New Defects reported by Coverity Scan for freerangerouting/frr
Hi, please find the latest report on the new defect(s) introduced to freerangerouting/frr, as found by Coverity Scan. 19 new defect(s) were introduced to freerangerouting/frr and found with Coverity Scan. 16 defect(s), reported by Coverity Scan earlier, were marked fixed in the most recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 19 of 19 defect(s) ** CID 1492577: Control flow issues (DEADCODE) /zebra/zebra_nhg.c: 1478 in zebra_nhg_rib_find_nhe() ________________________________________________________________________________________________________ *** CID 1492577: Control flow issues (DEADCODE) /zebra/zebra_nhg.c: 1478 in zebra_nhg_rib_find_nhe() 1472 flog_err(EC_ZEBRA_TABLE_LOOKUP_FAILED, 1473 "No nexthop passed to %s", __func__); 1474 return NULL; 1475 } 1476 1477 if (IS_ZEBRA_DEBUG_NHG_DETAIL)
CID 1492577: Control flow issues (DEADCODE) Execution cannot reach the expression "0U" inside this statement: "zlog_debug("%s: rt_nhe %p (...".
1478 zlog_debug("%s: rt_nhe %p (%u)", 1479 __func__, rt_nhe, 1480 rt_nhe ? rt_nhe->id : 0); 1481 1482 zebra_nhe_find(&nhe, rt_nhe, NULL, rt_afi); 1483
** CID 1492576: Null pointer dereferences (FORWARD_NULL) /zebra/zebra_nhg.c: 492 in nhg_compare_nexthops() ________________________________________________________________________________________________________ *** CID 1492576: Null pointer dereferences (FORWARD_NULL) /zebra/zebra_nhg.c: 492 in nhg_compare_nexthops() 486 * -> 1.1.2.1 dummy2 (inactive) 487 * 488 * Without checking each individual one, they would hash to 489 * the same group and both have 1.1.1.1 dummy1 marked inactive. 490 * 491 */
CID 1492576: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "nh1".
492 if (CHECK_FLAG(nh1->flags, NEXTHOP_FLAG_ACTIVE) 493 != CHECK_FLAG(nh2->flags, NEXTHOP_FLAG_ACTIVE)) 494 return false; 495 496 if (!nexthop_same(nh1, nh2)) 497 return false;
** CID 1492575: Null pointer dereferences (REVERSE_INULL) /zebra/zebra_dplane.c: 1584 in dplane_ctx_route_init() ________________________________________________________________________________________________________ *** CID 1492575: Null pointer dereferences (REVERSE_INULL) /zebra/zebra_dplane.c: 1584 in dplane_ctx_route_init() 1578 /* Extract ns info - can't use pointers to 'core' structs */ 1579 zvrf = vrf_info_lookup(re->vrf_id); 1580 zns = zvrf->zns; 1581 dplane_ctx_ns_init(ctx, zns, (op == DPLANE_OP_ROUTE_UPDATE)); 1582 1583 #ifdef HAVE_NETLINK
CID 1492575: Null pointer dereferences (REVERSE_INULL) Null-checking "re->nhe" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1584 if (re->nhe) { 1585 struct nhg_hash_entry *nhe = zebra_nhg_resolve(re->nhe); 1586 1587 ctx->u.rinfo.nhe.id = nhe->id; 1588 /* 1589 * Check if the nhe is installed/queued before doing anything
** CID 1492574: (REVERSE_INULL) /zebra/zebra_nhg.c: 1577 in zebra_nhg_free() /zebra/zebra_nhg.c: 1572 in zebra_nhg_free() ________________________________________________________________________________________________________ *** CID 1492574: (REVERSE_INULL) /zebra/zebra_nhg.c: 1577 in zebra_nhg_free() 1571 __func__, nhe, 1572 (nhe ? nhe->id : 0), 1573 (nhe ? nhe->refcnt : 0)); 1574 else 1575 zlog_debug("%s: nhe %p (%u), refcnt %d, NH %pNHv", 1576 __func__, nhe,
CID 1492574: (REVERSE_INULL) Null-checking "nhe" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1577 (nhe ? nhe->id : 0), 1578 (nhe ? nhe->refcnt : 0), 1579 nhe->nhg.nexthop); 1580 } 1581 1582 if (nhe->refcnt) /zebra/zebra_nhg.c: 1572 in zebra_nhg_free() 1566 { 1567 if (IS_ZEBRA_DEBUG_NHG_DETAIL) { 1568 /* Group or singleton? */ 1569 if (nhe->nhg.nexthop && nhe->nhg.nexthop->next) 1570 zlog_debug("%s: nhe %p (%u), refcnt %d", 1571 __func__, nhe,
