New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 8 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 29 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 8 of 8 defect(s) ** CID 1519848: Null pointer dereferences (FORWARD_NULL) /pimd/pim6_mld.c: 2253 in gm_ifp_update() ________________________________________________________________________________________________________ *** CID 1519848: Null pointer dereferences (FORWARD_NULL) /pimd/pim6_mld.c: 2253 in gm_ifp_update() 2247 } 2248 2249 if (!pim_ifp->mld) 2250 gm_start(ifp); 2251 2252 gm_ifp = pim_ifp->mld;
CID 1519848: Null pointer dereferences (FORWARD_NULL) Passing null pointer "&gm_ifp->cur_ll_lowest" to "memcmp", which dereferences it.
2253 if (IPV6_ADDR_CMP(&pim_ifp->ll_lowest, &gm_ifp->cur_ll_lowest)) 2254 gm_update_ll(ifp); 2255 2256 unsigned int cfg_query_intv = pim_ifp->gm_default_query_interval * 1000; 2257 2258 if (gm_ifp->cur_query_intv != cfg_query_intv) {
** CID 1519847: Insecure data handling (TAINTED_SCALAR) /pimd/pim6_mld.c: 844 in gm_handle_v2_report() ________________________________________________________________________________________________________ *** CID 1519847: Insecure data handling (TAINTED_SCALAR) /pimd/pim6_mld.c: 844 in gm_handle_v2_report() 838 pkt->iface = gm_ifp; 839 pkt->subscriber = gm_subscriber_findref(gm_ifp, pkt_src->sin6_addr); 840 841 n_records = ntohs(hdr->n_records); 842 843 /* validate & remove state in v2_pass1() */
CID 1519847: Insecure data handling (TAINTED_SCALAR) Using tainted variable "n_records" as a loop boundary.
844 for (i = 0; i < n_records; i++) { 845 struct mld_v2_rec_hdr *rechdr; 846 size_t n_src, record_size; 847 848 if (len < sizeof(*rechdr)) { 849 zlog_warn(log_pkt_src(
** CID 1519846: (TAINTED_SCALAR) /pimd/pim6_mld.c: 688 in gm_handle_v2_pass1() ________________________________________________________________________________________________________ *** CID 1519846: (TAINTED_SCALAR) /pimd/pim6_mld.c: 682 in gm_handle_v2_pass1() 676 * of blocked sources from full group state records 677 */ 678 return; 679 } 680 681 if (subscriber)
CID 1519846: (TAINTED_SCALAR) Passing tainted expression "n_src" to "gm_packet_sg_remove_sources", which uses it as a loop boundary.
682 gm_packet_sg_remove_sources(pkt->iface, subscriber, 683 rechdr->grp, rechdr->srcs, 684 n_src, GM_SUB_POS); 685 return; 686 } 687 /pimd/pim6_mld.c: 688 in gm_handle_v2_pass1() 682 gm_packet_sg_remove_sources(pkt->iface, subscriber, 683 rechdr->grp, rechdr->srcs, 684 n_src, GM_SUB_POS); 685 return; 686 } 687
CID 1519846: (TAINTED_SCALAR) Using tainted variable "n_src" as a loop boundary.
688 for (j = 0; j < n_src; j++) { 689 struct gm_sg *sg; 690 691 sg = gm_sg_find(pkt->iface, rechdr->grp, rechdr->srcs[j]); 692 if (!sg) 693 sg = gm_sg_make(pkt->iface, rechdr->grp, /pimd/pim6_mld.c: 661 in gm_handle_v2_pass1() 655 } 656 break; 657 658 case MLD_RECTYPE_ALLOW_NEW_SOURCES: 659 if (old_grp) { 660 /* remove S,Gs from EXCLUDE, and then we're done */
CID 1519846: (TAINTED_SCALAR) Passing tainted expression "n_src" to "gm_packet_sg_remove_sources", which uses it as a loop boundary.
661 gm_packet_sg_remove_sources(pkt->iface, subscriber, 662 rechdr->grp, rechdr->srcs, 663 n_src, GM_SUB_NEG); 664 return; 665 } 666 /* in INCLUDE mode => ALLOW_NEW_SOURCES is functionally
** CID 1519845: Integer handling issues (BAD_SHIFT) /pimd/pim6_mld.c: 188 in gm_gsq_pends_add() ________________________________________________________________________________________________________ *** CID 1519845: Integer handling issues (BAD_SHIFT) /pimd/pim6_mld.c: 188 in gm_gsq_pends_add() 182 { 183 uint32_t seed = a->s_bit ? 0x68f0eb5e : 0x156b7f19; 184 185 return jhash(&a->grp, sizeof(a->grp), seed); 186 } 187
CID 1519845: Integer handling issues (BAD_SHIFT) In expression "hval >> 33 - h->hh.tabshift", right shifting by more than 31 bits has undefined behavior. The shift amount, "33 - h->hh.tabshift", is 33.
