[frr] New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 13 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 13 of 13 defect(s) ** CID 1416033: (STRING_OVERFLOW) /lib/libfrr.c: 53 in opt_extend() /lib/libfrr.c: 54 in opt_extend() ________________________________________________________________________________________________________ *** CID 1416033: (STRING_OVERFLOW) /lib/libfrr.c: 53 in opt_extend() 47 }; 48 49 static void opt_extend(const struct optspec *os) 50 { 51 const struct option *lo; 52
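CID 1416033: (STRING_OVERFLOW) Note: This defect has an elevated risk because the source argument is a parameter of the current function. Neither strcat() call on lines 53-54 checks how much space remains in comb_optstr or comb_helpstr (the sizes of those buffers are not shown in this excerpt), so the total length of everything appended is limited only by what callers pass in.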
53 strcat(comb_optstr, os->optstr); 54 strcat(comb_helpstr, os->helpstr); 55 for (lo = os->longopts; lo->name; lo++) 56 memcpy(comb_next_lo++, lo, sizeof(*lo)); 57 } 58 /lib/libfrr.c: 54 in opt_extend() 48 49 static void opt_extend(const struct optspec *os) 50 { 51 const struct option *lo; 52 53 strcat(comb_optstr, os->optstr);
CID 1416033: (STRING_OVERFLOW) Note: This defect has an elevated risk because the source argument is a parameter of the current function.
54 strcat(comb_helpstr, os->helpstr); 55 for (lo = os->longopts; lo->name; lo++) 56 memcpy(comb_next_lo++, lo, sizeof(*lo)); 57 } 58 59
** CID 1416032: Security best practices violations (STRING_OVERFLOW) /nhrpd/vici.c: 471 in sock_open_unix() ________________________________________________________________________________________________________ *** CID 1416032: Security best practices violations (STRING_OVERFLOW) /nhrpd/vici.c: 471 in sock_open_unix() 465 fd = socket(AF_UNIX, SOCK_STREAM, 0); 466 if (fd < 0) 467 return -1; 468 469 memset(&addr, 0, sizeof (struct sockaddr_un)); 470 addr.sun_family = AF_UNIX;
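CID 1416032: Security best practices violations (STRING_OVERFLOW) Note: This defect has an elevated risk because the source argument is a parameter of the current function. The strncpy() on line 471 is bounded by strlen(path), the length of the source, not by sizeof(addr.sun_path), so the bound does not stop a long path from being written past the end of the destination. The copy also never writes a terminating NUL; the string is terminated only by the memset() on line 469, and only when path fits.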
471 strncpy(addr.sun_path, path, strlen (path)); 472 473 ret = connect(fd, (struct sockaddr *) &addr, sizeof(addr.sun_family) + strlen(addr.sun_path)); 474 if (ret < 0) { 475 close(fd); 476 return -1;
** CID 1416031: Memory - illegal accesses (OVERRUN) /nhrpd/nhrp_peer.c: 782 in nhrp_peer_recv() ________________________________________________________________________________________________________ *** CID 1416031: Memory - illegal accesses (OVERRUN) /nhrpd/nhrp_peer.c: 782 in nhrp_peer_recv() 776 pp.ifp = ifp; 777 pp.pkt = zb; 778 pp.hdr = hdr; 779 pp.peer = p; 780 781 afi = htons(hdr->afnum);
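CID 1416031: Memory - illegal accesses (OVERRUN) Overrunning array "packet_types" of 9 24-byte elements at element index 9 (byte offset 216) using index "hdr->type" (which evaluates to 9). The guard on line 782 compares with ">", so a hdr->type equal to the element count passes the check and is then used as the index on line 785; the comparison needs to be ">=". hdr appears to be the header of the packet being received in nhrp_peer_recv(), so the index would come from packet contents.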
782 if (hdr->type > ZEBRA_NUM_OF(packet_types) || 783 hdr->version != NHRP_VERSION_RFC2332 || 784 afi >= AFI_MAX || 785 packet_types[hdr->type].type == PACKET_UNKNOWN || 786 htons(hdr->packet_size) > realsize) { 787 zlog_info("From %s: error: packet type %d, version %d, AFI %d, size %d (real size %d)",
** CID 1416030: Memory - illegal accesses (OVERRUN) /nhrpd/nhrp_vty.c: 77 in nhrp_vty_return() ________________________________________________________________________________________________________ *** CID 1416030: Memory - illegal accesses (OVERRUN) /nhrpd/nhrp_vty.c: 77 in nhrp_vty_return() 71 char buf[256]; 72 73 if (ret == NHRP_OK) 74 return CMD_SUCCESS; 75 76 if (ret > 0 && ret <= (int)ZEBRA_NUM_OF(errmsgs))
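CID 1416030: Memory - illegal accesses (OVERRUN) Overrunning array "errmsgs" of 8 8-byte elements at element index 8 (byte offset 64) using index "ret" (which evaluates to 8). The range check on line 76 uses "<=", so ret equal to the element count is accepted and line 77 reads one element past the end of the array; the upper bound should be "<".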
77 if (errmsgs[ret]) 78 str = errmsgs[ret]; 79 80 if (!str) { 81 str = buf; 82 snprintf(buf, sizeof(buf), "Unknown error %d", ret);
** CID 1416029: Integer handling issues (NEGATIVE_RETURNS) /nhrpd/netlink_arp.c: 231 in netlink_set_nflog_group() ________________________________________________________________________________________________________ *** CID 1416029: Integer handling issues (NEGATIVE_RETURNS) /nhrpd/netlink_arp.c: 231 in netlink_set_nflog_group() 225 THREAD_OFF(netlink_log_thread); 226 close(netlink_log_fd); 227 netlink_log_fd = -1; 228 } 229 netlink_nflog_group = nlgroup; 230 if (nlgroup) {
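CID 1416029: Integer handling issues (NEGATIVE_RETURNS) Assigning: signed variable "netlink_log_fd" = "znl_open". znl_open() returns -1 when socket() fails (see line 142 of /nhrpd/znl.c in the CID 1416025 excerpt), and lines 232-233 pass netlink_log_fd to netlink_log_register() and THREAD_READ_ON() without first checking for a negative value.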
231 netlink_log_fd = znl_open(NETLINK_NETFILTER, 0); 232 netlink_log_register(netlink_log_fd, nlgroup); 233 THREAD_READ_ON(master, netlink_log_thread, netlink_log_recv, 0, netlink_log_fd); 234 } 235 } 236
** CID 1416028: Control flow issues (MISSING_BREAK) /nhrpd/nhrp_packet.c: 247 in nhrp_ext_reply() ________________________________________________________________________________________________________ *** CID 1416028: Control flow issues (MISSING_BREAK) /nhrpd/nhrp_packet.c: 247 in nhrp_ext_reply() 241 if (!cie) goto err; 242 cie->holding_time = htons(ad->holdtime); 243 break; 244 default: 245 if (type & NHRP_EXTENSION_FLAG_COMPULSORY) 246 goto err;
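CID 1416028: Control flow issues (MISSING_BREAK) The above case falls through to this one. The comment on lines 249-251 ("any non-compulsory that is not explicitly handled, should be just copied") suggests the fall-through from "default:" is intentional; if so, an explicit fall-through comment after line 246 would record that intent.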
247 case NHRP_EXTENSION_FORWARD_TRANSIT_NHS: 248 case NHRP_EXTENSION_REVERSE_TRANSIT_NHS: 249 /* Supported compulsory extensions, and any 250 * non-compulsory that is not explicitly handled, 251 * should be just copied. */ 252 zbuf_copy(zb, extpayload, zbuf_used(extpayload));
** CID 1416027: Control flow issues (MISSING_BREAK) /nhrpd/nhrp_peer.c: 689 in nhrp_peer_forward() ________________________________________________________________________________________________________ *** CID 1416027: Control flow issues (MISSING_BREAK) /nhrpd/nhrp_peer.c: 689 in nhrp_peer_forward() 683 break; 684 default: 685 if (htons(ext->type) & NHRP_EXTENSION_FLAG_COMPULSORY) 686 /* FIXME: RFC says to just copy, but not 687 * append our selves to the transit NHS list */ 688 goto err;
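CID 1416027: Control flow issues (MISSING_BREAK) The above case falls through to this one. The comment on lines 690-692 ("any non-compulsory that is not explicitly handled, should be just copied") suggests the fall-through from "default:" is intentional; if so, an explicit fall-through comment after line 688 would record that intent.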
689 case NHRP_EXTENSION_RESPONDER_ADDRESS: 690 /* Supported compulsory extensions, and any 691 * non-compulsory that is not explicitly handled, 692 * should be just copied. */ 693 zbuf_copy(zb, &extpl, len); 694 break;
** CID 1416026: Control flow issues (DEADCODE) /nhrpd/vici.c: 363 in vici_submit_request() ________________________________________________________________________________________________________ *** CID 1416026: Control flow issues (DEADCODE) /nhrpd/vici.c: 363 in vici_submit_request() 357 case VICI_KEY_VALUE: 358 vici_zbuf_puts(obuf, va_arg(va, const char *)); 359 len = va_arg(va, size_t); 360 zbuf_put_be16(obuf, len); 361 zbuf_put(obuf, va_arg(va, void *), len); 362 break;
CID 1416026: Control flow issues (DEADCODE) Execution cannot reach this statement: "case VICI_END:".
363 case VICI_END: 364 break; 365 default: 366 break; 367 } 368 }
** CID 1416025: (CHECKED_RETURN) /nhrpd/znl.c: 144 in znl_open() /nhrpd/znl.c: 145 in znl_open() ________________________________________________________________________________________________________ *** CID 1416025: (CHECKED_RETURN) /nhrpd/znl.c: 144 in znl_open() 138 int fd, buf = 128 * 1024; 139 140 fd = socket(AF_NETLINK, SOCK_RAW, protocol); 141 if (fd < 0) 142 return -1; 143
CID 1416025: (CHECKED_RETURN) Calling "fcntl(fd, 4, fcntl(fd, 3, 0) | 0x800)" without checking return value. This library function may fail and return an error code.
144 fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK); 145 fcntl(fd, F_SETFD, FD_CLOEXEC); 146 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &buf, sizeof(buf)) < 0) 147 goto error; 148 149 memset(&addr, 0, sizeof(addr)); /nhrpd/znl.c: 145 in znl_open() 139 140 fd = socket(AF_NETLINK, SOCK_RAW, protocol); 141 if (fd < 0) 142 return -1; 143 144 fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
CID 1416025: (CHECKED_RETURN) Calling "fcntl(fd, 2, 1)" without checking return value. This library function may fail and return an error code.
145 fcntl(fd, F_SETFD, FD_CLOEXEC); 146 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &buf, sizeof(buf)) < 0) 147 goto error; 148 149 memset(&addr, 0, sizeof(addr)); 150 addr.nl_family = AF_NETLINK;
** CID 1416024: (CHECKED_RETURN) /nhrpd/nhrp_event.c: 62 in evmgr_recv_message() /nhrpd/nhrp_event.c: 63 in evmgr_recv_message() ________________________________________________________________________________________________________ *** CID 1416024: (CHECKED_RETURN) /nhrpd/nhrp_event.c: 62 in evmgr_recv_message() 56 if (len >= sizeof(buf)-1) 57 continue; 58 memcpy(buf, zbuf_pulln(&zl, len), len); 59 buf[len] = 0; 60 61 debugf(NHRP_DEBUG_EVENT, "evmgr: msg: %s", buf);
CID 1416024: (CHECKED_RETURN) Calling "sscanf" without checking return value (as is done elsewhere 30 out of 35 times).
62 sscanf(buf, "eventid=%d", &eventid); 63 sscanf(buf, "result=%63s", result); 64 } 65 debugf(NHRP_DEBUG_EVENT, "evmgr: received: eventid=%d result=%s", eventid, result); 66 if (eventid && result[0]) { 67 struct nhrp_reqid *r = nhrp_reqid_lookup(&nhrp_event_reqid, eventid); /nhrpd/nhrp_event.c: 63 in evmgr_recv_message() 57 continue; 58 memcpy(buf, zbuf_pulln(&zl, len), len); 59 buf[len] = 0; 60 61 debugf(NHRP_DEBUG_EVENT, "evmgr: msg: %s", buf); 62 sscanf(buf, "eventid=%d", &eventid);
CID 1416024: (CHECKED_RETURN) Calling "sscanf" without checking return value (as is done elsewhere 30 out of 35 times).
63 sscanf(buf, "result=%63s", result); 64 } 65 debugf(NHRP_DEBUG_EVENT, "evmgr: received: eventid=%d result=%s", eventid, result); 66 if (eventid && result[0]) { 67 struct nhrp_reqid *r = nhrp_reqid_lookup(&nhrp_event_reqid, eventid); 68 if (r) r->cb(r, result);
** CID 1416023: (CHECKED_RETURN) /nhrpd/vici.c: 185 in parse_sa_message() /nhrpd/vici.c: 195 in parse_sa_message() ________________________________________________________________________________________________________ *** CID 1416023: (CHECKED_RETURN) /nhrpd/vici.c: 185 in parse_sa_message() 179 break; 180 default: 181 switch (key->ptr[0]) { 182 case 'l': 183 if (blob_equal(key, "local-host") && ctx->nsections == 1) { 184 if (blob2buf(val, buf, sizeof(buf)))
CID 1416023: (CHECKED_RETURN) Calling "str2sockunion" without checking return value (as is done elsewhere 29 out of 31 times).
185 str2sockunion(buf, &sactx->local.host); 186 } else if (blob_equal(key, "local-id") && ctx->nsections == 1) { 187 sactx->local.id = *val; 188 } else if (blob_equal(key, "local-cert-data") && ctx->nsections == 1) { 189 sactx->local.cert = *val; 190 } /nhrpd/vici.c: 195 in parse_sa_message() 189 sactx->local.cert = *val; 190 } 191 break; 192 case 'r': 193 if (blob_equal(key, "remote-host") && ctx->nsections == 1) { 194 if (blob2buf(val, buf, sizeof(buf)))
CID 1416023: (CHECKED_RETURN) Calling "str2sockunion" without checking return value (as is done elsewhere 29 out of 31 times).
195 str2sockunion(buf, &sactx->remote.host); 196 } else if (blob_equal(key, "remote-id") && ctx->nsections == 1) { 197 sactx->remote.id = *val; 198 } else if (blob_equal(key, "remote-cert-data") && ctx->nsections == 1) { 199 sactx->remote.cert = *val; 200 }
** CID 1416022: Error handling issues (CHECKED_RETURN) /nhrpd/vici.c: 479 in sock_open_unix() ________________________________________________________________________________________________________ *** CID 1416022: Error handling issues (CHECKED_RETURN) /nhrpd/vici.c: 479 in sock_open_unix() 473 ret = connect(fd, (struct sockaddr *) &addr, sizeof(addr.sun_family) + strlen(addr.sun_path)); 474 if (ret < 0) { 475 close(fd); 476 return -1; 477 } 478
CID 1416022: Error handling issues (CHECKED_RETURN) Calling "fcntl(fd, 4, fcntl(fd, 3, 0) | 0x800)" without checking return value. This library function may fail and return an error code.
479 fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK); 480 481 return fd;
** CID 1416021: Memory - illegal accesses (BUFFER_SIZE_WARNING) /nhrpd/linux.c: 108 in linux_configure_arp() ________________________________________________________________________________________________________ *** CID 1416021: Memory - illegal accesses (BUFFER_SIZE_WARNING) /nhrpd/linux.c: 108 in linux_configure_arp() 102 } 103 104 static int linux_configure_arp(const char *iface, int on) 105 { 106 struct ifreq ifr; 107
CID 1416021: Memory - illegal accesses (BUFFER_SIZE_WARNING) Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated.
108 strncpy(ifr.ifr_name, iface, IFNAMSIZ); 109 if (ioctl(nhrp_socket_fd, SIOCGIFFLAGS, &ifr)) 110 return -1; 111 112 if (on) 113 ifr.ifr_flags &= ~IFF_NOARP;