Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 72 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 72 defect(s) ** CID 1502776: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 1502776: Memory - corruptions (OVERRUN) /isisd/isis_snmp.c: 3359 in isis_snmp_lsp_error_update() 3353 * This is a special case because 3354 * it have more variables 3355 */ 3356 netsnmp_variable_list *notification_vars; 3357 long val; 3358
CID 1502776: Memory - corruptions (OVERRUN) Overrunning callee's array of size 18 by passing argument "18UL" in call to "isis_snmp_trap_throttle". Reviewer note: ISIS_TRAP_LSP_ERROR evaluates to 18, but an 18-element throttle table only has valid indices 0..17, so this is an off-by-one on the last trap type unless the callee rejects the value before indexing (its body is not shown here). The usual fix is to size the per-trap table by the highest trap number plus one (or an ISIS_TRAP_MAX sentinel) rather than by the number of traps, and to bounds-check the index inside isis_snmp_trap_throttle so a future trap ID cannot reintroduce the overrun.
3359 if (!isis_snmp_trap_throttle(ISIS_TRAP_LSP_ERROR)) 3360 return 0; 3361 3362 notification_vars = NULL; 3363 3364 /* Put in trap value */
** CID 1502775: Null pointer dereferences (FORWARD_NULL) /isisd/isis_snmp.c: 1022 in isis_snmp_circuit_level_lookup_next() ________________________________________________________________________________________________________ *** CID 1502775: Null pointer dereferences (FORWARD_NULL) /isisd/isis_snmp.c: 1022 in isis_snmp_circuit_level_lookup_next() 1016 if (isis == NULL) 1017 return 0; 1018 1019 start = 0; 1020 1021 if (oid_idx != NULL || oid_idx_len != 0) {
CID 1502775: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "oid_idx". Reviewer note: this is a real defect and it is visible on line 1021: the guard uses `||` where `&&` is intended, so a NULL oid_idx with a non-zero oid_idx_len enters the block and oid_idx[0] dereferences NULL. Change the condition to `if (oid_idx != NULL && oid_idx_len != 0)`; the same inverted guard appears in isis_snmp_circuit_lookup_next (CID 1502772) and should be fixed together.
1022 if (oid_idx[0] > SNMP_CIRCUITS_MAX) 1023 return 0; 1024 1025 start = oid_idx[0]; 1026 } 1027
** CID 1502774: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /isisd/isis_snmp.c: 2571 in isis_snmp_find_isadj() ________________________________________________________________________________________________________ *** CID 1502774: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /isisd/isis_snmp.c: 2571 in isis_snmp_find_isadj() 2565 2566 now_time = isis_snmp_time(); 2567 2568 if (adj->last_flap >= now_time) 2569 return SNMP_INTEGER(up_ticks); 2570
CID 1502774: Integer handling issues (OVERFLOW_BEFORE_WIDEN) Potentially overflowing expression "(now_time - adj->last_flap) * 10U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "_uint64_t" (64 bits, unsigned). Reviewer note: the subtraction cannot underflow thanks to the guard on line 2568, but the product is formed in 32 bits before being stored in the 64-bit delta_ticks, so it wraps once the flap age exceeds roughly 2^32 / 10 seconds (about 13.6 years). Not a practical risk for an uptime counter, but widening first states the intent and silences the checker: `delta_ticks = (uint64_t)(now_time - adj->last_flap) * 10;`.
