New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
Tue Mar 16 11:38:32 UTC 2021
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
72 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 72 defect(s)
** CID 1502776: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1502776: Memory - corruptions (OVERRUN)
/isisd/isis_snmp.c: 3359 in isis_snmp_lsp_error_update()
3353 * This is a special case because
3354 * it have more variables
3355 */
3356 netsnmp_variable_list *notification_vars;
3357 long val;
3358
>>> CID 1502776: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 18 by passing argument "18UL" in call to "isis_snmp_trap_throttle".
3359 if (!isis_snmp_trap_throttle(ISIS_TRAP_LSP_ERROR))
3360 return 0;
3361
3362 notification_vars = NULL;
3363
3364 /* Put in trap value */
** CID 1502775: Null pointer dereferences (FORWARD_NULL)
/isisd/isis_snmp.c: 1022 in isis_snmp_circuit_level_lookup_next()
________________________________________________________________________________________________________
*** CID 1502775: Null pointer dereferences (FORWARD_NULL)
/isisd/isis_snmp.c: 1022 in isis_snmp_circuit_level_lookup_next()
1016 if (isis == NULL)
1017 return 0;
1018
1019 start = 0;
1020
1021 if (oid_idx != NULL || oid_idx_len != 0) {
>>> CID 1502775: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "oid_idx".
1022 if (oid_idx[0] > SNMP_CIRCUITS_MAX)
1023 return 0;
1024
1025 start = oid_idx[0];
1026 }
1027
** CID 1502774: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/isisd/isis_snmp.c: 2571 in isis_snmp_find_isadj()
________________________________________________________________________________________________________
*** CID 1502774: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/isisd/isis_snmp.c: 2571 in isis_snmp_find_isadj()
2565
2566 now_time = isis_snmp_time();
2567
2568 if (adj->last_flap >= now_time)
2569 return SNMP_INTEGER(up_ticks);
2570
>>> CID 1502774: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "(now_time - adj->last_flap) * 10U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "_uint64_t" (64 bits, unsigned).
2571 delta_ticks = (now_time - adj->last_flap) * 10;
2572
2573 if (up_ticks < delta_ticks)
2574 return SNMP_INTEGER(up_ticks);
2575
2576 return SNMP_INTEGER((uint32_t)(up_ticks - delta_ticks));
** CID 1502773: (USE_AFTER_FREE)
/ospf6d/ospf6_asbr.c: 1118 in ospf6_asbr_remove_externals_from_area()
/ospf6d/ospf6_asbr.c: 1118 in ospf6_asbr_remove_externals_from_area()
________________________________________________________________________________________________________
*** CID 1502773: (USE_AFTER_FREE)
/ospf6d/ospf6_asbr.c: 1118 in ospf6_asbr_remove_externals_from_area()
1112 for (ALL_LIST_ELEMENTS(ospf6->area_list, node, nnode, area))
1113 if (!IS_AREA_STUB(area))
1114 return;
1115
1116 /* if router is only in a stub area then purge AS-External LSAs */
1117 for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) {
>>> CID 1502773: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
1118 if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL)
1119 ospf6_lsdb_remove(lsa, ospf6->lsdb);
1120 }
1121 }
1122
1123 void ospf6_asbr_redistribute_add(int type, ifindex_t ifindex,
/ospf6d/ospf6_asbr.c: 1117 in ospf6_asbr_remove_externals_from_area()
1111 /* skip if router is in other non-stub areas */
1112 for (ALL_LIST_ELEMENTS(ospf6->area_list, node, nnode, area))
1113 if (!IS_AREA_STUB(area))
1114 return;
1115
1116 /* if router is only in a stub area then purge AS-External LSAs */
>>> CID 1502773: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
1117 for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) {
1118 if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL)
1119 ospf6_lsdb_remove(lsa, ospf6->lsdb);
1120 }
1121 }
1122
/ospf6d/ospf6_asbr.c: 1117 in ospf6_asbr_remove_externals_from_area()
1111 /* skip if router is in other non-stub areas */
1112 for (ALL_LIST_ELEMENTS(ospf6->area_list, node, nnode, area))
1113 if (!IS_AREA_STUB(area))
1114 return;
1115
1116 /* if router is only in a stub area then purge AS-External LSAs */
>>> CID 1502773: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
1117 for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) {
1118 if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL)
1119 ospf6_lsdb_remove(lsa, ospf6->lsdb);
1120 }
1121 }
1122
/ospf6d/ospf6_asbr.c: 1118 in ospf6_asbr_remove_externals_from_area()
1112 for (ALL_LIST_ELEMENTS(ospf6->area_list, node, nnode, area))
1113 if (!IS_AREA_STUB(area))
1114 return;
1115
1116 /* if router is only in a stub area then purge AS-External LSAs */
1117 for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) {
>>> CID 1502773: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
1118 if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL)
1119 ospf6_lsdb_remove(lsa, ospf6->lsdb);
1120 }
1121 }
1122
1123 void ospf6_asbr_redistribute_add(int type, ifindex_t ifindex,
** CID 1502772: Null pointer dereferences (FORWARD_NULL)
/isisd/isis_snmp.c: 948 in isis_snmp_circuit_lookup_next()
________________________________________________________________________________________________________
*** CID 1502772: Null pointer dereferences (FORWARD_NULL)
/isisd/isis_snmp.c: 948 in isis_snmp_circuit_lookup_next()
942 if (isis == NULL)
943 return 0;
944
945 start = 0;
946
947 if (oid_idx != NULL || oid_idx_len != 0) {
>>> CID 1502772: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "oid_idx".
