From: Tom Rini <trini@konsulko.com>
To: u-boot@lists.denx.de
Cc: Sean Edmond <seanedmond@microsoft.com>
Subject: Fwd: New Defects reported by Coverity Scan for Das U-Boot
Date: Mon, 8 May 2023 16:20:20 -0400 [thread overview]
Message-ID: <20230508202020.GI2398826@bill-the-cat> (raw)
[-- Attachment #1: Type: text/plain, Size: 11377 bytes --]
Here's the latest defect report:
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, May 8, 2023, 2:29 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.
5 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)
** CID 453851: Memory - corruptions (OVERLAPPING_COPY)
/cmd/net.c: 279 in netboot_update_env()
________________________________________________________________________________________________________
*** CID 453851: Memory - corruptions (OVERLAPPING_COPY)
/cmd/net.c: 279 in netboot_update_env()
273
274 if (IS_ENABLED(CONFIG_IPV6)) {
275 if (!ip6_is_unspecified_addr(&net_ip6) ||
276 net_prefix_length != 0) {
277 sprintf(tmp, "%pI6c", &net_ip6);
278 if (net_prefix_length != 0)
>>> CID 453851: Memory - corruptions (OVERLAPPING_COPY)
>>> In the call to function "sprintf", the arguments "tmp" and "tmp"
may point to the same object.
279 sprintf(tmp, "%s/%d", tmp,
net_prefix_length);
280
281 env_set("ip6addr", tmp);
282 }
283
284 if (!ip6_is_unspecified_addr(&net_server_ip6)) {
** CID 450971: Insecure data handling (TAINTED_SCALAR)
/net/ndisc.c: 391 in process_ra()
________________________________________________________________________________________________________
*** CID 450971: Insecure data handling (TAINTED_SCALAR)
/net/ndisc.c: 391 in process_ra()
385 /* Ignore the packet if router lifetime is 0. */
386 if (!icmp->icmp6_rt_lifetime)
387 return -EOPNOTSUPP;
388
389 /* Processing the options */
390 option = msg->opt;
>>> CID 450971: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "remaining_option_len" as a loop boundary.
391 while (remaining_option_len > 0) {
392 /* The 2nd byte of the option is its length. */
393 option_len = option[1];
394 /* All included options should have a positive
length. */
395 if (option_len == 0)
396 return -EINVAL;
** CID 450969: Security best practices violations (DC.WEAK_CRYPTO)
/net/ndisc.c: 209 in ip6_send_rs()
________________________________________________________________________________________________________
*** CID 450969: Security best practices violations (DC.WEAK_CRYPTO)
/net/ndisc.c: 209 in ip6_send_rs()
203 icmp_len, PROT_ICMPV6, pcsum);
204 msg->icmph.icmp6_cksum = csum;
205 pkt += icmp_len;
206
207 /* Wait up to 1 second if it is the first try to get the RA
*/
208 if (retry_count == 0)
>>> CID 450969: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications,
because linear congruential algorithms are too easy to break.
209 udelay(((unsigned int)rand() % 1000000) *
MAX_SOLICITATION_DELAY);
210
211 /* send it! */
212 net_send_packet(net_tx_packet, (pkt - net_tx_packet));
213
214 retry_count++;
** CID 436282: (DC.WEAK_CRYPTO)
/net/dhcpv6.c: 621 in dhcp6_state_machine()
/net/dhcpv6.c: 627 in dhcp6_state_machine()
/net/dhcpv6.c: 628 in dhcp6_state_machine()
/net/dhcpv6.c: 662 in dhcp6_state_machine()
/net/dhcpv6.c: 613 in dhcp6_state_machine()
________________________________________________________________________________________________________
*** CID 436282: (DC.WEAK_CRYPTO)
/net/dhcpv6.c: 621 in dhcp6_state_machine()
615 /* handle state machine entry conditions */
616 if (sm_params.curr_state != sm_params.next_state) {
617 sm_params.retry_cnt = 0;
618
619 if (sm_params.next_state == DHCP6_SOLICIT) {
620 /* delay a random ammount (special for
SOLICIT) */
>>> CID 436282: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications,
because linear congruential algorithms are too easy to break.
