diff options
| author | Olivier Dugeon <olivier.dugeon@orange.com> | 2021-04-06 12:09:25 +0200 |
|---|---|---|
| committer | Olivier Dugeon <olivier.dugeon@orange.com> | 2021-05-19 09:48:54 +0200 |
| commit | 8db278b5e3e2b1a8b2d8ac85789565d5dd268ac6 (patch) | |
| tree | e36fe5d6cb6329b2b649f0360554213fa78979dc /ospfd/ospf_lsa.h | |
| parent | Merge pull request #8688 from idryzhov/bgp-vrf-bind-priv (diff) | |
| download | frr-8db278b5e3e2b1a8b2d8ac85789565d5dd268ac6.tar.xz frr-8db278b5e3e2b1a8b2d8ac85789565d5dd268ac6.zip | |
ospfd: Correct Coverity defects
When browsing or parsing OSPF LSA TLVs, we need to use the LSA length which is
part of the LSA header. This length, encoded in 16 bits, must be first
converted to host byte order with ntohs() function. However, Coverity Scan
considers that ntohs() function return TAINTED data. Thus, when the length is
used to control for() loop, Coverity Scan marks this part of the code as defect
with "Untrusted Loop Bound" due to the usage of Tainted variable. Similar
problems occur when browsing sub-TLV where length is extracted with ntohs().
To overcome this limitation, a size attribute has been added to the ospf_lsa
structure. The size is set when lsa->data buffer is allocated. In addition,
when an OSPF packet is received, the size of the payload is controlled before
contains is processed. For OSPF LSA, this allow a secure buffer allocation.
Thus, new size attribute contains the exact buffer allocation allowing a
strict control during TLV browsing.
This patch adds extra control to bound for() loop during TLV browsing to
avoid potential problem as suggested by Coverity Scan. Controls are based
on new size attribute of the ospf_lsa structure to avoid any ambiguity.
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
Diffstat (limited to 'ospfd/ospf_lsa.h')
| -rw-r--r-- | ospfd/ospf_lsa.h | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/ospfd/ospf_lsa.h b/ospfd/ospf_lsa.h index 3c1f94e62..3808700cc 100644 --- a/ospfd/ospf_lsa.h +++ b/ospfd/ospf_lsa.h @@ -84,8 +84,9 @@ struct ospf_lsa { #define OSPF_LSA_PREMATURE_AGE 0x40 #define OSPF_LSA_IN_MAXAGE 0x80 - /* LSA data. */ + /* LSA data. and size */ struct lsa_header *data; + size_t size; /* Received time stamp. */ struct timeval tv_recv; @@ -168,7 +169,7 @@ struct router_lsa { uint8_t flags; uint8_t zero; uint16_t links; - struct { + struct router_link { struct in_addr link_id; struct in_addr link_data; uint8_t type; @@ -199,7 +200,7 @@ struct summary_lsa { struct as_external_lsa { struct lsa_header header; struct in_addr mask; - struct { + struct as_route { uint8_t tos; uint8_t metric[3]; struct in_addr fwd_addr; |