Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 6 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 6 of 6 defect(s) ** CID 1568381: Insecure data handling (TAINTED_SCALAR) /bgpd/bgp_linkstate_tlv.c: 1408 in bgp_linkstate_tlv_opaque_display() ________________________________________________________________________________________________________ *** CID 1568381: Insecure data handling (TAINTED_SCALAR) /bgpd/bgp_linkstate_tlv.c: 1408 in bgp_linkstate_tlv_opaque_display() 1402 1403 if (pnt + sub_length > lim) { 1404 vty_out(vty, "Bad length received: %u\n", sub_length); 1405 break; 1406 } 1407
CID 1568381: Insecure data handling (TAINTED_SCALAR) Using tainted variable "sub_length" as a loop boundary. Note: sub_length is already bounded against lim by the check at line 1403 (`pnt + sub_length > lim`), so the loop bound is sanitized before use; the finding reflects taint provenance rather than a missing check. Separately, in the listing shown, pnt is read at line 1411 (`*pnt`) but never advanced inside the loop — if that matches the real source, the same byte is printed sub_length times instead of the sub-TLV payload; confirm against the file.
1408 for (i = 0; i < sub_length; i++) { 1409 if (i != 0 && i % 8 == 0) 1410 vty_out(vty, " "); 1411 vty_out(vty, "%02x", *pnt); 1412 } 1413 }
** CID 1568380: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1568380: Insecure data handling (TAINTED_SCALAR) /bgpd/bgp_linkstate_tlv.c: 692 in bgp_linkstate_nlri_prefix_json() 686 length = pnt_decode16(&pnt); 687 688 if (pnt + length > lim) 689 /* bad length */ 690 return; 691
CID 1568380: Insecure data handling (TAINTED_SCALAR) Passing tainted expression "length" to "bgp_linkstate_nlri_value_display", which uses it as an offset. Note: length is checked against lim at line 688 before the call, so the caller side is bounded; the callee must still keep every read within the `length` bytes it is handed, since that value originates from the received NLRI.
692 ret = bgp_linkstate_nlri_value_display(NULL, 0, pnt, nlri_type, 693 type, length, false, 694 json_nlri); 695 696 if (!ret) 697 /* bad length */
** CID 1568379: Control flow issues (DEADCODE) /bgpd/bgp_attr.c: 784 in link_state_hash_cmp() ________________________________________________________________________________________________________ *** CID 1568379: Control flow issues (DEADCODE) /bgpd/bgp_attr.c: 784 in link_state_hash_cmp() 778 const struct bgp_attr_ls *link_state1 = p1; 779 const struct bgp_attr_ls *link_state2 = p2; 780 781 if (!link_state1 && link_state2) 782 return false; 783 if (!link_state1 && link_state2)
CID 1568379: Control flow issues (DEADCODE) Execution cannot reach this statement: "return false;". The condition at line 783 repeats the one at line 781 (`!link_state1 && link_state2`), so the second branch can never be taken. The intended test is presumably the mirror case `link_state1 && !link_state2`; without it, a non-NULL p1 compared against a NULL p2 passes all three guards and dereferences link_state2 at line 788 (`link_state2->length`), a NULL pointer dereference in the hash compare.
784 return false; 785 if (!link_state1 && !link_state2) 786 return true; 787 788 if (link_state1->length != link_state2->length) 789 return false;
** CID 1568378: (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1568378: (TAINTED_SCALAR) /bgpd/bgp_linkstate_tlv.c: 1747 in bgp_linkstate_tlv_attribute_display() 1741 vty_out(vty, "Bad length received: %u\n", 1742 length); 1743 break; 1744 } 1745 } 1746
CID 1568378: (TAINTED_SCALAR) Passing tainted expression "length" to "bgp_linkstate_tlv_attribute_value_display", which uses it as a loop boundary.
