New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 13 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 10 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 13 of 13 defect(s) ** CID 1505419: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2366 in ospf6_make_lsupdate_list() /ospf6d/ospf6_message.c: 2366 in ospf6_make_lsupdate_list() ________________________________________________________________________________________________________ *** CID 1505419: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2365 in ospf6_make_lsupdate_list() 2359 uint16_t length = OSPF6_LS_UPD_MIN_SIZE; 2360 struct ospf6_lsa *lsa, *lsanext; 2361 2362 /* skip over fixed header */ 2363 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2364
CID 1505419: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2365 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) { 2366 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2367 + OSPF6_HEADER_SIZE) 2368 > ospf6_packet_max(on->ospf6_if)) { 2369 ospf6_fill_header(on->ospf6_if, (*op)->s, 2370 length + OSPF6_HEADER_SIZE); /ospf6d/ospf6_message.c: 2366 in ospf6_make_lsupdate_list() 2360 struct ospf6_lsa *lsa, *lsanext; 2361 2362 /* skip over fixed header */ 2363 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2364 2365 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
CID 1505419: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2366 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2367 + OSPF6_HEADER_SIZE) 2368 > ospf6_packet_max(on->ospf6_if)) { 2369 ospf6_fill_header(on->ospf6_if, (*op)->s, 2370 length + OSPF6_HEADER_SIZE); 2371 (*op)->length = length + OSPF6_HEADER_SIZE; /ospf6d/ospf6_message.c: 2365 in ospf6_make_lsupdate_list() 2359 uint16_t length = OSPF6_LS_UPD_MIN_SIZE; 2360 struct ospf6_lsa *lsa, *lsanext; 2361 2362 /* skip over fixed header */ 2363 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2364
CID 1505419: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2365 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) { 2366 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2367 + OSPF6_HEADER_SIZE) 2368 > ospf6_packet_max(on->ospf6_if)) { 2369 ospf6_fill_header(on->ospf6_if, (*op)->s, 2370 length + OSPF6_HEADER_SIZE); /ospf6d/ospf6_message.c: 2366 in ospf6_make_lsupdate_list() 2360 struct ospf6_lsa *lsa, *lsanext; 2361 2362 /* skip over fixed header */ 2363 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2364 2365 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
CID 1505419: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2366 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2367 + OSPF6_HEADER_SIZE) 2368 > ospf6_packet_max(on->ospf6_if)) { 2369 ospf6_fill_header(on->ospf6_if, (*op)->s, 2370 length + OSPF6_HEADER_SIZE); 2371 (*op)->length = length + OSPF6_HEADER_SIZE;
** CID 1505418: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2207 in ospf6_make_lsreq() /ospf6d/ospf6_message.c: 2207 in ospf6_make_lsreq() ________________________________________________________________________________________________________ *** CID 1505418: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2207 in ospf6_make_lsreq() 2201 ospf6_lsa_unlock(lsa); 2202 if (lsanext) 2203 ospf6_lsa_unlock(lsanext); 2204 break; 2205 } 2206 stream_putw(s, 0); /* reserved */
CID 1505418: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2207 stream_putw(s, ntohs(lsa->header->type)); 2208 stream_putl(s, ntohl(lsa->header->id)); 2209 stream_putl(s, ntohl(lsa->header->adv_router)); 2210 length += sizeof(struct ospf6_lsreq_entry); 2211 last_req = lsa; 2212 } /ospf6d/ospf6_message.c: 2201 in ospf6_make_lsreq() 2195 uint16_t length = 0; 2196 struct ospf6_lsa *lsa, *lsanext, *last_req = NULL; 2197 2198 for (ALL_LSDB(on->request_list, lsa, lsanext)) { 2199 if ((length + OSPF6_HEADER_SIZE) 2200 > ospf6_packet_max(on->ospf6_if)) {
