[CDRIVER-3061] Coverity analysis defect 112395: Untrusted value as argument
Created: 01/Apr/19  Updated: 10/Feb/23

Status: Backlog
Project: C Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Coverity Collector User
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Epic Link: CDRIVER-4575

Description

An unscrutinized value from an untrusted source used as argument to a function (for example, a buffer size)

Defect 112395 (STATIC_C)
Checker TAINTED_SCALAR (subcategory critical_argument)
File: /src/tools/mongoc-stat.c
Function mongoc_counters_new_from_pid
/src/tools/mongoc-stat.c, line: 103
Calling function "pread" taints argument "len".

       if (4 != pread (fd, &len, 4, 0)) {

/src/tools/mongoc-stat.c, line: 113
Assigning: "size" = "len". Both are now tainted.

       size = len;

/src/tools/mongoc-stat.c, line: 115
Passing tainted variable "size" to a tainted sink.

       if (MAP_FAILED == (mem = mmap (NULL, size, PROT_READ, MAP_SHARED, fd, 0))) {
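
An added example (not code from this issue or from the C driver) showing one way to sanitize the tainted length between the `pread` and the `mmap` sink, so the flow Coverity traces above is broken by an explicit bounds check. The names `map_checked`, `demo` and `MAX_SEGMENT_SIZE`, the 64 MiB cap and the temporary-file sample are assumptions, and the example takes the 4-byte size header at face value, as mongoc-stat.c does.

```c
#define _XOPEN_SOURCE 700
#include <stdint.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_SEGMENT_SIZE (64u * 1024u * 1024u) /* assumed sanity cap */

/* Map a segment whose first 4 bytes claim its size; NULL if the claim is rejected. */
static void *
map_checked (int fd, size_t *out_size)
{
   uint32_t len;
   struct stat st;
   void *mem;
   if (4 != pread (fd, &len, 4, 0) || 0 != fstat (fd, &st)) {
      return NULL;
   }
   /* Sanitize the tainted header: it must cover itself, stay under the cap and
    * fit inside the file, because touching pages mapped past EOF raises SIGBUS. */
   if (len < 4 || len > MAX_SEGMENT_SIZE || (off_t) len > st.st_size) {
      return NULL;
   }
   *out_size = len;
   mem = mmap (NULL, (size_t) len, PROT_READ, MAP_SHARED, fd, 0);
   return MAP_FAILED == mem ? NULL : mem;
}

/* Constructed sample: an `actual`-byte temp file whose header claims `claimed`.
 * Returns 1 if the segment was mapped, 0 if rejected, -1 on setup failure. */
static int
demo (uint32_t claimed, off_t actual)
{
   char path[] = "/tmp/segXXXXXX";
   int fd = mkstemp (path);
   size_t size = 0;
   int ok = -1;
   if (fd < 0) {
      return ok;
   }
   unlink (path);
   if (0 == ftruncate (fd, actual) && 4 == pwrite (fd, &claimed, 4, 0)) {
      void *mem = map_checked (fd, &size);
      ok = (mem != NULL) && 0 == munmap (mem, size);
   }
   close (fd);
   return ok;
}
```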



Comments
Comment by Kevin Albertson [ 01/Apr/19 ]

mongoc-stat.c reads the first four bytes of the shared memory counter segment to get the size. But I don't think mongoc-counters.c writes the size as the first four bytes. We might have to expose mongoc_counters_calc_size.
