Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 15 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 17 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 15 of 15 defect(s) ** CID 1487027: Uninitialized variables (UNINIT) /zebra/zebra_mlag_private.c: 195 in zebra_mlag_connect() ________________________________________________________________________________________________________ *** CID 1487027: Uninitialized variables (UNINIT) /zebra/zebra_mlag_private.c: 195 in zebra_mlag_connect() 189 return 0; 190 } 191 len = sizeof(struct ucred); 192 ucred.pid = getpid(); 193 194 set_nonblocking(mlag_socket);
CID 1487027: Uninitialized variables (UNINIT) Using uninitialized value "ucred": in the lines shown, only "ucred.pid" is assigned (line 192) before the call, so field "ucred.uid" is uninitialized when calling "setsockopt".
195 setsockopt(mlag_socket, SOL_SOCKET, SO_PEERCRED, &ucred, len); 196 197 if (IS_ZEBRA_DEBUG_MLAG) 198 zlog_debug("%s: Connection with MLAG is established ", 199 __func__); 200
** CID 1487026: (TAINTED_SCALAR) /zebra/zebra_mlag_private.c: 126 in zebra_mlag_read() /zebra/zebra_mlag_private.c: 126 in zebra_mlag_read() ________________________________________________________________________________________________________ *** CID 1487026: (TAINTED_SCALAR) /zebra/zebra_mlag_private.c: 126 in zebra_mlag_read() 120 /* This will be the actual length of the packet */ 121 tot_len = h_msglen + ZEBRA_MLAG_LEN_SIZE; 122 123 if (curr_len < tot_len) { 124 ssize_t data_len; 125
CID 1487026: (TAINTED_SCALAR) Passing tainted variable "tot_len - curr_len" to a tainted sink. "tot_len" is derived from "h_msglen" (line 121), which appears to be a length taken from the received message header, and is used as the read() size on line 126.
126 data_len = read(mlag_socket, mlag_rd_buffer + curr_len, 127 tot_len - curr_len); 128 if (data_len == 0 || data_len == -1) { 129 if (IS_ZEBRA_DEBUG_MLAG) 130 zlog_debug("MLAG connection closed socket : %d", 131 mlag_socket); /zebra/zebra_mlag_private.c: 126 in zebra_mlag_read() 120 /* This will be the actual length of the packet */ 121 tot_len = h_msglen + ZEBRA_MLAG_LEN_SIZE; 122 123 if (curr_len < tot_len) { 124 ssize_t data_len; 125
CID 1487026: (TAINTED_SCALAR) Passing tainted variable "tot_len - curr_len" to a tainted sink.
126 data_len = read(mlag_socket, mlag_rd_buffer + curr_len, 127 tot_len - curr_len); 128 if (data_len == 0 || data_len == -1) { 129 if (IS_ZEBRA_DEBUG_MLAG) 130 zlog_debug("MLAG connection closed socket : %d", 131 mlag_socket); /zebra/zebra_mlag_private.c: 146 in zebra_mlag_read() 140 } 141 } 142 143 if (IS_ZEBRA_DEBUG_MLAG) { 144 zlog_debug("Received a MLAG Message from socket: %d, len:%u ", 145 mlag_socket, tot_len);
CID 1487026: (TAINTED_SCALAR) Passing tainted variable "tot_len" to a tainted sink.
146 zlog_hexdump(mlag_rd_buffer, tot_len); 147 } 148 149 tot_len -= ZEBRA_MLAG_LEN_SIZE; 150 151 /* Process the packet */ /zebra/zebra_mlag_private.c: 146 in zebra_mlag_read() 140 } 141 } 142 143 if (IS_ZEBRA_DEBUG_MLAG) { 144 zlog_debug("Received a MLAG Message from socket: %d, len:%u ", 145 mlag_socket, tot_len);
CID 1487026: (TAINTED_SCALAR) Passing tainted variable "tot_len" to a tainted sink.
146 zlog_hexdump(mlag_rd_buffer, tot_len); 147 } 148 149 tot_len -= ZEBRA_MLAG_LEN_SIZE; 150 151 /* Process the packet */
** CID 1487025: (CHECKED_RETURN) /bgpd/bgp_bmp.c: 1310 in bmp_open() /bgpd/bgp_bmp.c: 1311 in bmp_open() ________________________________________________________________________________________________________ *** CID 1487025: (CHECKED_RETURN) /bgpd/bgp_bmp.c: 1310 in bmp_open() 1304 zlog_info("bmp[%s] connection refused by access-list", buf); 1305 close(bmp_sock); 1306 return NULL; 1307 } 1308 bt->cnt_accept++; 1309
CID 1487025: (CHECKED_RETURN) Calling "setsockopt(bmp_sock, 1, 9, &on, 4U)" without checking return value. This library function may fail and return an error code.