CID 1492574: (REVERSE_INULL) Null-checking "nhe" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1572 (nhe ? nhe->id : 0), 1573 (nhe ? nhe->refcnt : 0)); 1574 else 1575 zlog_debug("%s: nhe %p (%u), refcnt %d, NH %pNHv", 1576 __func__, nhe, 1577 (nhe ? nhe->id : 0),
** CID 1492573: Incorrect expression (COPY_PASTE_ERROR) /zebra/zebra_nhg.c: 1948 in nexthop_active() ________________________________________________________________________________________________________ *** CID 1492573: Incorrect expression (COPY_PASTE_ERROR) /zebra/zebra_nhg.c: 1948 in nexthop_active() 1942 nexthop_set_resolved(afi, newhop, nexthop); 1943 resolved = 1; 1944 } 1945 if (resolved) 1946 re->nexthop_mtu = match->mtu; 1947
CID 1492573: Incorrect expression (COPY_PASTE_ERROR) "zebra_debug_rib" in "zebra_debug_rib & 2UL" looks like a copy-paste error.
1948 if (!resolved && IS_ZEBRA_DEBUG_RIB_DETAILED) 1949 zlog_debug( 1950 " %s: Recursion failed to find", 1951 __func__); 1952 return resolved; 1953 } else if (re->type == ZEBRA_ROUTE_STATIC) {
** CID 1491788: Control flow issues (DEADCODE) /nhrpd/nhrp_vty.c: 626 in show_ip_nhrp_cache() ________________________________________________________________________________________________________ *** CID 1491788: Control flow issues (DEADCODE) /nhrpd/nhrp_vty.c: 626 in show_ip_nhrp_cache() 620 sockunion2str(&c->cur.peer->vc->remote.nbma, 621 buf[1], sizeof(buf[1])); 622 else 623 snprintf(buf[1], sizeof(buf[1]), "-"); 624 625 if (json) {
CID 1491788: Control flow issues (DEADCODE) Execution cannot reach this statement: "json = json_object_new_obje...".
626 json = json_object_new_object(); 627 json_object_string_add(json, "interface", c->ifp->name); 628 json_object_string_add(json, "type", 629 nhrp_cache_type_str[c->cur.type]); 630 json_object_string_add(json, "protocol", buf[0]); 631 json_object_string_add(json, "nbma", buf[1]);
** CID 1482185: (USE_AFTER_FREE) /isisd/isis_pdu.c: 399 in process_p2p_hello() /isisd/isis_pdu.c: 399 in process_p2p_hello() /isisd/isis_pdu.c: 399 in process_p2p_hello() /isisd/isis_pdu.c: 399 in process_p2p_hello() /isisd/isis_pdu.c: 399 in process_p2p_hello() /isisd/isis_pdu.c: 399 in process_p2p_hello() /isisd/isis_pdu.c: 399 in process_p2p_hello() ________________________________________________________________________________________________________ *** CID 1482185: (USE_AFTER_FREE) /isisd/isis_pdu.c: 399 in process_p2p_hello() 393 } 394 } else { 395 /* down - area mismatch */ 396 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch"); 397 } 398
CID 1482185: (USE_AFTER_FREE) Dereferencing freed pointer "adj".
399 if (adj->adj_state == ISIS_ADJ_UP && changed) { 400 lsp_regenerate_schedule(adj->circuit->area, 401 isis_adj_usage2levels(adj->adj_usage), 402 0); 403 } 404 /isisd/isis_pdu.c: 399 in process_p2p_hello() 393 } 394 } else { 395 /* down - area mismatch */ 396 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch"); 397 } 398
CID 1482185: (USE_AFTER_FREE) Dereferencing freed pointer "adj".
