New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 16 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 28 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 16 of 16 defect(s) ** CID 1492504: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /bgpd/bgp_routemap.c: 2588 in route_set_ecommunity_lb() ________________________________________________________________________________________________________ *** CID 1492504: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /bgpd/bgp_routemap.c: 2588 in route_set_ecommunity_lb() 2582 } else if (rels->lb_type == RMAP_ECOMM_LB_SET_NUM_MPATH) { 2583 2584 /* process this only for the best path. */ 2585 if (!CHECK_FLAG(path->flags, BGP_PATH_SELECTED)) 2586 return RMAP_OKAY; 2587
CID 1492504: Integer handling issues (OVERFLOW_BEFORE_WIDEN) Potentially overflowing expression "peer->bgp->lb_ref_bw * 1000U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "_uint64_t" (64 bits, unsigned).
2588 bw_bytes = ((uint64_t)(peer->bgp->lb_ref_bw * 1000 * 1000))/8; 2589 mpath_count = bgp_path_info_mpath_count(path) + 1; 2590 bw_bytes *= mpath_count; 2591 } 2592 2593 encode_lb_extcomm(as, bw_bytes, rels->non_trans, &lb_eval);
** CID 1492503: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /bgpd/bgp_routemap.c: 2572 in route_set_ecommunity_lb() ________________________________________________________________________________________________________ *** CID 1492503: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /bgpd/bgp_routemap.c: 2572 in route_set_ecommunity_lb() 2566 if (!peer || !peer->bgp) 2567 return RMAP_ERROR; 2568 2569 /* Build link bandwidth extended community */ 2570 as = (peer->bgp->as > BGP_AS_MAX) ? BGP_AS_TRANS : peer->bgp->as; 2571 if (rels->lb_type == RMAP_ECOMM_LB_SET_VALUE) {
CID 1492503: Integer handling issues (OVERFLOW_BEFORE_WIDEN) Potentially overflowing expression "rels->bw * 1000U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "_uint64_t" (64 bits, unsigned).
2572 bw_bytes = ((uint64_t)(rels->bw * 1000 * 1000))/8; 2573 } else if (rels->lb_type == RMAP_ECOMM_LB_SET_CUMUL) { 2574 /* process this only for the best path. */ 2575 if (!CHECK_FLAG(path->flags, BGP_PATH_SELECTED)) 2576 return RMAP_OKAY; 2577
** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 494 in seqnumber_mismatch() 488 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT); 489 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT); 490 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT); 491 492 ospf6_lsdb_remove_all(on->summary_list); 493 ospf6_lsdb_remove_all(on->request_list);
CID 1486267: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
494 for (ALL_LSDB(on->retrans_list, lsa)) { 495 ospf6_decrement_retrans_count(lsa); 496 ospf6_lsdb_remove(lsa, on->retrans_list); 497 } 498 499 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486266: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486266: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2343 in ospf6_lsack_send_neighbor() 2337 p = (uint8_t *)((caddr_t)oh 2338 + sizeof(struct ospf6_header)); 2339 lsa_cnt = 0; 2340 } 2341 } 2342
CID 1486266: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2343 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay); 2344 memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header)); 2345 p += sizeof(struct ospf6_lsa_header); 2346 2347 assert(lsa->lock == 1); 2348 ospf6_lsdb_remove(lsa, on->lsack_list); /ospf6d/ospf6_message.c: 2343 in ospf6_lsack_send_neighbor() 2337 p = (uint8_t *)((caddr_t)oh 2338 + sizeof(struct ospf6_header)); 2339 lsa_cnt = 0; 2340 } 2341 } 2342
CID 1486266: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2343 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay); 2344 memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header)); 2345 p += sizeof(struct ospf6_lsa_header); 2346 2347 assert(lsa->lock == 1); 2348 ospf6_lsdb_remove(lsa, on->lsack_list);