2571 delta_ticks = (now_time - adj->last_flap) * 10; 2572 2573 if (up_ticks < delta_ticks) 2574 return SNMP_INTEGER(up_ticks); 2575 2576 return SNMP_INTEGER((uint32_t)(up_ticks - delta_ticks));
** CID 1502773: (USE_AFTER_FREE) /ospf6d/ospf6_asbr.c: 1118 in ospf6_asbr_remove_externals_from_area() /ospf6d/ospf6_asbr.c: 1118 in ospf6_asbr_remove_externals_from_area() ________________________________________________________________________________________________________ *** CID 1502773: (USE_AFTER_FREE) /ospf6d/ospf6_asbr.c: 1118 in ospf6_asbr_remove_externals_from_area() 1112 for (ALL_LIST_ELEMENTS(ospf6->area_list, node, nnode, area)) 1113 if (!IS_AREA_STUB(area)) 1114 return; 1115 1116 /* if router is only in a stub area then purge AS-External LSAs */ 1117 for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) {
CID 1502773: (USE_AFTER_FREE) Dereferencing freed pointer "lsa". Reviewer note: ospf6_lsdb_remove on line 1119 can free the LSA it is handed, and the ALL_LSDB iterator then touches lsa again when it advances (Coverity reports the ospf6_lsa_unlock call it makes). Whether this is a true positive depends on the reference counting inside ALL_LSDB, which is not shown here: if the iterator takes its own lock on lsa before the body runs and releases it afterwards, the unlock operates on a still-live object and the finding should be marked a false positive; if it does not, the loop body must not drop the last reference while iterating. Separately, the loop walks oa->ospf6->lsdb but removes from ospf6->lsdb — presumably the same database, but naming it one way in both places would make that obvious to the reader and the checker.
1118 if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL) 1119 ospf6_lsdb_remove(lsa, ospf6->lsdb); 1120 } 1121 } 1122 1123 void ospf6_asbr_redistribute_add(int type, ifindex_t ifindex, /ospf6d/ospf6_asbr.c: 1117 in ospf6_asbr_remove_externals_from_area() 1111 /* skip if router is in other non-stub areas */ 1112 for (ALL_LIST_ELEMENTS(ospf6->area_list, node, nnode, area)) 1113 if (!IS_AREA_STUB(area)) 1114 return; 1115 1116 /* if router is only in a stub area then purge AS-External LSAs */
CID 1502773: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
1117 for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) { 1118 if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL) 1119 ospf6_lsdb_remove(lsa, ospf6->lsdb); 1120 } 1121 } 1122 /ospf6d/ospf6_asbr.c: 1117 in ospf6_asbr_remove_externals_from_area() 1111 /* skip if router is in other non-stub areas */ 1112 for (ALL_LIST_ELEMENTS(ospf6->area_list, node, nnode, area)) 1113 if (!IS_AREA_STUB(area)) 1114 return; 1115 1116 /* if router is only in a stub area then purge AS-External LSAs */
CID 1502773: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
1117 for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) { 1118 if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL) 1119 ospf6_lsdb_remove(lsa, ospf6->lsdb); 1120 } 1121 } 1122 /ospf6d/ospf6_asbr.c: 1118 in ospf6_asbr_remove_externals_from_area() 1112 for (ALL_LIST_ELEMENTS(ospf6->area_list, node, nnode, area)) 1113 if (!IS_AREA_STUB(area)) 1114 return; 1115 1116 /* if router is only in a stub area then purge AS-External LSAs */ 1117 for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) {
CID 1502773: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1118 if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL) 1119 ospf6_lsdb_remove(lsa, ospf6->lsdb); 1120 } 1121 } 1122 1123 void ospf6_asbr_redistribute_add(int type, ifindex_t ifindex,
** CID 1502772: Null pointer dereferences (FORWARD_NULL) /isisd/isis_snmp.c: 948 in isis_snmp_circuit_lookup_next() ________________________________________________________________________________________________________ *** CID 1502772: Null pointer dereferences (FORWARD_NULL) /isisd/isis_snmp.c: 948 in isis_snmp_circuit_lookup_next() 942 if (isis == NULL) 943 return 0; 944 945 start = 0; 946 947 if (oid_idx != NULL || oid_idx_len != 0) {
CID 1502772: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "oid_idx". Reviewer note: a real defect, visible on line 947: the guard uses `||` where `&&` is intended, so a NULL oid_idx with a non-zero oid_idx_len enters the block and oid_idx[0] dereferences NULL. Change it to `if (oid_idx != NULL && oid_idx_len != 0)`; isis_snmp_circuit_level_lookup_next (CID 1502775) has the identical inverted guard.
