New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
Tue Mar 1 10:14:02 UTC 2022
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
4 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
9 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)
** CID 1514597: Memory - illegal accesses (OVERRUN)
/vtysh/vtysh.c: 3594 in vtysh_log_print()
________________________________________________________________________________________________________
*** CID 1514597: Memory - illegal accesses (OVERRUN)
/vtysh/vtysh.c: 3594 in vtysh_log_print()
3588 vis = &visual_prios[hdr->prio];
3589
3590 localtime_r(&ts, &tm);
3591 strftime(ts_buf, sizeof(ts_buf), "%Y-%m-%d %H:%M:%S", &tm);
3592
3593 if (!stderr_tty) {
>>> CID 1514597: Memory - illegal accesses (OVERRUN)
>>> Overrunning array of 128 bytes at byte offset 128 by dereferencing pointer "vis".
3594 const char *label = vis->label + strlen(vis->label) - 4;
3595
3596 fprintf(stderr, "%s.%03u [%s] %s: %.*s\n", ts_buf,
3597 hdr->ts_nsec / 1000000U, label, vclient->name,
3598 (int)textlen, text);
3599 return;
** CID 1514596: Control flow issues (UNEXPECTED_CONTROL_FLOW)
/vtysh/vtysh.c: 222 in vtysh_client_receive()
________________________________________________________________________________________________________
*** CID 1514596: Control flow issues (UNEXPECTED_CONTROL_FLOW)
/vtysh/vtysh.c: 222 in vtysh_client_receive()
216 cmh->cmsg_len = CMSG_LEN(sizeof(int));
217 memset(CMSG_DATA(cmh), -1, sizeof(int));
218
219 do {
220 ret = recvmsg(vclient->fd, &mh, 0);
221 if (ret < 0 && (errno == EINTR || errno == EAGAIN))
>>> CID 1514596: Control flow issues (UNEXPECTED_CONTROL_FLOW)
>>> A "continue" statement within a "do ... while (...)" loop only continues execution of the loop body if the loop continuation condition is still true. Since the condition will never be true in a "do ... while (false)" loop, the "continue" statement has the same effect as a "break" statement. Did you intend execution to continue at the top of the loop?
222 continue;
223 } while (false);
224
225 if (cmh->cmsg_len == CMSG_LEN(sizeof(int))) {
226 int fd;
227
** CID 1514595: (STRING_NULL)
/vtysh/vtysh.c: 3657 in vtysh_log_read()
________________________________________________________________________________________________________
*** CID 1514595: (STRING_NULL)
/vtysh/vtysh.c: 3682 in vtysh_log_read()
3676 puts("\r");
3677 #endif
3678 fflush(stdout);
3679 }
3680
3681 text = buf.text + sizeof(buf.hdr.argpos[0]) * buf.hdr.n_argpos;
>>> CID 1514595: (STRING_NULL)
>>> Passing unterminated string "text" to "vtysh_log_print", which expects a null-terminated string.
3682 vtysh_log_print(vclient, &buf.hdr, text);
3683
3684 if (stderr_stdout_same)
3685 rl_forced_update_display();
3686
3687 return;
/vtysh/vtysh.c: 3657 in vtysh_log_read()
3651 snprintfrr(buf.text, sizeof(buf.text),
3652 "log monitor connection error: %m");
3653 else
3654 snprintfrr(
3655 buf.text, sizeof(buf.text),
3656 "log monitor connection closed unexpectedly");
>>> CID 1514595: (STRING_NULL)
>>> Passing unterminated string "buf.text" to "strlen", which expects a null-terminated string.
3657 buf.hdr.textlen = strlen(buf.text);
3658
3659 THREAD_OFF(vclient->log_reader);
3660 close(vclient->log_fd);
3661 vclient->log_fd = -1;
3662
** CID 1514594: Memory - corruptions (OVERRUN)
/lib/yang_wrappers.c: 719 in yang_dnode_get_binary_buf()
________________________________________________________________________________________________________
*** CID 1514594: Memory - corruptions (OVERRUN)
/lib/yang_wrappers.c: 719 in yang_dnode_get_binary_buf()
713 char *value_str;
714 struct base64_decodestate s;
715
716 canon = YANG_DNODE_XPATH_GET_CANON(dnode, xpath_fmt);
717 cannon_len = strlen(canon);
718 decode_len = cannon_len;
>>> CID 1514594: Memory - corruptions (OVERRUN)
>>> Allocating insufficient memory for the terminating null of the string.
719 value_str = (char *)malloc(decode_len);
720 base64_init_decodestate(&s);
721 cnt = base64_decode_block(canon, cannon_len, value_str, &s);
722
723 ret_len = size > cnt ? cnt : size;
724 memcpy(buf, value_str, ret_len);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3DIoh9_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTxRMG4916d9Bw3KOakyvH5AvPu1pS2zV9hBX3S0-2BUhdhv4AxTi6jL5RW9883tckxqcZ8uOEdFqyLjHm5fcjjO5onGhoCbjzrBDEPiAzgfAV88ALQMkOARJE8UI1i6LYKoh4tLhE1xfuTB-2FDA9jEefF31fJ2FeU3-2BQCdd-2FHM4sPWdA-3D-3D