New Defects reported by Coverity Scan for freerangerouting/frr
Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

7 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 7 of 7 defect(s)

[Triage note: all 7 findings point at statements inside the body of a `for (ALL_LSDB(...))` loop, so they appear to share one root cause in how that iteration macro takes and releases its reference on `lsa`. The macro's definition is not included in this report; check it before classifying the findings as real use-after-free defects or as false positives.]

** CID 1497792: (USE_AFTER_FREE)
/ospf6d/ospf6_interface.c: 991 in ospf6_interface_show()
/ospf6d/ospf6_interface.c: 981 in ospf6_interface_show()
/ospf6d/ospf6_interface.c: 991 in ospf6_interface_show()
/ospf6d/ospf6_interface.c: 981 in ospf6_interface_show()

________________________________________________________________________________________________________
*** CID 1497792: (USE_AFTER_FREE)
/ospf6d/ospf6_interface.c: 991 in ospf6_interface_show()
985 timersub(&oi->thread_send_lsack->u.sands, &now, &res);
986 timerstring(&res, duration, sizeof(duration));
987 vty_out(vty, " %d Pending LSAs for LSAck in Time %s [thread %s]\n",
988 oi->lsack_list->count, duration,
989 (oi->thread_send_lsack ? "on" : "off"));
990 for (ALL_LSDB(oi->lsack_list, lsa, lsanext))
CID 1497792: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
991 vty_out(vty, " %s\n", lsa->name);
992 ospf6_bfd_show_info(vty, oi->bfd_info, 1);
993 return 0;
994 }
995
996 /* show interface */

/ospf6d/ospf6_interface.c: 981 in ospf6_interface_show()
975 timerstring(&res, duration, sizeof(duration));
976 vty_out(vty,
977 " %d Pending LSAs for LSUpdate in Time %s [thread %s]\n",
978 oi->lsupdate_list->count, duration,
979 (oi->thread_send_lsupdate ? "on" : "off"));
980 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext))
CID 1497792: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
981 vty_out(vty, " %s\n", lsa->name);
982
983 timerclear(&res);
984 if (oi->thread_send_lsack)
985 timersub(&oi->thread_send_lsack->u.sands, &now, &res);
986 timerstring(&res, duration, sizeof(duration));

/ospf6d/ospf6_interface.c: 991 in ospf6_interface_show()
985 timersub(&oi->thread_send_lsack->u.sands, &now, &res);
986 timerstring(&res, duration, sizeof(duration));
987 vty_out(vty, " %d Pending LSAs for LSAck in Time %s [thread %s]\n",
988 oi->lsack_list->count, duration,
989 (oi->thread_send_lsack ? "on" : "off"));
990 for (ALL_LSDB(oi->lsack_list, lsa, lsanext))
CID 1497792: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
991 vty_out(vty, " %s\n", lsa->name);
992 ospf6_bfd_show_info(vty, oi->bfd_info, 1);
993 return 0;
994 }
995
996 /* show interface */

/ospf6d/ospf6_interface.c: 981 in ospf6_interface_show()
975 timerstring(&res, duration, sizeof(duration));
976 vty_out(vty,
977 " %d Pending LSAs for LSUpdate in Time %s [thread %s]\n",
978 oi->lsupdate_list->count, duration,
979 (oi->thread_send_lsupdate ? "on" : "off"));
980 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext))
CID 1497792: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
981 vty_out(vty, " %s\n", lsa->name);
982
983 timerclear(&res);
984 if (oi->thread_send_lsack)
985 timersub(&oi->thread_send_lsack->u.sands, &now, &res);
986 timerstring(&res, duration, sizeof(duration));
** CID 1497791: (USE_AFTER_FREE)
/ospf6d/ospf6_snmp.c: 683 in ospfv3GeneralGroup()
/ospf6d/ospf6_snmp.c: 683 in ospfv3GeneralGroup()

________________________________________________________________________________________________________
*** CID 1497791: (USE_AFTER_FREE)
/ospf6d/ospf6_snmp.c: 683 in ospfv3GeneralGroup()
677 return SNMP_INTEGER(ospf6->lsdb->count);
678 return SNMP_INTEGER(0);
679 case OSPFv3ASSCOPELSACHECKSUMSUM:
680 if (ospf6) {
681 sum = 0;
682 for (ALL_LSDB(ospf6->lsdb, lsa, lsanext))
CID 1497791: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
683 sum += ntohs(lsa->header->checksum);
684 return SNMP_INTEGER(sum);
685 }
686 return SNMP_INTEGER(0);
687 case OSPFv3ORIGINATENEWLSAS:
688 return SNMP_INTEGER(

/ospf6d/ospf6_snmp.c: 683 in ospfv3GeneralGroup()
677 return SNMP_INTEGER(ospf6->lsdb->count);
678 return SNMP_INTEGER(0);
679 case OSPFv3ASSCOPELSACHECKSUMSUM:
680 if (ospf6) {
681 sum = 0;
682 for (ALL_LSDB(ospf6->lsdb, lsa, lsanext))
CID 1497791: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
683 sum += ntohs(lsa->header->checksum);
684 return SNMP_INTEGER(sum);
685 }
686 return SNMP_INTEGER(0);
687 case OSPFv3ORIGINATENEWLSAS:
688 return SNMP_INTEGER(
** CID 1497790: (USE_AFTER_FREE)
/ospf6d/ospf6_asbr.c: 1012 in ospf6_asbr_send_externals_to_area()
/ospf6d/ospf6_asbr.c: 1012 in ospf6_asbr_send_externals_to_area()

________________________________________________________________________________________________________
*** CID 1497790: (USE_AFTER_FREE)
/ospf6d/ospf6_asbr.c: 1012 in ospf6_asbr_send_externals_to_area()
1006 /* When an area is unstubified, flood all the external LSAs in the area */
1007 void ospf6_asbr_send_externals_to_area(struct ospf6_area *oa)
1008 {
1009 struct ospf6_lsa *lsa, *lsanext;
1010
1011 for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) {
CID 1497790: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1012 if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL) {
1013 zlog_debug("%s: Flooding AS-External LSA %s",
1014 __func__, lsa->name);
1015 ospf6_flood_area(NULL, lsa, oa);
1016 }
1017 }

/ospf6d/ospf6_asbr.c: 1012 in ospf6_asbr_send_externals_to_area()
1006 /* When an area is unstubified, flood all the external LSAs in the area */
1007 void ospf6_asbr_send_externals_to_area(struct ospf6_area *oa)
1008 {
1009 struct ospf6_lsa *lsa, *lsanext;
1010
1011 for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) {
CID 1497790: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1012 if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL) {
1013 zlog_debug("%s: Flooding AS-External LSA %s",
1014 __func__, lsa->name);
1015 ospf6_flood_area(NULL, lsa, oa);
1016 }
1017 }
** CID 1497789: (USE_AFTER_FREE)
/ospf6d/ospf6_snmp.c: 1175 in ospfv3IfEntry()
/ospf6d/ospf6_snmp.c: 1175 in ospfv3IfEntry()

________________________________________________________________________________________________________
*** CID 1497789: (USE_AFTER_FREE)
/ospf6d/ospf6_snmp.c: 1175 in ospfv3IfEntry()
1169 return SNMP_INTEGER(oi->cost);
1170 case OSPFv3IFLINKSCOPELSACOUNT:
1171 return SNMP_INTEGER(oi->lsdb->count);
1172 case OSPFv3IFLINKLSACKSUMSUM:
1173 sum = 0;
1174 for (ALL_LSDB(oi->lsdb, lsa, lsanext))
CID 1497789: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1175 sum += ntohs(lsa->header->checksum);
1176 return SNMP_INTEGER(sum);
1177 case OSPFv3IFDEMANDNBRPROBE:
1178 case OSPFv3IFDEMANDNBRPROBERETRANSLIMIT:
1179 case OSPFv3IFDEMANDNBRPROBEINTERVAL:
1180 case OSPFv3IFTEDISABLED:

/ospf6d/ospf6_snmp.c: 1175 in ospfv3IfEntry()
1169 return SNMP_INTEGER(oi->cost);
1170 case OSPFv3IFLINKSCOPELSACOUNT:
1171 return SNMP_INTEGER(oi->lsdb->count);
1172 case OSPFv3IFLINKLSACKSUMSUM:
1173 sum = 0;
1174 for (ALL_LSDB(oi->lsdb, lsa, lsanext))
CID 1497789: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1175 sum += ntohs(lsa->header->checksum);
1176 return SNMP_INTEGER(sum);
1177 case OSPFv3IFDEMANDNBRPROBE:
1178 case OSPFv3IFDEMANDNBRPROBERETRANSLIMIT:
1179 case OSPFv3IFDEMANDNBRPROBEINTERVAL:
1180 case OSPFv3IFTEDISABLED:
** CID 1497788: (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 768 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 758 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 737 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 719 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 723 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 758 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 768 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 727 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 719 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 737 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 747 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 727 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 723 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 747 in ospf6_neighbor_show_detail()

________________________________________________________________________________________________________
*** CID 1497788: (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 768 in ospf6_neighbor_show_detail()
762 timersub(&on->thread_send_lsack->u.sands, &now, &res);
763 timerstring(&res, duration, sizeof(duration));
764 vty_out(vty, " %d Pending LSAs for LSAck in Time %s [thread %s]\n",
765 on->lsack_list->count, duration,
766 (on->thread_send_lsack ? "on" : "off"));
767 for (ALL_LSDB(on->lsack_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
768 vty_out(vty, " %s\n", lsa->name);
769
770 ospf6_bfd_show_info(vty, on->bfd_info, 0);
771 }
772
773 DEFUN (show_ipv6_ospf6_neighbor,

/ospf6d/ospf6_neighbor.c: 758 in ospf6_neighbor_show_detail()
752 timerstring(&res, duration, sizeof(duration));
753 vty_out(vty,
754 " %d Pending LSAs for LSUpdate in Time %s [thread %s]\n",
755 on->lsupdate_list->count, duration,
756 (on->thread_send_lsupdate ? "on" : "off"));
757 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
758 vty_out(vty, " %s\n", lsa->name);
759
760 timerclear(&res);
761 if (on->thread_send_lsack)
762 timersub(&on->thread_send_lsack->u.sands, &now, &res);
763 timerstring(&res, duration, sizeof(duration));

/ospf6d/ospf6_neighbor.c: 737 in ospf6_neighbor_show_detail()
731 timersub(&on->thread_send_dbdesc->u.sands, &now, &res);
732 timerstring(&res, duration, sizeof(duration));
733 vty_out(vty, " %d Pending LSAs for DbDesc in Time %s [thread %s]\n",
734 on->dbdesc_list->count, duration,
735 (on->thread_send_dbdesc ? "on" : "off"));
736 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
737 vty_out(vty, " %s\n", lsa->name);
738
739 timerclear(&res);
740 if (on->thread_send_lsreq)
741 timersub(&on->thread_send_lsreq->u.sands, &now, &res);
742 timerstring(&res, duration, sizeof(duration));

/ospf6d/ospf6_neighbor.c: 719 in ospf6_neighbor_show_detail()
713 (CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT) ? "Master"
714 : "Slave"),
715 (unsigned long)ntohl(on->dbdesc_seqnum));
716
717 vty_out(vty, " Summary-List: %d LSAs\n", on->summary_list->count);
718 for (ALL_LSDB(on->summary_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
719 vty_out(vty, " %s\n", lsa->name);
720
721 vty_out(vty, " Request-List: %d LSAs\n", on->request_list->count);
722 for (ALL_LSDB(on->request_list, lsa, lsanext))
723 vty_out(vty, " %s\n", lsa->name);
724