1747 bgp_linkstate_tlv_attribute_value_display( 1748 vty, pnt, type, length, indent, json_tlv); 1749 } /bgpd/bgp_linkstate_tlv.c: 1747 in bgp_linkstate_tlv_attribute_display() 1741 vty_out(vty, "Bad length received: %u\n", 1742 length); 1743 break; 1744 } 1745 } 1746
CID 1568378: (TAINTED_SCALAR) Passing tainted expression "length" to "bgp_linkstate_tlv_attribute_value_display", which uses it as a loop boundary.
1747 bgp_linkstate_tlv_attribute_value_display( 1748 vty, pnt, type, length, indent, json_tlv); 1749 } /bgpd/bgp_linkstate_tlv.c: 1747 in bgp_linkstate_tlv_attribute_display() 1741 vty_out(vty, "Bad length received: %u\n", 1742 length); 1743 break; 1744 } 1745 } 1746
CID 1568378: (TAINTED_SCALAR) Passing tainted expression "length" to "bgp_linkstate_tlv_attribute_value_display", which uses it as an offset.
1747 bgp_linkstate_tlv_attribute_value_display( 1748 vty, pnt, type, length, indent, json_tlv); 1749 } /bgpd/bgp_linkstate_tlv.c: 1747 in bgp_linkstate_tlv_attribute_display() 1741 vty_out(vty, "Bad length received: %u\n", 1742 length); 1743 break; 1744 } 1745 } 1746
CID 1568378: (TAINTED_SCALAR) Passing tainted expression "length" to "bgp_linkstate_tlv_attribute_value_display", which uses it as a loop boundary.
1747 bgp_linkstate_tlv_attribute_value_display( 1748 vty, pnt, type, length, indent, json_tlv); 1749 } /bgpd/bgp_linkstate_tlv.c: 1747 in bgp_linkstate_tlv_attribute_display() 1741 vty_out(vty, "Bad length received: %u\n", 1742 length); 1743 break; 1744 } 1745 } 1746
CID 1568378: (TAINTED_SCALAR) Passing tainted expression "length" to "bgp_linkstate_tlv_attribute_value_display", which uses it as an offset.
1747 bgp_linkstate_tlv_attribute_value_display( 1748 vty, pnt, type, length, indent, json_tlv); 1749 } /bgpd/bgp_linkstate_tlv.c: 1747 in bgp_linkstate_tlv_attribute_display() 1741 vty_out(vty, "Bad length received: %u\n", 1742 length); 1743 break; 1744 } 1745 } 1746
CID 1568378: (TAINTED_SCALAR) Passing tainted expression "length" to "bgp_linkstate_tlv_attribute_value_display", which uses it as an offset.
1747 bgp_linkstate_tlv_attribute_value_display( 1748 vty, pnt, type, length, indent, json_tlv); 1749 }
** CID 1568377: (OVERRUN) /bgpd/bgp_linkstate_tlv.c: 156 in bgp_ls_tlv_check_size() /bgpd/bgp_linkstate_tlv.c: 165 in bgp_ls_tlv_check_size() /bgpd/bgp_linkstate_tlv.c: 161 in bgp_ls_tlv_check_size() /bgpd/bgp_linkstate_tlv.c: 163 in bgp_ls_tlv_check_size() ________________________________________________________________________________________________________ *** CID 1568377: (OVERRUN) /bgpd/bgp_linkstate_tlv.c: 156 in bgp_ls_tlv_check_size() 150 }; 151 /* clang-format on */ 152 153 /* Return the TLV length is valid for the TLV type */ 154 static bool bgp_ls_tlv_check_size(enum bgp_linkstate_tlv type, size_t length) 155 {
CID 1568377: (OVERRUN) Overrunning array "bgp_linkstate_tlv_infos" of 1253 16-byte elements at element index 1253 (byte offset 20063) using index "type" (which evaluates to 1253). The table has 1253 entries (valid indices 0..1252), but the guard `type > BGP_LS_TLV_MAX` at line 156 still admits type == 1253, so BGP_LS_TLV_MAX must be at least 1253 while the array is one element too short. Either tighten the guard to `type >= BGP_LS_TLV_MAX` or declare the table as `[BGP_LS_TLV_MAX + 1]` so the largest defined type fits; the same off-by-one reaches the indexing at lines 161, 163 and 165. If `type` is taken from the received TLV header (not visible here), this is a peer-triggerable out-of-bounds read.