948 if (oid_idx[0] > SNMP_CIRCUITS_MAX)
949 return 0;
950
951 start = oid_idx[0];
952 }
953
** CID 1501743: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1501743: Memory - corruptions (OVERRUN)
/bgpd/bgp_mplsvpn_snmp.c: 1483 in bgpL3vpnRte_lookup()
1477 /* copy the index parameters */
1478 oid_copy_str(&name[namelen], (*l3vpn_bgp)->name,
1479 vrf_name_len);
1480 oid_index = namelen + vrf_name_len;
1481 name[oid_index++] =
1482 v4 ? INETADDRESSTYPEIPV4 : INETADDRESSTYPEIPV6;
>>> CID 1501743: Memory - corruptions (OVERRUN)
>>> Overrunning struct type in_addr of 4 bytes by passing it to a function which accesses it at byte offset 15 using argument "addr_len" (which evaluates to 16).
1483 oid_copy_addr(&name[oid_index], &p->u.prefix4,
1484 addr_len);
1485 oid_index += addr_len;
1486 name[oid_index++] = p->prefixlen;
1487 name[oid_index++] = *policy >> 8;
1488 name[oid_index++] = *policy & 0xff;
** CID 1500586: Null pointer dereferences (FORWARD_NULL)
/pbrd/pbr_nht.c: 758 in pbr_nht_individual_nexthop_gw_update()
________________________________________________________________________________________________________
*** CID 1500586: Null pointer dereferences (FORWARD_NULL)
/pbrd/pbr_nht.c: 758 in pbr_nht_individual_nexthop_gw_update()
752 goto done; /* Unrelated change */
753 break;
754 }
755 }
756
757 pnhi->nhr_matched = true;
>>> CID 1500586: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "pnhi->nhr".
758 if (!pnhi->nhr->nexthop_num) {
759 is_valid = false;
760 goto done;
761 }
762
763 if (pnhc->nexthop.type == NEXTHOP_TYPE_IPV4_IFINDEX
** CID 1497888: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 623 in ospf_apiclient_handle_lsa_delete()
________________________________________________________________________________________________________
*** CID 1497888: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 623 in ospf_apiclient_handle_lsa_delete()
617 __func__, lsalen, OSPF_MAX_LSA_SIZE);
618 return;
619 }
620
621 p = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
622
>>> CID 1497888: Memory - corruptions (OVERRUN)
>>> Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500).
623 memcpy(p, &(cn->data), lsalen);
624 lsa = p;
625
626 /* Invoke registered update callback function */
627 if (oclient->delete_notify) {
628 (oclient->delete_notify)(cn->ifaddr, cn->area_id,
** CID 1497887: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 248 in ospf_extract_grace_lsa_fields()
________________________________________________________________________________________________________
*** CID 1497887: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 248 in ospf_extract_grace_lsa_fields()
242 __func__, length);
243 return OSPF_GR_FAILURE;
244 }
245
246 length -= OSPF_LSA_HEADER_SIZE;
247
>>> CID 1497887: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "length" as a loop boundary.
248 for (tlvh = TLV_HDR_TOP(lsah); sum < length;
249 tlvh = TLV_HDR_NEXT(tlvh)) {
250
251 /* Check TLV len against overall LSA */
252 if (sum + TLV_SIZE(tlvh) > length) {
253 if (IS_DEBUG_OSPF_GR_HELPER)
** CID 1497886: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 588 in ospf_apiclient_handle_lsa_update()
________________________________________________________________________________________________________
*** CID 1497886: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 588 in ospf_apiclient_handle_lsa_update()
582 __func__, lsalen, OSPF_MAX_LSA_SIZE);
583 return;
584 }
585
586 p = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
587
>>> CID 1497886: Memory - corruptions (OVERRUN)
>>> Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500).
588 memcpy(p, &(cn->data), lsalen);
589 lsa = p;
590
591 /* Invoke registered update callback function */
592 if (oclient->update_notify) {
593 (oclient->update_notify)(cn->ifaddr, cn->area_id,
** CID 1497885: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 1017 in show_ospf_grace_lsa_info()
________________________________________________________________________________________________________
*** CID 1497885: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 1017 in show_ospf_grace_lsa_info()
1011 }
1012
1013 length -= OSPF_LSA_HEADER_SIZE;
1014
1015 vty_out(vty, " TLV info:\n");
1016
>>> CID 1497885: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "length" as a loop boundary.
1017 for (tlvh = TLV_HDR_TOP(lsah); sum < length;
1018 tlvh = TLV_HDR_NEXT(tlvh)) {
1019 /* Check TLV len */
1020 if (sum + TLV_SIZE(tlvh) > length) {
1021 vty_out(vty, "%% Invalid TLV length: %u\n",
1022 TLV_SIZE(tlvh));
** CID 1487305: Memory - corruptions (ARRAY_VS_SINGLETON)
/lib/prefix.c: 266 in evpn_type5_prefix_match()
________________________________________________________________________________________________________
*** CID 1487305: Memory - corruptions (ARRAY_VS_SINGLETON)
/lib/prefix.c: 266 in evpn_type5_prefix_match()
260 return 0;
261
262 offset = prefixlen / PNBBY;
263 shift = prefixlen % PNBBY;
264
265 if (shift)
>>> CID 1487305: Memory - corruptions (ARRAY_VS_SINGLETON)
>>> Using "np" as an array. This might corrupt or misinterpret adjacent memory locations.
266 if (maskbit[shift] & (np[offset] ^ pp[offset]))
267 return 0;
268
269 while (offset--)
270 if (np[offset] != pp[offset])
271 return 0;
** CID 1485637: Incorrect expression (SIZEOF_MISMATCH)
/qpb/qpb_allocator.h: 57 in qpb_alloc_ptr_array()
________________________________________________________________________________________________________
*** CID 1485637: Incorrect expression (SIZEOF_MISMATCH)
/qpb/qpb_allocator.h: 57 in qpb_alloc_ptr_array()
51 *
52 * Allocate space for the specified number of pointers.
53 */
54 static inline void *qpb_alloc_ptr_array(qpb_allocator_t *allocator,
55 size_t num_ptrs)
56 {
>>> CID 1485637: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "num_ptrs * 8UL /* sizeof (void *) */" to function "qpb_alloc" which returns a value of type "void *" is suspicious.
57 return qpb_alloc(allocator, num_ptrs * sizeof(void *));
58 }
59
60 /*
61 * qpb_free
62 */
** CID 1485635: Incorrect expression (SIZEOF_MISMATCH)
/qpb/qpb.h: 124 in qpb__l3_prefix__get()
________________________________________________________________________________________________________
*** CID 1485635: Incorrect expression (SIZEOF_MISMATCH)
/qpb/qpb.h: 124 in qpb__l3_prefix__get()
118 uint8_t family, struct prefix *prefix)
119 {
120
121 switch (family) {
122
123 case AF_INET:
>>> CID 1485635: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "prefix" of type "struct prefix *" and argument "16UL" ("sizeof (struct prefix_ipv4)") to function "memset" is suspicious because a multiple of "sizeof (struct prefix) /*48*/" is expected.
124 memset(prefix, 0, sizeof(struct prefix_ipv4));
125 break;
126
127 case AF_INET6:
128 memset(prefix, 0, sizeof(struct prefix_ipv6));
129 break;
** CID 1482218: Memory - illegal accesses (OVERRUN)
/lib/printf/glue.c: 206 in printfrr_ext_reg()
________________________________________________________________________________________________________
*** CID 1482218: Memory - illegal accesses (OVERRUN)
/lib/printf/glue.c: 206 in printfrr_ext_reg()
200 return;
201 for (o++; o <= 'Z' - 'A'; o++)
202 ext_offsets[o]++;
203
204 memmove(entries + i + 1, entries + i,
205 (MAXEXT - i - 1) * sizeof(entries[0]));
>>> CID 1482218: Memory - illegal accesses (OVERRUN)
>>> Overrunning array of 512 bytes at byte offset 512 by dereferencing pointer "exts + i + 1".
206 memmove(exts + i + 1, exts + i,
207 (MAXEXT - i - 1) * sizeof(exts[0]));
208
209 memcpy(entries[i].fmt, ext->match, 2);
210 exts[i] = ext;
211 }
** CID 1482217: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1482217: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_packet.c: 355 in ospf_check_md5_digest()
349 EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
350 EVP_DigestFinal(ctx, digest, &md5_size);
351 EVP_MD_CTX_free(ctx);
352 #elif CRYPTO_INTERNAL
353 memset(&ctx, 0, sizeof(ctx));
354 MD5Init(&ctx);
>>> CID 1482217: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "length" to a tainted sink.
