CID 453470: Use after free in lib/ns/client.c
Coverity Scan reports a use-after-free in lib/ns/client.c. The event trace below is the tool's own output; it flags the same pattern in both arms of the `switch (client->manager->sctx->cookiealg)` statement: a raw pointer `cp` is taken into `buf` with `isc_buffer_used(buf)`, several `isc_buffer_put*` calls append to `buf`, and `cp` is then read back by `memmove(input, cp, 16)`.
1. Switch case value `ns_cookiealg_aes` is taken (the event list below starts from the AES arm; the `ns_cookiealg_siphash24` arm above it is flagged for the same reason at its own `memmove(input, cp, 16)`).
1146 switch (client->manager->sctx->cookiealg) {
1147 case ns_cookiealg_siphash24: {
1148 unsigned char input[16 + 16] ISC_NONSTRING = { 0 };
1149 size_t inputlen = 0;
1150 isc_netaddr_t netaddr;
1151 unsigned char *cp;
1152
1153 cp = isc_buffer_used(buf);
1154 isc_buffer_putmem(buf, client->cookie, 8);
1155 isc_buffer_putuint8(buf, NS_COOKIE_VERSION_1);
1156 isc_buffer_putuint8(buf, 0); /* Reserved */
1157 isc_buffer_putuint16(buf, 0); /* Reserved */
1158 isc_buffer_putuint32(buf, when);
1159
CID 453470 (2) (#1-3 of 4): Use after free (USE_AFTER_FREE) — same `cp` pattern as in the AES arm: `cp` was captured before the four `isc_buffer_put*` calls above and is dereferenced by the `memmove` on the next line.
1160 memmove(input, cp, 16);
1161
1162 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
1163 switch (netaddr.family) {
1164 case AF_INET:
1165 cp = (unsigned char *)&netaddr.type.in;
1166 memmove(input + 16, cp, 4);
1167 inputlen = 20;
1168 break;
1169 case AF_INET6:
1170 cp = (unsigned char *)&netaddr.type.in6;
1171 memmove(input + 16, cp, 16);
1172 inputlen = 32;
1173 break;
1174 default:
1175 UNREACHABLE();
1176 }
1177
1178 isc_siphash24(secret, input, inputlen, true, digest);
1179 isc_buffer_putmem(buf, digest, 8);
1180 break;
1181 }
1182 case ns_cookiealg_aes: {
1183 unsigned char input[4 + 4 + 16] ISC_NONSTRING = { 0 };
1184 isc_netaddr_t netaddr;
1185 unsigned char *cp;
1186 unsigned int i;
1187
2. assign: Assigning `cp = (void *)((unsigned char *)buf->base + buf->used)` — this is `isc_buffer_used(buf)` expanded. `cp` is a raw pointer into the buffer's current backing storage, so it is only valid for as long as `buf->base` is not reallocated.
1188 cp = isc_buffer_used(buf);
1189 isc_buffer_putmem(buf, client->cookie, 8);
1190 isc_buffer_putuint32(buf, nonce);
3. freed_arg: Coverity treats `isc_buffer_putuint32` as able to free `buf->base` — presumably because the put path can reallocate the backing storage when a growable buffer runs out of room. Whether that can actually happen here depends on how the caller created `buf` (fixed-size vs. auto-growing), which is outside this listing.
1191 isc_buffer_putuint32(buf, when);
CID 453470 (#2-4 of 4): Use after free (USE_AFTER_FREE)
deref_arg: the `memmove` on the next line reads 16 bytes through `cp`, which was captured before the three put calls; if any of those puts reallocated `buf->base`, this is a read from freed memory and the cookie digest would be computed over stale bytes. Coverity notes that its verdict for `memmove` comes from a builtin model rather than the library source. If `buf` can grow, the robust fix is to never carry a pointer into `buf` across a put call: either re-derive the pointer from `buf->base` plus the recorded offset after the puts, or assemble the 16 input bytes in the local `input` array first (same big-endian encoding the put calls use) and copy them into `buf` with a single `isc_buffer_putmem`. If `buf` is fixed-size, the report is a false positive, but the same restructuring removes the fragility at no cost.
1192 memmove(input, cp, 16);
Note: this may not be a new defect in the code; it may simply be a finding that the newer Coverity Scan 2022.12 analysis is now able to report. The `cp` / `isc_buffer_put*` / `memmove` pattern exists in both switch arms, so any fix should cover both.