New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 3 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 3 of 3 defect(s) ** CID 1570969: (OVERRUN) /bgpd/bgp_snmp_bgp4v2.c: 534 in bgp4v2PathAttrLookup() /bgpd/bgp_snmp_bgp4v2.c: 575 in bgp4v2PathAttrLookup() /bgpd/bgp_snmp_bgp4v2.c: 514 in bgp4v2PathAttrLookup() ________________________________________________________________________________________________________ *** CID 1570969: (OVERRUN) /bgpd/bgp_snmp_bgp4v2.c: 534 in bgp4v2PathAttrLookup() 528 /* Set OID offset for prefix type */ 529 offset = name + namelen; 530 offsetlen = *length - namelen; 531 len = offsetlen; 532 533 if (offsetlen == 0) {
CID 1570969: (OVERRUN) Overrunning array "bgp->rib" of 4 64-byte elements at element index 4 (byte offset 319) using index "afi" (which evaluates to 4).
534 dest = bgp_table_top(bgp->rib[afi][SAFI_UNICAST]); 535 safi = SAFI_UNICAST; 536 } else { 537 538 /* bgp4V2NlriAfi is already get */ 539 /* it is comming from the name parameter */ /bgpd/bgp_snmp_bgp4v2.c: 575 in bgp4v2PathAttrLookup() 569 addr->prefixlen = afi_len * 8; 570 571 offset++; 572 offsetlen--; 573 574 /* get node */
CID 1570969: (OVERRUN) Overrunning array "bgp->rib" of 4 64-byte elements at element index 4 (byte offset 319) using index "afi" (which evaluates to 4).
575 dest = bgp_node_get(bgp->rib[afi][safi], addr); 576 } 577 578 if (!dest) 579 return NULL; 580 /bgpd/bgp_snmp_bgp4v2.c: 514 in bgp4v2PathAttrLookup() 508 else 509 oid2in6_addr(offset, &su.sin6.sin6_addr); 510 511 /* bgp4V2NlriIndex currently ignored */ 512 513 /* Lookup node */
CID 1570969: (OVERRUN) Overrunning array "bgp->rib" of 4 64-byte elements at element index 4 (byte offset 319) using index "afi" (which evaluates to 4).
514 dest = bgp_node_lookup(bgp->rib[afi][safi], addr); 515 if (dest) { 516 for (path = bgp_dest_get_bgp_path_info(dest); path; 517 path = path->next) 518 if (sockunion_same(&path->peer->connection->su, 519 &su))
** CID 1570968: Memory - corruptions (OVERRUN) /bgpd/bgp_snmp_bgp4v2.c: 605 in bgp4v2PathAttrLookup() ________________________________________________________________________________________________________ *** CID 1570968: Memory - corruptions (OVERRUN) /bgpd/bgp_snmp_bgp4v2.c: 605 in bgp4v2PathAttrLookup() 599 } else { 600 /* default case start with ipv4*/ 601 if (afi == AFI_IP) 602 family = AF_INET; 603 else 604 family = AF_INET6;
CID 1570968: Memory - corruptions (OVERRUN) Overrunning struct type in_addr of 4 bytes by passing it to a function which accesses it at byte offset 15 using argument "16UL".
605 memset(&paddr.ip._v4_addr, 0, sizeof(paddr.ip)); 606 } 607 608 do { 609 min = NULL; 610 min_family = 0;
** CID 1570967: (SIZEOF_MISMATCH) /bgpd/bgp_snmp_bgp4v2.c: 702 in bgp4v2PathAttrLookup() /bgpd/bgp_snmp_bgp4v2.c: 483 in bgp4v2PathAttrLookup() /bgpd/bgp_snmp_bgp4v2.c: 561 in bgp4v2PathAttrLookup() /bgpd/bgp_snmp_bgp4v2.c: 695 in bgp4v2PathAttrLookup() /bgpd/bgp_snmp_bgp4v2.c: 682 in bgp4v2PathAttrLookup() /bgpd/bgp_snmp_bgp4v2.c: 487 in bgp4v2PathAttrLookup() /bgpd/bgp_snmp_bgp4v2.c: 677 in bgp4v2PathAttrLookup() /bgpd/bgp_snmp_bgp4v2.c: 556 in bgp4v2PathAttrLookup() ________________________________________________________________________________________________________ *** CID 1570967: (SIZEOF_MISMATCH) /bgpd/bgp_snmp_bgp4v2.c: 702 in bgp4v2PathAttrLookup() 696 addr->u.prefix4 = rn_p->u.prefix4; 697 } else { 698 *offset = IANA_AFI_IPV6; 699 offset++; 700 oid_copy_in6_addr( 701 offset, &min->peer->connection->su.sin6.sin6_addr);
CID 1570967: (SIZEOF_MISMATCH) Adding "16UL /* sizeof (struct in6_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in6_addr)" is extraneous and should be replaced with 1.
702 offset += IN6_ADDR_SIZE; 703 addr->u.prefix6 = rn_p->u.prefix6; 704 } 705 706 /* Encode bgp4V2NlriIndex*/ 707 /bgpd/bgp_snmp_bgp4v2.c: 483 in bgp4v2PathAttrLookup() 477 offset++; 478 479 /* get bgp4V2NlriPrefix */ 480 if (prefix_type == IANA_AFI_IPV4) { 481 oid2in_addr(offset, IN_ADDR_SIZE, &addr->u.prefix4); 482 addr->family = AF_INET;
CID 1570967: (SIZEOF_MISMATCH) Adding "4UL /* sizeof (struct in_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in_addr)" is extraneous and should be replaced with 1.
