New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
Sun Nov 12 00:22:25 UTC 2023
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
3 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)
** CID 1570969: (OVERRUN)
/bgpd/bgp_snmp_bgp4v2.c: 534 in bgp4v2PathAttrLookup()
/bgpd/bgp_snmp_bgp4v2.c: 575 in bgp4v2PathAttrLookup()
/bgpd/bgp_snmp_bgp4v2.c: 514 in bgp4v2PathAttrLookup()
________________________________________________________________________________________________________
*** CID 1570969: (OVERRUN)
/bgpd/bgp_snmp_bgp4v2.c: 534 in bgp4v2PathAttrLookup()
528 /* Set OID offset for prefix type */
529 offset = name + namelen;
530 offsetlen = *length - namelen;
531 len = offsetlen;
532
533 if (offsetlen == 0) {
>>> CID 1570969: (OVERRUN)
>>> Overrunning array "bgp->rib" of 4 64-byte elements at element index 4 (byte offset 319) using index "afi" (which evaluates to 4). Reviewer note: bgp->rib has only 4 rows, so "afi" must be range-checked against that dimension (the AFI enum bound) before it is used as an index here and on lines 514 and 575. The comment at lines 538-539 suggests the AFI is taken from the request OID ("name"), which would make an unchecked value attacker-influenced SNMP input rather than a programming constant — confirm where "afi" is assigned and reject out-of-range values with an early "return NULL".
534 dest = bgp_table_top(bgp->rib[afi][SAFI_UNICAST]);
535 safi = SAFI_UNICAST;
536 } else {
537
538 /* bgp4V2NlriAfi is already get */
539 /* it is comming from the name parameter */
/bgpd/bgp_snmp_bgp4v2.c: 575 in bgp4v2PathAttrLookup()
569 addr->prefixlen = afi_len * 8;
570
571 offset++;
572 offsetlen--;
573
574 /* get node */
>>> CID 1570969: (OVERRUN)
>>> Overrunning array "bgp->rib" of 4 64-byte elements at element index 4 (byte offset 319) using index "afi" (which evaluates to 4).
575 dest = bgp_node_get(bgp->rib[afi][safi], addr);
576 }
577
578 if (!dest)
579 return NULL;
580
/bgpd/bgp_snmp_bgp4v2.c: 514 in bgp4v2PathAttrLookup()
508 else
509 oid2in6_addr(offset, &su.sin6.sin6_addr);
510
511 /* bgp4V2NlriIndex currently ignored */
512
513 /* Lookup node */
>>> CID 1570969: (OVERRUN)
>>> Overrunning array "bgp->rib" of 4 64-byte elements at element index 4 (byte offset 319) using index "afi" (which evaluates to 4).
514 dest = bgp_node_lookup(bgp->rib[afi][safi], addr);
515 if (dest) {
516 for (path = bgp_dest_get_bgp_path_info(dest); path;
517 path = path->next)
518 if (sockunion_same(&path->peer->connection->su,
519 &su))
** CID 1570968: Memory - corruptions (OVERRUN)
/bgpd/bgp_snmp_bgp4v2.c: 605 in bgp4v2PathAttrLookup()
________________________________________________________________________________________________________
*** CID 1570968: Memory - corruptions (OVERRUN)
/bgpd/bgp_snmp_bgp4v2.c: 605 in bgp4v2PathAttrLookup()
599 } else {
600 /* default case start with ipv4*/
601 if (afi == AFI_IP)
602 family = AF_INET;
603 else
604 family = AF_INET6;
>>> CID 1570968: Memory - corruptions (OVERRUN)
>>> Overrunning struct type in_addr of 4 bytes by passing it to a function which accesses it at byte offset 15 using argument "16UL". Reviewer note: the memset is anchored at the 4-byte "_v4_addr" member but sized by the enclosing "paddr.ip"; if paddr.ip is a union that begins with _v4_addr the write stays inside the union, but the intent is clearly to clear the whole address and the warning disappears with `memset(&paddr.ip, 0, sizeof(paddr.ip));` — confirm the layout of paddr.ip before relying on the current form.