156 if (type > BGP_LS_TLV_MAX || 157 bgp_linkstate_tlv_infos[type].descr == NULL) 158 /* TLV type is not defined. Cannot check size */ 159 return false; 160 161 if (bgp_linkstate_tlv_infos[type].min_size > length) /bgpd/bgp_linkstate_tlv.c: 165 in bgp_ls_tlv_check_size() 159 return false; 160 161 if (bgp_linkstate_tlv_infos[type].min_size > length) 162 return false; 163 if (bgp_linkstate_tlv_infos[type].max_size < length) 164 return false;
CID 1568377: (OVERRUN) Overrunning array "bgp_linkstate_tlv_infos" of 1253 16-byte elements at element index 1253 (byte offset 20063) using index "type" (which evaluates to 1253).
165 if (length % bgp_linkstate_tlv_infos[type].multiple != 0) 166 return false; 167 168 return true; 169 } 170 /bgpd/bgp_linkstate_tlv.c: 161 in bgp_ls_tlv_check_size() 155 { 156 if (type > BGP_LS_TLV_MAX || 157 bgp_linkstate_tlv_infos[type].descr == NULL) 158 /* TLV type is not defined. Cannot check size */ 159 return false; 160
CID 1568377: (OVERRUN) Overrunning array "bgp_linkstate_tlv_infos" of 1253 16-byte elements at element index 1253 (byte offset 20063) using index "type" (which evaluates to 1253).
161 if (bgp_linkstate_tlv_infos[type].min_size > length) 162 return false; 163 if (bgp_linkstate_tlv_infos[type].max_size < length) 164 return false; 165 if (length % bgp_linkstate_tlv_infos[type].multiple != 0) 166 return false; /bgpd/bgp_linkstate_tlv.c: 163 in bgp_ls_tlv_check_size() 157 bgp_linkstate_tlv_infos[type].descr == NULL) 158 /* TLV type is not defined. Cannot check size */ 159 return false; 160 161 if (bgp_linkstate_tlv_infos[type].min_size > length) 162 return false;
CID 1568377: (OVERRUN) Overrunning array "bgp_linkstate_tlv_infos" of 1253 16-byte elements at element index 1253 (byte offset 20063) using index "type" (which evaluates to 1253).
163 if (bgp_linkstate_tlv_infos[type].max_size < length) 164 return false; 165 if (length % bgp_linkstate_tlv_infos[type].multiple != 0) 166 return false; 167 168 return true;
** CID 1568376: Null pointer dereferences (REVERSE_INULL) /bgpd/bgp_attr.c: 4985 in bgp_packet_attribute() ________________________________________________________________________________________________________ *** CID 1568376: Null pointer dereferences (REVERSE_INULL) /bgpd/bgp_attr.c: 4985 in bgp_packet_attribute() 4979 /* VNC attribute */ 4980 bgp_packet_mpattr_tea(bgp, peer, s, attr, BGP_ATTR_VNC); 4981 #endif 4982 } 4983 4984 /* BGP Link-State */
CID 1568376: Null pointer dereferences (REVERSE_INULL) Null-checking "attr" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. The `attr &&` half of the condition at line 4985 is therefore redundant; either drop it (`if (attr->link_state)`) or, if attr can legitimately be NULL here, move the NULL check ahead of the earlier dereferences rather than leaving a guard that cannot protect anything.
4985 if (attr && attr->link_state) { 4986 stream_putc(s, BGP_ATTR_FLAG_OPTIONAL); 4987 stream_putc(s, BGP_ATTR_LINK_STATE); 4988 stream_putc(s, attr->link_state->length); 4989 stream_put(s, attr->link_state->data, attr->link_state->length); 4990 }