New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 16 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 21 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 16 of 16 defect(s) ** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 480 in seqnumber_mismatch() 474 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT); 475 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT); 476 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT); 477 478 ospf6_lsdb_remove_all(on->summary_list); 479 ospf6_lsdb_remove_all(on->request_list);
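CID 1486267: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa". The loop body below removes "lsa" from "on->retrans_list", and the ALL_LSDB iteration then advances from that same pointer; whether this is a real use-after-free depends on whether the iteration holds its own reference on "lsa", which the excerpt does not show.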
480 for (ALL_LSDB(on->retrans_list, lsa)) { 481 ospf6_decrement_retrans_count(lsa); 482 ospf6_lsdb_remove(lsa, on->retrans_list); 483 } 484 485 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486266: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486266: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2315 in ospf6_lsack_send_neighbor() 2309 2310 memset(sendbuf, 0, iobuflen); 2311 oh = (struct ospf6_header *)sendbuf; 2312 2313 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header)); 2314
CID 1486266: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2315 for (ALL_LSDB(on->lsack_list, lsa)) { 2316 /* MTU check */ 2317 if (p - sendbuf + sizeof(struct ospf6_lsa_header) 2318 > ospf6_packet_max(on->ospf6_if)) { 2319 /* if we run out of packet size/space here, 2320 better to try again soon. */
** CID 1486265: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486265: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2231 in ospf6_lsupdate_send_interface() 2225 lsupdate = (struct ospf6_lsupdate *)((caddr_t)oh 2226 + sizeof(struct ospf6_header)); 2227 2228 p = (uint8_t *)((caddr_t)lsupdate + sizeof(struct ospf6_lsupdate)); 2229 lsa_cnt = 0; 2230
CID 1486265: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2231 for (ALL_LSDB(oi->lsupdate_list, lsa)) { 2232 /* MTU check */ 2233 if ((p - sendbuf + ((unsigned int)OSPF6_LSA_SIZE(lsa->header))) 2234 > ospf6_packet_max(oi)) { 2235 if (lsa_cnt) { 2236 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
** CID 1486264: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486264: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_lsdb.c: 306 in ospf6_lsdb_remove_all() 300 { 301 struct ospf6_lsa *lsa; 302 303 if (lsdb == NULL) 304 return; 305
CID 1486264: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
306 for (ALL_LSDB(lsdb, lsa)) 307 ospf6_lsdb_remove(lsa, lsdb); 308 } 309 310 void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa) 311 {
** CID 1486263: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486263: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 119 in ospf6_neighbor_delete() 113 void ospf6_neighbor_delete(struct ospf6_neighbor *on) 114 { 115 struct ospf6_lsa *lsa; 116 117 ospf6_lsdb_remove_all(on->summary_list); 118 ospf6_lsdb_remove_all(on->request_list);
CID 1486263: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
119 for (ALL_LSDB(on->retrans_list, lsa)) { 120 ospf6_decrement_retrans_count(lsa); 121 ospf6_lsdb_remove(lsa, on->retrans_list); 122 } 123 124 ospf6_lsdb_remove_all(on->dbdesc_list);
** CID 1486262: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486262: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 1879 in ospf6_dbdesc_send_newone() 1873 ospf6_lsdb_remove_all(on->dbdesc_list); 1874 1875 /* move LSAs from summary_list to dbdesc_list (within neighbor 1876 structure) 1877 so that ospf6_send_dbdesc () can send those LSAs */ 1878 size = sizeof(struct ospf6_lsa_header) + sizeof(struct ospf6_dbdesc);
CID 1486262: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
1879 for (ALL_LSDB(on->summary_list, lsa)) { 1880 if (size + sizeof(struct ospf6_lsa_header) 1881 > ospf6_packet_max(on->ospf6_if)) { 1882 ospf6_lsdb_lsa_unlock(lsa); 1883 break; 1884 }
** CID 1486261: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486261: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 517 in bad_lsreq() 511 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT); 512 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT); 513 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT); 514 515 ospf6_lsdb_remove_all(on->summary_list); 516 ospf6_lsdb_remove_all(on->request_list);
CID 1486261: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
517 for (ALL_LSDB(on->retrans_list, lsa)) { 518 ospf6_decrement_retrans_count(lsa); 519 ospf6_lsdb_remove(lsa, on->retrans_list); 520 } 521 522 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486260: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486260: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 304 in negotiation_done() 298 if (IS_OSPF6_DEBUG_NEIGHBOR(EVENT)) 299 zlog_debug("Neighbor Event %s: *NegotiationDone*", on->name); 300 301 /* clear ls-list */ 302 ospf6_lsdb_remove_all(on->summary_list); 303 ospf6_lsdb_remove_all(on->request_list);
CID 1486260: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
304 for (ALL_LSDB(on->retrans_list, lsa)) { 305 ospf6_decrement_retrans_count(lsa); 306 ospf6_lsdb_remove(lsa, on->retrans_list); 307 } 308 309 /* Interface scoped LSAs */
** CID 1486259: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486259: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_lsdb.c: 324 in ospf6_lsdb_maxage_remover() 318 319 int ospf6_lsdb_maxage_remover(struct ospf6_lsdb *lsdb) 320 { 321 int reschedule = 0; 322 struct ospf6_lsa *lsa; 323
CID 1486259: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
324 for (ALL_LSDB(lsdb, lsa)) { 325 if (!OSPF6_LSA_IS_MAXAGE(lsa)) 326 continue; 327 if (lsa->retrans_count != 0) { 328 reschedule = 1; 329 continue;
** CID 1486258: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486258: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2394 in ospf6_lsack_send_interface() 2388 2389 memset(sendbuf, 0, iobuflen); 2390 oh = (struct ospf6_header *)sendbuf; 2391 2392 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header)); 2393
CID 1486258: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2394 for (ALL_LSDB(oi->lsack_list, lsa)) { 2395 /* MTU check */ 2396 if (p - sendbuf + sizeof(struct ospf6_lsa_header) 2397 > ospf6_packet_max(oi)) { 2398 /* if we run out of packet size/space here, 2399 better to try again soon. */
** CID 1486257: Incorrect expression (MISSING_COMMA) /bgpd/bgp_fsm.c: 551 in () ________________________________________________________________________________________________________ *** CID 1486257: Incorrect expression (MISSING_COMMA) /bgpd/bgp_fsm.c: 551 in () 545 "Passive config change", 546 "Multihop config change", 547 "NSF peer closed the session", 548 "Intf peering v6only config change", 549 "BFD down received", 550 "Interface down",
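CID 1486257: Incorrect expression (MISSING_COMMA) In the initialization of "peer_down_str", a suspicious concatenated string ""Neighbor address lostWaiting for NHT"" is produced due to a missing comma between lines. Because adjacent string literals are concatenated, the table also ends up one entry short, and every entry after line 551 sits one index lower than intended.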
551 "Neighbor address lost" 552 "Waiting for NHT", 553 "Waiting for Peer IPv6 Addr", 554 "Waiting for VRF to be initialized"}; 555 556 static int bgp_graceful_restart_timer_expire(struct thread *thread)
** CID 1486256: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486256: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2047 in ospf6_lsupdate_send_neighbor() 2041 2042 p = (uint8_t *)((caddr_t)lsupdate + sizeof(struct ospf6_lsupdate)); 2043 lsa_cnt = 0; 2044 2045 /* lsupdate_list lists those LSA which doesn't need to be 2046 retransmitted. remove those from the list */
CID 1486256: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2047 for (ALL_LSDB(on->lsupdate_list, lsa)) { 2048 /* MTU check */ 2049 if ((p - sendbuf + (unsigned int)OSPF6_LSA_SIZE(lsa->header)) 2050 > ospf6_packet_max(on->ospf6_if)) { 2051 if (lsa_cnt) { 2052 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
** CID 1486255: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486255: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 552 in oneway_received() 546 ospf6_neighbor_state_change(OSPF6_NEIGHBOR_INIT, on, 547 OSPF6_NEIGHBOR_EVENT_ONEWAY_RCVD); 548 thread_add_event(master, neighbor_change, on->ospf6_if, 0, NULL); 549 550 ospf6_lsdb_remove_all(on->summary_list); 551 ospf6_lsdb_remove_all(on->request_list);
CID 1486255: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
552 for (ALL_LSDB(on->retrans_list, lsa)) { 553 ospf6_decrement_retrans_count(lsa); 554 ospf6_lsdb_remove(lsa, on->retrans_list); 555 } 556 557 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486254: Null pointer dereferences (NULL_RETURNS) ________________________________________________________________________________________________________ *** CID 1486254: Null pointer dereferences (NULL_RETURNS) /eigrpd/eigrpd.c: 162 in eigrp_new() 156 157 /* init internal data structures */ 158 eigrp->eiflist = list_new(); 159 eigrp->passive_interface_default = EIGRP_IF_ACTIVE; 160 eigrp->networks = eigrp_topology_new(); 161
CID 1486254: Null pointer dereferences (NULL_RETURNS) Dereferencing the return value of "vrf_lookup_by_id(vrf_id)", which might be "NULL", when calling "eigrp_sock_init".
162 eigrp->fd = eigrp_sock_init(vrf_lookup_by_id(vrf_id)); 163 164 if (eigrp->fd < 0) { 165 flog_err_sys( 166 EC_LIB_SOCKET, 167 "eigrp_new: fatal error: eigrp_sock_init was unable to open a socket");
** CID 1486253: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486253: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 449 in adj_ok() 443 444 } else if (on->state >= OSPF6_NEIGHBOR_EXSTART && !need_adjacency(on)) { 445 ospf6_neighbor_state_change(OSPF6_NEIGHBOR_TWOWAY, on, 446 OSPF6_NEIGHBOR_EVENT_ADJ_OK); 447 ospf6_lsdb_remove_all(on->summary_list); 448 ospf6_lsdb_remove_all(on->request_list);
CID 1486253: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
449 for (ALL_LSDB(on->retrans_list, lsa)) { 450 ospf6_decrement_retrans_count(lsa); 451 ospf6_lsdb_remove(lsa, on->retrans_list); 452 } 453 } 454
** CID 1221460: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1221460: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 1957 in ospf6_lsreq_send() 1951 } 1952 1953 if (last_req != NULL) { 1954 if (on->last_ls_req != NULL) { 1955 ospf6_lsa_unlock(on->last_ls_req); 1956 }
CID 1221460: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
1957 ospf6_lsa_lock(last_req); 1958 on->last_ls_req = last_req; 1959 } 1960 1961 oh->type = OSPF6_MESSAGE_TYPE_LSREQ; 1962 oh->length = htons(p - sendbuf);
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...