New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
Thu Sep 28 12:38:11 UTC 2023
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
6 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)
** CID 1568381: Insecure data handling (TAINTED_SCALAR)
/bgpd/bgp_linkstate_tlv.c: 1408 in bgp_linkstate_tlv_opaque_display()
________________________________________________________________________________________________________
*** CID 1568381: Insecure data handling (TAINTED_SCALAR)
/bgpd/bgp_linkstate_tlv.c: 1408 in bgp_linkstate_tlv_opaque_display()
1402
1403 if (pnt + sub_length > lim) {
1404 vty_out(vty, "Bad length received: %u\n", sub_length);
1405 break;
1406 }
1407
>>> CID 1568381: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "sub_length" as a loop boundary.
1408 for (i = 0; i < sub_length; i++) {
1409 if (i != 0 && i % 8 == 0)
1410 vty_out(vty, " ");
1411 vty_out(vty, "%02x", *pnt);
1412 }
1413 }
** CID 1568380: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1568380: Insecure data handling (TAINTED_SCALAR)
/bgpd/bgp_linkstate_tlv.c: 692 in bgp_linkstate_nlri_prefix_json()
686 length = pnt_decode16(&pnt);
687
688 if (pnt + length > lim)
689 /* bad length */
690 return;
691
>>> CID 1568380: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "length" to "bgp_linkstate_nlri_value_display", which uses it as an offset.
692 ret = bgp_linkstate_nlri_value_display(NULL, 0, pnt, nlri_type,
693 type, length, false,
694 json_nlri);
695
696 if (!ret)
697 /* bad length */
** CID 1568379: Control flow issues (DEADCODE)
/bgpd/bgp_attr.c: 784 in link_state_hash_cmp()
________________________________________________________________________________________________________
*** CID 1568379: Control flow issues (DEADCODE)
/bgpd/bgp_attr.c: 784 in link_state_hash_cmp()
778 const struct bgp_attr_ls *link_state1 = p1;
779 const struct bgp_attr_ls *link_state2 = p2;
780
781 if (!link_state1 && link_state2)
782 return false;
783 if (!link_state1 && link_state2)
>>> CID 1568379: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return false;".
784 return false;
785 if (!link_state1 && !link_state2)
786 return true;
787
788 if (link_state1->length != link_state2->length)
789 return false;
** CID 1568378: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1568378: (TAINTED_SCALAR)
/bgpd/bgp_linkstate_tlv.c: 1747 in bgp_linkstate_tlv_attribute_display()
1741 vty_out(vty, "Bad length received: %u\n",
1742 length);
1743 break;
1744 }
1745 }
1746
>>> CID 1568378: (TAINTED_SCALAR)
>>> Passing tainted expression "length" to "bgp_linkstate_tlv_attribute_value_display", which uses it as a loop boundary.
1747 bgp_linkstate_tlv_attribute_value_display(
1748 vty, pnt, type, length, indent, json_tlv);
1749 }
/bgpd/bgp_linkstate_tlv.c: 1747 in bgp_linkstate_tlv_attribute_display()
1741 vty_out(vty, "Bad length received: %u\n",
1742 length);
1743 break;
1744 }
1745 }
1746
>>> CID 1568378: (TAINTED_SCALAR)
>>> Passing tainted expression "length" to "bgp_linkstate_tlv_attribute_value_display", which uses it as a loop boundary.
1747 bgp_linkstate_tlv_attribute_value_display(
1748 vty, pnt, type, length, indent, json_tlv);
1749 }
/bgpd/bgp_linkstate_tlv.c: 1747 in bgp_linkstate_tlv_attribute_display()
1741 vty_out(vty, "Bad length received: %u\n",
1742 length);
1743 break;
1744 }
1745 }
1746
>>> CID 1568378: (TAINTED_SCALAR)
>>> Passing tainted expression "length" to "bgp_linkstate_tlv_attribute_value_display", which uses it as an offset.
1747 bgp_linkstate_tlv_attribute_value_display(
1748 vty, pnt, type, length, indent, json_tlv);
1749 }
/bgpd/bgp_linkstate_tlv.c: 1747 in bgp_linkstate_tlv_attribute_display()
1741 vty_out(vty, "Bad length received: %u\n",
1742 length);
1743 break;
1744 }
1745 }
1746
>>> CID 1568378: (TAINTED_SCALAR)
>>> Passing tainted expression "length" to "bgp_linkstate_tlv_attribute_value_display", which uses it as a loop boundary.
1747 bgp_linkstate_tlv_attribute_value_display(
1748 vty, pnt, type, length, indent, json_tlv);
1749 }
/bgpd/bgp_linkstate_tlv.c: 1747 in bgp_linkstate_tlv_attribute_display()
1741 vty_out(vty, "Bad length received: %u\n",
1742 length);
1743 break;
1744 }
1745 }
1746
>>> CID 1568378: (TAINTED_SCALAR)
>>> Passing tainted expression "length" to "bgp_linkstate_tlv_attribute_value_display", which uses it as an offset.
1747 bgp_linkstate_tlv_attribute_value_display(
1748 vty, pnt, type, length, indent, json_tlv);
1749 }
/bgpd/bgp_linkstate_tlv.c: 1747 in bgp_linkstate_tlv_attribute_display()
1741 vty_out(vty, "Bad length received: %u\n",
1742 length);
1743 break;
1744 }
1745 }
1746
>>> CID 1568378: (TAINTED_SCALAR)
>>> Passing tainted expression "length" to "bgp_linkstate_tlv_attribute_value_display", which uses it as an offset.