948 if (oid_idx[0] > SNMP_CIRCUITS_MAX) 949 return 0; 950 951 start = oid_idx[0]; 952 } 953
** CID 1501743: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 1501743: Memory - corruptions (OVERRUN) /bgpd/bgp_mplsvpn_snmp.c: 1483 in bgpL3vpnRte_lookup() 1477 /* copy the index parameters */ 1478 oid_copy_str(&name[namelen], (*l3vpn_bgp)->name, 1479 vrf_name_len); 1480 oid_index = namelen + vrf_name_len; 1481 name[oid_index++] = 1482 v4 ? INETADDRESSTYPEIPV4 : INETADDRESSTYPEIPV6;
CID 1501743: Memory - corruptions (OVERRUN) Overrunning struct type in_addr of 4 bytes by passing it to a function which accesses it at byte offset 15 using argument "addr_len" (which evaluates to 16). Reviewer note: for an IPv6 prefix addr_len is 16 while &p->u.prefix4 names a 4-byte in_addr. If p->u is the usual union that also holds the IPv6 address (its definition is not shown here), the read stays inside the union and picks up the right bytes at runtime, but it is type confusion the checker cannot prove safe and it will break if the union layout ever changes. Select the source by family — the prefix4 member for v4 and the prefix6 member (via an IPv6-aware copy helper or the union's raw byte view) for v6 — so the source length always matches the source type.
1483 oid_copy_addr(&name[oid_index], &p->u.prefix4, 1484 addr_len); 1485 oid_index += addr_len; 1486 name[oid_index++] = p->prefixlen; 1487 name[oid_index++] = *policy >> 8; 1488 name[oid_index++] = *policy & 0xff;
** CID 1500586: Null pointer dereferences (FORWARD_NULL) /pbrd/pbr_nht.c: 758 in pbr_nht_individual_nexthop_gw_update() ________________________________________________________________________________________________________ *** CID 1500586: Null pointer dereferences (FORWARD_NULL) /pbrd/pbr_nht.c: 758 in pbr_nht_individual_nexthop_gw_update() 752 goto done; /* Unrelated change */ 753 break; 754 } 755 } 756 757 pnhi->nhr_matched = true;
CID 1500586: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "pnhi->nhr". Reviewer note: Coverity has found a path on which pnhi->nhr is NULL when control reaches line 758; that path lies above the excerpt (the switch ending on line 754 is only partly shown), so confirm it against the full function body. If nhr can legitimately be unset here, treat it as a non-match rather than dereferencing it: `if (!pnhi->nhr || !pnhi->nhr->nexthop_num) { is_valid = false; goto done; }`. If it cannot, an assert or a checker annotation documents the invariant better than a runtime test that silently hides a caller bug.
758 if (!pnhi->nhr->nexthop_num) { 759 is_valid = false; 760 goto done; 761 } 762 763 if (pnhc->nexthop.type == NEXTHOP_TYPE_IPV4_IFINDEX
** CID 1497888: Memory - corruptions (OVERRUN) /ospfclient/ospf_apiclient.c: 623 in ospf_apiclient_handle_lsa_delete() ________________________________________________________________________________________________________ *** CID 1497888: Memory - corruptions (OVERRUN) /ospfclient/ospf_apiclient.c: 623 in ospf_apiclient_handle_lsa_delete() 617 __func__, lsalen, OSPF_MAX_LSA_SIZE); 618 return; 619 } 620 621 p = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen); 622
CID 1497888: Memory - corruptions (OVERRUN) Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500). Reviewer note: cn->data is declared as a 20-byte struct lsa_header but is used as the start of a variable-length LSA, so copying lsalen bytes from it is correct only if data is the last member of the message and the buffer received from the API peer really holds lsalen bytes after it. The check on lines 617-619 bounds lsalen by OSPF_MAX_LSA_SIZE, but nothing in the excerpt compares lsalen with the number of bytes actually read from the socket; that comparison must exist in the caller (not shown) or a short message from the peer turns this into an over-read. Mark the finding intentional only after confirming that.
