From a2e7f72c3c879c656ff3540dcaae07bf466f2b7e Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 24 Mar 2021 15:13:53 +0100 Subject: [PATCH] Fix coverity issues for openssh (#1938831) --- openssh-6.7p1-coverity.patch | 412 +++++++++++++++++++++++++++++++++++ 1 file changed, 412 insertions(+) diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch index 5b75dda..f29d8cf 100644 --- a/openssh-6.7p1-coverity.patch +++ b/openssh-6.7p1-coverity.patch @@ -1,3 +1,79 @@ +diff -up openssh-8.5p1/addr.c.coverity openssh-8.5p1/addr.c +--- openssh-8.5p1/addr.c.coverity 2021-03-02 11:31:47.000000000 +0100 ++++ openssh-8.5p1/addr.c 2021-03-24 12:03:33.782968159 +0100 +@@ -312,8 +312,10 @@ addr_pton(const char *p, struct xaddr *n + if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0) + return -1; + +- if (ai == NULL || ai->ai_addr == NULL) ++ if (ai == NULL || ai->ai_addr == NULL) { ++ freeaddrinfo(ai); + return -1; ++ } + + if (n != NULL && addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen, + n) == -1) { +@@ -336,12 +338,16 @@ addr_sa_pton(const char *h, const char * + if (h == NULL || getaddrinfo(h, s, &hints, &ai) != 0) + return -1; + +- if (ai == NULL || ai->ai_addr == NULL) ++ if (ai == NULL || ai->ai_addr == NULL) { ++ freeaddrinfo(ai); + return -1; ++ } + + if (sa != NULL) { +- if (slen < ai->ai_addrlen) ++ if (slen < ai->ai_addrlen) { ++ freeaddrinfo(ai); + return -1; ++ } + memcpy(sa, &ai->ai_addr, ai->ai_addrlen); + } + +diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c +--- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100 ++++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100 +@@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx, + umask(old_umask); + if (tmpfd == -1) { + logit("mkstemp(): %.100s", strerror(oerrno)); ++ free(ccname); + return oerrno; + } + +@@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx, + oerrno = errno; + logit("fchmod(): %.100s", strerror(oerrno)); + close(tmpfd); ++ free(ccname); + return oerrno; + } + /* make sure the KRB5CCNAME is set for non-standard location */ +diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c +--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100 ++++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100 +@@ -409,8 +409,10 @@ sshauthopt_parse(const char *opts, const + errstr = "invalid environment string"; + goto fail; + } +- if ((cp = strdup(opt)) == NULL) ++ if ((cp = strdup(opt)) == NULL) { ++ free(opt); + goto alloc_fail; ++ } + cp[tmp - opt] = '\0'; /* truncate at '=' */ + if (!valid_env_name(cp)) { + free(cp); +@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char * + return r; + } + /* success */ ++ sshbuf_free(b); + return 0; + } + diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c --- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100 +++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100 @@ -16,6 +92,193 @@ diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c set_nonblock(efd); } } +@@ -1875,7 +1875,7 @@ channel_post_connecting(struct ssh *ssh, + debug("channel %d: connection failed: %s", + c->self, strerror(err)); + /* Try next address, if any */ +- if ((sock = connect_next(&c->connect_ctx)) > 0) { ++ if ((sock = connect_next(&c->connect_ctx)) >= 0) { + close(c->sock); + c->sock = c->rfd = c->wfd = sock; + channel_find_maxfd(ssh->chanctxt); +@@ -3804,7 +3804,7 @@ int + channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd) + { + int r, success = 0, idx = -1; +- char *host_to_connect, *listen_host, *listen_path; ++ char *host_to_connect = NULL, *listen_host = NULL, *listen_path = NULL; + int port_to_connect, listen_port; + + /* Send the forward request to the remote side. */ +@@ -3832,7 +3832,6 @@ channel_request_remote_forwarding(struct + success = 1; + if (success) { + /* Record that connection to this host/port is permitted. */ +- host_to_connect = listen_host = listen_path = NULL; + port_to_connect = listen_port = 0; + if (fwd->connect_path != NULL) { + host_to_connect = xstrdup(fwd->connect_path); +@@ -3853,6 +3852,9 @@ channel_request_remote_forwarding(struct + host_to_connect, port_to_connect, + listen_host, listen_path, listen_port, NULL); + } ++ free(host_to_connect); ++ free(listen_host); ++ free(listen_path); + return idx; + } + +diff -up openssh-8.5p1/compat.c.coverity openssh-8.5p1/compat.c +--- openssh-8.5p1/compat.c.coverity 2021-03-24 12:03:33.768968062 +0100 ++++ openssh-8.5p1/compat.c 2021-03-24 12:03:33.783968166 +0100 +@@ -191,10 +191,12 @@ compat_kex_proposal(struct ssh *ssh, cha + return p; + debug2_f("original KEX proposal: %s", p); + if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) ++ /* coverity[overwrite_var : FALSE] */ + if ((p = match_filter_denylist(p, + "curve25519-sha256@libssh.org")) == NULL) + fatal("match_filter_denylist failed"); + if ((ssh->compat & SSH_OLD_DHGEX) != 0) { ++ /* coverity[overwrite_var : FALSE] */ + if ((p = match_filter_denylist(p, + "diffie-hellman-group-exchange-sha256," + "diffie-hellman-group-exchange-sha1")) == NULL) +diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c +--- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100 ++++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100 +@@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname + &hostkey_digest_len, hostkey)) { + error("Error calculating key fingerprint."); + freerrset(fingerprints); ++ free(dnskey_digest); + return -1; + } + } +diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c +--- openssh-8.5p1/gss-genr.c.coverity 2021-03-24 13:32:05.030213908 +0100 ++++ openssh-8.5p1/gss-genr.c 2021-03-24 13:42:50.967034823 +0100 +@@ -167,7 +167,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup + enclen = __b64_ntop(digest, + ssh_digest_bytes(SSH_DIGEST_MD5), encoded, + ssh_digest_bytes(SSH_DIGEST_MD5) * 2); +- ++ /* coverity[-Wstringop-overflow: FALSE]*/ + cp = strncpy(s, kex, strlen(kex)); + for ((p = strsep(&cp, ",")); p && *p != '\0'; + (p = strsep(&cp, ","))) { +diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c +--- openssh-8.5p1/kexgssc.c.coverity 2021-03-24 12:03:33.711967665 +0100 ++++ openssh-8.5p1/kexgssc.c 2021-03-24 12:03:33.783968166 +0100 +@@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh) + default: + fatal_f("Unexpected KEX type %d", kex->kex_type); + } +- if (r != 0) ++ if (r != 0) { ++ ssh_gssapi_delete_ctx(&ctxt); + return r; ++ } + + token_ptr = GSS_C_NO_BUFFER; + +diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c +--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100 ++++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100 +@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st + sshkey_free(key); + sshbuf_free(copy); + sshbuf_free(sect); ++ /* coverity[leaked_storage : FALSE] */ + return r; + } + +@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons + return r; + erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); + free(rb.blob); ++ rb.blob = NULL; /* make coverity happy */ + if (erb != NULL) { + KRL_DBG(("revoked by key SHA1")); + return SSH_ERR_KEY_REVOKED; +@@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, cons + return r; + erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb); + free(rb.blob); ++ rb.blob = NULL; /* make coverity happy */ + if (erb != NULL) { + KRL_DBG(("revoked by key SHA256")); + return SSH_ERR_KEY_REVOKED; +@@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, cons + return r; + erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); + free(rb.blob); ++ rb.blob = NULL; /* make coverity happy */ + if (erb != NULL) { + KRL_DBG(("revoked by explicit key")); + return SSH_ERR_KEY_REVOKED; +diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c +--- openssh-8.5p1/loginrec.c.coverity 2021-03-24 13:18:53.793225885 +0100 ++++ openssh-8.5p1/loginrec.c 2021-03-24 13:21:27.948404751 +0100 +@@ -690,9 +690,11 @@ construct_utmp(struct logininfo *li, + */ + + /* Use strncpy because we don't necessarily want null termination */ ++ /* coverity[buffer_size_warning : FALSE] */ + strncpy(ut->ut_name, li->username, + MIN_SIZEOF(ut->ut_name, li->username)); + # ifdef HAVE_HOST_IN_UTMP ++ /* coverity[buffer_size_warning : FALSE] */ + strncpy(ut->ut_host, li->hostname, + MIN_SIZEOF(ut->ut_host, li->hostname)); + # endif +@@ -1690,6 +1692,7 @@ record_failed_login(struct ssh *ssh, con + + memset(&ut, 0, sizeof(ut)); + /* strncpy because we don't necessarily want nul termination */ ++ /* coverity[buffer_size_warning : FALSE] */ + strncpy(ut.ut_user, username, sizeof(ut.ut_user)); + strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line)); + +@@ -1699,6 +1702,7 @@ record_failed_login(struct ssh *ssh, con + ut.ut_pid = getpid(); + + /* strncpy because we don't necessarily want nul termination */ ++ /* coverity[buffer_size_warning : FALSE] */ + strncpy(ut.ut_host, hostname, sizeof(ut.ut_host)); + + if (ssh_packet_connection_is_on_socket(ssh) && +diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c +--- openssh-8.5p1/misc.c.coverity 2021-03-24 12:03:33.745967902 +0100 ++++ openssh-8.5p1/misc.c 2021-03-24 13:31:47.037079617 +0100 +@@ -1425,6 +1425,8 @@ sanitise_stdfd(void) + } + if (nullfd > STDERR_FILENO) + close(nullfd); ++ /* coverity [leaked_handle : FALSE]*/ ++ /* coverity [leaked_handle : FALSE]*/ + } + + char * +@@ -2511,6 +2513,7 @@ stdfd_devnull(int do_stdin, int do_stdou + } + if (devnull > STDERR_FILENO) + close(devnull); ++ /* coverity [leaked_handle : FALSE]*/ + return ret; + } + +diff -up openssh-8.5p1/moduli.c.coverity openssh-8.5p1/moduli.c +--- openssh-8.5p1/moduli.c.coverity 2021-03-02 11:31:47.000000000 +0100 ++++ openssh-8.5p1/moduli.c 2021-03-24 12:03:33.784968173 +0100 +@@ -476,6 +476,7 @@ write_checkpoint(char *cpfile, u_int32_t + else + logit("failed to write to checkpoint file '%s': %s", cpfile, + strerror(errno)); ++ /* coverity[leaked_storage : FALSE] */ + } + + static unsigned long diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c --- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100 +++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100 @@ -28,6 +291,15 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c ; if (pmonitor->m_recvfd >= 0) +@@ -1678,7 +1678,7 @@ mm_answer_pty(struct ssh *ssh, int sock, + s->ptymaster = s->ptyfd; + + debug3_f("tty %s ptyfd %d", s->tty, s->ttyfd); +- ++ /* coverity[leaked_handle : FALSE] */ + return (0); + + error: diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c --- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100 +++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100 @@ -57,6 +329,17 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open int i; if (sa == NULL) { +diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c +--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100 ++++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100 +@@ -1847,6 +1847,7 @@ parse_pubkey_algos: + } else if (r != 0) { + error("%.200s line %d: glob failed for %s.", + filename, linenum, arg2); ++ free(arg2); + return -1; + } + free(arg2); diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c --- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100 +++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100 @@ -132,6 +415,24 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c if (tun != SSH_TUNID_ANY && auth_opts->force_tun_device != (int)tun) goto done; +diff -up openssh-8.5p1/session.c.coverity openssh-8.5p1/session.c +--- openssh-8.5p1/session.c.coverity 2021-03-24 12:03:33.777968124 +0100 ++++ openssh-8.5p1/session.c 2021-03-24 12:03:33.786968187 +0100 +@@ -1223,12 +1223,14 @@ do_setup_env(struct ssh *ssh, Session *s + /* Environment specified by admin */ + for (i = 0; i < options.num_setenv; i++) { + cp = xstrdup(options.setenv[i]); ++ /* coverity[overwrite_var : FALSE] */ + if ((value = strchr(cp, '=')) == NULL) { + /* shouldn't happen; vars are checked in servconf.c */ + fatal("Invalid config SetEnv: %s", options.setenv[i]); + } + *value++ = '\0'; + child_set_env(&env, &envsize, cp, value); ++ free(cp); + } + + /* SSH_CLIENT deprecated */ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c --- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100 @@ -144,9 +445,45 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c } _exit(1); +@@ -762,6 +762,8 @@ process_put(struct sftp_conn *conn, cons + fflag || global_fflag) == -1) + err = -1; + } ++ free(abs_dst); ++ abs_dst = NULL; + } + + out: +@@ -985,6 +987,7 @@ do_globbed_ls(struct sftp_conn *conn, co + if (lflag & LS_LONG_VIEW) { + if (g.gl_statv[i] == NULL) { + error("no stat information for %s", fname); ++ free(fname); + continue; + } + lname = ls_file(fname, g.gl_statv[i], 1, +diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c +--- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100 ++++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100 +@@ -1256,6 +1256,7 @@ sk_load_resident_keys(const char *pin, s + freezero(rks[i], sizeof(*rks[i])); + } + free(rks); ++ free(device); + return ret; + } + diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c --- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100 +@@ -869,6 +869,7 @@ sanitize_pkcs11_provider(const char *pro + + if (pkcs11_uri_parse(provider, uri) != 0) { + error("Failed to parse PKCS#11 URI"); ++ pkcs11_uri_cleanup(uri); + return NULL; + } + /* validate also provider from URI */ @@ -1220,8 +1220,8 @@ main(int ac, char **av) sanitise_stdfd(); @@ -158,6 +495,17 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c platform_disable_tracing(0); /* strict=no */ +diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c +--- openssh-8.5p1/ssh.c.coverity 2021-03-24 12:03:33.779968138 +0100 ++++ openssh-8.5p1/ssh.c 2021-03-24 12:03:33.786968187 +0100 +@@ -1746,6 +1746,7 @@ control_persist_detach(void) + close(muxserver_sock); + muxserver_sock = -1; + options.control_master = SSHCTL_MASTER_NO; ++ /* coverity[leaked_handle: FALSE]*/ + muxclient(options.control_path); + /* muxclient() doesn't return on success. */ + fatal("Failed to connect to new control master"); diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c --- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100 +++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100 @@ -183,3 +531,67 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c } /* +@@ -2474,7 +2479,7 @@ do_ssh2_kex(struct ssh *ssh) + if (options.rekey_limit || options.rekey_interval) + ssh_packet_set_rekey_limits(ssh, options.rekey_limit, + options.rekey_interval); +- ++ /* coverity[leaked_storage : FALSE]*/ + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( + ssh, list_hostkey_types()); + +@@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh) + + if (newstr) + myproposal[PROPOSAL_KEX_ALGS] = newstr; +- else ++ else { + fatal("No supported key exchange algorithms"); ++ free(gss); ++ } ++ /* coverity[leaked_storage: FALSE]*/ + } + #endif + +diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c +--- openssh-8.5p1/ssh-keygen.c.coverity 2021-03-24 12:03:33.780968145 +0100 ++++ openssh-8.5p1/ssh-keygen.c 2021-03-24 12:03:33.787968194 +0100 +@@ -2332,6 +2332,9 @@ update_krl_from_file(struct passwd *pw, + r = ssh_krl_revoke_key_sha256(krl, blob, blen); + if (r != 0) + fatal_fr(r, "revoke key failed"); ++ freezero(blob, blen); ++ blob = NULL; ++ blen = 0; + } else { + if (strncasecmp(cp, "key:", 4) == 0) { + cp += 4; +@@ -2879,6 +2882,7 @@ do_moduli_screen(const char *out_file, c + } else if (strncmp(opts[i], "start-line=", 11) == 0) { + start_lineno = strtoul(opts[i]+11, NULL, 10); + } else if (strncmp(opts[i], "checkpoint=", 11) == 0) { ++ free(checkpoint); + checkpoint = xstrdup(opts[i]+11); + } else if (strncmp(opts[i], "generator=", 10) == 0) { + generator_wanted = (u_int32_t)strtonum( +@@ -2920,6 +2924,9 @@ do_moduli_screen(const char *out_file, c + #else /* WITH_OPENSSL */ + fatal("Moduli screening is not supported"); + #endif /* WITH_OPENSSL */ ++ free(checkpoint); ++ if (in != stdin) ++ fclose(in); + } + + static char * +diff -up openssh-8.5p1/sshsig.c.coverity openssh-8.5p1/sshsig.c +--- openssh-8.5p1/sshsig.c.coverity 2021-03-02 11:31:47.000000000 +0100 ++++ openssh-8.5p1/sshsig.c 2021-03-24 12:03:33.787968194 +0100 +@@ -515,6 +515,7 @@ hash_file(int fd, const char *hashalg, s + oerrno = errno; + error_f("read: %s", strerror(errno)); + ssh_digest_free(ctx); ++ ctx = NULL; + errno = oerrno; + r = SSH_ERR_SYSTEM_ERROR; + goto out;