Hi, please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 39 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 1 defect, reported by Coverity Scan earlier, was marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 39 defect(s) ** CID 1506514: Insecure data handling (TAINTED_SCALAR) /ospf6d/ospf6_gr_helper.c: 1238 in ospf6_grace_lsa_show_info() ________________________________________________________________________________________________________ *** CID 1506514: Insecure data handling (TAINTED_SCALAR) /ospf6d/ospf6_gr_helper.c: 1238 in ospf6_grace_lsa_show_info() 1232 if (!use_json) 1233 vty_out(vty, "TLV info:\n"); 1234 } else { 1235 zlog_debug(" TLV info:"); 1236 } 1237
CID 1506514: Insecure data handling (TAINTED_SCALAR) Using tainted variable "length" as a loop boundary.
1238 for (tlvh = TLV_HDR_TOP(lsah); sum < length; 1239 tlvh = TLV_HDR_NEXT(tlvh)) { 1240 switch (ntohs(tlvh->type)) { 1241 case GRACE_PERIOD_TYPE: 1242 gracePeriod = (struct grace_tlv_graceperiod *)tlvh; 1243 sum += TLV_SIZE(tlvh);
** CID 1506513: Insecure data handling (TAINTED_SCALAR) /ospf6d/ospf6_gr_helper.c: 160 in ospf6_extract_grace_lsa_fields() ________________________________________________________________________________________________________ *** CID 1506513: Insecure data handling (TAINTED_SCALAR) /ospf6d/ospf6_gr_helper.c: 160 in ospf6_extract_grace_lsa_fields() 154 int sum = 0; 155 156 lsah = (struct ospf6_lsa_header *)lsa->header; 157 158 length = ntohs(lsah->length) - OSPF6_LSA_HEADER_SIZE; 159
CID 1506513: Insecure data handling (TAINTED_SCALAR) Using tainted variable "length" as a loop boundary. The value is derived at line 158 from the received LSA header (ntohs(lsah->length) - OSPF6_LSA_HEADER_SIZE), so it is under the sender's control, and no bound check against the size of the received buffer is visible in the shown lines before it drives the TLV walk.
160 for (tlvh = TLV_HDR_TOP(lsah); sum < length; 161 tlvh = TLV_HDR_NEXT(tlvh)) { 162 switch (ntohs(tlvh->type)) { 163 case GRACE_PERIOD_TYPE: 164 gracePeriod = (struct grace_tlv_graceperiod *)tlvh; 165 *interval = ntohl(gracePeriod->interval);
** CID 1506512: (USE_AFTER_FREE) /ospf6d/ospf6_gr_helper.c: 232 in ospf6_check_chg_in_rxmt_list() /ospf6d/ospf6_gr_helper.c: 232 in ospf6_check_chg_in_rxmt_list() ________________________________________________________________________________________________________ *** CID 1506512: (USE_AFTER_FREE) /ospf6d/ospf6_gr_helper.c: 232 in ospf6_check_chg_in_rxmt_list() 226 for (ALL_LSDB(nbr->retrans_list, lsa, lsanext)) { 227 struct ospf6_lsa *lsa_in_db = NULL; 228 229 /* Fetching the same copy of LSA form LSDB to validate the 230 * topochange. 231 */
CID 1506512: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
232 lsa_in_db = 233 ospf6_lsdb_lookup(lsa->header->type, lsa->header->id, 234 lsa->header->adv_router, lsa->lsdb); 235 236 if (lsa_in_db && lsa_in_db->tobe_acknowledged) { 237 ospf6_lsa_unlock(lsa); /ospf6d/ospf6_gr_helper.c: 232 in ospf6_check_chg_in_rxmt_list() 226 for (ALL_LSDB(nbr->retrans_list, lsa, lsanext)) { 227 struct ospf6_lsa *lsa_in_db = NULL; 228 229 /* Fetching the same copy of LSA form LSDB to validate the 230 * topochange. 231 */
CID 1506512: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
232 lsa_in_db = 233 ospf6_lsdb_lookup(lsa->header->type, lsa->header->id, 234 lsa->header->adv_router, lsa->lsdb); 235 236 if (lsa_in_db && lsa_in_db->tobe_acknowledged) { 237 ospf6_lsa_unlock(lsa);
