New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 38 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 26 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 38 defect(s) ** CID 1568213: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1568213: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_auth.c: 203 in ospf_auth_check_md5_digest() 197 EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE); 198 EVP_DigestFinal(ctx, digest, &md5_size); 199 EVP_MD_CTX_free(ctx); 200 #elif CRYPTO_INTERNAL 201 memset(&ctx, 0, sizeof(ctx)); 202 MD5Init(&ctx);
CID 1568213: Insecure data handling (TAINTED_SCALAR) Passing tainted expression "length" to "md5_loop", which uses it as a loop boundary.
203 MD5Update(&ctx, ospfh, length); 204 MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE); 205 MD5Final(digest, &ctx); 206 #endif 207 208 /* compare the two */
** CID 1568212: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1568212: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_auth.c: 254 in ospf_auth_make_md5_digest() 248 EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE); 249 EVP_DigestFinal(ctx, digest, &md5_size); 250 EVP_MD_CTX_free(ctx); 251 #elif CRYPTO_INTERNAL 252 memset(&ctx, 0, sizeof(ctx)); 253 MD5Init(&ctx);
CID 1568212: Insecure data handling (TAINTED_SCALAR) Passing tainted expression "length" to "md5_loop", which uses it as a loop boundary.
254 MD5Update(&ctx, ospfh, length); 255 MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE); 256 MD5Final(digest, &ctx); 257 #endif 258 259 stream_put(op->s, digest, OSPF_AUTH_MD5_SIZE);
** CID 1568211: Integer handling issues (BAD_SHIFT) /pimd/pim6_mld.c: 178 in gm_gsq_pends_del() ________________________________________________________________________________________________________ *** CID 1568211: Integer handling issues (BAD_SHIFT) /pimd/pim6_mld.c: 178 in gm_gsq_pends_del() 172 { 173 uint32_t seed = a->s_bit ? 0x68f0eb5e : 0x156b7f19; 174 175 return jhash(&a->grp, sizeof(a->grp), seed); 176 } 177
CID 1568211: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
178 DECLARE_HASH(gm_gsq_pends, struct gm_gsq_pending, itm, gm_gsq_pending_cmp, 179 gm_gsq_pending_hash); 180 181 /* 182 * interface -> (S,G) 183 */
** CID 1568210: Integer handling issues (BAD_SHIFT) /vtysh/vtysh_config.c: 88 in config_master_hash_del() ________________________________________________________________________________________________________ *** CID 1568210: Integer handling issues (BAD_SHIFT) /vtysh/vtysh_config.c: 88 in config_master_hash_del() 82 static uint32_t config_hash(const struct config *c) 83 { 84 return string_hash_make(c->name); 85 } 86 87 DECLARE_LIST(config_master, struct config, rbt_item);
CID 1568210: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
88 DECLARE_HASH(config_master_hash, struct config, hash_item, config_cmp, 89 config_hash); 90 91 /* 92 * The config_master_head is a list for order of receipt 93 * The hash is for quick lookup under this NODE
** CID 1568209: Integer handling issues (BAD_SHIFT) /lib/event.c: 105 in cpu_records_const_next() ________________________________________________________________________________________________________ *** CID 1568209: Integer handling issues (BAD_SHIFT) /lib/event.c: 105 in cpu_records_const_next() 99 static int cpu_record_hash_cmp(const struct cpu_event_history *a, 100 const struct cpu_event_history *b) 101 { 102 return numcmp((uintptr_t)a->func, (uintptr_t)b->func); 103 } 104
CID 1568209: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
105 DECLARE_HASH(cpu_records, struct cpu_event_history, item, cpu_record_hash_cmp, 106 cpu_record_hash_key); 107 108 static struct cpu_event_history *cpu_records_get(struct event_loop *loop, 109 void (*func)(struct event *e), 110 const char *funcname)