CID 1505418: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2201 ospf6_lsa_unlock(lsa); 2202 if (lsanext) 2203 ospf6_lsa_unlock(lsanext); 2204 break; 2205 } 2206 stream_putw(s, 0); /* reserved */ /ospf6d/ospf6_message.c: 2201 in ospf6_make_lsreq() 2195 uint16_t length = 0; 2196 struct ospf6_lsa *lsa, *lsanext, *last_req = NULL; 2197 2198 for (ALL_LSDB(on->request_list, lsa, lsanext)) { 2199 if ((length + OSPF6_HEADER_SIZE) 2200 > ospf6_packet_max(on->ospf6_if)) {
CID 1505418: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2201 ospf6_lsa_unlock(lsa); 2202 if (lsanext) 2203 ospf6_lsa_unlock(lsanext); 2204 break; 2205 } 2206 stream_putw(s, 0); /* reserved */ /ospf6d/ospf6_message.c: 2207 in ospf6_make_lsreq() 2201 ospf6_lsa_unlock(lsa); 2202 if (lsanext) 2203 ospf6_lsa_unlock(lsanext); 2204 break; 2205 } 2206 stream_putw(s, 0); /* reserved */
CID 1505418: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2207 stream_putw(s, ntohs(lsa->header->type)); 2208 stream_putl(s, ntohl(lsa->header->id)); 2209 stream_putl(s, ntohl(lsa->header->adv_router)); 2210 length += sizeof(struct ospf6_lsreq_entry); 2211 last_req = lsa; 2212 }
** CID 1505417: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2404 in ospf6_make_ls_retrans_list() /ospf6d/ospf6_message.c: 2404 in ospf6_make_ls_retrans_list() ________________________________________________________________________________________________________ *** CID 1505417: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2404 in ospf6_make_ls_retrans_list() 2398 struct ospf6_lsa *lsa, *lsanext; 2399 2400 /* skip over fixed header */ 2401 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2402 2403 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
CID 1505417: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2404 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2405 + OSPF6_HEADER_SIZE) 2406 > ospf6_packet_max(on->ospf6_if)) { 2407 ospf6_fill_header(on->ospf6_if, (*op)->s, 2408 length + OSPF6_HEADER_SIZE); 2409 (*op)->length = length + OSPF6_HEADER_SIZE; /ospf6d/ospf6_message.c: 2404 in ospf6_make_ls_retrans_list() 2398 struct ospf6_lsa *lsa, *lsanext; 2399 2400 /* skip over fixed header */ 2401 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2402 2403 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
CID 1505417: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2404 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2405 + OSPF6_HEADER_SIZE) 2406 > ospf6_packet_max(on->ospf6_if)) { 2407 ospf6_fill_header(on->ospf6_if, (*op)->s, 2408 length + OSPF6_HEADER_SIZE); 2409 (*op)->length = length + OSPF6_HEADER_SIZE;
** CID 1505416: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /ospf6d/ospf6_message.c: 1949 in ospf6_write() ________________________________________________________________________________________________________ *** CID 1505416: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /ospf6d/ospf6_message.c: 1949 in ospf6_write() 1943 monotime(&timestamp); 1944 if (oi->hello_out) 1945 latency = monotime_since(&oi->last_hello, NULL) 1946 - (oi->hello_interval * 1000000); 1947 1948 /* log if latency exceeds the hello period */
CID 1505416: Integer handling issues (OVERFLOW_BEFORE_WIDEN) Potentially overflowing expression "oi->hello_interval * 1000000" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "_int64_t" (64 bits, signed).
