F20 CVE version range checking: fix and dead code removal #1165
**What kind of change does this PR introduce?** (Bug fix, feature, docs update, ...)

**What is the current behavior?** (You can also link to an open issue here)

`dhcp:4.3.6` returns CVE-2018-5733 but that version is excluded (`CVE_VER_END_INCL`).

**What is the new behavior (if this is a feature change)?** If possible add a screenshot.

**Does this PR introduce a breaking change?** (What changes might users need to make in their application due to this PR?)

No
Tests
f20-test.zip
This test can be run before and after merging the PR to demonstrate the bug and the fixes. This part of the F20 code is so error-prone that I made this test to make sure it runs fine.
There are two files:
- f20-test.sh
- CVE-2024-0000.json
- emba_root/f20-test/nvd-test
This is not proper unit testing but demonstrates the issue nevertheless.
"Inconsequent" errors
In F20, when checking a binary version against vulnerable ranges, the combinatory nature of the 'if' conditions is very error-prone.
Indeed, on top of the above bugs, there were a few errors that happened to make no difference in execution. Given the pattern that initially occurred four times:
The last condition actually means "if zero or one of B or C is defined", but the intent was most probably "if none of B or C is defined", which would be consistent with the code and debug output inside the 'if' body. In that case, it should have been `if not (B OR C)` instead (equivalent to `if (not B) and (not C)`).
As another easy error, the first one (original line 725) also checked `B and A` instead of `B and C`, while `A` was obviously true at that point:
Those errors did not cause any misbehavior because at that point (in each of the four occurrences) B and C are both undefined, and the total condition was always true.
Dead code removal
The above also means that those conditions are not necessary; they were removed in this PR.
Also, the "second half" of cases (checking end versions first) is only reached when there is no starting version (neither including nor excluding). Therefore, the 'if' conditions checking for those are always false, and that dead code was removed.
The remaining code in the second half could be made a bit shorter by flipping some conditions, but everything was left as-is, in particular the debug output, to keep the changes clearer.
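As an added illustration of the range check this PR is about (example code, not EMBA's F20 implementation), the function below evaluates each of the four NVD boundaries independently, so a version equal to an exclusive end is not reported and no "second half" that relies on the start boundaries being unset is needed. It assumes GNU `sort -V` for version ordering; the boundary values in the demo are constructed, not taken from a real CVE entry.

```shell
# Example, not EMBA's own code. Empty string means "boundary not set".
# Version ordering relies on GNU sort -V (assumption).

# version_le A B: true when A <= B in version order (4.9.0 <= 4.10.0)
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# version_lt A B: true when A < B (strict, so 4.3.6 < 4.3.6 is false)
version_lt() {
  [ "$1" != "$2" ] && version_le "$1" "$2"
}

# in_range VERSION START_INCL START_EXCL END_INCL END_EXCL
# Returns 0 when VERSION satisfies every boundary that is set.
# Each boundary is checked on its own: there is no combined
# "if none of B or C is defined" condition to get wrong, and the
# end checks run whether or not a start boundary exists.
in_range() {
  ver="$1"; s_incl="$2"; s_excl="$3"; e_incl="$4"; e_excl="$5"
  # lower bound
  if [ -n "$s_incl" ] && ! version_le "$s_incl" "$ver"; then return 1; fi
  if [ -n "$s_excl" ] && ! version_lt "$s_excl" "$ver"; then return 1; fi
  # upper bound: an exclusive end equal to the version is NOT a match
  if [ -n "$e_incl" ] && ! version_le "$ver" "$e_incl"; then return 1; fi
  if [ -n "$e_excl" ] && ! version_lt "$ver" "$e_excl"; then return 1; fi
  return 0
}

# Demo with constructed boundaries: version 4.3.6 against a range
# starting at 4.1.0 (inclusive) and ending at 4.3.6 (exclusive).
if in_range 4.3.6 4.1.0 "" "" 4.3.6; then
  echo "4.3.6: reported as vulnerable"
else
  echo "4.3.6: not in range (exclusive end)"
fi
```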