New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 128 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 128 defect(s) ** CID 1617478: Insecure data handling (INTEGER_OVERFLOW) ________________________________________________________________________________________________________ *** CID 1617478: Insecure data handling (INTEGER_OVERFLOW) /ospfd/ospf_api.c: 642 in new_msg_lsa_change_notify() 636 len = ntohs(data->length); 637 if (len > data_maxs) 638 len = data_maxs; 639 memcpy(nmsg_data, data, len); 640 len += sizeof(struct msg_lsa_change_notify) - sizeof(struct lsa_header); 641
CID 1617478: Insecure data handling (INTEGER_OVERFLOW) "len", which might have overflowed, is passed to "msg_new(msgtype, nmsg, seqnum, len)". Triage note: the snippet clamps len to data_maxs (lines 637-638) before adding the fixed header delta on line 640, so the addition can only wrap if data_maxs is already within a few bytes of the maximum of len's type; neither len's type nor how data_maxs is derived is visible here, so confirm both (and that msg_new treats len as a trusted allocation/copy length) before dismissing this as a false positive.
642 return msg_new(msgtype, nmsg, seqnum, len); 643 } 644 645 struct msg *new_msg_reachable_change(uint32_t seqnum, uint16_t nadd, 646 struct in_addr *add, uint16_t nremove, 647 struct in_addr *remove)
** CID 1617477: Data race undermines locking (LOCK_EVASION) /bgpd/bgpd.c: 7020 in peer_password_unset() ________________________________________________________________________________________________________ *** CID 1617477: Data race undermines locking (LOCK_EVASION) /bgpd/bgpd.c: 7020 in peer_password_unset() 7014 for (ALL_LIST_ELEMENTS(peer->group->peer, node, nnode, member)) { 7015 /* Skip peers with overridden configuration. */ 7016 if (CHECK_FLAG(member->flags_override, PEER_FLAG_PASSWORD)) 7017 continue; 7018 7019 /* Remove flag and configuration on peer-group member. */
CID 1617477: Data race undermines locking (LOCK_EVASION) Thread1 sets "flags" to a new value. Now the two threads have an inconsistent view of "flags" and updates to fields correlated with "flags" may be lost. Triage note: whether this is a real race depends on which thread reads member->flags while peer_password_unset runs, which is not visible here. The sensitive pair is the flag clear on 7020 followed by the XFREE of member->password on 7021: a concurrent reader that still sees PEER_FLAG_PASSWORD set could dereference the freed password, so check the reader's threading model rather than only the lost-update scenario Coverity describes.
7020 UNSET_FLAG(member->flags, PEER_FLAG_PASSWORD); 7021 XFREE(MTYPE_PEER_PASSWORD, member->password); 7022 7023 /* Send notification or reset peer depending on state. */ 7024 if (!peer_notify_config_change(member->connection)) 7025 bgp_session_reset(member);
** CID 1617476: Insecure data handling (INTEGER_OVERFLOW) ________________________________________________________________________________________________________ *** CID 1617476: Insecure data handling (INTEGER_OVERFLOW) /ospfd/ospf_api.c: 669 in new_msg_reachable_change() 663 memcpy(&nmsg->router_ids[nadd], remove, nremove * insz); 664 665 nmsg->nadd = htons(nadd); 666 nmsg->nremove = htons(nremove); 667 len = sizeof(*nmsg) + insz * (nadd + nremove); 668
CID 1617476: Insecure data handling (INTEGER_OVERFLOW) "len", which might have overflowed, is passed to "msg_new(18, nmsg, seqnum, len)". Triage note: nadd and nremove are uint16_t, so (nadd + nremove) is at most 131070 and the sum itself cannot overflow; whether insz * (nadd + nremove) fits depends on insz and on len's type, neither of which is shown. Note also that the memcpy on line 663 already writes nremove * insz bytes into nmsg->router_ids before this length is computed, so the more important question is whether nmsg's allocation (not visible here) was sized from the same expression.
