New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com
Thu Oct 14 09:10:17 UTC 2021


Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

3 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 1482152:    (TAINTED_SCALAR)
/bfdd/control.c: 465 in control_read()
/bfdd/control.c: 469 in control_read()


________________________________________________________________________________________________________
*** CID 1482152:    (TAINTED_SCALAR)
/bfdd/control.c: 453 in control_read()
447     	/* Prepare the buffer to load the message. */
448     	bcs->bcs_version = bcm.bcm_ver;
449     	bcs->bcs_type = bcm.bcm_type;
450     
451     	bcb->bcb_pos = sizeof(bcm);
452     	bcb->bcb_left = plen;
>>>     CID 1482152:    (TAINTED_SCALAR)
>>>     Passing tainted variable "8UL + bcb->bcb_left + 1UL" to a tainted sink.
453     	bcb->bcb_buf = XMALLOC(MTYPE_BFDD_NOTIFICATION,
454     			       sizeof(bcm) + bcb->bcb_left + 1);
455     	if (bcb->bcb_buf == NULL) {
456     		zlog_warn("%s: not enough memory for message size: %zu",
457     			  __func__, bcb->bcb_left);
458     		control_free(bcs);
/bfdd/control.c: 465 in control_read()
459     		return 0;
460     	}
461     
462     	memcpy(bcb->bcb_buf, &bcm, sizeof(bcm));
463     
464     	/* Terminate data string with NULL for later processing. */
>>>     CID 1482152:    (TAINTED_SCALAR)
>>>     Using tainted variable "8UL + bcb->bcb_left" as an index to pointer "(*bcb).bcb_buf".
465     	bcb->bcb_buf[sizeof(bcm) + bcb->bcb_left] = 0;
466     
467     skip_header:
468     	/* Download the remaining data of the message and process it. */
469     	bread = read(sd, &bcb->bcb_buf[bcb->bcb_pos], bcb->bcb_left);
470     	if (bread == 0) {
/bfdd/control.c: 469 in control_read()
463     
464     	/* Terminate data string with NULL for later processing. */
465     	bcb->bcb_buf[sizeof(bcm) + bcb->bcb_left] = 0;
466     
467     skip_header:
468     	/* Download the remaining data of the message and process it. */
>>>     CID 1482152:    (TAINTED_SCALAR)
>>>     Passing tainted variable "bcb->bcb_left" to a tainted sink.
469     	bread = read(sd, &bcb->bcb_buf[bcb->bcb_pos], bcb->bcb_left);
470     	if (bread == 0) {
471     		control_free(bcs);
472     		return 0;
473     	}
474     	if (bread < 0) {

** CID 1480233:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1480233:  Memory - corruptions  (OVERRUN)
/vrrpd/vrrp_ndisc.c: 144 in vrrp_ndisc_una_build()
138     	ph.dst = ip6h->ip6_dst;
139     	ph.ulpl = htonl(len);
140     	ph.next_hdr = IPPROTO_ICMPV6;
141     
142     	/* Suppress static analysis warnings about accessing icmp6 oob */
143     	void *offset = icmp6h;
>>>     CID 1480233:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type icmp6_hdr of 8 bytes by passing it to a function which accesses it at byte offset 31 using argument "len" (which evaluates to 32).
144     	icmp6h->icmp6_cksum = in_cksum_with_ph6(&ph, offset, len);
145     
146     	return 0;
147     }
148     
149     int vrrp_ndisc_una_send(struct vrrp_router *r, struct ipaddr *ip)

** CID 1472627:  Memory - illegal accesses  (USE_AFTER_FREE)
/bfdd/control.c: 300 in control_queue_dequeue()


________________________________________________________________________________________________________
*** CID 1472627:  Memory - illegal accesses  (USE_AFTER_FREE)
/bfdd/control.c: 300 in control_queue_dequeue()
294     	control_queue_free(bcs, bcq);
295     
296     	/* Get the next buffer to send. */
297     	if (TAILQ_EMPTY(&bcs->bcs_bcqueue))
298     		goto empty_list;
299     
>>>     CID 1472627:  Memory - illegal accesses  (USE_AFTER_FREE)
>>>     Using freed pointer "bcs->bcs_bcqueue.tqh_first".
300     	bcq = TAILQ_FIRST(&bcs->bcs_bcqueue);
301     	bcs->bcs_bout = &bcq->bcq_bcb;
302     
303     	bcs->bcs_outev = NULL;
304     	thread_add_write(master, control_write, bcs, bcs->bcs_sd,
305     			 &bcs->bcs_outev);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3DdE7e_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTxrGS4vG4s-2FWsRhJfXcl4tSi3a1HLtq-2FNLmrAUQyZWvQ-2FejSdY-2BU9cOy3YVlsn5dVmoirTfs-2BCKxm0rL-2BO1zoXSxvN8ry3qOKrxJpqLhGpd6spU02UN5SMJyJH-2FnRScF8nu5b3h4s3Mk9UIpPvMRB-2F6-2F2qnQECdMcOr5yJfBC-2BprA-3D-3D



