SAST checks

The results of the static analyzer [Svace](https://www.ispras.ru/en/technologies/svace/) are listed below:

DEREF_AFTER_NULL:
After having been compared to a NULL value at 
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/OVAL/probes/unix/xinetd_probe.c#L1097
pointer 'scur->protocol' is dereferenced at 
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/OVAL/probes/unix/xinetd_probe.c#L1144
by calling function 'strcat'.
________________________________________________________________________________________
DOUBLE_FREE:
Pointer 'packet' is passed to a free function at 
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/OVAL/probes/SEAP/seap-packet.c#L51 
by passing as 1st parameter to function 'SEAP_packet_free' at 
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/OVAL/probes/SEAP/seap.c#L220
after the referenced memory was deallocated at seap-packet.c:51 by passing as 1st parameter to function 'SEAP_packet_free' at seap.c:220. Note: the second deallocation is on another loop iteration.
________________________________________________________________________________________
OVERFLOW_AFTER_CHECK:
Accessing an element of array 'sysvals' of size 512 at 
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/OVAL/probes/unix/sysctl_probe.c#L252
can lead to a buffer overflow, since the index 's + 1' can have an out of range value 512, as indicated by a preceding conditional expression at https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/OVAL/probes/unix/sysctl_probe.c#L269.
________________________________________________________________________________________
OVERFLOW_UNDER_CHECK:
Accessing an element of array 's_ptr' of size 32 at 
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/OVAL/probes/SEAP/sexp-manip_r.c#L296 can lead to a buffer overflow, since the index 's_cur + 1' can have an out of range value 32, as indicated by a preceding conditional expression at
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/OVAL/probes/SEAP/sexp-manip_r.c#L300
________________________________________________________________________________________
DEREF_AFTER_NULL:
After having been compared to a NULL value at 
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/XCCDF/result.c#L1137
(may be the check '&& associated_benchmark' is optional if it's not NULL after initialisation)
pointer 'associated_benchmark' is passed as 1st parameter in call to function 'xccdf_benchmark_get_member' at 
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/XCCDF/result.c#L1272
where it is dereferenced at benchmark.c:738.
________________________________________________________________________________________
DEREF_OF_NULL:
Pointer 'fp', returned from function 'fopen' at
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/OVAL/probes/unix/routingtable_probe.c#L331
and
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/OVAL/probes/unix/routingtable_probe.c#L348
may be NULL and is dereferenced by calling function 'getline'.
________________________________________________________________________________________
DEREF_OF_NULL:
Return value of a function 'oscap_htable_get' is dereferenced at 
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/DS/rds.c#L786
without checking for NULL, but it is usually checked for this function (25/26).
For instance:
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/XCCDF_POLICY/xccdf_policy.c#L2185-L2189
or
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/XCCDF_POLICY/xccdf_policy.c#L1080-L1082

The same in 
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/OVAL/probes/unix/linux/selinuxsecuritycontext_probe.c#L96
Return value of a function 'strndup' is dereferenced at without checking for NULL, but it is usually checked for this function (6/7).
Counter-example:
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/OVAL/probes/oval_fts.c#L334-L337
________________________________________________________________________________________
MEMORY_LEAK:
Dynamic memory, referenced by 'idsstr', is allocated at
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/XCCDF/rule.c#L108
by calling function 'xccdf_attribute_copy' and lost at 
https://github.com/OpenSCAP/openscap/blob/7373845aaecdd9274a1630fb54f26612b5c37fda/src/XCCDF/rule.c#L114-L117






	if (oscap_htable_get(policy->rules_found, rule_id) == NULL) {
	oscap_seterr(OSCAP_EFAMILY_XCCDF,
	"Rule '%s' not found in selected profile.", rule_id);
	oscap_htable_iterator_free(rit);
	return NULL;

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SAST checks #2257

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	if (oscap_htable_get(policy->skip_rules, rule_id) != NULL) {
	return _xccdf_policy_report_rule_result(policy, result, rule, NULL, XCCDF_RESULT_NOT_SELECTED, NULL);
	}

	ret_str = strndup(str, len);

	if (ret_str == NULL)
	return NULL;

	if (reqs->itemcount == 0) {
	oscap_list_free(reqs, NULL);
	return false;
	}

SAST checks #2257

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions