[frr] New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Wed Mar 8 10:30:01 EST 2017
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
13 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 13 of 13 defect(s)
** CID 1416033: (STRING_OVERFLOW)
/lib/libfrr.c: 53 in opt_extend()
/lib/libfrr.c: 54 in opt_extend()
________________________________________________________________________________________________________
*** CID 1416033: (STRING_OVERFLOW)
/lib/libfrr.c: 53 in opt_extend()
47 };
48
49 static void opt_extend(const struct optspec *os)
50 {
51 const struct option *lo;
52
>>> CID 1416033: (STRING_OVERFLOW)
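>>> Note: This defect has an elevated risk because the source argument is a parameter of the current function. (strcat() performs no bounds check, and nothing in this excerpt limits os->optstr or os->helpstr to the space remaining in comb_optstr and comb_helpstr.)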
53 strcat(comb_optstr, os->optstr);
54 strcat(comb_helpstr, os->helpstr);
55 for (lo = os->longopts; lo->name; lo++)
56 memcpy(comb_next_lo++, lo, sizeof(*lo));
57 }
58
/lib/libfrr.c: 54 in opt_extend()
48
49 static void opt_extend(const struct optspec *os)
50 {
51 const struct option *lo;
52
53 strcat(comb_optstr, os->optstr);
>>> CID 1416033: (STRING_OVERFLOW)
>>> Note: This defect has an elevated risk because the source argument is a parameter of the current function.
54 strcat(comb_helpstr, os->helpstr);
55 for (lo = os->longopts; lo->name; lo++)
56 memcpy(comb_next_lo++, lo, sizeof(*lo));
57 }
58
59
** CID 1416032: Security best practices violations (STRING_OVERFLOW)
/nhrpd/vici.c: 471 in sock_open_unix()
________________________________________________________________________________________________________
*** CID 1416032: Security best practices violations (STRING_OVERFLOW)
/nhrpd/vici.c: 471 in sock_open_unix()
465 fd = socket(AF_UNIX, SOCK_STREAM, 0);
466 if (fd < 0)
467 return -1;
468
469 memset(&addr, 0, sizeof (struct sockaddr_un));
470 addr.sun_family = AF_UNIX;
>>> CID 1416032: Security best practices violations (STRING_OVERFLOW)
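>>> Note: This defect has an elevated risk because the source argument is a parameter of the current function. (The length passed to strncpy() on line 471 is strlen(path), the source length, so the copy is not bounded by sizeof(addr.sun_path) and does not write a terminating NUL.)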
471 strncpy(addr.sun_path, path, strlen (path));
472
473 ret = connect(fd, (struct sockaddr *) &addr, sizeof(addr.sun_family) + strlen(addr.sun_path));
474 if (ret < 0) {
475 close(fd);
476 return -1;
** CID 1416031: Memory - illegal accesses (OVERRUN)
/nhrpd/nhrp_peer.c: 782 in nhrp_peer_recv()
________________________________________________________________________________________________________
*** CID 1416031: Memory - illegal accesses (OVERRUN)
/nhrpd/nhrp_peer.c: 782 in nhrp_peer_recv()
776 pp.ifp = ifp;
777 pp.pkt = zb;
778 pp.hdr = hdr;
779 pp.peer = p;
780
781 afi = htons(hdr->afnum);
>>> CID 1416031: Memory - illegal accesses (OVERRUN)
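>>> Overrunning array "packet_types" of 9 24-byte elements at element index 9 (byte offset 216) using index "hdr->type" (which evaluates to 9). (The guard on line 782 compares with `>`, so hdr->type equal to ZEBRA_NUM_OF(packet_types) passes it and is used as the index on line 785; rejecting that value requires `>=`.)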
782 if (hdr->type > ZEBRA_NUM_OF(packet_types) ||
783 hdr->version != NHRP_VERSION_RFC2332 ||
784 afi >= AFI_MAX ||
785 packet_types[hdr->type].type == PACKET_UNKNOWN ||
786 htons(hdr->packet_size) > realsize) {
787 zlog_info("From %s: error: packet type %d, version %d, AFI %d, size %d (real size %d)",
** CID 1416030: Memory - illegal accesses (OVERRUN)
/nhrpd/nhrp_vty.c: 77 in nhrp_vty_return()
________________________________________________________________________________________________________
*** CID 1416030: Memory - illegal accesses (OVERRUN)
/nhrpd/nhrp_vty.c: 77 in nhrp_vty_return()
71 char buf[256];
72
73 if (ret == NHRP_OK)
74 return CMD_SUCCESS;
75
76 if (ret > 0 && ret <= (int)ZEBRA_NUM_OF(errmsgs))
>>> CID 1416030: Memory - illegal accesses (OVERRUN)
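>>> Overrunning array "errmsgs" of 8 8-byte elements at element index 8 (byte offset 64) using index "ret" (which evaluates to 8). (The guard on line 76 compares with `<=`, so ret equal to ZEBRA_NUM_OF(errmsgs) is accepted; a valid index requires `<`.)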
77 if (errmsgs[ret])
78 str = errmsgs[ret];
79
80 if (!str) {
81 str = buf;
82 snprintf(buf, sizeof(buf), "Unknown error %d", ret);
** CID 1416029: Integer handling issues (NEGATIVE_RETURNS)
/nhrpd/netlink_arp.c: 231 in netlink_set_nflog_group()
________________________________________________________________________________________________________
*** CID 1416029: Integer handling issues (NEGATIVE_RETURNS)
/nhrpd/netlink_arp.c: 231 in netlink_set_nflog_group()
225 THREAD_OFF(netlink_log_thread);
226 close(netlink_log_fd);
227 netlink_log_fd = -1;
228 }
229 netlink_nflog_group = nlgroup;
230 if (nlgroup) {
>>> CID 1416029: Integer handling issues (NEGATIVE_RETURNS)
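>>> Assigning: signed variable "netlink_log_fd" = "znl_open". (znl_open() returns -1 when socket() fails, as its excerpt under CID 1416025 shows; lines 232-233 pass the descriptor on without checking for a negative value.)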
231 netlink_log_fd = znl_open(NETLINK_NETFILTER, 0);
232 netlink_log_register(netlink_log_fd, nlgroup);
233 THREAD_READ_ON(master, netlink_log_thread, netlink_log_recv, 0, netlink_log_fd);
234 }
235 }
236
** CID 1416028: Control flow issues (MISSING_BREAK)
/nhrpd/nhrp_packet.c: 247 in nhrp_ext_reply()
________________________________________________________________________________________________________
*** CID 1416028: Control flow issues (MISSING_BREAK)
/nhrpd/nhrp_packet.c: 247 in nhrp_ext_reply()
241 if (!cie) goto err;
242 cie->holding_time = htons(ad->holdtime);
243 break;
244 default:
245 if (type & NHRP_EXTENSION_FLAG_COMPULSORY)
246 goto err;
>>> CID 1416028: Control flow issues (MISSING_BREAK)
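>>> The above case falls through to this one. (The comment on lines 249-251 suggests the fall-through from `default` is intentional for non-compulsory extensions; if so, an explicit fall-through comment after line 246 would document it.)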
247 case NHRP_EXTENSION_FORWARD_TRANSIT_NHS:
248 case NHRP_EXTENSION_REVERSE_TRANSIT_NHS:
249 /* Supported compulsory extensions, and any
250 * non-compulsory that is not explicitly handled,
251 * should be just copied. */
252 zbuf_copy(zb, extpayload, zbuf_used(extpayload));
** CID 1416027: Control flow issues (MISSING_BREAK)
/nhrpd/nhrp_peer.c: 689 in nhrp_peer_forward()
________________________________________________________________________________________________________
*** CID 1416027: Control flow issues (MISSING_BREAK)
/nhrpd/nhrp_peer.c: 689 in nhrp_peer_forward()
683 break;
684 default:
685 if (htons(ext->type) & NHRP_EXTENSION_FLAG_COMPULSORY)
686 /* FIXME: RFC says to just copy, but not
687 * append our selves to the transit NHS list */
688 goto err;
>>> CID 1416027: Control flow issues (MISSING_BREAK)
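>>> The above case falls through to this one. (The comment on lines 690-692 suggests that copying unhandled non-compulsory extensions is the intended behaviour; if so, the fall-through from `default` should be marked explicitly.)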
689 case NHRP_EXTENSION_RESPONDER_ADDRESS:
690 /* Supported compulsory extensions, and any
691 * non-compulsory that is not explicitly handled,
692 * should be just copied. */
693 zbuf_copy(zb, &extpl, len);
694 break;
** CID 1416026: Control flow issues (DEADCODE)
/nhrpd/vici.c: 363 in vici_submit_request()
________________________________________________________________________________________________________
*** CID 1416026: Control flow issues (DEADCODE)
/nhrpd/vici.c: 363 in vici_submit_request()
357 case VICI_KEY_VALUE:
358 vici_zbuf_puts(obuf, va_arg(va, const char *));
359 len = va_arg(va, size_t);
360 zbuf_put_be16(obuf, len);
361 zbuf_put(obuf, va_arg(va, void *), len);
362 break;
>>> CID 1416026: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "case VICI_END:".
363 case VICI_END:
364 break;
365 default:
366 break;
367 }
368 }
** CID 1416025: (CHECKED_RETURN)
/nhrpd/znl.c: 144 in znl_open()
/nhrpd/znl.c: 145 in znl_open()
________________________________________________________________________________________________________
*** CID 1416025: (CHECKED_RETURN)
/nhrpd/znl.c: 144 in znl_open()
138 int fd, buf = 128 * 1024;
139
140 fd = socket(AF_NETLINK, SOCK_RAW, protocol);
141 if (fd < 0)
142 return -1;
143
>>> CID 1416025: (CHECKED_RETURN)
>>> Calling "fcntl(fd, 4, fcntl(fd, 3, 0) | 0x800)" without checking return value. This library function may fail and return an error code.
144 fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
145 fcntl(fd, F_SETFD, FD_CLOEXEC);
146 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &buf, sizeof(buf)) < 0)
147 goto error;
148
149 memset(&addr, 0, sizeof(addr));
/nhrpd/znl.c: 145 in znl_open()
139
140 fd = socket(AF_NETLINK, SOCK_RAW, protocol);
141 if (fd < 0)
142 return -1;
143
144 fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
>>> CID 1416025: (CHECKED_RETURN)
>>> Calling "fcntl(fd, 2, 1)" without checking return value. This library function may fail and return an error code.
145 fcntl(fd, F_SETFD, FD_CLOEXEC);
146 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &buf, sizeof(buf)) < 0)
147 goto error;
148
149 memset(&addr, 0, sizeof(addr));
150 addr.nl_family = AF_NETLINK;
** CID 1416024: (CHECKED_RETURN)
/nhrpd/nhrp_event.c: 62 in evmgr_recv_message()
/nhrpd/nhrp_event.c: 63 in evmgr_recv_message()
________________________________________________________________________________________________________
*** CID 1416024: (CHECKED_RETURN)
/nhrpd/nhrp_event.c: 62 in evmgr_recv_message()
56 if (len >= sizeof(buf)-1)
57 continue;
58 memcpy(buf, zbuf_pulln(&zl, len), len);
59 buf[len] = 0;
60
61 debugf(NHRP_DEBUG_EVENT, "evmgr: msg: %s", buf);
>>> CID 1416024: (CHECKED_RETURN)
>>> Calling "sscanf" without checking return value (as is done elsewhere 30 out of 35 times).
62 sscanf(buf, "eventid=%d", &eventid);
63 sscanf(buf, "result=%63s", result);
64 }
65 debugf(NHRP_DEBUG_EVENT, "evmgr: received: eventid=%d result=%s", eventid, result);
66 if (eventid && result[0]) {
67 struct nhrp_reqid *r = nhrp_reqid_lookup(&nhrp_event_reqid, eventid);
/nhrpd/nhrp_event.c: 63 in evmgr_recv_message()
57 continue;
58 memcpy(buf, zbuf_pulln(&zl, len), len);
59 buf[len] = 0;
60
61 debugf(NHRP_DEBUG_EVENT, "evmgr: msg: %s", buf);
62 sscanf(buf, "eventid=%d", &eventid);
>>> CID 1416024: (CHECKED_RETURN)
>>> Calling "sscanf" without checking return value (as is done elsewhere 30 out of 35 times).
63 sscanf(buf, "result=%63s", result);
64 }
65 debugf(NHRP_DEBUG_EVENT, "evmgr: received: eventid=%d result=%s", eventid, result);
66 if (eventid && result[0]) {
67 struct nhrp_reqid *r = nhrp_reqid_lookup(&nhrp_event_reqid, eventid);
68 if (r) r->cb(r, result);
** CID 1416023: (CHECKED_RETURN)
/nhrpd/vici.c: 185 in parse_sa_message()
/nhrpd/vici.c: 195 in parse_sa_message()
________________________________________________________________________________________________________
*** CID 1416023: (CHECKED_RETURN)
/nhrpd/vici.c: 185 in parse_sa_message()
179 break;
180 default:
181 switch (key->ptr[0]) {
182 case 'l':
183 if (blob_equal(key, "local-host") && ctx->nsections == 1) {
184 if (blob2buf(val, buf, sizeof(buf)))
>>> CID 1416023: (CHECKED_RETURN)
>>> Calling "str2sockunion" without checking return value (as is done elsewhere 29 out of 31 times).
185 str2sockunion(buf, &sactx->local.host);
186 } else if (blob_equal(key, "local-id") && ctx->nsections == 1) {
187 sactx->local.id = *val;
188 } else if (blob_equal(key, "local-cert-data") && ctx->nsections == 1) {
189 sactx->local.cert = *val;
190 }
/nhrpd/vici.c: 195 in parse_sa_message()
189 sactx->local.cert = *val;
190 }
191 break;
192 case 'r':
193 if (blob_equal(key, "remote-host") && ctx->nsections == 1) {
194 if (blob2buf(val, buf, sizeof(buf)))
>>> CID 1416023: (CHECKED_RETURN)
>>> Calling "str2sockunion" without checking return value (as is done elsewhere 29 out of 31 times).
195 str2sockunion(buf, &sactx->remote.host);
196 } else if (blob_equal(key, "remote-id") && ctx->nsections == 1) {
197 sactx->remote.id = *val;
198 } else if (blob_equal(key, "remote-cert-data") && ctx->nsections == 1) {
199 sactx->remote.cert = *val;
200 }
** CID 1416022: Error handling issues (CHECKED_RETURN)
/nhrpd/vici.c: 479 in sock_open_unix()
________________________________________________________________________________________________________
*** CID 1416022: Error handling issues (CHECKED_RETURN)
/nhrpd/vici.c: 479 in sock_open_unix()
473 ret = connect(fd, (struct sockaddr *) &addr, sizeof(addr.sun_family) + strlen(addr.sun_path));
474 if (ret < 0) {
475 close(fd);
476 return -1;
477 }
478
>>> CID 1416022: Error handling issues (CHECKED_RETURN)
>>> Calling "fcntl(fd, 4, fcntl(fd, 3, 0) | 0x800)" without checking return value. This library function may fail and return an error code.
479 fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
480
481 return fd;
** CID 1416021: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/nhrpd/linux.c: 108 in linux_configure_arp()
________________________________________________________________________________________________________
*** CID 1416021: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/nhrpd/linux.c: 108 in linux_configure_arp()
102 }
103
104 static int linux_configure_arp(const char *iface, int on)
105 {
106 struct ifreq ifr;
107
>>> CID 1416021: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>> Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated.
108 strncpy(ifr.ifr_name, iface, IFNAMSIZ);
109 if (ioctl(nhrp_socket_fd, SIOCGIFFLAGS, &ifr))
110 return -1;
111
112 if (on)
113 ifr.ifr_flags &= ~IFF_NOARP;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRa7dJ8klHLUFWVd2fqpS-2B-2FHaN43B-2FQ11ntcKmbKat2WeHs8691VOJpZofPkpp-2BRBqc-3D_d-2Fi2nRutHp-2FDWtw8JRg-2Bc1m9CS4-2B5uVbodfDyLsp-2FJl3EIJ9UwO71vWsX88UI1rPb-2ByTLNz2z-2FAK4NHQcWG-2Bw3-2F281BZugty8F3viq6haJdVAQjjy0jsOiSggYA6x7vMNlYwZMwqvhEj3Eiknzl7vlxYdXA3dtOPmkPgu4C1IqBMoJsyTqL8Ku0sgrs-2BHuRjOdnMYSoix8pcKUSOWFD0Cw-3D-3D