** CID 1505419: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2459 in ospf6_make_lsupdate_list() /ospf6d/ospf6_message.c: 2459 in ospf6_make_lsupdate_list() ________________________________________________________________________________________________________ *** CID 1505419: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2458 in ospf6_make_lsupdate_list() 2452 uint16_t length = OSPF6_LS_UPD_MIN_SIZE; 2453 struct ospf6_lsa *lsa, *lsanext; 2454 2455 /* skip over fixed header */ 2456 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2457
CID 1505419: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2458 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) { 2459 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2460 + OSPF6_HEADER_SIZE) 2461 > ospf6_packet_max(on->ospf6_if)) { 2462 ospf6_fill_header(on->ospf6_if, (*op)->s, 2463 length + OSPF6_HEADER_SIZE); /ospf6d/ospf6_message.c: 2459 in ospf6_make_lsupdate_list() 2453 struct ospf6_lsa *lsa, *lsanext; 2454 2455 /* skip over fixed header */ 2456 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2457 2458 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
CID 1505419: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2459 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2460 + OSPF6_HEADER_SIZE) 2461 > ospf6_packet_max(on->ospf6_if)) { 2462 ospf6_fill_header(on->ospf6_if, (*op)->s, 2463 length + OSPF6_HEADER_SIZE); 2464 (*op)->length = length + OSPF6_HEADER_SIZE; /ospf6d/ospf6_message.c: 2458 in ospf6_make_lsupdate_list() 2452 uint16_t length = OSPF6_LS_UPD_MIN_SIZE; 2453 struct ospf6_lsa *lsa, *lsanext; 2454 2455 /* skip over fixed header */ 2456 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2457
CID 1505419: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2458 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) { 2459 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2460 + OSPF6_HEADER_SIZE) 2461 > ospf6_packet_max(on->ospf6_if)) { 2462 ospf6_fill_header(on->ospf6_if, (*op)->s, 2463 length + OSPF6_HEADER_SIZE); /ospf6d/ospf6_message.c: 2459 in ospf6_make_lsupdate_list() 2453 struct ospf6_lsa *lsa, *lsanext; 2454 2455 /* skip over fixed header */ 2456 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2457 2458 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
CID 1505419: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2459 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2460 + OSPF6_HEADER_SIZE) 2461 > ospf6_packet_max(on->ospf6_if)) { 2462 ospf6_fill_header(on->ospf6_if, (*op)->s, 2463 length + OSPF6_HEADER_SIZE); 2464 (*op)->length = length + OSPF6_HEADER_SIZE;
** CID 1505418: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2288 in ospf6_make_lsreq() /ospf6d/ospf6_message.c: 2288 in ospf6_make_lsreq() ________________________________________________________________________________________________________ *** CID 1505418: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2282 in ospf6_make_lsreq() 2276 uint16_t length = 0; 2277 struct ospf6_lsa *lsa, *lsanext, *last_req = NULL; 2278 2279 for (ALL_LSDB(on->request_list, lsa, lsanext)) { 2280 if ((length + OSPF6_HEADER_SIZE) 2281 > ospf6_packet_max(on->ospf6_if)) {
CID 1505418: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2282 ospf6_lsa_unlock(lsa); 2283 if (lsanext) 2284 ospf6_lsa_unlock(lsanext); 2285 break; 2286 } 2287 stream_putw(s, 0); /* reserved */ /ospf6d/ospf6_message.c: 2282 in ospf6_make_lsreq() 2276 uint16_t length = 0; 2277 struct ospf6_lsa *lsa, *lsanext, *last_req = NULL; 2278 2279 for (ALL_LSDB(on->request_list, lsa, lsanext)) { 2280 if ((length + OSPF6_HEADER_SIZE) 2281 > ospf6_packet_max(on->ospf6_if)) {
CID 1505418: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2282 ospf6_lsa_unlock(lsa); 2283 if (lsanext) 2284 ospf6_lsa_unlock(lsanext); 2285 break; 2286 } 2287 stream_putw(s, 0); /* reserved */ /ospf6d/ospf6_message.c: 2288 in ospf6_make_lsreq() 2282 ospf6_lsa_unlock(lsa); 2283 if (lsanext) 2284 ospf6_lsa_unlock(lsanext); 2285 break; 2286 } 2287 stream_putw(s, 0); /* reserved */
CID 1505418: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2288 stream_putw(s, ntohs(lsa->header->type)); 2289 stream_putl(s, ntohl(lsa->header->id)); 2290 stream_putl(s, ntohl(lsa->header->adv_router)); 2291 length += sizeof(struct ospf6_lsreq_entry); 2292 last_req = lsa; 2293 } /ospf6d/ospf6_message.c: 2288 in ospf6_make_lsreq() 2282 ospf6_lsa_unlock(lsa); 2283 if (lsanext) 2284 ospf6_lsa_unlock(lsanext); 2285 break; 2286 } 2287 stream_putw(s, 0); /* reserved */