** CID 1486265: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2235 in ospf6_lsupdate_send_interface() /ospf6d/ospf6_message.c: 2235 in ospf6_lsupdate_send_interface() ________________________________________________________________________________________________________ *** CID 1486265: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2235 in ospf6_lsupdate_send_interface() 2229 lsa_cnt = 0; 2230 2231 for (iterend = ospf6_lsdb_head(oi->lsupdate_list, 0, 0, 0, &lsa); lsa; 2232 lsa = lsa_next) { 2233 lsa_next = ospf6_lsdb_next(iterend, lsa); 2234 /* MTU check */
CID 1486265: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2235 if ((p - sendbuf + ((unsigned int)OSPF6_LSA_SIZE(lsa->header))) 2236 > ospf6_packet_max(oi)) { 2237 if (lsa_cnt) { 2238 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE; 2239 oh->length = htons(p - sendbuf); 2240 lsupdate->lsa_number = htonl(lsa_cnt); /ospf6d/ospf6_message.c: 2235 in ospf6_lsupdate_send_interface() 2229 lsa_cnt = 0; 2230 2231 for (iterend = ospf6_lsdb_head(oi->lsupdate_list, 0, 0, 0, &lsa); lsa; 2232 lsa = lsa_next) { 2233 lsa_next = ospf6_lsdb_next(iterend, lsa); 2234 /* MTU check */
CID 1486265: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2235 if ((p - sendbuf + ((unsigned int)OSPF6_LSA_SIZE(lsa->header))) 2236 > ospf6_packet_max(oi)) { 2237 if (lsa_cnt) { 2238 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE; 2239 oh->length = htons(p - sendbuf); 2240 lsupdate->lsa_number = htonl(lsa_cnt);
** CID 1486264: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486264: (USE_AFTER_FREE) /ospf6d/ospf6_lsdb.c: 310 in ospf6_lsdb_remove_all() 304 if (lsdb == NULL) 305 return; 306 307 for (iterend = ospf6_lsdb_head(lsdb, 0, 0, 0, &lsa); lsa; 308 lsa = lsa_next) { 309 lsa_next = ospf6_lsdb_next(iterend, lsa);
CID 1486264: (USE_AFTER_FREE) Calling "ospf6_lsdb_remove" dereferences freed pointer "lsa".
310 ospf6_lsdb_remove(lsa, lsdb); 311 } 312 } 313 314 void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa) 315 { /ospf6d/ospf6_lsdb.c: 310 in ospf6_lsdb_remove_all() 304 if (lsdb == NULL) 305 return; 306 307 for (iterend = ospf6_lsdb_head(lsdb, 0, 0, 0, &lsa); lsa; 308 lsa = lsa_next) { 309 lsa_next = ospf6_lsdb_next(iterend, lsa);
CID 1486264: (USE_AFTER_FREE) Calling "ospf6_lsdb_remove" dereferences freed pointer "lsa".
310 ospf6_lsdb_remove(lsa, lsdb); 311 } 312 } 313 314 void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa) 315 {
** CID 1486263: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486263: (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 130 in ospf6_neighbor_delete() 124 ospf6_lsdb_remove_all(on->summary_list); 125 ospf6_lsdb_remove_all(on->request_list); 126 127 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa; 128 lsa = lsa_next) { 129 lsa_next = ospf6_lsdb_next(iterend, lsa);
CID 1486263: (USE_AFTER_FREE) Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
130 ospf6_decrement_retrans_count(lsa); 131 ospf6_lsdb_remove(lsa, on->retrans_list); 132 } 133 134 ospf6_lsdb_remove_all(on->dbdesc_list); 135 ospf6_lsdb_remove_all(on->lsupdate_list); /ospf6d/ospf6_neighbor.c: 130 in ospf6_neighbor_delete() 124 ospf6_lsdb_remove_all(on->summary_list); 125 ospf6_lsdb_remove_all(on->request_list); 126 127 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa; 128 lsa = lsa_next) { 129 lsa_next = ospf6_lsdb_next(iterend, lsa);
CID 1486263: (USE_AFTER_FREE) Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
130 ospf6_decrement_retrans_count(lsa); 131 ospf6_lsdb_remove(lsa, on->retrans_list); 132 } 133 134 ospf6_lsdb_remove_all(on->dbdesc_list); 135 ospf6_lsdb_remove_all(on->lsupdate_list);
** CID 1486262: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 1879 in ospf6_dbdesc_send_newone() ________________________________________________________________________________________________________ *** CID 1486262: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 1883 in ospf6_dbdesc_send_newone() 1877 if (size + sizeof(struct ospf6_lsa_header) 1878 > ospf6_packet_max(on->ospf6_if)) { 1879 ospf6_lsdb_lsa_unlock(lsa); 1880 break; 1881 } 1882
CID 1486262: (USE_AFTER_FREE) Calling "ospf6_lsa_copy" dereferences freed pointer "lsa".