399 if (adj->adj_state == ISIS_ADJ_UP && changed) { 400 lsp_regenerate_schedule(adj->circuit->area, 401 isis_adj_usage2levels(adj->adj_usage), 402 0); 403 } 404 /isisd/isis_pdu.c: 399 in process_p2p_hello() 393 } 394 } else { 395 /* down - area mismatch */ 396 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch"); 397 } 398
CID 1482185: (USE_AFTER_FREE) Dereferencing freed pointer "adj".
399 if (adj->adj_state == ISIS_ADJ_UP && changed) { 400 lsp_regenerate_schedule(adj->circuit->area, 401 isis_adj_usage2levels(adj->adj_usage), 402 0); 403 } 404 /isisd/isis_pdu.c: 399 in process_p2p_hello() 393 } 394 } else { 395 /* down - area mismatch */ 396 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch"); 397 } 398
CID 1482185: (USE_AFTER_FREE) Dereferencing freed pointer "adj".
399 if (adj->adj_state == ISIS_ADJ_UP && changed) { 400 lsp_regenerate_schedule(adj->circuit->area, 401 isis_adj_usage2levels(adj->adj_usage), 402 0); 403 } 404 /isisd/isis_pdu.c: 399 in process_p2p_hello() 393 } 394 } else { 395 /* down - area mismatch */ 396 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch"); 397 } 398
CID 1482185: (USE_AFTER_FREE) Dereferencing freed pointer "adj".
399 if (adj->adj_state == ISIS_ADJ_UP && changed) { 400 lsp_regenerate_schedule(adj->circuit->area, 401 isis_adj_usage2levels(adj->adj_usage), 402 0); 403 } 404 /isisd/isis_pdu.c: 399 in process_p2p_hello() 393 } 394 } else { 395 /* down - area mismatch */ 396 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch"); 397 } 398
CID 1482185: (USE_AFTER_FREE) Dereferencing freed pointer "adj".
399 if (adj->adj_state == ISIS_ADJ_UP && changed) { 400 lsp_regenerate_schedule(adj->circuit->area, 401 isis_adj_usage2levels(adj->adj_usage), 402 0); 403 } 404 /isisd/isis_pdu.c: 399 in process_p2p_hello() 393 } 394 } else { 395 /* down - area mismatch */ 396 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch"); 397 } 398
CID 1482185: (USE_AFTER_FREE) Dereferencing freed pointer "adj".
399 if (adj->adj_state == ISIS_ADJ_UP && changed) { 400 lsp_regenerate_schedule(adj->circuit->area, 401 isis_adj_usage2levels(adj->adj_usage), 402 0); 403 } 404
** CID 1482173: (STRING_NULL) /watchfrr/watchfrr.c: 646 in handle_read() /watchfrr/watchfrr.c: 634 in handle_read() ________________________________________________________________________________________________________ *** CID 1482173: (STRING_NULL) /watchfrr/watchfrr.c: 646 in handle_read() 640 641 /* We are expecting an echo response: is there any chance that the 642 response would not be returned entirely in the first read? That 643 seems inconceivable... */ 644 if ((rc != sizeof(resp)) || memcmp(buf, resp, sizeof(resp))) { 645 char why[100 + sizeof(buf)];
CID 1482173: (STRING_NULL) Passing unterminated string "buf" to "snprintf".
646 snprintf(why, sizeof(why), 647 "read returned bad echo response of %d bytes " 648 "(expecting %u): %.*s", 649 (int)rc, (unsigned int)sizeof(resp), (int)rc, buf); 650 daemon_down(dmn, why); 651 return 0; /watchfrr/watchfrr.c: 634 in handle_read() 628 if (rc == 0) { 629 daemon_down(dmn, "read returned EOF"); 630 return 0; 631 } 632 if (!dmn->echo_sent.tv_sec) { 633 char why[sizeof(buf) + 100];
CID 1482173: (STRING_NULL) Passing unterminated string "buf" to "snprintf".
