Fix Coverity TAINTED_SCALAR issue
The info.name_length variable was not being checked to see if it was less than the size of name when passed into read_data. This was a simple fix.

Fixes:
```
lib/pkg_editor/src/pkg_editor.c:1632:5:
  Type: Untrusted value as argument (TAINTED_SCALAR)

lib/pkg_editor/src/pkg_editor.c:1591:3: Tainted data flows to a taint sink
  1. path: Condition "buffer != NULL", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1596:5:
  2. path: Condition "input != NULL", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1596:5:
  3. path: Falling through to end of if statement.
lib/pkg_editor/src/pkg_editor.c:1601:3:
  4. path: Condition "ret != 0", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1612:3:
  5. path: Condition "z_info.strm.avail_in > 0", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1612:3:
  6. path: Condition "input != NULL", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1612:3:
  7. path: Condition "!feof(input)", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1614:5:
  8. path: Condition "!read_data(&info, 20UL /* sizeof (info) */, &z_info, input)", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1619:5:
  9. path: Condition "info.magic != 3203399403U", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1627:5:
  10. path: Condition "info.kind == PACK_END", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1632:5:
  11. path: Condition "!read_data(name, info.name_length, &z_info, input)", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1642:5:
  12. path: Condition "out_dir_length + 2 > 12288UL /* 3 * 4096 */", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1652:5:
  13. path: Condition "info.kind == PACK_DIR", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1654:5:
  14. path: Falling through to end of if statement.
lib/pkg_editor/src/pkg_editor.c:1711:3:
  15. path: Jumping back to the beginning of the loop.
lib/pkg_editor/src/pkg_editor.c:1612:3:
  16. path: Condition "z_info.strm.avail_in > 0", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1614:5:
  17. path: Condition "!read_data(&info, 20UL /* sizeof (info) */, &z_info, input)", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1619:5:
  18. path: Condition "info.magic != 3203399403U", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1627:5:
  19. path: Condition "info.kind == PACK_END", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1632:5:
  20. path: Condition "!read_data(name, info.name_length, &z_info, input)", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1642:5:
  21. path: Condition "out_dir_length + 2 > 12288UL /* 3 * 4096 */", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1652:5:
  22. path: Condition "info.kind == PACK_DIR", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1654:5:
  23. path: Falling through to end of if statement.
lib/pkg_editor/src/pkg_editor.c:1711:3:
  24. path: Jumping back to the beginning of the loop.
lib/pkg_editor/src/pkg_editor.c:1612:3:
  25. path: Condition "z_info.strm.avail_in > 0", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1614:5:
  26. tainted_argument: Calling function "read_data" taints argument "info".
lib/pkg_editor/src/pkg_editor.c:1530:3: Tainted data flows to a taint sink
  26.1. var_assign_parm: Assigning: "z_info->strm.next_out" = "data".
lib/pkg_editor/src/pkg_editor.c:1534:5:
  26.2. path: Condition "z_info->strm.avail_in == 0", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1537:7:
  26.3. path: Condition "in_fd == NULL", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1537:7:
  26.4. path: Condition "feof(in_fd)", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1541:7:
  26.5. tainted_data_argument: Calling function "fread" taints parameter "*z_info->buffer". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/pkg_editor/src/pkg_editor.c:1542:7:
  26.6. path: Condition "count < 1", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1547:7:
  26.7. var_assign_alias: Assigning: "z_info->strm.next_in" = "z_info->buffer", which taints "z_info->strm.next_in".
lib/pkg_editor/src/pkg_editor.c:1550:5:
  26.8. tainted_data_transitive: Calling function "inflate" with tainted argument "*z_info->strm.next_in" taints "*z_info->strm.next_out".
lib/pkg_editor/src/pkg_editor.c:1551:5:
  26.9. path: Condition "ret != -2", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1551:5:
  26.10. path: Falling through to end of if statement.
lib/pkg_editor/src/pkg_editor.c:1552:5:
  26.11. path: Condition "ret == 1", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1554:7:
  26.12. path: Condition "z_info->strm.avail_out == 0", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1614:5:
  27. path: Condition "!read_data(&info, 20UL /* sizeof (info) */, &z_info, input)", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1619:5:
  28. path: Condition "info.magic != 3203399403U", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1627:5:
  29. path: Condition "info.kind == PACK_END", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1632:5:
  30. tainted_data: Passing tainted expression "info.name_length" to "read_data", which uses it as an offset.
lib/pkg_editor/src/pkg_editor.c:1531:3: Tainted data flows to a taint sink
  30.1. var_assign_parm: Assigning: "z_info->strm.avail_out" = "size", which taints "z_info->strm.avail_out".
lib/pkg_editor/src/pkg_editor.c:1534:5:
  30.2. path: Condition "z_info->strm.avail_in == 0", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1537:7:
  30.3. path: Condition "in_fd == NULL", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1537:7:
  30.4. path: Condition "feof(in_fd)", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1542:7:
  30.5. path: Condition "count < 1", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1550:5:
  30.6. taint_sink_lv_call: Passing tainted expression "z_info->strm.avail_out" to taint sink "inflate".
lib/pkg_editor/src/pkg_editor.c:1632:5:
  31. remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
```
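As an added illustration of the check this commit describes (example code, not the project's own): a minimal reader for a length-prefixed record that bounds the tainted `name_length` by the destination buffer before anything is copied into it. `NAME_LEN`, `PACK_MAGIC`, the header layout and the memcpy-based `read_data` are constructed stand-ins; the real pkg_editor inflates the data with zlib and its 20-byte header layout is not shown on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN   64           /* assumed size of the name buffer */
#define PACK_MAGIC 0xBEEFCAFEu  /* constructed value, not the project's magic */

/* Hypothetical record header; name_length comes straight from the file. */
struct rec_header {
    uint32_t magic;
    uint32_t kind;
    uint32_t name_length;
};

/* Stand-in for read_data()/inflate(): writes up to 'size' bytes into dst. */
static int read_data(void *dst, size_t size, const uint8_t **cur, const uint8_t *end) {
    if ((size_t)(end - *cur) < size) return 0;
    memcpy(dst, *cur, size);
    *cur += size;
    return 1;
}

/* Returns 1 and fills 'name' on success, 0 on a malformed record. */
int unpack_name(const uint8_t *buf, size_t len, char name[NAME_LEN]) {
    const uint8_t *cur = buf, *end = buf + len;
    struct rec_header info;
    if (!read_data(&info, sizeof info, &cur, end)) return 0;
    if (info.magic != PACK_MAGIC) return 0;
    /* The check the commit adds: name_length is attacker-controlled, so bound
     * it by the buffer it is written into. '>=' rather than '>' keeps room for
     * the terminating NUL appended below. */
    if (info.name_length >= NAME_LEN) {
        fprintf(stderr, "File name too long: %u\n", (unsigned)info.name_length);
        return 0;
    }
    if (!read_data(name, info.name_length, &cur, end)) return 0;
    name[info.name_length] = '\0';
    return 1;
}

/* Builds a constructed record; 'claimed' is the name_length stored in the header. */
size_t build_record(uint8_t *out, uint32_t claimed, const char *name) {
    struct rec_header h = { PACK_MAGIC, 1, claimed };
    size_t n = strlen(name);
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, name, n);
    return sizeof h + n;
}
```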
IlanTruanovsky committed Feb 8, 2023
1 parent 2d33310 commit 0eabaa9
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions lib/pkg_editor/src/pkg_editor.c
Expand Up @@ -1628,6 +1628,14 @@ static int acl_pkg_unpack_buffer_or_file(const char *buffer, size_t buffer_size,
break;
}

// Make sure info.name_length bytes fit into our name buffer
if (info.name_length > NAME_LEN) {
fprintf(stderr, "%s: File name too long: %u\n", routine_name,
info.name_length);
inflateEnd(&z_info.strm);
return 0;
}

// Read the filename.
if (!read_data(name, info.name_length, &z_info, input)) {
fprintf(stderr, "%s: Error reading file name from buffer\n",
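Review bot: the new bound compares `info.name_length` against a separately defined `NAME_LEN` rather than the size of `name` itself, and it may need to be `>=`: if `name` is declared with `NAME_LEN` bytes and a NUL terminator is written after `read_data` succeeds, a `name_length` equal to `NAME_LEN` still overruns by one byte. When `name` is an array in this scope, `if (info.name_length >= sizeof(name))` ties the check to the buffer it guards and cannot drift if the array is resized. Separately, the `%u` in the error message assumes `name_length` is an `unsigned int`; if the header field is a wider or narrower type, add a cast or the matching length modifier.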