Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 101 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 101 defect(s) ** CID 1500587: Security best practices violations (DC.WEAK_CRYPTO) /pathd/pathd.c: 483 in srte_candidate_add() ________________________________________________________________________________________________________ *** CID 1500587: Security best practices violations (DC.WEAK_CRYPTO) /pathd/pathd.c: 483 in srte_candidate_add() 477 candidate = XCALLOC(MTYPE_PATH_SR_CANDIDATE, sizeof(*candidate)); 478 lsp = XCALLOC(MTYPE_PATH_SR_CANDIDATE, sizeof(*lsp)); 479 480 candidate->preference = preference; 481 candidate->policy = policy; 482 candidate->type = SRTE_CANDIDATE_TYPE_UNDEFINED;
CID 1500587: Security best practices violations (DC.WEAK_CRYPTO) "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
483 candidate->discriminator = rand(); 484 485 lsp->candidate = candidate; 486 candidate->lsp = lsp; 487 488 RB_INSERT(srte_candidate_head, &policy->candidate_paths, candidate);
** CID 1500586: Null pointer dereferences (FORWARD_NULL) /pbrd/pbr_nht.c: 773 in pbr_nht_individual_nexthop_gw_update() ________________________________________________________________________________________________________ *** CID 1500586: Null pointer dereferences (FORWARD_NULL) /pbrd/pbr_nht.c: 773 in pbr_nht_individual_nexthop_gw_update() 767 break; 768 } 769 } 770 goto done; 771 } 772
CID 1500586: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "pnhi->nhr".
773 switch (pnhi->nhr->prefix.family) { 774 case AF_INET: 775 if (pnhc->nexthop.gate.ipv4.s_addr 776 != pnhi->nhr->prefix.u.prefix4.s_addr) 777 goto done; /* Unrelated change */ 778 break;
** CID 1500585: API usage errors (LOCK) /pathd/path_zebra.c: 161 in path_zebra_router_id_update() ________________________________________________________________________________________________________ *** CID 1500585: API usage errors (LOCK) /pathd/path_zebra.c: 161 in path_zebra_router_id_update() 155 } else { 156 pthread_mutex_unlock(&g_router_id_v4_mtx); 157 zlog_warn("Unexpected router ID address family for vrf %u: %u", 158 vrf_id, pref.family); 159 return 0; 160 }
CID 1500585: API usage errors (LOCK) "pthread_mutex_unlock" unlocks "g_router_id_v4_mtx" while it is unlocked.
161 pthread_mutex_unlock(&g_router_id_v4_mtx); 162 zlog_info("%s Router Id updated for VRF %u: %s", family, vrf_id, buf); 163 return 0; 164 } 165 166 /**
** CID 1499854: Error handling issues (CHECKED_RETURN) /zebra/dplane_fpm_nl.c: 1239 in fpm_process_queue() ________________________________________________________________________________________________________ *** CID 1499854: Error handling issues (CHECKED_RETURN) /zebra/dplane_fpm_nl.c: 1239 in fpm_process_queue() 1233 frr_with_mutex (&fnc->ctxqueue_mutex) { 1234 ctx = dplane_ctx_dequeue(&fnc->ctxqueue); 1235 } 1236 if (ctx == NULL) 1237 break; 1238
CID 1499854: Error handling issues (CHECKED_RETURN) Calling "fpm_nl_enqueue" without checking its return value, although that return value is checked elsewhere 4 out of 5 times.
1239 fpm_nl_enqueue(fnc, ctx); 1240 1241 /* Account the processed entries. */ 1242 processed_contexts++; 1243 atomic_fetch_sub_explicit(&fnc->counters.ctxqueue_len, 1, 1244 memory_order_relaxed);
** CID 1499389: Null pointer dereferences (NULL_RETURNS) /bgpd/bgp_nb_config.c: 6295 in bgp_peer_group_peer_lookup() ________________________________________________________________________________________________________ *** CID 1499389: Null pointer dereferences (NULL_RETURNS) /bgpd/bgp_nb_config.c: 6295 in bgp_peer_group_peer_lookup() 6289 static struct peer *bgp_peer_group_peer_lookup(struct bgp *bgp, 6290 const char *peer_str) 6291 { 6292 struct peer_group *group = NULL; 6293 6294 group = peer_group_lookup(bgp, peer_str);
CID 1499389: Null pointer dereferences (NULL_RETURNS) Dereferencing "group", which is known to be "NULL".
6295 return group->conf; 6296 } 6297 6298 /* 6299 * XPath: 6300 * /frr-routing:routing/control-plane-protocols/control-plane-protocol/frr-bgp:bgp/peer-groups/peer-group
** CID 1497888: Memory - corruptions (OVERRUN) /ospfclient/ospf_apiclient.c: 620 in ospf_apiclient_handle_lsa_delete() ________________________________________________________________________________________________________ *** CID 1497888: Memory - corruptions (OVERRUN) /ospfclient/ospf_apiclient.c: 620 in ospf_apiclient_handle_lsa_delete() 614 __func__, lsalen, OSPF_MAX_LSA_SIZE); 615 return; 616 } 617 618 p = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen); 619
CID 1497888: Memory - corruptions (OVERRUN) Overrunning the 20-byte struct type lsa_header by passing it to a function that accesses it at byte offset 1499 via argument "lsalen" (which evaluates to 1500).
