New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com
Fri Oct 8 09:10:13 UTC 2021


Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

2 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 1482152:    (TAINTED_SCALAR)
/bfdd/control.c: 465 in control_read()
/bfdd/control.c: 469 in control_read()


________________________________________________________________________________________________________
*** CID 1482152:    (TAINTED_SCALAR)
/bfdd/control.c: 453 in control_read()
447     	/* Prepare the buffer to load the message. */
448     	bcs->bcs_version = bcm.bcm_ver;
449     	bcs->bcs_type = bcm.bcm_type;
450     
451     	bcb->bcb_pos = sizeof(bcm);
452     	bcb->bcb_left = plen;
>>>     CID 1482152:    (TAINTED_SCALAR)
>>>     Passing tainted variable "8UL + bcb->bcb_left + 1UL" to a tainted sink.
453     	bcb->bcb_buf = XMALLOC(MTYPE_BFDD_NOTIFICATION,
454     			       sizeof(bcm) + bcb->bcb_left + 1);
455     	if (bcb->bcb_buf == NULL) {
456     		zlog_warn("%s: not enough memory for message size: %zu",
457     			  __func__, bcb->bcb_left);
458     		control_free(bcs);
/bfdd/control.c: 465 in control_read()
459     		return 0;
460     	}
461     
462     	memcpy(bcb->bcb_buf, &bcm, sizeof(bcm));
463     
464     	/* Terminate data string with NULL for later processing. */
>>>     CID 1482152:    (TAINTED_SCALAR)
>>>     Using tainted variable "8UL + bcb->bcb_left" as an index to pointer "(*bcb).bcb_buf".
465     	bcb->bcb_buf[sizeof(bcm) + bcb->bcb_left] = 0;
466     
467     skip_header:
468     	/* Download the remaining data of the message and process it. */
469     	bread = read(sd, &bcb->bcb_buf[bcb->bcb_pos], bcb->bcb_left);
470     	if (bread == 0) {
/bfdd/control.c: 469 in control_read()
463     
464     	/* Terminate data string with NULL for later processing. */
465     	bcb->bcb_buf[sizeof(bcm) + bcb->bcb_left] = 0;
466     
467     skip_header:
468     	/* Download the remaining data of the message and process it. */
>>>     CID 1482152:    (TAINTED_SCALAR)
>>>     Passing tainted variable "bcb->bcb_left" to a tainted sink.
469     	bread = read(sd, &bcb->bcb_buf[bcb->bcb_pos], bcb->bcb_left);
470     	if (bread == 0) {
471     		control_free(bcs);
472     		return 0;
473     	}
474     	if (bread < 0) {

** CID 1472627:  Memory - illegal accesses  (USE_AFTER_FREE)
/bfdd/control.c: 300 in control_queue_dequeue()


________________________________________________________________________________________________________
*** CID 1472627:  Memory - illegal accesses  (USE_AFTER_FREE)
/bfdd/control.c: 300 in control_queue_dequeue()
294     	control_queue_free(bcs, bcq);
295     
296     	/* Get the next buffer to send. */
297     	if (TAILQ_EMPTY(&bcs->bcs_bcqueue))
298     		goto empty_list;
299     
>>>     CID 1472627:  Memory - illegal accesses  (USE_AFTER_FREE)
>>>     Using freed pointer "bcs->bcs_bcqueue.tqh_first".
300     	bcq = TAILQ_FIRST(&bcs->bcs_bcqueue);
301     	bcs->bcs_bout = &bcq->bcq_bcb;
302     
303     	bcs->bcs_outev = NULL;
304     	thread_add_write(master, control_write, bcs, bcs->bcs_sd,
305     			 &bcs->bcs_outev);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3D9DE2_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTzHiCUlM-2BORBRk42Y7-2FfTq-2Fq2BuW0IiAtMLou4rM5hCnXoHAJM3JrjE96nqYH7u90fmVeEdpQ-2Bx5Yx51qUfBXqmQwEZ3sH75bqybXbOztP2wapZOt4nBoQiidC4p9IOuino-2B7LjQV24KW6xWs7TLb3x8KrxkwYBWoFF-2BtiiEpmDwA-3D-3D