623 memcpy(p, &(cn->data), lsalen); 624 lsa = p; 625 626 /* Invoke registered update callback function */ 627 if (oclient->delete_notify) { 628 (oclient->delete_notify)(cn->ifaddr, cn->area_id,
** CID 1497887: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_gr_helper.c: 248 in ospf_extract_grace_lsa_fields() ________________________________________________________________________________________________________ *** CID 1497887: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_gr_helper.c: 248 in ospf_extract_grace_lsa_fields() 242 __func__, length); 243 return OSPF_GR_FAILURE; 244 } 245 246 length -= OSPF_LSA_HEADER_SIZE; 247
CID 1497887: Insecure data handling (TAINTED_SCALAR) Using tainted variable "length" as a loop boundary. Reviewer note: length comes from the LSA header on the wire, but it appears to be validated just above (the failure return on line 243) and every TLV is then checked against it on line 252, so the loop bound as such is fine. The remaining gap is the TLV header read itself: TLV_SIZE(tlvh) reads tlvh's length field before line 252 has verified that a whole header fits, so when fewer than sizeof(*tlvh) bytes remain (length - sum smaller than the header) that read is past the end of the LSA. Add `sum + sizeof(*tlvh) <= length` to the loop condition, and make sure the size compared on line 252 is the same padded size TLV_HDR_NEXT advances by, so sum can never step over length.
248 for (tlvh = TLV_HDR_TOP(lsah); sum < length; 249 tlvh = TLV_HDR_NEXT(tlvh)) { 250 251 /* Check TLV len against overall LSA */ 252 if (sum + TLV_SIZE(tlvh) > length) { 253 if (IS_DEBUG_OSPF_GR_HELPER)
** CID 1497886: Memory - corruptions (OVERRUN) /ospfclient/ospf_apiclient.c: 588 in ospf_apiclient_handle_lsa_update() ________________________________________________________________________________________________________ *** CID 1497886: Memory - corruptions (OVERRUN) /ospfclient/ospf_apiclient.c: 588 in ospf_apiclient_handle_lsa_update() 582 __func__, lsalen, OSPF_MAX_LSA_SIZE); 583 return; 584 } 585 586 p = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen); 587
CID 1497886: Memory - corruptions (OVERRUN) Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500). Reviewer note: same pattern as the delete handler — cn->data is a 20-byte struct lsa_header used as the head of a variable-length LSA, so the lsalen-byte copy is only correct if data is the last member of the message and the received buffer really holds lsalen bytes after it. Lines 582-584 bound lsalen by OSPF_MAX_LSA_SIZE, but the excerpt shows no comparison of lsalen against the number of bytes actually received; confirm the caller enforces it before marking this intentional, otherwise a short message from the API peer becomes an over-read.
588 memcpy(p, &(cn->data), lsalen); 589 lsa = p; 590 591 /* Invoke registered update callback function */ 592 if (oclient->update_notify) { 593 (oclient->update_notify)(cn->ifaddr, cn->area_id,
** CID 1497885: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_gr_helper.c: 1017 in show_ospf_grace_lsa_info() ________________________________________________________________________________________________________ *** CID 1497885: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_gr_helper.c: 1017 in show_ospf_grace_lsa_info() 1011 } 1012 1013 length -= OSPF_LSA_HEADER_SIZE; 1014 1015 vty_out(vty, " TLV info:\n"); 1016
CID 1497885: Insecure data handling (TAINTED_SCALAR) Using tainted variable "length" as a loop boundary. Reviewer note: as with the extractor (CID 1497887), each TLV is checked against length on line 1020, so the bound itself is acceptable provided length was validated against the LSA size above the excerpt (the block closing on line 1011 looks like that check). The gap is again the header read: TLV_SIZE(tlvh) reads tlvh's length field before line 1020 confirms a whole header fits, so with fewer than sizeof(*tlvh) bytes remaining the read runs past the LSA. Add `sum + sizeof(*tlvh) <= length` to the loop condition. This path is only reachable from a show command, so the impact is a crash of the vty session's daemon rather than anything remotely triggerable on its own, but the LSA contents it walks still originate from a neighbor.
1017 for (tlvh = TLV_HDR_TOP(lsah); sum < length; 1018 tlvh = TLV_HDR_NEXT(tlvh)) { 1019 /* Check TLV len */ 1020 if (sum + TLV_SIZE(tlvh) > length) { 1021 vty_out(vty, "%% Invalid TLV length: %u\n", 1022 TLV_SIZE(tlvh));
** CID 1487305: Memory - corruptions (ARRAY_VS_SINGLETON) /lib/prefix.c: 266 in evpn_type5_prefix_match() ________________________________________________________________________________________________________ *** CID 1487305: Memory - corruptions (ARRAY_VS_SINGLETON) /lib/prefix.c: 266 in evpn_type5_prefix_match() 260 return 0; 261 262 offset = prefixlen / PNBBY; 263 shift = prefixlen % PNBBY; 264 265 if (shift)
CID 1487305: Memory - corruptions (ARRAY_VS_SINGLETON) Using "np" as an array. This might corrupt or misinterpret adjacent memory locations. Reviewer note: np and pp are declared above the excerpt, so the finding cannot be fully judged here. Indexing up to offset = prefixlen / 8 is correct only if both point at the first byte of an address buffer at least prefixlen bits long and prefixlen was bounded before line 262 (the early return on line 260 looks like that check). If instead they are pointers to single scalar objects, as the checker believes, every read past byte 0 is out of bounds; taking them as uint8_t * over the whole address field, with the length check expressed in bytes of that field, resolves both the real risk and the report.
