New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 16 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 26 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 16 of 16 defect(s) ** CID 1472239: (RESOURCE_LEAK) /bgpd/bgp_flowspec_vty.c: 361 in route_vty_out_flowspec() /bgpd/bgp_flowspec_vty.c: 361 in route_vty_out_flowspec() ________________________________________________________________________________________________________ *** CID 1472239: (RESOURCE_LEAK) /bgpd/bgp_flowspec_vty.c: 361 in route_vty_out_flowspec() 355 unit++; 356 } 357 if (unit) 358 vty_out(vty, ")"); 359 vty_out(vty, "\n"); 360 list_delete_all_node(list_bpm);
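CID 1472239: (RESOURCE_LEAK) Variable "list_bpm" going out of scope leaks the storage it points to. Line 360 calls list_delete_all_node(), which appears to release the list's nodes but not the list object itself; confirm whether the list header still has to be freed on this path.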
361 } else 362 vty_out(vty, "\tnot installed in PBR\n"); 363 } 364 } 365 366 int bgp_show_table_flowspec(struct vty *vty, struct bgp *bgp, afi_t afi, /bgpd/bgp_flowspec_vty.c: 361 in route_vty_out_flowspec() 355 unit++; 356 } 357 if (unit) 358 vty_out(vty, ")"); 359 vty_out(vty, "\n"); 360 list_delete_all_node(list_bpm);
CID 1472239: (RESOURCE_LEAK) Variable "list_bpm" going out of scope leaks the storage it points to.
361 } else 362 vty_out(vty, "\tnot installed in PBR\n"); 363 } 364 } 365 366 int bgp_show_table_flowspec(struct vty *vty, struct bgp *bgp, afi_t afi,
** CID 1472238: Control flow issues (DEADCODE) /bgpd/bgp_evpn_vty.c: 2831 in no_bgp_evpn_advertise_default_vni_gw() ________________________________________________________________________________________________________ *** CID 1472238: Control flow issues (DEADCODE) /bgpd/bgp_evpn_vty.c: 2831 in no_bgp_evpn_advertise_default_vni_gw() 2825 VTY_DECLVAR_CONTEXT_SUB(bgpevpn, vpn); 2826 2827 if (!bgp) 2828 return CMD_WARNING; 2829 2830 if (!vpn)
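CID 1472238: Control flow issues (DEADCODE) Execution cannot reach this statement: "return 1;". The statement is the preprocessed form of "return CMD_WARNING;" on line 2831; the "if (!vpn)" check guarding it is presumably redundant because VTY_DECLVAR_CONTEXT_SUB(bgpevpn, vpn) on line 2825 already returns when "vpn" is NULL (confirm against the macro definition). CIDs 1472231, 1472230 and 1472225 below report the same pattern.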
2831 return CMD_WARNING; 2832 2833 evpn_unset_advertise_default_gw(bgp, vpn); 2834 2835 return CMD_SUCCESS; 2836 }
** CID 1472237: Null pointer dereferences (FORWARD_NULL) /bgpd/bgp_table.c: 160 in bgp_table_range_lookup() ________________________________________________________________________________________________________ *** CID 1472237: Null pointer dereferences (FORWARD_NULL) /bgpd/bgp_table.c: 160 in bgp_table_range_lookup() 154 break; 155 } 156 node = bgp_node_from_rnode(node->link[prefix_bit( 157 &p->u.prefix, node->p.prefixlen)]); 158 } 159
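CID 1472237: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "node". Line 160 reads node->p.prefixlen or node->parent without a NULL check, although the loop ending on line 158 reassigns "node" from node->link[...] and can presumably leave it NULL.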
160 if ((matched == NULL && node->p.prefixlen > maxlen) || !node->parent) 161 return; 162 else if (matched == NULL) 163 matched = node = bgp_node_from_rnode(node->parent); 164 165 if (matched->info) {
** CID 1472236: (NEGATIVE_RETURNS) ________________________________________________________________________________________________________ *** CID 1472236: (NEGATIVE_RETURNS) /zebra/kernel_netlink.c: 1086 in kernel_init() 1080 if (fcntl(zns->netlink_cmd.sock, F_SETFL, O_NONBLOCK) < 0) 1081 zlog_err("Can't set %s socket error: %s(%d)", 1082 zns->netlink_cmd.name, safe_strerror(errno), errno); 1083 1084 /* Set receive buffer size if it's set from command line */ 1085 if (nl_rcvbufsize)
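CID 1472236: (NEGATIVE_RETURNS) "zns->netlink.sock" is passed to a parameter that cannot be negative. The finding implies the descriptor can still hold a negative value at this point, presumably because a failed socket setup earlier in kernel_init() (outside this excerpt) does not stop execution before line 1086; the fcntl() failure on line 1080 is likewise only logged.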
1086 netlink_recvbuf(&zns->netlink, nl_rcvbufsize); 1087 1088 netlink_install_filter(zns->netlink.sock, 1089 zns->netlink_cmd.snl.nl_pid); 1090 zns->t_netlink = NULL; 1091 /zebra/kernel_netlink.c: 1088 in kernel_init() 1082 zns->netlink_cmd.name, safe_strerror(errno), errno); 1083 1084 /* Set receive buffer size if it's set from command line */ 1085 if (nl_rcvbufsize) 1086 netlink_recvbuf(&zns->netlink, nl_rcvbufsize); 1087
CID 1472236: (NEGATIVE_RETURNS) "zns->netlink.sock" is passed to a parameter that cannot be negative.
1088 netlink_install_filter(zns->netlink.sock, 1089 zns->netlink_cmd.snl.nl_pid); 1090 zns->t_netlink = NULL; 1091 1092 thread_add_read(zebrad.master, kernel_read, zns, 1093 zns->netlink.sock, &zns->t_netlink);
** CID 1472235: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1472235: Null pointer dereferences (FORWARD_NULL) /bgpd/bgp_debug_clippy.c: 114 in no_debug_bgp_update_prefix_afi_safi() 108 } 109 #if 0 /* anything that can fail? */ 110 if (_failcnt) 111 return CMD_WARNING; 112 #endif 113 #endif
CID 1472235: Null pointer dereferences (FORWARD_NULL) Passing null pointer "afi" to "no_debug_bgp_update_prefix_afi_safi_magic", which dereferences it.
114 return no_debug_bgp_update_prefix_afi_safi_magic(self, vty, argc, argv, afi, safi, mac, ip);
** CID 1472234: Error handling issues (CHECKED_RETURN) /pimd/pim_rp.c: 855 in pim_rp_g() ________________________________________________________________________________________________________ *** CID 1472234: Error handling issues (CHECKED_RETURN) /pimd/pim_rp.c: 855 in pim_rp_g() 849 prefix2str(&g, buf1, sizeof(buf1)); 850 zlog_debug( 851 "%s: Nexthop cache not found for RP %s grp %s register with Zebra", 852 __PRETTY_FUNCTION__, buf, buf1); 853 } 854 pim_rpf_set_refresh_time(pim);
CID 1472234: Error handling issues (CHECKED_RETURN) Calling "pim_ecmp_nexthop_lookup" without checking return value (as is done elsewhere 6 out of 7 times).
855 pim_ecmp_nexthop_lookup(pim, 856 &rp_info->rp.source_nexthop, 857 &nht_p, &rp_info->group, 1); 858 } 859 return (&rp_info->rp); 860 }
** CID 1472233: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1472233: Null pointer dereferences (FORWARD_NULL) /bgpd/bgp_debug_clippy.c: 56 in debug_bgp_update_prefix_afi_safi() 50 } 51 #if 0 /* anything that can fail? */ 52 if (_failcnt) 53 return CMD_WARNING; 54 #endif 55 #endif
CID 1472233: Null pointer dereferences (FORWARD_NULL) Passing null pointer "afi" to "debug_bgp_update_prefix_afi_safi_magic", which dereferences it.
56 return debug_bgp_update_prefix_afi_safi_magic(self, vty, argc, argv, afi, safi, mac, ip); 57 } 58 59 /* no_debug_bgp_update_prefix_afi_safi => "no debug bgp updates prefix <l2vpn>$afi <evpn>$safi type <macip mac WORD [ip WORD]|multicast ip WORD |prefix ip WORD>" */ 60 DEFUN_CMD_FUNC_DECL(no_debug_bgp_update_prefix_afi_safi) 61 #define funcdecl_no_debug_bgp_update_prefix_afi_safi static int no_debug_bgp_update_prefix_afi_safi_magic(\
** CID 1472232: Error handling issues (CHECKED_RETURN) /bgpd/bgp_route.c: 5204 in bgp_static_set_safi() ________________________________________________________________________________________________________ *** CID 1472232: Error handling issues (CHECKED_RETURN) /bgpd/bgp_route.c: 5204 in bgp_static_set_safi() 5198 sizeof(struct eth_segment_id)); 5199 str2esi(esi, bgp_static->eth_s_id); 5200 } 5201 if (routermac) { 5202 bgp_static->router_mac = 5203 XCALLOC(MTYPE_ATTR, ETH_ALEN + 1);
CID 1472232: Error handling issues (CHECKED_RETURN) Calling "prefix_str2mac" without checking return value (as is done elsewhere 6 out of 7 times).
5204 prefix_str2mac(routermac, 5205 bgp_static->router_mac); 5206 } 5207 if (gwip) 5208 prefix_copy(&bgp_static->gatewayIp, &gw_ip); 5209 }
** CID 1472231: Control flow issues (DEADCODE) /bgpd/bgp_evpn_vty.c: 2811 in bgp_evpn_advertise_default_gw_vni() ________________________________________________________________________________________________________ *** CID 1472231: Control flow issues (DEADCODE) /bgpd/bgp_evpn_vty.c: 2811 in bgp_evpn_advertise_default_gw_vni() 2805 VTY_DECLVAR_CONTEXT_SUB(bgpevpn, vpn); 2806 2807 if (!bgp) 2808 return CMD_WARNING; 2809 2810 if (!vpn)
CID 1472231: Control flow issues (DEADCODE) Execution cannot reach this statement: "return 1;".
2811 return CMD_WARNING; 2812 2813 evpn_set_advertise_default_gw(bgp, vpn); 2814 2815 return CMD_SUCCESS; 2816 }
** CID 1472230: Control flow issues (DEADCODE) /bgpd/bgp_evpn_vty.c: 2976 in bgp_evpn_advertise_vni_subnet() ________________________________________________________________________________________________________ *** CID 1472230: Control flow issues (DEADCODE) /bgpd/bgp_evpn_vty.c: 2976 in bgp_evpn_advertise_vni_subnet() 2970 VTY_DECLVAR_CONTEXT_SUB(bgpevpn, vpn); 2971 2972 if (!bgp) 2973 return CMD_WARNING; 2974 2975 if (!vpn)
CID 1472230: Control flow issues (DEADCODE) Execution cannot reach this statement: "return 1;".
2976 return CMD_WARNING; 2977 2978 bgp_vrf = bgp_lookup_by_vrf_id(vpn->tenant_vrf_id); 2979 if (!bgp_vrf) 2980 return CMD_WARNING; 2981
** CID 1472229: (RETURN_LOCAL) /bgpd/bgp_updgrp_adv.c: 766 in subgroup_default_originate() /bgpd/bgp_updgrp_adv.c: 771 in subgroup_default_originate() /bgpd/bgp_updgrp_adv.c: 792 in subgroup_default_originate() ________________________________________________________________________________________________________ *** CID 1472229: (RETURN_LOCAL) /bgpd/bgp_updgrp_adv.c: 766 in subgroup_default_originate() 760 UNSET_FLAG(subgrp->sflags, SUBGRP_STATUS_DEFAULT_ORIGINATE); 761 } else { 762 if (!CHECK_FLAG(subgrp->sflags, 763 SUBGRP_STATUS_DEFAULT_ORIGINATE)) { 764 765 if (bgp_flag_check(bgp, BGP_FLAG_GRACEFUL_SHUTDOWN)) {
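CID 1472229: (RETURN_LOCAL) Using "info", which points to an out-of-scope variable "tmp_info". According to this finding "info" is a dangling pointer to a local whose lifetime has ended, so the info->attr accesses on lines 766, 771 and 792 are undefined behavior.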
766 bgp_attr_add_gshut_community(info->attr); 767 } 768 769 SET_FLAG(subgrp->sflags, 770 SUBGRP_STATUS_DEFAULT_ORIGINATE); 771 subgroup_default_update_packet(subgrp, info->attr, /bgpd/bgp_updgrp_adv.c: 771 in subgroup_default_originate() 765 if (bgp_flag_check(bgp, BGP_FLAG_GRACEFUL_SHUTDOWN)) { 766 bgp_attr_add_gshut_community(info->attr); 767 } 768 769 SET_FLAG(subgrp->sflags, 770 SUBGRP_STATUS_DEFAULT_ORIGINATE);
CID 1472229: (RETURN_LOCAL) Using "info", which points to an out-of-scope variable "tmp_info".
771 subgroup_default_update_packet(subgrp, info->attr, 772 from); 773 774 /* The 'neighbor x.x.x.x default-originate' default will 775 * act as an 776 * implicit withdraw for any previous UPDATEs sent for /bgpd/bgp_updgrp_adv.c: 792 in subgroup_default_originate() 786 &p, NULL); 787 bgp_adj_out_unset_subgroup( 788 rn, subgrp, 0, 789 BGP_ADDPATH_TX_ID_FOR_DEFAULT_ORIGINATE); 790 } 791 }
CID 1472229: (RETURN_LOCAL) Using "info", which points to an out-of-scope variable "tmp_info".
792 aspath_unintern(&info->attr->aspath); 793 } 794 795 /* 796 * Announce the BGP table to a subgroup. 797 *
** CID 1472228: (RESOURCE_LEAK) /bgpd/bgp_debug.c: 1504 in no_debug_bgp_update_prefix_afi_safi_magic() /bgpd/bgp_debug.c: 1533 in no_debug_bgp_update_prefix_afi_safi_magic() /bgpd/bgp_debug.c: 1533 in no_debug_bgp_update_prefix_afi_safi_magic() ________________________________________________________________________________________________________ *** CID 1472228: (RESOURCE_LEAK) /bgpd/bgp_debug.c: 1504 in no_debug_bgp_update_prefix_afi_safi_magic() 1498 safiz = safi ? bgp_vty_safi_from_str(safi) : SAFI_UNICAST; 1499 1500 /* check for evpn route type */ 1501 if (afiz == AFI_L2VPN && safiz == SAFI_EVPN) { 1502 ret = bgp_debug_parse_evpn_prefix(vty, argv, argc, &argv_p); 1503 if (ret != CMD_SUCCESS)
CID 1472228: (RESOURCE_LEAK) Variable "argv_p" going out of scope leaks the storage it points to.
1504 return ret; 1505 } else { 1506 (void)str2prefix(argv[idx_ipv4_ipv6_prefixlen]->arg, argv_p); 1507 apply_mask(argv_p); 1508 } 1509 /bgpd/bgp_debug.c: 1533 in no_debug_bgp_update_prefix_afi_safi_magic() 1527 vty_out(vty, "BGP updates debugging is off for %s\n", 1528 argv[idx_ipv4_ipv6_prefixlen]->arg); 1529 else 1530 vty_out(vty, "BGP updates debugging was not enabled for %s\n", 1531 argv[idx_ipv4_ipv6_prefixlen]->arg); 1532
CID 1472228: (RESOURCE_LEAK) Variable "argv_p" going out of scope leaks the storage it points to.
1533 return CMD_SUCCESS; 1534 } 1535 1536 1537 DEFUN (debug_bgp_update_prefix, 1538 debug_bgp_update_prefix_cmd, /bgpd/bgp_debug.c: 1533 in no_debug_bgp_update_prefix_afi_safi_magic() 1527 vty_out(vty, "BGP updates debugging is off for %s\n", 1528 argv[idx_ipv4_ipv6_prefixlen]->arg); 1529 else 1530 vty_out(vty, "BGP updates debugging was not enabled for %s\n", 1531 argv[idx_ipv4_ipv6_prefixlen]->arg); 1532
CID 1472228: (RESOURCE_LEAK) Variable "argv_p" going out of scope leaks the storage it points to.
1533 return CMD_SUCCESS; 1534 } 1535 1536 1537 DEFUN (debug_bgp_update_prefix, 1538 debug_bgp_update_prefix_cmd,
** CID 1472227: (DEADCODE) /ospfd/ospf_lsa.c: 1899 in ospf_translated_nssa_refresh() /ospfd/ospf_lsa.c: 1912 in ospf_translated_nssa_refresh() /ospfd/ospf_lsa.c: 1921 in ospf_translated_nssa_refresh() ________________________________________________________________________________________________________ *** CID 1472227: (DEADCODE) /ospfd/ospf_lsa.c: 1899 in ospf_translated_nssa_refresh() 1893 return NULL; 1894 } 1895 1896 /* do we have valid translated type5? */ 1897 if (type5 == NULL || !CHECK_FLAG(type5->flags, OSPF_LSA_LOCAL_XLT)) { 1898 if (IS_DEBUG_OSPF_NSSA)
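CID 1472227: (DEADCODE) Execution cannot reach the expression ""(null)"" inside this statement: "zlog_debug("ospf_translated...". The function already returns when "type7" is NULL (lines 1887-1894, shown under CID 1302499), so the "(null)" arm of the "type7 ? ... : "(null)"" expression on line 1902 can never be selected.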
1899 zlog_debug( 1900 "ospf_translated_nssa_refresh(): No translated Type-5 " 1901 "found for Type-7 with Id %s", 1902 type7 ? inet_ntoa(type7->data->id) : "(null)"); 1903 return NULL; 1904 } /ospfd/ospf_lsa.c: 1912 in ospf_translated_nssa_refresh() 1906 /* Delete LSA from neighbor retransmit-list. */ 1907 ospf_ls_retransmit_delete_nbr_as(ospf, type5); 1908 1909 /* create new translated LSA */ 1910 if ((new = ospf_lsa_translated_nssa_new(ospf, type7)) == NULL) { 1911 if (IS_DEBUG_OSPF_NSSA)
CID 1472227: (DEADCODE) Execution cannot reach the expression ""(null)"" inside this statement: "zlog_debug("ospf_translated...".
1912 zlog_debug( 1913 "ospf_translated_nssa_refresh(): Could not translate " 1914 "Type-7 for %s to Type-5", 1915 type7 ? inet_ntoa(type7->data->id) : "(null)"); 1916 return NULL; 1917 } /ospfd/ospf_lsa.c: 1921 in ospf_translated_nssa_refresh() 1915 type7 ? inet_ntoa(type7->data->id) : "(null)"); 1916 return NULL; 1917 } 1918 1919 if (!(new = ospf_lsa_install(ospf, NULL, new))) { 1920 if (IS_DEBUG_OSPF_NSSA)
CID 1472227: (DEADCODE) Execution cannot reach the expression ""(null)"" inside this statement: "zlog_debug("ospf_translated...".
1921 zlog_debug( 1922 "ospf_translated_nssa_refresh(): Could not install " 1923 "translated LSA, Id %s", 1924 type7 ? inet_ntoa(type7->data->id) : "(null)"); 1925 return NULL; 1926 }
** CID 1472226: (RESOURCE_LEAK) /bgpd/bgp_debug.c: 1436 in debug_bgp_update_prefix_afi_safi_magic() /bgpd/bgp_debug.c: 1449 in debug_bgp_update_prefix_afi_safi_magic() /bgpd/bgp_debug.c: 1462 in debug_bgp_update_prefix_afi_safi_magic() ________________________________________________________________________________________________________ *** CID 1472226: (RESOURCE_LEAK) /bgpd/bgp_debug.c: 1436 in debug_bgp_update_prefix_afi_safi_magic() 1430 safiz = safi ? bgp_vty_safi_from_str(safi) : SAFI_UNICAST; 1431 1432 /* check for evpn route type */ 1433 if (afiz == AFI_L2VPN && safiz == SAFI_EVPN) { 1434 ret = bgp_debug_parse_evpn_prefix(vty, argv, argc, &argv_p); 1435 if (ret != CMD_SUCCESS)
CID 1472226: (RESOURCE_LEAK) Variable "argv_p" going out of scope leaks the storage it points to.
1436 return ret; 1437 } else { 1438 (void)str2prefix(argv[idx_ipv4_ipv6_prefixlen]->arg, argv_p); 1439 apply_mask(argv_p); 1440 } 1441 /bgpd/bgp_debug.c: 1449 in debug_bgp_update_prefix_afi_safi_magic() 1443 bgp_debug_update_prefixes = list_new(); 1444 1445 if (bgp_debug_list_has_entry(bgp_debug_update_prefixes, NULL, argv_p)) { 1446 vty_out(vty, 1447 "BGP updates debugging is already enabled for %s\n", 1448 argv[idx_ipv4_ipv6_prefixlen]->arg);
CID 1472226: (RESOURCE_LEAK) Variable "argv_p" going out of scope leaks the storage it points to.
1449 return CMD_SUCCESS; 1450 } 1451 1452 bgp_debug_list_add_entry(bgp_debug_update_prefixes, NULL, argv_p); 1453 1454 if (vty->node == CONFIG_NODE) { /bgpd/bgp_debug.c: 1462 in debug_bgp_update_prefix_afi_safi_magic() 1456 } else { 1457 TERM_DEBUG_ON(update, UPDATE_PREFIX); 1458 vty_out(vty, "BGP updates debugging is on for %s\n", 1459 argv[idx_ipv4_ipv6_prefixlen]->arg); 1460 } 1461
CID 1472226: (RESOURCE_LEAK) Variable "argv_p" going out of scope leaks the storage it points to.
1462 return CMD_SUCCESS; 1463 } 1464 1465 DEFPY (no_debug_bgp_update_prefix_afi_safi, 1466 no_debug_bgp_update_prefix_afi_safi_cmd, 1467 "no debug bgp updates prefix <l2vpn>$afi <evpn>$safi type <macip mac WORD [ip WORD]|multicast ip WORD |prefix ip WORD>",
** CID 1472225: Control flow issues (DEADCODE) /bgpd/bgp_evpn_vty.c: 2999 in no_bgp_evpn_advertise_vni_subnet() ________________________________________________________________________________________________________ *** CID 1472225: Control flow issues (DEADCODE) /bgpd/bgp_evpn_vty.c: 2999 in no_bgp_evpn_advertise_vni_subnet() 2993 VTY_DECLVAR_CONTEXT_SUB(bgpevpn, vpn); 2994 2995 if (!bgp) 2996 return CMD_WARNING; 2997 2998 if (!vpn)
CID 1472225: Control flow issues (DEADCODE) Execution cannot reach this statement: "return 1;".
2999 return CMD_WARNING; 3000 3001 evpn_unset_advertise_subnet(bgp, vpn); 3002 return CMD_SUCCESS; 3003 } 3004
** CID 1302499: Control flow issues (DEADCODE) /ospfd/ospf_lsa.c: 1889 in ospf_translated_nssa_refresh() ________________________________________________________________________________________________________ *** CID 1302499: Control flow issues (DEADCODE) /ospfd/ospf_lsa.c: 1889 in ospf_translated_nssa_refresh() 1883 } 1884 } 1885 1886 /* do we have type7? */ 1887 if (!type7) { 1888 if (IS_DEBUG_OSPF_NSSA)
CID 1302499: Control flow issues (DEADCODE) Execution cannot reach the expression ""(null)"" inside this statement: "zlog_debug("ospf_translated...".
1889 zlog_debug( 1890 "ospf_translated_nssa_refresh(): no Type-7 found for " 1891 "Type-5 LSA Id %s", 1892 type5 ? inet_ntoa(type5->data->id) : "(null)"); 1893 return NULL; 1894 }
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...