634 snprintf(why, sizeof(why), 635 "unexpected read returns %d bytes: %.*s", (int)rc, 636 (int)rc, buf); 637 daemon_down(dmn, why); 638 return 0; 639 }
** CID 1482161: (TAINTED_SCALAR) /ospf6d/ospf6_spf.c: 1031 in ospf6_create_single_router_lsa() /ospf6d/ospf6_spf.c: 1061 in ospf6_create_single_router_lsa() ________________________________________________________________________________________________________ *** CID 1482161: (TAINTED_SCALAR) /ospf6d/ospf6_spf.c: 1011 in ospf6_create_single_router_lsa() 1005 zlog_debug("%s: adv_router %s not found in LSDB.", 1006 __func__, ifbuf); 1007 return NULL; 1008 } 1009 1010 /* Allocate memory for this LSA */
CID 1482161: (TAINTED_SCALAR) Passing tainted variable "total_lsa_length" to a tainted sink.
1011 new_header = XMALLOC(MTYPE_OSPF6_LSA_HEADER, total_lsa_length); 1012 1013 /* LSA information structure */ 1014 lsa = XCALLOC(MTYPE_OSPF6_LSA, sizeof(struct ospf6_lsa)); 1015 1016 lsa->header = (struct ospf6_lsa_header *)new_header; /ospf6d/ospf6_spf.c: 1031 in ospf6_create_single_router_lsa() 1025 * a valid pointer. 1026 */ 1027 assert(rtr_lsa); 1028 if (!OSPF6_LSA_IS_MAXAGE(rtr_lsa)) { 1029 /* Append first Link State ID LSA */ 1030 lsa_header = rtr_lsa->header;
CID 1482161: (TAINTED_SCALAR) Passing tainted variable "ntohs(lsa_header->length)" to a tainted sink.
1031 memcpy(new_header, lsa_header, ntohs(lsa_header->length)); 1032 /* Assign new lsa length as aggregated length. */ 1033 ((struct ospf6_lsa_header *)new_header)->length = 1034 htons(total_lsa_length); 1035 new_header += ntohs(lsa_header->length); 1036 num_lsa--; /ospf6d/ospf6_spf.c: 1061 in ospf6_create_single_router_lsa() 1055 __func__, rtr_lsa->name, 1056 ntohs(lsa_header->length), ifbuf); 1057 } 1058 1059 /* Append Next Link State ID LSA */ 1060 lsa_header = rtr_lsa->header;
CID 1482161: (TAINTED_SCALAR) Passing tainted variable "ntohs(lsa_header->length) - lsa_length" to a tainted sink.
1061 memcpy(new_header, (OSPF6_LSA_HEADER_END(rtr_lsa->header) + 4), 1062 (ntohs(lsa_header->length) - lsa_length)); 1063 new_header += (ntohs(lsa_header->length) - lsa_length); 1064 num_lsa--; 1065 1066 rtr_lsa = ospf6_lsdb_next(end, rtr_lsa);
** CID 1479711: Error handling issues (CHECKED_RETURN) /pimd/pim_zebra.c: 650 in igmp_source_forward_start() ________________________________________________________________________________________________________ *** CID 1479711: Error handling issues (CHECKED_RETURN) /pimd/pim_zebra.c: 650 in igmp_source_forward_start() 644 grp.u.prefix4 = sg.grp; 645 646 up = pim_upstream_find(pim, &sg); 647 if (up) { 648 memcpy(&nexthop, &up->rpf.source_nexthop, 649 sizeof(struct pim_nexthop));
CID 1479711: Error handling issues (CHECKED_RETURN) Calling "pim_ecmp_nexthop_lookup" without checking return value (as is done elsewhere 8 out of 9 times).
650 pim_ecmp_nexthop_lookup(pim, &nexthop, &src, 651 &grp, 0); 652 if (nexthop.interface) 653 input_iface_vif_index = 654 pim_if_find_vifindex_by_ifindex( 655 pim,
** CID 1479155: Uninitialized variables (UNINIT) ________________________________________________________________________________________________________ *** CID 1479155: Uninitialized variables (UNINIT) /pimd/pim_cmd.c: 8110 in pim_test_sg_keepalive_magic() 8104 8105 if (!pim) { 8106 vty_out(vty, "%% Unable to find pim instance\n"); 8107 return CMD_WARNING; 8108 } 8109
CID 1479155: Uninitialized variables (UNINIT) Using uninitialized value "sg". Field "sg.family" is uninitialized when calling "pim_upstream_find".
