New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com scan-admin at coverity.com
Fri Feb 12 21:30:11 UTC 2021


Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

6 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)


** CID 1501748:  Insecure data handling  (TAINTED_SCALAR)
/bgpd/bgp_mplsvpn_snmp.c: 1162 in mplsL3vpnVrfRtTable()


________________________________________________________________________________________________________
*** CID 1501748:  Insecure data handling  (TAINTED_SCALAR)
/bgpd/bgp_mplsvpn_snmp.c: 1162 in mplsL3vpnVrfRtTable()
1156     					.rtlist[BGP_VPN_POLICY_DIR_FROMVPN],
1157     				ECOMMUNITY_FORMAT_ROUTE_MAP,
1158     				ECOMMUNITY_ROUTE_TARGET);
1159     			break;
1160     		case MPLSVPNVRFRTTYPEEXPORT:
1161     		case MPLSVPNVRFRTTYPEBOTH:
>>>     CID 1501748:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "rt_index" as an index into an array "l3vpn_bgp->vpn_policy".
1162     			rt_b = ecommunity_ecom2str(
1163     				l3vpn_bgp->vpn_policy[rt_index]
1164     					.rtlist[BGP_VPN_POLICY_DIR_TOVPN],
1165     				ECOMMUNITY_FORMAT_ROUTE_MAP,
1166     				ECOMMUNITY_ROUTE_TARGET);
1167     			break;

** CID 1501747:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/bgpd/bgp_mplsvpn_snmp.c: 1033 in bgpL3vpnVrfRt_lookup()


________________________________________________________________________________________________________
*** CID 1501747:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/bgpd/bgp_mplsvpn_snmp.c: 1033 in bgpL3vpnVrfRt_lookup()
1027     		l3vpn_bgp = bgp_lookup_by_name(vrf_name);
1028     		if (l3vpn_bgp && !is_bgp_vrf_mplsvpn(l3vpn_bgp))
1029     			return NULL;
1030     		if (!l3vpn_bgp)
1031     			return NULL;
1032     		/* check the index and type match up */
>>>     CID 1501747:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
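>>>     The "or" condition "*rt_index != AFI_IP || *rt_index != AFI_IP6" will always be true because "*rt_index" cannot be equal to two different values at the same time, so it must be not equal to at least one of them.
>>>     [Note: as written, the test on line 1033 is true for every value of "*rt_index", so this path always returns NULL and never reaches the RT-config check below it. A check that accepts either AFI_IP or AFI_IP6 would join the two comparisons with "&&".]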
1033     		if ((*rt_index != AFI_IP) || (*rt_index != AFI_IP6))
1034     			return NULL;
1035     		/* do we have RT config */
1036     		if (!(l3vpn_bgp->vpn_policy[*rt_index]
1037     			      .rtlist[BGP_VPN_POLICY_DIR_FROMVPN]
1038     		      || l3vpn_bgp->vpn_policy[*rt_index]

** CID 1501746:  Null pointer dereferences  (REVERSE_INULL)
/bgpd/bgp_mplsvpn_snmp.c: 1461 in bgpL3vpnRte_lookup()


________________________________________________________________________________________________________
*** CID 1501746:  Null pointer dereferences  (REVERSE_INULL)
/bgpd/bgp_mplsvpn_snmp.c: 1461 in bgpL3vpnRte_lookup()
1455     		if (str_len == 0) {
1456     			*l3vpn_bgp = bgp_lookup_by_name_next(vrf_name);
1457     		} else
1458     			/* otherwise lookup the one we have */
1459     			*l3vpn_bgp = bgp_lookup_by_name(vrf_name);
1460     
>>>     CID 1501746:  Null pointer dereferences  (REVERSE_INULL)
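>>>     Null-checking "l3vpn_bgp" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
>>>     [Note: the lookups on lines 1456 and 1459 store their result in "*l3vpn_bgp", so the check on line 1461 tests the caller-supplied pointer rather than the lookup result. A failed lookup is therefore not caught here, which is what CID 1501744 reports; presumably the intended test is on "*l3vpn_bgp".]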
1461     		if (l3vpn_bgp == NULL)
1462     			return NULL;
1463     
1464     		pi = bgp_lookup_route_next(l3vpn_bgp, dest, &prefix, policy,
1465     					   &nexthop);
1466     		if (pi) {

** CID 1501745:    (TAINTED_SCALAR)
/bgpd/bgp_mplsvpn_snmp.c: 1088 in bgpL3vpnVrfRt_lookup()
/bgpd/bgp_mplsvpn_snmp.c: 1075 in bgpL3vpnVrfRt_lookup()
/bgpd/bgp_mplsvpn_snmp.c: 1078 in bgpL3vpnVrfRt_lookup()


________________________________________________________________________________________________________
*** CID 1501745:    (TAINTED_SCALAR)
/bgpd/bgp_mplsvpn_snmp.c: 1088 in bgpL3vpnVrfRt_lookup()
1082     				    && !import)
1083     					continue;
1084     				if (*rt_type == MPLSVPNVRFRTTYPEEXPORT
1085     				    && !export)
1086     					continue;
1087     				/* ckeck for both */
>>>     CID 1501745:    (TAINTED_SCALAR)
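>>>     Using tainted variable "*rt_index" as an index into an array "l3vpn_bgp->vpn_policy".
>>>     [Note: the excerpts in this report show no bounds check on "*rt_index" before these array accesses. The only comparison of it visible in this function is the one on line 1033, flagged under CID 1501747.]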
1088     				if (*rt_type == MPLSVPNVRFRTTYPEIMPORT && import
1089     				    && export
1090     				    && ecommunity_cmp(
1091     					    l3vpn_bgp->vpn_policy[*rt_index].rtlist
1092     						    [BGP_VPN_POLICY_DIR_FROMVPN],
1093     					    l3vpn_bgp->vpn_policy[*rt_index].rtlist
/bgpd/bgp_mplsvpn_snmp.c: 1075 in bgpL3vpnVrfRt_lookup()
1069     				*rt_type = 0;
1070     				break;
1071     			}
1072     			if (*rt_type) {
1073     				bool import, export;
1074     
>>>     CID 1501745:    (TAINTED_SCALAR)
>>>     Using tainted variable "*rt_index" as an index into an array "l3vpn_bgp->vpn_policy".
1075     				import =
1076     					(!!l3vpn_bgp->vpn_policy[*rt_index].rtlist
1077     						   [BGP_VPN_POLICY_DIR_FROMVPN]);
1078     				export =
1079     					(!!l3vpn_bgp->vpn_policy[*rt_index].rtlist
1080     						   [BGP_VPN_POLICY_DIR_TOVPN]);
/bgpd/bgp_mplsvpn_snmp.c: 1078 in bgpL3vpnVrfRt_lookup()
1072     			if (*rt_type) {
1073     				bool import, export;
1074     
1075     				import =
1076     					(!!l3vpn_bgp->vpn_policy[*rt_index].rtlist
1077     						   [BGP_VPN_POLICY_DIR_FROMVPN]);
>>>     CID 1501745:    (TAINTED_SCALAR)
>>>     Using tainted variable "*rt_index" as an index into an array "l3vpn_bgp->vpn_policy".
1078     				export =
1079     					(!!l3vpn_bgp->vpn_policy[*rt_index].rtlist
1080     						   [BGP_VPN_POLICY_DIR_TOVPN]);
1081     				if (*rt_type == MPLSVPNVRFRTTYPEIMPORT
1082     				    && !import)
1083     					continue;

** CID 1501744:  Null pointer dereferences  (NULL_RETURNS)


________________________________________________________________________________________________________
*** CID 1501744:  Null pointer dereferences  (NULL_RETURNS)
/bgpd/bgp_mplsvpn_snmp.c: 1464 in bgpL3vpnRte_lookup()
1458     			/* otherwise lookup the one we have */
1459     			*l3vpn_bgp = bgp_lookup_by_name(vrf_name);
1460     
1461     		if (l3vpn_bgp == NULL)
1462     			return NULL;
1463     
>>>     CID 1501744:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "*l3vpn_bgp" when calling "bgp_lookup_route_next".
1464     		pi = bgp_lookup_route_next(l3vpn_bgp, dest, &prefix, policy,
1465     					   &nexthop);
1466     		if (pi) {
1467     			uint8_t vrf_name_len =
1468     				strnlen((*l3vpn_bgp)->name, VRF_NAMSIZ);
1469     			const struct prefix *p = bgp_dest_get_prefix(*dest);

** CID 1501743:    (OVERRUN)


________________________________________________________________________________________________________
*** CID 1501743:    (OVERRUN)
/bgpd/bgp_mplsvpn_snmp.c: 1411 in bgpL3vpnRte_lookup()
1405     			oid2in_addr(&name[i], sizeof(struct in_addr),
1406     				    &prefix.u.prefix4);
1407     			i += sizeof(struct in_addr);
1408     			break;
1409     		case INETADDRESSTYPEIPV6:
1410     			prefix.family = AF_INET6;
>>>     CID 1501743:    (OVERRUN)
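>>>     Overrunning struct type in_addr of 4 bytes by passing it to a function which accesses it at byte offset 15 using argument "16".
>>>     [Note: the destination named is the 4-byte IPv4 member while the length is sizeof(struct in6_addr); the "/* sic */" comment suggests this is deliberate. Whether the 16-byte access stays inside the enclosing object depends on the layout of "prefix.u", which this report does not show. Lines 1434 and 1482 follow the same pattern.]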
1411     			oid2in_addr(&name[i], sizeof(struct in6_addr),
1412     				    &prefix.u.prefix4); /* sic */
1413     			i += sizeof(struct in6_addr);
1414     			break;
1415     		}
1416     		prefix.prefixlen = (uint8_t)name[i++];
/bgpd/bgp_mplsvpn_snmp.c: 1434 in bgpL3vpnRte_lookup()
1428     			oid2in_addr(&name[i], sizeof(struct in_addr),
1429     				    &nexthop.ip._v4_addr);
1430     			i += sizeof(struct in_addr);
1431     			break;
1432     		case INETADDRESSTYPEIPV6:
1433     			nexthop.ipa_type = IPADDR_V6;
>>>     CID 1501743:    (OVERRUN)
>>>     Overrunning struct type in_addr of 4 bytes by passing it to a function which accesses it at byte offset 15 using argument "16".
1434     			oid2in_addr(&name[i], sizeof(struct in6_addr),
1435     				    &nexthop.ip._v4_addr); /* sic */
1436     			i += sizeof(struct in6_addr);
1437     			break;
1438     		}
1439     	}
/bgpd/bgp_mplsvpn_snmp.c: 1482 in bgpL3vpnRte_lookup()
1476     			/* copy the index parameters */
1477     			oid_copy_str(&name[namelen], (*l3vpn_bgp)->name,
1478     				     vrf_name_len);
1479     			oid_index = namelen + vrf_name_len;
1480     			name[oid_index++] =
1481     				v4 ? INETADDRESSTYPEIPV4 : INETADDRESSTYPEIPV6;
>>>     CID 1501743:    (OVERRUN)
>>>     Overrunning struct type in_addr of 4 bytes by passing it to a function which accesses it at byte offset 15 using argument "addr_len" (which evaluates to 16).
1482     			oid_copy_addr(&name[oid_index], &p->u.prefix4,
1483     				      addr_len);
1484     			oid_index += addr_len;
1485     			name[oid_index++] = p->prefixlen;
1486     			name[oid_index++] = *policy >> 8;
1487     			name[oid_index++] = *policy & 0xff;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3Da-QW_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTxgrHnc5v4vnVu-2F0-2F9S9Me-2BNCNiN8JOImPNF7Jkrq4zqUom-2FPcZmvtNjiYag075XIDQD5JU1a0Y2J7KRoO2Gz-2BrcEp1g6QZi1M-2B1il23wPLTzakdsk5BtqY7nNdRNdWwcKWJiwqu5Pe8MOo0YRdleoUDOtoSC5whJQGeH4rgkxfhv737v8jhAhI-2B5l-2F69HurmQ-3D