621 udelay((rand() % SOL_MAX_DELAY_MS) * 1000);
622 /* init timestamp variables after SOLICIT
delay */
623 sm_params.dhcp6_start_ms = get_timer(0);
624 sm_params.dhcp6_retry_start_ms =
sm_params.dhcp6_start_ms;
625 sm_params.dhcp6_retry_ms =
sm_params.dhcp6_start_ms;
626 /* init transaction and ia_id */
/net/dhcpv6.c: 627 in dhcp6_state_machine()
621 udelay((rand() % SOL_MAX_DELAY_MS) * 1000);
622 /* init timestamp variables after SOLICIT
delay */
623 sm_params.dhcp6_start_ms = get_timer(0);
624 sm_params.dhcp6_retry_start_ms =
sm_params.dhcp6_start_ms;
625 sm_params.dhcp6_retry_ms =
sm_params.dhcp6_start_ms;
626 /* init transaction and ia_id */
>>> CID 436282: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications,
because linear congruential algorithms are too easy to break.
627 sm_params.trans_id = rand() & 0xFFFFFF;
628 sm_params.ia_id = rand();
629 /* initialize retransmission parameters */
630 sm_params.irt_ms = SOL_TIMEOUT_MS;
631 sm_params.mrt_ms = updated_sol_max_rt_ms;
632 /* RFCs default MRC is be 0 (try infinitely)
/net/dhcpv6.c: 628 in dhcp6_state_machine()
622 /* init timestamp variables after SOLICIT
delay */
623 sm_params.dhcp6_start_ms = get_timer(0);
624 sm_params.dhcp6_retry_start_ms =
sm_params.dhcp6_start_ms;
625 sm_params.dhcp6_retry_ms =
sm_params.dhcp6_start_ms;
626 /* init transaction and ia_id */
627 sm_params.trans_id = rand() & 0xFFFFFF;
>>> CID 436282: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications,
because linear congruential algorithms are too easy to break.
628 sm_params.ia_id = rand();
629 /* initialize retransmission parameters */
630 sm_params.irt_ms = SOL_TIMEOUT_MS;
631 sm_params.mrt_ms = updated_sol_max_rt_ms;
632 /* RFCs default MRC is be 0 (try infinitely)
633 * give up after CONFIG_NET_RETRY_COUNT
number of tries (same as DHCPv4)
/net/dhcpv6.c: 662 in dhcp6_state_machine()
656 (sm_params.mrd_ms != 0 &&
657 ((sm_params.dhcp6_retry_ms -
sm_params.dhcp6_retry_start_ms) >= sm_params.mrd_ms))) {
658 sm_params.next_state = DHCP6_FAIL;
659 }
660
661 /* calculate retransmission timeout (RT) */
>>> CID 436282: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications,
because linear congruential algorithms are too easy to break.
662 rand_minus_plus_100 = ((rand() % 200) - 100);
663 if (sm_params.retry_cnt == 0) {
664 sm_params.rt_ms = sm_params.irt_ms +
665 ((sm_params.irt_ms *
rand_minus_plus_100) / 1000);
666 } else {
667 sm_params.rt_ms = (2 * sm_params.rt_prev_ms) +
/net/dhcpv6.c: 613 in dhcp6_state_machine()
607 * Proceed anyway to proceed DONE/FAIL actions
608 */
609 debug("Unexpected DHCP6 state : %d\n",
sm_params.curr_state);
610 break;
611 }
612 /* re-seed the RNG */
>>> CID 436282: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications,
because linear congruential algorithms are too easy to break.
613 srand(get_ticks() + rand());
614
615 /* handle state machine entry conditions */
616 if (sm_params.curr_state != sm_params.next_state) {
617 sm_params.retry_cnt = 0;
618
** CID 436278: (TAINTED_SCALAR)
/net/dhcpv6.c: 321 in dhcp6_parse_options()
________________________________________________________________________________________________________
*** CID 436278: (TAINTED_SCALAR)
/net/dhcpv6.c: 376 in dhcp6_parse_options()
370 if (sm_params.curr_state ==
DHCP6_SOLICIT)
371 sm_params.mrt_ms =
updated_sol_max_rt_ms;
372 }
373 break;
374 case DHCP6_OPTION_OPT_BOOTFILE_URL:
375 debug("DHCP6_OPTION_OPT_BOOTFILE_URL
FOUND\n");
>>> CID 436278: (TAINTED_SCALAR)
>>> Passing tainted expression "option_len + 1" to "copy_filename",
which uses it as a loop boundary.