/ospf6d/ospf6_neighbor.c: 723 in ospf6_neighbor_show_detail()
717 vty_out(vty, " Summary-List: %d LSAs\n", on->summary_list->count);
718 for (ALL_LSDB(on->summary_list, lsa, lsanext))
719 vty_out(vty, " %s\n", lsa->name);
720
721 vty_out(vty, " Request-List: %d LSAs\n", on->request_list->count);
722 for (ALL_LSDB(on->request_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
723 vty_out(vty, " %s\n", lsa->name);
724
725 vty_out(vty, " Retrans-List: %d LSAs\n", on->retrans_list->count);
726 for (ALL_LSDB(on->retrans_list, lsa, lsanext))
727 vty_out(vty, " %s\n", lsa->name);
728

/ospf6d/ospf6_neighbor.c: 758 in ospf6_neighbor_show_detail()
752 timerstring(&res, duration, sizeof(duration));
753 vty_out(vty,
754 " %d Pending LSAs for LSUpdate in Time %s [thread %s]\n",
755 on->lsupdate_list->count, duration,
756 (on->thread_send_lsupdate ? "on" : "off"));
757 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
758 vty_out(vty, " %s\n", lsa->name);
759
760 timerclear(&res);
761 if (on->thread_send_lsack)
762 timersub(&on->thread_send_lsack->u.sands, &now, &res);
763 timerstring(&res, duration, sizeof(duration));

/ospf6d/ospf6_neighbor.c: 768 in ospf6_neighbor_show_detail()
762 timersub(&on->thread_send_lsack->u.sands, &now, &res);
763 timerstring(&res, duration, sizeof(duration));
764 vty_out(vty, " %d Pending LSAs for LSAck in Time %s [thread %s]\n",
765 on->lsack_list->count, duration,
766 (on->thread_send_lsack ? "on" : "off"));
767 for (ALL_LSDB(on->lsack_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
768 vty_out(vty, " %s\n", lsa->name);
769
770 ospf6_bfd_show_info(vty, on->bfd_info, 0);
771 }
772
773 DEFUN (show_ipv6_ospf6_neighbor,

/ospf6d/ospf6_neighbor.c: 727 in ospf6_neighbor_show_detail()
721 vty_out(vty, " Request-List: %d LSAs\n", on->request_list->count);
722 for (ALL_LSDB(on->request_list, lsa, lsanext))
723 vty_out(vty, " %s\n", lsa->name);
724
725 vty_out(vty, " Retrans-List: %d LSAs\n", on->retrans_list->count);
726 for (ALL_LSDB(on->retrans_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
727 vty_out(vty, " %s\n", lsa->name);
728
729 timerclear(&res);
730 if (on->thread_send_dbdesc)
731 timersub(&on->thread_send_dbdesc->u.sands, &now, &res);
732 timerstring(&res, duration, sizeof(duration));

/ospf6d/ospf6_neighbor.c: 719 in ospf6_neighbor_show_detail()
713 (CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT) ? "Master"
714 : "Slave"),
715 (unsigned long)ntohl(on->dbdesc_seqnum));
716
717 vty_out(vty, " Summary-List: %d LSAs\n", on->summary_list->count);
718 for (ALL_LSDB(on->summary_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
719 vty_out(vty, " %s\n", lsa->name);
720
721 vty_out(vty, " Request-List: %d LSAs\n", on->request_list->count);
722 for (ALL_LSDB(on->request_list, lsa, lsanext))
723 vty_out(vty, " %s\n", lsa->name);
724