8110 up = pim_upstream_find(pim, &sg); 8111 if (!up) { 8112 vty_out(vty, "%% Unable to find %s specified\n", 8113 pim_str_sg_dump(&sg)); 8114 return CMD_WARNING; 8115 }
** CID 1479142: Memory - illegal accesses (OVERRUN) /zebra/zebra_rib.c: 2098 in rib_meta_queue_add() ________________________________________________________________________________________________________ *** CID 1479142: Memory - illegal accesses (OVERRUN) /zebra/zebra_rib.c: 2098 in rib_meta_queue_add() 2092 "rn %p is already queued in sub-queue %u", 2093 (void *)rn, qindex); 2094 return -1; 2095 } 2096 2097 SET_FLAG(rib_dest_from_rnode(rn)->flags, RIB_ROUTE_QUEUED(qindex));
CID 1479142: Memory - illegal accesses (OVERRUN) Overrunning array "mq->subq" of 6 8-byte elements at element index 6 (byte offset 55) using index "qindex" (which evaluates to 6).
2098 listnode_add(mq->subq[qindex], rn); 2099 route_lock_node(rn); 2100 mq->size++; 2101 2102 if (IS_ZEBRA_DEBUG_RIB_DETAILED) 2103 rnode_debug(rn, re->vrf_id, "queued rn %p into sub-queue %u",
** CID 1475948: Security best practices violations (DC.WEAK_CRYPTO) /watchfrr/watchfrr.c: 889 in phase_check() ________________________________________________________________________________________________________ *** CID 1475948: Security best practices violations (DC.WEAK_CRYPTO) /watchfrr/watchfrr.c: 889 in phase_check() 883 return; 884 885 /* startup complete, everything out of INIT */ 886 gs.phase = PHASE_NONE; 887 for (dmn = gs.daemons; dmn; dmn = dmn->next) 888 if (dmn->state == DAEMON_DOWN) {
CID 1475948: Security best practices violations (DC.WEAK_CRYPTO) "random" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
889 SET_WAKEUP_DOWN(dmn); 890 try_restart(dmn); 891 } 892 break; 893 case PHASE_STOPS_PENDING: 894 if (gs.numpids)
** CID 1475944: Security best practices violations (DC.WEAK_CRYPTO) /watchfrr/watchfrr.c: 581 in restart_done() ________________________________________________________________________________________________________ *** CID 1475944: Security best practices violations (DC.WEAK_CRYPTO) /watchfrr/watchfrr.c: 581 in restart_done() 575 dmn->name, state_str[dmn->state]); 576 return; 577 } 578 if (dmn->t_wakeup) 579 THREAD_OFF(dmn->t_wakeup); 580 if (try_connect(dmn) < 0)
CID 1475944: Security best practices violations (DC.WEAK_CRYPTO) "random" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
581 SET_WAKEUP_DOWN(dmn); 582 } 583 584 static void daemon_down(struct daemon *dmn, const char *why) 585 { 586 if (IS_UP(dmn) || (dmn->state == DAEMON_INIT))
** CID 1420264: Null pointer dereferences (NULL_RETURNS) ________________________________________________________________________________________________________ *** CID 1420264: Null pointer dereferences (NULL_RETURNS) /pimd/pim_nht.c: 791 in pim_parse_nexthop_update() 785 nexthop->gate.ipv4 = 786 pnc->rpf.rpf_addr.u.prefix4; 787 break; 788 case NEXTHOP_TYPE_IPV6_IFINDEX: 789 ifp1 = if_lookup_by_index(nexthop->ifindex, 790 pim->vrf_id);
CID 1420264: Null pointer dereferences (NULL_RETURNS) Dereferencing a pointer that might be "NULL" "ifp1" when calling "pim_neighbor_find_if".