376 copy_filename(net_boot_file_name,
option_ptr, option_len + 1);
377 debug("net_boot_file_name: %s\n",
net_boot_file_name);
378
379 /* copy server_ip6 (required for PXE) */
380 s = strchr(net_boot_file_name, '[');
381 e = strchr(net_boot_file_name, ']');
/net/dhcpv6.c: 321 in dhcp6_parse_options()
315 while (option_hdr < (struct dhcp6_option_hdr *)(rx_pkt +
len)) {
316 option_ptr = ((uchar *)option_hdr) + sizeof(struct
dhcp6_hdr);
317 option_len = ntohs(option_hdr->option_len);
318
319 switch (ntohs(option_hdr->option_id)) {
320 case DHCP6_OPTION_CLIENTID:
>>> CID 436278: (TAINTED_SCALAR)
>>> Passing tainted expression "option_len" to "memcmp", which uses it
as an offset. [Note: The source code implementation of the function has
been overridden by a builtin model.]
321 if (memcmp(option_ptr, sm_params.duid,
option_len)
322 != 0) {
323 debug("CLIENT ID DOESN'T MATCH\n");
324 } else {
325 debug("CLIENT ID FOUND and
MATCHES\n");
326 sm_params.rx_status.client_id_match
= true;
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
next reply other threads:[~2023-05-08 20:20 UTC|newest]
Thread overview: 105+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-08 20:20 Tom Rini [this message]
2023-05-15 21:59 ` Fwd: New Defects reported by Coverity Scan for Das U-Boot Ehsan Mohandesi
2023-05-18 21:04 ` Sean Edmond
-- strict thread matches above, loose matches on Subject: below --
2026-04-06 19:12 Tom Rini
2026-03-09 21:23 Tom Rini
2026-03-09 22:05 ` Raphaël Gallais-Pou
2026-03-09 22:13 ` Tom Rini
2026-02-23 19:51 Tom Rini
2026-02-13 22:09 Tom Rini
2026-02-18 23:02 ` Chris Morgan
2026-02-20 16:11 ` Tom Rini
2026-02-20 16:23 ` Chris Morgan
2026-01-16 19:43 Tom Rini
2026-02-09 11:05 ` Guillaume La Roque
2026-02-20 16:11 ` Tom Rini
2026-01-06 20:36 Tom Rini
2026-01-05 23:58 Tom Rini
2026-01-06 9:37 ` Mattijs Korpershoek
2026-01-06 17:15 ` Tom Rini
2026-01-06 10:03 ` Heiko Schocher
2025-12-08 19:38 Tom Rini
2025-11-23 19:03 Tom Rini
2025-11-10 18:55 Tom Rini
2025-10-11 18:06 Tom Rini
2025-10-12 14:22 ` Mikhail Kshevetskiy
2025-10-12 19:07 ` Tom Rini
2025-11-01 6:32 ` Mikhail Kshevetskiy
2025-11-03 15:17 ` Tom Rini
2025-11-03 15:24 ` Michael Nazzareno Trimarchi
2025-08-06 18:35 Tom Rini
2025-08-07 9:17 ` Heiko Schocher
2025-08-08 3:37 ` Maniyam, Dinesh
2025-08-08 4:01 ` Heiko Schocher
2025-07-29 16:32 Tom Rini
2025-07-25 13:26 Tom Rini
2025-07-25 13:34 ` Michal Simek
2025-08-04 9:11 ` Alexander Dahl
2025-07-14 23:29 Tom Rini
2025-07-15 13:45 ` Rasmus Villemoes
2025-07-08 14:10 Tom Rini
2025-04-28 21:59 Tom Rini
2025-04-29 12:07 ` Jerome Forissier
2025-04-30 16:50 ` Marek Vasut
2025-04-30 17:01 ` Tom Rini
2025-04-30 18:23 ` Heinrich Schuchardt