CID 1505418: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2288 stream_putw(s, ntohs(lsa->header->type)); 2289 stream_putl(s, ntohl(lsa->header->id)); 2290 stream_putl(s, ntohl(lsa->header->adv_router)); 2291 length += sizeof(struct ospf6_lsreq_entry); 2292 last_req = lsa; 2293 }
** CID 1505417: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2497 in ospf6_make_ls_retrans_list() /ospf6d/ospf6_message.c: 2497 in ospf6_make_ls_retrans_list() ________________________________________________________________________________________________________ *** CID 1505417: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2497 in ospf6_make_ls_retrans_list() 2491 struct ospf6_lsa *lsa, *lsanext; 2492 2493 /* skip over fixed header */ 2494 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2495 2496 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
CID 1505417: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2497 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2498 + OSPF6_HEADER_SIZE) 2499 > ospf6_packet_max(on->ospf6_if)) { 2500 ospf6_fill_header(on->ospf6_if, (*op)->s, 2501 length + OSPF6_HEADER_SIZE); 2502 (*op)->length = length + OSPF6_HEADER_SIZE; /ospf6d/ospf6_message.c: 2497 in ospf6_make_ls_retrans_list() 2491 struct ospf6_lsa *lsa, *lsanext; 2492 2493 /* skip over fixed header */ 2494 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2495 2496 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
CID 1505417: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2497 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2498 + OSPF6_HEADER_SIZE) 2499 > ospf6_packet_max(on->ospf6_if)) { 2500 ospf6_fill_header(on->ospf6_if, (*op)->s, 2501 length + OSPF6_HEADER_SIZE); 2502 (*op)->length = length + OSPF6_HEADER_SIZE;
** CID 1505415: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1505415: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2299 in ospf6_make_lsreq() 2293 } 2294 2295 if (last_req != NULL) { 2296 if (on->last_ls_req != NULL) 2297 on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req); 2298
CID 1505415: (USE_AFTER_FREE) Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
2299 ospf6_lsa_lock(last_req); 2300 on->last_ls_req = last_req; 2301 } 2302 2303 return length; 2304 } /ospf6d/ospf6_message.c: 2299 in ospf6_make_lsreq() 2293 } 2294 2295 if (last_req != NULL) { 2296 if (on->last_ls_req != NULL) 2297 on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req); 2298
CID 1505415: (USE_AFTER_FREE) Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
2299 ospf6_lsa_lock(last_req); 2300 on->last_ls_req = last_req; 2301 } 2302 2303 return length; 2304 }
** CID 1505414: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1505414: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2162 in ospf6_make_dbdesc() 2156 stream_putc(s, on->dbdesc_bits); 2157 stream_putl(s, on->dbdesc_seqnum); 2158 2159 /* if this is not initial one, set LSA headers in dbdesc */ 2160 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) { 2161 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
CID 1505414: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2162 ospf6_lsa_age_update_to_send(lsa, 2163 on->ospf6_if->transdelay); 2164 2165 /* MTU check */ 2166 if ((length + sizeof(struct ospf6_lsa_header) 2167 + OSPF6_HEADER_SIZE) /ospf6d/ospf6_message.c: 2162 in ospf6_make_dbdesc() 2156 stream_putc(s, on->dbdesc_bits); 2157 stream_putl(s, on->dbdesc_seqnum); 2158 2159 /* if this is not initial one, set LSA headers in dbdesc */ 2160 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) { 2161 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
CID 1505414: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2162 ospf6_lsa_age_update_to_send(lsa, 2163 on->ospf6_if->transdelay); 2164 2165 /* MTU check */ 2166 if ((length + sizeof(struct ospf6_lsa_header) 2167 + OSPF6_HEADER_SIZE)