1949 if (latency > (oi->hello_interval * 1000000)) 1950 zlog_warn("%s hello TX high latency %" PRId64 1951 "us.", 1952 __func__, latency); 1953 oi->last_hello = timestamp; 1954 oi->hello_out++;
** CID 1505415: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1505415: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2218 in ospf6_make_lsreq() 2212 } 2213 2214 if (last_req != NULL) { 2215 if (on->last_ls_req != NULL) 2216 on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req); 2217
CID 1505415: (USE_AFTER_FREE) Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
2218 ospf6_lsa_lock(last_req); 2219 on->last_ls_req = last_req; 2220 } 2221 2222 return length; 2223 } /ospf6d/ospf6_message.c: 2218 in ospf6_make_lsreq() 2212 } 2213 2214 if (last_req != NULL) { 2215 if (on->last_ls_req != NULL) 2216 on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req); 2217
CID 1505415: (USE_AFTER_FREE) Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
2218 ospf6_lsa_lock(last_req); 2219 on->last_ls_req = last_req; 2220 } 2221 2222 return length; 2223 }
** CID 1505414: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1505414: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2081 in ospf6_make_dbdesc() 2075 stream_putc(s, on->dbdesc_bits); 2076 stream_putl(s, on->dbdesc_seqnum); 2077 2078 /* if this is not initial one, set LSA headers in dbdesc */ 2079 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) { 2080 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
CID 1505414: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2081 ospf6_lsa_age_update_to_send(lsa, 2082 on->ospf6_if->transdelay); 2083 2084 /* MTU check */ 2085 if ((length + sizeof(struct ospf6_lsa_header) 2086 + OSPF6_HEADER_SIZE) /ospf6d/ospf6_message.c: 2081 in ospf6_make_dbdesc() 2075 stream_putc(s, on->dbdesc_bits); 2076 stream_putl(s, on->dbdesc_seqnum); 2077 2078 /* if this is not initial one, set LSA headers in dbdesc */ 2079 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) { 2080 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
CID 1505414: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2081 ospf6_lsa_age_update_to_send(lsa, 2082 on->ospf6_if->transdelay); 2083 2084 /* MTU check */ 2085 if ((length + sizeof(struct ospf6_lsa_header) 2086 + OSPF6_HEADER_SIZE)
** CID 1505413: Null pointer dereferences (REVERSE_INULL) /bgpd/bgp_evpn_vty.c: 67 in argv_find_and_parse_oly_idx() ________________________________________________________________________________________________________ *** CID 1505413: Null pointer dereferences (REVERSE_INULL) /bgpd/bgp_evpn_vty.c: 67 in argv_find_and_parse_oly_idx() 61 62 int argv_find_and_parse_oly_idx(struct cmd_token **argv, int argc, int *oly_idx, 63 enum overlay_index_type *oly) 64 { 65 *oly = OVERLAY_INDEX_TYPE_NONE; 66 if (argv_find(argv, argc, "gateway-ip", oly_idx)) {
CID 1505413: Null pointer dereferences (REVERSE_INULL) Null-checking "oly" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
67 if (oly) 68 *oly = OVERLAY_INDEX_GATEWAY_IP; 69 } 70 return 1; 71 } 72
** CID 1505412: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1505412: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2672 in ospf6_make_lsack_interface() 2666 static uint16_t ospf6_make_lsack_interface(struct ospf6_interface *oi, 2667 struct ospf6_packet *op) 2668 { 2669 uint16_t length = 0; 2670 struct ospf6_lsa *lsa, *lsanext; 2671
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2672 for (ALL_LSDB(oi->lsack_list, lsa, lsanext)) { 2673 if ((length + sizeof(struct ospf6_lsa_header) 2674 + OSPF6_HEADER_SIZE) 2675 > ospf6_packet_max(oi)) { 2676 /* if we run out of packet size/space here, 2677 better to try again soon. */ /ospf6d/ospf6_message.c: 2687 in ospf6_make_lsack_interface() 2681 2682 ospf6_lsa_unlock(lsa); 2683 if (lsanext) 2684 ospf6_lsa_unlock(lsanext); 2685 break; 2686 }