620 memcpy(p, &(cn->data), lsalen); 621 lsa = p; 622 623 /* Invoke registered update callback function */ 624 if (oclient->delete_notify) { 625 (oclient->delete_notify)(cn->ifaddr, cn->area_id,
** CID 1497887: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_gr_helper.c: 248 in ospf_extract_grace_lsa_fields() ________________________________________________________________________________________________________ *** CID 1497887: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_gr_helper.c: 248 in ospf_extract_grace_lsa_fields() 242 __func__, length); 243 return OSPF_GR_FAILURE; 244 } 245 246 length -= OSPF_LSA_HEADER_SIZE; 247
CID 1497887: Insecure data handling (TAINTED_SCALAR) Using tainted variable "length" as a loop boundary.
248 for (tlvh = TLV_HDR_TOP(lsah); sum < length; 249 tlvh = TLV_HDR_NEXT(tlvh)) { 250 251 /* Check TLV len against overall LSA */ 252 if (sum + TLV_SIZE(tlvh) > length) { 253 if (IS_DEBUG_OSPF_GR_HELPER)
** CID 1497886: Memory - corruptions (OVERRUN) /ospfclient/ospf_apiclient.c: 585 in ospf_apiclient_handle_lsa_update() ________________________________________________________________________________________________________ *** CID 1497886: Memory - corruptions (OVERRUN) /ospfclient/ospf_apiclient.c: 585 in ospf_apiclient_handle_lsa_update() 579 __func__, lsalen, OSPF_MAX_LSA_SIZE); 580 return; 581 } 582 583 p = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen); 584
CID 1497886: Memory - corruptions (OVERRUN) Overrunning the 20-byte struct type lsa_header by passing it to a function that accesses it at byte offset 1499 via argument "lsalen" (which evaluates to 1500).
585 memcpy(p, &(cn->data), lsalen); 586 lsa = p; 587 588 /* Invoke registered update callback function */ 589 if (oclient->update_notify) { 590 (oclient->update_notify)(cn->ifaddr, cn->area_id,
** CID 1497885: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_gr_helper.c: 1017 in show_ospf_grace_lsa_info() ________________________________________________________________________________________________________ *** CID 1497885: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_gr_helper.c: 1017 in show_ospf_grace_lsa_info() 1011 } 1012 1013 length -= OSPF_LSA_HEADER_SIZE; 1014 1015 vty_out(vty, " TLV info:\n"); 1016
CID 1497885: Insecure data handling (TAINTED_SCALAR) Using tainted variable "length" as a loop boundary.
1017 for (tlvh = TLV_HDR_TOP(lsah); sum < length; 1018 tlvh = TLV_HDR_NEXT(tlvh)) { 1019 /* Check TLV len */ 1020 if (sum + TLV_SIZE(tlvh) > length) { 1021 vty_out(vty, "%% Invalid TLV length: %u\n", 1022 TLV_SIZE(tlvh));
** CID 1497792: (USE_AFTER_FREE) /ospf6d/ospf6_interface.c: 1135 in ospf6_interface_show() /ospf6d/ospf6_interface.c: 1146 in ospf6_interface_show() /ospf6d/ospf6_interface.c: 1135 in ospf6_interface_show() /ospf6d/ospf6_interface.c: 1146 in ospf6_interface_show() /ospf6d/ospf6_interface.c: 1101 in ospf6_interface_show() /ospf6d/ospf6_interface.c: 1101 in ospf6_interface_show() /ospf6d/ospf6_interface.c: 1120 in ospf6_interface_show() /ospf6d/ospf6_interface.c: 1120 in ospf6_interface_show() ________________________________________________________________________________________________________ *** CID 1497792: (USE_AFTER_FREE) /ospf6d/ospf6_interface.c: 1135 in ospf6_interface_show() 1129 timerstring(&res, duration, sizeof(duration)); 1130 vty_out(vty, 1131 " %d Pending LSAs for LSUpdate in Time %s [thread %s]\n", 1132 oi->lsupdate_list->count, duration, 1133 (oi->thread_send_lsupdate ? "on" : "off")); 1134 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext))
CID 1497792: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1135 vty_out(vty, " %s\n", lsa->name); 1136 1137 timerclear(&res); 1138 if (oi->thread_send_lsack) 1139 timersub(&oi->thread_send_lsack->u.sands, &now, &res); 1140 timerstring(&res, duration, sizeof(duration)); /ospf6d/ospf6_interface.c: 1146 in ospf6_interface_show() 1140 timerstring(&res, duration, sizeof(duration)); 1141 vty_out(vty, 1142 " %d Pending LSAs for LSAck in Time %s [thread %s]\n", 1143 oi->lsack_list->count, duration, 1144 (oi->thread_send_lsack ? "on" : "off")); 1145 for (ALL_LSDB(oi->lsack_list, lsa, lsanext))
CID 1497792: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1146 vty_out(vty, " %s\n", lsa->name); 1147 } 1148 ospf6_bfd_show_info(vty, oi->bfd_info, 1, json_obj, use_json); 1149 return 0; 1150 } 1151 /ospf6d/ospf6_interface.c: 1135 in ospf6_interface_show() 1129 timerstring(&res, duration, sizeof(duration)); 1130 vty_out(vty, 1131 " %d Pending LSAs for LSUpdate in Time %s [thread %s]\n", 1132 oi->lsupdate_list->count, duration, 1133 (oi->thread_send_lsupdate ? "on" : "off")); 1134 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext))
CID 1497792: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1135 vty_out(vty, " %s\n", lsa->name); 1136 1137 timerclear(&res); 1138 if (oi->thread_send_lsack) 1139 timersub(&oi->thread_send_lsack->u.sands, &now, &res); 1140 timerstring(&res, duration, sizeof(duration)); /ospf6d/ospf6_interface.c: 1146 in ospf6_interface_show() 1140 timerstring(&res, duration, sizeof(duration)); 1141 vty_out(vty, 1142 " %d Pending LSAs for LSAck in Time %s [thread %s]\n", 1143 oi->lsack_list->count, duration, 1144 (oi->thread_send_lsack ? "on" : "off")); 1145 for (ALL_LSDB(oi->lsack_list, lsa, lsanext))
CID 1497792: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1146 vty_out(vty, " %s\n", lsa->name); 1147 } 1148 ospf6_bfd_show_info(vty, oi->bfd_info, 1, json_obj, use_json); 1149 return 0; 1150 } 1151 /ospf6d/ospf6_interface.c: 1101 in ospf6_interface_show() 1095 json_object_string_add( 1096 json_obj, "lsUpdateSendThread", 1097 (oi->thread_send_lsupdate ? "on" : "off")); 1098 1099 json_arr = json_object_new_array(); 1100 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext))
CID 1497792: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1101 json_object_array_add( 1102 json_arr, json_object_new_string(lsa->name)); 1103 json_object_object_add(json_obj, "pendingLsaLsUpdate", 1104 json_arr); 1105 1106 timerclear(&res); /ospf6d/ospf6_interface.c: 1101 in ospf6_interface_show() 1095 json_object_string_add( 1096 json_obj, "lsUpdateSendThread", 1097 (oi->thread_send_lsupdate ? "on" : "off")); 1098 1099 json_arr = json_object_new_array(); 1100 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext))
CID 1497792: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1101 json_object_array_add( 1102 json_arr, json_object_new_string(lsa->name)); 1103 json_object_object_add(json_obj, "pendingLsaLsUpdate", 1104 json_arr); 1105 1106 timerclear(&res); /ospf6d/ospf6_interface.c: 1120 in ospf6_interface_show() 1114 duration); 1115 json_object_string_add(json_obj, "lsAckSendThread", 1116 (oi->thread_send_lsack ? "on" : "off")); 1117 1118 json_arr = json_object_new_array(); 1119 for (ALL_LSDB(oi->lsack_list, lsa, lsanext))
CID 1497792: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1120 json_object_array_add( 1121 json_arr, json_object_new_string(lsa->name)); 1122 json_object_object_add(json_obj, "pendingLsaLsAck", json_arr); 1123 1124 } else { 1125 timerclear(&res); /ospf6d/ospf6_interface.c: 1120 in ospf6_interface_show() 1114 duration); 1115 json_object_string_add(json_obj, "lsAckSendThread", 1116 (oi->thread_send_lsack ? "on" : "off")); 1117 1118 json_arr = json_object_new_array(); 1119 for (ALL_LSDB(oi->lsack_list, lsa, lsanext))
CID 1497792: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1120 json_object_array_add( 1121 json_arr, json_object_new_string(lsa->name)); 1122 json_object_object_add(json_obj, "pendingLsaLsAck", json_arr); 1123 1124 } else { 1125 timerclear(&res);
** CID 1497791: (USE_AFTER_FREE) /ospf6d/ospf6_snmp.c: 685 in ospfv3GeneralGroup() /ospf6d/ospf6_snmp.c: 685 in ospfv3GeneralGroup() ________________________________________________________________________________________________________ *** CID 1497791: (USE_AFTER_FREE) /ospf6d/ospf6_snmp.c: 685 in ospfv3GeneralGroup() 679 return SNMP_INTEGER(ospf6->lsdb->count); 680 return SNMP_INTEGER(0); 681 case OSPFv3ASSCOPELSACHECKSUMSUM: 682 if (ospf6) { 683 sum = 0; 684 for (ALL_LSDB(ospf6->lsdb, lsa, lsanext))
CID 1497791: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
685 sum += ntohs(lsa->header->checksum); 686 return SNMP_INTEGER(sum); 687 } 688 return SNMP_INTEGER(0); 689 case OSPFv3ORIGINATENEWLSAS: 690 return SNMP_INTEGER( /ospf6d/ospf6_snmp.c: 685 in ospfv3GeneralGroup() 679 return SNMP_INTEGER(ospf6->lsdb->count); 680 return SNMP_INTEGER(0); 681 case OSPFv3ASSCOPELSACHECKSUMSUM: 682 if (ospf6) { 683 sum = 0; 684 for (ALL_LSDB(ospf6->lsdb, lsa, lsanext))
CID 1497791: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
685 sum += ntohs(lsa->header->checksum); 686 return SNMP_INTEGER(sum); 687 } 688 return SNMP_INTEGER(0); 689 case OSPFv3ORIGINATENEWLSAS: 690 return SNMP_INTEGER(
** CID 1497790: (USE_AFTER_FREE) /ospf6d/ospf6_asbr.c: 1090 in ospf6_asbr_send_externals_to_area() /ospf6d/ospf6_asbr.c: 1090 in ospf6_asbr_send_externals_to_area() ________________________________________________________________________________________________________ *** CID 1497790: (USE_AFTER_FREE) /ospf6d/ospf6_asbr.c: 1090 in ospf6_asbr_send_externals_to_area() 1084 /* When an area is unstubified, flood all the external LSAs in the area */ 1085 void ospf6_asbr_send_externals_to_area(struct ospf6_area *oa) 1086 { 1087 struct ospf6_lsa *lsa, *lsanext; 1088 1089 for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) {
CID 1497790: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1090 if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL) { 1091 zlog_debug("%s: Flooding AS-External LSA %s", 1092 __func__, lsa->name); 1093 ospf6_flood_area(NULL, lsa, oa); 1094 } 1095 } /ospf6d/ospf6_asbr.c: 1090 in ospf6_asbr_send_externals_to_area() 1084 /* When an area is unstubified, flood all the external LSAs in the area */ 1085 void ospf6_asbr_send_externals_to_area(struct ospf6_area *oa) 1086 { 1087 struct ospf6_lsa *lsa, *lsanext; 1088 1089 for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) {
CID 1497790: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1090 if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL) { 1091 zlog_debug("%s: Flooding AS-External LSA %s", 1092 __func__, lsa->name); 1093 ospf6_flood_area(NULL, lsa, oa); 1094 } 1095 }
** CID 1497789: (USE_AFTER_FREE) /ospf6d/ospf6_snmp.c: 1184 in ospfv3IfEntry() /ospf6d/ospf6_snmp.c: 1184 in ospfv3IfEntry() ________________________________________________________________________________________________________ *** CID 1497789: (USE_AFTER_FREE) /ospf6d/ospf6_snmp.c: 1184 in ospfv3IfEntry() 1178 return SNMP_INTEGER(oi->cost); 1179 case OSPFv3IFLINKSCOPELSACOUNT: 1180 return SNMP_INTEGER(oi->lsdb->count); 1181 case OSPFv3IFLINKLSACKSUMSUM: 1182 sum = 0; 1183 for (ALL_LSDB(oi->lsdb, lsa, lsanext))
CID 1497789: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1184 sum += ntohs(lsa->header->checksum); 1185 return SNMP_INTEGER(sum); 1186 case OSPFv3IFDEMANDNBRPROBE: 1187 case OSPFv3IFDEMANDNBRPROBERETRANSLIMIT: 1188 case OSPFv3IFDEMANDNBRPROBEINTERVAL: 1189 case OSPFv3IFTEDISABLED: /ospf6d/ospf6_snmp.c: 1184 in ospfv3IfEntry() 1178 return SNMP_INTEGER(oi->cost); 1179 case OSPFv3IFLINKSCOPELSACOUNT: 1180 return SNMP_INTEGER(oi->lsdb->count); 1181 case OSPFv3IFLINKLSACKSUMSUM: 1182 sum = 0; 1183 for (ALL_LSDB(oi->lsdb, lsa, lsanext))
CID 1497789: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1184 sum += ntohs(lsa->header->checksum); 1185 return SNMP_INTEGER(sum); 1186 case OSPFv3IFDEMANDNBRPROBE: 1187 case OSPFv3IFDEMANDNBRPROBERETRANSLIMIT: 1188 case OSPFv3IFDEMANDNBRPROBEINTERVAL: 1189 case OSPFv3IFTEDISABLED:
** CID 1497788: (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 835 in ospf6_neighbor_show_detail() /ospf6d/ospf6_neighbor.c: 782 in ospf6_neighbor_show_detail() /ospf6d/ospf6_neighbor.c: 909 in ospf6_neighbor_show_detail() /ospf6d/ospf6_neighbor.c: 835 in ospf6_neighbor_show_detail() /ospf6d/ospf6_neighbor.c: 855 in ospf6_neighbor_show_detail() /ospf6d/ospf6_neighbor.c: 818 in ospf6_neighbor_show_detail() /ospf6d/ospf6_neighbor.c: 818 in ospf6_neighbor_show_detail() /ospf6d/ospf6_neighbor.c: 791 in ospf6_neighbor_show_detail() /ospf6d/ospf6_neighbor.c: 872 in ospf6_neighbor_show_detail() /ospf6d/ospf6_neighbor.c: 782 in ospf6_neighbor_show_detail() /ospf6d/ospf6_neighbor.c: 800 in ospf6_neighbor_show_detail() /ospf6d/ospf6_neighbor.c: 872 in ospf6_neighbor_show_detail() /ospf6d/ospf6_neighbor.c: 855 in ospf6_neighbor_show_detail() /ospf6d/ospf6_neighbor.c: 800 in ospf6_neighbor_show_detail() /ospf6d/ospf6_neighbor.c: 791 in ospf6_neighbor_show_detail() ________________________________________________________________________________________________________ *** CID 1497788: (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 835 in ospf6_neighbor_show_detail() 829 json_object_string_add(json_neighbor, "pendingLsaLsReqTime", 830 duration); 831 json_object_string_add(json_neighbor, "lsReqSendThread", 832 (on->thread_send_lsreq ? "on" : "off")); 833 json_array = json_object_new_array(); 834 for (ALL_LSDB(on->request_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
835 json_object_array_add( 836 json_array, json_object_new_string(lsa->name)); 837 json_object_object_add(json_neighbor, "pendingLsaLsReq", 838 json_array); 839 840 /ospf6d/ospf6_neighbor.c: 782 in ospf6_neighbor_show_detail() 776 (unsigned long)ntohl(on->dbdesc_seqnum)); 777 778 json_array = json_object_new_array(); 779 json_object_int_add(json_neighbor, "summaryListCount", 780 on->summary_list->count); 781 for (ALL_LSDB(on->summary_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
782 json_object_array_add( 783 json_array, json_object_new_string(lsa->name)); 784 json_object_object_add(json_neighbor, "summaryListLsa", 785 json_array); 786 787 json_array = json_object_new_array(); /ospf6d/ospf6_neighbor.c: 909 in ospf6_neighbor_show_detail() 903 : "Slave"), 904 (unsigned long)ntohl(on->dbdesc_seqnum)); 905 906 vty_out(vty, " Summary-List: %d LSAs\n", 907 on->summary_list->count); 908 for (ALL_LSDB(on->summary_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
909 vty_out(vty, " %s\n", lsa->name); 910 911 vty_out(vty, " Request-List: %d LSAs\n", 912 on->request_list->count); 913 for (ALL_LSDB(on->request_list, lsa, lsanext)) 914 vty_out(vty, " %s\n", lsa->name); /ospf6d/ospf6_neighbor.c: 835 in ospf6_neighbor_show_detail() 829 json_object_string_add(json_neighbor, "pendingLsaLsReqTime", 830 duration); 831 json_object_string_add(json_neighbor, "lsReqSendThread", 832 (on->thread_send_lsreq ? "on" : "off")); 833 json_array = json_object_new_array(); 834 for (ALL_LSDB(on->request_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
835 json_object_array_add( 836 json_array, json_object_new_string(lsa->name)); 837 json_object_object_add(json_neighbor, "pendingLsaLsReq", 838 json_array); 839 840 /ospf6d/ospf6_neighbor.c: 855 in ospf6_neighbor_show_detail() 849 duration); 850 json_object_string_add( 851 json_neighbor, "lsUpdateSendThread", 852 (on->thread_send_lsupdate ? "on" : "off")); 853 json_array = json_object_new_array(); 854 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
855 json_object_array_add( 856 json_array, json_object_new_string(lsa->name)); 857 json_object_object_add(json_neighbor, "pendingLsaLsUpdate", 858 json_array); 859 860 timerclear(&res); /ospf6d/ospf6_neighbor.c: 818 in ospf6_neighbor_show_detail() 812 json_object_string_add(json_neighbor, "pendingLsaDbDescTime", 813 duration); 814 json_object_string_add(json_neighbor, "dbDescSendThread", 815 (on->thread_send_dbdesc ? "on" : "off")); 816 json_array = json_object_new_array(); 817 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
818 json_object_array_add( 819 json_array, json_object_new_string(lsa->name)); 820 json_object_object_add(json_neighbor, "pendingLsaDbDesc", 821 json_array); 822 823 timerclear(&res); /ospf6d/ospf6_neighbor.c: 818 in ospf6_neighbor_show_detail() 812 json_object_string_add(json_neighbor, "pendingLsaDbDescTime", 813 duration); 814 json_object_string_add(json_neighbor, "dbDescSendThread", 815 (on->thread_send_dbdesc ? "on" : "off")); 816 json_array = json_object_new_array(); 817 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
818 json_object_array_add( 819 json_array, json_object_new_string(lsa->name)); 820 json_object_object_add(json_neighbor, "pendingLsaDbDesc", 821 json_array); 822 823 timerclear(&res); /ospf6d/ospf6_neighbor.c: 791 in ospf6_neighbor_show_detail() 785 json_array); 786 787 json_array = json_object_new_array(); 788 json_object_int_add(json_neighbor, "requestListCount", 789 on->request_list->count); 790 for (ALL_LSDB(on->request_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
791 json_object_array_add( 792 json_array, json_object_new_string(lsa->name)); 793 json_object_object_add(json_neighbor, "requestListLsa", 794 json_array); 795 796 json_array = json_object_new_array(); /ospf6d/ospf6_neighbor.c: 872 in ospf6_neighbor_show_detail() 866 json_object_string_add(json_neighbor, "pendingLsaLsAckTime", 867 duration); 868 json_object_string_add(json_neighbor, "lsAckSendThread", 869 (on->thread_send_lsack ? "on" : "off")); 870 json_array = json_object_new_array(); 871 for (ALL_LSDB(on->lsack_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
872 json_object_array_add( 873 json_array, json_object_new_string(lsa->name)); 874 json_object_object_add(json_neighbor, "pendingLsaLsAck", 875 json_array); 876 877 ospf6_bfd_show_info(vty, on->bfd_info, 0, json_neighbor, /ospf6d/ospf6_neighbor.c: 782 in ospf6_neighbor_show_detail() 776 (unsigned long)ntohl(on->dbdesc_seqnum)); 777 778 json_array = json_object_new_array(); 779 json_object_int_add(json_neighbor, "summaryListCount", 780 on->summary_list->count); 781 for (ALL_LSDB(on->summary_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
782 json_object_array_add( 783 json_array, json_object_new_string(lsa->name)); 784 json_object_object_add(json_neighbor, "summaryListLsa", 785 json_array); 786 787 json_array = json_object_new_array(); /ospf6d/ospf6_neighbor.c: 800 in ospf6_neighbor_show_detail() 794 json_array); 795 796 json_array = json_object_new_array(); 797 json_object_int_add(json_neighbor, "reTransListCount", 798 on->retrans_list->count); 799 for (ALL_LSDB(on->retrans_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
800 json_object_array_add( 801 json_array, json_object_new_string(lsa->name)); 802 json_object_object_add(json_neighbor, "reTransListLsa", 803 json_array); 804 805 /ospf6d/ospf6_neighbor.c: 872 in ospf6_neighbor_show_detail() 866 json_object_string_add(json_neighbor, "pendingLsaLsAckTime", 867 duration); 868 json_object_string_add(json_neighbor, "lsAckSendThread", 869 (on->thread_send_lsack ? "on" : "off")); 870 json_array = json_object_new_array(); 871 for (ALL_LSDB(on->lsack_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
872 json_object_array_add( 873 json_array, json_object_new_string(lsa->name)); 874 json_object_object_add(json_neighbor, "pendingLsaLsAck", 875 json_array); 876 877 ospf6_bfd_show_info(vty, on->bfd_info, 0, json_neighbor, /ospf6d/ospf6_neighbor.c: 855 in ospf6_neighbor_show_detail() 849 duration); 850 json_object_string_add( 851 json_neighbor, "lsUpdateSendThread", 852 (on->thread_send_lsupdate ? "on" : "off")); 853 json_array = json_object_new_array(); 854 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
855 json_object_array_add( 856 json_array, json_object_new_string(lsa->name)); 857 json_object_object_add(json_neighbor, "pendingLsaLsUpdate", 858 json_array); 859 860 timerclear(&res); /ospf6d/ospf6_neighbor.c: 800 in ospf6_neighbor_show_detail() 794 json_array); 795 796 json_array = json_object_new_array(); 797 json_object_int_add(json_neighbor, "reTransListCount", 798 on->retrans_list->count); 799 for (ALL_LSDB(on->retrans_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
800 json_object_array_add( 801 json_array, json_object_new_string(lsa->name)); 802 json_object_object_add(json_neighbor, "reTransListLsa", 803 json_array); 804 805 /ospf6d/ospf6_neighbor.c: 791 in ospf6_neighbor_show_detail() 785 json_array); 786 787 json_array = json_object_new_array(); 788 json_object_int_add(json_neighbor, "requestListCount", 789 on->request_list->count); 790 for (ALL_LSDB(on->request_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
791 json_object_array_add( 792 json_array, json_object_new_string(lsa->name)); 793 json_object_object_add(json_neighbor, "requestListLsa", 794 json_array); 795 796 json_array = json_object_new_array();
** CID 1497787: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send() /ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send() /ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send() ________________________________________________________________________________________________________ *** CID 1497787: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send() 1936 /* set Request entries in lsreq */ 1937 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header)); 1938 for (ALL_LSDB(on->request_list, lsa, lsanext)) { 1939 /* MTU check */ 1940 if (p - sendbuf + sizeof(struct ospf6_lsreq_entry) 1941 > ospf6_packet_max(on->ospf6_if)) {
CID 1497787: (USE_AFTER_FREE) Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa", which has already been freed.
1942 ospf6_lsdb_lsa_unlock(lsa); 1943 break; 1944 } 1945 1946 e = (struct ospf6_lsreq_entry *)p; 1947 e->type = lsa->header->type; /ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send() 1936 /* set Request entries in lsreq */ 1937 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header)); 1938 for (ALL_LSDB(on->request_list, lsa, lsanext)) { 1939 /* MTU check */ 1940 if (p - sendbuf + sizeof(struct ospf6_lsreq_entry) 1941 > ospf6_packet_max(on->ospf6_if)) {
CID 1497787: (USE_AFTER_FREE) Passing freed pointer "lsa" as an argument to "ospf6_lsdb_lsa_unlock".
1942 ospf6_lsdb_lsa_unlock(lsa); 1943 break; 1944 } 1945 1946 e = (struct ospf6_lsreq_entry *)p; 1947 e->type = lsa->header->type; /ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send() 1936 /* set Request entries in lsreq */ 1937 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header)); 1938 for (ALL_LSDB(on->request_list, lsa, lsanext)) { 1939 /* MTU check */ 1940 if (p - sendbuf + sizeof(struct ospf6_lsreq_entry) 1941 > ospf6_packet_max(on->ospf6_if)) {
CID 1497787: (USE_AFTER_FREE) Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa", which has already been freed.
1942 ospf6_lsdb_lsa_unlock(lsa); 1943 break; 1944 } 1945 1946 e = (struct ospf6_lsreq_entry *)p; 1947 e->type = lsa->header->type; /ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send() 1941 > ospf6_packet_max(on->ospf6_if)) { 1942 ospf6_lsdb_lsa_unlock(lsa); 1943 break; 1944 } 1945 1946 e = (struct ospf6_lsreq_entry *)p;
CID 1497787: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1947 e->type = lsa->header->type; 1948 e->id = lsa->header->id; 1949 e->adv_router = lsa->header->adv_router; 1950 p += sizeof(struct ospf6_lsreq_entry); 1951 last_req = lsa; 1952 } /ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send() 1941 > ospf6_packet_max(on->ospf6_if)) { 1942 ospf6_lsdb_lsa_unlock(lsa); 1943 break; 1944 } 1945 1946 e = (struct ospf6_lsreq_entry *)p;
CID 1497787: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1947 e->type = lsa->header->type; 1948 e->id = lsa->header->id; 1949 e->adv_router = lsa->header->adv_router; 1950 p += sizeof(struct ospf6_lsreq_entry); 1951 last_req = lsa; 1952 }
** CID 1497786: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1497786: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 1837 in ospf6_dbdesc_send() 1831 dbdesc->seqnum = htonl(on->dbdesc_seqnum); 1832 1833 /* if this is not initial one, set LSA headers in dbdesc */ 1834 p = (uint8_t *)((caddr_t)dbdesc + sizeof(struct ospf6_dbdesc)); 1835 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) { 1836 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
CID 1497786: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
1837 ospf6_lsa_age_update_to_send(lsa, 1838 on->ospf6_if->transdelay); 1839 1840 /* MTU check */ 1841 if (p - sendbuf + sizeof(struct ospf6_lsa_header) 1842 > ospf6_packet_max(on->ospf6_if)) { /ospf6d/ospf6_message.c: 1837 in ospf6_dbdesc_send() 1831 dbdesc->seqnum = htonl(on->dbdesc_seqnum); 1832 1833 /* if this is not initial one, set LSA headers in dbdesc */ 1834 p = (uint8_t *)((caddr_t)dbdesc + sizeof(struct ospf6_dbdesc)); 1835 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) { 1836 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
CID 1497786: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
1837 ospf6_lsa_age_update_to_send(lsa, 1838 on->ospf6_if->transdelay); 1839 1840 /* MTU check */ 1841 if (p - sendbuf + sizeof(struct ospf6_lsa_header) 1842 > ospf6_packet_max(on->ospf6_if)) {
** CID 1496729: Integer handling issues (SIGN_EXTENSION) /bgpd/bgp_ecommunity.c: 268 in ecommunity_dup() ________________________________________________________________________________________________________ *** CID 1496729: Integer handling issues (SIGN_EXTENSION) /bgpd/bgp_ecommunity.c: 268 in ecommunity_dup() 262 struct ecommunity *new; 263 264 new = XCALLOC(MTYPE_ECOMMUNITY, sizeof(struct ecommunity)); 265 new->size = ecom->size; 266 new->unit_size = ecom->unit_size; 267 if (new->size) {
CID 1496729: Integer handling issues (SIGN_EXTENSION) Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "ecom->size * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom->size * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
268 new->val = XMALLOC(MTYPE_ECOMMUNITY_VAL, 269 ecom->size * ecom->unit_size); 270 memcpy(new->val, ecom->val, 271 (size_t)ecom->size * (size_t)ecom->unit_size); 272 } else 273 new->val = NULL;
** CID 1496726: Integer handling issues (SIGN_EXTENSION) /bgpd/bgp_ecommunity.c: 1259 in ecommunity_strip() ________________________________________________________________________________________________________ *** CID 1496726: Integer handling issues (SIGN_EXTENSION) /bgpd/bgp_ecommunity.c: 1259 in ecommunity_strip() 1253 XFREE(MTYPE_ECOMMUNITY_VAL, ecom->val); 1254 ecom->size = 0; 1255 return true; 1256 } 1257 1258 /* Strip matching ext community(ies). */
CID 1496726: Integer handling issues (SIGN_EXTENSION) Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "(ecom->size - found) * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(ecom->size - found) * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1259 new = XMALLOC(MTYPE_ECOMMUNITY_VAL, 1260 (ecom->size - found) * ecom->unit_size); 1261 q = new; 1262 for (c = 0, p = ecom->val; c < ecom->size; c++, p += ecom->unit_size) { 1263 if (!(p[0] == type && p[1] == subtype)) { 1264 memcpy(q, p, ecom->unit_size);
** CID 1496724: (SIGN_EXTENSION) /bgpd/bgp_ecommunity.c: 1300 in ecommunity_del_val() /bgpd/bgp_ecommunity.c: 1298 in ecommunity_del_val() /bgpd/bgp_ecommunity.c: 1304 in ecommunity_del_val() ________________________________________________________________________________________________________ *** CID 1496724: (SIGN_EXTENSION) /bgpd/bgp_ecommunity.c: 1300 in ecommunity_del_val() 1294 return false; 1295 1296 /* Delete the selected value */ 1297 ecom->size--; 1298 p = XMALLOC(MTYPE_ECOMMUNITY_VAL, ecom->size * ecom->unit_size); 1299 if (c != 0)
CID 1496724: (SIGN_EXTENSION) Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "c * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "c * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1300 memcpy(p, ecom->val, c * ecom->unit_size); 1301 if ((ecom->size - c) != 0) 1302 memcpy(p + (c)*ecom->unit_size, 1303 ecom->val + (c + 1) * ecom->unit_size, 1304 (ecom->size - c) * ecom->unit_size); 1305 XFREE(MTYPE_ECOMMUNITY_VAL, ecom->val); /bgpd/bgp_ecommunity.c: 1298 in ecommunity_del_val() 1292 } 1293 if (found == 0) 1294 return false; 1295 1296 /* Delete the selected value */ 1297 ecom->size--;
CID 1496724: (SIGN_EXTENSION) Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "ecom->size * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom->size * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1298 p = XMALLOC(MTYPE_ECOMMUNITY_VAL, ecom->size * ecom->unit_size); 1299 if (c != 0) 1300 memcpy(p, ecom->val, c * ecom->unit_size); 1301 if ((ecom->size - c) != 0) 1302 memcpy(p + (c)*ecom->unit_size, 1303 ecom->val + (c + 1) * ecom->unit_size, /bgpd/bgp_ecommunity.c: 1304 in ecommunity_del_val() 1298 p = XMALLOC(MTYPE_ECOMMUNITY_VAL, ecom->size * ecom->unit_size); 1299 if (c != 0) 1300 memcpy(p, ecom->val, c * ecom->unit_size); 1301 if ((ecom->size - c) != 0) 1302 memcpy(p + (c)*ecom->unit_size, 1303 ecom->val + (c + 1) * ecom->unit_size,
CID 1496724: (SIGN_EXTENSION) Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "(ecom->size - c) * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(ecom->size - c) * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1304 (ecom->size - c) * ecom->unit_size); 1305 XFREE(MTYPE_ECOMMUNITY_VAL, ecom->val); 1306 ecom->val = p; 1307 return true; 1308 } 1309
** CID 1496723: (SIGN_EXTENSION) /bgpd/bgp_ecommunity.c: 158 in ecommunity_add_val_internal() /bgpd/bgp_ecommunity.c: 164 in ecommunity_add_val_internal() /bgpd/bgp_ecommunity.c: 106 in ecommunity_add_val_internal() ________________________________________________________________________________________________________ *** CID 1496723: (SIGN_EXTENSION) /bgpd/bgp_ecommunity.c: 158 in ecommunity_add_val_internal() 152 153 if (ins_idx == -1) 154 ins_idx = c; 155 156 /* Add the value to the structure with numerical sorting. */ 157 ecom->size++;
CID 1496723: (SIGN_EXTENSION) Suspicious implicit sign extension: "ecom_size" with type "uint8_t" (8 bits, unsigned) is promoted in "ecom->size * ecom_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom->size * ecom_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
158 ecom->val = XREALLOC(MTYPE_ECOMMUNITY_VAL, ecom->val, 159 ecom_length_size(ecom, ecom_size)); 160 161 162 memmove(ecom->val + ((ins_idx + 1) * ecom_size), 163 ecom->val + (ins_idx * ecom_size), /bgpd/bgp_ecommunity.c: 164 in ecommunity_add_val_internal() 158 ecom->val = XREALLOC(MTYPE_ECOMMUNITY_VAL, ecom->val, 159 ecom_length_size(ecom, ecom_size)); 160 161 162 memmove(ecom->val + ((ins_idx + 1) * ecom_size), 163 ecom->val + (ins_idx * ecom_size),
CID 1496723: (SIGN_EXTENSION) Suspicious implicit sign extension: "ecom_size" with type "uint8_t" (8 bits, unsigned) is promoted in "(ecom->size - 1 - ins_idx) * ecom_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(ecom->size - 1 - ins_idx) * ecom_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
164 (ecom->size - 1 - ins_idx) * ecom_size); 165 memcpy(ecom->val + (ins_idx * ecom_size), 166 eval, ecom_size); 167 168 return true; 169 } /bgpd/bgp_ecommunity.c: 106 in ecommunity_add_val_internal() 100 const struct ecommunity_val_ipv6 *eval6 = 101 (struct ecommunity_val_ipv6 *)eval; 102 103 /* When this is fist value, just add it. */ 104 if (ecom->val == NULL) { 105 ecom->size = 1;
CID 1496723: (SIGN_EXTENSION) Suspicious implicit sign extension: "ecom_size" with type "uint8_t" (8 bits, unsigned) is promoted in "ecom->size * ecom_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom->size * ecom_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
106 ecom->val = XMALLOC(MTYPE_ECOMMUNITY_VAL, 107 ecom_length_size(ecom, ecom_size)); 108 memcpy(ecom->val, eval, ecom_size); 109 return true; 110 } 111
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...