New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com
Wed May 19 23:37:53 UTC 2021


Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

2 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
28 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 1504898:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1504898:  Insecure data handling  (TAINTED_SCALAR)
/ospfd/ospf_dump.c: 585 in ospf_packet_dump()
579     		ospf_packet_hello_dump(s, ntohs(ospfh->length));
580     		break;
581     	case OSPF_MSG_DB_DESC:
582     		ospf_packet_db_desc_dump(s, ntohs(ospfh->length));
583     		break;
584     	case OSPF_MSG_LS_REQ:
>>>     CID 1504898:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "ntohs(ospfh->length)" to a tainted sink.
585     		ospf_packet_ls_req_dump(s, ntohs(ospfh->length));
586     		break;
587     	case OSPF_MSG_LS_UPD:
588     		ospf_packet_ls_upd_dump(s, ntohs(ospfh->length));
589     		break;
590     	case OSPF_MSG_LS_ACK:

** CID 1504897:  Memory - corruptions  (OVERRUN)
/ospfd/ospf_apiserver.c: 1175 in ospf_apiserver_handle_register_event()


________________________________________________________________________________________________________
*** CID 1504897:  Memory - corruptions  (OVERRUN)
/ospfd/ospf_apiserver.c: 1175 in ospf_apiserver_handle_register_event()
1169     	size = ntohs(msg->hdr.msglen);
1170     	if (size < OSPF_MAX_LSA_SIZE) {
1171     
1172     		apiserv->filter = XMALLOC(MTYPE_OSPF_APISERVER_MSGFILTER, size);
1173     
1174     		/* copy it over. */
>>>     CID 1504897:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type lsa_filter_type of 4 bytes by passing it to a function which accesses it at byte offset 1498 using argument "size" (which evaluates to 1499).
1175     		memcpy(apiserv->filter, &rmsg->filter, size);
1176     		rc = OSPF_API_OK;
1177     	} else
1178     		rc = OSPF_API_NOMEMORY;
1179     
1180     	/* Send a reply back to client with return code */