669 return msg_new(MSG_REACHABLE_CHANGE, nmsg, seqnum, len); 670 } 671 672 struct msg *new_msg_router_id_change(uint32_t seqnum, struct in_addr router_id) 673 { 674 struct msg_router_id_change rmsg = {.router_id = router_id};
** CID 1617475: Program hangs (LOCK) /zebra/zapi_msg.c: 1443 in zread_fec_register() ________________________________________________________________________________________________________ *** CID 1617475: Program hangs (LOCK) /zebra/zapi_msg.c: 1443 in zread_fec_register() 1437 l += 4; 1438 } else if (flags & ZEBRA_FEC_REGISTER_LABEL_INDEX) { 1439 STREAM_GETL(s, label_index); 1440 l += 4; 1441 } 1442
CID 1617475: Program hangs (LOCK) "zebra_mpls_fec_register" locks "client->obuf_mtx" while it is locked. Triage note: zread_fec_register is processing a message received from a zebra client, so if client->obuf_mtx is genuinely held on entry and the mutex is non-recursive, a single FEC register message would wedge zebra. Check whether the lock is actually held at line 1443, or whether Coverity is conflating two different client objects, before dismissing.
1443 zebra_mpls_fec_register(zvrf, &p, label, label_index, client); 1444 } 1445 1446 stream_failure: 1447 return; 1448 }
** CID 1617474: (LOCK) /bgpd/bgpd.c: 8684 in bgp_pthreads_run() /bgpd/bgpd.c: 8684 in bgp_pthreads_run() ________________________________________________________________________________________________________ *** CID 1617474: (LOCK) /bgpd/bgpd.c: 8684 in bgp_pthreads_run() 8678 frr_pthread_run(bgp_pth_io, NULL); 8679 frr_pthread_run(bgp_pth_ka, NULL); 8680 8681 /* Wait until threads are ready. */ 8682 frr_pthread_wait_running(bgp_pth_io); 8683 frr_pthread_wait_running(bgp_pth_ka);
CID 1617474: (LOCK) Returning without unlocking "bgp_pth_io->running_cond_mtx". Triage note: the only lock-touching calls before the return are frr_pthread_wait_running() on 8682-8683, which presumably takes running_cond_mtx around a condition-variable wait; if that helper releases the mutex on every path (including the one where the thread is already running), this and the matching report below for bgp_pth_ka are a modelling artefact. Verify the helper's unlock paths rather than dismissing on pattern alone.
8684 } 8685 8686 void bgp_pthreads_finish(void) 8687 { 8688 frr_pthread_stop_all(); 8689 } /bgpd/bgpd.c: 8684 in bgp_pthreads_run() 8678 frr_pthread_run(bgp_pth_io, NULL); 8679 frr_pthread_run(bgp_pth_ka, NULL); 8680 8681 /* Wait until threads are ready. */ 8682 frr_pthread_wait_running(bgp_pth_io); 8683 frr_pthread_wait_running(bgp_pth_ka);
CID 1617474: (LOCK) Returning without unlocking "bgp_pth_ka->running_cond_mtx".
8684 } 8685 8686 void bgp_pthreads_finish(void) 8687 { 8688 frr_pthread_stop_all(); 8689 }
** CID 1617473: Program hangs (LOCK) /bgpd/rfapi/rfapi_vty.c: 976 in rfapiShowVncQueries() ________________________________________________________________________________________________________ *** CID 1617473: Program hangs (LOCK) /bgpd/rfapi/rfapi_vty.c: 976 in rfapiShowVncQueries() 970 971 fp(out, "%-15s %-15s", buf_vn, buf_un); 972 printedquerier = 1; 973 } else 974 fp(out, "%-15s %-15s", "", ""); 975 buf_remain[0] = 0;
CID 1617473: Program hangs (LOCK) "event_timer_remain_second" locks "mon_eth->timer->mtx" while it is locked.
976 rfapiFormatSeconds(event_timer_remain_second( 977 mon_eth->timer), 978 buf_remain, BUFSIZ); 979 fp(out, " %-17s %10d %-10s\n", 980 rfapi_ntop(pfx_mac.family, &pfx_mac.u.prefix, 981 buf_pfx, BUFSIZ),
** CID 1617472: Program hangs (LOCK) /bgpd/bgp_keepalives.c: 227 in bgp_keepalives_start() ________________________________________________________________________________________________________ *** CID 1617472: Program hangs (LOCK) /bgpd/bgp_keepalives.c: 227 in bgp_keepalives_start() 221 TIMEVAL_TO_TIMESPEC(&next_update, &next_update_ts); 222 } 223 224 /* clean up */ 225 pthread_cleanup_pop(1); 226
CID 1617472: Program hangs (LOCK) Returning without unlocking "fpt->running_cond_mtx". Triage note: line 225 is pthread_cleanup_pop(1), which executes the registered cleanup handler; if that handler is what releases fpt->running_cond_mtx, Coverity (which does not model cleanup handlers) will report the lock as leaked here. Confirm the handler unlocks on every path before closing this.
