[SERVER-50244] Coverity analysis defect 111435: Out-of-bounds access Created: 11/Aug/20  Updated: 27/Oct/23  Resolved: 03/Sep/20

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Coverity Collector User Assignee: Mark Benvenuto
Resolution: Works as Designed Votes: 0
Labels: coverity
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Sprint: Security 2020-09-07
Participants:

 Description   

Out-of-bounds access

Memory not owned by this buffer will be accessed, causing memory corruption or incorrect computations. Access of memory past the end of a memory buffer
/src/mongo/util/net/ssl/detail/buffered_handshake_op.hpp:37: ARRAY_VS_SINGLETON 111435 Taking address with "this->buffers_" yields a singleton pointer.



 Comments   
Comment by Mark Benvenuto [ 03/Sep/20 ]

Here is the analysis from Coverity as to why it complained.

For In asio::​ssl::​detail::​buffered_handshake_op<asio::​mutable_buffers_1>::​operator ()(asio::​ssl::​detail::​engine &, std::​error_code &, unsigned long &): Access of memory past the end of a memory buffer (CWE-119)

53    engine::want process(engine& eng,
54                         asio::error_code& ec,
55                         std::size_t& bytes_transferred,
56                         Iterator begin,
57                         Iterator end) const {
  	1. var_assign_parm: Assigning: iter = begin.
58        Iterator iter = begin;
59        std::size_t accumulated_size = 0;
60
  	2. Condition true, taking true branch.
61        for (;;) {
62            engine::want want = eng.handshake(type_, ec);
  	3. Condition want != asio::ssl::detail::engine::want_input_and_retry, taking false branch.
  	4. Condition bytes_transferred == this->total_buffer_size_, taking false branch.
63            if (want != engine::want_input_and_retry || bytes_transferred == total_buffer_size_)
64                return want;
65
66            // Find the next buffer piece to be fed to the engine.
  	5. Condition iter != end, taking true branch.
67            while (iter != end) {
68                const_buffer buffer(*iter);
69
70                // Skip over any buffers which have already been consumed by the engine.
  	6. Condition bytes_transferred >= accumulated_size + buffer.size(), taking true branch.
71                if (bytes_transferred >= accumulated_size + buffer.size()) {
72                    accumulated_size += buffer.size();
  	7. ptr_arith: Performing pointer arithmetic on iter in expression ++iter.
73                    ++iter;
74                    continue;
75                }
76
77                // The current buffer may have been partially consumed by the engine on
78                // a previous iteration. If so, adjust the buffer to point to the
79                // unused portion.
80                if (bytes_transferred > accumulated_size)
81                    buffer = buffer + (bytes_transferred - accumulated_size);
82
83                // Pass the buffer to the engine, and update the bytes transferred to
84                // reflect the total number of bytes consumed so far.
85                bytes_transferred += buffer.size();
86                buffer = eng.put_input(buffer);
87                bytes_transferred -= buffer.size();
88                break;
89            }
90        }
91    }

It complains that line 73 is accessing a singleton pointer. It is not. It is accessing a member variable and the the continue on 74 will ensure that the check on 67 is run before iter is touched again. This way, there is never any out of bounds access made to the value of iter.

Generated at Thu Feb 08 05:22:09 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.