** CID 1568208: Integer handling issues (BAD_SHIFT) /zebra/zebra_opaque.c: 54 in opq_regh_const_next() ________________________________________________________________________________________________________ *** CID 1568208: Integer handling issues (BAD_SHIFT) /zebra/zebra_opaque.c: 54 in opq_regh_const_next() 48 49 /* Registration helper prototypes */ 50 static uint32_t registration_hash(const struct opq_msg_reg *reg); 51 static int registration_compare(const struct opq_msg_reg *reg1, 52 const struct opq_msg_reg *reg2); 53
CID 1568208: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
54 DECLARE_HASH(opq_regh, struct opq_msg_reg, item, registration_compare, 55 registration_hash); 56 57 static struct opq_regh_head opq_reg_hash; 58 59 /*
** CID 1568207: Integer handling issues (BAD_SHIFT) /pathd/path_pcep_pcc.c: 139 in nbkey_map_del() ________________________________________________________________________________________________________ *** CID 1568207: Integer handling issues (BAD_SHIFT) /pathd/path_pcep_pcc.c: 139 in nbkey_map_del() 133 const struct req_map_data *b); 134 static uint32_t req_map_hash(const struct req_map_data *e); 135 136 /* Data Structure Declarations */ 137 DECLARE_HASH(plspid_map, struct plspid_map_data, mi, plspid_map_cmp, 138 plspid_map_hash);
CID 1568207: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
139 DECLARE_HASH(nbkey_map, struct nbkey_map_data, mi, nbkey_map_cmp, 140 nbkey_map_hash); 141 DECLARE_HASH(req_map, struct req_map_data, mi, req_map_cmp, req_map_hash); 142 143 static inline int req_entry_compare(const struct req_entry *a, 144 const struct req_entry *b)
** CID 1568206: Integer handling issues (BAD_SHIFT) /lib/event.c: 105 in cpu_records_del() ________________________________________________________________________________________________________ *** CID 1568206: Integer handling issues (BAD_SHIFT) /lib/event.c: 105 in cpu_records_del() 99 static int cpu_record_hash_cmp(const struct cpu_event_history *a, 100 const struct cpu_event_history *b) 101 { 102 return numcmp((uintptr_t)a->func, (uintptr_t)b->func); 103 } 104
CID 1568206: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
105 DECLARE_HASH(cpu_records, struct cpu_event_history, item, cpu_record_hash_cmp, 106 cpu_record_hash_key); 107 108 static struct cpu_event_history *cpu_records_get(struct event_loop *loop, 109 void (*func)(struct event *e), 110 const char *funcname)
** CID 1568205: Integer handling issues (BAD_SHIFT) /bgpd/bgp_bmp.c: 197 in bmp_qhash_del() ________________________________________________________________________________________________________ *** CID 1568205: Integer handling issues (BAD_SHIFT) /bgpd/bgp_bmp.c: 197 in bmp_qhash_del() 191 + PSIZE(e->rd.prefixlen), 192 key); 193 194 return key; 195 } 196
CID 1568205: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
197 DECLARE_HASH(bmp_qhash, struct bmp_queue_entry, bhi, 198 bmp_qhash_cmp, bmp_qhash_hkey); 199 200 static int bmp_active_cmp(const struct bmp_active *a, 201 const struct bmp_active *b) 202 {
** CID 1568204: Integer handling issues (BAD_SHIFT) /bgpd/bgp_bmp.c: 80 in bmp_bgph_const_next() ________________________________________________________________________________________________________ *** CID 1568204: Integer handling issues (BAD_SHIFT) /bgpd/bgp_bmp.c: 80 in bmp_bgph_const_next() 74 75 static uint32_t bmp_bgp_hash(const struct bmp_bgp *e) 76 { 77 return jhash(&e->bgp, sizeof(e->bgp), 0x55aa5a5a); 78 } 79
CID 1568204: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