227 return NULL; 228 } 229 230 /* --- thread external functions ------------------------------------------- */ 231 232 void bgp_keepalives_on(struct peer_connection *connection)
** CID 1617471: Program hangs (LOCK) /ospfd/ospf_lsa.c: 3210 in ospf_maxage_lsa_remover() ________________________________________________________________________________________________________ *** CID 1617471: Program hangs (LOCK) /ospfd/ospf_lsa.c: 3210 in ospf_maxage_lsa_remover() 3204 if (lsa->retransmit_counter > 0) { 3205 reschedule = 1; 3206 continue; 3207 } 3208 3209 /* TODO: maybe convert this function to a work-queue */
CID 1617471: Program hangs (LOCK) "event_should_yield" locks "event->mtx" while it is locked.
3210 if (event_should_yield(event)) { 3211 OSPF_TIMER_ON(ospf->t_maxage, 3212 ospf_maxage_lsa_remover, 0); 3213 route_unlock_node( 3214 rn); /* route_top/route_next */ 3215 return;
** CID 1617470: Insecure data handling (INTEGER_OVERFLOW) ________________________________________________________________________________________________________ *** CID 1617470: Insecure data handling (INTEGER_OVERFLOW) /ospfd/ospf_api.c: 517 in new_msg_originate_request() 511 if (omsglen > data_maxs) 512 omsglen = data_maxs; 513 memcpy(omsg_data, data, omsglen); 514 omsglen += sizeof(struct msg_originate_request) 515 - sizeof(struct lsa_header); 516
CID 1617470: Insecure data handling (INTEGER_OVERFLOW) "omsglen", which might have overflowed, is passed to "msg_new(5, omsg, seqnum, omsglen)".
517 return msg_new(MSG_ORIGINATE_REQUEST, omsg, seqnum, omsglen); 518 } 519 520 struct msg *new_msg_delete_request(uint32_t seqnum, struct in_addr addr, 521 uint8_t lsa_type, uint8_t opaque_type, 522 uint32_t opaque_id, uint8_t flags)
** CID 1617469: Program hangs (ORDER_REVERSAL) /bgpd/bgp_fsm.c: 1504 in bgp_stop() ________________________________________________________________________________________________________ *** CID 1617469: Program hangs (ORDER_REVERSAL) /bgpd/bgp_fsm.c: 1504 in bgp_stop() 1498 EVENT_OFF(connection->t_connect); 1499 EVENT_OFF(connection->t_holdtime); 1500 EVENT_OFF(connection->t_routeadv); 1501 EVENT_OFF(connection->t_delayopen); 1502 1503 /* Clear input and output buffer. */
CID 1617469: Program hangs (ORDER_REVERSAL) Calling "_frr_mtx_lock" acquires lock "peer_connection.io_mtx" while holding lock "event_loop.mtx" (count: 5 / 51). Triage note: an order reversal only deadlocks if some other path takes io_mtx first and then event_loop.mtx; the count is Coverity's evidence for which order dominates, so locate the opposing acquisition before changing lock order in bgp_stop. If no opposing path exists, the fix is a documented lock-ordering rule, not a code change here.
1504 frr_with_mutex (&connection->io_mtx) { 1505 if (connection->ibuf) 1506 stream_fifo_clean(connection->ibuf); 1507 if (connection->obuf) 1508 stream_fifo_clean(connection->obuf); 1509
** CID 1617468: Integer handling issues (INTEGER_OVERFLOW) /lib/bitfield.h: 204 in bf_find_next_clear_bit_wrap() ________________________________________________________________________________________________________ *** CID 1617468: Integer handling issues (INTEGER_OVERFLOW) /lib/bitfield.h: 204 in bf_find_next_clear_bit_wrap() 198 199 /* 200 * start looking for a clear bit at the start of the bitfield and 201 * stop when we reach start_index 202 */ 203 scanbits = WORD_SIZE;
CID 1617468: Integer handling issues (INTEGER_OVERFLOW) Expression "start_index - 1U", where "start_index" is known to be equal to 0, underflows the type of "start_index - 1U", which is type "unsigned int". Triage note: the consequence is worse than an arithmetic wrap. On line 204 index_max becomes bf_index(UINT_MAX), and the loop on 205 then indexes v->data[i] far past the end of the bitfield (out-of-bounds read); line 207 derives scanbits from the same wrapped value. If start_index can genuinely be 0 on this path, guard it explicitly (return early, or treat start_index == 0 as "nothing to scan before the wrap point").
