gpgme static analysis findings

Michal Hlavinka mhlavink at redhat.com
Mon Jul 15 18:17:59 CEST 2024 

Hi,

we've started to run static analysis on some system components including 
gpgme where the scanner reported a few issues:


1) in src/engine.c
"""
"Error: OVERRUN (CWE-119):
src/engine.c:121: cond_between: Checking ""proto > 7UL"" implies that 
""proto"" is between 0 and 7 (inclusive) on the false branch.
src/engine.c:125: overrun-local: Overrunning array ""engine_ops"" of 7 
8-byte elements at element index 7 (byte offset 63) using index 
""proto"" (which evaluates to 7).
#  123|
#  124|     if (engine_ops[proto] && engine_ops[proto]->get_req_version)
#  125|->     return (*engine_ops[proto]->get_req_version) ();
#  126|     else
#  127|       return NULL;"
"""

121:   if (proto > DIM (engine_ops))

this checks if 'proto' is bigger than number of elements in engine_ops

DIM is defined in util.h:
44: #define DIM(v) (sizeof(v)/sizeof((v)[0]))

the above condition allows for proto = DIM(engine_ops)
which later at:
125:    return (*engine_ops[proto]->get_req_version) ();
allows to access (proto+1)th element

seems that the condition should actually be proto >= DIM(engine_ops)

the same condition check is present several times:
at engine_get_file_name (...) line 76,
at engine_get_home_dir (...) line 90,
at engine_get_version (...) line 106,
at engine_get_req_version (...) line 121,
at _gpgme_set_engine_info (...) line 406





2) in src/gpgme-tool.c
simple list assignment as used at gt_get_keylist_mode () does not 
prevent out of bound access.

"""
Error: OVERRUN (CWE-119):
src/gpgme-tool.c:1445: assignment: Assigning: ""idx"" = ""0"".
src/gpgme-tool.c:1449: incr: Incrementing ""idx"". The value of ""idx"" 
is now 1.
src/gpgme-tool.c:1451: incr: Incrementing ""idx"". The value of ""idx"" 
is now 2.
src/gpgme-tool.c:1453: incr: Incrementing ""idx"". The value of ""idx"" 
is now 3.
src/gpgme-tool.c:1455: incr: Incrementing ""idx"". The value of ""idx"" 
is now 4.
src/gpgme-tool.c:1457: incr: Incrementing ""idx"". The value of ""idx"" 
is now 5.
src/gpgme-tool.c:1459: incr: Incrementing ""idx"". The value of ""idx"" 
is now 6.
src/gpgme-tool.c:1461: incr: Incrementing ""idx"". The value of ""idx"" 
is now 7.
src/gpgme-tool.c:1463: incr: Incrementing ""idx"". The value of ""idx"" 
is now 8.
src/gpgme-tool.c:1464: overrun-local: Overrunning array ""modes"" of 7 
8-byte elements at element index 8 (byte offset 71) using index 
""idx++"" (which evaluates to 8).
# 1462|     if (mode & GPGME_KEYLIST_MODE_FORCE_EXTERN)
# 1463|       modes[idx++] = ""force_extern"";
# 1464|->   modes[idx++] = NULL;
# 1465|
# 1466|     gt_write_status (gt, STATUS_KEYLIST_MODE, modes[0], 
modes[1], modes[2],
"""


Let me know if you need more information.

Cheers,
Michal Hlavinka

More information about the Gnupg-devel mailing list