605 memset(&paddr.ip._v4_addr, 0, sizeof(paddr.ip));
606 }
607
608 do {
609 min = NULL;
610 min_family = 0;
** CID 1570967: (SIZEOF_MISMATCH)
/bgpd/bgp_snmp_bgp4v2.c: 702 in bgp4v2PathAttrLookup()
/bgpd/bgp_snmp_bgp4v2.c: 483 in bgp4v2PathAttrLookup()
/bgpd/bgp_snmp_bgp4v2.c: 561 in bgp4v2PathAttrLookup()
/bgpd/bgp_snmp_bgp4v2.c: 695 in bgp4v2PathAttrLookup()
/bgpd/bgp_snmp_bgp4v2.c: 682 in bgp4v2PathAttrLookup()
/bgpd/bgp_snmp_bgp4v2.c: 487 in bgp4v2PathAttrLookup()
/bgpd/bgp_snmp_bgp4v2.c: 677 in bgp4v2PathAttrLookup()
/bgpd/bgp_snmp_bgp4v2.c: 556 in bgp4v2PathAttrLookup()
________________________________________________________________________________________________________
*** CID 1570967: (SIZEOF_MISMATCH)
/bgpd/bgp_snmp_bgp4v2.c: 702 in bgp4v2PathAttrLookup()
696 addr->u.prefix4 = rn_p->u.prefix4;
697 } else {
698 *offset = IANA_AFI_IPV6;
699 offset++;
700 oid_copy_in6_addr(
701 offset, &min->peer->connection->su.sin6.sin6_addr);
>>> CID 1570967: (SIZEOF_MISMATCH)
>>> Adding "16UL /* sizeof (struct in6_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in6_addr)" is extraneous and should be replaced with 1. Reviewer note: this looks like a false positive in context — the OID index appears to carry one address octet per sub-identifier (oid2in_addr at line 481 takes IN_ADDR_SIZE as its element count, and the family tag occupies a single sub-identifier), so advancing "offset" by IN_ADDR_SIZE or IN6_ADDR_SIZE oid elements is the intended stride and changing it to 1 would desynchronize encoder and decoder. The real thing to verify on the decode side (lines 550-562) is that "offsetlen" is checked to be at least IN_ADDR_SIZE/IN6_ADDR_SIZE before the address is read and subtracted; in the visible lines no such check precedes "offsetlen -= IN_ADDR_SIZE", so a short request OID could read past the supplied name buffer and underflow offsetlen.
702 offset += IN6_ADDR_SIZE;
703 addr->u.prefix6 = rn_p->u.prefix6;
704 }
705
706 /* Encode bgp4V2NlriIndex*/
707
/bgpd/bgp_snmp_bgp4v2.c: 483 in bgp4v2PathAttrLookup()
477 offset++;
478
479 /* get bgp4V2NlriPrefix */
480 if (prefix_type == IANA_AFI_IPV4) {
481 oid2in_addr(offset, IN_ADDR_SIZE, &addr->u.prefix4);
482 addr->family = AF_INET;
>>> CID 1570967: (SIZEOF_MISMATCH)
>>> Adding "4UL /* sizeof (struct in_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in_addr)" is extraneous and should be replaced with 1.
483 offset += IN_ADDR_SIZE;
484 } else if (prefix_type == IANA_AFI_IPV6) {
485 oid2in6_addr(offset, &addr->u.prefix6);
486 addr->family = AF_INET6;
487 offset += IN6_ADDR_SIZE;
488 }
/bgpd/bgp_snmp_bgp4v2.c: 561 in bgp4v2PathAttrLookup()
555 addr->family = AF_INET;
556 offset += IN_ADDR_SIZE;
557 offsetlen -= IN_ADDR_SIZE;
558 } else if (prefix_type == IANA_AFI_IPV6) {
559 oid2in6_addr(offset, &addr->u.prefix6);
560 addr->family = AF_INET6;
>>> CID 1570967: (SIZEOF_MISMATCH)
>>> Adding "16UL /* sizeof (struct in6_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in6_addr)" is extraneous and should be replaced with 1.
561 offset += IN6_ADDR_SIZE;
562 offsetlen -= IN6_ADDR_SIZE;
563 }
564
565 /* get bgp4V2NlriPrefixLen */
566 if (offsetlen > 0)
/bgpd/bgp_snmp_bgp4v2.c: 695 in bgp4v2PathAttrLookup()
689 /* Encode bgp4V2PeerRemoteAddr */
690 if (min_family == AF_INET) {
691 *offset = IANA_AFI_IPV4;
692 offset++;
693 oid_copy_in_addr(offset,
694 &min->peer->connection->su.sin.sin_addr);
>>> CID 1570967: (SIZEOF_MISMATCH)
>>> Adding "4UL /* sizeof (struct in_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in_addr)" is extraneous and should be replaced with 1.
