curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: coverity warnings (Y2K38_SAFETY and OOB access)

From: Daniel Stenberg via curl-library <>
Date: Mon, 25 Sep 2023 13:51:51 +0200 (CEST)

On Mon, 25 Sep 2023, Sergey Bronnikov via curl-library wrote:

> 1. 1568154 Use of 32-bit time_t
> The time value stored in this integer will represent a different, but
> possibly valid, time.
> In Curl_hostcache_prune: A 64-bit time_t value is stored in a smaller
> width integer. (CWE-197)

This is a false positive. The timeout there is the relative time from last use
until now - in seconds - which is likely to always fit in an int, even in the
most extreme cases.

It could possibly be rewritten to aovid triggering Coverity.

> 2. 1568144 Out-of-bounds access
> Access of memory not owned by this buffer may cause crashes or incorrect
> computations.
> In Curl_sock_assign_addr: Out-of-bounds access to a buffer (CWE-119)
> Relevant part of source code, ./lib/cf-socket.c:250:
> <snipped>
>   dest->addrlen = ai->ai_addrlen;
>   if(dest->addrlen > sizeof(struct Curl_sockaddr_storage))
>     dest->addrlen = sizeof(struct Curl_sockaddr_storage);
>   memcpy(&dest->sa_addr, ai->ai_addr, dest->addrlen);
> ^^^^^^^^

This is a false positive. Because 'dest->sa_addr' is here is part of a union,
where the only other union member is a 'struct Curl_sockaddr_storage' and thus
it will not overwrite memory outside the struct.

This too could be rewritten to avoid the warning, but would probably instead
need more typecasts.

  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features

Received on 2023-09-25