New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com scan-admin at coverity.com
Fri Feb 11 10:15:19 UTC 2022


Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

7 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 7 of 7 defect(s)


** CID 1511366:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1511366:    (TAINTED_SCALAR)
/ospf6d/ospf6_message.c: 2631 in ospf6_make_lsupdate_list()
2625     		     + OSPF6_HEADER_SIZE)
2626     		    > ospf6_packet_max(on->ospf6_if)) {
2627     			ospf6_fill_header(on->ospf6_if, (*op)->s,
2628     					  length + OSPF6_HEADER_SIZE);
2629     			(*op)->length = length + OSPF6_HEADER_SIZE;
2630     			ospf6_fill_lsupdate_header((*op)->s, *lsa_cnt);
>>>     CID 1511366:    (TAINTED_SCALAR)
>>>     Passing tainted variable "(*op)->length" to a tainted sink.
2631     			ospf6_send_lsupdate(on, NULL, *op);
2632     
2633     			/* refresh packet */
2634     			*op = ospf6_packet_new(on->ospf6_if->ifmtu);
2635     			length = OSPF6_LS_UPD_MIN_SIZE;
2636     			*lsa_cnt = 0;
/ospf6d/ospf6_message.c: 2631 in ospf6_make_lsupdate_list()
2625     		     + OSPF6_HEADER_SIZE)
2626     		    > ospf6_packet_max(on->ospf6_if)) {
2627     			ospf6_fill_header(on->ospf6_if, (*op)->s,
2628     					  length + OSPF6_HEADER_SIZE);
2629     			(*op)->length = length + OSPF6_HEADER_SIZE;
2630     			ospf6_fill_lsupdate_header((*op)->s, *lsa_cnt);
>>>     CID 1511366:    (TAINTED_SCALAR)
>>>     Passing tainted variable "(*op)->length" to a tainted sink.
2631     			ospf6_send_lsupdate(on, NULL, *op);
2632     
2633     			/* refresh packet */
2634     			*op = ospf6_packet_new(on->ospf6_if->ifmtu);
2635     			length = OSPF6_LS_UPD_MIN_SIZE;
2636     			*lsa_cnt = 0;

** CID 1511365:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1511365:    (TAINTED_SCALAR)
/ospf6d/ospf6_message.c: 2674 in ospf6_make_ls_retrans_list()
2668     			ospf6_fill_lsupdate_header((*op)->s, *lsa_cnt);
2669     			if (on->ospf6_if->state == OSPF6_INTERFACE_POINTTOPOINT)
2670     				(*op)->dst = allspfrouters6;
2671     			else
2672     				(*op)->dst = on->linklocal_addr;
2673     
>>>     CID 1511365:    (TAINTED_SCALAR)
>>>     Passing tainted variable "(*op)->length" to a tainted sink.
2674     			ospf6_fill_hdr_checksum(on->ospf6_if, *op);
2675     			ospf6_packet_add(on->ospf6_if, *op);
2676     			OSPF6_MESSAGE_WRITE_ON(on->ospf6_if);
2677     
2678     			/* refresh packet */
2679     			*op = ospf6_packet_new(on->ospf6_if->ifmtu);
/ospf6d/ospf6_message.c: 2674 in ospf6_make_ls_retrans_list()
2668     			ospf6_fill_lsupdate_header((*op)->s, *lsa_cnt);
2669     			if (on->ospf6_if->state == OSPF6_INTERFACE_POINTTOPOINT)
2670     				(*op)->dst = allspfrouters6;
2671     			else
2672     				(*op)->dst = on->linklocal_addr;
2673     
>>>     CID 1511365:    (TAINTED_SCALAR)
>>>     Passing tainted variable "(*op)->length" to a tainted sink.
2674     			ospf6_fill_hdr_checksum(on->ospf6_if, *op);
2675     			ospf6_packet_add(on->ospf6_if, *op);
2676     			OSPF6_MESSAGE_WRITE_ON(on->ospf6_if);
2677     
2678     			/* refresh packet */
2679     			*op = ospf6_packet_new(on->ospf6_if->ifmtu);
/ospf6d/ospf6_message.c: 2674 in ospf6_make_ls_retrans_list()
2668     			ospf6_fill_lsupdate_header((*op)->s, *lsa_cnt);
2669     			if (on->ospf6_if->state == OSPF6_INTERFACE_POINTTOPOINT)
2670     				(*op)->dst = allspfrouters6;
2671     			else
2672     				(*op)->dst = on->linklocal_addr;
2673     
>>>     CID 1511365:    (TAINTED_SCALAR)
>>>     Passing tainted variable "(*op)->length" to a tainted sink.
2674     			ospf6_fill_hdr_checksum(on->ospf6_if, *op);
2675     			ospf6_packet_add(on->ospf6_if, *op);
2676     			OSPF6_MESSAGE_WRITE_ON(on->ospf6_if);
2677     
2678     			/* refresh packet */
2679     			*op = ospf6_packet_new(on->ospf6_if->ifmtu);

** CID 1511364:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1511364:  Insecure data handling  (TAINTED_SCALAR)
/ospf6d/ospf6_message.c: 2125 in ospf6_write()
2119     
2120     		if (oi->at_data.flags != 0) {
2121     			at_len = ospf6_auth_len_get(oi);
2122     			if (at_len) {
2123     				iovector[0].iov_len =
2124     					ntohs(oh->length) + at_len;
>>>     CID 1511364:  Insecure data handling  (TAINTED_SCALAR)
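>>>     Passing tainted variable "iovector[0].iov_len" to a tainted sink. The value is ntohs(oh->length) + at_len (lines 2123-2124); the excerpt does not show where oh->length is set or whether the sum is bounded before ospf6_auth_digest_send() uses it.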
2125     				ospf6_auth_digest_send(oi->linklocal_addr, oi,
2126     						       oh, at_len,
2127     						       iovector[0].iov_len);
2128     			} else {
2129     				iovector[0].iov_len = ntohs(oh->length);
2130     			}

** CID 1511363:    (DEADCODE)
/ospf6d/ospf6_auth_trailer.c: 275 in ospf6_hash_hmac_sha_digest()
/ospf6d/ospf6_auth_trailer.c: 274 in ospf6_hash_hmac_sha_digest()


________________________________________________________________________________________________________
*** CID 1511363:    (DEADCODE)
/ospf6d/ospf6_auth_trailer.c: 275 in ospf6_hash_hmac_sha_digest()
269     	case KEYCHAIN_ALGO_HMAC_SHA512:
270     #ifdef CRYPTO_OPENSSL
271     		sha512_digest(mes, len, digest);
272     #endif
273     		break;
274     	case KEYCHAIN_ALGO_NULL:
>>>     CID 1511363:    (DEADCODE)
>>>     Execution cannot reach this statement: "case KEYCHAIN_ALGO_MAX:".
275     	case KEYCHAIN_ALGO_MAX:
276     	default:
277     		/* no action */
278     		break;
279     	}
280     }
/ospf6d/ospf6_auth_trailer.c: 274 in ospf6_hash_hmac_sha_digest()
268     		break;
269     	case KEYCHAIN_ALGO_HMAC_SHA512:
270     #ifdef CRYPTO_OPENSSL
271     		sha512_digest(mes, len, digest);
272     #endif
273     		break;
>>>     CID 1511363:    (DEADCODE)
>>>     Execution cannot reach this statement: "case KEYCHAIN_ALGO_NULL:".
274     	case KEYCHAIN_ALGO_NULL:
275     	case KEYCHAIN_ALGO_MAX:
276     	default:
277     		/* no action */
278     		break;
279     	}

** CID 1511362:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1511362:  Insecure data handling  (TAINTED_SCALAR)
/ospf6d/ospf6_auth_trailer.c: 541 in ospf6_auth_check_digest()
535     
536     	auth_len = ntohs(ospf6_auth->length);
537     
538     	memcpy(temp_hash, ospf6_auth->data, hash_len);
539     	memcpy(ospf6_auth->data, apad, hash_len);
540     
>>>     CID 1511362:  Insecure data handling  (TAINTED_SCALAR)
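>>>     Passing tainted variable "oh_len + auth_len + lls_block_len" to a tainted sink. Of these, auth_len is ntohs(ospf6_auth->length) (line 536); the lines shown do not check it before the sum is passed to ospf6_auth_update_digest().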
541     	ospf6_auth_update_digest(oi, oh, ospf6_auth, auth_str,
542     				 (oh_len + auth_len + lls_block_len),
543     				 hash_algo);
544     
545     #ifdef CRYPTO_OPENSSL
546     	ret = CRYPTO_memcmp(temp_hash, ospf6_auth->data, hash_len);

** CID 1511361:  Insecure data handling  (TAINTED_SCALAR)
/ospf6d/ospf6_auth_trailer.c: 124 in ospf6_auth_hdr_dump_recv()


________________________________________________________________________________________________________
*** CID 1511361:  Insecure data handling  (TAINTED_SCALAR)
/ospf6d/ospf6_auth_trailer.c: 124 in ospf6_auth_hdr_dump_recv()
118     	at_len = length - (oh_len + lls_len);
119     	if (at_len > 0) {
120     		ospf6_at_hdr =
121     			(struct ospf6_auth_hdr *)((uint8_t *)ospfh + oh_len);
122     		at_hdr_len = ntohs(ospf6_at_hdr->length);
123     		hash_len = at_hdr_len - OSPF6_AUTH_HDR_MIN_SIZE;
>>>     CID 1511361:  Insecure data handling  (TAINTED_SCALAR)
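>>>     Passing tainted variable "hash_len" to a tainted sink. hash_len is at_hdr_len - OSPF6_AUTH_HDR_MIN_SIZE, with at_hdr_len read from the authentication trailer's length field (line 122), and it is used both as the memcpy size and as the index for the terminator written into temp; the lines shown contain no check that at_hdr_len is at least OSPF6_AUTH_HDR_MIN_SIZE or that hash_len fits in temp.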
124     		memcpy(temp, ospf6_at_hdr->data, hash_len);
125     		temp[hash_len] = '\0';
126     		zlog_debug("OSPF6 Authentication Trailer");
127     		zlog_debug("  Type %d", ntohs(ospf6_at_hdr->type));
128     		zlog_debug("  Length %d", at_hdr_len);
129     		zlog_debug("  Reserved %d", ospf6_at_hdr->reserved);

** CID 1482146:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1482146:  Insecure data handling  (TAINTED_SCALAR)
/ospf6d/ospf6_message.c: 2787 in ospf6_lsupdate_send_neighbor_now()
2781     
2782     	if (IS_OSPF6_DEBUG_FLOODING
2783     	    || IS_OSPF6_DEBUG_MESSAGE(OSPF6_MESSAGE_TYPE_LSUPDATE, SEND_HDR))
2784     		zlog_debug("%s: Send lsupdate with lsa %s (age %u)", __func__,
2785     			   lsa->name, ntohs(lsa->header->age));
2786     
>>>     CID 1482146:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "op->length" to a tainted sink.
2787     	ospf6_send_lsupdate(on, NULL, op);
2788     
2789     	return 0;
2790     }
2791     
2792     static uint16_t ospf6_make_lsupdate_interface(struct ospf6_interface *oi,


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3D1p4G_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTw9dXdNV9ZUPzcRSmNPhgBe6zPmJu6MA77uC96dbkZBcsbyit1-2FE-2F3a5uzm-2BmWZesBu65XNvkDz-2FwbRjm3seIH0T942-2FjBVdjXabWmEvLMRwcGU3v6z4vcQhtMnZWNVb1lRVqqq4BlIsZ8TRqoVVKpxSK97qZiOQ2oIPd8HOGIIPA-3D-3D



