TEST Defect Tracking Project / TEST-1332

Overrunning Struct Type Sockaddr of 16 Bytes by Passing It to a Function Which Accesses It at Byte Offset 27 Using Argument "U->socklen" (Which [...]

      Defect Dojo link: https://defectdojo.stage.prodsec.redhat.com/finding/1420912 (1420912)

      Severity: High

      Due Date: July 24, 2024

      CWE: CWE-119

      CVE: Unknown

      Product/Engagement/Test: PSSECAUT-455 / TEST / csmock Scan (SARIF)

      Source File: nginx-1.20.1/src/core/ngx_inet.c

      Source Line: 1102

      Description:
      *Result message:* Overrunning struct type sockaddr of 16 bytes by passing it to a function which accesses it at byte offset 27 using argument "u->socklen" (which evaluates to 28).
      *Snippet:*
      ```
      Problem detected in this context:
      1100| u->family = AF_INET6;
      1101|
      1102|> return ngx_inet_add_addr(pool, u, &u->sockaddr.sockaddr, u->socklen, 1);
      1103|
      1104| #else
      ```
      *Code flow:*
      1. nginx-1.20.1/src/core/ngx_inet.c:L997:C5
      Assigning: "u->socklen" = "28U".
      2. nginx-1.20.1/src/core/ngx_inet.c:L1007:C5
      Condition "p == NULL", taking false branch.
      3. nginx-1.20.1/src/core/ngx_inet.c:L1016:C5
      Condition "uri", taking false branch.
      4. nginx-1.20.1/src/core/ngx_inet.c:L1028:C5
      Condition "port < last", taking true branch.
      5. nginx-1.20.1/src/core/ngx_inet.c:L1029:C9
      Condition "*port != 58", taking false branch.
      6. nginx-1.20.1/src/core/ngx_inet.c:L1038:C9
      Condition "u->listen", taking true branch.
      7. nginx-1.20.1/src/core/ngx_inet.c:L1041:C13
      Condition "dash", taking false branch.
      8. nginx-1.20.1/src/core/ngx_inet.c:L1059:C9
      Condition "n < 1", taking false branch.
      9. nginx-1.20.1/src/core/ngx_inet.c:L1059:C9
      Condition "n > 65535", taking false branch.
      10. nginx-1.20.1/src/core/ngx_inet.c:L1064:C9
      Condition "u->last_port", taking true branch.
      11. nginx-1.20.1/src/core/ngx_inet.c:L1064:C9
      Condition "n > u->last_port", taking false branch.
      12. nginx-1.20.1/src/core/ngx_inet.c:L1075:C5
      Falling through to end of if statement.
      13. nginx-1.20.1/src/core/ngx_inet.c:L1083:C5
      Condition "len == 0", taking false branch.
      14. nginx-1.20.1/src/core/ngx_inet.c:L1091:C5
      Condition "ngx_inet6_addr(host, len, sin6->sin6_addr.__in6_u.__u6_addr8) != 0", taking false branch.
      15. nginx-1.20.1/src/core/ngx_inet.c:L1096:C9
      Condition "__a->__in6_u.__u6_addr32[0] == 0", taking true branch.
      16. nginx-1.20.1/src/core/ngx_inet.c:L1096:C9
      Condition "__a->__in6_u.__u6_addr32[1] == 0", taking true branch.
      17. nginx-1.20.1/src/core/ngx_inet.c:L1096:C9
      Condition "__a->__in6_u.__u6_addr32[2] == 0", taking true branch.
      18. nginx-1.20.1/src/core/ngx_inet.c:L1096:C9
      Condition "__a->__in6_u.__u6_addr32[3] == 0", taking true branch.
      19. nginx-1.20.1/src/core/ngx_inet.c:L1096:C5
      Condition "({...; __a->__in6_u.__u6_addr32[0] == 0 && __a->__in6_u.__u6_addr32[1] == 0 && __a->__in6_u.__u6_addr32[2] == 0 && __a->__in6_u.__u6_addr32[3] == 0;})", taking true branch.
      20. nginx-1.20.1/src/core/ngx_inet.c:L1102:C5
      Overrunning struct type sockaddr of 16 bytes by passing it to a function which accesses it at byte offset 27 using argument "u->socklen" (which evaluates to 28).

      References:
      https://cwe.mitre.org/data/definitions/119.html

      Reporter: Camilo Cota (ccota) (ccota@redhat.com)