1310 setsockopt(bmp_sock, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)); 1311 setsockopt(bmp_sock, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)); 1312 1313 zlog_info("bmp[%s] connection established", buf); 1314 1315 /* Allocate new BMP structure and set up default values. */ /bgpd/bgp_bmp.c: 1311 in bmp_open() 1305 close(bmp_sock); 1306 return NULL; 1307 } 1308 bt->cnt_accept++; 1309 1310 setsockopt(bmp_sock, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on));
CID 1487025: (CHECKED_RETURN) Calling "setsockopt(bmp_sock, IPPROTO_TCP, 1, &on, 4U)" without checking return value. This library function may fail and return an error code.
1311 setsockopt(bmp_sock, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)); 1312 1313 zlog_info("bmp[%s] connection established", buf); 1314 1315 /* Allocate new BMP structure and set up default values. */ 1316 bmp = bmp_new(bt, bmp_sock);
** CID 1487024: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1487024: Null pointer dereferences (FORWARD_NULL) /bgpd/bgp_route.c: 3212 in bgp_update() 3206 3207 attr_new = bgp_attr_intern(&new_attr); 3208 3209 /* If the update is implicit withdraw. */ 3210 if (pi) { 3211 pi->uptime = bgp_clock();
CID 1487024: Null pointer dereferences (FORWARD_NULL) Passing null pointer "pi->attr" to "attrhash_cmp", which dereferences it.
3212 same_attr = attrhash_cmp(pi->attr, attr_new); 3213 3214 hook_call(bgp_process, bgp, afi, safi, rn, peer, true); 3215 3216 /* Same attribute comes in. */ 3217 if (!CHECK_FLAG(pi->flags, BGP_PATH_REMOVED)
** CID 1487023: Error handling issues (CHECKED_RETURN) /zebra/zebra_mlag_private.c: 195 in zebra_mlag_connect() ________________________________________________________________________________________________________ *** CID 1487023: Error handling issues (CHECKED_RETURN) /zebra/zebra_mlag_private.c: 195 in zebra_mlag_connect() 189 return 0; 190 } 191 len = sizeof(struct ucred); 192 ucred.pid = getpid(); 193 194 set_nonblocking(mlag_socket);
CID 1487023: Error handling issues (CHECKED_RETURN) Calling "setsockopt(mlag_socket, 1, 17, &ucred, len)" without checking return value. This library function may fail and return an error code.
195 setsockopt(mlag_socket, SOL_SOCKET, SO_PEERCRED, &ucred, len); 196 197 if (IS_ZEBRA_DEBUG_MLAG) 198 zlog_debug("%s: Connection with MLAG is established ", 199 __func__); 200
** CID 1485633: Null pointer dereferences (REVERSE_INULL) /zebra/zebra_vty.c: 1028 in show_route_all_table_vrf_magic() ________________________________________________________________________________________________________ *** CID 1485633: Null pointer dereferences (REVERSE_INULL) /zebra/zebra_vty.c: 1028 in show_route_all_table_vrf_magic() 1022 rib_table_info_t *info = route_table_get_info(zrt->table); 1023 1024 if (zvrf && zvrf != info->zvrf) 1025 continue; 1026 if (zrt->afi != afi || zrt->safi != SAFI_UNICAST) 1027 continue;
CID 1485633: Null pointer dereferences (REVERSE_INULL) Null-checking "zrt->table" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1028 if (zrt->table) 1029 do_show_route_helper(vty, info->zvrf, zrt->table, afi, 1030 false, 0, false, false, 1031 0, 0, !!json, zrt->tableid); 1032 } 1033 return CMD_SUCCESS;
** CID 1482189: (VARARGS) /lib/printf/glue.c: 106 in vasnprintfrr() /lib/printf/glue.c: 116 in vasnprintfrr() ________________________________________________________________________________________________________ *** CID 1482189: (VARARGS) /lib/printf/glue.c: 106 in vasnprintfrr() 100 char *ret = out; 101 102 va_copy(ap2, ap); 103 len = vbprintfrr(&fb, fmt, ap); 104 if (len < 0) 105 /* error = malformed format string => try something useful */
CID 1482189: (VARARGS) va_end was not called for "ap2".
