> 411               memcpy (ctx->buffer, &ctx->buffer[16], left_over);
> 412             }
> 413           ctx->buflen = left_over;
> 414         }
> 415     }
> 416
> 
> ** CID 1273463:  API usage errors  (BUFFER_SIZE)
> /lib/sha1.c: 278 in sha1_process_bytes()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1273463:  API usage errors  (BUFFER_SIZE)
> /lib/sha1.c: 278 in sha1_process_bytes()
> 272           memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
> 273           left_over += len;
> 274           if (left_over >= 64)
> 275             {
> 276               sha1_process_block (ctx->buffer, 64, ctx);
> 277               left_over -= 64;
> >>>     CID 1273463:  API usage errors  (BUFFER_SIZE)
> >>>     The source buffer "&ctx->buffer[16]" potentially overlaps with the 
> >>> destination buffer "ctx->buffer", which results in undefined behavior for 
> >>> memcpy.
> 278               memcpy (ctx->buffer, &ctx->buffer[16], left_over);
> 279             }
> 280           ctx->buflen = left_over;
> 281         }
> 282     }
> 283
> 
> ** CID 420711:  Insecure data handling  (INTEGER_OVERFLOW)
> /lib/str-two-way.h: 221 in critical_factorization()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 420711:  Insecure data handling  (INTEGER_OVERFLOW)
> /lib/str-two-way.h: 221 in critical_factorization()
> 215          lexicographic suffix of 'a' works for 'bba', but not 'ab' for
> 216          'aab'.  The shorter suffix of the two will always be a critical
> 217          factorization.  */
> 218       if (max_suffix_rev + 1 < max_suffix + 1)
> 219         return max_suffix + 1;
> 220       *period = p;
> >>>     CID 420711:  Insecure data handling  (INTEGER_OVERFLOW)
> >>>     Overflowed or truncated value (or a value computed from an overflowed 
> >>> or truncated value) "max_suffix_rev + 1UL" used as return value.
> 221       return max_suffix_rev + 1;
> 222     }
> 223
> 224     /* Return the first location of non-empty NEEDLE within HAYSTACK, or
> 225        NULL.  HAYSTACK_LEN is the minimum known length of HAYSTACK.  This
> 226        method is optimized for NEEDLE_LEN < LONG_NEEDLE_THRESHOLD.
> 
> 
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit,
> https://scan.coverity.com/projects/gnu-wget?tab=overview
> 
> To manage Coverity Scan email notifications for "address@hidden",
> click 
> https://scan.coverity.com/subscriptions/edit?email=darnir%40gmail.com&token=a247cf0e017fe1ea3e52680a7e0c1fcf
> 
> 
> 
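The TOCTOU finding in hsts_store_open (file_exists_p and stat on a path, then fopen on the same path) and the "fp going out of scope" leak in getftp both come down to how a file handle is acquired and released on error paths. As an added example, not code from wget or from the patch attached to this message: a small C program that opens the file once, takes the mtime with fstat on the descriptor it will actually read (so there is no window between check and use), treats a missing file as an empty store the way file_exists_p did, and releases the descriptor, the FILE and the store on every failure path. toy_store, toy_read_database and toy_store_open are hypothetical stand-ins for the hsts_store fields visible in the report; the file contents in the demo are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical store, shaped after the hsts_store fields seen in the report. */
struct toy_store {
    time_t last_mtime;
    long entries;
};

/* Hypothetical parser standing in for hsts_read_database: counts non-empty
   lines; a line starting with '!' is the constructed "corrupt file" marker. */
static int toy_read_database(struct toy_store *store, FILE *fp)
{
    char line[256];
    store->entries = 0;
    while (fgets(line, sizeof line, fp)) {
        if (line[0] == '!')
            return 0;
        if (line[0] != '\n')
            store->entries++;
    }
    return 1;
}

/* Open the store without a check-then-use window: open() the path once, then
   fstat() the descriptor that will actually be read.  A missing file yields an
   empty store (the role file_exists_p played); every other failure returns
   NULL and releases the descriptor, the FILE and the store. */
struct toy_store *toy_store_open(const char *filename)
{
    struct toy_store *store = calloc(1, sizeof *store);
    if (!store)
        return NULL;

    int fd = open(filename, O_RDONLY);
    if (fd < 0) {
        if (errno == ENOENT)
            return store;          /* no database yet: empty store, mtime 0 */
        free(store);
        return NULL;
    }

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                 /* refuse FIFOs, devices, directories */
        free(store);
        return NULL;
    }
    store->last_mtime = st.st_mtime;   /* mtime of the file we hold open */

    FILE *fp = fdopen(fd, "r");    /* fp now owns fd */
    if (!fp) {
        close(fd);
        free(store);
        return NULL;
    }
    int ok = toy_read_database(store, fp);
    fclose(fp);                    /* closed on success and failure alike */
    if (!ok) {
        free(store);
        return NULL;
    }
    return store;
}

/* Write constructed contents to a fresh temporary file; 0 on success. */
static int write_temp_file(char *path, size_t path_len, const char *contents)
{
    static const char tmpl[] = "/tmp/toy_store_XXXXXX";
    if (path_len < sizeof tmpl)
        return -1;
    memcpy(path, tmpl, sizeof tmpl);
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    size_t n = strlen(contents);
    int ok = write(fd, contents, n) == (ssize_t)n;
    close(fd);
    return ok ? 0 : -1;
}

/* Demo: entries parsed from a constructed file, or -1 if the open was refused. */
long toy_demo_entries(const char *contents)
{
    char path[64];
    if (write_temp_file(path, sizeof path, contents) != 0)
        return -1;
    struct toy_store *s = toy_store_open(path);
    unlink(path);
    if (!s)
        return -1;
    long n = s->entries;
    free(s);
    return n;
}

/* Demo: a path that does not exist yields an empty store, not a failure. */
int toy_demo_missing(void)
{
    char path[64];
    if (write_temp_file(path, sizeof path, "") != 0)
        return 0;
    unlink(path);                  /* the path is now guaranteed absent */
    struct toy_store *s = toy_store_open(path);
    int ok = s != NULL && s->entries == 0 && s->last_mtime == 0;
    free(s);
    return ok;
}

int main(void)
{
    printf("entries: %ld\n", toy_demo_entries("a.example 1\nb.example 1\n\nc.example 1\n"));
    printf("corrupt: %ld\n", toy_demo_entries("a.example 1\n!corrupt\n"));
    printf("missing ok: %d\n", toy_demo_missing());
    return 0;
}
```

The S_ISREG check is the part a plain fopen cannot give you: with open plus fstat the type and mtime come from the object actually opened, so a path swapped between the check and the open changes nothing.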

Attachment: 0001-Fix-Coverity-issues.patch
Description: 0001-Fix-Coverity-issues.patch
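Coverity's three BUFFER_SIZE reports on md5.c, sha256.c and sha1.c concern the same line shape: memcpy from &ctx->buffer[16] (byte offset 64 in a 32 x uint32_t buffer) down to ctx->buffer, whose source and destination ranges overlap whenever left_over exceeds 64 bytes. Whether that can happen depends on the invariants on buflen and len, which the excerpt does not show; memmove is the primitive defined for overlapping ranges and is the usual way to close such a report without changing behaviour. As an added example, not gnulib's or wget's code: a toy streaming context with the same 128-byte staging-buffer shape, the tail shift written with memmove, a predicate that says when the two ranges actually overlap, and a check that the digest does not depend on how the input is chunked, which is the property that loop has to preserve. toy_ctx, toy_process_block (a byte fold, not a real hash) and the 300-byte message are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 64

/* Hypothetical streaming context with the same staging-buffer shape as the
   gnulib md5/sha contexts in the report: 32 x uint32_t = 128 bytes, so
   &buffer[16] is byte offset 64.  acc/blocks form a toy digest, not a hash. */
struct toy_ctx {
    uint32_t buffer[32];
    size_t buflen;       /* bytes pending in buffer */
    uint32_t acc;
    size_t blocks;
};

/* Toy stand-in for md5_process_block: folds one 64-byte block into acc. */
static void toy_process_block(const unsigned char *blk, struct toy_ctx *c)
{
    for (size_t i = 0; i < BLOCK; i++)
        c->acc = c->acc * 31u + blk[i];
    c->blocks++;
}

/* Does the tail copy from [64, 64+left_over) overlap its destination
   [0, left_over)?  Only if more than 64 bytes remain, i.e. more than 128
   bytes were staged.  memcpy is undefined in that case; memmove is not. */
int toy_tail_shift_overlaps(size_t left_over)
{
    return left_over > BLOCK;
}

/* Append data, consume every complete block, then move the remainder to the
   front of the buffer with memmove (the report's memcpy position). */
void toy_process_bytes(const unsigned char *p, size_t len, struct toy_ctx *c)
{
    unsigned char *buf = (unsigned char *)c->buffer;
    while (len > 0) {
        size_t room = sizeof c->buffer - c->buflen;
        size_t n = len < room ? len : room;
        memcpy(buf + c->buflen, p, n);   /* caller's data and buf are disjoint */
        c->buflen += n;
        p += n;
        len -= n;
        while (c->buflen >= BLOCK) {
            toy_process_block(buf, c);
            c->buflen -= BLOCK;
            memmove(buf, &c->buffer[16], c->buflen);   /* safe even if overlapping */
        }
    }
}

/* Toy finalisation: zero-pad the tail to a full block and fold it in. */
uint32_t toy_final(struct toy_ctx *c)
{
    unsigned char *buf = (unsigned char *)c->buffer;
    if (c->buflen > 0) {
        memset(buf + c->buflen, 0, BLOCK - c->buflen);
        toy_process_block(buf, c);
        c->buflen = 0;
    }
    return c->acc ^ (uint32_t)c->blocks;
}

/* Digest of msg fed in chunks of `chunk` bytes. */
uint32_t toy_digest_chunked(const unsigned char *msg, size_t len, size_t chunk)
{
    struct toy_ctx c;
    memset(&c, 0, sizeof c);
    for (size_t off = 0; off < len; off += chunk) {
        size_t n = len - off < chunk ? len - off : chunk;
        toy_process_bytes(msg + off, n, &c);
    }
    return toy_final(&c);
}

/* 1 if every chunking of a 300-byte constructed message gives the same digest,
   which is the property the remainder shift must preserve. */
int toy_boundary_independent(void)
{
    unsigned char msg[300];
    for (size_t i = 0; i < sizeof msg; i++)
        msg[i] = (unsigned char)(i * 7 + 3);
    uint32_t ref = toy_digest_chunked(msg, sizeof msg, sizeof msg);
    for (size_t chunk = 1; chunk < sizeof msg; chunk++)
        if (toy_digest_chunked(msg, sizeof msg, chunk) != ref)
            return 0;
    return 1;
}

int main(void)
{
    printf("boundary independent: %d\n", toy_boundary_independent());
    printf("overlap at 63/65: %d/%d\n", toy_tail_shift_overlaps(63), toy_tail_shift_overlaps(65));
    return 0;
}
```

Feeding the message one byte at a time, in 128-byte pieces and all at once exercises every remainder length the shift can see; a chunking-dependent digest would point straight at that memmove line.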

