New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Thu Oct 14 09:10:17 UTC 2021
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
3 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)
** CID 1482152: (TAINTED_SCALAR)
/bfdd/control.c: 465 in control_read()
/bfdd/control.c: 469 in control_read()
________________________________________________________________________________________________________
*** CID 1482152: (TAINTED_SCALAR)
/bfdd/control.c: 453 in control_read()
447 /* Prepare the buffer to load the message. */
448 bcs->bcs_version = bcm.bcm_ver;
449 bcs->bcs_type = bcm.bcm_type;
450
451 bcb->bcb_pos = sizeof(bcm);
452 bcb->bcb_left = plen;
>>> CID 1482152: (TAINTED_SCALAR)
>>> Passing tainted variable "8UL + bcb->bcb_left + 1UL" to a tainted sink.
453 bcb->bcb_buf = XMALLOC(MTYPE_BFDD_NOTIFICATION,
454 sizeof(bcm) + bcb->bcb_left + 1);
455 if (bcb->bcb_buf == NULL) {
456 zlog_warn("%s: not enough memory for message size: %zu",
457 __func__, bcb->bcb_left);
458 control_free(bcs);
/bfdd/control.c: 465 in control_read()
459 return 0;
460 }
461
462 memcpy(bcb->bcb_buf, &bcm, sizeof(bcm));
463
464 /* Terminate data string with NULL for later processing. */
>>> CID 1482152: (TAINTED_SCALAR)
>>> Using tainted variable "8UL + bcb->bcb_left" as an index to pointer "(*bcb).bcb_buf".
465 bcb->bcb_buf[sizeof(bcm) + bcb->bcb_left] = 0;
466
467 skip_header:
468 /* Download the remaining data of the message and process it. */
469 bread = read(sd, &bcb->bcb_buf[bcb->bcb_pos], bcb->bcb_left);
470 if (bread == 0) {
/bfdd/control.c: 469 in control_read()
463
464 /* Terminate data string with NULL for later processing. */
465 bcb->bcb_buf[sizeof(bcm) + bcb->bcb_left] = 0;
466
467 skip_header:
468 /* Download the remaining data of the message and process it. */
>>> CID 1482152: (TAINTED_SCALAR)
>>> Passing tainted variable "bcb->bcb_left" to a tainted sink.
469 bread = read(sd, &bcb->bcb_buf[bcb->bcb_pos], bcb->bcb_left);
470 if (bread == 0) {
471 control_free(bcs);
472 return 0;
473 }
474 if (bread < 0) {
** CID 1480233: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1480233: Memory - corruptions (OVERRUN)
/vrrpd/vrrp_ndisc.c: 144 in vrrp_ndisc_una_build()
138 ph.dst = ip6h->ip6_dst;
139 ph.ulpl = htonl(len);
140 ph.next_hdr = IPPROTO_ICMPV6;
141
142 /* Suppress static analysis warnings about accessing icmp6 oob */
143 void *offset = icmp6h;
>>> CID 1480233: Memory - corruptions (OVERRUN)
>>> Overrunning struct type icmp6_hdr of 8 bytes by passing it to a function which accesses it at byte offset 31 using argument "len" (which evaluates to 32).
144 icmp6h->icmp6_cksum = in_cksum_with_ph6(&ph, offset, len);
145
146 return 0;
147 }
148
149 int vrrp_ndisc_una_send(struct vrrp_router *r, struct ipaddr *ip)
** CID 1472627: Memory - illegal accesses (USE_AFTER_FREE)
/bfdd/control.c: 300 in control_queue_dequeue()
________________________________________________________________________________________________________
*** CID 1472627: Memory - illegal accesses (USE_AFTER_FREE)
/bfdd/control.c: 300 in control_queue_dequeue()
294 control_queue_free(bcs, bcq);
295
296 /* Get the next buffer to send. */
297 if (TAILQ_EMPTY(&bcs->bcs_bcqueue))
298 goto empty_list;
299
>>> CID 1472627: Memory - illegal accesses (USE_AFTER_FREE)
>>> Using freed pointer "bcs->bcs_bcqueue.tqh_first".
300 bcq = TAILQ_FIRST(&bcs->bcs_bcqueue);
301 bcs->bcs_bout = &bcq->bcq_bcb;
302
303 bcs->bcs_outev = NULL;
304 thread_add_write(master, control_write, bcs, bcs->bcs_sd,
305 &bcs->bcs_outev);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3DdE7e_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTxrGS4vG4s-2FWsRhJfXcl4tSi3a1HLtq-2FNLmrAUQyZWvQ-2FejSdY-2BU9cOy3YVlsn5dVmoirTfs-2BCKxm0rL-2BO1zoXSxvN8ry3qOKrxJpqLhGpd6spU02UN5SMJyJH-2FnRScF8nu5b3h4s3Mk9UIpPvMRB-2F6-2F2qnQECdMcOr5yJfBC-2BprA-3D-3D