New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com
Sat Aug 21 09:15:57 UTC 2021


Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

4 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)


** CID 1506514:  Insecure data handling  (TAINTED_SCALAR)
/ospf6d/ospf6_gr_helper.c: 1222 in ospf6_grace_lsa_show_info()


________________________________________________________________________________________________________
*** CID 1506514:  Insecure data handling  (TAINTED_SCALAR)
/ospf6d/ospf6_gr_helper.c: 1222 in ospf6_grace_lsa_show_info()
1216     		if (!use_json)
1217     			vty_out(vty, "TLV info:\n");
1218     	} else {
1219     		zlog_debug("  TLV info:");
1220     	}
1221     
>>>     CID 1506514:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "length" as a loop boundary.
1222     	for (tlvh = TLV_HDR_TOP(lsah); sum < length;
1223     	     tlvh = TLV_HDR_NEXT(tlvh)) {
1224     		switch (ntohs(tlvh->type)) {
1225     		case GRACE_PERIOD_TYPE:
1226     			gracePeriod = (struct grace_tlv_graceperiod *)tlvh;
1227     			sum += TLV_SIZE(tlvh);

** CID 1506513:  Insecure data handling  (TAINTED_SCALAR)
/ospf6d/ospf6_gr_helper.c: 160 in ospf6_extract_grace_lsa_fields()


________________________________________________________________________________________________________
*** CID 1506513:  Insecure data handling  (TAINTED_SCALAR)
/ospf6d/ospf6_gr_helper.c: 160 in ospf6_extract_grace_lsa_fields()
154     	int sum = 0;
155     
156     	lsah = (struct ospf6_lsa_header *)lsa->header;
157     
158     	length = ntohs(lsah->length) - OSPF6_LSA_HEADER_SIZE;
159     
>>>     CID 1506513:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "length" as a loop boundary.
160     	for (tlvh = TLV_HDR_TOP(lsah); sum < length;
161     	     tlvh = TLV_HDR_NEXT(tlvh)) {
162     		switch (ntohs(tlvh->type)) {
163     		case GRACE_PERIOD_TYPE:
164     			gracePeriod = (struct grace_tlv_graceperiod *)tlvh;
165     			*interval = ntohl(gracePeriod->interval);

** CID 1506512:    (USE_AFTER_FREE)
/ospf6d/ospf6_gr_helper.c: 232 in ospf6_check_chg_in_rxmt_list()


________________________________________________________________________________________________________
*** CID 1506512:    (USE_AFTER_FREE)
/ospf6d/ospf6_gr_helper.c: 232 in ospf6_check_chg_in_rxmt_list()
226     	for (ALL_LSDB(nbr->retrans_list, lsa, lsanext)) {
227     		struct ospf6_lsa *lsa_in_db = NULL;
228     
229     		/* Fetching the same copy of LSA form LSDB to validate the
230     		 * topochange.
231     		 */
>>>     CID 1506512:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
232     		lsa_in_db =
233     			ospf6_lsdb_lookup(lsa->header->type, lsa->header->id,
234     					  lsa->header->adv_router, lsa->lsdb);
235     
236     		if (lsa_in_db && lsa_in_db->tobe_acknowledged)
237     			return OSPF6_TRUE;

** CID 1506511:  Null pointer dereferences  (NULL_RETURNS)


________________________________________________________________________________________________________
*** CID 1506511:  Null pointer dereferences  (NULL_RETURNS)
/ospf6d/ospf6_gr_helper.c: 1163 in show_ipv6_ospf6_gr_helper_magic()
1157     	if (argv_find(argv, argc, "detail", &idx))
1158     		detail = true;
1159     
1160     	if (uj)
1161     		json = json_object_new_object();
1162     
>>>     CID 1506511:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "ospf6" when calling "show_ospf6_gr_helper_details".
1163     	show_ospf6_gr_helper_details(vty, ospf6, json, uj, detail);
1164     
1165     	if (uj) {
1166     		vty_out(vty, "%s\n",
1167     			json_object_to_json_string_ext(
1168     				json, JSON_C_TO_STRING_PRETTY));


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3DG5O__O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTzfYd-2BJuoKIDQkLhdzbfPWYBftcfI71R022JPavuICXlfJM1pdDWzaB4-2FgaUDM9uiq6g7pqQFiTHUzIcUEh7NsJENOu1t3gAQGYKn-2BnIzMIsm6qDecsRjGegKqBrYjxlD-2Fy2o3mmTx1j-2BjnYMbDdvUSAi0YeoJIPMI-2F5YL4FUwRgQ-3D-3D