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2687 ospf6_lsa_age_update_to_send(lsa, oi->transdelay); 2688 stream_put(op->s, lsa->header, sizeof(struct ospf6_lsa_header)); 2689 length += sizeof(struct ospf6_lsa_header); 2690 2691 assert(lsa->lock == 2); 2692 ospf6_lsdb_remove(lsa, oi->lsack_list); /ospf6d/ospf6_message.c: 2687 in ospf6_make_lsack_interface() 2681 2682 ospf6_lsa_unlock(lsa); 2683 if (lsanext) 2684 ospf6_lsa_unlock(lsanext); 2685 break; 2686 }
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2687 ospf6_lsa_age_update_to_send(lsa, oi->transdelay); 2688 stream_put(op->s, lsa->header, sizeof(struct ospf6_lsa_header)); 2689 length += sizeof(struct ospf6_lsa_header); 2690 2691 assert(lsa->lock == 2); 2692 ospf6_lsdb_remove(lsa, oi->lsack_list); /ospf6d/ospf6_message.c: 2682 in ospf6_make_lsack_interface() 2676 /* if we run out of packet size/space here, 2677 better to try again soon. */ 2678 THREAD_OFF(oi->thread_send_lsack); 2679 thread_add_event(master, ospf6_lsack_send_interface, oi, 2680 0, &oi->thread_send_lsack); 2681
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2682 ospf6_lsa_unlock(lsa); 2683 if (lsanext) 2684 ospf6_lsa_unlock(lsanext); 2685 break; 2686 } 2687 ospf6_lsa_age_update_to_send(lsa, oi->transdelay); /ospf6d/ospf6_message.c: 2672 in ospf6_make_lsack_interface() 2666 static uint16_t ospf6_make_lsack_interface(struct ospf6_interface *oi, 2667 struct ospf6_packet *op) 2668 { 2669 uint16_t length = 0; 2670 struct ospf6_lsa *lsa, *lsanext; 2671
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2672 for (ALL_LSDB(oi->lsack_list, lsa, lsanext)) { 2673 if ((length + sizeof(struct ospf6_lsa_header) 2674 + OSPF6_HEADER_SIZE) 2675 > ospf6_packet_max(oi)) { 2676 /* if we run out of packet size/space here, 2677 better to try again soon. */
** CID 1505411: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /ospf6d/ospf6_message.c: 449 in ospf6_hello_recv() ________________________________________________________________________________________________________ *** CID 1505411: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /ospf6d/ospf6_message.c: 449 in ospf6_hello_recv() 443 444 /* check latency against hello period */ 445 if (on->hello_in) 446 latency = monotime_since(&on->last_hello, NULL) 447 - (oi->hello_interval * 1000000); 448 /* log if latency exceeds the hello period */
CID 1505411: Integer handling issues (OVERFLOW_BEFORE_WIDEN) Potentially overflowing expression "oi->hello_interval * 1000000" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "_int64_t" (64 bits, signed).
449 if (latency > (oi->hello_interval * 1000000)) 450 zlog_warn("%s RX %pI4 high latency %" PRId64 "us.", __func__, 451 &on->router_id, latency); 452 on->last_hello = timestamp; 453 on->hello_in++; 454
** CID 1505410: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2545 in ospf6_make_lsupdate_interface() /ospf6d/ospf6_message.c: 2545 in ospf6_make_lsupdate_interface() ________________________________________________________________________________________________________ *** CID 1505410: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2544 in ospf6_make_lsupdate_interface() 2538 uint16_t length = OSPF6_LS_UPD_MIN_SIZE; 2539 struct ospf6_lsa *lsa, *lsanext; 2540 2541 /* skip over fixed header */ 2542 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2543
CID 1505410: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2544 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) { 2545 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2546 + OSPF6_HEADER_SIZE 2547 > ospf6_packet_max(oi)) { 2548 ospf6_fill_header(oi, (*op)->s, 2549 length + OSPF6_HEADER_SIZE); /ospf6d/ospf6_message.c: 2544 in ospf6_make_lsupdate_interface() 2538 uint16_t length = OSPF6_LS_UPD_MIN_SIZE; 2539 struct ospf6_lsa *lsa, *lsanext; 2540 2541 /* skip over fixed header */ 2542 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2543