791 nbr = pim_neighbor_find_if(ifp1); 792 /* Overwrite with Nbr address as NH addr */ 793 if (nbr) 794 nexthop->gate.ipv4 = nbr->source_addr; 795 else { 796 // Mark nexthop address to 0 until PIM
** CID 1302468: Memory - corruptions (ARRAY_VS_SINGLETON) ________________________________________________________________________________________________________ *** CID 1302468: Memory - corruptions (ARRAY_VS_SINGLETON) /zebra/zebra_snmp.c: 371 in get_fwtable_route_node() 365 /* For exact: search matching entry in rib table. */ 366 367 if (exact) { 368 if (policy) /* Not supported (yet?) */ 369 return; 370 for (*np = route_top(table); *np; *np = route_next(*np)) {
CID 1302468: Memory - corruptions (ARRAY_VS_SINGLETON) Passing "&(*np)->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
371 if (!in_addr_cmp(&(*np)->p.u.prefix, 372 (uint8_t *)&dest)) { 373 RNODE_FOREACH_RE (*np, *re) { 374 if (!in_addr_cmp((uint8_t *)&(*re)->nhe 375 ->nhg.nexthop 376 ->gate.ipv4,
** CID 1302467: (ARRAY_VS_SINGLETON) ________________________________________________________________________________________________________ *** CID 1302467: (ARRAY_VS_SINGLETON) /zebra/zebra_snmp.c: 271 in check_replace() 265 *re = re2; 266 return; 267 } 268 269 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) < 0) 270 return;
CID 1302467: (ARRAY_VS_SINGLETON) Passing "&np2->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
271 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) > 0) { 272 *np = np2; 273 *re = re2; 274 return; 275 } 276 /zebra/zebra_snmp.c: 269 in check_replace() 263 if (!*np) { 264 *np = np2; 265 *re = re2; 266 return; 267 } 268
CID 1302467: (ARRAY_VS_SINGLETON) Passing "&np2->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
269 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) < 0) 270 return; 271 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) > 0) { 272 *np = np2; 273 *re = re2; 274 return;
** CID 1302466: (ARRAY_VS_SINGLETON) ________________________________________________________________________________________________________ *** CID 1302466: (ARRAY_VS_SINGLETON) /zebra/zebra_snmp.c: 397 in get_fwtable_route_node() 391 /* Check destination first */ 392 if (in_addr_cmp(&np2->p.u.prefix, (uint8_t *)&dest) > 0) 393 RNODE_FOREACH_RE (np2, re2) { 394 check_replace(np2, re2, np, re); 395 } 396
CID 1302466: (ARRAY_VS_SINGLETON) Passing "&np2->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
397 if (in_addr_cmp(&np2->p.u.prefix, (uint8_t *)&dest) 398 == 0) { /* have to look at each re individually */ 399 RNODE_FOREACH_RE (np2, re2) { 400 int proto2, policy2; 401 402 proto2 = proto_trans(re2->type); /zebra/zebra_snmp.c: 392 in get_fwtable_route_node() 386 387 /* Search next best entry */ 388 389 for (np2 = route_top(table); np2; np2 = route_next(np2)) { 390 391 /* Check destination first */
CID 1302466: (ARRAY_VS_SINGLETON) Passing "&np2->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
392 if (in_addr_cmp(&np2->p.u.prefix, (uint8_t *)&dest) > 0) 393 RNODE_FOREACH_RE (np2, re2) { 394 check_replace(np2, re2, np, re); 395 } 396 397 if (in_addr_cmp(&np2->p.u.prefix, (uint8_t *)&dest)
** CID 1302465: (ARRAY_VS_SINGLETON) ________________________________________________________________________________________________________ *** CID 1302465: (ARRAY_VS_SINGLETON) /zebra/zebra_snmp.c: 269 in check_replace() 263 if (!*np) { 264 *np = np2; 265 *re = re2; 266 return; 267 } 268
CID 1302465: (ARRAY_VS_SINGLETON) Passing "&(*np)->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
269 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) < 0) 270 return; 271 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) > 0) { 272 *np = np2; 273 *re = re2; 274 return; /zebra/zebra_snmp.c: 271 in check_replace() 265 *re = re2; 266 return; 267 } 268 269 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) < 0) 270 return;
CID 1302465: (ARRAY_VS_SINGLETON) Passing "&(*np)->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
271 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) > 0) { 272 *np = np2; 273 *re = re2; 274 return; 275 } 276
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u2389337.ct.sendgrid.net/ls/click?upn=nJaKvJSIH-2FPAfmty-2BK5tYpPklA...