[openssl-project] Fwd: New Defects reported by Coverity Scan for openssl/openssl

Matt Caswell matt at openssl.org
Mon Apr 16 17:47:17 UTC 2018


Can anyone enlighten me as to why I can't find half of these defects in
the coverity dashboard? None of the reported defects in the test cases
seem to exist any more (and I'm fairly sure we didn't fix them).
Actually I didn't think we scanned the tests at all, so I'm a little
confused.

Matt



-------- Forwarded Message --------
Subject: New Defects reported by Coverity Scan for openssl/openssl
Date: Sun, 15 Apr 2018 07:51:06 +0000 (UTC)
From: scan-admin at coverity.com
To: matt at openssl.org

Hi,

Please find the latest report on new defect(s) introduced to
openssl/openssl found with Coverity Scan.

5 new defect(s) introduced to openssl/openssl found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)


** CID 1434551:  Code maintainability issues  (SIZEOF_MISMATCH)
/test/sslapitest.c: 3831 in create_new_vfile()


________________________________________________________________________________________________________
*** CID 1434551:  Code maintainability issues  (SIZEOF_MISMATCH)
/test/sslapitest.c: 3831 in create_new_vfile()
3825         return ret;
3826     }
3827
3828     static int create_new_vfile(char *userid, char *password, const char *filename)
3829     {
3830         char *gNid = NULL;
>>>     CID 1434551:  Code maintainability issues  (SIZEOF_MISMATCH)
>>>     Passing argument "56UL /* sizeof (row) * (6 + 1) */" to function "CRYPTO_zalloc" and then casting the return value to "OPENSSL_STRING *" is suspicious.  In this particular case "sizeof (OPENSSL_STRING *)" happens to be equal to "sizeof (OPENSSL_STRING)", but this is not a portable assumption.
3831         OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
3832         TXT_DB *db = NULL;
3833         int ret = 0;
3834         BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
3835         size_t i;
3836
** CID 1434550:    (RESOURCE_LEAK)
/crypto/srp/srp_vfy.c: 73 in t_fromb64()
/crypto/srp/srp_vfy.c: 97 in t_fromb64()


________________________________________________________________________________________________________
*** CID 1434550:    (RESOURCE_LEAK)
/crypto/srp/srp_vfy.c: 73 in t_fromb64()
67          *  2 bytes unencoded = 3 bytes encoded
68          *  3 bytes unencoded = 4 bytes encoded
69          *  4 bytes unencoded = 6 bytes encoded
70          *  etc
71          */
72         if (padsize == 3)
>>>     CID 1434550:    (RESOURCE_LEAK)
>>>     Variable "ctx" going out of scope leaks the storage it points to.
73             return -1;
74
75         /* Valid padsize values are now 0, 1 or 2 */
76
77         EVP_DecodeInit(ctx);
78         evp_encode_ctx_set_flags(ctx, EVP_ENCODE_CTX_USE_SRP_ALPHABET);
/crypto/srp/srp_vfy.c: 97 in t_fromb64()
91         EVP_DecodeFinal(ctx, a + outl, &outl2);
92         outl += outl2;
93
94         /* Strip off the leading padding */
95         if (padsize != 0) {
96             if ((int)padsize >= outl)
>>>     CID 1434550:    (RESOURCE_LEAK)
>>>     Variable "ctx" going out of scope leaks the storage it points to.
97                 return -1;
98             /*
99              * If we added 1 byte of padding prior to encoding then we have 2 bytes
100              * of "real" data which gets spread across 4 encoded bytes like this:
101              *   (6 bits pad)(2 bits pad | 4 bits data)(6 bits data)(6 bits data)
102              * So 1 byte of pre-encoding padding results in 1 full byte of encoded

** CID 1434549:  Error handling issues  (CHECKED_RETURN)
/test/evp_test.c: 1553 in encode_test_run()


________________________________________________________________________________________________________
*** CID 1434549:  Error handling issues  (CHECKED_RETURN)
/test/evp_test.c: 1553 in encode_test_run()
1547             if (!TEST_ptr(encode_ctx = EVP_ENCODE_CTX_new())
1548                     || !TEST_ptr(encode_out =
1549                                  OPENSSL_malloc(EVP_ENCODE_LENGTH(expected->input_len))))
1550                 goto err;
1551
1552             EVP_EncodeInit(encode_ctx);
>>>     CID 1434549:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "EVP_EncodeUpdate" without checking return value (as is done elsewhere 4 out of 5 times).
1553             EVP_EncodeUpdate(encode_ctx, encode_out, &chunk_len,
1554                              expected->input, expected->input_len);
1555             output_len = chunk_len;
1556
1557             EVP_EncodeFinal(encode_ctx, encode_out + chunk_len, &chunk_len);
1558             output_len += chunk_len;

** CID 1434548:  Error handling issues  (CHECKED_RETURN)
/test/drbgtest.c: 800 in run_multi_thread_test()


________________________________________________________________________________________________________
*** CID 1434548:  Error handling issues  (CHECKED_RETURN)
/test/drbgtest.c: 800 in run_multi_thread_test()
794         private = RAND_DRBG_get0_private();
795         RAND_DRBG_set_reseed_time_interval(public, 1);
796         RAND_DRBG_set_reseed_time_interval(private, 1);
797
798         do {
799             RAND_bytes(buf, sizeof(buf));
>>>     CID 1434548:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "RAND_priv_bytes" without checking return value (as is done elsewhere 16 out of 18 times).
800             RAND_priv_bytes(buf, sizeof(buf));
801         }
802         while(time(NULL) - start < 5);
803     }
804
805     # if defined(OPENSSL_SYS_WINDOWS)

** CID 1420020:  Error handling issues  (CHECKED_RETURN)
/crypto/rand/drbg_lib.c: 872 in drbg_setup()


________________________________________________________________________________________________________
*** CID 1420020:  Error handling issues  (CHECKED_RETURN)
/crypto/rand/drbg_lib.c: 872 in drbg_setup()
866         /*
867          * Ignore instantiation error so support just-in-time instantiation.
868          *
869          * The state of the drbg will be checked in RAND_DRBG_generate() and
870          * an automatic recovery is attempted.
871          */
>>>     CID 1420020:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "RAND_DRBG_instantiate" without checking return value (as is done elsewhere 12 out of 15 times).
872         RAND_DRBG_instantiate(drbg,
873                               (const unsigned char *) ossl_pers_string,
874                               sizeof(ossl_pers_string) - 1);
875         return drbg;
876
877     err:


________________________________________________________________________________________________________