New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Fri Feb 12 21:30:11 UTC 2021
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
6 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)
** CID 1501748: Insecure data handling (TAINTED_SCALAR)
/bgpd/bgp_mplsvpn_snmp.c: 1162 in mplsL3vpnVrfRtTable()
________________________________________________________________________________________________________
*** CID 1501748: Insecure data handling (TAINTED_SCALAR)
/bgpd/bgp_mplsvpn_snmp.c: 1162 in mplsL3vpnVrfRtTable()
1156 .rtlist[BGP_VPN_POLICY_DIR_FROMVPN],
1157 ECOMMUNITY_FORMAT_ROUTE_MAP,
1158 ECOMMUNITY_ROUTE_TARGET);
1159 break;
1160 case MPLSVPNVRFRTTYPEEXPORT:
1161 case MPLSVPNVRFRTTYPEBOTH:
>>> CID 1501748: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "rt_index" as an index into an array "l3vpn_bgp->vpn_policy".
1162 rt_b = ecommunity_ecom2str(
1163 l3vpn_bgp->vpn_policy[rt_index]
1164 .rtlist[BGP_VPN_POLICY_DIR_TOVPN],
1165 ECOMMUNITY_FORMAT_ROUTE_MAP,
1166 ECOMMUNITY_ROUTE_TARGET);
1167 break;
** CID 1501747: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/bgpd/bgp_mplsvpn_snmp.c: 1033 in bgpL3vpnVrfRt_lookup()
________________________________________________________________________________________________________
*** CID 1501747: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/bgpd/bgp_mplsvpn_snmp.c: 1033 in bgpL3vpnVrfRt_lookup()
1027 l3vpn_bgp = bgp_lookup_by_name(vrf_name);
1028 if (l3vpn_bgp && !is_bgp_vrf_mplsvpn(l3vpn_bgp))
1029 return NULL;
1030 if (!l3vpn_bgp)
1031 return NULL;
1032 /* check the index and type match up */
>>> CID 1501747: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
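>>> The "or" condition "*rt_index != AFI_IP || *rt_index != AFI_IP6" will always be true because "*rt_index" cannot be equal to two different values at the same time, so it must be not equal to at least one of them. As written, the check on line 1033 therefore returns NULL for every value of "*rt_index"; a test meant to accept only AFI_IP and AFI_IP6 would join the two comparisons with "&&".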
1033 if ((*rt_index != AFI_IP) || (*rt_index != AFI_IP6))
1034 return NULL;
1035 /* do we have RT config */
1036 if (!(l3vpn_bgp->vpn_policy[*rt_index]
1037 .rtlist[BGP_VPN_POLICY_DIR_FROMVPN]
1038 || l3vpn_bgp->vpn_policy[*rt_index]
** CID 1501746: Null pointer dereferences (REVERSE_INULL)
/bgpd/bgp_mplsvpn_snmp.c: 1461 in bgpL3vpnRte_lookup()
________________________________________________________________________________________________________
*** CID 1501746: Null pointer dereferences (REVERSE_INULL)
/bgpd/bgp_mplsvpn_snmp.c: 1461 in bgpL3vpnRte_lookup()
1455 if (str_len == 0) {
1456 *l3vpn_bgp = bgp_lookup_by_name_next(vrf_name);
1457 } else
1458 /* otherwise lookup the one we have */
1459 *l3vpn_bgp = bgp_lookup_by_name(vrf_name);
1460
>>> CID 1501746: Null pointer dereferences (REVERSE_INULL)
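>>> Null-checking "l3vpn_bgp" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. Lines 1456 and 1459 store the lookup result in "*l3vpn_bgp", so the value that can be NULL at this point is "*l3vpn_bgp", not the pointer "l3vpn_bgp" that line 1461 tests.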
1461 if (l3vpn_bgp == NULL)
1462 return NULL;
1463
1464 pi = bgp_lookup_route_next(l3vpn_bgp, dest, &prefix, policy,
1465 &nexthop);
1466 if (pi) {
** CID 1501745: (TAINTED_SCALAR)
/bgpd/bgp_mplsvpn_snmp.c: 1088 in bgpL3vpnVrfRt_lookup()
/bgpd/bgp_mplsvpn_snmp.c: 1075 in bgpL3vpnVrfRt_lookup()
/bgpd/bgp_mplsvpn_snmp.c: 1078 in bgpL3vpnVrfRt_lookup()
________________________________________________________________________________________________________
*** CID 1501745: (TAINTED_SCALAR)
/bgpd/bgp_mplsvpn_snmp.c: 1088 in bgpL3vpnVrfRt_lookup()
1082 && !import)
1083 continue;
1084 if (*rt_type == MPLSVPNVRFRTTYPEEXPORT
1085 && !export)
1086 continue;
1087 /* ckeck for both */
>>> CID 1501745: (TAINTED_SCALAR)
>>> Using tainted variable "*rt_index" as an index into an array "l3vpn_bgp->vpn_policy".
1088 if (*rt_type == MPLSVPNVRFRTTYPEIMPORT && import
1089 && export
1090 && ecommunity_cmp(
1091 l3vpn_bgp->vpn_policy[*rt_index].rtlist
1092 [BGP_VPN_POLICY_DIR_FROMVPN],
1093 l3vpn_bgp->vpn_policy[*rt_index].rtlist
/bgpd/bgp_mplsvpn_snmp.c: 1075 in bgpL3vpnVrfRt_lookup()
1069 *rt_type = 0;
1070 break;
1071 }
1072 if (*rt_type) {
1073 bool import, export;
1074
>>> CID 1501745: (TAINTED_SCALAR)
>>> Using tainted variable "*rt_index" as an index into an array "l3vpn_bgp->vpn_policy".
1075 import =
1076 (!!l3vpn_bgp->vpn_policy[*rt_index].rtlist
1077 [BGP_VPN_POLICY_DIR_FROMVPN]);
1078 export =
1079 (!!l3vpn_bgp->vpn_policy[*rt_index].rtlist
1080 [BGP_VPN_POLICY_DIR_TOVPN]);
/bgpd/bgp_mplsvpn_snmp.c: 1078 in bgpL3vpnVrfRt_lookup()
1072 if (*rt_type) {
1073 bool import, export;
1074
1075 import =
1076 (!!l3vpn_bgp->vpn_policy[*rt_index].rtlist
1077 [BGP_VPN_POLICY_DIR_FROMVPN]);
>>> CID 1501745: (TAINTED_SCALAR)
>>> Using tainted variable "*rt_index" as an index into an array "l3vpn_bgp->vpn_policy".
1078 export =
1079 (!!l3vpn_bgp->vpn_policy[*rt_index].rtlist
1080 [BGP_VPN_POLICY_DIR_TOVPN]);
1081 if (*rt_type == MPLSVPNVRFRTTYPEIMPORT
1082 && !import)
1083 continue;
** CID 1501744: Null pointer dereferences (NULL_RETURNS)
________________________________________________________________________________________________________
*** CID 1501744: Null pointer dereferences (NULL_RETURNS)
/bgpd/bgp_mplsvpn_snmp.c: 1464 in bgpL3vpnRte_lookup()
1458 /* otherwise lookup the one we have */
1459 *l3vpn_bgp = bgp_lookup_by_name(vrf_name);
1460
1461 if (l3vpn_bgp == NULL)
1462 return NULL;
1463
>>> CID 1501744: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "*l3vpn_bgp" when calling "bgp_lookup_route_next".
1464 pi = bgp_lookup_route_next(l3vpn_bgp, dest, &prefix, policy,
1465 &nexthop);
1466 if (pi) {
1467 uint8_t vrf_name_len =
1468 strnlen((*l3vpn_bgp)->name, VRF_NAMSIZ);
1469 const struct prefix *p = bgp_dest_get_prefix(*dest);
** CID 1501743: (OVERRUN)
________________________________________________________________________________________________________
*** CID 1501743: (OVERRUN)
/bgpd/bgp_mplsvpn_snmp.c: 1411 in bgpL3vpnRte_lookup()
1405 oid2in_addr(&name[i], sizeof(struct in_addr),
1406 &prefix.u.prefix4);
1407 i += sizeof(struct in_addr);
1408 break;
1409 case INETADDRESSTYPEIPV6:
1410 prefix.family = AF_INET6;
>>> CID 1501743: (OVERRUN)
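>>> Overrunning struct type in_addr of 4 bytes by passing it to a function which accesses it at byte offset 15 using argument "16". The IPv6 branch passes the IPv4 member "prefix.u.prefix4" as the destination together with sizeof(struct in6_addr); the "/* sic */" comment on line 1412 suggests this is deliberate, and whether the 16-byte write stays inside the enclosing object depends on the declaration of "prefix.u", which this excerpt does not show.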
1411 oid2in_addr(&name[i], sizeof(struct in6_addr),
1412 &prefix.u.prefix4); /* sic */
1413 i += sizeof(struct in6_addr);
1414 break;
1415 }
1416 prefix.prefixlen = (uint8_t)name[i++];
/bgpd/bgp_mplsvpn_snmp.c: 1434 in bgpL3vpnRte_lookup()
1428 oid2in_addr(&name[i], sizeof(struct in_addr),
1429 &nexthop.ip._v4_addr);
1430 i += sizeof(struct in_addr);
1431 break;
1432 case INETADDRESSTYPEIPV6:
1433 nexthop.ipa_type = IPADDR_V6;
>>> CID 1501743: (OVERRUN)
>>> Overrunning struct type in_addr of 4 bytes by passing it to a function which accesses it at byte offset 15 using argument "16".
1434 oid2in_addr(&name[i], sizeof(struct in6_addr),
1435 &nexthop.ip._v4_addr); /* sic */
1436 i += sizeof(struct in6_addr);
1437 break;
1438 }
1439 }
/bgpd/bgp_mplsvpn_snmp.c: 1482 in bgpL3vpnRte_lookup()
1476 /* copy the index parameters */
1477 oid_copy_str(&name[namelen], (*l3vpn_bgp)->name,
1478 vrf_name_len);
1479 oid_index = namelen + vrf_name_len;
1480 name[oid_index++] =
1481 v4 ? INETADDRESSTYPEIPV4 : INETADDRESSTYPEIPV6;
>>> CID 1501743: (OVERRUN)
>>> Overrunning struct type in_addr of 4 bytes by passing it to a function which accesses it at byte offset 15 using argument "addr_len" (which evaluates to 16).
1482 oid_copy_addr(&name[oid_index], &p->u.prefix4,
1483 addr_len);
1484 oid_index += addr_len;
1485 name[oid_index++] = p->prefixlen;
1486 name[oid_index++] = *policy >> 8;
1487 name[oid_index++] = *policy & 0xff;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3Da-QW_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTxgrHnc5v4vnVu-2F0-2F9S9Me-2BNCNiN8JOImPNF7Jkrq4zqUom-2FPcZmvtNjiYag075XIDQD5JU1a0Y2J7KRoO2Gz-2BrcEp1g6QZi1M-2B1il23wPLTzakdsk5BtqY7nNdRNdWwcKWJiwqu5Pe8MOo0YRdleoUDOtoSC5whJQGeH4rgkxfhv737v8jhAhI-2B5l-2F69HurmQ-3D