New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Tue Oct 13 20:09:05 UTC 2020
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
4 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)
** CID 1497888: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 615 in ospf_apiclient_handle_lsa_delete()
________________________________________________________________________________________________________
*** CID 1497888: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 615 in ospf_apiclient_handle_lsa_delete()
609 "%s: message received size: %d is greater than a LSA size: %d",
610 __func__, lsalen, OSPF_MAX_LSA_SIZE);
611 return;
612 }
613 lsa = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
614
>>> CID 1497888: Memory - corruptions (OVERRUN)
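>>> Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500). The object being overrun appears to be the memcpy source "&(cn->data)", which is typed as a 20-byte lsa_header while up to "lsalen" bytes are read from it. The check shown above only caps "lsalen" at OSPF_MAX_LSA_SIZE, so the copy is safe only if the received message is also verified to hold at least "lsalen" bytes starting at "cn->data".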
615 memcpy(lsa, &(cn->data), lsalen);
616
617 /* Invoke registered update callback function */
618 if (oclient->delete_notify) {
619 (oclient->delete_notify)(cn->ifaddr, cn->area_id,
620 cn->is_self_originated, lsa);
** CID 1497887: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 205 in ospf_extract_grace_lsa_fields()
________________________________________________________________________________________________________
*** CID 1497887: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 205 in ospf_extract_grace_lsa_fields()
199 int sum = 0;
200
201 lsah = (struct lsa_header *)lsa->data;
202
203 length = ntohs(lsah->length) - OSPF_LSA_HEADER_SIZE;
204
>>> CID 1497887: Insecure data handling (TAINTED_SCALAR)
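>>> Using tainted variable "length" as a loop boundary. "length" is computed on line 203 from the LSA's own length field (ntohs(lsah->length) - OSPF_LSA_HEADER_SIZE). The excerpt shows no check of that field against the size of the received LSA data before the loop advances "tlvh", and a field value below OSPF_LSA_HEADER_SIZE would make the subtraction negative or wrap, depending on the type of "length" (not shown here).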
205 for (tlvh = TLV_HDR_TOP(lsah); sum < length;
206 tlvh = TLV_HDR_NEXT(tlvh)) {
207 switch (ntohs(tlvh->type)) {
208 case GRACE_PERIOD_TYPE:
209 grace_period = (struct grace_tlv_graceperiod *)tlvh;
210 *interval = ntohl(grace_period->interval);
** CID 1497886: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 583 in ospf_apiclient_handle_lsa_update()
________________________________________________________________________________________________________
*** CID 1497886: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 583 in ospf_apiclient_handle_lsa_update()
577 "%s: message received size: %d is greater than a LSA size: %d",
578 __func__, lsalen, OSPF_MAX_LSA_SIZE);
579 return;
580 }
581 lsa = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
582
>>> CID 1497886: Memory - corruptions (OVERRUN)
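>>> Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500). As reported, the 20-byte object is most likely the memcpy source "&(cn->data)", from which up to "lsalen" bytes are read. The size check shown above bounds "lsalen" only from above (OSPF_MAX_LSA_SIZE), so the update path also needs "lsalen" validated against the number of bytes actually received for this message.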
583 memcpy(lsa, &(cn->data), lsalen);
584
585 /* Invoke registered update callback function */
586 if (oclient->update_notify) {
587 (oclient->update_notify)(cn->ifaddr, cn->area_id,
588 cn->is_self_originated, lsa);
** CID 1497885: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 936 in show_ospf_grace_lsa_info()
________________________________________________________________________________________________________
*** CID 1497885: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 936 in show_ospf_grace_lsa_info()
930 lsah = (struct lsa_header *)lsa->data;
931
932 length = ntohs(lsah->length) - OSPF_LSA_HEADER_SIZE;
933
934 vty_out(vty, " TLV info:\n");
935
>>> CID 1497885: Insecure data handling (TAINTED_SCALAR)
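>>> Using tainted variable "length" as a loop boundary. "length" comes from the LSA header's length field on line 932 (ntohs(lsah->length) - OSPF_LSA_HEADER_SIZE), and "sum" advances by TLV_SIZE(tlvh), which is presumably also read from the LSA contents. Neither value is shown being checked against the size of the buffer behind "lsa->data" before the loop dereferences "tlvh".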
936 for (tlvh = TLV_HDR_TOP(lsah); sum < length;
937 tlvh = TLV_HDR_NEXT(tlvh)) {
938 switch (ntohs(tlvh->type)) {
939 case GRACE_PERIOD_TYPE:
940 gracePeriod = (struct grace_tlv_graceperiod *)tlvh;
941 sum += TLV_SIZE(tlvh);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3DV7aN_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTzNI8ICyyqtOttopBcPqDRCLriRrvD3o6-2BbpcHTQOMmFpBj36-2B0dQjSv1p4X6jqVUiw43VOqfCQa4C0vEIw-2FWr6O-2Fwe1g9MJK7F-2BJBJZ-2BTCdnLqb91lMCx2HhNoMZ5on1nTiKe5G7-2B2Sc8UCuU1rB-2BFF7FOy4Rc5HPbzPMAiN6KnAPPx8zX-2FcUiB3mK29YLOZ4-3D