1883 ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list); 1884 ospf6_lsdb_remove(lsa, on->summary_list); 1885 size += sizeof(struct ospf6_lsa_header); 1886 } 1887 1888 if (on->summary_list->count == 0) /ospf6d/ospf6_message.c: 1879 in ospf6_dbdesc_send_newone() 1873 1874 for (iterend = ospf6_lsdb_head(on->summary_list, 0, 0, 0, &lsa); lsa; 1875 lsa = lsa_next) { 1876 lsa_next = ospf6_lsdb_next(iterend, lsa); 1877 if (size + sizeof(struct ospf6_lsa_header) 1878 > ospf6_packet_max(on->ospf6_if)) {
CID 1486262: (USE_AFTER_FREE) Passing freed pointer "lsa" as an argument to "ospf6_lsdb_lsa_unlock".
1879 ospf6_lsdb_lsa_unlock(lsa); 1880 break; 1881 } 1882 1883 ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list); 1884 ospf6_lsdb_remove(lsa, on->summary_list); /ospf6d/ospf6_message.c: 1879 in ospf6_dbdesc_send_newone() 1873 1874 for (iterend = ospf6_lsdb_head(on->summary_list, 0, 0, 0, &lsa); lsa; 1875 lsa = lsa_next) { 1876 lsa_next = ospf6_lsdb_next(iterend, lsa); 1877 if (size + sizeof(struct ospf6_lsa_header) 1878 > ospf6_packet_max(on->ospf6_if)) {
CID 1486262: (USE_AFTER_FREE) Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed.
1879 ospf6_lsdb_lsa_unlock(lsa); 1880 break; 1881 } 1882 1883 ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list); 1884 ospf6_lsdb_remove(lsa, on->summary_list); /ospf6d/ospf6_message.c: 1883 in ospf6_dbdesc_send_newone() 1877 if (size + sizeof(struct ospf6_lsa_header) 1878 > ospf6_packet_max(on->ospf6_if)) { 1879 ospf6_lsdb_lsa_unlock(lsa); 1880 break; 1881 } 1882
CID 1486262: (USE_AFTER_FREE) Calling "ospf6_lsa_copy" dereferences freed pointer "lsa".
1883 ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list); 1884 ospf6_lsdb_remove(lsa, on->summary_list); 1885 size += sizeof(struct ospf6_lsa_header); 1886 } 1887 1888 if (on->summary_list->count == 0) /ospf6d/ospf6_message.c: 1879 in ospf6_dbdesc_send_newone() 1873 1874 for (iterend = ospf6_lsdb_head(on->summary_list, 0, 0, 0, &lsa); lsa; 1875 lsa = lsa_next) { 1876 lsa_next = ospf6_lsdb_next(iterend, lsa); 1877 if (size + sizeof(struct ospf6_lsa_header) 1878 > ospf6_packet_max(on->ospf6_if)) {
CID 1486262: (USE_AFTER_FREE) Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed.
