Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 16 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 15 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 16 of 16 defect(s) ** CID 1496644: Null pointer dereferences (REVERSE_INULL) /zebra/zebra_evpn_neigh.c: 722 in zebra_evpn_proc_sync_neigh_update() ________________________________________________________________________________________________________ *** CID 1496644: Null pointer dereferences (REVERSE_INULL) /zebra/zebra_evpn_neigh.c: 722 in zebra_evpn_proc_sync_neigh_update() 716 if (old_bgp_ready) { 717 zebra_evpn_neigh_send_del_to_client( 718 zevpn->vni, &n->ip, &n->emac, n->flags, 719 n->state, false /*force*/); 720 old_bgp_ready = false; 721 }
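CID 1496644: Null pointer dereferences (REVERSE_INULL) Null-checking "n->mac" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. Triage note: the earlier dereference of "n->mac" is not within the quoted lines 716-727, so either the check at line 722 is redundant or the earlier use needs its own guard; which of the two applies has to be decided from the full function.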
722 if (n->mac) 723 zebra_evpn_local_neigh_deref_mac( 724 n, false /*send_mac_update*/); 725 } 726 /* clear old fwd info */ 727 n->rem_seq = 0;
** CID 1496643: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1496643: Null pointer dereferences (FORWARD_NULL) /zebra/zebra_evpn_mh.c: 362 in zebra_evpn_es_evi_show_vni() 356 vty_out(vty, "%-8s %-30s %-4s\n", "VNI", "ESI", "Type"); 357 } 358 } else { 359 if (!uj) 360 vty_out(vty, "VNI %d doesn't exist\n", vni); 361 }
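CID 1496643: Null pointer dereferences (FORWARD_NULL) Passing null pointer "zevpn" to "zebra_evpn_es_evi_show_one_evpn", which dereferences it. Triage note: in the quoted lines the else branch (358-361) only prints "VNI %d doesn't exist" and then falls through to the call at line 362, so the not-found case presumably reaches that call with "zevpn" still NULL. Returning from that branch, or guarding the call, would close the path. The condition of the enclosing if is outside the excerpt.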
362 zebra_evpn_es_evi_show_one_evpn(zevpn, vty, json, detail); 363 } 364 365 /* Initialize the ES tables maintained per-L2_VNI */ 366 void zebra_evpn_evpn_es_init(zebra_evpn_t *zevpn) 367 {
** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 486 in seqnumber_mismatch() 480 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT); 481 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT); 482 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT); 483 484 ospf6_lsdb_remove_all(on->summary_list); 485 ospf6_lsdb_remove_all(on->request_list);
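CID 1486267: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa". Triage note: this report and the other ALL_LSDB findings below share one pattern. The loop body removes or otherwise releases the current entry, and the macro then has to step on from that same entry through "ospf6_lsdb_next". Whether that is a real use-after-free depends on whether the iterator holds its own reference on the current LSA, which none of the excerpts show. The explicit "ospf6_lsdb_lsa_unlock(lsa)" before the break at ospf6_message.c:1875 suggests that it does. Confirm against the definitions of ALL_LSDB and "ospf6_lsdb_next" before dismissing the group as false positives.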
486 for (ALL_LSDB(on->retrans_list, lsa)) { 487 ospf6_decrement_retrans_count(lsa); 488 ospf6_lsdb_remove(lsa, on->retrans_list); 489 } 490 491 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486266: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486266: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2306 in ospf6_lsack_send_neighbor() 2300 2301 memset(sendbuf, 0, iobuflen); 2302 oh = (struct ospf6_header *)sendbuf; 2303 2304 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header)); 2305
CID 1486266: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2306 for (ALL_LSDB(on->lsack_list, lsa)) { 2307 /* MTU check */ 2308 if (p - sendbuf + sizeof(struct ospf6_lsa_header) 2309 > ospf6_packet_max(on->ospf6_if)) { 2310 /* if we run out of packet size/space here, 2311 better to try again soon. */
** CID 1486265: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486265: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2223 in ospf6_lsupdate_send_interface() 2217 lsupdate = (struct ospf6_lsupdate *)((caddr_t)oh 2218 + sizeof(struct ospf6_header)); 2219 2220 p = (uint8_t *)((caddr_t)lsupdate + sizeof(struct ospf6_lsupdate)); 2221 lsa_cnt = 0; 2222
CID 1486265: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2223 for (ALL_LSDB(oi->lsupdate_list, lsa)) { 2224 /* MTU check */ 2225 if ((p - sendbuf + ((unsigned int)OSPF6_LSA_SIZE(lsa->header))) 2226 > ospf6_packet_max(oi)) { 2227 if (lsa_cnt) { 2228 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
** CID 1486264: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486264: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_lsdb.c: 306 in ospf6_lsdb_remove_all() 300 { 301 struct ospf6_lsa *lsa; 302 303 if (lsdb == NULL) 304 return; 305
CID 1486264: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
306 for (ALL_LSDB(lsdb, lsa)) 307 ospf6_lsdb_remove(lsa, lsdb); 308 } 309 310 void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa) 311 {
** CID 1486263: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486263: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 125 in ospf6_neighbor_delete() 119 void ospf6_neighbor_delete(struct ospf6_neighbor *on) 120 { 121 struct ospf6_lsa *lsa; 122 123 ospf6_lsdb_remove_all(on->summary_list); 124 ospf6_lsdb_remove_all(on->request_list);
CID 1486263: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
125 for (ALL_LSDB(on->retrans_list, lsa)) { 126 ospf6_decrement_retrans_count(lsa); 127 ospf6_lsdb_remove(lsa, on->retrans_list); 128 } 129 130 ospf6_lsdb_remove_all(on->dbdesc_list);
** CID 1486262: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486262: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 1872 in ospf6_dbdesc_send_newone() 1866 ospf6_lsdb_remove_all(on->dbdesc_list); 1867 1868 /* move LSAs from summary_list to dbdesc_list (within neighbor 1869 structure) 1870 so that ospf6_send_dbdesc () can send those LSAs */ 1871 size = sizeof(struct ospf6_lsa_header) + sizeof(struct ospf6_dbdesc);
CID 1486262: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
1872 for (ALL_LSDB(on->summary_list, lsa)) { 1873 if (size + sizeof(struct ospf6_lsa_header) 1874 > ospf6_packet_max(on->ospf6_if)) { 1875 ospf6_lsdb_lsa_unlock(lsa); 1876 break; 1877 }
** CID 1486261: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486261: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 523 in bad_lsreq() 517 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT); 518 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT); 519 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT); 520 521 ospf6_lsdb_remove_all(on->summary_list); 522 ospf6_lsdb_remove_all(on->request_list);
CID 1486261: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
523 for (ALL_LSDB(on->retrans_list, lsa)) { 524 ospf6_decrement_retrans_count(lsa); 525 ospf6_lsdb_remove(lsa, on->retrans_list); 526 } 527 528 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486260: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486260: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 310 in negotiation_done() 304 if (IS_OSPF6_DEBUG_NEIGHBOR(EVENT)) 305 zlog_debug("Neighbor Event %s: *NegotiationDone*", on->name); 306 307 /* clear ls-list */ 308 ospf6_lsdb_remove_all(on->summary_list); 309 ospf6_lsdb_remove_all(on->request_list);
CID 1486260: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
310 for (ALL_LSDB(on->retrans_list, lsa)) { 311 ospf6_decrement_retrans_count(lsa); 312 ospf6_lsdb_remove(lsa, on->retrans_list); 313 } 314 315 /* Interface scoped LSAs */
** CID 1486259: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486259: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_lsdb.c: 324 in ospf6_lsdb_maxage_remover() 318 319 int ospf6_lsdb_maxage_remover(struct ospf6_lsdb *lsdb) 320 { 321 int reschedule = 0; 322 struct ospf6_lsa *lsa; 323
CID 1486259: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
324 for (ALL_LSDB(lsdb, lsa)) { 325 if (!OSPF6_LSA_IS_MAXAGE(lsa)) 326 continue; 327 if (lsa->retrans_count != 0) { 328 reschedule = 1; 329 continue;
** CID 1486258: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486258: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2385 in ospf6_lsack_send_interface() 2379 2380 memset(sendbuf, 0, iobuflen); 2381 oh = (struct ospf6_header *)sendbuf; 2382 2383 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header)); 2384
CID 1486258: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2385 for (ALL_LSDB(oi->lsack_list, lsa)) { 2386 /* MTU check */ 2387 if (p - sendbuf + sizeof(struct ospf6_lsa_header) 2388 > ospf6_packet_max(oi)) { 2389 /* if we run out of packet size/space here, 2390 better to try again soon. */
** CID 1486256: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486256: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2040 in ospf6_lsupdate_send_neighbor() 2034 2035 p = (uint8_t *)((caddr_t)lsupdate + sizeof(struct ospf6_lsupdate)); 2036 lsa_cnt = 0; 2037 2038 /* lsupdate_list lists those LSA which doesn't need to be 2039 retransmitted. remove those from the list */
CID 1486256: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2040 for (ALL_LSDB(on->lsupdate_list, lsa)) { 2041 /* MTU check */ 2042 if ((p - sendbuf + (unsigned int)OSPF6_LSA_SIZE(lsa->header)) 2043 > ospf6_packet_max(on->ospf6_if)) { 2044 if (lsa_cnt) { 2045 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
** CID 1486255: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486255: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 558 in oneway_received() 552 ospf6_neighbor_state_change(OSPF6_NEIGHBOR_INIT, on, 553 OSPF6_NEIGHBOR_EVENT_ONEWAY_RCVD); 554 thread_add_event(master, neighbor_change, on->ospf6_if, 0, NULL); 555 556 ospf6_lsdb_remove_all(on->summary_list); 557 ospf6_lsdb_remove_all(on->request_list);
CID 1486255: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
558 for (ALL_LSDB(on->retrans_list, lsa)) { 559 ospf6_decrement_retrans_count(lsa); 560 ospf6_lsdb_remove(lsa, on->retrans_list); 561 } 562 563 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486253: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486253: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 455 in adj_ok() 449 450 } else if (on->state >= OSPF6_NEIGHBOR_EXSTART && !need_adjacency(on)) { 451 ospf6_neighbor_state_change(OSPF6_NEIGHBOR_TWOWAY, on, 452 OSPF6_NEIGHBOR_EVENT_ADJ_OK); 453 ospf6_lsdb_remove_all(on->summary_list); 454 ospf6_lsdb_remove_all(on->request_list);
CID 1486253: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
455 for (ALL_LSDB(on->retrans_list, lsa)) { 456 ospf6_decrement_retrans_count(lsa); 457 ospf6_lsdb_remove(lsa, on->retrans_list); 458 } 459 } 460
** CID 1221460: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1221460: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 1950 in ospf6_lsreq_send() 1944 } 1945 1946 if (last_req != NULL) { 1947 if (on->last_ls_req != NULL) 1948 on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req); 1949
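CID 1221460: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsa_lock" dereferences freed pointer "last_req". Triage note: the quoted lines release "on->last_ls_req" at line 1948 before taking a reference on "last_req" at line 1950. If both pointers can refer to the same LSA and that release drops the last reference, the lock would touch freed memory, which is presumably the path Coverity followed. Taking the new reference before releasing the old one removes the ordering dependency.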
1950 ospf6_lsa_lock(last_req); 1951 on->last_ls_req = last_req; 1952 } 1953 1954 oh->type = OSPF6_MESSAGE_TYPE_LSREQ; 1955 oh->length = htons(p - sendbuf);