106 return qstrdup(mt, fmt); 107 108 if ((size_t)len >= outsz - 1) { 109 ret = qmalloc(mt, len + 1); 110 fb.buf = fb.pos = ret; 111 fb.len = len; /lib/printf/glue.c: 116 in vasnprintfrr() 110 fb.buf = fb.pos = ret; 111 fb.len = len; 112 113 vbprintfrr(&fb, fmt, ap2); 114 } 115 ret[len] = '\0';
CID 1482189: (VARARGS) va_end was not called for "ap2".
116 return ret; 117 } 118 119 char *asnprintfrr(struct memtype *mt, char *out, size_t outsz, const char *fmt, 120 ...) 121 {
** CID 1482185: (USE_AFTER_FREE) /isisd/isis_pdu.c: 398 in process_p2p_hello() /isisd/isis_pdu.c: 398 in process_p2p_hello() /isisd/isis_pdu.c: 398 in process_p2p_hello() /isisd/isis_pdu.c: 398 in process_p2p_hello() /isisd/isis_pdu.c: 398 in process_p2p_hello() /isisd/isis_pdu.c: 398 in process_p2p_hello() /isisd/isis_pdu.c: 398 in process_p2p_hello() ________________________________________________________________________________________________________ *** CID 1482185: (USE_AFTER_FREE) /isisd/isis_pdu.c: 398 in process_p2p_hello() 392 } 393 } else { 394 /* down - area mismatch */ 395 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch"); 396 } 397
CID 1482185: (USE_AFTER_FREE) Dereferencing freed pointer "adj". Presumably the call "isis_adj_state_change(adj, ISIS_ADJ_DOWN, ...)" on line 395 can free "adj" before it is read again on line 398.
398 if (adj->adj_state == ISIS_ADJ_UP && changed) { 399 lsp_regenerate_schedule(adj->circuit->area, 400 isis_adj_usage2levels(adj->adj_usage), 401 0); 402 } 403 /isisd/isis_pdu.c: 398 in process_p2p_hello() 392 } 393 } else { 394 /* down - area mismatch */ 395 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch"); 396 } 397
CID 1482185: (USE_AFTER_FREE) Dereferencing freed pointer "adj".
398 if (adj->adj_state == ISIS_ADJ_UP && changed) { 399 lsp_regenerate_schedule(adj->circuit->area, 400 isis_adj_usage2levels(adj->adj_usage), 401 0); 402 } 403 /isisd/isis_pdu.c: 398 in process_p2p_hello() 392 } 393 } else { 394 /* down - area mismatch */ 395 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch"); 396 } 397
CID 1482185: (USE_AFTER_FREE) Dereferencing freed pointer "adj".
398 if (adj->adj_state == ISIS_ADJ_UP && changed) { 399 lsp_regenerate_schedule(adj->circuit->area, 400 isis_adj_usage2levels(adj->adj_usage), 401 0); 402 } 403 /isisd/isis_pdu.c: 398 in process_p2p_hello() 392 } 393 } else { 394 /* down - area mismatch */ 395 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch"); 396 } 397
CID 1482185: (USE_AFTER_FREE) Dereferencing freed pointer "adj".
398 if (adj->adj_state == ISIS_ADJ_UP && changed) { 399 lsp_regenerate_schedule(adj->circuit->area, 400 isis_adj_usage2levels(adj->adj_usage), 401 0); 402 } 403 /isisd/isis_pdu.c: 398 in process_p2p_hello() 392 } 393 } else { 394 /* down - area mismatch */ 395 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch"); 396 } 397
CID 1482185: (USE_AFTER_FREE) Dereferencing freed pointer "adj".
398 if (adj->adj_state == ISIS_ADJ_UP && changed) { 399 lsp_regenerate_schedule(adj->circuit->area, 400 isis_adj_usage2levels(adj->adj_usage), 401 0); 402 } 403 /isisd/isis_pdu.c: 398 in process_p2p_hello() 392 } 393 } else { 394 /* down - area mismatch */ 395 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch"); 396 } 397
CID 1482185: (USE_AFTER_FREE) Dereferencing freed pointer "adj".
398 if (adj->adj_state == ISIS_ADJ_UP && changed) { 399 lsp_regenerate_schedule(adj->circuit->area, 400 isis_adj_usage2levels(adj->adj_usage), 401 0); 402 } 403 /isisd/isis_pdu.c: 398 in process_p2p_hello() 392 } 393 } else { 394 /* down - area mismatch */ 395 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch"); 396 } 397
CID 1482185: (USE_AFTER_FREE) Dereferencing freed pointer "adj".
