New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com
Tue Oct 13 20:09:05 UTC 2020


Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

4 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)


** CID 1497888:  Memory - corruptions  (OVERRUN)
/ospfclient/ospf_apiclient.c: 615 in ospf_apiclient_handle_lsa_delete()


________________________________________________________________________________________________________
*** CID 1497888:  Memory - corruptions  (OVERRUN)
/ospfclient/ospf_apiclient.c: 615 in ospf_apiclient_handle_lsa_delete()
609     			"%s: message received size: %d is greater than a LSA size: %d",
610     			__func__, lsalen, OSPF_MAX_LSA_SIZE);
611     		return;
612     	}
613     	lsa = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
614     
>>>     CID 1497888:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500).
615     	memcpy(lsa, &(cn->data), lsalen);
616     
617     	/* Invoke registered update callback function */
618     	if (oclient->delete_notify) {
619     		(oclient->delete_notify)(cn->ifaddr, cn->area_id,
620     					 cn->is_self_originated, lsa);

** CID 1497887:  Insecure data handling  (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 205 in ospf_extract_grace_lsa_fields()


________________________________________________________________________________________________________
*** CID 1497887:  Insecure data handling  (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 205 in ospf_extract_grace_lsa_fields()
199     	int sum = 0;
200     
201     	lsah = (struct lsa_header *)lsa->data;
202     
203     	length = ntohs(lsah->length) - OSPF_LSA_HEADER_SIZE;
204     
>>>     CID 1497887:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "length" as a loop boundary.
205     	for (tlvh = TLV_HDR_TOP(lsah); sum < length;
206     	     tlvh = TLV_HDR_NEXT(tlvh)) {
207     		switch (ntohs(tlvh->type)) {
208     		case GRACE_PERIOD_TYPE:
209     			grace_period = (struct grace_tlv_graceperiod *)tlvh;
210     			*interval = ntohl(grace_period->interval);

** CID 1497886:  Memory - corruptions  (OVERRUN)
/ospfclient/ospf_apiclient.c: 583 in ospf_apiclient_handle_lsa_update()


________________________________________________________________________________________________________
*** CID 1497886:  Memory - corruptions  (OVERRUN)
/ospfclient/ospf_apiclient.c: 583 in ospf_apiclient_handle_lsa_update()
577     			"%s: message received size: %d is greater than a LSA size: %d",
578     			__func__, lsalen, OSPF_MAX_LSA_SIZE);
579     		return;
580     	}
581     	lsa = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
582     
>>>     CID 1497886:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500).
583     	memcpy(lsa, &(cn->data), lsalen);
584     
585     	/* Invoke registered update callback function */
586     	if (oclient->update_notify) {
587     		(oclient->update_notify)(cn->ifaddr, cn->area_id,
588     					 cn->is_self_originated, lsa);

** CID 1497885:  Insecure data handling  (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 936 in show_ospf_grace_lsa_info()


________________________________________________________________________________________________________
*** CID 1497885:  Insecure data handling  (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 936 in show_ospf_grace_lsa_info()
930     	lsah = (struct lsa_header *)lsa->data;
931     
932     	length = ntohs(lsah->length) - OSPF_LSA_HEADER_SIZE;
933     
934     	vty_out(vty, "  TLV info:\n");
935     
>>>     CID 1497885:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "length" as a loop boundary.
936     	for (tlvh = TLV_HDR_TOP(lsah); sum < length;
937     	     tlvh = TLV_HDR_NEXT(tlvh)) {
938     		switch (ntohs(tlvh->type)) {
939     		case GRACE_PERIOD_TYPE:
940     			gracePeriod = (struct grace_tlv_graceperiod *)tlvh;
941     			sum += TLV_SIZE(tlvh);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3DV7aN_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTzNI8ICyyqtOttopBcPqDRCLriRrvD3o6-2BbpcHTQOMmFpBj36-2B0dQjSv1p4X6jqVUiw43VOqfCQa4C0vEIw-2FWr6O-2Fwe1g9MJK7F-2BJBJZ-2BTCdnLqb91lMCx2HhNoMZ5on1nTiKe5G7-2B2Sc8UCuU1rB-2BFF7FOy4Rc5HPbzPMAiN6KnAPPx8zX-2FcUiB3mK29YLOZ4-3D