266 if (maskbit[shift] & (np[offset] ^ pp[offset])) 267 return 0; 268 269 while (offset--) 270 if (np[offset] != pp[offset]) 271 return 0;
** CID 1485637: Incorrect expression (SIZEOF_MISMATCH) /qpb/qpb_allocator.h: 57 in qpb_alloc_ptr_array() ________________________________________________________________________________________________________ *** CID 1485637: Incorrect expression (SIZEOF_MISMATCH) /qpb/qpb_allocator.h: 57 in qpb_alloc_ptr_array() 51 * 52 * Allocate space for the specified number of pointers. 53 */ 54 static inline void *qpb_alloc_ptr_array(qpb_allocator_t *allocator, 55 size_t num_ptrs) 56 {
CID 1485637: Incorrect expression (SIZEOF_MISMATCH) Passing argument "num_ptrs * 8UL /* sizeof (void *) */" to function "qpb_alloc" which returns a value of type "void *" is suspicious. Reviewer note: this is a false positive. The function's contract is to allocate room for num_ptrs pointers, so a byte count that is a multiple of sizeof(void *) is exactly right; the heuristic fires only because qpb_alloc happens to return void *. Mark it intentional. The one thing worth adding is an overflow guard (`num_ptrs > SIZE_MAX / sizeof(void *)`) if num_ptrs can ever be derived from decoded protobuf input rather than a compile-time count.
57 return qpb_alloc(allocator, num_ptrs * sizeof(void *)); 58 } 59 60 /* 61 * qpb_free 62 */
** CID 1485635: Incorrect expression (SIZEOF_MISMATCH) /qpb/qpb.h: 124 in qpb__l3_prefix__get() ________________________________________________________________________________________________________ *** CID 1485635: Incorrect expression (SIZEOF_MISMATCH) /qpb/qpb.h: 124 in qpb__l3_prefix__get() 118 uint8_t family, struct prefix *prefix) 119 { 120 121 switch (family) { 122 123 case AF_INET:
CID 1485635: Incorrect expression (SIZEOF_MISMATCH) Passing argument "prefix" of type "struct prefix *" and argument "16UL" ("sizeof (struct prefix_ipv4)") to function "memset" is suspicious because a multiple of "sizeof (struct prefix) /*48*/" is expected. Reviewer note: this is partial zeroing. prefix points at a 48-byte struct prefix, but only sizeof(struct prefix_ipv4) bytes (AF_INET arm) or sizeof(struct prefix_ipv6) bytes (AF_INET6 arm) are cleared, so the tail keeps whatever the caller's buffer held. That is harmless if every consumer reads only the family-specific fields, but anything that hashes, memcmp-compares or copies the whole struct prefix will see stale data and may leak it. `memset(prefix, 0, sizeof(*prefix))` in both arms is the robust fix and costs nothing.
124 memset(prefix, 0, sizeof(struct prefix_ipv4)); 125 break; 126 127 case AF_INET6: 128 memset(prefix, 0, sizeof(struct prefix_ipv6)); 129 break;
** CID 1482218: Memory - illegal accesses (OVERRUN) /lib/printf/glue.c: 206 in printfrr_ext_reg() ________________________________________________________________________________________________________ *** CID 1482218: Memory - illegal accesses (OVERRUN) /lib/printf/glue.c: 206 in printfrr_ext_reg() 200 return; 201 for (o++; o <= 'Z' - 'A'; o++) 202 ext_offsets[o]++; 203 204 memmove(entries + i + 1, entries + i, 205 (MAXEXT - i - 1) * sizeof(entries[0]));
CID 1482218: Memory - illegal accesses (OVERRUN) Overrunning array of 512 bytes at byte offset 512 by dereferencing pointer "exts + i + 1". Reviewer note: when i == MAXEXT - 1 the move length is zero but exts + i + 1 is one past the end of the array; that is what the checker flags. A zero-length memmove with a one-past-the-end pointer is harmless on real implementations, and whether i can reach MAXEXT - 1 at all depends on the search loop above the excerpt. If it can, guarding both memmoves (lines 204-207) with `if (i < MAXEXT - 1)` documents the bound and silences the report; if it cannot, mark the finding intentional with that justification.
