New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
Wed Feb 9 10:15:38 UTC 2022
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
3 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)
** CID 1511348: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1511348: Null pointer dereferences (FORWARD_NULL)
/bgpd/bgp_attr_evpn.c: 58 in bgp_add_routermac_ecom()
52      memset(&routermac_ecom, 0, sizeof(struct ecommunity_val));
53      routermac_ecom.val[0] = ECOMMUNITY_ENCODE_EVPN;
54      routermac_ecom.val[1] = ECOMMUNITY_EVPN_SUBTYPE_ROUTERMAC;
55      memcpy(&routermac_ecom.val[2], routermac->octet, ETH_ALEN);
56      if (!ecomm)
57          bgp_attr_set_ecommunity(attr, ecommunity_new());
>>> CID 1511348: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "ecomm" to "ecommunity_add_val", which dereferences it.
58      ecommunity_add_val(ecomm, &routermac_ecom, false, false);
59      ecommunity_str(ecomm);
60  }
61
62  /* converts to an esi
63   * returns 1 on success, 0 otherwise
** CID 1511347: Null pointer dereferences (REVERSE_INULL)
/bgpd/rfapi/rfapi_vty.c: 476 in rfapiPrintAttrPtrs()
________________________________________________________________________________________________________
*** CID 1511347: Null pointer dereferences (REVERSE_INULL)
/bgpd/rfapi/rfapi_vty.c: 476 in rfapiPrintAttrPtrs()
470     struct ecommunity *ecomm = bgp_attr_get_ecommunity(attr);
471
472     if (rfapiStream2Vty(stream, &fp, &vty, &out, &vty_newline) == 0)
473         return;
474
475     fp(out, "Attr[%p]:%s", attr, HVTYNL);
>>> CID 1511347: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "attr" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
476     if (!attr)
477         return;
478
479     /* IPv4 Nexthop */
480     inet_ntop(AF_INET, &attr->nexthop, buf, BUFSIZ);
481     fp(out, " nexthop=%s%s", buf, HVTYNL);
** CID 1210465: Insecure data handling (TAINTED_SCALAR)
/babeld/message.c: 375 in parse_packet()
________________________________________________________________________________________________________
*** CID 1210465: Insecure data handling (TAINTED_SCALAR)
/babeld/message.c: 375 in parse_packet()
369         return;
370     }
371
372     DO_NTOHS(bodylen, packet + 2);
373
374     i = 0;
>>> CID 1210465: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "bodylen" as a loop boundary.
375     while(i < bodylen) {
376         message = packet + 4 + i;
377         type = message[0];
378         if(type == MESSAGE_PAD1) {
379             debugf(BABEL_DEBUG_COMMON,"Received pad1 from %s on %s.",
380                    format_address(from), ifp->name);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3DXXms_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTwxgFLTOaTTW9HnBzvOG9AXWdUW9bY07zCmjxkgBVUago0xmDQYrq7fAWmvNbtIt1iJAh7zuGo8aoprnlqfwvY71SlRgwGlTON0xscIMjebjjuI3QDwCrapPGE-2Fq-2FoUnGdr5LYuFKxIkMlpDxF2TDmZ4o-2FIFQL8sjWW1CQRbyvxzT-2FDsvIumOHoPGPAJXinRDM-3D