Bug #3071 (Closed): coverity warning in tls wrt tainted scalars
Description
/src/app-layer-ssl.c: 1352 in TLSDecodeHandshakeHello()
1346         if (ret < 0)
1347             goto end;
1348
1349         parsed += ret;
1350     }
1351
>>>     CID 1373381:  (TAINTED_SCALAR)
>>>     Passing tainted variable "input + parsed" to a tainted sink.
1352     ret = TLSDecodeHSHelloExtensions(ssl_state, input + parsed,
1353                                      input_len - parsed);
1354     if (ret < 0)
1355         goto end;
1356
1357     if (ssl_config.enable_ja3 && ssl_state->curr_connp->ja3_hash == NULL) {

/src/app-layer-ssl.c: 1332 in TLSDecodeHandshakeHello()
1326         if (ret < 0)
1327             goto end;
1328
1329         parsed += ret;
1330     }
1331
>>>     CID 1373381:  (TAINTED_SCALAR)
>>>     Passing tainted variable "input + parsed" to a tainted sink.
1332     ret = TLSDecodeHSHelloCipherSuites(ssl_state, input + parsed,
1333                                        input_len - parsed);
1334     if (ret < 0)
1335         goto end;
1336
1337     parsed += ret;

/src/app-layer-ssl.c: 1324 in TLSDecodeHandshakeHello()
1318
1319     /* The session id field in the server hello record was removed in
1320        TLSv1.3 draft1, but was readded in draft22. */
1321     if ((ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) ||
1322             ((ssl_state->current_flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
1323             ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0))) {
>>>     CID 1373381:  (TAINTED_SCALAR)
>>>     Passing tainted variable "input + parsed" to a tainted sink.
1324         ret = TLSDecodeHSHelloSessionID(ssl_state, input + parsed,
1325                                         input_len - parsed);
1326         if (ret < 0)
1327             goto end;
1328
1329         parsed += ret;
It's unclear to me if this is something serious, might need to suppress them.
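An added example, not Suricata's code, showing the bounds checks this kind of offset-and-remainder parsing needs so that a length byte read from the wire (the tainted scalar Coverity is tracking) can never index past the buffer. decode_session_id, decode_hello_tail and check_hello_tail are hypothetical stand-ins for the decoders named in the report, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a length-prefixed Hello field decoder such as the
 * session_id (one length byte, then that many bytes). Returns bytes consumed
 * or -1 if the input is too short. Every read is checked against the remaining
 * length, so a wire-supplied length (the tainted scalar) never indexes past it. */
static int decode_session_id(const uint8_t *input, uint32_t input_len,
                             uint8_t *out, uint8_t *out_len)
{
    if (input_len < 1)
        return -1;                          /* no room for the length byte */
    uint8_t sid_len = input[0];
    if (sid_len > 32)
        return -1;                          /* TLS caps session_id at 32 bytes */
    if ((uint32_t)sid_len > input_len - 1)
        return -1;                          /* promises more bytes than remain */
    memcpy(out, input + 1, sid_len);
    *out_len = sid_len;
    return 1 + sid_len;
}

/* Walks a field the way the report shows TLSDecodeHandshakeHello() doing it:
 * the sub-decoder gets input + parsed and input_len - parsed. The guard before
 * the subtraction keeps the unsigned remainder from wrapping if parsed > input_len. */
static int decode_hello_tail(const uint8_t *input, uint32_t input_len,
                             uint32_t parsed, uint8_t *sid, uint8_t *sid_len)
{
    if (parsed > input_len)
        return -1;
    int ret = decode_session_id(input + parsed, input_len - parsed, sid, sid_len);
    if (ret < 0)
        return -1;
    return (int)(parsed + (uint32_t)ret);   /* offset of the next field */
}

/* Returns the offset after the field, or -1 if the input was rejected. */
int check_hello_tail(const uint8_t *input, uint32_t input_len, uint32_t parsed)
{
    uint8_t sid[32], sid_len = 0;
    return decode_hello_tail(input, input_len, parsed, sid, &sid_len);
}

int main(void)
{   /* constructed: a 3-byte session id, then one claiming 32 bytes with only 3 */
    const uint8_t good[] = { 0x03, 0xAA, 0xBB, 0xCC, 0x00 }, trunc[] = { 0x20, 1, 2, 3 };
    printf("%d %d\n", check_hello_tail(good, 5, 0), check_hello_tail(trunc, 4, 0)); /* 4 -1 */
    return 0;
}
```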
Updated by Andreas Herz over 5 years ago
- Assignee set to OISF Dev
I wouldn't count it as too serious, but something we could try to fix nevertheless. If I look in the code of other projects having the same report, it took them some time, though.
Updated by Philippe Antoine about 1 year ago
- Status changed from New to Closed
All coverity warnings have been fixed now