1879 ospf6_lsdb_lsa_unlock(lsa); 1880 break; 1881 } 1882 1883 ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list); 1884 ospf6_lsdb_remove(lsa, on->summary_list);
** CID 1486261: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486261: (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 536 in bad_lsreq() 530 ospf6_lsdb_remove_all(on->summary_list); 531 ospf6_lsdb_remove_all(on->request_list); 532 533 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa; 534 lsa = lsa_next) { 535 lsa_next = ospf6_lsdb_next(iterend, lsa);
CID 1486261: (USE_AFTER_FREE) Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
536 ospf6_decrement_retrans_count(lsa); 537 ospf6_lsdb_remove(lsa, on->retrans_list); 538 } 539 540 THREAD_OFF(on->thread_send_dbdesc); 541 on->dbdesc_seqnum++; /* Incr seqnum as per RFC2328, sec 10.3 */ /ospf6d/ospf6_neighbor.c: 536 in bad_lsreq() 530 ospf6_lsdb_remove_all(on->summary_list); 531 ospf6_lsdb_remove_all(on->request_list); 532 533 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa; 534 lsa = lsa_next) { 535 lsa_next = ospf6_lsdb_next(iterend, lsa);
CID 1486261: (USE_AFTER_FREE) Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
536 ospf6_decrement_retrans_count(lsa); 537 ospf6_lsdb_remove(lsa, on->retrans_list); 538 } 539 540 THREAD_OFF(on->thread_send_dbdesc); 541 on->dbdesc_seqnum++; /* Incr seqnum as per RFC2328, sec 10.3 */
** CID 1486260: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486260: (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 319 in negotiation_done() 313 ospf6_lsdb_remove_all(on->summary_list); 314 ospf6_lsdb_remove_all(on->request_list); 315 316 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa; 317 lsa = lsa_next) { 318 lsa_next = ospf6_lsdb_next(iterend, lsa);
CID 1486260: (USE_AFTER_FREE) Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
319 ospf6_decrement_retrans_count(lsa); 320 ospf6_lsdb_remove(lsa, on->retrans_list); 321 } 322 323 /* Interface scoped LSAs */ 324 for (ALL_LSDB(on->ospf6_if->lsdb, lsa)) { /ospf6d/ospf6_neighbor.c: 319 in negotiation_done() 313 ospf6_lsdb_remove_all(on->summary_list); 314 ospf6_lsdb_remove_all(on->request_list); 315 316 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa; 317 lsa = lsa_next) { 318 lsa_next = ospf6_lsdb_next(iterend, lsa);
CID 1486260: (USE_AFTER_FREE) Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
319 ospf6_decrement_retrans_count(lsa); 320 ospf6_lsdb_remove(lsa, on->retrans_list); 321 } 322 323 /* Interface scoped LSAs */ 324 for (ALL_LSDB(on->ospf6_if->lsdb, lsa)) {
** CID 1486259: (USE_AFTER_FREE) /ospf6d/ospf6_lsdb.c: 332 in ospf6_lsdb_maxage_remover() /ospf6d/ospf6_lsdb.c: 332 in ospf6_lsdb_maxage_remover() ________________________________________________________________________________________________________ *** CID 1486259: (USE_AFTER_FREE) /ospf6d/ospf6_lsdb.c: 332 in ospf6_lsdb_maxage_remover() 326 struct ospf6_lsa *lsa, *lsa_next; 327 const struct route_node *iterend; 328 329 for (iterend = ospf6_lsdb_head(lsdb, 0, 0, 0, &lsa); lsa; 330 lsa = lsa_next) { 331 lsa_next = ospf6_lsdb_next(iterend, lsa);
CID 1486259: (USE_AFTER_FREE) Passing freed pointer "lsa" as an argument to "ospf6_lsa_age_current".
