Bug #3071

open

coverity warning in tls wrt tainted scalars

Added by Victor Julien about 3 years ago. Updated about 3 years ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

>>>     CID 1373381:    (TAINTED_SCALAR)
>>>     Passing tainted variable "input + parsed" to a tainted sink.
1352         ret = TLSDecodeHSHelloExtensions(ssl_state, input + parsed,
1353                                          input_len - parsed);
1354         if (ret < 0)
1355             goto end;
1356     
1357         if (ssl_config.enable_ja3 && ssl_state->curr_connp->ja3_hash == NULL) {
/src/app-layer-ssl.c: 1352 in TLSDecodeHandshakeHello()
1346             if (ret < 0)
1347                 goto end;
1348     
1349             parsed += ret;
1350         }
1351     
>>>     CID 1373381:    (TAINTED_SCALAR)
>>>     Passing tainted variable "input + parsed" to a tainted sink.
1352         ret = TLSDecodeHSHelloExtensions(ssl_state, input + parsed,
1353                                          input_len - parsed);
1354         if (ret < 0)
1355             goto end;
1356     
1357         if (ssl_config.enable_ja3 && ssl_state->curr_connp->ja3_hash == NULL) {
/src/app-layer-ssl.c: 1332 in TLSDecodeHandshakeHello()
1326             if (ret < 0)
1327                 goto end;
1328     
1329             parsed += ret;
1330         }
1331     
>>>     CID 1373381:    (TAINTED_SCALAR)
>>>     Passing tainted variable "input + parsed" to a tainted sink.
1332         ret = TLSDecodeHSHelloCipherSuites(ssl_state, input + parsed,
1333                                            input_len - parsed);
1334         if (ret < 0)
1335             goto end;
1336     
1337         parsed += ret;
/src/app-layer-ssl.c: 1324 in TLSDecodeHandshakeHello()
1318     
1319         /* The session id field in the server hello record was removed in
1320            TLSv1.3 draft1, but was readded in draft22. */
1321         if ((ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) ||
1322                 ((ssl_state->current_flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
1323                 ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0))) {
>>>     CID 1373381:    (TAINTED_SCALAR)
>>>     Passing tainted variable "input + parsed" to a tainted sink.
1352         ret = TLSDecodeHSHelloExtensions(ssl_state, input + parsed,
1353                                          input_len - parsed);
1354         if (ret < 0)
1355             goto end;
1356     
1357         if (ssl_config.enable_ja3 && ssl_state->curr_connp->ja3_hash == NULL) {
/src/app-layer-ssl.c: 1352 in TLSDecodeHandshakeHello()
1346             if (ret < 0)
1347                 goto end;
1348     
1349             parsed += ret;
1350         }
1351     
>>>     CID 1373381:    (TAINTED_SCALAR)
>>>     Passing tainted variable "input + parsed" to a tainted sink.
1352         ret = TLSDecodeHSHelloExtensions(ssl_state, input + parsed,
1353                                          input_len - parsed);
1354         if (ret < 0)
1355             goto end;
1356     
1357         if (ssl_config.enable_ja3 && ssl_state->curr_connp->ja3_hash == NULL) {
/src/app-layer-ssl.c: 1332 in TLSDecodeHandshakeHello()
1326             if (ret < 0)
1327                 goto end;
1328     
1329             parsed += ret;
1330         }
1331     
>>>     CID 1373381:    (TAINTED_SCALAR)
>>>     Passing tainted variable "input + parsed" to a tainted sink.
1332         ret = TLSDecodeHSHelloCipherSuites(ssl_state, input + parsed,
1333                                            input_len - parsed);
1334         if (ret < 0)
1335             goto end;
1336     
1337         parsed += ret;
/src/app-layer-ssl.c: 1324 in TLSDecodeHandshakeHello()
1318     
1319         /* The session id field in the server hello record was removed in
1320            TLSv1.3 draft1, but was readded in draft22. */
1321         if ((ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) ||
1322                 ((ssl_state->current_flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
1323                 ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0))) {
>>>     CID 1373381:    (TAINTED_SCALAR)
>>>     Passing tainted variable "input + parsed" to a tainted sink.
1324             ret = TLSDecodeHSHelloSessionID(ssl_state, input + parsed,
1325                                             input_len - parsed);
1326             if (ret < 0)
1327                 goto end;
1328     
1329             parsed += ret;

It's unclear to me whether this is something serious; we might need to suppress these warnings. The question is whether `parsed` is guaranteed to stay within `input_len` on every path before these calls; if not, `input_len - parsed` passes a wrong length to the decoder.

Actions #1

Updated by Andreas Herz about 3 years ago

  • Assignee set to OISF Dev

I wouldn't count it as too serious, but it is something we could try to fix nevertheless. Looking at the code of other projects that had the same report, it took them some time, though.
