From a2ace4cc8e716a9648984ce53e3d3bd16e6f6788 Mon Sep 17 00:00:00 2001
From: HuangHaitao
Date: Thu, 20 Mar 2025 00:48:43 +0800
Subject: [PATCH 1/4] coverity 472861: http2: deal with zero length data without overflow merge https://github.com/warmcat/libwebsockets/commit/7333fcc
Signed-off-by: HuangHaitao
---
 lib/roles/h2/http2.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/lib/roles/h2/http2.c b/lib/roles/h2/http2.c
index 9cccdbcd..0376b107 100644
--- a/lib/roles/h2/http2.c
+++ b/lib/roles/h2/http2.c
@@ -2322,12 +2322,14 @@ lws_h2_parser(struct lws *wsi, unsigned char *in, lws_filepos_t _inlen,
 (unsigned int)h2n->count,
 (unsigned int)h2n->length);
- in += (unsigned int)n - 1;
- h2n->inside += (unsigned int)n;
- h2n->count += (unsigned int)n - 1;
+ if (n) {
+ in += (unsigned int)n - 1;
+ h2n->inside += (unsigned int)n;
+ h2n->count += (unsigned int)n - 1;
- h2n->swsi->txc.peer_tx_cr_est -= n;
- wsi->txc.peer_tx_cr_est -= n;
+ h2n->swsi->txc.peer_tx_cr_est -= n;
+ wsi->txc.peer_tx_cr_est -= n;
+ }
 do_windows:
--
Gitee
From e771d6dd055f08e5c22de7ea14923ff25fffdfd9 Mon Sep 17 00:00:00 2001
From: HuangHaitao
Date: Thu, 20 Mar 2025 00:50:48 +0800
Subject: [PATCH 2/4] coverity 472863: cookies: length check order wrong merge https://github.com/warmcat/libwebsockets/commit/b81b24d
Signed-off-by: HuangHaitao
---
 lib/roles/http/cookie.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/roles/http/cookie.c b/lib/roles/http/cookie.c
index 1860e87d..44ad6eb9 100644
--- a/lib/roles/http/cookie.c
+++ b/lib/roles/http/cookie.c
@@ -160,11 +160,13 @@ lws_cookie_rm_sws(const char **buf_p, size_t *len_p)
 buf = *buf_p;
 len = *len_p;
+
 while (buf[0] == ' ' && len > 0) {
 buf++;
 len--;
 }
- while (buf[len - 1] == ' ' && len > 0)
+
+ while (len && buf[len - 1] == ' ')
 len--;
 *buf_p = buf;
--
Gitee
From 2f1364012c80cc184f7fac0e258d397f32440262 Mon Sep 17 00:00:00 2001
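Review bot: The new `if (n)` guard in lws_h2_parser excludes only zero, so a negative `n` would still reach `in += (unsigned int)n - 1` and the two `peer_tx_cr_est -= n` lines, where the cast wraps to a very large advance. How `n` is produced, and whether it is range-checked earlier, is outside the hunk; if a negative value can arrive here, the guard should be `if (n > 0) {`. A short comment such as `/* n == 0: zero-length DATA, nothing consumed */` would also record why the block is skipped.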
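Review bot: The leading-space loop just above the corrected one in lws_cookie_rm_sws still has the same ordering problem: `while (buf[0] == ' ' && len > 0)` reads `buf[0]` before testing `len`, so an empty or all-spaces value is read one byte past the counted region. The commit fixes only the trailing loop; the first should become `while (len && buf[0] == ' ') {` to match. The buffer is described by `*len_p` rather than a terminator, and cookie text is presumably peer-supplied, so the length has to be the first operand in both loops.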
From: HuangHaitao
Date: Thu, 20 Mar 2025 00:52:52 +0800
Subject: [PATCH 3/4] coverity 872858: hash gen overflow false positive Help it ignore that we use the MS 7 bits in the next part of the operation and discard it in the first part. merge https://github.com/warmcat/libwebsockets/commit/5a34404
Signed-off-by: HuangHaitao
---
 lib/core/lws_map.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/core/lws_map.c b/lib/core/lws_map.c
index d149d867..91f5a36d 100644
--- a/lib/core/lws_map.c
+++ b/lib/core/lws_map.c
@@ -88,7 +88,10 @@ lws_map_hash_from_key_default(const lws_map_key_t key, size_t kl)
 const uint8_t *u = (const uint8_t *)key;
 while (kl--)
- h = ((((h << 7) | (h >> 25)) + 0xa1b2c3d4) ^ (*u++)) ^ h;
+ h = ((
+ (((h & 0x1fffffff /* coverity */ ) << 7) |
+ (h >> 25)) +
+ 0xa1b2c3d4) ^ (*u++)) ^ h;
 return h;
 }
--
Gitee
From e24598c2e436e37030f3e0ece621d451284a447b Mon Sep 17 00:00:00 2001
From: HuangHaitao
Date: Thu, 20 Mar 2025 00:56:47 +0800
Subject: [PATCH 4/4] coverity 472862: cookiejar overflow merge https://github.com/warmcat/libwebsockets/commit/fce734f
Signed-off-by: HuangHaitao
---
 lib/misc/cache-ttl/file.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/lib/misc/cache-ttl/file.c b/lib/misc/cache-ttl/file.c
index 3307faf8..dad23d88 100644
--- a/lib/misc/cache-ttl/file.c
+++ b/lib/misc/cache-ttl/file.c
@@ -163,7 +163,11 @@ nscookiejar_iterate(lws_cache_nscookiejar_t *cache, int fd,
 lwsl_debug("%s: n %d, m %d\n", __func__, n, m);
 read:
- n1 = (int)read(fd, temp + n, sizeof(temp) - (size_t)n);
+ if ((size_t)n >= sizeof(temp) - 1)
+ /* there's no space left in temp */
+ n1 = 0;
+ else
+ n1 = (int)read(fd, temp + n, sizeof(temp) - (size_t)n);
 lwsl_debug("%s: n1 %d\n", __func__, n1);
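Review bot: The mask `0x1fffffff` clears only the top three bits of `h`, while `<< 7` discards the top seven, so bits 25 to 28 are still shifted out and the constant does not match the "MS 7 bits" in the commit message. If `h` is a 32-bit unsigned type (its declaration is outside the hunk) the hash value is the same either way, but the mask that states the intent is `0x01ffffff`. The bare `/* coverity */` tag would read better as `/* the top 7 bits are rotated in by (h >> 25); mask them so the shift drops no set bits */`.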
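Review bot: When temp is full the new branch sets `n1 = 0`, the same value read() returns at end of file, so the code after it cannot tell a line longer than the buffer from EOF. The test on `n1` lies between this hunk and the next and is not shown, but the `eof = 1` context there suggests the jar would be treated as finished and any remaining entries silently skipped. Failing the way the later hunks do, with `ret = -1; goto bail;`, would keep an over-long or malformed line from quietly truncating the parse. The threshold also differs from the read size: `sizeof(temp) - 1` skips the read while one byte is still free, whereas the read itself uses `sizeof(temp) - (size_t)n`.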
@@ -171,12 +175,18 @@ read:
 eof = 1;
 if (m == n)
 continue;
- } else
+ } else {
 n += n1;
+ if ((size_t)n > sizeof(temp)) { /* coverity */
+ ret = -1;
+ goto bail;
+ }
+ }
+
 while (m < n) {
- m++;
+ m++; /* m can == n nw then */
 if (temp[m - 1] != '\n')
 continue;
@@ -197,6 +207,13 @@ read:
 * cb can classify it even if it can't get all the
 * value part in one go
 */
+
+ /* coverity: we will blow up if m > n */
+ if (m > n) {
+ ret = -1;
+ goto bail;
+ }
+
 memmove(temp, temp + m, (size_t)(n - m));
 n -= m;
 m = 0;
--
Gitee
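Review bot: The guards added in this hunk and the following one (`(size_t)n > sizeof(temp)` and `m > n`) are tagged only with "coverity", which does not tell a reader which invariant they protect. I would spell it out, e.g. `/* read() is bounded by the space left in temp, so n must stay <= sizeof(temp) */` and `/* (size_t)(n - m) below would wrap to a huge memmove length if m > n */`. The comment on `m++` has a typo, `nw` for `now`. The first guard runs after read() has already stored into temp, so it detects a broken bound rather than preventing the write; what prevents it is the read size computed in the previous hunk.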