The results of the static analyzer Svace are listed below:

DEREF_AFTER_NULL:
After having been compared to a NULL value at openscap/src/OVAL/probes/unix/xinetd_probe.c, line 1097 in 7373845

```c
if (scur->protocol == NULL) {
```

pointer 'scur->protocol' is dereferenced at openscap/src/OVAL/probes/unix/xinetd_probe.c, line 1144 in 7373845

```c
strcat(st_key, scur->protocol);
```

by calling function 'strcat'.

DOUBLE_FREE:
Pointer 'packet' is passed to a free function at openscap/src/OVAL/probes/SEAP/seap-packet.c, line 51 in 7373845, by passing as 1st parameter to function 'SEAP_packet_free' at openscap/src/OVAL/probes/SEAP/seap.c, line 220 in 7373845

```c
SEAP_packet_free (packet);
```

after the referenced memory was deallocated at seap-packet.c:51 by passing as 1st parameter to function 'SEAP_packet_free' at seap.c:220. Note: the second deallocation is on another loop iteration.

OVERFLOW_AFTER_CHECK:
Accessing an element of array 'sysvals' of size 512 at openscap/src/OVAL/probes/unix/sysctl_probe.c, line 252 in 7373845

```c
for(s = 0, i = 0; i < l && s < sizeof sysvals/sizeof(char *) - 1; ++i) {
```

can lead to a buffer overflow, since the index 's + 1' can have an out of range value 512, as indicated by a preceding conditional expression at openscap/src/OVAL/probes/unix/sysctl_probe.c, line 269 in 7373845.

OVERFLOW_UNDER_CHECK:
Accessing an element of array 's_ptr' of size 32 at openscap/src/OVAL/probes/SEAP/sexp-manip_r.c, line 296 in 7373845

```c
while (s_ptr[s_cur] != NULL) {
```

can lead to a buffer overflow, since the index 's_cur + 1' can have an out of range value 32, as indicated by a preceding conditional expression at openscap/src/OVAL/probes/SEAP/sexp-manip_r.c, line 300 in 7373845

```c
s_ptr[++s_cur] = va_arg (alist, SEXP_t *);
```

DEREF_AFTER_NULL:
After having been compared to a NULL value at openscap/src/XCCDF/result.c, line 1137 in 7373845

```c
if (xccdf_version_cmp(xccdf_item_get_schema_version(XITEM(result)), "1.2") >= 0 && associated_benchmark) {
```

(maybe the check '&& associated_benchmark' is optional if it's not NULL after initialisation)
pointer 'associated_benchmark' is passed as 1st parameter in call to function 'xccdf_benchmark_get_member' at openscap/src/XCCDF/result.c, line 1272 in 7373845

```c
const struct xccdf_item *item = xccdf_benchmark_get_member(associated_benchmark, XCCDF_RULE, idref);
```

where it is dereferenced at benchmark.c:738.

DEREF_OF_NULL:
Pointer 'fp', returned from function 'fopen' at openscap/src/OVAL/probes/unix/routingtable_probe.c, line 331 in 7373845

```c
fp = fopen("/proc/net/route", "r");
```

and openscap/src/OVAL/probes/unix/routingtable_probe.c, line 348 in 7373845

```c
fp = fopen("/proc/net/ipv6_route", "r");
```

may be NULL and is dereferenced by calling function 'getline'.

DEREF_OF_NULL:
Return value of a function 'oscap_htable_get' is dereferenced at openscap/src/DS/rds.c, line 786 in 7373845

```c
struct oscap_source *oval_source = oscap_htable_get(oval_result_sources, report_file);
```

without checking for NULL, but it is usually checked for this function (25/26).
For instance, openscap/src/XCCDF_POLICY/xccdf_policy.c, lines 2185 to 2189 in 7373845:

```c
if (oscap_htable_get(policy->rules_found, rule_id) == NULL) {
	oscap_seterr(OSCAP_EFAMILY_XCCDF,
		"Rule '%s' not found in selected profile.", rule_id);
	oscap_htable_iterator_free(rit);
	return NULL;
```

or openscap/src/XCCDF_POLICY/xccdf_policy.c, lines 1080 to 1082 in 7373845:

```c
if (oscap_htable_get(policy->skip_rules, rule_id) != NULL) {
	return _xccdf_policy_report_rule_result(policy, result, rule, NULL, XCCDF_RESULT_NOT_SELECTED, NULL);
}
```

The same in openscap/src/OVAL/probes/unix/linux/selinuxsecuritycontext_probe.c, line 96 in 7373845

```c
level = strndup(range, range_split - range);
```

Return value of a function 'strndup' is dereferenced without checking for NULL, but it is usually checked for this function (6/7).
Counter-example, openscap/src/OVAL/probes/oval_fts.c, lines 334 to 337 in 7373845:

```c
ret_str = strndup(str, len);

if (ret_str == NULL)
	return NULL;
```

MEMORY_LEAK:
Dynamic memory, referenced by 'idsstr', is allocated at openscap/src/XCCDF/rule.c, line 108 in 7373845

```c
char *ids = xccdf_attribute_copy(reader, XCCDFA_IDREF), *idsstr = ids, *id;
```

by calling function 'xccdf_attribute_copy' and lost at openscap/src/XCCDF/rule.c, lines 114 to 117 in 7373845

```c
if (reqs->itemcount == 0) {
	oscap_list_free(reqs, NULL);
	return false;
}
```
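An added example (not part of the original report and not OpenSCAP code) of the bounded form of the loop shape flagged under OVERFLOW_UNDER_CHECK, where a NULL-terminated argument list is copied into a fixed-size array. The helper `collect_args`, its `cap` parameter, the use of `const char *` in place of `SEXP_t *`, and the test cases are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not OpenSCAP code): copy a NULL-terminated argument
 * list into slots[0..cap-1], terminator included. Returns the number of
 * non-NULL items, or -1 if the list does not fit. */
static int collect_args(const char **slots, size_t cap, const char *first, ...)
{
    va_list alist;
    size_t cur = 0;

    if (slots == NULL || cap == 0)
        return -1;

    slots[0] = first;
    va_start(alist, first);
    /* The reported loop has only the NULL test; the bound is the addition. */
    while (slots[cur] != NULL && cur + 1 < cap)
        slots[++cur] = va_arg(alist, const char *);
    va_end(alist);

    if (slots[cur] != NULL) {   /* ran out of room before the terminator */
        slots[cur] = NULL;      /* leave the array terminated */
        return -1;
    }
    return (int)cur;
}

/* Constructed cases: 4 usable slots followed by a guard cell. */
static const char *guard = "guard";

static int case_fits(void)
{
    const char *s[5] = { 0, 0, 0, 0, guard };
    int n = collect_args(s, 4, "a", "b", "c", (const char *)NULL);
    return s[4] == guard ? n : -2;  /* -2 means the guard was overwritten */
}

static int case_too_long(void)
{
    const char *s[5] = { 0, 0, 0, 0, guard };
    int n = collect_args(s, 4, "a", "b", "c", "d", (const char *)NULL);
    return s[4] == guard ? n : -2;
}

int main(void)
{
    printf("fits: %d, too long: %d\n", case_fits(), case_too_long());
    return 0;
}
```
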