398 if (adj->adj_state == ISIS_ADJ_UP && changed) { 399 lsp_regenerate_schedule(adj->circuit->area, 400 isis_adj_usage2levels(adj->adj_usage), 401 0); 402 } 403
** CID 1482174: Null pointer dereferences (REVERSE_INULL) /pimd/pim_bsm.c: 293 in pim_bsm_proc_free() ________________________________________________________________________________________________________ *** CID 1482174: Null pointer dereferences (REVERSE_INULL) /pimd/pim_bsm.c: 293 in pim_bsm_proc_free() 287 bsgrp = rn->info; 288 if (!bsgrp) 289 continue; 290 pim_free_bsgrp_data(bsgrp); 291 } 292
CID 1482174: Null pointer dereferences (REVERSE_INULL) Null-checking "pim->global_scope.bsrp_table" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
293 if (pim->global_scope.bsrp_table) 294 route_table_finish(pim->global_scope.bsrp_table); 295 } 296 297 static bool is_hold_time_elapsed(void *data) 298 {
** CID 1482173: (STRING_NULL) /watchfrr/watchfrr.c: 636 in handle_read() /watchfrr/watchfrr.c: 648 in handle_read() ________________________________________________________________________________________________________ *** CID 1482173: (STRING_NULL) /watchfrr/watchfrr.c: 636 in handle_read() 630 if (rc == 0) { 631 daemon_down(dmn, "read returned EOF"); 632 return 0; 633 } 634 if (!dmn->echo_sent.tv_sec) { 635 char why[sizeof(buf) + 100];
CID 1482173: (STRING_NULL) Passing unterminated string "buf" to "snprintf".
636 snprintf(why, sizeof(why), 637 "unexpected read returns %d bytes: %.*s", (int)rc, 638 (int)rc, buf); 639 daemon_down(dmn, why); 640 return 0; 641 } /watchfrr/watchfrr.c: 648 in handle_read() 642 643 /* We are expecting an echo response: is there any chance that the 644 response would not be returned entirely in the first read? That 645 seems inconceivable... */ 646 if ((rc != sizeof(resp)) || memcmp(buf, resp, sizeof(resp))) { 647 char why[100 + sizeof(buf)];
CID 1482173: (STRING_NULL) Passing unterminated string "buf" to "snprintf".
648 snprintf(why, sizeof(why), 649 "read returned bad echo response of %d bytes " 650 "(expecting %u): %.*s", 651 (int)rc, (unsigned int)sizeof(resp), (int)rc, buf); 652 daemon_down(dmn, why); 653 return 0;
** CID 1482170: Memory - corruptions (OVERRUN) /lib/command_parse.c: 1379 in cmd_yyparse() ________________________________________________________________________________________________________ *** CID 1482170: Memory - corruptions (OVERRUN) /lib/command_parse.c: 1379 in cmd_yyparse() 1373 yyvsp = yyvs + yysize - 1; 1374 yylsp = yyls + yysize - 1; 1375 1376 YYDPRINTF ((stderr, "Stack size increased to %lu\n", 1377 (unsigned long int) yystacksize)); 1378
CID 1482170: Memory - corruptions (OVERRUN) "yyss + yystacksize - 1" evaluates to an address that is at byte offset 19998 of an array of 16 bytes.
1379 if (yyss + yystacksize - 1 <= yyssp) 1380 YYABORT; 1381 } 1382 1383 YYDPRINTF ((stderr, "Entering state %d\n", yystate)); 1384
** CID 1482161: (TAINTED_SCALAR) /ospf6d/ospf6_spf.c: 1031 in ospf6_create_single_router_lsa() /ospf6d/ospf6_spf.c: 1061 in ospf6_create_single_router_lsa() ________________________________________________________________________________________________________ *** CID 1482161: (TAINTED_SCALAR) /ospf6d/ospf6_spf.c: 1031 in ospf6_create_single_router_lsa() 1025 * a valid pointer. 1026 */ 1027 assert(rtr_lsa); 1028 if (!OSPF6_LSA_IS_MAXAGE(rtr_lsa)) { 1029 /* Append first Link State ID LSA */ 1030 lsa_header = (struct ospf6_lsa_header *)rtr_lsa->header;
CID 1482161: (TAINTED_SCALAR) Passing tainted variable "ntohs(lsa_header->length)" to a tainted sink: the LSA length read from the received header is used directly as the memcpy() size on line 1031.
