intel / intel-ipsec-mb

Intel(R) Multi-Buffer Crypto for IPSec
BSD 3-Clause "New" or "Revised" License

Uninitialized pointer reads on arrays pSrcData and pDstData #54

Closed ColinIanKing closed 4 years ago

ColinIanKing commented 4 years ago

Potential frees of uninitialized array elements in zuc_test(), test/zuc_test.c

Static analysis is reporting that accesses to arrays pSrcData and pDstData may be referencing elements that have not been initialized on the freePtrArray calls:

```
int zuc_test(struct IMB_MGR *mb_mgr)
{

        const uint32_t numBuffs[] = {4, 8, 9, 16, 17};
        uint32_t i;
        uint32_t status = PASS_STATUS;
        uint8_t *pKeys[MAXBUFS];
        uint8_t *pIV[MAXBUFS];
        uint8_t *pSrcData[MAXBUFS];
   1. var_decl: Declaring variable pDstData without initializer.
        uint8_t *pDstData[MAXBUFS];

        printf("Running Functional Tests\n");
        fflush(stdout);

        /*Create test data buffers + populate with random data*/
   2. Condition createData(pSrcData, 17), taking false branch.
        if (createData(pSrcData, MAXBUFS)) {
                printf("createData() error\n");
                return FAIL_STATUS;
        }
   3. Condition createData(pDstData, 17), taking false branch.
        if (createData(pDstData, MAXBUFS)) {
                printf("createData() error\n");
                return FAIL_STATUS;
        }

        /*Create random keys and vectors*/
   4. Condition createKeyVecData(16, pKeys, 16, pIV, 17), taking true branch.
        if (createKeyVecData(ZUC_KEY_LEN_IN_BYTES, pKeys, ZUC_IV_LEN_IN_BYTES,
                             pIV, MAXBUFS)) {
                printf("createKeyVecData() error\n");
   CID 99600: Uninitialized pointer read (UNINIT)
                freePtrArray(pSrcData, MAXBUFS);
   CID 99597 (#1 of 1): Uninitialized scalar variable (UNINIT)
   5. uninit_use_in_call: Using uninitialized element of array pDstData when calling freePtrArray.
                freePtrArray(pDstData, MAXBUFS);
                return FAIL_STATUS;
        }
```

I suspect memset'ing these arrays at the start of the function is a simple fix.
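The suggested fix, sketched as an added example that is not part of the original issue or the project's code: the pointer arrays are zeroed before any call that can fail, so a single cleanup path can free them after a partial failure. `alloc_bufs`, `free_bufs` and `run_setup` are hypothetical stand-ins for the test's helpers, and `NBUFS` and the buffer size are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBUFS 17 /* constructed value, matching the count in the trace */

/* Hypothetical allocator: fills slots [0, fail_at), then fails mid-array. */
static int alloc_bufs(uint8_t *ptrs[], uint32_t n, uint32_t fail_at)
{
        for (uint32_t i = 0; i < n; i++) {
                if (i == fail_at || (ptrs[i] = malloc(64)) == NULL)
                        return 1; /* later slots stay as the caller left them */
        }
        return 0;
}

/* Hypothetical cleanup: frees every slot and returns how many were non-NULL.
 * Only safe when untouched slots are NULL, because free(NULL) is a no-op. */
static uint32_t free_bufs(uint8_t *ptrs[], uint32_t n)
{
        uint32_t freed = 0;
        for (uint32_t i = 0; i < n; i++) {
                freed += (ptrs[i] != NULL);
                free(ptrs[i]);
                ptrs[i] = NULL;
        }
        return freed;
}

/* Second allocation fails after fail_at buffers; one cleanup path for both. */
uint32_t run_setup(uint32_t fail_at)
{
        uint8_t *src[NBUFS];
        uint8_t *dst[NBUFS];
        /* Zero both arrays first (all-bits-zero is NULL on mainstream ABIs). */
        memset(src, 0, sizeof(src));
        memset(dst, 0, sizeof(dst));
        if (alloc_bufs(src, NBUFS, NBUFS) == 0)
                (void)alloc_bufs(dst, NBUFS, fail_at);
        return free_bufs(src, NBUFS) + free_bufs(dst, NBUFS);
}

int main(void)
{
        printf("released %u buffers\n", (unsigned)run_setup(5));
        return 0;
}
```

Without the two `memset` calls, the slots past `fail_at` in `dst` would hold indeterminate values and `free_bufs` would pass them to `free()`.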

pablodelara commented 4 years ago

Thanks for reporting it, @ColinIanKing. Will fix this shortly.

ColinIanKing commented 4 years ago

Thanks!