1445221: length is checked for consistency with packet length;
annotated.
1448175: pulled the checksum validation into the block declaring
udp_len, to make it clear that it *is* range checked.
Annotated anyway, because coverity hasn't noticed other
such clear range checks.
1448175: len is range checked just before the call to memcpy(),
which is what coverity says should be done. Annotated.
1503937: the check of p effectively sanity checks count; annotated.
1503954: before the fr_pair_tlvs_from_network() call, option_len
is indeed checked; annotated.
1503968: length is checked; perhaps coverity doesn't recognize
that (option + 4 + length) > end is equivalent to
length > end - (option + 4). Annotated.
Co-authored-by: Alan DeKok <aland@freeradius.org>
return;
}
#endif
- }
- if ((version == 4) && conf->verify_udp_checksum) {
- uint16_t expected;
-
- expected = fr_udp_checksum((uint8_t const *) udp, ntohs(udp->len), udp->checksum,
- ip->ip_src, ip->ip_dst);
- if (udp->checksum != expected) {
- REDEBUG("UDP checksum invalid, packet: 0x%04hx calculated: 0x%04hx",
- ntohs(udp->checksum), ntohs(expected));
+ if ((version == 4) && conf->verify_udp_checksum) {
+ uint16_t expected;
+
+ /* coverity[tainted_data] */
+ expected = fr_udp_checksum((uint8_t const *) udp, udp_len, udp->checksum,
+ ip->ip_src, ip->ip_dst);
+ if (udp->checksum != expected) {
+ REDEBUG("UDP checksum invalid, packet: 0x%04hx calculated: 0x%04hx",
+ ntohs(udp->checksum), ntohs(expected));
/* Not a fatal error */
+ }
}
}
p += sizeof(udp_header_t);
client_id = fr_dhcpv6_option_find(request->packet->data + 4, request->packet->data + request->packet->data_len, attr_client_id->attr);
if (client_id) {
- size_t len = (client_id[2] << 8) | client_id[3];
+ size_t len = fr_nbo_to_uint16(client_id + 2);
if ((data_len + 4 + len) <= buffer_len) {
+ /* coverity[tainted_data} */
memcpy(buffer + data_len, client_id, 4 + len);
data_len += 4 + len;
}
}
p++;
+ /* coverity[tainted_data] */
len = fr_pair_tlvs_from_network(ctx, out, vendor, p, option_len, decode_ctx, decode_option, verify_tlvs, false);
if (len <= 0) return len;
break;
}
+ /* coverity[tainted_data] */
print_hex_data(fp, option + 4, length, depth + 3);
if ((option[0] == 0) && (option[1] == attr_relay_message->attr)) {
dhcpv6_print_hex(fp, option + 4, length, depth + 2);
count = fr_nbo_to_uint16(counter);
FR_PROTO_TRACE("Decoding %u of %s", count, attr->name);
+ /* coverity[tainted_data] */
for (i = 0; i < count; i++) {
ssize_t slen;
fprintf(fp, "\t\t%08x %04x ", id, length);
+ /* coverity[tainted_data] */
print_hex_data(attr + 6, length - 6, 3);
}
}
projects / thirdparty / freeradius-server.git / commitdiff
