New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 58 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 58 defect(s) ** CID 1496712: Incorrect expression (IDENTICAL_BRANCHES) /ospfd/ospf_ext.c: 589 in ospf_ext_link_delete_adj_sid() ________________________________________________________________________________________________________ *** CID 1496712: Incorrect expression (IDENTICAL_BRANCHES) /ospfd/ospf_ext.c: 589 in ospf_ext_link_delete_adj_sid() 583 { 584 /* Process only (LAN)Adjacency-SID Type */ 585 if (exti->stype != ADJ_SID && exti->stype != LAN_ADJ_SID) 586 return; 587 588 /* Release Primary & Backup Labels from Label Manager */
CID 1496712: Incorrect expression (IDENTICAL_BRANCHES) The same code is executed regardless of whether "exti->stype == ADJ_SID" is true, because the 'then' and 'else' branches are identical. Should one of the branches be modified, or the entire 'if' statement replaced?
589 if (exti->stype == ADJ_SID) { 590 ospf_sr_local_block_release_label(exti->adj_sid[0].value); 591 ospf_sr_local_block_release_label(exti->adj_sid[1].value); 592 } else { 593 ospf_sr_local_block_release_label(exti->adj_sid[0].value); 594 ospf_sr_local_block_release_label(exti->adj_sid[1].value);
** CID 1496711: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1496711: Null pointer dereferences (FORWARD_NULL) /ospfd/ospf_sr.c: 2319 in no_sr_node_msd() 2313 OspfSR.msd = 0; 2314 if (OspfSR.self != NULL) 2315 OspfSR.self->msd = 0; 2316 2317 /* Set Router Information parameters if SR is UP */ 2318 if (OspfSR.status == SR_UP)
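CID 1496711: Null pointer dereferences (FORWARD_NULL) Passing null pointer "OspfSR.self" to "ospf_router_info_update_sr", which dereferences it. The test "OspfSR.self != NULL" on line 2314 shows the pointer can be NULL here, but the call on line 2319 is guarded only by "OspfSR.status == SR_UP".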
2319 ospf_router_info_update_sr(true, OspfSR.self); 2320 2321 return CMD_SUCCESS; 2322 } 2323 2324 DEFUN (sr_prefix_sid,
** CID 1496710: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1496710: Null pointer dereferences (FORWARD_NULL) /ospfd/ospf_sr.c: 2078 in update_srgb() 2072 OspfSR.srgb.reserved = true; 2073 2074 osr_debug("SR(%s): Got new SRGB [%u/%u]", __func__, OspfSR.srgb.start, 2075 OspfSR.srgb.start + OspfSR.srgb.size - 1); 2076 2077 /* SRGB is reserved, set Router Information parameters */
CID 1496710: Null pointer dereferences (FORWARD_NULL) Passing null pointer "OspfSR.self" to "ospf_router_info_update_sr", which dereferences it.
2078 ospf_router_info_update_sr(true, OspfSR.self); 2079 2080 /* and update NHLFE entries */ 2081 hash_iterate(OspfSR.neighbors, 2082 (void (*)(struct hash_bucket *, void *))update_in_nhlfe, 2083 NULL);
** CID 1496709: Control flow issues (DEADCODE) /bgpd/bgp_vty.c: 12806 in bgp_show_all_instances_neighbors_vty() ________________________________________________________________________________________________________ *** CID 1496709: Control flow issues (DEADCODE) /bgpd/bgp_vty.c: 12806 in bgp_show_all_instances_neighbors_vty() 12800 json = NULL; 12801 } 12802 12803 if (use_json) { 12804 vty_out(vty, "}\n"); 12805 if (json)
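CID 1496709: Control flow issues (DEADCODE) Execution cannot reach this statement: "json_object_free(json);". The excerpt shows "json = NULL;" on line 12800, which is presumably why the "if (json)" test on line 12805 can never be true.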
12806 json_object_free(json); 12807 } 12808 else if (!nbr_output) 12809 vty_out(vty, "%% BGP instance not found\n"); 12810 } 12811
** CID 1496708: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1496708: Null pointer dereferences (FORWARD_NULL) /ospfd/ospf_sr.c: 2254 in no_sr_local_label_range() 2248 2249 /* SRLB is reserved, Update Self SR-Node and Router Information LSA */ 2250 if (OspfSR.self != NULL) { 2251 OspfSR.self->srlb.lower_bound = DEFAULT_SRLB_LABEL; 2252 OspfSR.self->srlb.range_size = DEFAULT_SRLB_SIZE; 2253 }
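CID 1496708: Null pointer dereferences (FORWARD_NULL) Passing null pointer "OspfSR.self" to "ospf_router_info_update_sr", which dereferences it. The test "OspfSR.self != NULL" on line 2250 shows the pointer can be NULL here, but the call on line 2254 is made outside that test.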
2254 ospf_router_info_update_sr(true, OspfSR.self); 2255 2256 /* and update (LAN)-Adjacency SID */ 2257 ospf_ext_link_srlb_update(); 2258 2259 return CMD_SUCCESS;
** CID 1496707: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1496707: Null pointer dereferences (FORWARD_NULL) /ospfd/ospf_sr.c: 2295 in sr_node_msd() 2289 OspfSR.msd = msd; 2290 if (OspfSR.self != NULL) 2291 OspfSR.self->msd = msd; 2292 2293 /* Set Router Information parameters if SR is UP */ 2294 if (OspfSR.status == SR_UP)
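CID 1496707: Null pointer dereferences (FORWARD_NULL) Passing null pointer "OspfSR.self" to "ospf_router_info_update_sr", which dereferences it. The test "OspfSR.self != NULL" on line 2290 shows the pointer can be NULL here, but the call on line 2295 is guarded only by "OspfSR.status == SR_UP".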
2295 ospf_router_info_update_sr(true, OspfSR.self); 2296 2297 return CMD_SUCCESS; 2298 } 2299 2300 DEFUN (no_sr_node_msd,
** CID 1496706: Performance inefficiencies (PASS_BY_VALUE) /ospfd/ospf_ri.c: 576 in is_mandated_params_set() ________________________________________________________________________________________________________ *** CID 1496706: Performance inefficiencies (PASS_BY_VALUE) /ospfd/ospf_ri.c: 576 in is_mandated_params_set() 570 | PCE_CAP_ADDITIVE | PCE_CAP_MULTIPLE_REQ; 571 set_pce_cap_flag(cap, &ori->pce_info); 572 573 return; 574 } 575
CID 1496706: Performance inefficiencies (PASS_BY_VALUE) Passing parameter ori of type "struct ospf_router_info" (size 136 bytes) by value.
576 static int is_mandated_params_set(struct ospf_router_info ori) 577 { 578 int rc = 0; 579 580 if (ntohs(ori.router_cap.header.type) == 0) 581 return rc;
** CID 1496643: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1496643: Null pointer dereferences (FORWARD_NULL) /zebra/zebra_evpn_mh.c: 362 in zebra_evpn_es_evi_show_vni() 356 vty_out(vty, "%-8s %-30s %-4s\n", "VNI", "ESI", "Type"); 357 } 358 } else { 359 if (!uj) 360 vty_out(vty, "VNI %d doesn't exist\n", vni); 361 }
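CID 1496643: Null pointer dereferences (FORWARD_NULL) Passing null pointer "zevpn" to "zebra_evpn_es_evi_show_one_evpn", which dereferences it. The else branch on lines 358-361 at most prints "VNI %d doesn't exist" and does not return, so the call on line 362 is reached on that path as well.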
362 zebra_evpn_es_evi_show_one_evpn(zevpn, vty, json, detail); 363 } 364 365 /* Initialize the ES tables maintained per-L2_VNI */ 366 void zebra_evpn_evpn_es_init(zebra_evpn_t *zevpn) 367 {
** CID 1496642: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1496642: Null pointer dereferences (FORWARD_NULL) /bgpd/bgp_route.c: 3073 in bgp_filtered_routes_count() 3067 3068 for (dest = bgp_table_top(table); dest; dest = bgp_route_next(dest)) { 3069 for (ain = dest->adj_in; ain; ain = ain->next) { 3070 const struct prefix *rn_p = bgp_dest_get_prefix(dest); 3071 struct attr attr = {}; 3072
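CID 1496642: Null pointer dereferences (FORWARD_NULL) Passing "&attr" to "bgp_input_filter", which dereferences null "attr.aspath". "attr" is declared as "struct attr attr = {};" on line 3071, so "attr.aspath" is still NULL when "&attr" is passed on line 3073.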
3073 if (bgp_input_filter(peer, rn_p, &attr, afi, safi) 3074 == FILTER_DENY) 3075 filtered = true; 3076 3077 if (bgp_input_modifier( 3078 peer, rn_p, &attr, afi, safi,
** CID 1496617: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1496617: Memory - illegal accesses (USE_AFTER_FREE) /zebra/zebra_evpn_mh.c: 1690 in zebra_evpn_es_cleanup() 1684 struct zebra_evpn_es *es; 1685 struct zebra_evpn_es *es_next; 1686 1687 RB_FOREACH_SAFE(es, zebra_es_rb_head, 1688 &zmh_info->es_rb_tree, es_next) { 1689 zebra_evpn_local_es_del(es);
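CID 1496617: Memory - illegal accesses (USE_AFTER_FREE) Calling "zebra_evpn_remote_es_flush" dereferences freed pointer "es". The call "zebra_evpn_local_es_del(es)" on line 1689 comes immediately before; presumably that is where "es" can be freed, which the excerpt does not show.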
1690 zebra_evpn_remote_es_flush(es); 1691 } 1692 } 1693 1694 /* Only certain types of access ports can be setup as an Ethernet Segment */ 1695 bool zebra_evpn_is_if_es_capable(struct zebra_if *zif)
** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 486 in seqnumber_mismatch() 480 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT); 481 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT); 482 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT); 483 484 ospf6_lsdb_remove_all(on->summary_list); 485 ospf6_lsdb_remove_all(on->request_list);
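CID 1486267: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa". In the loop, "ospf6_lsdb_remove(lsa, on->retrans_list)" on line 488 runs before the iterator advances from "lsa"; whether "lsa" is actually freed at that point depends on the reference counting behind ALL_LSDB and "ospf6_lsdb_next", which the excerpt does not show.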
486 for (ALL_LSDB(on->retrans_list, lsa)) { 487 ospf6_decrement_retrans_count(lsa); 488 ospf6_lsdb_remove(lsa, on->retrans_list); 489 } 490 491 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486266: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486266: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2306 in ospf6_lsack_send_neighbor() 2300 2301 memset(sendbuf, 0, iobuflen); 2302 oh = (struct ospf6_header *)sendbuf; 2303 2304 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header)); 2305
CID 1486266: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2306 for (ALL_LSDB(on->lsack_list, lsa)) { 2307 /* MTU check */ 2308 if (p - sendbuf + sizeof(struct ospf6_lsa_header) 2309 > ospf6_packet_max(on->ospf6_if)) { 2310 /* if we run out of packet size/space here, 2311 better to try again soon. */
** CID 1486265: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486265: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2223 in ospf6_lsupdate_send_interface() 2217 lsupdate = (struct ospf6_lsupdate *)((caddr_t)oh 2218 + sizeof(struct ospf6_header)); 2219 2220 p = (uint8_t *)((caddr_t)lsupdate + sizeof(struct ospf6_lsupdate)); 2221 lsa_cnt = 0; 2222
CID 1486265: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2223 for (ALL_LSDB(oi->lsupdate_list, lsa)) { 2224 /* MTU check */ 2225 if ((p - sendbuf + ((unsigned int)OSPF6_LSA_SIZE(lsa->header))) 2226 > ospf6_packet_max(oi)) { 2227 if (lsa_cnt) { 2228 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
** CID 1486264: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486264: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_lsdb.c: 306 in ospf6_lsdb_remove_all() 300 { 301 struct ospf6_lsa *lsa; 302 303 if (lsdb == NULL) 304 return; 305
CID 1486264: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
306 for (ALL_LSDB(lsdb, lsa)) 307 ospf6_lsdb_remove(lsa, lsdb); 308 } 309 310 void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa) 311 {
** CID 1486263: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486263: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 125 in ospf6_neighbor_delete() 119 void ospf6_neighbor_delete(struct ospf6_neighbor *on) 120 { 121 struct ospf6_lsa *lsa; 122 123 ospf6_lsdb_remove_all(on->summary_list); 124 ospf6_lsdb_remove_all(on->request_list);
CID 1486263: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
125 for (ALL_LSDB(on->retrans_list, lsa)) { 126 ospf6_decrement_retrans_count(lsa); 127 ospf6_lsdb_remove(lsa, on->retrans_list); 128 } 129 130 ospf6_lsdb_remove_all(on->dbdesc_list);
** CID 1486262: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486262: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 1872 in ospf6_dbdesc_send_newone() 1866 ospf6_lsdb_remove_all(on->dbdesc_list); 1867 1868 /* move LSAs from summary_list to dbdesc_list (within neighbor 1869 structure) 1870 so that ospf6_send_dbdesc () can send those LSAs */ 1871 size = sizeof(struct ospf6_lsa_header) + sizeof(struct ospf6_dbdesc);
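CID 1486262: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa". The "ospf6_lsdb_lsa_unlock(lsa)" before "break" on line 1875 suggests the iterator holds a reference on the current "lsa"; the report should be checked against the ALL_LSDB definition before treating it as a real use-after-free.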
1872 for (ALL_LSDB(on->summary_list, lsa)) { 1873 if (size + sizeof(struct ospf6_lsa_header) 1874 > ospf6_packet_max(on->ospf6_if)) { 1875 ospf6_lsdb_lsa_unlock(lsa); 1876 break; 1877 }
** CID 1486261: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486261: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 523 in bad_lsreq() 517 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT); 518 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT); 519 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT); 520 521 ospf6_lsdb_remove_all(on->summary_list); 522 ospf6_lsdb_remove_all(on->request_list);
CID 1486261: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
523 for (ALL_LSDB(on->retrans_list, lsa)) { 524 ospf6_decrement_retrans_count(lsa); 525 ospf6_lsdb_remove(lsa, on->retrans_list); 526 } 527 528 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486260: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486260: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 310 in negotiation_done() 304 if (IS_OSPF6_DEBUG_NEIGHBOR(EVENT)) 305 zlog_debug("Neighbor Event %s: *NegotiationDone*", on->name); 306 307 /* clear ls-list */ 308 ospf6_lsdb_remove_all(on->summary_list); 309 ospf6_lsdb_remove_all(on->request_list);
CID 1486260: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
310 for (ALL_LSDB(on->retrans_list, lsa)) { 311 ospf6_decrement_retrans_count(lsa); 312 ospf6_lsdb_remove(lsa, on->retrans_list); 313 } 314 315 /* Interface scoped LSAs */
** CID 1486259: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486259: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_lsdb.c: 324 in ospf6_lsdb_maxage_remover() 318 319 int ospf6_lsdb_maxage_remover(struct ospf6_lsdb *lsdb) 320 { 321 int reschedule = 0; 322 struct ospf6_lsa *lsa; 323
CID 1486259: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
324 for (ALL_LSDB(lsdb, lsa)) { 325 if (!OSPF6_LSA_IS_MAXAGE(lsa)) 326 continue; 327 if (lsa->retrans_count != 0) { 328 reschedule = 1; 329 continue;
** CID 1486258: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486258: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2385 in ospf6_lsack_send_interface() 2379 2380 memset(sendbuf, 0, iobuflen); 2381 oh = (struct ospf6_header *)sendbuf; 2382 2383 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header)); 2384
CID 1486258: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2385 for (ALL_LSDB(oi->lsack_list, lsa)) { 2386 /* MTU check */ 2387 if (p - sendbuf + sizeof(struct ospf6_lsa_header) 2388 > ospf6_packet_max(oi)) { 2389 /* if we run out of packet size/space here, 2390 better to try again soon. */
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...