mouse07410 / asn1c

The ASN.1 Compiler
http://lionet.info/asn1c/
BSD 2-Clause "Simplified" License

Several defects detected by coverity #186

Open pespin opened 3 months ago

pespin commented 3 months ago

I recently updated the generated asn1 code in osmo-cbc [1] using current branch mouse07410/vlm_master (https://github.com/mouse07410/asn1c/commit/12b8e555b971c745ea715cb247f39120fa15f7f0).

osmo-cbc is being monitored by Coverity as part of the osmocom project [2].

The asn1c-generated code changes to osmo-cbc triggered a new scan from Coverity, which reported the new defects below. I paste the email report as I received it.

[1] https://gitea.osmocom.org/cellular-infrastructure/osmo-cbc/commit/538bc4c69943cd031a4dc2c74ad6f30d5e5cd0b6
[2] https://scan.coverity.com/projects/osmocom

Hi,

Please find the latest report on new defect(s) introduced to Osmocom found with Coverity Scan.

3 new defect(s) introduced to Osmocom found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)

** CID 356785:  Integer handling issues  (BAD_SHIFT)
/source-Osmocom/osmo-cbc/src/sbcap/gen/aper_support.c: 345 in aper_put_constrained_whole_number()

________________________________________________________________________________________________________
*** CID 356785:  Integer handling issues  (BAD_SHIFT)
/source-Osmocom/osmo-cbc/src/sbcap/gen/aper_support.c: 345 in aper_put_constrained_whole_number()
339     
340             /* X.691 2002 10.5.7.4 - The indefinite length case. */
341             /* since we limit input to be 'long' we don't handle all numbers */
342             /* and so length determinant is stored as X.691 2002 10.9.3.3 */
343             /* number of bytes to store the range */
344             for (range_len = 3; ; range_len++) {
>>>     CID 356785:  Integer handling issues  (BAD_SHIFT)
>>>     In expression "1 << 8 * range_len", left shifting by more than 31 bits has undefined behavior.  The shift amount, "8 * range_len", is 32.
345                     int bits = 1 << (8 * range_len);
346                     if (range - 1 < bits)
347                             break;
348             }
349             /* number of bytes to store the value */
350             for (value_len = 1; ; value_len++) {

** CID 356784:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/source-Osmocom/osmo-cbc/src/sbcap/gen/INTEGER.c: 421 in asn_INTEGER2int64()

________________________________________________________________________________________________________
*** CID 356784:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/source-Osmocom/osmo-cbc/src/sbcap/gen/INTEGER.c: 421 in asn_INTEGER2int64()
415         return asn_imax2INTEGER(st, value);
416     }
417     
418     int asn_INTEGER2int64(const INTEGER_t *st, int64_t *value) {
419         intmax_t v;
420         if(asn_INTEGER2imax(st, &v) == 0) {
>>>     CID 356784:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "v < -9223372036854775808L /* -9223372036854775807L - 1 */" is always false regardless of the values of its operands. This occurs as the logical first operand of "||".
421             if(v < INT64_MIN || v > INT64_MAX) {
422                 errno = ERANGE;
423                 return -1;
424             }
425             *value = v;
426             return 0;

** CID 356783:  Integer handling issues  (BAD_SHIFT)
/source-Osmocom/osmo-cbc/src/sbcap/gen/aper_support.c: 272 in aper_put_nsnnwn()

________________________________________________________________________________________________________
*** CID 356783:  Integer handling issues  (BAD_SHIFT)
/source-Osmocom/osmo-cbc/src/sbcap/gen/aper_support.c: 272 in aper_put_nsnnwn()
266                     len = 1;
267             } else if (number < 65536) {
268                     len = 2;
269             } else { /* number > 64K */
270                     int i;
271                     for (i = 3; ; i++) {
>>>     CID 356783:  Integer handling issues  (BAD_SHIFT)
>>>     In expression "1 << 8 * i", left shifting by more than 31 bits has undefined behavior.  The shift amount, "8 * i", is 32.
272                             int bits = 1 << (8 * i);
273                             if (number < bits)
274                                     break;
275                     }
276                     len = i;
277             }
mouse07410 commented 1 month ago

Any suggestion how to fix those potential range problems?
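One way to address all three reports, as an added example that is not code from asn1c, osmo-cbc or either commenter (function names `octets_needed`, `octets_needed_shift` and `imax_to_int64` are hypothetical). The two BAD_SHIFT loops both compute a length determinant as the smallest `len >= 3` with `value < 1 << (8 * len)`, and the shift count hits 32 in an `int` as soon as `len` reaches 4. Shifting the value right by a constant 8 in a `uint64_t` computes the same length without a width-sized shift; `octets_needed(range - 1, 3)` stands in for the first loop and `octets_needed(number, 3)` for the second, assuming both inputs are non-negative as the X.691 procedures require. The CONSTANT_EXPRESSION_RESULT report is that `v < INT64_MIN` cannot be true when `intmax_t` is 64 bits wide, so the narrowing check is kept under a preprocessor guard that only compiles it when `intmax_t` is actually wider than `int64_t`:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical replacement for the two length-determinant loops that
 * Coverity flagged (CID 356785 and CID 356783).  Both loops evaluate
 * `1 << (8 * len)` in an int, which is undefined once len reaches 4.
 *
 * This version shifts the value right instead: the shift count is a
 * constant 8 and the type is uint64_t, so no shift can reach the width
 * of the type.  `n` is the value to encode (range - 1 for the constrained
 * whole number, the number itself for the NSNNWN case) and `min_len` is
 * the smallest length the caller will accept (3 in both original loops).
 */
static int octets_needed(uint64_t n, int min_len)
{
    int len = 1;

    while (n >> 8) {        /* more than one octet of significant bits left */
        n >>= 8;
        len++;
    }
    return len < min_len ? min_len : len;
}

/*
 * Minimal-change alternative that keeps the original loop shape: widen the
 * shifted constant to uint64_t and stop before the shift count could reach
 * 64.  At len == 8 the loop exits without shifting, since eight octets
 * always suffice for a 64-bit value.
 */
static int octets_needed_shift(uint64_t n, int min_len)
{
    int len;

    for (len = min_len; len < 8; len++) {
        if (n < ((uint64_t)1 << (8 * len)))   /* shift count is at most 56 */
            break;
    }
    return len;
}

/*
 * Hypothetical narrowing helper for CID 356784.  When intmax_t is exactly
 * 64 bits wide the comparison against INT64_MIN / INT64_MAX can never be
 * true, which is what Coverity reports.  The preprocessor guard keeps the
 * check for a wider intmax_t and compiles it out otherwise.
 */
static int imax_to_int64(intmax_t v, int64_t *out)
{
#if INTMAX_MIN < INT64_MIN || INTMAX_MAX > INT64_MAX
    if (v < INT64_MIN || v > INT64_MAX) {
        errno = ERANGE;
        return -1;
    }
#endif
    *out = (int64_t)v;
    return 0;
}

int main(void)
{
    /* Constructed inputs around the octet boundaries, including the
     * 2^32 - 1 / 2^32 edge where the original loops shift by 32. */
    static const uint64_t samples[] = {
        0, 255, 256, 65535, 65536, 0xFFFFFFu, 0x1000000u,
        0xFFFFFFFFu, 0x100000000ull, UINT64_MAX
    };
    size_t i;
    int64_t out;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%20llu -> %d octets (min 1), %d octets (min 3)\n",
               (unsigned long long)samples[i],
               octets_needed(samples[i], 1),
               octets_needed(samples[i], 3));
    }
    if (imax_to_int64((intmax_t)INT64_MIN, &out) == 0)
        printf("INT64_MIN narrows to int64_t without ERANGE\n");
    return 0;
}
```

Both length functions return identical results for every 64-bit input, so either is a drop-in for the flagged loops; the right-shift form is preferred because it has no bound that depends on the type width. The original code's `long range` and `int bits` should become unsigned 64-bit values at the same time, otherwise `range - 1` can still misbehave for negative or huge ranges.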