2025-04-30 19:14 ` Tom Rini
2025-03-11 1:49 Tom Rini
2025-02-25 2:39 Tom Rini
2025-02-25 6:06 ` Heiko Schocher
2025-02-25 10:48 ` Quentin Schulz
2025-02-25 10:54 ` Heiko Schocher
2025-02-10 22:26 Tom Rini
2025-02-11 6:14 ` Heiko Schocher
2025-02-11 22:30 ` Tom Rini
2024-12-31 13:55 Tom Rini
2024-12-24 17:14 Tom Rini
2024-11-15 13:27 Tom Rini
2024-11-12 2:11 Tom Rini
2024-10-28 3:11 Tom Rini
2024-10-19 16:16 Tom Rini
2024-10-16 3:47 Tom Rini
2024-10-16 5:56 ` Tudor Ambarus
2024-10-07 17:15 Tom Rini
2024-07-23 14:18 Tom Rini
2024-07-24 9:21 ` Mattijs Korpershoek
2024-07-24 9:45 ` Heinrich Schuchardt
2024-07-24 9:56 ` Mattijs Korpershoek
2024-07-24 10:06 ` Heinrich Schuchardt
2024-07-24 22:40 ` Tom Rini
2024-07-25 8:04 ` Mattijs Korpershoek
2024-07-25 17:16 ` Tom Rini
2024-07-24 9:53 ` Mattijs Korpershoek
2024-04-22 21:48 Tom Rini
2024-01-29 23:55 Tom Rini
2024-01-30 8:14 ` Heinrich Schuchardt
[not found] <20240127154018.GC785631@bill-the-cat>
2024-01-27 20:56 ` Heinrich Schuchardt
2024-01-28 8:51 ` Heinrich Schuchardt
2024-01-22 23:52 Tom Rini
2024-01-22 23:30 Tom Rini
2024-01-23 8:15 ` Hugo Cornelis
[not found] <65a933ab652b3_da12cbd3e77f998728e5@prd-scan-dashboard-0.mail>
2024-01-19 8:47 ` Heinrich Schuchardt
2024-01-18 14:35 Tom Rini
2024-01-08 17:45 Tom Rini
2024-01-09 5:26 ` Sean Anderson
2024-01-09 22:18 ` Tom Rini
2023-08-21 21:09 Tom Rini
2023-08-24 9:27 ` Abdellatif El Khlifi
2023-08-28 16:09 ` Alvaro Fernando García
2023-08-28 16:11 ` Tom Rini
2023-10-20 11:57 ` Abdellatif El Khlifi
2023-10-25 14:57 ` Tom Rini
2023-10-25 15:12 ` Abdellatif El Khlifi
2023-10-25 15:15 ` Tom Rini
2023-10-31 14:21 ` Abdellatif El Khlifi
2023-02-14 14:26 Tom Rini
2022-11-21 19:43 Tom Rini
2022-11-09 15:40 Tom Rini
[not found] <62df3a0cb9fd2_30ed5f2acd4da7b9a431758@prd-scan-dashboard-0.mail>
2022-07-26 4:22 ` Heinrich Schuchardt
[not found] <611aaf735d268_21438d2b07184e399c79439@prd-scan-dashboard-0.mail>
2021-08-17 5:21 ` Heinrich Schuchardt
2021-08-17 15:17 ` Tom Rini
[not found] <6082f7faa423_5762a2b148d4af9a86820@prd-scan-dashboard-0.mail>
2021-04-24 4:52 ` Heinrich Schuchardt
[not found] <5ecd3c8249d1_d6f562acb748daf5820386@appnode-2.mail>
[not found] ` <CA+M6bX=AmT+SyM0Snt2POLy0-vpD__6CD4j6ifqMqh63yYJBLA@mail.gmail.com>
[not found] ` <8ea1ca2f-2826-58f2-4b6b-ed5cfe977467@gmx.de>
[not found] ` <20200526184027.GJ12717@bill-the-cat>
2020-05-26 20:02 ` Heinrich Schuchardt
2020-05-26 20:10 ` Tom Rini
2020-05-26 20:36 ` Heinrich Schuchardt
2020-05-26 20:48 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230508202020.GI2398826@bill-the-cat \
--to=trini@konsulko.com \
--cc=seanedmond@microsoft.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox