New Defects reported by Coverity Scan for freerangerouting/frr
Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

2 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)

** CID 1482152: (TAINTED_SCALAR)
/bfdd/control.c: 465 in control_read()
/bfdd/control.c: 469 in control_read()

________________________________________________________________________________________________________
*** CID 1482152: (TAINTED_SCALAR)
/bfdd/control.c: 453 in control_read()
447         /* Prepare the buffer to load the message. */
448         bcs->bcs_version = bcm.bcm_ver;
449         bcs->bcs_type = bcm.bcm_type;
450
451         bcb->bcb_pos = sizeof(bcm);
452         bcb->bcb_left = plen;
CID 1482152: (TAINTED_SCALAR) Passing tainted variable "8UL + bcb->bcb_left + 1UL" to a tainted sink.
453         bcb->bcb_buf = XMALLOC(MTYPE_BFDD_NOTIFICATION,
454                                sizeof(bcm) + bcb->bcb_left + 1);
455         if (bcb->bcb_buf == NULL) {
456                 zlog_warn("%s: not enough memory for message size: %zu",
457                           __func__, bcb->bcb_left);
458                 control_free(bcs);
/bfdd/control.c: 465 in control_read()
459                 return 0;
460         }
461
462         memcpy(bcb->bcb_buf, &bcm, sizeof(bcm));
463
464         /* Terminate data string with NULL for later processing. */
CID 1482152: (TAINTED_SCALAR) Using tainted variable "8UL + bcb->bcb_left" as an index to pointer "(*bcb).bcb_buf".
465         bcb->bcb_buf[sizeof(bcm) + bcb->bcb_left] = 0;
466
467     skip_header:
468         /* Download the remaining data of the message and process it. */
469         bread = read(sd, &bcb->bcb_buf[bcb->bcb_pos], bcb->bcb_left);
470         if (bread == 0) {
/bfdd/control.c: 469 in control_read()
463
464         /* Terminate data string with NULL for later processing. */
465         bcb->bcb_buf[sizeof(bcm) + bcb->bcb_left] = 0;
466
467     skip_header:
468         /* Download the remaining data of the message and process it. */
CID 1482152: (TAINTED_SCALAR) Passing tainted variable "bcb->bcb_left" to a tainted sink.
469         bread = read(sd, &bcb->bcb_buf[bcb->bcb_pos], bcb->bcb_left);
470         if (bread == 0) {
471                 control_free(bcs);
472                 return 0;
473         }
474         if (bread < 0) {

** CID 1472627: Memory - illegal accesses (USE_AFTER_FREE)
/bfdd/control.c: 300 in control_queue_dequeue()

________________________________________________________________________________________________________
*** CID 1472627: Memory - illegal accesses (USE_AFTER_FREE)
/bfdd/control.c: 300 in control_queue_dequeue()
294         control_queue_free(bcs, bcq);
295
296         /* Get the next buffer to send. */
297         if (TAILQ_EMPTY(&bcs->bcs_bcqueue))
298                 goto empty_list;
299
CID 1472627: Memory - illegal accesses (USE_AFTER_FREE) Using freed pointer "bcs->bcs_bcqueue.tqh_first".
300         bcq = TAILQ_FIRST(&bcs->bcs_bcqueue);
301         bcs->bcs_bout = &bcq->bcq_bcb;
302
303         bcs->bcs_outev = NULL;
304         thread_add_write(master, control_write, bcs, bcs->bcs_sd,
305                          &bcs->bcs_outev);

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...

scan-admin@coverity.com