80 DECLARE_HASH(bmp_bgph, struct bmp_bgp, bbi, bmp_bgp_cmp, bmp_bgp_hash); 81 82 struct bmp_bgph_head bmp_bgph; 83 84 static int bmp_bgp_peer_cmp(const struct bmp_bgp_peer *a, 85 const struct bmp_bgp_peer *b)
** CID 1568203: Integer handling issues (BAD_SHIFT) /zebra/zebra_opaque.c: 54 in opq_regh_del() ________________________________________________________________________________________________________ *** CID 1568203: Integer handling issues (BAD_SHIFT) /zebra/zebra_opaque.c: 54 in opq_regh_del() 48 49 /* Registration helper prototypes */ 50 static uint32_t registration_hash(const struct opq_msg_reg *reg); 51 static int registration_compare(const struct opq_msg_reg *reg1, 52 const struct opq_msg_reg *reg2); 53
CID 1568203: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
54 DECLARE_HASH(opq_regh, struct opq_msg_reg, item, registration_compare, 55 registration_hash); 56 57 static struct opq_regh_head opq_reg_hash; 58 59 /*
** CID 1568202: Integer handling issues (BAD_SHIFT) /pathd/path_pcep_pcc.c: 137 in plspid_map_const_next() ________________________________________________________________________________________________________ *** CID 1568202: Integer handling issues (BAD_SHIFT) /pathd/path_pcep_pcc.c: 137 in plspid_map_const_next() 131 static uint32_t nbkey_map_hash(const struct nbkey_map_data *e); 132 static int req_map_cmp(const struct req_map_data *a, 133 const struct req_map_data *b); 134 static uint32_t req_map_hash(const struct req_map_data *e); 135 136 /* Data Structure Declarations */
CID 1568202: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
137 DECLARE_HASH(plspid_map, struct plspid_map_data, mi, plspid_map_cmp, 138 plspid_map_hash); 139 DECLARE_HASH(nbkey_map, struct nbkey_map_data, mi, nbkey_map_cmp, 140 nbkey_map_hash); 141 DECLARE_HASH(req_map, struct req_map_data, mi, req_map_cmp, req_map_hash); 142
** CID 1568201: Integer handling issues (BAD_SHIFT) /lib/qobj.c: 32 in qobj_nodes_del() ________________________________________________________________________________________________________ *** CID 1568201: Integer handling issues (BAD_SHIFT) /lib/qobj.c: 32 in qobj_nodes_del() 26 return -1; 27 if (na->nid > nb->nid) 28 return 1; 29 return 0; 30 } 31
CID 1568201: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
32 DECLARE_HASH(qobj_nodes, struct qobj_node, nodehash, 33 qobj_cmp, qobj_hash); 34 35 static pthread_rwlock_t nodes_lock; 36 static struct qobj_nodes_head nodes = { }; 37
** CID 1568200: Integer handling issues (BAD_SHIFT) /staticd/static_zebra.c: 69 in static_nht_hash_del() ________________________________________________________________________________________________________ *** CID 1568200: Integer handling issues (BAD_SHIFT) /staticd/static_zebra.c: 69 in static_nht_hash_del() 63 unsigned int key = 0; 64 65 key = prefix_hash_key(&nhtd->nh); 66 return jhash_2words(nhtd->nh_vrf_id, nhtd->safi, key); 67 } 68
CID 1568200: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
69 DECLARE_HASH(static_nht_hash, struct static_nht_data, itm, static_nht_data_cmp, 70 static_nht_data_hash); 71 72 static struct static_nht_hash_head static_nht_hash[1]; 73 74 /* Zebra structure to hold current status. */
** CID 1568199: Integer handling issues (BAD_SHIFT) /pimd/pim6_mld.c: 249 in gm_subscribers_const_next() ________________________________________________________________________________________________________ *** CID 1568199: Integer handling issues (BAD_SHIFT) /pimd/pim6_mld.c: 249 in gm_subscribers_const_next() 243 244 static uint32_t gm_subscriber_hash(const struct gm_subscriber *a) 245 { 246 return jhash(&a->addr, sizeof(a->addr), 0xd0e94ad4); 247 } 248
CID 1568199: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