1031 memcpy(new_header, lsa_header, ntohs(lsa_header->length)); 1032 /* Assign new lsa length as aggregated length. */ 1033 ((struct ospf6_lsa_header *)new_header)->length = 1034 htons(total_lsa_length); 1035 new_header += ntohs(lsa_header->length); 1036 num_lsa--; /ospf6d/ospf6_spf.c: 1061 in ospf6_create_single_router_lsa() 1055 __PRETTY_FUNCTION__, rtr_lsa->name, 1056 ntohs(lsa_header->length), ifbuf); 1057 } 1058 1059 /* Append Next Link State ID LSA */ 1060 lsa_header = (struct ospf6_lsa_header *)rtr_lsa->header;
CID 1482161: (TAINTED_SCALAR) Passing tainted variable "ntohs(lsa_header->length) - lsa_length" to a tainted sink.
1061 memcpy(new_header, (OSPF6_LSA_HEADER_END(rtr_lsa->header) + 4), 1062 (ntohs(lsa_header->length) - lsa_length)); 1063 new_header += (ntohs(lsa_header->length) - lsa_length); 1064 num_lsa--; 1065 1066 rtr_lsa = ospf6_lsdb_next(end, rtr_lsa); /ospf6d/ospf6_spf.c: 1011 in ospf6_create_single_router_lsa() 1005 zlog_debug("%s: adv_router %s not found in LSDB.", 1006 __PRETTY_FUNCTION__, ifbuf); 1007 return NULL; 1008 } 1009 1010 /* Allocate memory for this LSA */
CID 1482161: (TAINTED_SCALAR) Passing tainted variable "total_lsa_length" to a tainted sink, here the XMALLOC() allocation size on line 1011.
1011 new_header = XMALLOC(MTYPE_OSPF6_LSA_HEADER, total_lsa_length); 1012 1013 /* LSA information structure */ 1014 lsa = XCALLOC(MTYPE_OSPF6_LSA, sizeof(struct ospf6_lsa)); 1015 1016 lsa->header = (struct ospf6_lsa_header *)new_header;
** CID 1479142: Memory - illegal accesses (OVERRUN) /zebra/zebra_rib.c: 2191 in rib_meta_queue_add() ________________________________________________________________________________________________________ *** CID 1479142: Memory - illegal accesses (OVERRUN) /zebra/zebra_rib.c: 2191 in rib_meta_queue_add() 2185 "rn %p is already queued in sub-queue %u", 2186 (void *)rn, qindex); 2187 return; 2188 } 2189 2190 SET_FLAG(rib_dest_from_rnode(rn)->flags, RIB_ROUTE_QUEUED(qindex));
CID 1479142: Memory - illegal accesses (OVERRUN) Overrunning array "mq->subq" of 5 8-byte elements at element index 5 (byte offset 47) using index "qindex" (which evaluates to 5).
2191 listnode_add(mq->subq[qindex], rn); 2192 route_lock_node(rn); 2193 mq->size++; 2194 2195 if (IS_ZEBRA_DEBUG_RIB_DETAILED) 2196 rnode_debug(rn, re->vrf_id, "queued rn %p into sub-queue %u",
** CID 1475948: Security best practices violations (DC.WEAK_CRYPTO) /watchfrr/watchfrr.c: 891 in phase_check() ________________________________________________________________________________________________________ *** CID 1475948: Security best practices violations (DC.WEAK_CRYPTO) /watchfrr/watchfrr.c: 891 in phase_check() 885 return; 886 887 /* startup complete, everything out of INIT */ 888 gs.phase = PHASE_NONE; 889 for (dmn = gs.daemons; dmn; dmn = dmn->next) 890 if (dmn->state == DAEMON_DOWN) {
CID 1475948: Security best practices violations (DC.WEAK_CRYPTO) "random" should not be used for security-related applications, because linear congruential algorithms are too easy to break. The flagged call is presumably inside the SET_WAKEUP_DOWN() macro expanded on line 891.
891 SET_WAKEUP_DOWN(dmn); 892 try_restart(dmn); 893 } 894 break; 895 case PHASE_STOPS_PENDING: 896 if (gs.numpids)
** CID 1475944: Security best practices violations (DC.WEAK_CRYPTO) /watchfrr/watchfrr.c: 583 in restart_done() ________________________________________________________________________________________________________ *** CID 1475944: Security best practices violations (DC.WEAK_CRYPTO) /watchfrr/watchfrr.c: 583 in restart_done() 577 dmn->name, state_str[dmn->state]); 578 return; 579 } 580 if (dmn->t_wakeup) 581 THREAD_OFF(dmn->t_wakeup); 582 if (try_connect(dmn) < 0)
CID 1475944: Security best practices violations (DC.WEAK_CRYPTO) "random" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
583 SET_WAKEUP_DOWN(dmn); 584 } 585 586 static void daemon_down(struct daemon *dmn, const char *why) 587 { 588 if (IS_UP(dmn) || (dmn->state == DAEMON_INIT))
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...