204 index_max = bf_index(start_index - 1); 205 for (i = 0; i <= index_max; ++i) { 206 if (i == index_max) 207 scanbits = ((start_index - 1) % WORD_SIZE) + 1; 208 for (offset = start_bit; offset < scanbits; ++offset) { 209 if (!((v->data[i] >> offset) & 1))
** CID 1617467: Program hangs (LOCK) /pathd/path_pcep_controller.c: 200 in pcep_ctrl_initialize() ________________________________________________________________________________________________________ *** CID 1617467: Program hangs (LOCK) /pathd/path_pcep_controller.c: 200 in pcep_ctrl_initialize() 194 ctrl_state->pcc_opts->addr.ipa_type = IPADDR_NONE; 195 ctrl_state->pcc_opts->port = PCEP_DEFAULT_PORT; 196 197 /* Keep the state reference for events */ 198 set_ctrl_state(*fpt, ctrl_state); 199
CID 1617467: Program hangs (LOCK) Returning without unlocking "(*fpt)->running_cond_mtx". Triage note: nothing in the visible lines 194-200 takes a lock directly, so the acquisition must be inside an earlier helper (not shown); check whether that helper releases (*fpt)->running_cond_mtx on every path to line 200, or whether ownership of the locked mutex is intentionally handed to the controller thread.
200 return ret; 201 } 202 203 int pcep_ctrl_finalize(struct frr_pthread **fpt) 204 { 205 assert(fpt != NULL);
** CID 1617466: Concurrent data access violations (MISSING_LOCK) /zebra/zebra_fpm.c: 1760 in zfpm_show_stats() ________________________________________________________________________________________________________ *** CID 1617466: Concurrent data access violations (MISSING_LOCK) /zebra/zebra_fpm.c: 1760 in zfpm_show_stats() 1754 ZFPM_SHOW_STAT(nop_deletes_skipped); 1755 ZFPM_SHOW_STAT(route_adds); 1756 ZFPM_SHOW_STAT(route_dels); 1757 ZFPM_SHOW_STAT(updates_triggered); 1758 ZFPM_SHOW_STAT(redundant_triggers); 1759 ZFPM_SHOW_STAT(dests_del_after_update);
CID 1617466: Concurrent data access violations (MISSING_LOCK) Accessing "zfpm_g->last_ivl_stats.t_conn_down_starts" without holding lock "event_loop.mtx". Elsewhere, "zfpm_stats.t_conn_down_starts" is written to with "event_loop.mtx" held 1 out of 1 times. Triage note: the report names two different objects — the unlocked read is from zfpm_g->last_ivl_stats, the locked write is to zfpm_stats. Check whether last_ivl_stats is copied from zfpm_stats elsewhere and on which thread; if both are only touched from the main thread this is a false positive, and even if not, the worst case for a stats display is a torn counter, not memory corruption.
1760 ZFPM_SHOW_STAT(t_conn_down_starts); 1761 ZFPM_SHOW_STAT(t_conn_down_dests_processed); 1762 ZFPM_SHOW_STAT(t_conn_down_yields); 1763 ZFPM_SHOW_STAT(t_conn_down_finishes); 1764 ZFPM_SHOW_STAT(t_conn_up_starts); 1765 ZFPM_SHOW_STAT(t_conn_up_dests_processed);
** CID 1617465: Data race undermines locking (LOCK_EVASION) /zebra/zserv.c: 721 in zserv_close_client() ________________________________________________________________________________________________________ *** CID 1617465: Data race undermines locking (LOCK_EVASION) /zebra/zserv.c: 721 in zserv_close_client() 715 event_cancel_event(zrouter.master, client); 716 EVENT_OFF(client->t_cleanup); 717 EVENT_OFF(client->t_process); 718 719 /* destroy pthread */ 720 frr_pthread_destroy(client->pthread);
CID 1617465: Data race undermines locking (LOCK_EVASION) Thread1 sets "pthread" to a new value. Now the two threads have an inconsistent view of "pthread" and updates to fields of "pthread" or fields correlated with "pthread" may be lost. Triage note: frr_pthread_destroy(client->pthread) on line 720 runs before the pointer is cleared on 721, so if any other thread can still read client->pthread in that window the hazard is a use of a destroyed pthread, not merely the lost update Coverity describes. Confirm this path is only reached from the thread that owns client (the comment at 724-726 suggests such a check follows).