CID 1505410: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2544 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) { 2545 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2546 + OSPF6_HEADER_SIZE 2547 > ospf6_packet_max(oi)) { 2548 ospf6_fill_header(oi, (*op)->s, 2549 length + OSPF6_HEADER_SIZE); /ospf6d/ospf6_message.c: 2545 in ospf6_make_lsupdate_interface() 2539 struct ospf6_lsa *lsa, *lsanext; 2540 2541 /* skip over fixed header */ 2542 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2543 2544 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
CID 1505410: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2545 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2546 + OSPF6_HEADER_SIZE 2547 > ospf6_packet_max(oi)) { 2548 ospf6_fill_header(oi, (*op)->s, 2549 length + OSPF6_HEADER_SIZE); 2550 (*op)->length = length + OSPF6_HEADER_SIZE; /ospf6d/ospf6_message.c: 2545 in ospf6_make_lsupdate_interface() 2539 struct ospf6_lsa *lsa, *lsanext; 2540 2541 /* skip over fixed header */ 2542 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2543 2544 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
CID 1505410: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2545 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2546 + OSPF6_HEADER_SIZE 2547 > ospf6_packet_max(oi)) { 2548 ospf6_fill_header(oi, (*op)->s, 2549 length + OSPF6_HEADER_SIZE); 2550 (*op)->length = length + OSPF6_HEADER_SIZE;
** CID 1505409: (SIGN_EXTENSION) /ospf6d/ospf6_message.c: 1946 in ospf6_write() /ospf6d/ospf6_message.c: 1949 in ospf6_write() ________________________________________________________________________________________________________ *** CID 1505409: (SIGN_EXTENSION) /ospf6d/ospf6_message.c: 1946 in ospf6_write() 1940 } 1941 switch (oh->type) { 1942 case OSPF6_MESSAGE_TYPE_HELLO: 1943 monotime(&timestamp); 1944 if (oi->hello_out) 1945 latency = monotime_since(&oi->last_hello, NULL)
CID 1505409: (SIGN_EXTENSION) Suspicious implicit sign extension: "oi->hello_interval" with type "uint16_t" (16 bits, unsigned) is promoted in "oi->hello_interval * 1000000" to type "int" (32 bits, signed), then sign-extended to type "long long" (64 bits, signed). If "oi->hello_interval * 1000000" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1946 - (oi->hello_interval * 1000000); 1947 1948 /* log if latency exceeds the hello period */ 1949 if (latency > (oi->hello_interval * 1000000)) 1950 zlog_warn("%s hello TX high latency %" PRId64 1951 "us.", /ospf6d/ospf6_message.c: 1949 in ospf6_write() 1943 monotime(&timestamp); 1944 if (oi->hello_out) 1945 latency = monotime_since(&oi->last_hello, NULL) 1946 - (oi->hello_interval * 1000000); 1947 1948 /* log if latency exceeds the hello period */
CID 1505409: (SIGN_EXTENSION) Suspicious implicit sign extension: "oi->hello_interval" with type "uint16_t" (16 bits, unsigned) is promoted in "oi->hello_interval * 1000000" to type "int" (32 bits, signed), then sign-extended to type "long long" (64 bits, signed). If "oi->hello_interval * 1000000" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1949 if (latency > (oi->hello_interval * 1000000)) 1950 zlog_warn("%s hello TX high latency %" PRId64 1951 "us.", 1952 __func__, latency); 1953 oi->last_hello = timestamp; 1954 oi->hello_out++;
