New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 15 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 15 of 15 defect(s) ** CID 1472631: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1472631: Null pointer dereferences (FORWARD_NULL) /bfdd/bfdd_vty_clippy.c: 522 in bfd_show_peer() 516 } 517 #if 1 /* anything that can fail? */ 518 if (_failcnt) 519 return CMD_WARNING; 520 #endif 521 #endif
CID 1472631: Null pointer dereferences (FORWARD_NULL) Passing null pointer "peer_str" to "bfd_show_peer_magic", which dereferences it.
522 return bfd_show_peer_magic(self, vty, argc, argv, label, peer, peer_str, local, local_str, ifname, vrfname);
** CID 1472630: Uninitialized variables (UNINIT) ________________________________________________________________________________________________________ *** CID 1472630: Uninitialized variables (UNINIT) /bfdd/bfd_packet.c: 990 in bfd_recv_cb() 984 peer.family = AF_INET; 985 strcpy(peer_addr, inet_ntoa(sin.sin_addr)); 986 #endif 987 988 /* Implement RFC 5880 6.8.6 */ 989 if (mlen < BFD_PKT_LEN) {
CID 1472630: Uninitialized variables (UNINIT) Using uninitialized element of array "port" when calling "cp_debug".
990 cp_debug(is_mhop, &peer, &local, port, vrfname, 991 "too small (%ld bytes)", mlen); 992 return 0; 993 } 994 995 /*
** CID 1472629: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 1472629: Memory - corruptions (OVERRUN) /bfdd/bfd_packet.c: 302 in ptm_bfd_echo_pkt_create() 296 297 /* Construct Echo packet information */ 298 ep.data.ver = BFD_ECHO_VERSION; 299 ep.data.len = BFD_ECHO_PKT_LEN; 300 ep.data.my_discr = htonl(bfd->discrs.my_discr); 301 #ifdef BFD_LINUX
CID 1472629: Memory - corruptions (OVERRUN) Overrunning struct type udphdr of 8 bytes by passing it to a function which accesses it at byte offset 31 using argument "32".
302 ep.udp.check = 303 #endif /* BFD_LINUX */ 304 #ifdef BFD_BSD 305 ep.udp.uh_sum = 306 #endif /* BFD_BSD */ 307 udp4_checksum(&ep.ip, (uint8_t *)&ep.udp,
** CID 1472628: Security best practices violations (DC.WEAK_CRYPTO) /bfdd/bfd.c: 113 in ptm_bfd_start_xmt_timer() ________________________________________________________________________________________________________ *** CID 1472628: Security best practices violations (DC.WEAK_CRYPTO) /bfdd/bfd.c: 113 in ptm_bfd_start_xmt_timer() 107 * between 108 * 75% and 100% of nominal value, unless detect_mult is 1, then should 109 * be 110 * between 75% and 90%. 111 */ 112 maxpercent = (bfd->detect_mult == 1) ? 16 : 26;
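CID 1472628: Security best practices violations (DC.WEAK_CRYPTO) "random" should not be used for security-related applications, as linear congruential algorithms are too easy to break. In the excerpt, random() only picks the jitter percentage applied to the transmit interval (line 113), so triage should first decide whether predictability of that interval matters before treating this as a cryptographic weakness.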
113 jitter = (xmt_TO * (75 + (random() % maxpercent))) / 100; 114 /* XXX remove that division above */ 115 116 if (is_echo) 117 bfd_echo_xmttimer_update(bfd, jitter); 118 else
** CID 1472627: Memory - illegal accesses (USE_AFTER_FREE) /bfdd/control.c: 322 in control_queue_dequeue() ________________________________________________________________________________________________________ *** CID 1472627: Memory - illegal accesses (USE_AFTER_FREE) /bfdd/control.c: 322 in control_queue_dequeue() 316 control_queue_free(bcs, bcq); 317 318 /* Get the next buffer to send. */ 319 if (TAILQ_EMPTY(&bcs->bcs_bcqueue)) 320 goto empty_list; 321
CID 1472627: Memory - illegal accesses (USE_AFTER_FREE) Using freed pointer "bcs->bcs_bcqueue.tqh_first".
322 bcq = TAILQ_FIRST(&bcs->bcs_bcqueue); 323 bcs->bcs_bout = &bcq->bcq_bcb; 324 325 bcs->bcs_outev = NULL; 326 thread_add_write(master, control_write, bcs, bcs->bcs_sd, 327 &bcs->bcs_outev);
** CID 1472626: Memory - corruptions (OVERRUN) /bfdd/ptm_adapter.c: 387 in _ptm_msg_read() ________________________________________________________________________________________________________ *** CID 1472626: Memory - corruptions (OVERRUN) /bfdd/ptm_adapter.c: 387 in _ptm_msg_read() 381 return -1; 382 } 383 384 bpc->bpc_has_localif = ifnamelen > 0; 385 if (bpc->bpc_has_localif) { 386 STREAM_GET(bpc->bpc_localif, msg, ifnamelen);
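CID 1472626: Memory - corruptions (OVERRUN) Overrunning array "bpc->bpc_localif" of 33 bytes at byte offset 33 using index "ifnamelen" (which evaluates to 33). The valid indices of a 33-byte array are 0 to 32, so the terminator write on line 387 lands one byte past the end when ifnamelen equals the array size; any length check ahead of the STREAM_GET (not visible in this excerpt) has to reject ifnamelen values equal to the array size, not only larger ones.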
387 bpc->bpc_localif[ifnamelen] = 0; 388 } 389 } 390 391 /* Sanity check: peer and local address must match IP types. */ 392 if (bpc->bpc_local.sa_sin.sin_family != 0
** CID 1472625: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1472625: Null pointer dereferences (FORWARD_NULL) /bfdd/bfdd_vty_clippy.c: 399 in bfd_no_peer() 393 } 394 #if 1 /* anything that can fail? */ 395 if (_failcnt) 396 return CMD_WARNING; 397 #endif 398 #endif
CID 1472625: Null pointer dereferences (FORWARD_NULL) Passing null pointer "peer_str" to "bfd_no_peer_magic", which dereferences it.
399 return bfd_no_peer_magic(self, vty, argc, argv, peer, peer_str, local, local_str, ifname, vrfname); 400 } 401 402 /* bfd_show_peers => "show bfd peers [json]" */ 403 DEFUN_CMD_FUNC_DECL(bfd_show_peers) 404 #define funcdecl_bfd_show_peers static int bfd_show_peers_magic(\
** CID 1472624: Control flow issues (DEADCODE) /bfdd/bfdd_vty.c: 728 in bfd_configure_peer() ________________________________________________________________________________________________________ *** CID 1472624: Control flow issues (DEADCODE) /bfdd/bfdd_vty.c: 728 in bfd_configure_peer() 722 bpc->bpc_local = *local; 723 724 if (peer) { 725 bpc->bpc_peer = *peer; 726 } else { 727 /* Peer configuration is mandatory. */
CID 1472624: Control flow issues (DEADCODE) Execution cannot reach this statement: "snprintf(ebuf, ebuflen, "no...".
728 snprintf(ebuf, ebuflen, "no peer configured"); 729 return -1; 730 } 731 732 bpc->bpc_mhop = mhop; 733
** CID 1472623: Uninitialized variables (UNINIT) ________________________________________________________________________________________________________ *** CID 1472623: Uninitialized variables (UNINIT) /bfdd/bfd_packet.c: 990 in bfd_recv_cb() 984 peer.family = AF_INET; 985 strcpy(peer_addr, inet_ntoa(sin.sin_addr)); 986 #endif 987 988 /* Implement RFC 5880 6.8.6 */ 989 if (mlen < BFD_PKT_LEN) {
CID 1472623: Uninitialized variables (UNINIT) Using uninitialized element of array "vrfname" when calling "cp_debug".
990 cp_debug(is_mhop, &peer, &local, port, vrfname, 991 "too small (%ld bytes)", mlen); 992 return 0; 993 } 994 995 /*
** CID 1472622: (UNINIT) /bfdd/control.c: 517 in control_read() ________________________________________________________________________________________________________ *** CID 1472622: (UNINIT) /bfdd/control.c: 517 in control_read() 511 bcb->bcb_pos += bread; 512 bcb->bcb_left -= bread; 513 /* We need more data, return to wait more. */ 514 if (bcb->bcb_left > 0) 515 goto schedule_next_read; 516
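CID 1472622: (UNINIT) Using uninitialized value "bcm.bcm_type". In the excerpt the switch reads the local "bcm" while the handlers are passed "bcb->bcb_bcm", so the dispatch presumably should take the message type from the fully received buffer; confirm against the complete function.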
517 switch (bcm.bcm_type) { 518 case BMT_REQUEST_ADD: 519 control_handle_request_add(bcs, bcb->bcb_bcm); 520 break; 521 case BMT_REQUEST_DEL: 522 control_handle_request_del(bcs, bcb->bcb_bcm); /bfdd/control.c: 537 in control_read() 531 control_handle_notify_del(bcs, bcb->bcb_bcm); 532 break; 533 534 default: 535 log_debug("%s: unhandled message type: %d", __func__, 536 bcm.bcm_type);
CID 1472622: (UNINIT) Using uninitialized value "bcm.bcm_id" when calling "control_response".
537 control_response(bcs, bcm.bcm_id, BCM_RESPONSE_ERROR, 538 "invalid message type"); 539 break; 540 } 541 542 bcs->bcs_version = 0;
** CID 1472621: Possible Control flow issues (DEADCODE) /bfdd/bfd_packet.c: 340 in ptm_bfd_echo_snd() ________________________________________________________________________________________________________ *** CID 1472621: Possible Control flow issues (DEADCODE) /bfdd/bfd_packet.c: 340 in ptm_bfd_echo_snd() 334 ep->ip.ip_sum = 0; 335 ep->ip.ip_sum = checksum((uint16_t *)&ep->ip, IP_HDR_LEN); 336 #endif /* BFD_BSD */ 337 } 338 339 if (use_layer2) {
CID 1472621: Possible Control flow issues (DEADCODE) Execution cannot reach this statement: "pkt = bfd->echo_pkt;".
340 pkt = bfd->echo_pkt; 341 pktlen = BFD_ECHO_PKT_TOT_LEN; 342 } else { 343 pkt = &bfd->echo_pkt[ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN]; 344 pktlen = BFD_ECHO_PKT_TOT_LEN 345 - (ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN);
** CID 1472620: Possible Control flow issues (DEADCODE) /bfdd/bfd_packet.c: 1035 in bfd_recv_cb() ________________________________________________________________________________________________________ *** CID 1472620: Possible Control flow issues (DEADCODE) /bfdd/bfd_packet.c: 1035 in bfd_recv_cb() 1029 cp_debug(is_mhop, &peer, &local, port, vrfname, 1030 "no session found"); 1031 return 0; 1032 } 1033 1034 /* Handle VxLAN cases. */
CID 1472620: Possible Control flow issues (DEADCODE) Execution cannot reach the expression "ptm_bfd_validate_vxlan_pkt(bfd, &vxlan_info)" inside this statement: "if (is_vxlan && !ptm_bfd_va...".
1035 if (is_vxlan && !ptm_bfd_validate_vxlan_pkt(bfd, &vxlan_info)) 1036 return 0; 1037 1038 bfd->stats.rx_ctrl_pkt++; 1039 1040 /*
** CID 1472619: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1472619: Null pointer dereferences (FORWARD_NULL) /bfdd/bfdd_vty_clippy.c: 319 in bfd_peer_label() 313 } 314 #if 0 /* anything that can fail? */ 315 if (_failcnt) 316 return CMD_WARNING; 317 #endif 318 #endif
CID 1472619: Null pointer dereferences (FORWARD_NULL) Passing null pointer "label" to "bfd_peer_label_magic", which dereferences it.
319 return bfd_peer_label_magic(self, vty, argc, argv, label); 320 } 321 322 /* bfd_no_peer => "no peer <A.B.C.D|X:X::X:X>$peer [{multihop|local-address <A.B.C.D|X:X::X:X>$local|interface IFNAME$ifname|vrf NAME$vrfname}]" */ 323 DEFUN_CMD_FUNC_DECL(bfd_no_peer) 324 #define funcdecl_bfd_no_peer static int bfd_no_peer_magic(\
** CID 1399484: Null pointer dereferences (NULL_RETURNS) /tools/permutations.c: 39 in main() ________________________________________________________________________________________________________ *** CID 1399484: Null pointer dereferences (NULL_RETURNS) /tools/permutations.c: 39 in main() 33 { 34 if (argc < 2) { 35 fprintf(stdout, USAGE "\n"); 36 exit(EXIT_SUCCESS); 37 } 38 struct cmd_element *cmd = calloc(1, sizeof(struct cmd_element));
CID 1399484: Null pointer dereferences (NULL_RETURNS) Dereferencing a null pointer "cmd".
39 cmd->string = strdup(argv[1]); 40 41 struct graph *graph = graph_new(); 42 struct cmd_token *token = 43 cmd_token_new(START_TKN, cmd->attr, NULL, NULL); 44 graph_new_node(graph, token, NULL);
** CID 1399196: Error handling issues (CHECKED_RETURN) /tools/start-stop-daemon.c: 1028 in main() ________________________________________________________________________________________________________ *** CID 1399196: Error handling issues (CHECKED_RETURN) /tools/start-stop-daemon.c: 1028 in main() 1022 /* now close all extra fds */ 1023 for (i = getdtablesize() - 1; i >= 0; --i) 1024 close(i); 1025 /* change tty */ 1026 fd = open("/dev/tty", O_RDWR); 1027 if (fd >= 0) {
CID 1399196: Error handling issues (CHECKED_RETURN) Calling "ioctl" without checking return value (as is done elsewhere 8 out of 10 times).
1028 ioctl(fd, TIOCNOTTY, 0); 1029 close(fd); 1030 } 1031 chdir("/"); 1032 umask(022); /* set a default for dumb programs */ 1033 setpgid(0, 0); /* set the process group */
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...