249 DECLARE_HASH(gm_subscribers, struct gm_subscriber, itm, gm_subscriber_cmp, 250 gm_subscriber_hash); 251 252 static struct gm_subscriber *gm_subscriber_findref(struct gm_if *gm_ifp, 253 pim_addr addr) 254 {
** CID 1568198: Integer handling issues (BAD_SHIFT) /bgpd/bgp_bmp.c: 99 in bmp_peerh_const_next() ________________________________________________________________________________________________________ *** CID 1568198: Integer handling issues (BAD_SHIFT) /bgpd/bgp_bmp.c: 99 in bmp_peerh_const_next() 93 94 static uint32_t bmp_bgp_peer_hash(const struct bmp_bgp_peer *e) 95 { 96 return e->peerid; 97 } 98
CID 1568198: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
99 DECLARE_HASH(bmp_peerh, struct bmp_bgp_peer, bpi, 100 bmp_bgp_peer_cmp, bmp_bgp_peer_hash); 101 102 struct bmp_peerh_head bmp_peerh; 103 104 DECLARE_LIST(bmp_mirrorq, struct bmp_mirrorq, bmi);
** CID 1568197: Integer handling issues (BAD_SHIFT) /lib/table.c: 28 in rn_hash_node_del() ________________________________________________________________________________________________________ *** CID 1568197: Integer handling issues (BAD_SHIFT) /lib/table.c: 28 in rn_hash_node_del() 22 static int route_table_hash_cmp(const struct route_node *a, 23 const struct route_node *b) 24 { 25 return prefix_cmp(&a->p, &b->p); 26 } 27
CID 1568197: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
28 DECLARE_HASH(rn_hash_node, struct route_node, nodehash, route_table_hash_cmp, 29 prefix_hash_key); 30 /* 31 * route_table_init_with_delegate 32 */ 33 struct route_table *
** CID 1568196: Integer handling issues (BAD_SHIFT) /lib/routemap.c: 49 in rmap_cmd_name_const_next() ________________________________________________________________________________________________________ *** CID 1568196: Integer handling issues (BAD_SHIFT) /lib/routemap.c: 49 in rmap_cmd_name_const_next() 43 44 static uint32_t rmap_cmd_name_hash(const struct route_map_rule_cmd_proxy *item) 45 { 46 return jhash(item->cmd->str, strlen(item->cmd->str), 0xbfd69320); 47 } 48
CID 1568196: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
49 DECLARE_HASH(rmap_cmd_name, struct route_map_rule_cmd_proxy, itm, 50 rmap_cmd_name_cmp, rmap_cmd_name_hash); 51 52 static struct rmap_cmd_name_head rmap_match_cmds[1] = { 53 INIT_HASH(rmap_match_cmds[0]), 54 };
** CID 1568195: Integer handling issues (BAD_SHIFT) /bgpd/bgp_bmp.c: 99 in bmp_peerh_del() ________________________________________________________________________________________________________ *** CID 1568195: Integer handling issues (BAD_SHIFT) /bgpd/bgp_bmp.c: 99 in bmp_peerh_del() 93 94 static uint32_t bmp_bgp_peer_hash(const struct bmp_bgp_peer *e) 95 { 96 return e->peerid; 97 } 98
CID 1568195: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
99 DECLARE_HASH(bmp_peerh, struct bmp_bgp_peer, bpi, 100 bmp_bgp_peer_cmp, bmp_bgp_peer_hash); 101 102 struct bmp_peerh_head bmp_peerh; 103 104 DECLARE_LIST(bmp_mirrorq, struct bmp_mirrorq, bmi);
** CID 1568194: Integer handling issues (BAD_SHIFT) /pimd/pim6_mld.c: 178 in gm_gsq_pends_const_next() ________________________________________________________________________________________________________ *** CID 1568194: Integer handling issues (BAD_SHIFT) /pimd/pim6_mld.c: 178 in gm_gsq_pends_const_next() 172 { 173 uint32_t seed = a->s_bit ? 0x68f0eb5e : 0x156b7f19; 174 175 return jhash(&a->grp, sizeof(a->grp), seed); 176 } 177
CID 1568194: Integer handling issues (BAD_SHIFT) In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
178 DECLARE_HASH(gm_gsq_pends, struct gm_gsq_pending, itm, gm_gsq_pending_cmp, 179 gm_gsq_pending_hash); 180 181 /* 182 * interface -> (S,G) 183 */
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...
participants (1)
-
scan-admin@coverity.com