721 client->pthread = NULL; 722 } 723 724 /* 725 * Final check in case the client struct is in use in another 726 * pthread: if not in-use, continue and free the client
** CID 1617464: Concurrent data access violations (MISSING_LOCK) /zebra/zebra_fpm.c: 1764 in zfpm_show_stats() ________________________________________________________________________________________________________ *** CID 1617464: Concurrent data access violations (MISSING_LOCK) /zebra/zebra_fpm.c: 1764 in zfpm_show_stats() 1758 ZFPM_SHOW_STAT(redundant_triggers); 1759 ZFPM_SHOW_STAT(dests_del_after_update); 1760 ZFPM_SHOW_STAT(t_conn_down_starts); 1761 ZFPM_SHOW_STAT(t_conn_down_dests_processed); 1762 ZFPM_SHOW_STAT(t_conn_down_yields); 1763 ZFPM_SHOW_STAT(t_conn_down_finishes);
CID 1617464: Concurrent data access violations (MISSING_LOCK) Accessing "zfpm_g->last_ivl_stats.t_conn_up_starts" without holding lock "event_loop.mtx". Elsewhere, "zfpm_stats.t_conn_up_starts" is written to with "event_loop.mtx" held 1 out of 1 times. Triage note: same shape as CID 1617466 above — the read and the locked write are on different objects (last_ivl_stats vs. zfpm_stats); triage them together.
1764 ZFPM_SHOW_STAT(t_conn_up_starts); 1765 ZFPM_SHOW_STAT(t_conn_up_dests_processed); 1766 ZFPM_SHOW_STAT(t_conn_up_yields); 1767 ZFPM_SHOW_STAT(t_conn_up_aborts); 1768 ZFPM_SHOW_STAT(t_conn_up_finishes); 1769
** CID 1617463: (INTEGER_OVERFLOW) /lib/ptm_lib.c: 320 in _ptm_lib_read_ptm_socket() /lib/ptm_lib.c: 307 in _ptm_lib_read_ptm_socket() ________________________________________________________________________________________________________ *** CID 1617463: (INTEGER_OVERFLOW) /lib/ptm_lib.c: 320 in _ptm_lib_read_ptm_socket() 314 if (retries++ < 2) { 315 usleep(10000); 316 continue; 317 } 318 DLOG("max retries - recv error(%d - %s) bytes read %d (%d)\n", errno, 319 strerror(errno), bytes_read, len);
CID 1617463: (INTEGER_OVERFLOW) "bytes_read", which might have overflowed, is returned from the function. Triage note: bytes_read starts at 0 (line 304) and only grows by rc on line 322, so it cannot realistically overflow on its own; the substantive issue is the signed length arithmetic in the recv() call described next.
320 return (bytes_read); 321 } else { 322 bytes_read += rc; 323 } 324 } 325 /lib/ptm_lib.c: 307 in _ptm_lib_read_ptm_socket() 301 static int _ptm_lib_read_ptm_socket(int fd, char *buf, int len) 302 { 303 int retries = 0, rc; 304 int bytes_read = 0; 305 306 while (bytes_read != len) {
CID 1617463: (INTEGER_OVERFLOW) "len - bytes_read", which might have underflowed, is passed to "recv(fd, (void *)(buf + bytes_read), len - bytes_read, MSG_DONTWAIT)". Triage note: len is a signed int (line 301) and len - bytes_read is passed as recv's size_t length; if len is negative, or bytes_read ever exceeds len, the negative difference converts to a huge size and recv() can write past buf. Separately, if the branch at line 313 (not shown) only catches rc < 0, then rc == 0 (peer closed) leaves bytes_read unchanged and the loop on 306 spins with no retry limit. Reject len <= 0 up front, loop while bytes_read < len, and treat rc == 0 as a closed connection.
307 rc = recv(fd, (void *)(buf + bytes_read), (len - bytes_read), 308 MSG_DONTWAIT); 309 if (rc < 0 && (errno != EAGAIN) && (errno != EWOULDBLOCK)) { 310 ERRLOG("fatal recv error(%s), closing connection, rc %d\n", strerror(errno), 311 rc); 312 return (rc);
** CID 1617462: Program hangs (ORDER_REVERSAL) ________________________________________________________________________________________________________ *** CID 1617462: Program hangs (ORDER_REVERSAL) /zebra/zebra_pw.c: 239 in zebra_pw_install_failure() 233 234 /* schedule to retry later */ 235 EVENT_OFF(pw->install_retry_timer); 236 event_add_timer(zrouter.master, zebra_pw_install_retry, pw, 237 PW_INSTALL_RETRY_INTERVAL, &pw->install_retry_timer); 238
CID 1617462: Program hangs (ORDER_REVERSAL) Calling "zebra_pw_update_status" acquires lock "zserv.obuf_mtx" while holding lock "event_loop.mtx" (count: 1 / 2).
