New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 12 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 12 of 12 defect(s) ** CID 1467832: Null pointer dereferences (NULL_RETURNS) /pbrd/pbr_nht.c: 217 in pbr_nhgroup_add_cb() ________________________________________________________________________________________________________ *** CID 1467832: Null pointer dereferences (NULL_RETURNS) /pbrd/pbr_nht.c: 217 in pbr_nhgroup_add_cb() 211 nhgc = nhgc_find(name); 212 pnhgc = pbr_nht_add_group(name); 213 214 DEBUGD(&pbr_dbg_nht, "%s: Added nexthop-group %s", __PRETTY_FUNCTION__, 215 name); 216
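CID 1467832: Null pointer dereferences (NULL_RETURNS) Dereferencing a null pointer "nhgc". [Note: the result of nhgc_find(name) assigned at line 211 reaches the nhgc->nhg dereference at line 217 with no NULL check in between; the pbr_nht_change_group() and pbr_nht_add_group() excerpts later in this report do test the same return value before using it.]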
217 pbr_nht_install_nexthop_group(pnhgc, nhgc->nhg); 218 pbr_map_check_nh_group_change(name); 219 } 220 221 void pbr_nhgroup_add_nexthop_cb(const struct nexthop_group_cmd *nhgc, 222 const struct nexthop *nhop)
** CID 1467831: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1467831: Null pointer dereferences (FORWARD_NULL) /pbrd/pbr_vty_clippy.c: 148 in pbr_map_nexthop_group() 142 } 143 #if 0 /* anything that can fail? */ 144 if (_failcnt) 145 return CMD_WARNING; 146 #endif 147 #endif
CID 1467831: Null pointer dereferences (FORWARD_NULL) Passing null pointer "name" to "pbr_map_nexthop_group_magic", which dereferences it.
148 return pbr_map_nexthop_group_magic(self, vty, argc, argv, no, name); 149 } 150 151 /* pbr_map_nexthop => "[no] set nexthop <A.B.C.D|X:X::X:X>$addr [INTERFACE]$intf [nexthop-vrf NAME$name]" */ 152 DEFUN_CMD_FUNC_DECL(pbr_map_nexthop) 153 #define funcdecl_pbr_map_nexthop static int pbr_map_nexthop_magic(\
** CID 1467830: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1467830: Null pointer dereferences (FORWARD_NULL) /pbrd/pbr_vty_clippy.c: 265 in pbr_policy() 259 } 260 #if 0 /* anything that can fail? */ 261 if (_failcnt) 262 return CMD_WARNING; 263 #endif 264 #endif
CID 1467830: Null pointer dereferences (FORWARD_NULL) Passing null pointer "mapname" to "pbr_policy_magic", which dereferences it.
265 return pbr_policy_magic(self, vty, argc, argv, no, mapname); 266 } 267 268 /* show_pbr => "show pbr [json$json]" */ 269 DEFUN_CMD_FUNC_DECL(show_pbr) 270 #define funcdecl_show_pbr static int show_pbr_magic(\
** CID 1467829: Resource leaks (RESOURCE_LEAK) /pbrd/pbr_vty.c: 348 in pbr_policy_magic() ________________________________________________________________________________________________________ *** CID 1467829: Resource leaks (RESOURCE_LEAK) /pbrd/pbr_vty.c: 348 in pbr_policy_magic() 342 if (pbrm) 343 pbr_map_add_interface(pbrm, ifp); 344 } 345 } 346 } 347
CID 1467829: Resource leaks (RESOURCE_LEAK) Variable "pbr_ifp" going out of scope leaks the storage it points to.
348 return CMD_SUCCESS; 349 } 350 351 DEFPY (show_pbr, 352 show_pbr_cmd, 353 "show pbr [json$json]",
** CID 1467828: Security best practices violations (STRING_OVERFLOW) /pbrd/pbr_nht.c: 779 in pbr_nht_get_installed() ________________________________________________________________________________________________________ *** CID 1467828: Security best practices violations (STRING_OVERFLOW) /pbrd/pbr_nht.c: 779 in pbr_nht_get_installed() 773 bool pbr_nht_get_installed(const char *name) 774 { 775 struct pbr_nexthop_group_cache find; 776 struct pbr_nexthop_group_cache *pnhgc; 777 778 memset(&find, 0, sizeof(find));
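CID 1467828: Security best practices violations (STRING_OVERFLOW) You might overrun the 100-character fixed-size string "find.name" by copying "name" without checking the length. [Note: the copy at line 779 is an unbounded strcpy() into a fixed-size struct member. Bounding the copy by sizeof(find.name), for example with strlcpy() or snprintf(), and treating an over-long name as "not found" would remove the overrun. The same pattern is reported for CIDs 1467821 through 1467827 below. Whether any of these is reachable depends on whether callers already cap the length of the string, which these excerpts do not show.]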
779 strcpy(find.name, name); 780 781 pnhgc = hash_lookup(pbr_nhg_hash, &find); 782 783 if (!pnhgc) 784 return false;
** CID 1467827: Security best practices violations (STRING_OVERFLOW) /pbrd/pbr_nht.c: 436 in pbr_nht_change_group() ________________________________________________________________________________________________________ *** CID 1467827: Security best practices violations (STRING_OVERFLOW) /pbrd/pbr_nht.c: 436 in pbr_nht_change_group() 430 431 nhgc = nhgc_find(name); 432 if (!nhgc) 433 return; 434 435 memset(&find, 0, sizeof(find));
CID 1467827: Security best practices violations (STRING_OVERFLOW) You might overrun the 100-character fixed-size string "find.name" by copying "name" without checking the length.
436 strcpy(find.name, name); 437 pnhgc = hash_lookup(pbr_nhg_hash, &find); 438 439 if (!pnhgc) { 440 DEBUGD(&pbr_dbg_nht, 441 "%s: Could not find nexthop-group cache w/ name '%s'",
** CID 1467826: Security best practices violations (STRING_OVERFLOW) /pbrd/pbr_nht.c: 511 in pbr_nht_delete_individual_nexthop() ________________________________________________________________________________________________________ *** CID 1467826: Security best practices violations (STRING_OVERFLOW) /pbrd/pbr_nht.c: 511 in pbr_nht_delete_individual_nexthop() 505 pbrm->valid = false; 506 pbrms->nhs_installed = false; 507 pbrms->installed = false; 508 pbrms->reason |= PBR_MAP_INVALID_NO_NEXTHOPS; 509 510 memset(&find, 0, sizeof(find));
CID 1467826: Security best practices violations (STRING_OVERFLOW) You might overrun the 100-character fixed-size string "&find.name[0]" by copying "pbrms->internal_nhg_name" without checking the length.
511 strcpy(&find.name[0], pbrms->internal_nhg_name); 512 pnhgc = hash_lookup(pbr_nhg_hash, &find); 513 514 nh = pbrms->nhg->nexthop; 515 nh_afi = nh->type; 516 lup.nexthop = nh;
** CID 1467825: Security best practices violations (STRING_OVERFLOW) /pbrd/pbr_nht.c: 760 in pbr_nht_get_table() ________________________________________________________________________________________________________ *** CID 1467825: Security best practices violations (STRING_OVERFLOW) /pbrd/pbr_nht.c: 760 in pbr_nht_get_table() 754 uint32_t pbr_nht_get_table(const char *name) 755 { 756 struct pbr_nexthop_group_cache find; 757 struct pbr_nexthop_group_cache *pnhgc; 758 759 memset(&find, 0, sizeof(find));
CID 1467825: Security best practices violations (STRING_OVERFLOW) You might overrun the 100-character fixed-size string "find.name" by copying "name" without checking the length.
760 strcpy(find.name, name); 761 pnhgc = hash_lookup(pbr_nhg_hash, &find); 762 763 if (!pnhgc) { 764 DEBUGD(&pbr_dbg_nht, 765 "%s: Could not find nexthop-group cache w/ name '%s'",
** CID 1467824: Security best practices violations (STRING_OVERFLOW) /pbrd/pbr_nht.c: 605 in pbr_nht_nexthop_group_valid() ________________________________________________________________________________________________________ *** CID 1467824: Security best practices violations (STRING_OVERFLOW) /pbrd/pbr_nht.c: 605 in pbr_nht_nexthop_group_valid() 599 { 600 struct pbr_nexthop_group_cache *pnhgc; 601 struct pbr_nexthop_group_cache lookup; 602 603 DEBUGD(&pbr_dbg_nht, "%s: %s", __PRETTY_FUNCTION__, name); 604
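CID 1467824: Security best practices violations (STRING_OVERFLOW) You might overrun the 100-character fixed-size string "lookup.name" by copying "name" without checking the length. [Note: unlike the "find" structures in the other pbr_nht.c excerpts, "lookup" is not cleared with memset() anywhere in the lines shown (599-605), so every field other than name is uninitialized when the structure is passed to hash_get(). Whether that affects the lookup depends on the hash and comparison callbacks, which are not shown here.]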
605 strcpy(lookup.name, name); 606 pnhgc = hash_get(pbr_nhg_hash, &lookup, NULL); 607 if (!pnhgc) 608 return false; 609 DEBUGD(&pbr_dbg_nht, "%s: \t%d %d", __PRETTY_FUNCTION__, pnhgc->valid, 610 pnhgc->installed);
** CID 1467823: Security best practices violations (STRING_OVERFLOW) /pbrd/pbr_nht.c: 546 in pbr_nht_add_group() ________________________________________________________________________________________________________ *** CID 1467823: Security best practices violations (STRING_OVERFLOW) /pbrd/pbr_nht.c: 546 in pbr_nht_add_group() 540 if (!nhgc) { 541 zlog_warn("%s: Could not find group %s to add", 542 __PRETTY_FUNCTION__, name); 543 return NULL; 544 } 545
CID 1467823: Security best practices violations (STRING_OVERFLOW) You might overrun the 100-character fixed-size string "lookup.name" by copying "name" without checking the length.
546 strcpy(lookup.name, name); 547 pnhgc = hash_get(pbr_nhg_hash, &lookup, pbr_nhgc_alloc); 548 DEBUGD(&pbr_dbg_nht, "%s: Retrieved NHGC @ %p", __PRETTY_FUNCTION__, 549 pnhgc); 550 551 for (ALL_NEXTHOPS(nhgc->nhg, nhop)) {
** CID 1467822: Security best practices violations (STRING_OVERFLOW) /pbrd/pbr_map.c: 271 in pbrms_get() ________________________________________________________________________________________________________ *** CID 1467822: Security best practices violations (STRING_OVERFLOW) /pbrd/pbr_map.c: 271 in pbrms_get() 265 struct pbr_map_sequence *pbrms; 266 struct listnode *node; 267 268 pbrm = pbrm_find(name); 269 if (!pbrm) { 270 pbrm = XCALLOC(MTYPE_PBR_MAP, sizeof(*pbrm));
CID 1467822: Security best practices violations (STRING_OVERFLOW) You might overrun the 100-character fixed-size string "pbrm->name" by copying "name" without checking the length.
271 strcpy(pbrm->name, name); 272 273 pbrm->seqnumbers = list_new(); 274 pbrm->seqnumbers->cmp = 275 (int (*)(void *, void *))pbr_map_sequence_compare; 276 pbrm->seqnumbers->del =
** CID 1467821: (STRING_OVERFLOW) /pbrd/pbr_vty.c: 332 in pbr_policy_magic() /pbrd/pbr_vty.c: 341 in pbr_policy_magic() ________________________________________________________________________________________________________ *** CID 1467821: (STRING_OVERFLOW) /pbrd/pbr_vty.c: 332 in pbr_policy_magic() 326 327 if (pbrm) 328 pbr_map_interface_delete(pbrm, ifp); 329 } 330 } else { 331 if (strcmp(pbr_ifp->mapname, "") == 0) {
CID 1467821: (STRING_OVERFLOW) You might overrun the 100-character fixed-size string "pbr_ifp->mapname" by copying "mapname" without checking the length.
332 strcpy(pbr_ifp->mapname, mapname); 333 334 if (pbrm) 335 pbr_map_add_interface(pbrm, ifp); 336 } else { 337 if (!(strcmp(pbr_ifp->mapname, mapname) == 0)) { /pbrd/pbr_vty.c: 341 in pbr_policy_magic() 335 pbr_map_add_interface(pbrm, ifp); 336 } else { 337 if (!(strcmp(pbr_ifp->mapname, mapname) == 0)) { 338 old_pbrm = pbrm_find(pbr_ifp->mapname); 339 if (old_pbrm) 340 pbr_map_interface_delete(old_pbrm, ifp);
CID 1467821: (STRING_OVERFLOW) You might overrun the 100-character fixed-size string "pbr_ifp->mapname" by copying "mapname" without checking the length.
341 strcpy(pbr_ifp->mapname, mapname); 342 if (pbrm) 343 pbr_map_add_interface(pbrm, ifp); 344 } 345 } 346 }
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...