** CID 1505412: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1505412: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2765 in ospf6_make_lsack_interface() 2759 static uint16_t ospf6_make_lsack_interface(struct ospf6_interface *oi, 2760 struct ospf6_packet *op) 2761 { 2762 uint16_t length = 0; 2763 struct ospf6_lsa *lsa, *lsanext; 2764
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2765 for (ALL_LSDB(oi->lsack_list, lsa, lsanext)) { 2766 if ((length + sizeof(struct ospf6_lsa_header) 2767 + OSPF6_HEADER_SIZE) 2768 > ospf6_packet_max(oi)) { 2769 /* if we run out of packet size/space here, 2770 better to try again soon. */ /ospf6d/ospf6_message.c: 2775 in ospf6_make_lsack_interface() 2769 /* if we run out of packet size/space here, 2770 better to try again soon. */ 2771 THREAD_OFF(oi->thread_send_lsack); 2772 thread_add_event(master, ospf6_lsack_send_interface, oi, 2773 0, &oi->thread_send_lsack); 2774
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2775 ospf6_lsa_unlock(lsa); 2776 if (lsanext) 2777 ospf6_lsa_unlock(lsanext); 2778 break; 2779 } 2780 ospf6_lsa_age_update_to_send(lsa, oi->transdelay); /ospf6d/ospf6_message.c: 2780 in ospf6_make_lsack_interface() 2774 2775 ospf6_lsa_unlock(lsa); 2776 if (lsanext) 2777 ospf6_lsa_unlock(lsanext); 2778 break; 2779 }
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2780 ospf6_lsa_age_update_to_send(lsa, oi->transdelay); 2781 stream_put(op->s, lsa->header, sizeof(struct ospf6_lsa_header)); 2782 length += sizeof(struct ospf6_lsa_header); 2783 2784 assert(lsa->lock == 2); 2785 ospf6_lsdb_remove(lsa, oi->lsack_list); /ospf6d/ospf6_message.c: 2780 in ospf6_make_lsack_interface() 2774 2775 ospf6_lsa_unlock(lsa); 2776 if (lsanext) 2777 ospf6_lsa_unlock(lsanext); 2778 break; 2779 }
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2780 ospf6_lsa_age_update_to_send(lsa, oi->transdelay); 2781 stream_put(op->s, lsa->header, sizeof(struct ospf6_lsa_header)); 2782 length += sizeof(struct ospf6_lsa_header); 2783 2784 assert(lsa->lock == 2); 2785 ospf6_lsdb_remove(lsa, oi->lsack_list); /ospf6d/ospf6_message.c: 2765 in ospf6_make_lsack_interface() 2759 static uint16_t ospf6_make_lsack_interface(struct ospf6_interface *oi, 2760 struct ospf6_packet *op) 2761 { 2762 uint16_t length = 0; 2763 struct ospf6_lsa *lsa, *lsanext; 2764
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2765 for (ALL_LSDB(oi->lsack_list, lsa, lsanext)) { 2766 if ((length + sizeof(struct ospf6_lsa_header) 2767 + OSPF6_HEADER_SIZE) 2768 > ospf6_packet_max(oi)) { 2769 /* if we run out of packet size/space here, 2770 better to try again soon. */
** CID 1505410: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2638 in ospf6_make_lsupdate_interface() /ospf6d/ospf6_message.c: 2638 in ospf6_make_lsupdate_interface() ________________________________________________________________________________________________________ *** CID 1505410: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2637 in ospf6_make_lsupdate_interface() 2631 uint16_t length = OSPF6_LS_UPD_MIN_SIZE; 2632 struct ospf6_lsa *lsa, *lsanext; 2633 2634 /* skip over fixed header */ 2635 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2636
CID 1505410: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2637 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) { 2638 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2639 + OSPF6_HEADER_SIZE 2640 > ospf6_packet_max(oi)) { 2641 ospf6_fill_header(oi, (*op)->s, 2642 length + OSPF6_HEADER_SIZE); /ospf6d/ospf6_message.c: 2637 in ospf6_make_lsupdate_interface() 2631 uint16_t length = OSPF6_LS_UPD_MIN_SIZE; 2632 struct ospf6_lsa *lsa, *lsanext; 2633 2634 /* skip over fixed header */ 2635 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2636
