I regularly check lwIP, a free TCP/IP stack, with Coverity.
As a network stack, we have untrusted data coming in from the network which is stored in struct pbuf (some members omitted for clarity):
struct pbuf {
    void *payload;
    u16_t len;
    u16_t ref;
};
My questions are:
1) I want to model that "void* payload" of struct pbuf ALWAYS points to tainted data, every access to it must be untrusted. How can I do this?
2) We use refcounting (u16_t ref). Is there any way to model refcounting in Coverity?