1747 bgp_linkstate_tlv_attribute_value_display(
1748 vty, pnt, type, length, indent, json_tlv);
1749 }
** CID 1568377: (OVERRUN)
/bgpd/bgp_linkstate_tlv.c: 156 in bgp_ls_tlv_check_size()
/bgpd/bgp_linkstate_tlv.c: 165 in bgp_ls_tlv_check_size()
/bgpd/bgp_linkstate_tlv.c: 161 in bgp_ls_tlv_check_size()
/bgpd/bgp_linkstate_tlv.c: 163 in bgp_ls_tlv_check_size()
________________________________________________________________________________________________________
*** CID 1568377: (OVERRUN)
/bgpd/bgp_linkstate_tlv.c: 156 in bgp_ls_tlv_check_size()
150 };
151 /* clang-format on */
152
153 /* Return the TLV length is valid for the TLV type */
154 static bool bgp_ls_tlv_check_size(enum bgp_linkstate_tlv type, size_t length)
155 {
>>> CID 1568377: (OVERRUN)
>>> Overrunning array "bgp_linkstate_tlv_infos" of 1253 16-byte elements at element index 1253 (byte offset 20063) using index "type" (which evaluates to 1253).
156 if (type > BGP_LS_TLV_MAX ||
157 bgp_linkstate_tlv_infos[type].descr == NULL)
158 /* TLV type is not defined. Cannot check size */
159 return false;
160
161 if (bgp_linkstate_tlv_infos[type].min_size > length)
/bgpd/bgp_linkstate_tlv.c: 165 in bgp_ls_tlv_check_size()
159 return false;
160
161 if (bgp_linkstate_tlv_infos[type].min_size > length)
162 return false;
163 if (bgp_linkstate_tlv_infos[type].max_size < length)
164 return false;
>>> CID 1568377: (OVERRUN)
>>> Overrunning array "bgp_linkstate_tlv_infos" of 1253 16-byte elements at element index 1253 (byte offset 20063) using index "type" (which evaluates to 1253).
165 if (length % bgp_linkstate_tlv_infos[type].multiple != 0)
166 return false;
167
168 return true;
169 }
170
/bgpd/bgp_linkstate_tlv.c: 161 in bgp_ls_tlv_check_size()
155 {
156 if (type > BGP_LS_TLV_MAX ||
157 bgp_linkstate_tlv_infos[type].descr == NULL)
158 /* TLV type is not defined. Cannot check size */
159 return false;
160
>>> CID 1568377: (OVERRUN)
>>> Overrunning array "bgp_linkstate_tlv_infos" of 1253 16-byte elements at element index 1253 (byte offset 20063) using index "type" (which evaluates to 1253).
161 if (bgp_linkstate_tlv_infos[type].min_size > length)
162 return false;
163 if (bgp_linkstate_tlv_infos[type].max_size < length)
164 return false;
165 if (length % bgp_linkstate_tlv_infos[type].multiple != 0)
166 return false;
/bgpd/bgp_linkstate_tlv.c: 163 in bgp_ls_tlv_check_size()
157 bgp_linkstate_tlv_infos[type].descr == NULL)
158 /* TLV type is not defined. Cannot check size */
159 return false;
160
161 if (bgp_linkstate_tlv_infos[type].min_size > length)
162 return false;
>>> CID 1568377: (OVERRUN)
>>> Overrunning array "bgp_linkstate_tlv_infos" of 1253 16-byte elements at element index 1253 (byte offset 20063) using index "type" (which evaluates to 1253).
163 if (bgp_linkstate_tlv_infos[type].max_size < length)
164 return false;
165 if (length % bgp_linkstate_tlv_infos[type].multiple != 0)
166 return false;
167
168 return true;
** CID 1568376: Null pointer dereferences (REVERSE_INULL)
/bgpd/bgp_attr.c: 4985 in bgp_packet_attribute()
________________________________________________________________________________________________________
*** CID 1568376: Null pointer dereferences (REVERSE_INULL)
/bgpd/bgp_attr.c: 4985 in bgp_packet_attribute()
4979 /* VNC attribute */
4980 bgp_packet_mpattr_tea(bgp, peer, s, attr, BGP_ATTR_VNC);
4981 #endif
4982 }
4983
4984 /* BGP Link-State */
>>> CID 1568376: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "attr" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
4985 if (attr && attr->link_state) {
4986 stream_putc(s, BGP_ATTR_FLAG_OPTIONAL);
4987 stream_putc(s, BGP_ATTR_LINK_STATE);
4988 stream_putc(s, attr->link_state->length);
4989 stream_put(s, attr->link_state->data, attr->link_state->length);
4990 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3DUrVo_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTx0wS3YdU1ymKLMlLrUJrKkZByLK-2FZIf2axKwOT5eVkKyaCka-2Fq8MJ77eDeCmH851gZ6kX3DY73fsGd7o4mj47R0PRgkYdEEj9l9GwX-2FLTjn1BIra00TE1InN5sTBGa9tZOnA8R2o7g59ULqtJhkhro4AlFVlZuxOJzz4fineIIoQ-3D-3D