206 memmove(exts + i + 1, exts + i, 207 (MAXEXT - i - 1) * sizeof(exts[0])); 208 209 memcpy(entries[i].fmt, ext->match, 2); 210 exts[i] = ext; 211 }
** CID 1482217: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1482217: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_packet.c: 355 in ospf_check_md5_digest() 349 EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE); 350 EVP_DigestFinal(ctx, digest, &md5_size); 351 EVP_MD_CTX_free(ctx); 352 #elif CRYPTO_INTERNAL 353 memset(&ctx, 0, sizeof(ctx)); 354 MD5Init(&ctx);
CID 1482217: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "length" to a tainted sink. Reviewer note: length is the OSPF packet length from the wire and here it only bounds the bytes fed into the MD5 context, which is the intended use. The finding is a true positive only if length was not already validated against the number of bytes actually received before this function ran; that validation is outside the excerpt, so confirm it rather than assume it. Two further points a reviewer would raise here: the digest comparison that follows ("compare the two") should be a constant-time compare rather than a bare memcmp, and MD5 is what RFC 2328's cryptographic authentication specifies, so the hash choice itself is an interoperability constraint rather than a defect.
355 MD5Update(&ctx, ospfh, length); 356 MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE); 357 MD5Final(digest, &ctx); 358 #endif 359 360 /* compare the two */
** CID 1482215: Insecure data handling (TAINTED_SCALAR) /ospf6d/ospf6_message.c: 2257 in ospf6_lsupdate_send_interface() ________________________________________________________________________________________________________ *** CID 1482215: Insecure data handling (TAINTED_SCALAR) /ospf6d/ospf6_message.c: 2257 in ospf6_lsupdate_send_interface() 2251 ospf6_lsupdate)); 2252 lsa_cnt = 0; 2253 } 2254 } 2255 2256 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
CID 1482215: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "ntohs(((struct ospf6_lsa_header *)lsa->header)->length)" to a tainted sink. Reviewer note: the tainted value is the LSA length field, originally received from a neighbor; the sink is the outgoing packet buffer p. Correctness depends on two checks the excerpt does not show: that the LSA length was validated against the received packet when the LSA was installed, and that the flush logic ending on line 2253 guarantees at least OSPF6_LSA_SIZE(lsa->header) bytes remain in the buffer before this copy. If both hold this is a false positive; if the room check only runs after the copy, an oversized LSA overflows the send buffer. OSPF6_LSA_SIZE(lsa->header) is also evaluated twice (lines 2257-2258); caching it in a local makes the room check trivial to write and read.
2257 memcpy(p, lsa->header, OSPF6_LSA_SIZE(lsa->header)); 2258 p += OSPF6_LSA_SIZE(lsa->header); 2259 lsa_cnt++; 2260 2261 assert(lsa->lock == 2); 2262 ospf6_lsdb_remove(lsa, oi->lsupdate_list);
** CID 1482211: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1482211: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_packet.c: 430 in ospf_make_md5_digest() 424 EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE); 425 EVP_DigestFinal(ctx, digest, &md5_size); 426 EVP_MD_CTX_free(ctx); 427 #elif CRYPTO_INTERNAL 428 memset(&ctx, 0, sizeof(ctx)); 429 MD5Init(&ctx);
CID 1482211: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "ntohs(ospfh->length)" to a tainted sink. Reviewer note: this is the transmit side — ospfh->length is filled in by this router when the packet is built, so there is no external taint and the report is almost certainly a false positive. The only way it is real is if ibuf is smaller than the length stored in the header; the stream sizing is outside the excerpt, so confirm ospfh->length was set from the stream's actual end pointer and then mark the finding intentional.