CID 1505410: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2637 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) { 2638 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2639 + OSPF6_HEADER_SIZE 2640 > ospf6_packet_max(oi)) { 2641 ospf6_fill_header(oi, (*op)->s, 2642 length + OSPF6_HEADER_SIZE); /ospf6d/ospf6_message.c: 2638 in ospf6_make_lsupdate_interface() 2632 struct ospf6_lsa *lsa, *lsanext; 2633 2634 /* skip over fixed header */ 2635 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2636 2637 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
CID 1505410: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2638 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2639 + OSPF6_HEADER_SIZE 2640 > ospf6_packet_max(oi)) { 2641 ospf6_fill_header(oi, (*op)->s, 2642 length + OSPF6_HEADER_SIZE); 2643 (*op)->length = length + OSPF6_HEADER_SIZE; /ospf6d/ospf6_message.c: 2638 in ospf6_make_lsupdate_interface() 2632 struct ospf6_lsa *lsa, *lsanext; 2633 2634 /* skip over fixed header */ 2635 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2636 2637 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
CID 1505410: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2638 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2639 + OSPF6_HEADER_SIZE 2640 > ospf6_packet_max(oi)) { 2641 ospf6_fill_header(oi, (*op)->s, 2642 length + OSPF6_HEADER_SIZE); 2643 (*op)->length = length + OSPF6_HEADER_SIZE;
** CID 1505407: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1505407: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2313 in ospf6_make_lsack_neighbor() 2307 struct ospf6_packet **op) 2308 { 2309 uint16_t length = 0; 2310 struct ospf6_lsa *lsa, *lsanext; 2311 int lsa_cnt = 0; 2312
CID 1505407: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2313 for (ALL_LSDB(on->lsack_list, lsa, lsanext)) { 2314 if ((length + sizeof(struct ospf6_lsa_header) 2315 + OSPF6_HEADER_SIZE) 2316 > ospf6_packet_max(on->ospf6_if)) { 2317 /* if we run out of packet size/space here, 2318 better to try again soon. */ /ospf6d/ospf6_message.c: 2313 in ospf6_make_lsack_neighbor() 2307 struct ospf6_packet **op) 2308 { 2309 uint16_t length = 0; 2310 struct ospf6_lsa *lsa, *lsanext; 2311 int lsa_cnt = 0; 2312
CID 1505407: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2313 for (ALL_LSDB(on->lsack_list, lsa, lsanext)) { 2314 if ((length + sizeof(struct ospf6_lsa_header) 2315 + OSPF6_HEADER_SIZE) 2316 > ospf6_packet_max(on->ospf6_if)) { 2317 /* if we run out of packet size/space here, 2318 better to try again soon. */ /ospf6d/ospf6_message.c: 2335 in ospf6_make_lsack_neighbor() 2329 ospf6_make_header(OSPF6_MESSAGE_TYPE_LSACK, 2330 on->ospf6_if, (*op)->s); 2331 length = 0; 2332 lsa_cnt = 0; 2333 } 2334 }
CID 1505407: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2335 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay); 2336 stream_put((*op)->s, lsa->header, 2337 sizeof(struct ospf6_lsa_header)); 2338 length += sizeof(struct ospf6_lsa_header); 2339 2340 assert(lsa->lock == 2); /ospf6d/ospf6_message.c: 2335 in ospf6_make_lsack_neighbor() 2329 ospf6_make_header(OSPF6_MESSAGE_TYPE_LSACK, 2330 on->ospf6_if, (*op)->s); 2331 length = 0; 2332 lsa_cnt = 0; 2333 } 2334 }
CID 1505407: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2335 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay); 2336 stream_put((*op)->s, lsa->header, 2337 sizeof(struct ospf6_lsa_header)); 2338 length += sizeof(struct ospf6_lsa_header); 2339 2340 assert(lsa->lock == 2);
** CID 1504898: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1504898: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_dump.c: 585 in ospf_packet_dump() 579 ospf_packet_hello_dump(s, ntohs(ospfh->length)); 580 break; 581 case OSPF_MSG_DB_DESC: 582 ospf_packet_db_desc_dump(s, ntohs(ospfh->length)); 583 break; 584 case OSPF_MSG_LS_REQ:
CID 1504898: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "ntohs(ospfh->length)" to a tainted sink.
