New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 7 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 7 of 7 defect(s) ** CID 1617729: API usage errors (PRINTF_ARGS) ________________________________________________________________________________________________________ *** CID 1617729: API usage errors (PRINTF_ARGS) /lib/mgmt_be_client.c: 624 in mgmt_be_txn_cfg_prepare() 618 } 619 } 620 621 mgmt_be_send_cfgdata_create_reply(client_ctx, txn->txn_id, 622 error ? false : true, error ? err_buf : NULL); 623
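CID 1617729: API usage errors (PRINTF_ARGS) Length modifier "L" not applicable to conversion specifier in "%Lu". In ISO C the "L" length modifier is defined only for floating-point conversions (long double); combined with an integer conversion such as "u" the behaviour is undefined. If the arguments are 64-bit unsigned values, the portable spellings are "%llu" with an unsigned long long argument or the PRIu64 macro from <inttypes.h>. If debug_be_client() is backed by a project-specific formatter that defines "L" for integer conversions, this may be a false positive; confirm against that formatter's documentation and the declared type of each argument. The same finding recurs in CID 1617726 and CID 1617723 below.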
624 debug_be_client("Avg-nb-edit-duration %Lu uSec, nb-prep-duration %lu (avg: %Lu) uSec, batch size %u", 625 client_ctx->avg_edit_nb_cfg_tm, prep_nb_cfg_tm, 626 client_ctx->avg_prep_nb_cfg_tm, (uint32_t)num_processed); 627 628 if (error) 629 mgmt_be_txn_cfg_abort(txn);
** CID 1617728: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1617728: Insecure data handling (TAINTED_SCALAR) /zebra/dplane_fpm_nl.c: 726 in fpm_read() 720 * enqueue it to zebra for processing. 721 */ 722 ctx = dplane_ctx_alloc(); 723 dplane_ctx_route_init(ctx, DPLANE_OP_ROUTE_NOTIFY, NULL, 724 NULL); 725
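CID 1617728: Insecure data handling (TAINTED_SCALAR) Passing tainted expression "hdr->rta_len" to "netlink_route_notify_read_ctx", which uses it as a loop boundary. "Tainted" here means Coverity traced the value to data read inside fpm_read() rather than to a value computed locally. A length field that drives a loop should be checked against the number of bytes actually received before the message is parsed; otherwise a short or malformed message could make the parser read past the end of the buffer.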
726 if (netlink_route_notify_read_ctx(hdr, 0, ctx) >= 0) { 727 /* In the FPM encoding, the vrfid is present */ 728 ival = dplane_ctx_get_table(ctx); 729 dplane_ctx_set_vrf(ctx, ival); 730 dplane_ctx_set_table(ctx, 731 ZEBRA_ROUTE_TABLE_UNKNOWN);
** CID 1617727: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1617727: Null pointer dereferences (FORWARD_NULL) /bgpd/bgp_vty.c: 6016 in no_neighbor_capability_enhe() 6010 argv[idx_peer]->arg); 6011 return CMD_WARNING_CONFIG_FAILED; 6012 } 6013 6014 ret = peer_flag_unset_vty(vty, argv[idx_peer]->arg, PEER_FLAG_CAPABILITY_ENHE); 6015
CID 1617727: Null pointer dereferences (FORWARD_NULL) Passing null pointer "peer" to "bgp_capability_send", which dereferences it.
6016 bgp_capability_send(peer, AFI_IP, SAFI_UNICAST, CAPABILITY_CODE_ENHE, 6017 CAPABILITY_ACTION_UNSET); 6018 6019 return ret; 6020 } 6021
** CID 1617726: API usage errors (PRINTF_ARGS) ________________________________________________________________________________________________________ *** CID 1617726: API usage errors (PRINTF_ARGS) /lib/mgmt_be_client.c: 791 in mgmt_be_txn_proc_cfgapply() 785 mgmt_be_batches_del(&txn->apply_cfgs, batch); 786 mgmt_be_batches_add_tail(&txn->cfg_batches, batch); 787 } 788 789 mgmt_be_send_apply_reply(client_ctx, txn->txn_id, true, NULL); 790
CID 1617726: API usage errors (PRINTF_ARGS) Length modifier "L" not applicable to conversion specifier in "%Lu".
791 debug_be_client("Nb-apply-duration %lu (avg: %Lu) uSec", apply_nb_cfg_tm, 792 client_ctx->avg_apply_nb_cfg_tm); 793 794 return 0; 795 } 796
** CID 1617725: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1617725: Memory - illegal accesses (USE_AFTER_FREE) /lib/northbound_notif.c: 670 in nb_notif_terminate() 664 665 EVENT_OFF(nb_notif_timer); 666 667 if (nb_notif_walk) { 668 nb_oper_cancel_walk(nb_notif_walk); 669 /* need to free the group that's in the walk */
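CID 1617725: Memory - illegal accesses (USE_AFTER_FREE) Calling "nb_oper_walk_finish_arg" dereferences freed pointer "nb_notif_walk". The finding implies that nb_oper_cancel_walk() on line 668 releases the walk object, so line 670 reads from memory that has already been freed. If that is confirmed against the implementation of nb_oper_cancel_walk(), the walk's argument needs to be fetched before the cancel call rather than after it.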
670 args = nb_oper_walk_finish_arg(nb_notif_walk); 671 if (args) 672 op_changes_group_free(args->group); 673 nb_notif_walk = NULL; 674 } 675
** CID 1617724: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1617724: Null pointer dereferences (FORWARD_NULL) /bgpd/bgp_vty.c: 5988 in neighbor_capability_enhe() 5982 peer = peer_and_group_lookup_vty(vty, argv[idx_peer]->arg); 5983 if (peer && peer->conf_if) 5984 return CMD_SUCCESS; 5985 5986 ret = peer_flag_set_vty(vty, argv[idx_peer]->arg, PEER_FLAG_CAPABILITY_ENHE); 5987
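CID 1617724: Null pointer dereferences (FORWARD_NULL) Passing null pointer "peer" to "bgp_capability_send", which dereferences it. Line 5983 tests "peer &&" before reading peer->conf_if, so the result of peer_and_group_lookup_vty() is already treated as possibly NULL; the call on line 5988 has no such guard and is reached whenever the lookup fails.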
5988 bgp_capability_send(peer, AFI_IP, SAFI_UNICAST, CAPABILITY_CODE_ENHE, CAPABILITY_ACTION_SET); 5989 5990 return ret; 5991 } 5992 5993 DEFUN (no_neighbor_capability_enhe,
** CID 1617723: (PRINTF_ARGS) ________________________________________________________________________________________________________ *** CID 1617723: (PRINTF_ARGS) /mgmtd/mgmt_fe_adapter.c: 1669 in fe_adapter_handle_notify_select() 1663 // [ ] Keep a local tree to optimize sending selectors to BE? 1664 // [*] Or just KISS and fanout the original message to BEs? 1665 // mgmt_remove_add_notify_selectors(session->notify_xpaths, selectors); 1666 new = darr_append_nz(session->notify_xpaths, darr_len(selectors)); 1667 memcpy(new, selectors, darr_len(selectors) * sizeof(*selectors)); 1668 } else {
CID 1617723: (PRINTF_ARGS) Length modifier "L" not applicable to conversion specifier in "%Lu".
1669 __log_err("Invalid msg from session-id: %Lu: no selectors present in non-replace msg", 1670 session->session_id); 1671 darr_free_free(selectors); 1672 selectors = NULL; 1673 goto done; 1674 } /mgmtd/mgmt_fe_adapter.c: 1698 in fe_adapter_handle_notify_select() 1692 clients = mgmt_be_interested_clients("/", MGMT_BE_XPATH_SUBSCR_TYPE_OPER); 1693 } else { 1694 darr_foreach_p (selectors, sp) 1695 clients |= mgmt_be_interested_clients(*sp, MGMT_BE_XPATH_SUBSCR_TYPE_OPER); 1696 } 1697 if (!clients) {
CID 1617723: (PRINTF_ARGS) Length modifier "L" not applicable to conversion specifier in "%Lu".
1698 __dbg("No backends provide oper for notify selectors: '%s' txn-id %Lu session-id: %Lu", 1699 selstr, session->txn_id, session->session_id); 1700 goto done; 1701 } 1702 1703 /* We don't use a transaction for this, just send the message */ /mgmtd/mgmt_fe_adapter.c: 1680 in fe_adapter_handle_notify_select() 1674 } 1675 1676 1677 if (session->notify_xpaths && DEBUG_MODE_CHECK(&mgmt_debug_fe, DEBUG_MODE_ALL)) { 1678 const char **sel = session->notify_xpaths; 1679 char *s = frrstr_join(sel, darr_len(sel), ", ");
CID 1617723: (PRINTF_ARGS) Length modifier "L" not applicable to conversion specifier in "%Lu".
1680 __dbg("New NOTIF %d selectors '%s' (replace: %d) txn-id: %Lu for session-id: %Lu", 1681 darr_len(sel), s, msg->replace, session->cfg_txn_id, session->session_id); 1682 XFREE(MTYPE_TMP, s); 1683 } 1684 1685 /* Add the new selectors to the global tree */
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/freerangerouting-frr?tab=overview