355 MD5Update(&ctx, ospfh, length);
356 MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
357 MD5Final(digest, &ctx);
358 #endif
359
360 /* compare the two */
** CID 1482215: Insecure data handling (TAINTED_SCALAR)
/ospf6d/ospf6_message.c: 2257 in ospf6_lsupdate_send_interface()
________________________________________________________________________________________________________
*** CID 1482215: Insecure data handling (TAINTED_SCALAR)
/ospf6d/ospf6_message.c: 2257 in ospf6_lsupdate_send_interface()
2251 ospf6_lsupdate));
2252 lsa_cnt = 0;
2253 }
2254 }
2255
2256 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
>>> CID 1482215: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "ntohs(((struct ospf6_lsa_header *)lsa->header)->length)" to a tainted sink.
2257 memcpy(p, lsa->header, OSPF6_LSA_SIZE(lsa->header));
2258 p += OSPF6_LSA_SIZE(lsa->header);
2259 lsa_cnt++;
2260
2261 assert(lsa->lock == 2);
2262 ospf6_lsdb_remove(lsa, oi->lsupdate_list);
** CID 1482211: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1482211: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_packet.c: 430 in ospf_make_md5_digest()
424 EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE);
425 EVP_DigestFinal(ctx, digest, &md5_size);
426 EVP_MD_CTX_free(ctx);
427 #elif CRYPTO_INTERNAL
428 memset(&ctx, 0, sizeof(ctx));
429 MD5Init(&ctx);
>>> CID 1482211: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "ntohs(ospfh->length)" to a tainted sink.
430 MD5Update(&ctx, ibuf, ntohs(ospfh->length));
431 MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE);
432 MD5Final(digest, &ctx);
433 #endif
434
435 /* Append md5 digest to the end of the stream. */
** CID 1482210: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_vty.c: 6286 in show_network_lsa_detail()
________________________________________________________________________________________________________
*** CID 1482210: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_vty.c: 6286 in show_network_lsa_detail()
6280 else
6281 json_object_int_add(json, "networkMask",
6282 ip_masklen(nl->mask));
6283
6284 length = ntohs(lsa->data->length) - OSPF_LSA_HEADER_SIZE - 4;
6285
>>> CID 1482210: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "length" as a loop boundary.
6286 for (i = 0; length > 0; i++, length -= 4)
6287 if (!json) {
6288 vty_out(vty, " Attached Router: %pI4\n",
6289 &nl->routers[i]);
6290 vty_out(vty, "\n");
6291 } else {
** CID 1482203: (TAINTED_SCALAR)
/ospfd/ospf_api.c: 422 in msg_write()
________________________________________________________________________________________________________
*** CID 1482203: (TAINTED_SCALAR)
/ospfd/ospf_api.c: 425 in msg_write()
419
420 /* Make contiguous memory buffer for message */
421 memcpy(buf, &msg->hdr, sizeof(struct apimsghdr));
422 memcpy(buf + sizeof(struct apimsghdr), STREAM_DATA(msg->s),
423 ntohs(msg->hdr.msglen));
424
>>> CID 1482203: (TAINTED_SCALAR)
>>> Passing tainted variable "l" to a tainted sink.
425 wlen = writen(fd, buf, l);
426 if (wlen < 0) {
427 zlog_warn("msg_write: writen %s", safe_strerror(errno));
428 return -1;
429 } else if (wlen == 0) {
430 zlog_warn("msg_write: Connection closed by peer");
/ospfd/ospf_api.c: 422 in msg_write()
416
417 /* Length of message including header */
418 l = sizeof(struct apimsghdr) + ntohs(msg->hdr.msglen);
419
420 /* Make contiguous memory buffer for message */
421 memcpy(buf, &msg->hdr, sizeof(struct apimsghdr));
>>> CID 1482203: (TAINTED_SCALAR)
>>> Passing tainted variable "ntohs(msg->hdr.msglen)" to a tainted sink.
422 memcpy(buf + sizeof(struct apimsghdr), STREAM_DATA(msg->s),
423 ntohs(msg->hdr.msglen));
424
425 wlen = writen(fd, buf, l);
426 if (wlen < 0) {
427 zlog_warn("msg_write: writen %s", safe_strerror(errno));
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3Dbhr5_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTzKxF2FgdItSW87IJuxPFG4qzy-2B2FbZf68Dyr-2FBu927aaesWWHhdZraBAzkNGtDajLLNC6-2BAvhfzvm4sCwcDI9QMuEj0NqOX6d8g5SOTbGo-2BLCbozwvSvW6UolI79QxNAWQvi6yzr0hdiF0vI8EUF3cE0VYNUr8xNIT0oYYafOpHioJAjkmPhhVsQl5BM1K1rA-3D