585 ospf_packet_ls_req_dump(s, ntohs(ospfh->length)); 586 break; 587 case OSPF_MSG_LS_UPD: 588 ospf_packet_ls_upd_dump(s, ntohs(ospfh->length)); 589 break; 590 case OSPF_MSG_LS_ACK:
** CID 1504897: Memory - corruptions (OVERRUN) /ospfd/ospf_apiserver.c: 1175 in ospf_apiserver_handle_register_event() ________________________________________________________________________________________________________ *** CID 1504897: Memory - corruptions (OVERRUN) /ospfd/ospf_apiserver.c: 1175 in ospf_apiserver_handle_register_event() 1169 size = ntohs(msg->hdr.msglen); 1170 if (size < OSPF_MAX_LSA_SIZE) { 1171 1172 apiserv->filter = XMALLOC(MTYPE_OSPF_APISERVER_MSGFILTER, size); 1173 1174 /* copy it over. */
CID 1504897: Memory - corruptions (OVERRUN) Overrunning struct type lsa_filter_type of 4 bytes by passing it to a function which accesses it at byte offset 1498 using argument "size" (which evaluates to 1499).
1175 memcpy(apiserv->filter, &rmsg->filter, size); 1176 rc = OSPF_API_OK; 1177 } else 1178 rc = OSPF_API_NOMEMORY; 1179 1180 /* Send a reply back to client with return code */
** CID 1504585: Insecure data handling (TAINTED_SCALAR) /ospfclient/ospf_apiclient.c: 334 in ospf_apiclient_send_request() ________________________________________________________________________________________________________ *** CID 1504585: Insecure data handling (TAINTED_SCALAR) /ospfclient/ospf_apiclient.c: 334 in ospf_apiclient_send_request() 328 /* Wait for reply */ /* NB: New "msg" is allocated by "msg_read()". */ 329 msg = msg_read(oclient->fd_sync); 330 if (!msg) 331 return -1; 332 333 assert(msg->hdr.msgtype == MSG_REPLY);
CID 1504585: Insecure data handling (TAINTED_SCALAR) Using tainted variable "reqseq" as a loop boundary.
334 assert(ntohl(msg->hdr.msgseq) == reqseq); 335 336 msgreply = (struct msg_reply *)STREAM_DATA(msg->s); 337 rc = msgreply->errcode; 338 msg_free(msg); 339
** CID 1497888: Memory - corruptions (OVERRUN) /ospfclient/ospf_apiclient.c: 623 in ospf_apiclient_handle_lsa_delete() ________________________________________________________________________________________________________ *** CID 1497888: Memory - corruptions (OVERRUN) /ospfclient/ospf_apiclient.c: 623 in ospf_apiclient_handle_lsa_delete() 617 __func__, lsalen, OSPF_MAX_LSA_SIZE); 618 return; 619 } 620 621 p = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen); 622
CID 1497888: Memory - corruptions (OVERRUN) Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500).
