Coverity Scan reported the following issues when we submitted builds as part of the nghttp2 build process:
** CID 1331205: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1331205: (TAINTED_SCALAR)
/third-party/neverbleed/neverbleed.c: 262 in expbuf_read()
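/*
 * Read one length-prefixed message from fd into buf.
 *
 * Wire format: a raw size_t length followed by that many bytes.  The length
 * comes straight off the socket, so it is peer-controlled (Coverity CID
 * 1331205, TAINTED_SCALAR): passed unchecked to expbuf_reserve() it lets the
 * peer dictate how much memory this process allocates, and read_nbytes()
 * then blocks until that many bytes arrive.
 *
 * Returns 0 on success, -1 if either read fails or the announced length
 * exceeds EXPBUF_MAX_MESSAGE_LEN (errno set to EMSGSIZE in that case).
 * On -1 the contents of buf are unspecified.
 */
enum {
    /* Upper bound on a single message.  Value constructed for this review:
     * set it to the largest request the protocol legitimately carries. */
    EXPBUF_MAX_MESSAGE_LEN = 1024 * 1024
};

static int expbuf_read(struct expbuf_t *buf, int fd)
{
    size_t sz;

    if (read_nbytes(fd, &sz, sizeof(sz)) != 0)
        return -1;
    /* Validate the length before it reaches the allocator; a malformed or
     * hostile sender must not be able to choose the allocation size. */
    if (sz > EXPBUF_MAX_MESSAGE_LEN) {
        errno = EMSGSIZE;
        return -1;
    }
    expbuf_reserve(buf, sz);
    if (read_nbytes(fd, buf->end, sz) != 0)
        return -1;
    buf->end += sz;
    return 0;
}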
/third-party/neverbleed/neverbleed.c: 263 in expbuf_read()
257 {
258 size_t sz;
259
260 if (read_nbytes(fd, &sz, sizeof(sz)) != 0)
261 return -1;
262 expbuf_reserve(buf, sz);
>>> CID 1331205: (TAINTED_SCALAR)
>>> Passing tainted variable "sz" to a tainted sink.
263 if (read_nbytes(fd, buf->end, sz) != 0)
264 return -1;
265 buf->end += sz;
266 return 0;
267 }
268
** CID 1331203: Integer handling issues (NEGATIVE_RETURNS)
/third-party/neverbleed/neverbleed.c: 664 in setuidgid_stub()
________________________________________________________________________________________________________
*** CID 1331203: Integer handling issues (NEGATIVE_RETURNS)
/third-party/neverbleed/neverbleed.c: 664 in setuidgid_stub()
658 static int setuidgid_stub(struct expbuf_t *buf)
659 {
660 const char *user;
661 size_t change_socket_ownership;
662 struct passwd pwbuf, *pw;
663 char pwstrbuf[65536]; /* should be large enough */
>>> CID 1331203: Integer handling issues (NEGATIVE_RETURNS)
>>> Assigning: "ret" = a negative value.
664 int ret = -1;
665
666 if ((user = expbuf_shift_str(buf)) == NULL || expbuf_shift_num(buf, &change_socket_ownership) != 0) {
667 errno = 0;
668 warnf("%s: failed to parse request", __FUNCTION__);
669 return -1;
The first issue may be a non-issue if we can trust the sender: `sz` is read from the socket and passed unchecked to expbuf_reserve() and read_nbytes(), so whoever is on the other end of the socket chooses how much memory expbuf_read() reserves (is that acceptable?).
The second issue could be a real bug, since we pass -1 to a size_t parameter, which converts to a very large value.