/ospf6d/ospf6_neighbor.c: 737 in ospf6_neighbor_show_detail()
731 timersub(&on->thread_send_dbdesc->u.sands, &now, &res);
732 timerstring(&res, duration, sizeof(duration));
733 vty_out(vty, " %d Pending LSAs for DbDesc in Time %s [thread %s]\n",
734 on->dbdesc_list->count, duration,
735 (on->thread_send_dbdesc ? "on" : "off"));
736 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
737 vty_out(vty, " %s\n", lsa->name);
738
739 timerclear(&res);
740 if (on->thread_send_lsreq)
741 timersub(&on->thread_send_lsreq->u.sands, &now, &res);
742 timerstring(&res, duration, sizeof(duration));

/ospf6d/ospf6_neighbor.c: 747 in ospf6_neighbor_show_detail()
741 timersub(&on->thread_send_lsreq->u.sands, &now, &res);
742 timerstring(&res, duration, sizeof(duration));
743 vty_out(vty, " %d Pending LSAs for LSReq in Time %s [thread %s]\n",
744 on->request_list->count, duration,
745 (on->thread_send_lsreq ? "on" : "off"));
746 for (ALL_LSDB(on->request_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
747 vty_out(vty, " %s\n", lsa->name);
748
749 timerclear(&res);
750 if (on->thread_send_lsupdate)
751 timersub(&on->thread_send_lsupdate->u.sands, &now, &res);
752 timerstring(&res, duration, sizeof(duration));

/ospf6d/ospf6_neighbor.c: 727 in ospf6_neighbor_show_detail()
721 vty_out(vty, " Request-List: %d LSAs\n", on->request_list->count);
722 for (ALL_LSDB(on->request_list, lsa, lsanext))
723 vty_out(vty, " %s\n", lsa->name);
724
725 vty_out(vty, " Retrans-List: %d LSAs\n", on->retrans_list->count);
726 for (ALL_LSDB(on->retrans_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
727 vty_out(vty, " %s\n", lsa->name);
728
729 timerclear(&res);
730 if (on->thread_send_dbdesc)
731 timersub(&on->thread_send_dbdesc->u.sands, &now, &res);
732 timerstring(&res, duration, sizeof(duration));

/ospf6d/ospf6_neighbor.c: 723 in ospf6_neighbor_show_detail()
717 vty_out(vty, " Summary-List: %d LSAs\n", on->summary_list->count);
718 for (ALL_LSDB(on->summary_list, lsa, lsanext))
719 vty_out(vty, " %s\n", lsa->name);
720
721 vty_out(vty, " Request-List: %d LSAs\n", on->request_list->count);
722 for (ALL_LSDB(on->request_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
723 vty_out(vty, " %s\n", lsa->name);
724
725 vty_out(vty, " Retrans-List: %d LSAs\n", on->retrans_list->count);
726 for (ALL_LSDB(on->retrans_list, lsa, lsanext))
727 vty_out(vty, " %s\n", lsa->name);
728

/ospf6d/ospf6_neighbor.c: 747 in ospf6_neighbor_show_detail()
741 timersub(&on->thread_send_lsreq->u.sands, &now, &res);
742 timerstring(&res, duration, sizeof(duration));
743 vty_out(vty, " %d Pending LSAs for LSReq in Time %s [thread %s]\n",
744 on->request_list->count, duration,
745 (on->thread_send_lsreq ? "on" : "off"));
746 for (ALL_LSDB(on->request_list, lsa, lsanext))
CID 1497788: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
747 vty_out(vty, " %s\n", lsa->name);
748
749 timerclear(&res);
750 if (on->thread_send_lsupdate)
751 timersub(&on->thread_send_lsupdate->u.sands, &now, &res);
752 timerstring(&res, duration, sizeof(duration));
** CID 1497787: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send()
/ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send()
/ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send()

________________________________________________________________________________________________________
*** CID 1497787: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send()
1941 > ospf6_packet_max(on->ospf6_if)) {
1942 ospf6_lsdb_lsa_unlock(lsa);
1943 break;
1944 }
1945
1946 e = (struct ospf6_lsreq_entry *)p;
CID 1497787: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1947 e->type = lsa->header->type;
1948 e->id = lsa->header->id;
1949 e->adv_router = lsa->header->adv_router;
1950 p += sizeof(struct ospf6_lsreq_entry);
1951 last_req = lsa;
1952 }

/ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send()
1936 /* set Request entries in lsreq */
1937 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
1938 for (ALL_LSDB(on->request_list, lsa, lsanext)) {
1939 /* MTU check */
1940 if (p - sendbuf + sizeof(struct ospf6_lsreq_entry)
1941 > ospf6_packet_max(on->ospf6_if)) {
CID 1497787: (USE_AFTER_FREE) Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed.
1942 ospf6_lsdb_lsa_unlock(lsa);
1943 break;
1944 }
1945
1946 e = (struct ospf6_lsreq_entry *)p;
1947 e->type = lsa->header->type;

/ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send()
1941 > ospf6_packet_max(on->ospf6_if)) {
1942 ospf6_lsdb_lsa_unlock(lsa);
1943 break;
1944 }
1945
1946 e = (struct ospf6_lsreq_entry *)p;
CID 1497787: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
1947 e->type = lsa->header->type;
1948 e->id = lsa->header->id;
1949 e->adv_router = lsa->header->adv_router;
1950 p += sizeof(struct ospf6_lsreq_entry);
1951 last_req = lsa;
1952 }

/ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send()
1936 /* set Request entries in lsreq */
1937 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
1938 for (ALL_LSDB(on->request_list, lsa, lsanext)) {
1939 /* MTU check */
1940 if (p - sendbuf + sizeof(struct ospf6_lsreq_entry)
1941 > ospf6_packet_max(on->ospf6_if)) {
CID 1497787: (USE_AFTER_FREE) Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed.
1942 ospf6_lsdb_lsa_unlock(lsa);
1943 break;
1944 }
1945
1946 e = (struct ospf6_lsreq_entry *)p;
1947 e->type = lsa->header->type;

/ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send()
1936 /* set Request entries in lsreq */
1937 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
1938 for (ALL_LSDB(on->request_list, lsa, lsanext)) {
1939 /* MTU check */
1940 if (p - sendbuf + sizeof(struct ospf6_lsreq_entry)
1941 > ospf6_packet_max(on->ospf6_if)) {
CID 1497787: (USE_AFTER_FREE) Passing freed pointer "lsa" as an argument to "ospf6_lsdb_lsa_unlock".
1942 ospf6_lsdb_lsa_unlock(lsa);
1943 break;
1944 }
1945
1946 e = (struct ospf6_lsreq_entry *)p;
1947 e->type = lsa->header->type;
** CID 1497786: (USE_AFTER_FREE)

________________________________________________________________________________________________________
*** CID 1497786: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1837 in ospf6_dbdesc_send()
1831 dbdesc->seqnum = htonl(on->dbdesc_seqnum);
1832
1833 /* if this is not initial one, set LSA headers in dbdesc */
1834 p = (uint8_t *)((caddr_t)dbdesc + sizeof(struct ospf6_dbdesc));
1835 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) {
1836 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
CID 1497786: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
1837 ospf6_lsa_age_update_to_send(lsa,
1838 on->ospf6_if->transdelay);
1839
1840 /* MTU check */
1841 if (p - sendbuf + sizeof(struct ospf6_lsa_header)
1842 > ospf6_packet_max(on->ospf6_if)) {

/ospf6d/ospf6_message.c: 1837 in ospf6_dbdesc_send()
1831 dbdesc->seqnum = htonl(on->dbdesc_seqnum);
1832
1833 /* if this is not initial one, set LSA headers in dbdesc */
1834 p = (uint8_t *)((caddr_t)dbdesc + sizeof(struct ospf6_dbdesc));
1835 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) {
1836 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
CID 1497786: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
1837 ospf6_lsa_age_update_to_send(lsa,
1838 on->ospf6_if->transdelay);
1839
1840 /* MTU check */
1841 if (p - sendbuf + sizeof(struct ospf6_lsa_header)
1842 > ospf6_packet_max(on->ospf6_if)) {
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...