623 memcpy(p, &(cn->data), lsalen); 624 lsa = p; 625 626 /* Invoke registered update callback function */ 627 if (oclient->delete_notify) { 628 (oclient->delete_notify)(cn->ifaddr, cn->area_id,
** CID 1497886: Memory - corruptions (OVERRUN) /ospfclient/ospf_apiclient.c: 588 in ospf_apiclient_handle_lsa_update() ________________________________________________________________________________________________________ *** CID 1497886: Memory - corruptions (OVERRUN) /ospfclient/ospf_apiclient.c: 588 in ospf_apiclient_handle_lsa_update() 582 __func__, lsalen, OSPF_MAX_LSA_SIZE); 583 return; 584 } 585 586 p = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen); 587
CID 1497886: Memory - corruptions (OVERRUN) Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500).
588 memcpy(p, &(cn->data), lsalen); 589 lsa = p; 590 591 /* Invoke registered update callback function */ 592 if (oclient->update_notify) { 593 (oclient->update_notify)(cn->ifaddr, cn->area_id,
** CID 1485637: Incorrect expression (SIZEOF_MISMATCH) /qpb/qpb_allocator.h: 57 in qpb_alloc_ptr_array() ________________________________________________________________________________________________________ *** CID 1485637: Incorrect expression (SIZEOF_MISMATCH) /qpb/qpb_allocator.h: 57 in qpb_alloc_ptr_array() 51 * 52 * Allocate space for the specified number of pointers. 53 */ 54 static inline void *qpb_alloc_ptr_array(qpb_allocator_t *allocator, 55 size_t num_ptrs) 56 {
CID 1485637: Incorrect expression (SIZEOF_MISMATCH) Passing argument "num_ptrs * 8UL /* sizeof (void *) */" to function "qpb_alloc" which returns a value of type "void *" is suspicious.
57 return qpb_alloc(allocator, num_ptrs * sizeof(void *)); 58 } 59 60 /* 61 * qpb_free 62 */
** CID 1485635: Incorrect expression (SIZEOF_MISMATCH) /qpb/qpb.h: 124 in qpb__l3_prefix__get() ________________________________________________________________________________________________________ *** CID 1485635: Incorrect expression (SIZEOF_MISMATCH) /qpb/qpb.h: 124 in qpb__l3_prefix__get() 118 uint8_t family, struct prefix *prefix) 119 { 120 121 switch (family) { 122 123 case AF_INET:
CID 1485635: Incorrect expression (SIZEOF_MISMATCH) Passing argument "prefix" of type "struct prefix *" and argument "16UL" ("sizeof (struct prefix_ipv4)") to function "memset" is suspicious because a multiple of "sizeof (struct prefix) /*48*/" is expected.
124 memset(prefix, 0, sizeof(struct prefix_ipv4)); 125 break; 126 127 case AF_INET6: 128 memset(prefix, 0, sizeof(struct prefix_ipv6)); 129 break;
** CID 1482217: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1482217: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_packet.c: 355 in ospf_check_md5_digest() 349 EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE); 350 EVP_DigestFinal(ctx, digest, &md5_size); 351 EVP_MD_CTX_free(ctx); 352 #elif CRYPTO_INTERNAL 353 memset(&ctx, 0, sizeof(ctx)); 354 MD5Init(&ctx);
CID 1482217: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "length" to a tainted sink.
355 MD5Update(&ctx, ospfh, length); 356 MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE); 357 MD5Final(digest, &ctx); 358 #endif 359 360 /* compare the two */
** CID 1482211: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1482211: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_packet.c: 430 in ospf_make_md5_digest() 424 EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE); 425 EVP_DigestFinal(ctx, digest, &md5_size); 426 EVP_MD_CTX_free(ctx); 427 #elif CRYPTO_INTERNAL 428 memset(&ctx, 0, sizeof(ctx)); 429 MD5Init(&ctx);
CID 1482211: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "ntohs(ospfh->length)" to a tainted sink.
430 MD5Update(&ctx, ibuf, ntohs(ospfh->length)); 431 MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE); 432 MD5Final(digest, &ctx); 433 #endif 434 435 /* Append md5 digest to the end of the stream. */