188 DECLARE_HASH(gm_gsq_pends, struct gm_gsq_pending, itm, gm_gsq_pending_cmp, 189 gm_gsq_pending_hash); 190 191 /* 192 * interface -> (S,G) 193 */
** CID 1519844: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1519844: Insecure data handling (TAINTED_SCALAR) /pimd/pim6_mld.c: 1505 in gm_handle_query() 1499 gm_handle_q_general(gm_ifp, &timers); 1500 gm_ifp->stats.rx_query_new_general++; 1501 } else if (!ntohs(hdr->n_src)) { 1502 gm_handle_q_group(gm_ifp, &timers, hdr->grp); 1503 gm_ifp->stats.rx_query_new_group++; 1504 } else {
CID 1519844: Insecure data handling (TAINTED_SCALAR) Passing tainted expression "ntohs(hdr->n_src)" to "gm_handle_q_groupsrc", which uses it as a loop boundary.
1505 gm_handle_q_groupsrc(gm_ifp, &timers, hdr->grp, hdr->srcs, 1506 ntohs(hdr->n_src)); 1507 gm_ifp->stats.rx_query_new_groupsrc++; 1508 } 1509 } 1510
** CID 1519843: (UNINIT) ________________________________________________________________________________________________________ *** CID 1519843: (UNINIT) /pimd/pim6_mld.c: 1715 in gm_t_recv() 1709 if (pktlen < sizeof(struct icmp6_plain_hdr)) { 1710 zlog_warn(log_pkt_src("truncated packet")); 1711 gm_ifp->stats.rx_drop_malformed++; 1712 goto out_free; 1713 } 1714
CID 1519843: (UNINIT) Using uninitialized value "pkt_src->sin6_addr" when calling "gm_rx_process".
1715 gm_rx_process(gm_ifp, pkt_src, &pktinfo->ipi6_addr, iov->iov_base, 1716 pktlen); 1717 1718 out_free: 1719 if (iov->iov_base != rxbuf) 1720 XFREE(MTYPE_GM_PACKET, iov->iov_base); /pimd/pim6_mld.c: 1647 in gm_t_recv() 1641 pim->gm_rx_drop_sys++; 1642 goto out_free; 1643 } 1644 1645 struct interface *ifp; 1646
CID 1519843: (UNINIT) Using uninitialized value "pkt_src->sin6_scope_id" when calling "if_lookup_by_index".
1647 ifp = if_lookup_by_index(pkt_src->sin6_scope_id, pim->vrf->vrf_id); 1648 if (!ifp || !ifp->info) 1649 goto out_free; 1650 1651 struct pim_interface *pim_ifp = ifp->info; 1652 struct gm_if *gm_ifp = pim_ifp->mld;
** CID 1519842: Integer handling issues (BAD_SHIFT) /pimd/pim6_mld.c: 261 in gm_subscribers_add() ________________________________________________________________________________________________________ *** CID 1519842: Integer handling issues (BAD_SHIFT) /pimd/pim6_mld.c: 261 in gm_subscribers_add() 255 256 static uint32_t gm_subscriber_hash(const struct gm_subscriber *a) 257 { 258 return jhash(&a->addr, sizeof(a->addr), 0xd0e94ad4); 259 } 260
CID 1519842: Integer handling issues (BAD_SHIFT) In expression "hval >> 33 - h->hh.tabshift", right shifting by more than 31 bits has undefined behavior. The shift amount, "33 - h->hh.tabshift", is 33.
261 DECLARE_HASH(gm_subscribers, struct gm_subscriber, itm, gm_subscriber_cmp, 262 gm_subscriber_hash); 263 264 static struct gm_subscriber *gm_subscriber_findref(struct gm_if *gm_ifp, 265 pim_addr addr) 266 {
** CID 1519841: Error handling issues (CHECKED_RETURN) /vrrpd/vrrp.c: 1248 in vrrp_socket() ________________________________________________________________________________________________________ *** CID 1519841: Error handling issues (CHECKED_RETURN) /vrrpd/vrrp.c: 1248 in vrrp_socket() 1242 r->vr->vrid, family2str(r->family)); 1243 failed = true; 1244 goto done; 1245 } 1246 1247 /* Turn off multicast loop on Tx */
CID 1519841: Error handling issues (CHECKED_RETURN) Calling "setsockopt_ipv6_multicast_loop" without checking return value (as is done elsewhere 4 out of 5 times).
1248 setsockopt_ipv6_multicast_loop(r->sock_tx, 0); 1249 1250 /* Bind Rx socket to exact interface */ 1251 frr_with_privs(&vrrp_privs) { 1252 ret = setsockopt(r->sock_rx, SOL_SOCKET, 1253 SO_BINDTODEVICE, r->vr->ifp->name,
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...