483 offset += IN_ADDR_SIZE; 484 } else if (prefix_type == IANA_AFI_IPV6) { 485 oid2in6_addr(offset, &addr->u.prefix6); 486 addr->family = AF_INET6; 487 offset += IN6_ADDR_SIZE; 488 } /bgpd/bgp_snmp_bgp4v2.c: 561 in bgp4v2PathAttrLookup() 555 addr->family = AF_INET; 556 offset += IN_ADDR_SIZE; 557 offsetlen -= IN_ADDR_SIZE; 558 } else if (prefix_type == IANA_AFI_IPV6) { 559 oid2in6_addr(offset, &addr->u.prefix6); 560 addr->family = AF_INET6;
CID 1570967: (SIZEOF_MISMATCH) Adding "16UL /* sizeof (struct in6_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in6_addr)" is extraneous and should be replaced with 1.
561 offset += IN6_ADDR_SIZE; 562 offsetlen -= IN6_ADDR_SIZE; 563 } 564 565 /* get bgp4V2NlriPrefixLen */ 566 if (offsetlen > 0) /bgpd/bgp_snmp_bgp4v2.c: 695 in bgp4v2PathAttrLookup() 689 /* Encode bgp4V2PeerRemoteAddr */ 690 if (min_family == AF_INET) { 691 *offset = IANA_AFI_IPV4; 692 offset++; 693 oid_copy_in_addr(offset, 694 &min->peer->connection->su.sin.sin_addr);
CID 1570967: (SIZEOF_MISMATCH) Adding "4UL /* sizeof (struct in_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in_addr)" is extraneous and should be replaced with 1.
695 offset += IN_ADDR_SIZE; 696 addr->u.prefix4 = rn_p->u.prefix4; 697 } else { 698 *offset = IANA_AFI_IPV6; 699 offset++; 700 oid_copy_in6_addr( /bgpd/bgp_snmp_bgp4v2.c: 682 in bgp4v2PathAttrLookup() 676 oid_copy_in_addr(offset, &rn_p->u.prefix4); 677 offset += IN_ADDR_SIZE; 678 } else { 679 *offset = IANA_AFI_IPV6; 680 offset++; 681 oid_copy_in6_addr(offset, &rn_p->u.prefix6);
CID 1570967: (SIZEOF_MISMATCH) Adding "16UL /* sizeof (struct in6_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in6_addr)" is extraneous and should be replaced with 1.
682 offset += IN6_ADDR_SIZE; 683 } 684 /* encode bgp4V2NlriPrefixLen into index*/ 685 *offset = rn_p->prefixlen; 686 offset++; 687 /bgpd/bgp_snmp_bgp4v2.c: 487 in bgp4v2PathAttrLookup() 481 oid2in_addr(offset, IN_ADDR_SIZE, &addr->u.prefix4); 482 addr->family = AF_INET; 483 offset += IN_ADDR_SIZE; 484 } else if (prefix_type == IANA_AFI_IPV6) { 485 oid2in6_addr(offset, &addr->u.prefix6); 486 addr->family = AF_INET6;
CID 1570967: (SIZEOF_MISMATCH) Adding "16UL /* sizeof (struct in6_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in6_addr)" is extraneous and should be replaced with 1.
487 offset += IN6_ADDR_SIZE; 488 } 489 490 /* get bgp4V2NlriPrefixLen */ 491 addr->prefixlen = *offset; 492 offset++; /bgpd/bgp_snmp_bgp4v2.c: 677 in bgp4v2PathAttrLookup() 671 /* encode bgp4V2NlriPrefixType into index*/ 672 /* encode bgp4V2NlriPrefix into index */ 673 if (rn_p->family == AF_INET) { 674 *offset = IANA_AFI_IPV4; 675 offset++; 676 oid_copy_in_addr(offset, &rn_p->u.prefix4);
CID 1570967: (SIZEOF_MISMATCH) Adding "4UL /* sizeof (struct in_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in_addr)" is extraneous and should be replaced with 1.
677 offset += IN_ADDR_SIZE; 678 } else { 679 *offset = IANA_AFI_IPV6; 680 offset++; 681 oid_copy_in6_addr(offset, &rn_p->u.prefix6); 682 offset += IN6_ADDR_SIZE; /bgpd/bgp_snmp_bgp4v2.c: 556 in bgp4v2PathAttrLookup() 550 prefix_type = *offset; 551 offset++; 552 /* get bgp4V2NlriPrefix */ 553 if (prefix_type == IANA_AFI_IPV4) { 554 oid2in_addr(offset, IN_ADDR_SIZE, &addr->u.prefix4); 555 addr->family = AF_INET;
CID 1570967: (SIZEOF_MISMATCH) Adding "4UL /* sizeof (struct in_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in_addr)" is extraneous and should be replaced with 1.
556 offset += IN_ADDR_SIZE; 557 offsetlen -= IN_ADDR_SIZE; 558 } else if (prefix_type == IANA_AFI_IPV6) { 559 oid2in6_addr(offset, &addr->u.prefix6); 560 addr->family = AF_INET6; 561 offset += IN6_ADDR_SIZE;
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...