332 if (!OSPF6_LSA_IS_MAXAGE(lsa)) 333 continue; 334 if (lsa->retrans_count != 0) { 335 reschedule = 1; 336 continue; 337 } /ospf6d/ospf6_lsdb.c: 332 in ospf6_lsdb_maxage_remover() 326 struct ospf6_lsa *lsa, *lsa_next; 327 const struct route_node *iterend; 328 329 for (iterend = ospf6_lsdb_head(lsdb, 0, 0, 0, &lsa); lsa; 330 lsa = lsa_next) { 331 lsa_next = ospf6_lsdb_next(iterend, lsa);
CID 1486259: (USE_AFTER_FREE) Passing freed pointer "lsa" as an argument to "ospf6_lsa_age_current".
332 if (!OSPF6_LSA_IS_MAXAGE(lsa)) 333 continue; 334 if (lsa->retrans_count != 0) { 335 reschedule = 1; 336 continue; 337 }
** CID 1486258: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2411 in ospf6_lsack_send_interface() ________________________________________________________________________________________________________ *** CID 1486258: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2411 in ospf6_lsack_send_interface() 2405 /* if we run out of packet size/space here, 2406 better to try again soon. */ 2407 THREAD_OFF(oi->thread_send_lsack); 2408 thread_add_event(master, ospf6_lsack_send_interface, oi, 2409 0, &oi->thread_send_lsack); 2410
CID 1486258: (USE_AFTER_FREE) Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed.
2411 ospf6_lsdb_lsa_unlock(lsa); 2412 break; 2413 } 2414 2415 ospf6_lsa_age_update_to_send(lsa, oi->transdelay); 2416 memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header)); /ospf6d/ospf6_message.c: 2415 in ospf6_lsack_send_interface() 2409 0, &oi->thread_send_lsack); 2410 2411 ospf6_lsdb_lsa_unlock(lsa); 2412 break; 2413 } 2414
CID 1486258: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2415 ospf6_lsa_age_update_to_send(lsa, oi->transdelay); 2416 memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header)); 2417 p += sizeof(struct ospf6_lsa_header); 2418 2419 assert(lsa->lock == 1); 2420 ospf6_lsdb_remove(lsa, oi->lsack_list); /ospf6d/ospf6_message.c: 2411 in ospf6_lsack_send_interface() 2405 /* if we run out of packet size/space here, 2406 better to try again soon. */ 2407 THREAD_OFF(oi->thread_send_lsack); 2408 thread_add_event(master, ospf6_lsack_send_interface, oi, 2409 0, &oi->thread_send_lsack); 2410
CID 1486258: (USE_AFTER_FREE) Passing freed pointer "lsa" as an argument to "ospf6_lsdb_lsa_unlock".
2411 ospf6_lsdb_lsa_unlock(lsa); 2412 break; 2413 } 2414 2415 ospf6_lsa_age_update_to_send(lsa, oi->transdelay); 2416 memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header)); /ospf6d/ospf6_message.c: 2415 in ospf6_lsack_send_interface() 2409 0, &oi->thread_send_lsack); 2410 2411 ospf6_lsdb_lsa_unlock(lsa); 2412 break; 2413 } 2414
CID 1486258: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2415 ospf6_lsa_age_update_to_send(lsa, oi->transdelay); 2416 memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header)); 2417 p += sizeof(struct ospf6_lsa_header); 2418 2419 assert(lsa->lock == 1); 2420 ospf6_lsdb_remove(lsa, oi->lsack_list);
** CID 1486256: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2049 in ospf6_lsupdate_send_neighbor() /ospf6d/ospf6_message.c: 2049 in ospf6_lsupdate_send_neighbor() ________________________________________________________________________________________________________ *** CID 1486256: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2049 in ospf6_lsupdate_send_neighbor() 2043 /* lsupdate_list lists those LSA which doesn't need to be 2044 retransmitted. remove those from the list */ 2045 for (iterend = ospf6_lsdb_head(on->lsupdate_list, 0, 0, 