430 MD5Update(&ctx, ibuf, ntohs(ospfh->length)); 431 MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE); 432 MD5Final(digest, &ctx); 433 #endif 434 435 /* Append md5 digest to the end of the stream. */
** CID 1482210: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_vty.c: 6286 in show_network_lsa_detail() ________________________________________________________________________________________________________ *** CID 1482210: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_vty.c: 6286 in show_network_lsa_detail() 6280 else 6281 json_object_int_add(json, "networkMask", 6282 ip_masklen(nl->mask)); 6283 6284 length = ntohs(lsa->data->length) - OSPF_LSA_HEADER_SIZE - 4; 6285
CID 1482210: Insecure data handling (TAINTED_SCALAR) Using tainted variable "length" as a loop boundary. Reviewer note: this one is worth fixing. length is derived from the LSA length on the wire (line 6284) and the loop reads one 4-byte router ID per iteration for as long as length is positive. If length's declared type (not shown) is unsigned, an LSA shorter than 24 bytes underflows and the loop walks far past the LSA; if it is signed, a length that is not a multiple of 4 still reads a full 4-byte entry past the end on the last iteration. Either way, `for (i = 0; length >= 4; i++, length -= 4)` with length as a signed int (or an explicit `length < 0` reject before the loop) confines the reads to whole entries inside the LSA.
6286 for (i = 0; length > 0; i++, length -= 4) 6287 if (!json) { 6288 vty_out(vty, " Attached Router: %pI4\n", 6289 &nl->routers[i]); 6290 vty_out(vty, "\n"); 6291 } else {
** CID 1482203: (TAINTED_SCALAR) /ospfd/ospf_api.c: 422 in msg_write() ________________________________________________________________________________________________________ *** CID 1482203: (TAINTED_SCALAR) /ospfd/ospf_api.c: 425 in msg_write() 419 420 /* Make contiguous memory buffer for message */ 421 memcpy(buf, &msg->hdr, sizeof(struct apimsghdr)); 422 memcpy(buf + sizeof(struct apimsghdr), STREAM_DATA(msg->s), 423 ntohs(msg->hdr.msglen)); 424
CID 1482203: (TAINTED_SCALAR) Passing tainted variable "l" to a tainted sink. Reviewer note: l is sizeof(struct apimsghdr) + ntohs(msg->hdr.msglen), so this write sends up to 65535 bytes plus the header from buf. The write itself is only wrong if buf (declared above the excerpt) is smaller than that maximum — and in that case the memcpy on lines 422-423 has already overflowed it before writen runs. Verify buf's size against the maximum message length, or bound msglen before the copy, and the sink here becomes moot.
425 wlen = writen(fd, buf, l); 426 if (wlen < 0) { 427 zlog_warn("msg_write: writen %s", safe_strerror(errno)); 428 return -1; 429 } else if (wlen == 0) { 430 zlog_warn("msg_write: Connection closed by peer"); /ospfd/ospf_api.c: 422 in msg_write() 416 417 /* Length of message including header */ 418 l = sizeof(struct apimsghdr) + ntohs(msg->hdr.msglen); 419 420 /* Make contiguous memory buffer for message */ 421 memcpy(buf, &msg->hdr, sizeof(struct apimsghdr));
CID 1482203: (TAINTED_SCALAR) Passing tainted variable "ntohs(msg->hdr.msglen)" to a tainted sink. Reviewer note: msglen is a 16-bit wire field, so this memcpy can write up to 65535 bytes after the header into buf. It is safe only if buf (declared above the excerpt) is at least sizeof(struct apimsghdr) + 65535 bytes and msg->s actually holds msglen bytes. On the ospfd side the message is built locally, but this file also appears to be shared with the API client library, where msg can reflect data from the peer; comparing msglen with the stream's content length (e.g. stream_get_endp(msg->s)) before the copy, and asserting buf's size against the maximum, closes the gap regardless of which side is running.
422 memcpy(buf + sizeof(struct apimsghdr), STREAM_DATA(msg->s), 423 ntohs(msg->hdr.msglen)); 424 425 wlen = writen(fd, buf, l); 426 if (wlen < 0) { 427 zlog_warn("msg_write: writen %s", safe_strerror(errno));