695 offset += IN_ADDR_SIZE;
696 addr->u.prefix4 = rn_p->u.prefix4;
697 } else {
698 *offset = IANA_AFI_IPV6;
699 offset++;
700 oid_copy_in6_addr(
/bgpd/bgp_snmp_bgp4v2.c: 682 in bgp4v2PathAttrLookup()
676 oid_copy_in_addr(offset, &rn_p->u.prefix4);
677 offset += IN_ADDR_SIZE;
678 } else {
679 *offset = IANA_AFI_IPV6;
680 offset++;
681 oid_copy_in6_addr(offset, &rn_p->u.prefix6);
>>> CID 1570967: (SIZEOF_MISMATCH)
>>> Adding "16UL /* sizeof (struct in6_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in6_addr)" is extraneous and should be replaced with 1.
682 offset += IN6_ADDR_SIZE;
683 }
684 /* encode bgp4V2NlriPrefixLen into index*/
685 *offset = rn_p->prefixlen;
686 offset++;
687
/bgpd/bgp_snmp_bgp4v2.c: 487 in bgp4v2PathAttrLookup()
481 oid2in_addr(offset, IN_ADDR_SIZE, &addr->u.prefix4);
482 addr->family = AF_INET;
483 offset += IN_ADDR_SIZE;
484 } else if (prefix_type == IANA_AFI_IPV6) {
485 oid2in6_addr(offset, &addr->u.prefix6);
486 addr->family = AF_INET6;
>>> CID 1570967: (SIZEOF_MISMATCH)
>>> Adding "16UL /* sizeof (struct in6_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in6_addr)" is extraneous and should be replaced with 1.
487 offset += IN6_ADDR_SIZE;
488 }
489
490 /* get bgp4V2NlriPrefixLen */
491 addr->prefixlen = *offset;
492 offset++;
/bgpd/bgp_snmp_bgp4v2.c: 677 in bgp4v2PathAttrLookup()
671 /* encode bgp4V2NlriPrefixType into index*/
672 /* encode bgp4V2NlriPrefix into index */
673 if (rn_p->family == AF_INET) {
674 *offset = IANA_AFI_IPV4;
675 offset++;
676 oid_copy_in_addr(offset, &rn_p->u.prefix4);
>>> CID 1570967: (SIZEOF_MISMATCH)
>>> Adding "4UL /* sizeof (struct in_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in_addr)" is extraneous and should be replaced with 1.
677 offset += IN_ADDR_SIZE;
678 } else {
679 *offset = IANA_AFI_IPV6;
680 offset++;
681 oid_copy_in6_addr(offset, &rn_p->u.prefix6);
682 offset += IN6_ADDR_SIZE;
/bgpd/bgp_snmp_bgp4v2.c: 556 in bgp4v2PathAttrLookup()
550 prefix_type = *offset;
551 offset++;
552 /* get bgp4V2NlriPrefix */
553 if (prefix_type == IANA_AFI_IPV4) {
554 oid2in_addr(offset, IN_ADDR_SIZE, &addr->u.prefix4);
555 addr->family = AF_INET;
>>> CID 1570967: (SIZEOF_MISMATCH)
>>> Adding "4UL /* sizeof (struct in_addr) */" to pointer "offset" of type "oid *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 8 bytes, of the pointed-to type, "oid". Most likely, "sizeof (struct in_addr)" is extraneous and should be replaced with 1.
556 offset += IN_ADDR_SIZE;
557 offsetlen -= IN_ADDR_SIZE;
558 } else if (prefix_type == IANA_AFI_IPV6) {
559 oid2in6_addr(offset, &addr->u.prefix6);
560 addr->family = AF_INET6;
561 offset += IN6_ADDR_SIZE;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BoAJF92cCodBN9BBnDbw-2FFg-3DU_Ia_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTxbSrSGLqVG7446ed-2FSoWnFt98BdYOOR4rX-2FlhsQ5LtcB5p3aofQdfqCXzg-2BsdosY0fXWDw6I-2BxHqMq1jBrjOIQ9BK3Arp6chWkkB0h1bNYE4VRdxWGgybX9dxQmAG9p5sgdTr5rZDYhAk3S56LGL3pzNOzAd6grVp28VuQw856yQ-3D-3D