** CID 1505408: (SIGN_EXTENSION) /ospf6d/ospf6_message.c: 447 in ospf6_hello_recv() /ospf6d/ospf6_message.c: 449 in ospf6_hello_recv() ________________________________________________________________________________________________________ *** CID 1505408: (SIGN_EXTENSION) /ospf6d/ospf6_message.c: 447 in ospf6_hello_recv() 441 on->priority = hello->priority; 442 } 443 444 /* check latency against hello period */ 445 if (on->hello_in) 446 latency = monotime_since(&on->last_hello, NULL)
CID 1505408: (SIGN_EXTENSION) Suspicious implicit sign extension: "oi->hello_interval" with type "uint16_t" (16 bits, unsigned) is promoted in "oi->hello_interval * 1000000" to type "int" (32 bits, signed), then sign-extended to type "long long" (64 bits, signed). If "oi->hello_interval * 1000000" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
447 - (oi->hello_interval * 1000000); 448 /* log if latency exceeds the hello period */ 449 if (latency > (oi->hello_interval * 1000000)) 450 zlog_warn("%s RX %pI4 high latency %" PRId64 "us.", __func__, 451 &on->router_id, latency); 452 on->last_hello = timestamp; /ospf6d/ospf6_message.c: 449 in ospf6_hello_recv() 443 444 /* check latency against hello period */ 445 if (on->hello_in) 446 latency = monotime_since(&on->last_hello, NULL) 447 - (oi->hello_interval * 1000000); 448 /* log if latency exceeds the hello period */
CID 1505408: (SIGN_EXTENSION) Suspicious implicit sign extension: "oi->hello_interval" with type "uint16_t" (16 bits, unsigned) is promoted in "oi->hello_interval * 1000000" to type "int" (32 bits, signed), then sign-extended to type "long long" (64 bits, signed). If "oi->hello_interval * 1000000" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
449 if (latency > (oi->hello_interval * 1000000)) 450 zlog_warn("%s RX %pI4 high latency %" PRId64 "us.", __func__, 451 &on->router_id, latency); 452 on->last_hello = timestamp; 453 on->hello_in++; 454
** CID 1505407: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1505407: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2232 in ospf6_make_lsack_neighbor() 2226 struct ospf6_packet **op) 2227 { 2228 uint16_t length = 0; 2229 struct ospf6_lsa *lsa, *lsanext; 2230 int lsa_cnt = 0; 2231
CID 1505407: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2232 for (ALL_LSDB(on->lsack_list, lsa, lsanext)) { 2233 if ((length + sizeof(struct ospf6_lsa_header) 2234 + OSPF6_HEADER_SIZE) 2235 > ospf6_packet_max(on->ospf6_if)) { 2236 /* if we run out of packet size/space here, 2237 better to try again soon. */ /ospf6d/ospf6_message.c: 2232 in ospf6_make_lsack_neighbor() 2226 struct ospf6_packet **op) 2227 { 2228 uint16_t length = 0; 2229 struct ospf6_lsa *lsa, *lsanext; 2230 int lsa_cnt = 0; 2231
CID 1505407: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2232 for (ALL_LSDB(on->lsack_list, lsa, lsanext)) { 2233 if ((length + sizeof(struct ospf6_lsa_header) 2234 + OSPF6_HEADER_SIZE) 2235 > ospf6_packet_max(on->ospf6_if)) { 2236 /* if we run out of packet size/space here, 2237 better to try again soon. */ /ospf6d/ospf6_message.c: 2254 in ospf6_make_lsack_neighbor() 2248 ospf6_make_header(OSPF6_MESSAGE_TYPE_LSACK, 2249 on->ospf6_if, (*op)->s); 2250 length = 0; 2251 lsa_cnt = 0; 2252 } 2253 }
CID 1505407: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2254 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay); 2255 stream_put((*op)->s, lsa->header, 2256 sizeof(struct ospf6_lsa_header)); 2257 length += sizeof(struct ospf6_lsa_header); 2258 2259 assert(lsa->lock == 2); /ospf6d/ospf6_message.c: 2254 in ospf6_make_lsack_neighbor() 2248 ospf6_make_header(OSPF6_MESSAGE_TYPE_LSACK, 2249 on->ospf6_if, (*op)->s); 2250 length = 0; 2251 lsa_cnt = 0; 2252 } 2253 }
CID 1505407: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2254 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay); 2255 stream_put((*op)->s, lsa->header, 2256 sizeof(struct ospf6_lsa_header)); 2257 length += sizeof(struct ospf6_lsa_header); 2258 2259 assert(lsa->lock == 2);
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...