Actions
Bug #5080
closedeve/dnp3: coverity warnings for string handling
Affected Versions:
Effort:
Difficulty:
Label:
Description
I don't think these are very serious.
** CID 1499368: (TAINTED_SCALAR) /src/output-json-dnp3-objects.c: 1391 in OutputJsonDNP3SetItem() /src/output-json-dnp3-objects.c: 1339 in OutputJsonDNP3SetItem() /src/output-json-dnp3-objects.c: 1328 in OutputJsonDNP3SetItem() ________________________________________________________________________________________________________ *** CID 1499368: (TAINTED_SCALAR) /src/output-json-dnp3-objects.c: 1391 in OutputJsonDNP3SetItem() 1385 jb_set_uint(js, "maximum_block_size", data->maximum_block_size); 1386 jb_set_uint(js, "request_id", data->request_id); 1387 if (data->filename_size > 0) { 1388 /* First create a null terminated string as not all versions 1389 * of jansson have json_stringn. */ 1390 char tmpbuf[data->filename_size + 1]; >>> CID 1499368: (TAINTED_SCALAR) >>> Passing tainted expression "data->filename_size" to "memcpy", which uses it as an offset. 1391 memcpy(tmpbuf, data->filename, data->filename_size); 1392 tmpbuf[data->filename_size] = '\0'; 1393 jb_set_string(js, "filename", tmpbuf); 1394 } else { 1395 jb_set_string(js, "filename", ""); 1396 } /src/output-json-dnp3-objects.c: 1339 in OutputJsonDNP3SetItem() 1333 } 1334 jb_set_uint(js, "data_size", data->data_size); 1335 if (data->data_size > 0) { 1336 /* First create a null terminated string as not all versions 1337 * of jansson have json_stringn. */ 1338 char tmpbuf[data->data_size + 1]; >>> CID 1499368: (TAINTED_SCALAR) >>> Passing tainted expression "data->data_size" to "memcpy", which uses it as an offset. 1339 memcpy(tmpbuf, data->data, data->data_size); 1340 tmpbuf[data->data_size] = '\0'; 1341 jb_set_string(js, "data", tmpbuf); 1342 } else { 1343 jb_set_string(js, "data", ""); 1344 } /src/output-json-dnp3-objects.c: 1328 in OutputJsonDNP3SetItem() 1322 jb_set_uint(js, "file_function_code", data->file_function_code); 1323 jb_set_uint(js, "status_code", data->status_code); 1324 if (data->filename_size > 0) { 1325 /* First create a null terminated string as not all versions 1326 * of jansson have json_stringn. */ 1327 char tmpbuf[data->filename_size + 1]; >>> CID 1499368: (TAINTED_SCALAR) >>> Passing tainted expression "data->filename_size" to "memcpy", which uses it as an offset. 1328 memcpy(tmpbuf, data->filename, data->filename_size); 1329 tmpbuf[data->filename_size] = '\0'; 1330 jb_set_string(js, "filename", tmpbuf); 1331 } else { 1332 jb_set_string(js, "filename", ""); 1333 }
Updated by Victor Julien almost 3 years ago
- Status changed from New to Closed
- Target version changed from TBD to 7.0.0-beta1
Actions