[Trousers-scm] [GIT] Trousers master branch updated. TROUSERS_0_3_12-25-ga575f33
Richard Maciel
2014-04-24 17:45:02 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Trousers".

The branch, master has been updated
via a575f333ff44a68343f1de300067f02780d52c27 (commit)
via 4b9f79ff64032f5874bd5ace0da3a15421ee34b1 (commit)
via f3159bee45be9d8860ef9d73477eca1d38d17e9d (commit)
via 2d48f1dca8695e6ffdc0943a8ad82ffb33ec5928 (commit)
via fc50f521384723a85bf622a90f8af9ccf70e38cb (commit)
via 11c3f5cf61e6c35a738b9fffc7ae0d9879dd9e5d (commit)
via 3e68d060ee43daec21f9b63b99777a10a7ce2aea (commit)
via 6c9dae7cf234b58798968b405123c90c5adb18e6 (commit)
via 87cd1a10010f46bcdc3838fbc253bb4261991a1f (commit)
via 5cce9e0fece2adda3457646969735a074f388975 (commit)
via 41201d2ab5f44742abac2c22bf248d6c89c46d4f (commit)
via 23563010f79814f3e51f8e146728443cca7159f3 (commit)
via 128ed16610b450de33963d6293c0235c93d3752a (commit)
via 0d926cc27fe0ba7715185ee4788a8af7e54b51fa (commit)
via c386cea62d9e00a293b7ebd1518d2c0317487e13 (commit)
via be1e5a0a04e4b8b7726004b9b7486ae7eebc1c18 (commit)
via 6462e45f8126f39adcb554cf13f19bfeb062b552 (commit)
from 1ebb613abfe0a2ebec86a5fae8694cdec1602c06 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=a575f333ff44a68343f1de300067f02780d52c27

commit a575f333ff44a68343f1de300067f02780d52c27
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Thu Apr 24 14:31:16 2014 -0300

Added simple code to close server socket(s)

Server sockets are now properly closed before the daemon stops
executing.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tcsd/svrside.c b/src/tcsd/svrside.c
index bf4d629..1ae1636 100644
--- a/src/tcsd/svrside.c
+++ b/src/tcsd/svrside.c
@@ -54,9 +54,28 @@ struct srv_sock_info {
#define MAX_IP_PROTO 2
#define INVALID_ADDR_STR "<Invalid client address>"

+static void close_server_socks(struct srv_sock_info *socks_info)
+{
+ int i, rv;
+
+ for (i=0; i < MAX_IP_PROTO; i++) {
+ if (socks_info[i].sd != -1) {
+ do {
+ rv = close(socks_info[i].sd);
+ if (rv == -1 && errno != EINTR) {
+ LogError("Error closing server socket descriptor - %s",
+ strerror(errno));
+ continue;
+ }
+ } while (rv == -1 && errno == EINTR);
+ }
+ }
+}
+
static void
-tcsd_shutdown(void)
+tcsd_shutdown(struct srv_sock_info socks_info[])
{
+ close_server_socks(socks_info);
/* order is important here:
* allow all threads to complete their current request */
tcsd_threads_final();
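Review bot: Retrying `close()` after `EINTR` in `close_server_socks` is unsafe on Linux, where the descriptor is already released when `close()` returns with that error, so the second call can close a descriptor that another thread has opened in the meantime; the worker threads appear to be still running here, because `tcsd_threads_final()` is only called afterwards. Call `close()` once, log a failure, and set `socks_info[i].sd = -1;` so that a repeated shutdown is harmless. The `continue` inside the `do … while` only jumps to the loop condition and can be dropped. The body of `tcsd_shutdown` continues past the end of the hunk.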
@@ -218,7 +237,7 @@ reload_config(void)
return result;
}

-int setup_ipv4_socket(struct srv_sock_info *ssi)
+int setup_ipv4_socket(struct srv_sock_info ssi[])
{
struct sockaddr_in serv_addr;
int sd, opt;
@@ -466,7 +485,7 @@ main(int argc, char **argv)
if (getenv("TCSD_FOREGROUND") == NULL) {
if (daemon(0, 0) == -1) {
perror("daemon");
- tcsd_shutdown();
+ tcsd_shutdown(socks_info);
return -1;
}
}
@@ -546,6 +565,6 @@ main(int argc, char **argv)
} while (term ==0);

/* To close correctly, we must receive a SIGTERM */
- tcsd_shutdown();
+ tcsd_shutdown(socks_info);
return 0;
}

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=4b9f79ff64032f5874bd5ace0da3a15421ee34b1

commit 4b9f79ff64032f5874bd5ace0da3a15421ee34b1
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Wed Apr 9 11:53:23 2014 -0300

Removed dead code from tpm_rsp_parse function

Related to coverity CID 10288.

switch case TPM_ORD_ActivateIdentity included an if structure to check
for auth1 and auth2 values. However, auth2 was checked in a previous
if. That made the if (auth2) check the default case in the structure
and the else would never be reached.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tcs/tcs_pbg.c b/src/tcs/tcs_pbg.c
index 507cc27..3970f22 100644
--- a/src/tcs/tcs_pbg.c
+++ b/src/tcs/tcs_pbg.c
@@ -499,8 +499,7 @@ tpm_rsp_parse(TPM_COMMAND_CODE ordinal, BYTE *b, UINT32 len, ...)
} else if (auth2) {
offset1 = offset2 = len - TSS_TPM_RSP_BLOB_AUTH_LEN;
UnloadBlob_Auth(&offset1, b, auth2);
- } else
- offset2 = len;
+ }

offset1 = TSS_TPM_TXBLOB_HDR_LEN;
offset2 -= TSS_TPM_TXBLOB_HDR_LEN;
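Review bot: With the `else` branch gone, `offset2` is assigned only inside the two auth branches, so the following `offset2 -= TSS_TPM_TXBLOB_HDR_LEN;` depends entirely on an earlier check, outside the hunk, that guarantees `auth2` is non-NULL. A comment on the closing brace such as `/* auth2 != NULL is guaranteed by the check above, so offset2 is always set */` would record that invariant, so that a later change to that check does not silently leave `offset2` uninitialized.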

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=f3159bee45be9d8860ef9d73477eca1d38d17e9d

commit f3159bee45be9d8860ef9d73477eca1d38d17e9d
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Tue Apr 8 17:04:53 2014 -0300

Prevents dereference of null when call TCSP_NV_ReadValueAuth_Internal

Related coverity CID 10289

tcs_wrap_NV_ReadValueAuth can call TCSP_NV_ReadValueAuth_Internal
with a null auth. However, the latter was dereferencing the pointer
var containing the auth data without checking it, which possibly could
cause a dereference null error.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tcs/tcsi_nv.c b/src/tcs/tcsi_nv.c
index f19ab94..1c867ea 100644
--- a/src/tcs/tcsi_nv.c
+++ b/src/tcs/tcsi_nv.c
@@ -202,7 +202,7 @@ TCSP_NV_ReadValueAuth_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
LogDebugFn("Enter");
if ((result = ctx_verify_context(hContext)))
return result;
- if ((result = auth_mgr_check(hContext, &NVAuth->AuthHandle)))
+ if ((NVAuth != NULL) && (result = auth_mgr_check(hContext, &NVAuth->AuthHandle)))
goto done;

if ((result = tpm_rqu_build(TPM_ORD_NV_ReadValueAuth, &off_set, txBlob, hNVStore, offset,
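Review bot: When `NVAuth` is NULL the short-circuit skips `auth_mgr_check` and execution continues to `tpm_rqu_build`, so every later use of `NVAuth` in this function, including whatever runs at `done:`, has to tolerate NULL as well; those lines are outside the hunk and should be checked. Folding the NULL test and the assignment into one condition is easy to misread, and `if (NVAuth != NULL && (result = auth_mgr_check(hContext, &NVAuth->AuthHandle)) != TSS_SUCCESS)` or a nested `if` states the intent more plainly. A comment such as `/* NVAuth may be NULL: the caller supplied no authorization session */` would document that this is a supported case. The same applies to the `pOwnerAuth` guard added to `TCSP_SetCapability_Internal` in src/tcs/tcsi_caps_tpm.c.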

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=2d48f1dca8695e6ffdc0943a8ad82ffb33ec5928

commit 2d48f1dca8695e6ffdc0943a8ad82ffb33ec5928
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Tue Apr 8 12:06:28 2014 -0300

Prevents dereference of null when call TCSP_NV_WriteValueAuth_Internal

Related to coverity CID: 10290

pAuth variable could set to NULL in some cases, which, when passed
to the aforementioned function would result in a dereference of NULL.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tcs/rpc/tcstp/rpc_nv.c b/src/tcs/rpc/tcstp/rpc_nv.c
index a44f51a..a54fb48 100644
--- a/src/tcs/rpc/tcstp/rpc_nv.c
+++ b/src/tcs/rpc/tcstp/rpc_nv.c
@@ -189,9 +189,10 @@ tcs_wrap_NV_WriteValueAuth(struct tcsd_thread_data *data)
free(rgbDataToWrite);
return TCSERR(TSS_E_INTERNAL_ERROR);
}
- if (getData(TCSD_PACKET_TYPE_AUTH, 5, &Auth, 0, &data->comm))
- pAuth = NULL;
- else
+ if (getData(TCSD_PACKET_TYPE_AUTH, 5, &Auth, 0, &data->comm)) {
+ free(rgbDataToWrite);
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ } else
pAuth = &Auth;

MUTEX_LOCK(tcsp_lock);
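Review bot: A request without an auth packet used to mean "no authorization supplied" and is now rejected with `TSS_E_INTERNAL_ERROR`, which changes what clients may send, while the fix for `TCSP_NV_ReadValueAuth_Internal` in the same push keeps a NULL auth legal. It is worth confirming that `tcs_wrap_NV_WriteValueAuth` should reject such requests rather than have the callee guard the dereference, as the read path does. If the rejection is intended, `pAuth` can no longer be NULL at this point, so the trailing `} else pAuth = &Auth;` reads better as a plain `pAuth = &Auth;` after the block. The function starts and ends outside the hunk.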

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=fc50f521384723a85bf622a90f8af9ccf70e38cb

commit fc50f521384723a85bf622a90f8af9ccf70e38cb
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Mon Apr 7 13:32:37 2014 -0300

Prevents dereference of null when calling TCTP_SetCapability_Internal

Related to Coverity CID 10291

The aforementioned function dereferenced the auth parameter without
checking for NULL first.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tcs/tcsi_caps_tpm.c b/src/tcs/tcsi_caps_tpm.c
index 9f05c4e..b600fe0 100644
--- a/src/tcs/tcsi_caps_tpm.c
+++ b/src/tcs/tcsi_caps_tpm.c
@@ -113,7 +113,8 @@ TCSP_SetCapability_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
if ((result = ctx_verify_context(hContext)))
goto done;

- if ((result = auth_mgr_check(hContext, &pOwnerAuth->AuthHandle)))
+ if ((pOwnerAuth != NULL) &&
+ (result = auth_mgr_check(hContext, &pOwnerAuth->AuthHandle)))
goto done;

if ((result = tpm_rqu_build(TPM_ORD_SetCapability, &offset, txBlob, capArea, subCapSize,

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=11c3f5cf61e6c35a738b9fffc7ae0d9879dd9e5d

commit 11c3f5cf61e6c35a738b9fffc7ae0d9879dd9e5d
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Thu Mar 20 16:52:06 2014 -0300

Fixed memory leak in function Transport_TerminateHandle

Related to coverity CID 10307.

Pointer handles got memory allocated for it, but that memory is never
freed at the end of the function.
Note that since obj_context_transport_execute can also allocate memory
(through the same parameter handles), it's necessary to keep track of
both the address which goes in and the address which comes out.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tspi/tsp_auth.c b/src/tspi/tsp_auth.c
index 5ee6f5d..d538079 100755
--- a/src/tspi/tsp_auth.c
+++ b/src/tspi/tsp_auth.c
@@ -1211,7 +1211,7 @@ Transport_TerminateHandle(TSS_HCONTEXT tspContext, /* in */
TCS_AUTHHANDLE handle) /* in */
{
TSS_RESULT result;
- TCS_HANDLE handlesLen = 0, *handles;
+ TCS_HANDLE handlesLen = 0, *handles, *handles_track;

/* Call ExecuteTransport */
handlesLen = 1;
@@ -1221,10 +1221,18 @@ Transport_TerminateHandle(TSS_HCONTEXT tspContext, /* in */
}

*handles = handle;
+ handles_track = handles;

+ // Since the call tree of this function can possibly alloc memory
+ // (check RPC_ExecuteTransport_TP function), its better to keep track of
+ // the handle.
result = obj_context_transport_execute(tspContext, TPM_ORD_Terminate_Handle, 0, NULL,
NULL, &handlesLen, &handles, NULL, NULL, NULL, NULL);

+ free(handles);
+ handles = NULL;
+ free(handles_track);
+
return result;
}
#endif
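Review bot: If `obj_context_transport_execute` leaves `handles` unchanged, `handles` and `handles_track` still hold the same address and the two `free` calls release it twice. Free the callee's buffer only when it differs from the one passed in: `if (handles != handles_track) free(handles);` followed by `free(handles_track);`. Whether the callee frees the caller's buffer before replacing it cannot be seen from this hunk, and that decides whether `free(handles_track)` is safe in the replaced case, so the ownership rule deserves a sentence in the comment above the call.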

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=3e68d060ee43daec21f9b63b99777a10a7ce2aea

commit 3e68d060ee43daec21f9b63b99777a10a7ce2aea
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Thu Mar 20 13:42:58 2014 -0300

Release delfamily_list lock in the case the object found is the tpm one.

Related to coverity CID 10298.

If function obj_delfamily_find_by_familyid code execution path is
the one where an object found is of the TPM type, then the
delfamily_list lock is never released.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tspi/obj_delfamily.c b/src/tspi/obj_delfamily.c
index 340bd59..a2fed27 100644
--- a/src/tspi/obj_delfamily.c
+++ b/src/tspi/obj_delfamily.c
@@ -95,8 +95,10 @@ obj_delfamily_find_by_familyid(TSS_HOBJECT hObject, UINT32 familyID, TSS_HDELFAM
*hFamily = NULL_HDELFAMILY;

if (obj_is_tpm(hObject)) {
- if (obj_tpm_get_tsp_context((TSS_HTPM)hObject, &hContext))
+ if (obj_tpm_get_tsp_context((TSS_HTPM)hObject, &hContext)) {
+ pthread_mutex_unlock(&list->lock);
return;
+ }
} else
hContext = (TSS_HCONTEXT)hObject;


http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=6c9dae7cf234b58798968b405123c90c5adb18e6

commit 6c9dae7cf234b58798968b405123c90c5adb18e6
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Thu Mar 20 11:40:18 2014 -0300

Removing possibility of NULL-dereferencing pointer

Related to coverity CID 10304.

There was a possible code execution path, in function context_destroy,
that leaves the toKill pointer variable with the NULL value.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tcs/tcs_context.c b/src/tcs/tcs_context.c
index 905567b..2072bdc 100644
--- a/src/tcs/tcs_context.c
+++ b/src/tcs/tcs_context.c
@@ -134,7 +134,7 @@ destroy_context(TCS_CONTEXT_HANDLE handle)

#ifdef TSS_BUILD_TRANSPORT
/* Free existing transport session if necessary */
- if (toKill->transHandle)
+ if (toKill != NULL && toKill->transHandle)
TCSP_FlushSpecific_Common(toKill->transHandle, TPM_RT_TRANS);
#endif
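Review bot: The new `toKill != NULL` test protects only the transport-session block; if `toKill` can really be NULL here, the part of `destroy_context` that follows `#endif` (outside the hunk) presumably dereferences it as well. An early exit right after the lookup, with whatever cleanup the function needs at that point, would cover the whole function instead of a single dereference.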


http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=87cd1a10010f46bcdc3838fbc253bb4261991a1f

commit 87cd1a10010f46bcdc3838fbc253bb4261991a1f
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Mon Mar 17 16:54:48 2014 -0300

Removed dangled global var sd and fixed test that wrongfully used it

Related to coverity CID 10302

A global variable sd (which shouldn't exist, thus was removed) was
used as a consequence of a programming typo. The right variable to
be used is sd6.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tcsd/svrside.c b/src/tcsd/svrside.c
index 807d1ea..bf4d629 100644
--- a/src/tcsd/svrside.c
+++ b/src/tcsd/svrside.c
@@ -44,7 +44,6 @@ struct tcsd_config tcsd_options;
struct tpm_properties tpm_metrics;
static volatile int hup = 0, term = 0;
extern char *optarg;
-int sd;
char *tcsd_config_file = NULL;

struct srv_sock_info {
@@ -72,7 +71,6 @@ static void
tcsd_signal_term(int signal)
{
term = 1;
- close(sd);
}

void
@@ -324,7 +322,7 @@ int setup_ipv6_socket(struct srv_sock_info *ssi)
return 0;

err:
- if (sd != -1)
+ if (sd6 != -1)
close(sd6);

return -1;

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=5cce9e0fece2adda3457646969735a074f388975

commit 5cce9e0fece2adda3457646969735a074f388975
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Mon Mar 17 16:52:17 2014 -0300

Fixed memory leak in tcs_wrap_KeyControlOwner

Related to coverity CID 10310.

rgbPublicKey member wasn't being released after the return of the
function (success or failure paths).

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tcs/rpc/tcstp/rpc_key.c b/src/tcs/rpc/tcstp/rpc_key.c
index 43d4bb8..144da83 100644
--- a/src/tcs/rpc/tcstp/rpc_key.c
+++ b/src/tcs/rpc/tcstp/rpc_key.c
@@ -430,7 +430,7 @@ tcs_wrap_KeyControlOwner(struct tcsd_thread_data *data)
TCS_CONTEXT_HANDLE hContext;
TCS_KEY_HANDLE hKey;
UINT32 ulPublicKeyLength;
- BYTE* rgbPublicKey;
+ BYTE* rgbPublicKey = NULL;
UINT32 attribName;
TSS_BOOL attribValue;
TPM_AUTH ownerAuth;
@@ -481,13 +481,18 @@ tcs_wrap_KeyControlOwner(struct tcsd_thread_data *data)

if (result == TSS_SUCCESS) {
initData(&data->comm, 2);
- if (setData(TCSD_PACKET_TYPE_AUTH, 0, &ownerAuth, 0, &data->comm))
+ if (setData(TCSD_PACKET_TYPE_AUTH, 0, &ownerAuth, 0, &data->comm)) {
+ free(rgbPublicKey);
return TCSERR(TSS_E_INTERNAL_ERROR);
- if (setData(TCSD_PACKET_TYPE_UUID, 1, &uuidData, 0, &data->comm))
+ }
+ if (setData(TCSD_PACKET_TYPE_UUID, 1, &uuidData, 0, &data->comm)) {
+ free(rgbPublicKey);
return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
} else
done: initData(&data->comm, 0);

+ free(rgbPublicKey);
data->comm.hdr.u.result = result;
return TSS_SUCCESS;


http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=41201d2ab5f44742abac2c22bf248d6c89c46d4f

commit 41201d2ab5f44742abac2c22bf248d6c89c46d4f
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Mon Mar 17 15:01:47 2014 -0300

Fixed memory leak in ima_get_entry and fixed memset boundaries

Related to coverity CID 10311.

In some error cases the memory allocated wasn't being properly released,
so I grouped all the release in the end of the function and make error
cases point to the label there.

Also fixed a memset call which used a size 1-byte less than the
correct amount.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tcs/tcs_evlog_imaem.c b/src/tcs/tcs_evlog_imaem.c
index d905381..d158330 100644
--- a/src/tcs/tcs_evlog_imaem.c
+++ b/src/tcs/tcs_evlog_imaem.c
@@ -244,14 +244,16 @@ ima_get_entry(FILE *handle, UINT32 pcr_index, UINT32 *num, TSS_PCR_EVENT **ppEve
memcpy(&pcr_value, &page[ptr], sizeof(int));

if (pcr_index == (UINT32)pcr_value) {
- event = calloc(1, sizeof(TSS_PCR_EVENT));
- event->ulPcrIndex = pcr_value;
ptr += sizeof(int);
/* This is the case where we're looking for a specific event number in a
* specific PCR index. When we've reached the correct event, malloc
* space for it, copy it in, then break out of the while loop */
if (ppEvent && seen_indices == *num) {
/* grab this entry */
+ event = calloc(1, sizeof(TSS_PCR_EVENT));
+ event->ulPcrIndex = pcr_value;
+ event->rgbPcrValue = NULL;
+ event->rgbEvent = NULL;
event->ulPcrValueLength = 20;
event->rgbPcrValue = malloc(event->ulPcrValueLength);
if (event->rgbPcrValue == NULL) {
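Review bot: The result of `calloc` is dereferenced on the very next line without a NULL check, so an allocation failure crashes the daemon instead of returning `TSS_E_OUTOFMEMORY`; add `if (event == NULL) { result = TCSERR(TSS_E_OUTOFMEMORY); goto done; }` before `event->ulPcrIndex = pcr_value;`. The two `= NULL` assignments that follow are redundant, because `calloc` already zeroes the structure, and could be replaced by a comment saying that the cleanup at `done:` relies on both pointers being NULL until they are allocated. The enclosing loop starts and ends outside the hunk.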
@@ -270,26 +272,22 @@ ima_get_entry(FILE *handle, UINT32 pcr_index, UINT32 *num, TSS_PCR_EVENT **ppEve
char digest[20];

if (fread(&len, 1, sizeof(len), fp) != sizeof(len)) {
- free(event);
LogError("Failed to read event log file");
result = TCSERR(TSS_E_INTERNAL_ERROR);
goto done;
}
if (len > EVLOG_FILENAME_MAXSIZE) {
- free(event);
LogError("Event log file name too big! Max size is %d", EVLOG_FILENAME_MAXSIZE);
result = TCSERR(TSS_E_INTERNAL_ERROR);
goto done;
}
memset(name, 0, EVLOG_FILENAME_MAXSIZE);
if (fread(name, 1, len, fp) != len) {
- free(event);
LogError("Failed to read event log file");
result = TCSERR(TSS_E_INTERNAL_ERROR);
goto done;
}
if (fread(digest, 1, sizeof(digest), fp) != sizeof(digest)) {
- free(event);
LogError("Failed to read event log file");
result = TCSERR(TSS_E_INTERNAL_ERROR);
goto done;
@@ -297,24 +295,19 @@ ima_get_entry(FILE *handle, UINT32 pcr_index, UINT32 *num, TSS_PCR_EVENT **ppEve
}
/* Get the template data namelen and data */
if (fread(&event->ulEventLength, 1, sizeof(int), fp) != sizeof(int)) {
- free(event);
LogError("Failed to read event log file");
result = TCSERR(TSS_E_INTERNAL_ERROR);
goto done;
}
event->rgbEvent = malloc(event->ulEventLength + 1);
if (event->rgbEvent == NULL) {
- free(event->rgbPcrValue);
LogError("malloc of %u bytes failed.",
event->ulEventLength);
- free(event);
result = TCSERR(TSS_E_OUTOFMEMORY);
goto done;
}
- memset(event->rgbEvent, 0, event->ulEventLength);
+ memset(event->rgbEvent, 0, event->ulEventLength + 1);
if (fread(event->rgbEvent, 1, event->ulEventLength, fp) != event->ulEventLength ) {
- free(event->rgbPcrValue);
- free(event);
LogError("Failed to read event log file");
result = TCSERR(TSS_E_INTERNAL_ERROR);
goto done;
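Review bot: `event->ulEventLength` is read straight from the log file and then used in `malloc(event->ulEventLength + 1)`, in the corrected `memset` and in the `fread`, with no upper bound. If the field is a 32-bit unsigned value (the `%u` in the log message suggests so), a stored length of 0xFFFFFFFF wraps the `+ 1` to zero and the `fread` then writes past a zero-sized allocation. Reject oversized lengths before allocating, in the same way the file-name length is checked, for example `if (event->ulEventLength > EVLOG_EVENT_MAXSIZE) { result = TCSERR(TSS_E_INTERNAL_ERROR); goto done; }`, where `EVLOG_EVENT_MAXSIZE` is a placeholder for a limit the project would have to choose.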
@@ -326,16 +319,12 @@ ima_get_entry(FILE *handle, UINT32 pcr_index, UINT32 *num, TSS_PCR_EVENT **ppEve
}
}
if (fread(&len, 1, sizeof(len), fp) != sizeof(len)) {
- free(event->rgbPcrValue);
- free(event);
LogError("Failed to read event log file");
result = TCSERR(TSS_E_INTERNAL_ERROR);
goto done;
}
fseek(fp, len + 20, SEEK_CUR);
if (fread(&len, 1, sizeof(len), fp) != sizeof(len)) {
- free(event->rgbPcrValue);
- free(event);
LogError("Failed to read event log file");
result = TCSERR(TSS_E_INTERNAL_ERROR);
goto done;
@@ -344,6 +333,15 @@ ima_get_entry(FILE *handle, UINT32 pcr_index, UINT32 *num, TSS_PCR_EVENT **ppEve
seen_indices++;
}
done:
+ if (result != TSS_SUCCESS) {
+ if (event != NULL) {
+ free(event->rgbPcrValue);
+ free(event->rgbEvent);
+ }
+ free(event);
+ event = NULL;
+ }
+
if (ppEvent == NULL)
*num = seen_indices;


http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=23563010f79814f3e51f8e146728443cca7159f3

commit 23563010f79814f3e51f8e146728443cca7159f3
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Fri Mar 14 09:42:50 2014 -0300

Added check to prevent buffer overflow in name buffer.

Since the size of the name could be read from a file, but the buffer
to contain it was fixed size, a check was needed to ensure that
the fread doesn't overrun the buffer.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tcs/tcs_evlog_imaem.c b/src/tcs/tcs_evlog_imaem.c
index 1771dbc..d905381 100644
--- a/src/tcs/tcs_evlog_imaem.c
+++ b/src/tcs/tcs_evlog_imaem.c
@@ -50,6 +50,8 @@

#ifdef EVLOG_SOURCE_IMA

+#define EVLOG_FILENAME_MAXSIZE 255
+
struct ext_log_source ima_source = {
ima_open,
ima_get_entries_by_pcr,
@@ -84,7 +86,7 @@ ima_get_entries_by_pcr(FILE *handle, UINT32 pcr_index, UINT32 first,
TSS_RESULT result = TCSERR(TSS_E_INTERNAL_ERROR);
FILE *fp = (FILE *) handle;
uint len;
- char name[255];
+ char name[EVLOG_FILENAME_MAXSIZE];

if (!fp) {
LogError("File handle is NULL!\n");
@@ -132,8 +134,12 @@ ima_get_entries_by_pcr(FILE *handle, UINT32 pcr_index, UINT32 first,
result = TCSERR(TSS_E_INTERNAL_ERROR);
goto free_list;
}
-
- memset(name, 0, sizeof name);
+ if (len > EVLOG_FILENAME_MAXSIZE) {
+ LogError("Event log file name too big! Max size is %d", EVLOG_FILENAME_MAXSIZE);
+ result = TCSERR(TSS_E_INTERNAL_ERROR);
+ goto free_list;
+ }
+ memset(name, 0, EVLOG_FILENAME_MAXSIZE);
if (fread(name, 1, len, fp) != len) {
LogError("Failed to read event log file");
result = TCSERR(TSS_E_INTERNAL_ERROR);
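Review bot: The bound `len > EVLOG_FILENAME_MAXSIZE` still accepts `len == EVLOG_FILENAME_MAXSIZE`, which fills `name` completely and leaves no terminating NUL; if `name` is later used as a C string (that code is outside the hunk) it will be read past its end. Use `if (len >= EVLOG_FILENAME_MAXSIZE)` or declare the buffer as `char name[EVLOG_FILENAME_MAXSIZE + 1];`. The previous `memset(name, 0, sizeof name);` was also the more robust spelling, because it keeps following the array if its declaration changes. The same check and `memset` are added to `ima_get_entry` in the last hunk of this file.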
@@ -229,7 +235,7 @@ ima_get_entry(FILE *handle, UINT32 pcr_index, UINT32 *num, TSS_PCR_EVENT **ppEve
TSS_RESULT result = TCSERR(TSS_E_INTERNAL_ERROR);
TSS_PCR_EVENT *event = NULL;
FILE *fp = (FILE *) handle;
- char name[255];
+ char name[EVLOG_FILENAME_MAXSIZE];

rewind(fp);
while (fread(page, 24, 1, fp)) {
@@ -269,7 +275,13 @@ ima_get_entry(FILE *handle, UINT32 pcr_index, UINT32 *num, TSS_PCR_EVENT **ppEve
result = TCSERR(TSS_E_INTERNAL_ERROR);
goto done;
}
- memset(name, 0, sizeof name);
+ if (len > EVLOG_FILENAME_MAXSIZE) {
+ free(event);
+ LogError("Event log file name too big! Max size is %d", EVLOG_FILENAME_MAXSIZE);
+ result = TCSERR(TSS_E_INTERNAL_ERROR);
+ goto done;
+ }
+ memset(name, 0, EVLOG_FILENAME_MAXSIZE);
if (fread(name, 1, len, fp) != len) {
free(event);
LogError("Failed to read event log file");

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=128ed16610b450de33963d6293c0235c93d3752a

commit 128ed16610b450de33963d6293c0235c93d3752a
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Wed Apr 9 15:18:00 2014 -0300

Fixed code reading data from freed pointer.

Related to coverit CID 10331.

free call being executed over pointer, before the
LogError which used it.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tcs/tcs_evlog_imaem.c b/src/tcs/tcs_evlog_imaem.c
index 5cb8d20..1771dbc 100644
--- a/src/tcs/tcs_evlog_imaem.c
+++ b/src/tcs/tcs_evlog_imaem.c
@@ -293,9 +293,9 @@ ima_get_entry(FILE *handle, UINT32 pcr_index, UINT32 *num, TSS_PCR_EVENT **ppEve
event->rgbEvent = malloc(event->ulEventLength + 1);
if (event->rgbEvent == NULL) {
free(event->rgbPcrValue);
- free(event);
LogError("malloc of %u bytes failed.",
event->ulEventLength);
+ free(event);
result = TCSERR(TSS_E_OUTOFMEMORY);
goto done;
}

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=0d926cc27fe0ba7715185ee4788a8af7e54b51fa

commit 0d926cc27fe0ba7715185ee4788a8af7e54b51fa
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Wed Apr 9 15:16:45 2014 -0300

Fixed modules where unitialized pointers could be freed

Related to coverit CIDs 10326 and 10323

In both cases proper pointer initialization was not
made, so, in some cases, the code could free the value of an
uninitialized pointer.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tcs/tcsi_ps.c b/src/tcs/tcsi_ps.c
index 87db219..e7f6245 100644
--- a/src/tcs/tcsi_ps.c
+++ b/src/tcs/tcsi_ps.c
@@ -610,6 +610,8 @@ TCSP_GetRegisteredKeyByPublicInfo_Internal(TCS_CONTEXT_HANDLE tcsContext, /* in
TCPA_STORE_PUBKEY pubKey;
TSS_RESULT result = TCSERR(TSS_E_FAIL);

+ pubKey.key = NULL;
+
if ((result = ctx_verify_context(tcsContext)))
return result;

diff --git a/src/tspi/rpc/tcstp/rpc.c b/src/tspi/rpc/tcstp/rpc.c
index afe1844..b54ca2f 100644
--- a/src/tspi/rpc/tcstp/rpc.c
+++ b/src/tspi/rpc/tcstp/rpc.c
@@ -462,7 +462,7 @@ TSS_RESULT
get_socket(struct host_table_entry *hte, int *sd)
{
char port_str[TCP_PORT_STR_MAX_LEN]; // To accomodate string 65535
- struct addrinfo hints, *res, *p;
+ struct addrinfo hints, *p, *res=NULL;
int rv;
TSS_RESULT result = TSS_SUCCESS;


http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=c386cea62d9e00a293b7ebd1518d2c0317487e13

commit c386cea62d9e00a293b7ebd1518d2c0317487e13
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Wed Apr 9 13:31:13 2014 -0300

Inserted missing va_end

Related to coverit CIDs 10332 and 10333.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tcs/tcs_pbg.c b/src/tcs/tcs_pbg.c
index e15365c..507cc27 100644
--- a/src/tcs/tcs_pbg.c
+++ b/src/tcs/tcs_pbg.c
@@ -918,6 +918,7 @@ tpm_rsp_parse(TPM_COMMAND_CODE ordinal, BYTE *b, UINT32 len, ...)
default:
LogError("Unknown ordinal: 0x%x", ordinal);
result = TCSERR(TSS_E_INTERNAL_ERROR);
+ va_end(ap);
break;
}

@@ -2197,6 +2198,7 @@ tpm_rqu_build(TPM_COMMAND_CODE ordinal, UINT64 *outOffset, BYTE *out_blob, ...)
}
#endif
default:
+ va_end(ap);
LogError("Unknown ordinal: 0x%x", ordinal);
break;
}

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=be1e5a0a04e4b8b7726004b9b7486ae7eebc1c18

commit be1e5a0a04e4b8b7726004b9b7486ae7eebc1c18
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Tue Mar 11 10:17:29 2014 -0300

memcmp result was being trunc'ed before the test

Related to coverit CID 10255.

Return value of memcmp was being converted to TSS_BOOL type before
being tested, thus possibly missing information (since it can return
an integer value != of zero, depending on the differences found).

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tspi/tsp_auth.c b/src/tspi/tsp_auth.c
index 4a57ae7..5ee6f5d 100755
--- a/src/tspi/tsp_auth.c
+++ b/src/tspi/tsp_auth.c
@@ -359,7 +359,7 @@ validateReturnAuth(BYTE *secret, BYTE *hash, TPM_AUTH *auth)
memcpy(digest, &auth->HMAC, 20);
HMAC_Auth(secret, hash, auth);

- return ((TSS_BOOL) memcmp(digest, &auth->HMAC, 20) != 0);
+ return ((TSS_BOOL) (memcmp(digest, &auth->HMAC, 20) != 0));
}

void
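Review bot: `memcmp` stops at the first differing byte, so the time taken to compare the expected and the received HMAC in `validateReturnAuth` depends on how many leading bytes match; for an authentication digest a constant-time comparison is the safer default. With an `int i` declared, that could be `BYTE diff = 0; for (i = 0; i < 20; i++) diff |= digest[i] ^ ((BYTE *)&auth->HMAC)[i]; return (TSS_BOOL)(diff != 0);`. The literal `20` is repeated from the `memcpy` above and would be clearer as a named constant. The start of the function is outside the hunk.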

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=6462e45f8126f39adcb554cf13f19bfeb062b552

commit 6462e45f8126f39adcb554cf13f19bfeb062b552
Author: Richard Maciel <***@linux.vnet.ibm.com>
Date: Tue Mar 11 09:06:35 2014 -0300

Unload_KM_KEYINFO called UnloadBlob_BYTE passing parameters in wrong order

Related to coverit CID 10254.

Blob parameter is the last one instead of the middle one.

Signed-off-by: Richard Maciel <***@linux.vnet.ibm.com>

diff --git a/src/tcs/rpc/tcstp/rpc_ps.c b/src/tcs/rpc/tcstp/rpc_ps.c
index cd44e66..46b07ef 100644
--- a/src/tcs/rpc/tcstp/rpc_ps.c
+++ b/src/tcs/rpc/tcstp/rpc_ps.c
@@ -505,7 +505,7 @@ UnloadBlob_KM_KEYINFO(UINT64 *offset, BYTE *blob, TSS_KM_KEYINFO *info)
UnloadBlob_VERSION(offset, blob, (TPM_VERSION *)&(info->versionInfo));
UnloadBlob_UUID(offset, blob, &info->keyUUID);
UnloadBlob_UUID(offset, blob, &info->parentKeyUUID);
- UnloadBlob_BYTE(offset, blob, &info->bAuthDataUsage);
+ UnloadBlob_BYTE(offset, &info->bAuthDataUsage, blob);
UnloadBlob_BOOL(offset, &info->fIsLoaded, blob);
UnloadBlob_UINT32(offset, &info->ulVendorDataLength, blob);
UnloadBlob(offset, info->ulVendorDataLength, info->rgbVendorData, blob);
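Review bot: `ulVendorDataLength` is taken from the blob and immediately used as the copy length into `info->rgbVendorData` in the last two lines of the hunk, with no bound check or allocation visible in between. If `rgbVendorData` is not sized from that length somewhere outside the hunk, an oversized value overruns it, so the length should be validated against the destination and against the bytes remaining in the blob before the `UnloadBlob` call. Separately, the `UnloadBlob_*` helpers take the blob either second or last, and since both arguments appear to be byte pointers the compiler cannot catch a swap like the one fixed here; a comment at the helper declarations stating the argument order would help.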

-----------------------------------------------------------------------

Summary of changes:
src/tcs/rpc/tcstp/rpc_key.c | 11 +++++++--
src/tcs/rpc/tcstp/rpc_nv.c | 7 +++--
src/tcs/rpc/tcstp/rpc_ps.c | 2 +-
src/tcs/tcs_context.c | 2 +-
src/tcs/tcs_evlog_imaem.c | 50 +++++++++++++++++++++++++-----------------
src/tcs/tcs_pbg.c | 5 ++-
src/tcs/tcsi_caps_tpm.c | 3 +-
src/tcs/tcsi_nv.c | 2 +-
src/tcs/tcsi_ps.c | 2 +
src/tcsd/svrside.c | 31 ++++++++++++++++++++------
src/tspi/obj_delfamily.c | 4 ++-
src/tspi/rpc/tcstp/rpc.c | 2 +-
src/tspi/tsp_auth.c | 12 ++++++++-
13 files changed, 90 insertions(+), 43 deletions(-)


hooks/post-receive
--
Trousers