New Defects reported by Coverity Scan for freerangerouting/frr
Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

4 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)

** CID 1497888: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 615 in ospf_apiclient_handle_lsa_delete()

________________________________________________________________________________________________________
*** CID 1497888: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 615 in ospf_apiclient_handle_lsa_delete()
609             "%s: message received size: %d is greater than a LSA size: %d",
610             __func__, lsalen, OSPF_MAX_LSA_SIZE);
611         return;
612     }
613     lsa = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
614
CID 1497888: Memory - corruptions (OVERRUN)
Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500).
615     memcpy(lsa, &(cn->data), lsalen);
616
617     /* Invoke registered update callback function */
618     if (oclient->delete_notify) {
619         (oclient->delete_notify)(cn->ifaddr, cn->area_id,
620                                  cn->is_self_originated, lsa);

** CID 1497887: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 205 in ospf_extract_grace_lsa_fields()

________________________________________________________________________________________________________
*** CID 1497887: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 205 in ospf_extract_grace_lsa_fields()
199     int sum = 0;
200
201     lsah = (struct lsa_header *)lsa->data;
202
203     length = ntohs(lsah->length) - OSPF_LSA_HEADER_SIZE;
204
CID 1497887: Insecure data handling (TAINTED_SCALAR)
Using tainted variable "length" as a loop boundary.
205     for (tlvh = TLV_HDR_TOP(lsah); sum < length;
206          tlvh = TLV_HDR_NEXT(tlvh)) {
207         switch (ntohs(tlvh->type)) {
208         case GRACE_PERIOD_TYPE:
209             grace_period = (struct grace_tlv_graceperiod *)tlvh;
210             *interval = ntohl(grace_period->interval);

** CID 1497886: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 583 in ospf_apiclient_handle_lsa_update()

________________________________________________________________________________________________________
*** CID 1497886: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 583 in ospf_apiclient_handle_lsa_update()
577             "%s: message received size: %d is greater than a LSA size: %d",
578             __func__, lsalen, OSPF_MAX_LSA_SIZE);
579         return;
580     }
581     lsa = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
582
CID 1497886: Memory - corruptions (OVERRUN)
Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500).
583     memcpy(lsa, &(cn->data), lsalen);
584
585     /* Invoke registered update callback function */
586     if (oclient->update_notify) {
587         (oclient->update_notify)(cn->ifaddr, cn->area_id,
588                                  cn->is_self_originated, lsa);

** CID 1497885: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 936 in show_ospf_grace_lsa_info()

________________________________________________________________________________________________________
*** CID 1497885: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 936 in show_ospf_grace_lsa_info()
930     lsah = (struct lsa_header *)lsa->data;
931
932     length = ntohs(lsah->length) - OSPF_LSA_HEADER_SIZE;
933
934     vty_out(vty, " TLV info:\n");
935
CID 1497885: Insecure data handling (TAINTED_SCALAR)
Using tainted variable "length" as a loop boundary.
936     for (tlvh = TLV_HDR_TOP(lsah); sum < length;
937          tlvh = TLV_HDR_NEXT(tlvh)) {
938         switch (ntohs(tlvh->type)) {
939         case GRACE_PERIOD_TYPE:
940             gracePeriod = (struct grace_tlv_graceperiod *)tlvh;
941             sum += TLV_SIZE(tlvh);

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...

scan-admin@coverity.com