239 zebra_pw_update_status(pw, pwstatus); 240 } 241 242 static void zebra_pw_install_retry(struct event *thread) 243 { 244 struct zebra_pw *pw = EVENT_ARG(thread);
** CID 1617461: Memory - corruptions (USE_AFTER_FREE) /bgpd/bgp_route.c: 9317 in bgp_redistribute_add() ________________________________________________________________________________________________________ *** CID 1617461: Memory - corruptions (USE_AFTER_FREE) /bgpd/bgp_route.c: 9317 in bgp_redistribute_add() 9311 bgp->peer_self, new_attr, bn); 9312 SET_FLAG(new->flags, BGP_PATH_VALID); 9313 9314 bgp_aggregate_increment(bgp, p, new, afi, SAFI_UNICAST); 9315 bgp_path_info_add(bn, new); 9316 bgp_dest_unlock_node(bn);
CID 1617461: Memory - corruptions (USE_AFTER_FREE) Dereferencing freed pointer "bn". Triage note: bgp_dest_unlock_node(bn) on 9316 precedes the bn->flags write on 9317 and the bgp_process(bgp, bn, ...) call on 9318, so this is a real use-after-free only if that unlock can drop the last reference. If bgp_path_info_add on 9315 takes its own reference on bn (plausible from the pairing, but not visible here), the early unlock is safe; otherwise move the unlock to after bgp_process.
9317 SET_FLAG(bn->flags, BGP_NODE_FIB_INSTALLED); 9318 bgp_process(bgp, bn, new, afi, SAFI_UNICAST); 9319 9320 if ((bgp->inst_type == BGP_INSTANCE_TYPE_VRF) 9321 || (bgp->inst_type == BGP_INSTANCE_TYPE_DEFAULT)) { 9322
** CID 1617460: Program hangs (ORDER_REVERSAL) ________________________________________________________________________________________________________ *** CID 1617460: Program hangs (ORDER_REVERSAL) /bgpd/bgpd.c: 1291 in peer_free() 1285 1286 if (peer->change_local_as_pretty) 1287 XFREE(MTYPE_BGP_NAME, peer->change_local_as_pretty); 1288 if (peer->as_pretty) 1289 XFREE(MTYPE_BGP_NAME, peer->as_pretty); 1290
CID 1617460: Program hangs (ORDER_REVERSAL) Calling "bgp_peer_connection_free" acquires lock "peer_connection.io_mtx" while holding lock "event_loop.mtx" (count: 5 / 51).
1291 bgp_peer_connection_free(&peer->connection); 1292 1293 bgp_unlock(peer->bgp); 1294 1295 stream_free(peer->last_reset_cause); 1296
** CID 1617459: Data race undermines locking (LOCK_EVASION) /ospf6d/ospf6_network.c: 89 in ospf6_serv_sock() ________________________________________________________________________________________________________ *** CID 1617459: Data race undermines locking (LOCK_EVASION) /ospf6d/ospf6_network.c: 89 in ospf6_serv_sock() 83 ospf6_set_reuseaddr(); 84 #endif /*1*/ 85 ospf6_reset_mcastloop(ospf6_sock); 86 ospf6_set_pktinfo(ospf6_sock); 87 ospf6_set_transport_class(ospf6_sock); 88
CID 1617459: Data race undermines locking (LOCK_EVASION) Thread1 sets "fd" to a new value. Now the two threads have an inconsistent view of "fd" and updates to fields correlated with "fd" may be lost. Triage note: ospf6_serv_sock is socket setup, and whether any other thread reads ospf6->fd concurrently is not visible here. If the fd is only read from the thread that runs this code there is no race; if a reader exists, note that the fd is published on line 89 only after the socket options on 83-87 are applied, so the important ordering (options before use) already holds.
89 ospf6->fd = ospf6_sock; 90 /* setup global in6_addr, allspf6 and alldr6 for later use */ 91 inet_pton(AF_INET6, ALLSPFROUTERS6, &allspfrouters6); 92 inet_pton(AF_INET6, ALLDROUTERS6, &alldrouters6); 93 94 return 0;
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/freerangerouting-frr?tab=overview