New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 6 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 6 of 6 defect(s) ** CID 1501748: Insecure data handling (TAINTED_SCALAR) /bgpd/bgp_mplsvpn_snmp.c: 1162 in mplsL3vpnVrfRtTable() ________________________________________________________________________________________________________ *** CID 1501748: Insecure data handling (TAINTED_SCALAR) /bgpd/bgp_mplsvpn_snmp.c: 1162 in mplsL3vpnVrfRtTable() 1156 .rtlist[BGP_VPN_POLICY_DIR_FROMVPN], 1157 ECOMMUNITY_FORMAT_ROUTE_MAP, 1158 ECOMMUNITY_ROUTE_TARGET); 1159 break; 1160 case MPLSVPNVRFRTTYPEEXPORT: 1161 case MPLSVPNVRFRTTYPEBOTH:
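CID 1501748: Insecure data handling (TAINTED_SCALAR) Using tainted variable "rt_index" as an index into an array "l3vpn_bgp->vpn_policy". The excerpt shows no range check between the point where "rt_index" is obtained and its use on line 1163. If the value comes from the SNMP request, as the taint classification implies, it has to be checked against the number of elements in "vpn_policy" before the access; otherwise the read can land outside the array.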
1162 rt_b = ecommunity_ecom2str( 1163 l3vpn_bgp->vpn_policy[rt_index] 1164 .rtlist[BGP_VPN_POLICY_DIR_TOVPN], 1165 ECOMMUNITY_FORMAT_ROUTE_MAP, 1166 ECOMMUNITY_ROUTE_TARGET); 1167 break;
** CID 1501747: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /bgpd/bgp_mplsvpn_snmp.c: 1033 in bgpL3vpnVrfRt_lookup() ________________________________________________________________________________________________________ *** CID 1501747: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /bgpd/bgp_mplsvpn_snmp.c: 1033 in bgpL3vpnVrfRt_lookup() 1027 l3vpn_bgp = bgp_lookup_by_name(vrf_name); 1028 if (l3vpn_bgp && !is_bgp_vrf_mplsvpn(l3vpn_bgp)) 1029 return NULL; 1030 if (!l3vpn_bgp) 1031 return NULL; 1032 /* check the index and type match up */
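CID 1501747: Integer handling issues (CONSTANT_EXPRESSION_RESULT) The "or" condition "*rt_index != AFI_IP || *rt_index != AFI_IP6" will always be true because "*rt_index" cannot be equal to two different values at the same time, so it must be not equal to at least one of them. In effect line 1033 returns NULL for every value of "*rt_index", so the lookup can never succeed and the code after it is unreachable. The test was presumably meant to use "&&", i.e. (*rt_index != AFI_IP) && (*rt_index != AFI_IP6), which would reject everything except the two supported values before "*rt_index" is used as an array index on line 1036.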
1033 if ((*rt_index != AFI_IP) || (*rt_index != AFI_IP6)) 1034 return NULL; 1035 /* do we have RT config */ 1036 if (!(l3vpn_bgp->vpn_policy[*rt_index] 1037 .rtlist[BGP_VPN_POLICY_DIR_FROMVPN] 1038 || l3vpn_bgp->vpn_policy[*rt_index]
** CID 1501746: Null pointer dereferences (REVERSE_INULL) /bgpd/bgp_mplsvpn_snmp.c: 1461 in bgpL3vpnRte_lookup() ________________________________________________________________________________________________________ *** CID 1501746: Null pointer dereferences (REVERSE_INULL) /bgpd/bgp_mplsvpn_snmp.c: 1461 in bgpL3vpnRte_lookup() 1455 if (str_len == 0) { 1456 *l3vpn_bgp = bgp_lookup_by_name_next(vrf_name); 1457 } else 1458 /* otherwise lookup the one we have */ 1459 *l3vpn_bgp = bgp_lookup_by_name(vrf_name); 1460
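CID 1501746: Null pointer dereferences (REVERSE_INULL) Null-checking "l3vpn_bgp" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. The pointer tested on line 1461 is the outer pointer "l3vpn_bgp", which lines 1456 and 1459 have already written through. The value that can be NULL is the lookup result stored in "*l3vpn_bgp", so the check presumably should test "*l3vpn_bgp" instead.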
1461 if (l3vpn_bgp == NULL) 1462 return NULL; 1463 1464 pi = bgp_lookup_route_next(l3vpn_bgp, dest, &prefix, policy, 1465 &nexthop); 1466 if (pi) {
** CID 1501745: (TAINTED_SCALAR) /bgpd/bgp_mplsvpn_snmp.c: 1088 in bgpL3vpnVrfRt_lookup() /bgpd/bgp_mplsvpn_snmp.c: 1075 in bgpL3vpnVrfRt_lookup() /bgpd/bgp_mplsvpn_snmp.c: 1078 in bgpL3vpnVrfRt_lookup() ________________________________________________________________________________________________________ *** CID 1501745: (TAINTED_SCALAR) /bgpd/bgp_mplsvpn_snmp.c: 1088 in bgpL3vpnVrfRt_lookup() 1082 && !import) 1083 continue; 1084 if (*rt_type == MPLSVPNVRFRTTYPEEXPORT 1085 && !export) 1086 continue; 1087 /* ckeck for both */
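CID 1501745: (TAINTED_SCALAR) Using tainted variable "*rt_index" as an index into an array "l3vpn_bgp->vpn_policy". The same "*rt_index" is used at all three reported locations (lines 1075, 1078 and 1088), so one effective range check at the start of bgpL3vpnVrfRt_lookup() would cover them. The check on line 1033 looks like the intended guard, but CID 1501747 in this report shows its condition is malformed; a corrected check that admits only AFI_IP and AFI_IP6 would bound the index here, provided both values are valid indices for "vpn_policy".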
1088 if (*rt_type == MPLSVPNVRFRTTYPEIMPORT && import 1089 && export 1090 && ecommunity_cmp( 1091 l3vpn_bgp->vpn_policy[*rt_index].rtlist 1092 [BGP_VPN_POLICY_DIR_FROMVPN], 1093 l3vpn_bgp->vpn_policy[*rt_index].rtlist /bgpd/bgp_mplsvpn_snmp.c: 1075 in bgpL3vpnVrfRt_lookup() 1069 *rt_type = 0; 1070 break; 1071 } 1072 if (*rt_type) { 1073 bool import, export; 1074
CID 1501745: (TAINTED_SCALAR) Using tainted variable "*rt_index" as an index into an array "l3vpn_bgp->vpn_policy".
1075 import = 1076 (!!l3vpn_bgp->vpn_policy[*rt_index].rtlist 1077 [BGP_VPN_POLICY_DIR_FROMVPN]); 1078 export = 1079 (!!l3vpn_bgp->vpn_policy[*rt_index].rtlist 1080 [BGP_VPN_POLICY_DIR_TOVPN]); /bgpd/bgp_mplsvpn_snmp.c: 1078 in bgpL3vpnVrfRt_lookup() 1072 if (*rt_type) { 1073 bool import, export; 1074 1075 import = 1076 (!!l3vpn_bgp->vpn_policy[*rt_index].rtlist 1077 [BGP_VPN_POLICY_DIR_FROMVPN]);
CID 1501745: (TAINTED_SCALAR) Using tainted variable "*rt_index" as an index into an array "l3vpn_bgp->vpn_policy".
1078 export = 1079 (!!l3vpn_bgp->vpn_policy[*rt_index].rtlist 1080 [BGP_VPN_POLICY_DIR_TOVPN]); 1081 if (*rt_type == MPLSVPNVRFRTTYPEIMPORT 1082 && !import) 1083 continue;
** CID 1501744: Null pointer dereferences (NULL_RETURNS) ________________________________________________________________________________________________________ *** CID 1501744: Null pointer dereferences (NULL_RETURNS) /bgpd/bgp_mplsvpn_snmp.c: 1464 in bgpL3vpnRte_lookup() 1458 /* otherwise lookup the one we have */ 1459 *l3vpn_bgp = bgp_lookup_by_name(vrf_name); 1460 1461 if (l3vpn_bgp == NULL) 1462 return NULL; 1463
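CID 1501744: Null pointer dereferences (NULL_RETURNS) Dereferencing a pointer that might be "NULL" "*l3vpn_bgp" when calling "bgp_lookup_route_next". This follows from the misplaced check reported as CID 1501746: line 1461 tests "l3vpn_bgp" rather than "*l3vpn_bgp", so a failed bgp_lookup_by_name() or bgp_lookup_by_name_next() is not caught before the result is used on line 1464 and, when a route is found, on line 1468.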
1464 pi = bgp_lookup_route_next(l3vpn_bgp, dest, &prefix, policy, 1465 &nexthop); 1466 if (pi) { 1467 uint8_t vrf_name_len = 1468 strnlen((*l3vpn_bgp)->name, VRF_NAMSIZ); 1469 const struct prefix *p = bgp_dest_get_prefix(*dest);
** CID 1501743: (OVERRUN) ________________________________________________________________________________________________________ *** CID 1501743: (OVERRUN) /bgpd/bgp_mplsvpn_snmp.c: 1411 in bgpL3vpnRte_lookup() 1405 oid2in_addr(&name[i], sizeof(struct in_addr), 1406 &prefix.u.prefix4); 1407 i += sizeof(struct in_addr); 1408 break; 1409 case INETADDRESSTYPEIPV6: 1410 prefix.family = AF_INET6;
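CID 1501743: (OVERRUN) Overrunning struct type in_addr of 4 bytes by passing it to a function which accesses it at byte offset 15 using argument "16". In both IPv6 branches (lines 1411 and 1434) the length passed is sizeof(struct in6_addr) while the destination is the IPv4 member ("prefix.u.prefix4", "nexthop.ip._v4_addr"), and the "/* sic */" comments indicate the mismatch is known. If these members sit in a union with an IPv6-sized sibling, as the field names suggest, the 16-byte write probably stays inside the enclosing object. Passing the IPv6 member would still make the declared size match the length and remove the dependence on union layout.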
1411 oid2in_addr(&name[i], sizeof(struct in6_addr), 1412 &prefix.u.prefix4); /* sic */ 1413 i += sizeof(struct in6_addr); 1414 break; 1415 } 1416 prefix.prefixlen = (uint8_t)name[i++]; /bgpd/bgp_mplsvpn_snmp.c: 1434 in bgpL3vpnRte_lookup() 1428 oid2in_addr(&name[i], sizeof(struct in_addr), 1429 &nexthop.ip._v4_addr); 1430 i += sizeof(struct in_addr); 1431 break; 1432 case INETADDRESSTYPEIPV6: 1433 nexthop.ipa_type = IPADDR_V6;
CID 1501743: (OVERRUN) Overrunning struct type in_addr of 4 bytes by passing it to a function which accesses it at byte offset 15 using argument "16".
1434 oid2in_addr(&name[i], sizeof(struct in6_addr), 1435 &nexthop.ip._v4_addr); /* sic */ 1436 i += sizeof(struct in6_addr); 1437 break; 1438 } 1439 } /bgpd/bgp_mplsvpn_snmp.c: 1482 in bgpL3vpnRte_lookup() 1476 /* copy the index parameters */ 1477 oid_copy_str(&name[namelen], (*l3vpn_bgp)->name, 1478 vrf_name_len); 1479 oid_index = namelen + vrf_name_len; 1480 name[oid_index++] = 1481 v4 ? INETADDRESSTYPEIPV4 : INETADDRESSTYPEIPV6;
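CID 1501743: (OVERRUN) Overrunning struct type in_addr of 4 bytes by passing it to a function which accesses it at byte offset 15 using argument "addr_len" (which evaluates to 16). Here the mismatch is on the read side: when "addr_len" is 16, oid_copy_addr() reads 16 bytes starting at the 4-byte member "p->u.prefix4". Selecting the source member according to the address family would keep the read within the declared type.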
1482 oid_copy_addr(&name[oid_index], &p->u.prefix4, 1483 addr_len); 1484 oid_index += addr_len; 1485 name[oid_index++] = p->prefixlen; 1486 name[oid_index++] = *policy >> 8; 1487 name[oid_index++] = *policy & 0xff;
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...