Bug #3071
Closed
coverity warning in tls wrt tainted scalars
Description
>>> CID 1373381: (TAINTED_SCALAR)
>>> Passing tainted variable "input + parsed" to a tainted sink.
1352 ret = TLSDecodeHSHelloExtensions(ssl_state, input + parsed,
1353 input_len - parsed);
1354 if (ret < 0)
1355 goto end;
1356
1357 if (ssl_config.enable_ja3 && ssl_state->curr_connp->ja3_hash == NULL) {
/src/app-layer-ssl.c: 1352 in TLSDecodeHandshakeHello()
1346 if (ret < 0)
1347 goto end;
1348
1349 parsed += ret;
1350 }
1351
>>> CID 1373381: (TAINTED_SCALAR)
>>> Passing tainted variable "input + parsed" to a tainted sink.
1352 ret = TLSDecodeHSHelloExtensions(ssl_state, input + parsed,
1353 input_len - parsed);
1354 if (ret < 0)
1355 goto end;
1356
1357 if (ssl_config.enable_ja3 && ssl_state->curr_connp->ja3_hash == NULL) {
/src/app-layer-ssl.c: 1332 in TLSDecodeHandshakeHello()
1326 if (ret < 0)
1327 goto end;
1328
1329 parsed += ret;
1330 }
1331
>>> CID 1373381: (TAINTED_SCALAR)
>>> Passing tainted variable "input + parsed" to a tainted sink.
1332 ret = TLSDecodeHSHelloCipherSuites(ssl_state, input + parsed,
1333 input_len - parsed);
1334 if (ret < 0)
1335 goto end;
1336
1337 parsed += ret;
/src/app-layer-ssl.c: 1324 in TLSDecodeHandshakeHello()
1318
1319 /* The session id field in the server hello record was removed in
1320 TLSv1.3 draft1, but was readded in draft22. */
1321 if ((ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) ||
1322 ((ssl_state->current_flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
1323 ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0))) {
>>> CID 1373381: (TAINTED_SCALAR)
>>> Passing tainted variable "input + parsed" to a tainted sink.
1324 ret = TLSDecodeHSHelloSessionID(ssl_state, input + parsed,
1325 input_len - parsed);
1326 if (ret < 0)
1327 goto end;
1328
1329 parsed += ret;
It's unclear to me if this is something serious, might need to suppress them.
Updated by Andreas Herz over 6 years ago
- Assignee set to OISF Dev
I wouldn't count it as too serious but something we could try to fix nevertheless. If I look in the code of other projects having the same report, it took them some time, though.
Updated by Philippe Antoine almost 2 years ago
- Status changed from New to Closed
All coverity warnings have been fixed now