0, &lsa); lsa; 2046 lsa = lsa_next) { 2047 lsa_next = ospf6_lsdb_next(iterend, lsa); 2048 /* MTU check */
CID 1486256: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2049 if ((p - sendbuf + (unsigned int)OSPF6_LSA_SIZE(lsa->header)) 2050 > ospf6_packet_max(on->ospf6_if)) { 2051 if (lsa_cnt) { 2052 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE; 2053 oh->length = htons(p - sendbuf); 2054 lsupdate->lsa_number = htonl(lsa_cnt); /ospf6d/ospf6_message.c: 2049 in ospf6_lsupdate_send_neighbor() 2043 /* lsupdate_list lists those LSA which doesn't need to be 2044 retransmitted. remove those from the list */ 2045 for (iterend = ospf6_lsdb_head(on->lsupdate_list, 0, 0, 0, &lsa); lsa; 2046 lsa = lsa_next) { 2047 lsa_next = ospf6_lsdb_next(iterend, lsa); 2048 /* MTU check */
CID 1486256: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2049 if ((p - sendbuf + (unsigned int)OSPF6_LSA_SIZE(lsa->header)) 2050 > ospf6_packet_max(on->ospf6_if)) { 2051 if (lsa_cnt) { 2052 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE; 2053 oh->length = htons(p - sendbuf); 2054 lsupdate->lsa_number = htonl(lsa_cnt);
** CID 1486255: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486255: (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 574 in oneway_received() 568 569 ospf6_lsdb_remove_all(on->summary_list); 570 ospf6_lsdb_remove_all(on->request_list); 571 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa; 572 lsa = lsa_next) { 573 lsa_next = ospf6_lsdb_next(iterend, lsa);
CID 1486255: (USE_AFTER_FREE) Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
574 ospf6_decrement_retrans_count(lsa); 575 ospf6_lsdb_remove(lsa, on->retrans_list); 576 } 577 578 THREAD_OFF(on->thread_send_dbdesc); 579 THREAD_OFF(on->thread_send_lsreq); /ospf6d/ospf6_neighbor.c: 574 in oneway_received() 568 569 ospf6_lsdb_remove_all(on->summary_list); 570 ospf6_lsdb_remove_all(on->request_list); 571 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa; 572 lsa = lsa_next) { 573 lsa_next = ospf6_lsdb_next(iterend, lsa);
CID 1486255: (USE_AFTER_FREE) Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
574 ospf6_decrement_retrans_count(lsa); 575 ospf6_lsdb_remove(lsa, on->retrans_list); 576 } 577 578 THREAD_OFF(on->thread_send_dbdesc); 579 THREAD_OFF(on->thread_send_lsreq);
** CID 1486253: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1486253: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_neighbor.c: 463 in adj_ok() 457 458 } else if (on->state >= OSPF6_NEIGHBOR_EXSTART && !need_adjacency(on)) { 459 ospf6_neighbor_state_change(OSPF6_NEIGHBOR_TWOWAY, on, 460 OSPF6_NEIGHBOR_EVENT_ADJ_OK); 461 ospf6_lsdb_remove_all(on->summary_list); 462 ospf6_lsdb_remove_all(on->request_list);
CID 1486253: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
463 for (ALL_LSDB(on->retrans_list, lsa)) { 464 ospf6_decrement_retrans_count(lsa); 465 ospf6_lsdb_remove(lsa, on->retrans_list); 466 } 467 } 468
** CID 1221460: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1221460: Memory - illegal accesses (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 1954 in ospf6_lsreq_send() 1948 } 1949 1950 if (last_req != NULL) { 1951 if (on->last_ls_req != NULL) { 1952 ospf6_lsa_unlock(on->last_ls_req); 1953 }
CID 1221460: Memory - illegal accesses (USE_AFTER_FREE) Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
1954 ospf6_lsa_lock(last_req); 1955 on->last_ls_req = last_req; 1956 } 1957 1958 oh->type = OSPF6_MESSAGE_TYPE_LSREQ; 1959 oh->length = htons(p - sendbuf);