New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 28 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 28 defect(s) ** CID 1508210: Error handling issues (CHECKED_RETURN) /zebra/zebra_script.c: 310 in lua_pushzebra_dplane_ctx() ________________________________________________________________________________________________________ *** CID 1508210: Error handling issues (CHECKED_RETURN) /zebra/zebra_script.c: 310 in lua_pushzebra_dplane_ctx() 304 case DPLANE_OP_IPSET_ADD: 305 case DPLANE_OP_IPSET_DELETE: 306 case DPLANE_OP_IPSET_ENTRY_ADD: 307 case DPLANE_OP_IPSET_ENTRY_DELETE: { 308 struct zebra_pbr_ipset ipset; 309
CID 1508210: Error handling issues (CHECKED_RETURN) Calling "dplane_ctx_get_pbr_ipset" without checking return value (as is done elsewhere 4 out of 5 times). Reviewer note: `ipset` is declared at line 308 with no initializer, so if the getter fails the `lua_pushinteger(L, ipset.sock)` at line 314 and the rest of the table population copy indeterminate stack contents into the Lua table handed to scripts. Check the return value (or zero-initialize `ipset` and skip building the table on failure) before exposing the fields.
310 dplane_ctx_get_pbr_ipset(ctx, &ipset); 311 /* ipset */ 312 lua_newtable(L); 313 { 314 lua_pushinteger(L, ipset.sock); 315 lua_setfield(L, -2, "sock");
** CID 1506514: Insecure data handling (TAINTED_SCALAR) /ospf6d/ospf6_gr_helper.c: 1238 in ospf6_grace_lsa_show_info() ________________________________________________________________________________________________________ *** CID 1506514: Insecure data handling (TAINTED_SCALAR) /ospf6d/ospf6_gr_helper.c: 1238 in ospf6_grace_lsa_show_info() 1232 if (!use_json) 1233 vty_out(vty, "TLV info:\n"); 1234 } else { 1235 zlog_debug(" TLV info:"); 1236 } 1237
CID 1506514: Insecure data handling (TAINTED_SCALAR) Using tainted variable "length" as a loop boundary. Reviewer note: the TLV walk at lines 1238-1243 advances with `TLV_HDR_NEXT(tlvh)` and `TLV_SIZE(tlvh)`, both read from the received LSA, and stops only when `sum` reaches `length`; where `length` comes from in this function is not shown here (the sibling function below derives it from `ntohs(lsah->length)`). Unless the LSA length has already been validated against the buffer that holds it, each TLV header should be checked to fit in the remaining bytes before it is dereferenced — this is a show/debug path, but it still reads peer-supplied data.
1238 for (tlvh = TLV_HDR_TOP(lsah); sum < length; 1239 tlvh = TLV_HDR_NEXT(tlvh)) { 1240 switch (ntohs(tlvh->type)) { 1241 case GRACE_PERIOD_TYPE: 1242 gracePeriod = (struct grace_tlv_graceperiod *)tlvh; 1243 sum += TLV_SIZE(tlvh);
** CID 1506513: Insecure data handling (TAINTED_SCALAR) /ospf6d/ospf6_gr_helper.c: 160 in ospf6_extract_grace_lsa_fields() ________________________________________________________________________________________________________ *** CID 1506513: Insecure data handling (TAINTED_SCALAR) /ospf6d/ospf6_gr_helper.c: 160 in ospf6_extract_grace_lsa_fields() 154 int sum = 0; 155 156 lsah = (struct ospf6_lsa_header *)lsa->header; 157 158 length = ntohs(lsah->length) - OSPF6_LSA_HEADER_SIZE; 159
CID 1506513: Insecure data handling (TAINTED_SCALAR) Using tainted variable "length" as a loop boundary. Reviewer note: `length` is computed at line 158 as `ntohs(lsah->length) - OSPF6_LSA_HEADER_SIZE`, straight from the LSA header. If the advertised length is smaller than `OSPF6_LSA_HEADER_SIZE` the subtraction underflows (its declaration is not shown; if `length` is unsigned the loop bound wraps to a huge value), and nothing visible ties `length` to the size of the buffer actually holding the LSA. A lower-bound check (`ntohs(lsah->length) >= OSPF6_LSA_HEADER_SIZE`) plus a per-TLV "fits in the remaining bytes" check before `ntohl(gracePeriod->interval)` and `TLV_HDR_NEXT` dereference the TLV would close this.
160 for (tlvh = TLV_HDR_TOP(lsah); sum < length; 161 tlvh = TLV_HDR_NEXT(tlvh)) { 162 switch (ntohs(tlvh->type)) { 163 case GRACE_PERIOD_TYPE: 164 gracePeriod = (struct grace_tlv_graceperiod *)tlvh; 165 *interval = ntohl(gracePeriod->interval);
** CID 1506512: (USE_AFTER_FREE) /ospf6d/ospf6_gr_helper.c: 230 in ospf6_check_chg_in_rxmt_list() /ospf6d/ospf6_gr_helper.c: 230 in ospf6_check_chg_in_rxmt_list() ________________________________________________________________________________________________________ *** CID 1506512: (USE_AFTER_FREE) /ospf6d/ospf6_gr_helper.c: 230 in ospf6_check_chg_in_rxmt_list() 224 for (ALL_LSDB(nbr->retrans_list, lsa, lsanext)) { 225 struct ospf6_lsa *lsa_in_db = NULL; 226 227 /* Fetching the same copy of LSA form LSDB to validate the 228 * topochange. 229 */
CID 1506512: (USE_AFTER_FREE) Dereferencing freed pointer "lsa". Reviewer note: Coverity models `ospf6_lsa_unlock()` as a possible free and then reports every later use of `lsa` inside an `ALL_LSDB` iteration; the same pattern accounts for the run of ospf6_message.c findings below. Whether it is reachable depends on the reference the iterator macro holds across the loop body, which is not visible in this excerpt — triage by confirming that `ALL_LSDB` keeps its own lock on `lsa` until the body finishes (the `assert(lsa->lock == 2)` in the lsack builders documents that expectation), and give the explicit `ospf6_lsa_unlock(lsa)` at line 235, which drops a reference mid-body, the closest look.
230 lsa_in_db = 231 ospf6_lsdb_lookup(lsa->header->type, lsa->header->id, 232 lsa->header->adv_router, lsa->lsdb); 233 234 if (lsa_in_db && lsa_in_db->tobe_acknowledged) { 235 ospf6_lsa_unlock(lsa); /ospf6d/ospf6_gr_helper.c: 230 in ospf6_check_chg_in_rxmt_list() 224 for (ALL_LSDB(nbr->retrans_list, lsa, lsanext)) { 225 struct ospf6_lsa *lsa_in_db = NULL; 226 227 /* Fetching the same copy of LSA form LSDB to validate the 228 * topochange. 229 */
CID 1506512: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
230 lsa_in_db = 231 ospf6_lsdb_lookup(lsa->header->type, lsa->header->id, 232 lsa->header->adv_router, lsa->lsdb); 233 234 if (lsa_in_db && lsa_in_db->tobe_acknowledged) { 235 ospf6_lsa_unlock(lsa);
** CID 1505419: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2454 in ospf6_make_lsupdate_list() /ospf6d/ospf6_message.c: 2454 in ospf6_make_lsupdate_list() ________________________________________________________________________________________________________ *** CID 1505419: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2454 in ospf6_make_lsupdate_list() 2448 struct ospf6_lsa *lsa, *lsanext; 2449 2450 /* skip over fixed header */ 2451 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2452 2453 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
CID 1505419: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2454 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2455 + OSPF6_HEADER_SIZE) 2456 > ospf6_packet_max(on->ospf6_if)) { 2457 ospf6_fill_header(on->ospf6_if, (*op)->s, 2458 length + OSPF6_HEADER_SIZE); 2459 (*op)->length = length + OSPF6_HEADER_SIZE; /ospf6d/ospf6_message.c: 2454 in ospf6_make_lsupdate_list() 2448 struct ospf6_lsa *lsa, *lsanext; 2449 2450 /* skip over fixed header */ 2451 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2452 2453 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
CID 1505419: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2454 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2455 + OSPF6_HEADER_SIZE) 2456 > ospf6_packet_max(on->ospf6_if)) { 2457 ospf6_fill_header(on->ospf6_if, (*op)->s, 2458 length + OSPF6_HEADER_SIZE); 2459 (*op)->length = length + OSPF6_HEADER_SIZE; /ospf6d/ospf6_message.c: 2453 in ospf6_make_lsupdate_list() 2447 uint16_t length = OSPF6_LS_UPD_MIN_SIZE; 2448 struct ospf6_lsa *lsa, *lsanext; 2449 2450 /* skip over fixed header */ 2451 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2452
CID 1505419: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2453 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) { 2454 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2455 + OSPF6_HEADER_SIZE) 2456 > ospf6_packet_max(on->ospf6_if)) { 2457 ospf6_fill_header(on->ospf6_if, (*op)->s, 2458 length + OSPF6_HEADER_SIZE); /ospf6d/ospf6_message.c: 2453 in ospf6_make_lsupdate_list() 2447 uint16_t length = OSPF6_LS_UPD_MIN_SIZE; 2448 struct ospf6_lsa *lsa, *lsanext; 2449 2450 /* skip over fixed header */ 2451 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2452
CID 1505419: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2453 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) { 2454 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2455 + OSPF6_HEADER_SIZE) 2456 > ospf6_packet_max(on->ospf6_if)) { 2457 ospf6_fill_header(on->ospf6_if, (*op)->s, 2458 length + OSPF6_HEADER_SIZE);
** CID 1505418: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2284 in ospf6_make_lsreq() /ospf6d/ospf6_message.c: 2284 in ospf6_make_lsreq() ________________________________________________________________________________________________________ *** CID 1505418: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2278 in ospf6_make_lsreq() 2272 uint16_t length = 0; 2273 struct ospf6_lsa *lsa, *lsanext, *last_req = NULL; 2274 2275 for (ALL_LSDB(on->request_list, lsa, lsanext)) { 2276 if ((length + OSPF6_HEADER_SIZE) 2277 > ospf6_packet_max(on->ospf6_if)) {
CID 1505418: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa". Reviewer note: the early-exit path at lines 2278-2281 manually drops the iterator's references (`ospf6_lsa_unlock(lsa)`, then `lsanext` if non-NULL) before `break`ing out of `ALL_LSDB`; every builder function in this report repeats that sequence, so the macro's internal locking is encoded at each call site. Coverity cannot see that the list itself still holds a reference, hence the report. Whether each site is correct hinges on the exact number of references the macro holds at that point (the `assert(lsa->lock == 2)` used in the lsack builders is the only place this invariant is written down); a single helper for "break out of ALL_LSDB" would make it auditable in one place.
2278 ospf6_lsa_unlock(lsa); 2279 if (lsanext) 2280 ospf6_lsa_unlock(lsanext); 2281 break; 2282 } 2283 stream_putw(s, 0); /* reserved */ /ospf6d/ospf6_message.c: 2278 in ospf6_make_lsreq() 2272 uint16_t length = 0; 2273 struct ospf6_lsa *lsa, *lsanext, *last_req = NULL; 2274 2275 for (ALL_LSDB(on->request_list, lsa, lsanext)) { 2276 if ((length + OSPF6_HEADER_SIZE) 2277 > ospf6_packet_max(on->ospf6_if)) {
CID 1505418: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2278 ospf6_lsa_unlock(lsa); 2279 if (lsanext) 2280 ospf6_lsa_unlock(lsanext); 2281 break; 2282 } 2283 stream_putw(s, 0); /* reserved */ /ospf6d/ospf6_message.c: 2284 in ospf6_make_lsreq() 2278 ospf6_lsa_unlock(lsa); 2279 if (lsanext) 2280 ospf6_lsa_unlock(lsanext); 2281 break; 2282 } 2283 stream_putw(s, 0); /* reserved */
CID 1505418: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2284 stream_putw(s, ntohs(lsa->header->type)); 2285 stream_putl(s, ntohl(lsa->header->id)); 2286 stream_putl(s, ntohl(lsa->header->adv_router)); 2287 length += sizeof(struct ospf6_lsreq_entry); 2288 last_req = lsa; 2289 } /ospf6d/ospf6_message.c: 2284 in ospf6_make_lsreq() 2278 ospf6_lsa_unlock(lsa); 2279 if (lsanext) 2280 ospf6_lsa_unlock(lsanext); 2281 break; 2282 } 2283 stream_putw(s, 0); /* reserved */
CID 1505418: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2284 stream_putw(s, ntohs(lsa->header->type)); 2285 stream_putl(s, ntohl(lsa->header->id)); 2286 stream_putl(s, ntohl(lsa->header->adv_router)); 2287 length += sizeof(struct ospf6_lsreq_entry); 2288 last_req = lsa; 2289 }
** CID 1505417: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2492 in ospf6_make_ls_retrans_list() /ospf6d/ospf6_message.c: 2492 in ospf6_make_ls_retrans_list() ________________________________________________________________________________________________________ *** CID 1505417: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2492 in ospf6_make_ls_retrans_list() 2486 struct ospf6_lsa *lsa, *lsanext; 2487 2488 /* skip over fixed header */ 2489 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2490 2491 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
CID 1505417: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2492 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2493 + OSPF6_HEADER_SIZE) 2494 > ospf6_packet_max(on->ospf6_if)) { 2495 ospf6_fill_header(on->ospf6_if, (*op)->s, 2496 length + OSPF6_HEADER_SIZE); 2497 (*op)->length = length + OSPF6_HEADER_SIZE; /ospf6d/ospf6_message.c: 2492 in ospf6_make_ls_retrans_list() 2486 struct ospf6_lsa *lsa, *lsanext; 2487 2488 /* skip over fixed header */ 2489 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2490 2491 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
CID 1505417: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2492 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2493 + OSPF6_HEADER_SIZE) 2494 > ospf6_packet_max(on->ospf6_if)) { 2495 ospf6_fill_header(on->ospf6_if, (*op)->s, 2496 length + OSPF6_HEADER_SIZE); 2497 (*op)->length = length + OSPF6_HEADER_SIZE;
** CID 1505415: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1505415: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2295 in ospf6_make_lsreq() 2289 } 2290 2291 if (last_req != NULL) { 2292 if (on->last_ls_req != NULL) 2293 on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req); 2294
CID 1505415: (USE_AFTER_FREE) Calling "ospf6_lsa_lock" dereferences freed pointer "last_req". Reviewer note: `last_req` is assigned from the loop variable `lsa` inside `ALL_LSDB` (line 2288 above) but locked only after the loop at line 2295, so there is a window in which the iterator has already released its reference to that LSA; if nothing else held it in the meantime, `last_req` is stale when locked. Taking the lock at the point `last_req` is set (and unlocking the previously held candidate as it is replaced) removes the window and mirrors what lines 2292-2293 already do for `on->last_ls_req`.
2295 ospf6_lsa_lock(last_req); 2296 on->last_ls_req = last_req; 2297 } 2298 2299 return length; 2300 } /ospf6d/ospf6_message.c: 2295 in ospf6_make_lsreq() 2289 } 2290 2291 if (last_req != NULL) { 2292 if (on->last_ls_req != NULL) 2293 on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req); 2294
CID 1505415: (USE_AFTER_FREE) Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
2295 ospf6_lsa_lock(last_req); 2296 on->last_ls_req = last_req; 2297 } 2298 2299 return length; 2300 }
** CID 1505414: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1505414: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2158 in ospf6_make_dbdesc() 2152 stream_putc(s, on->dbdesc_bits); 2153 stream_putl(s, on->dbdesc_seqnum); 2154 2155 /* if this is not initial one, set LSA headers in dbdesc */ 2156 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) { 2157 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
CID 1505414: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2158 ospf6_lsa_age_update_to_send(lsa, 2159 on->ospf6_if->transdelay); 2160 2161 /* MTU check */ 2162 if ((length + sizeof(struct ospf6_lsa_header) 2163 + OSPF6_HEADER_SIZE) /ospf6d/ospf6_message.c: 2158 in ospf6_make_dbdesc() 2152 stream_putc(s, on->dbdesc_bits); 2153 stream_putl(s, on->dbdesc_seqnum); 2154 2155 /* if this is not initial one, set LSA headers in dbdesc */ 2156 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) { 2157 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
CID 1505414: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2158 ospf6_lsa_age_update_to_send(lsa, 2159 on->ospf6_if->transdelay); 2160 2161 /* MTU check */ 2162 if ((length + sizeof(struct ospf6_lsa_header) 2163 + OSPF6_HEADER_SIZE)
** CID 1505412: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1505412: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2757 in ospf6_make_lsack_interface() 2751 static uint16_t ospf6_make_lsack_interface(struct ospf6_interface *oi, 2752 struct ospf6_packet *op) 2753 { 2754 uint16_t length = 0; 2755 struct ospf6_lsa *lsa, *lsanext; 2756
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2757 for (ALL_LSDB(oi->lsack_list, lsa, lsanext)) { 2758 if ((length + sizeof(struct ospf6_lsa_header) 2759 + OSPF6_HEADER_SIZE) 2760 > ospf6_packet_max(oi)) { 2761 /* if we run out of packet size/space here, 2762 better to try again soon. */ /ospf6d/ospf6_message.c: 2772 in ospf6_make_lsack_interface() 2766 2767 ospf6_lsa_unlock(lsa); 2768 if (lsanext) 2769 ospf6_lsa_unlock(lsanext); 2770 break; 2771 }
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2772 ospf6_lsa_age_update_to_send(lsa, oi->transdelay); 2773 stream_put(op->s, lsa->header, sizeof(struct ospf6_lsa_header)); 2774 length += sizeof(struct ospf6_lsa_header); 2775 2776 assert(lsa->lock == 2); 2777 ospf6_lsdb_remove(lsa, oi->lsack_list); /ospf6d/ospf6_message.c: 2767 in ospf6_make_lsack_interface() 2761 /* if we run out of packet size/space here, 2762 better to try again soon. */ 2763 THREAD_OFF(oi->thread_send_lsack); 2764 thread_add_event(master, ospf6_lsack_send_interface, oi, 2765 0, &oi->thread_send_lsack); 2766
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2767 ospf6_lsa_unlock(lsa); 2768 if (lsanext) 2769 ospf6_lsa_unlock(lsanext); 2770 break; 2771 } 2772 ospf6_lsa_age_update_to_send(lsa, oi->transdelay); /ospf6d/ospf6_message.c: 2757 in ospf6_make_lsack_interface() 2751 static uint16_t ospf6_make_lsack_interface(struct ospf6_interface *oi, 2752 struct ospf6_packet *op) 2753 { 2754 uint16_t length = 0; 2755 struct ospf6_lsa *lsa, *lsanext; 2756
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2757 for (ALL_LSDB(oi->lsack_list, lsa, lsanext)) { 2758 if ((length + sizeof(struct ospf6_lsa_header) 2759 + OSPF6_HEADER_SIZE) 2760 > ospf6_packet_max(oi)) { 2761 /* if we run out of packet size/space here, 2762 better to try again soon. */ /ospf6d/ospf6_message.c: 2772 in ospf6_make_lsack_interface() 2766 2767 ospf6_lsa_unlock(lsa); 2768 if (lsanext) 2769 ospf6_lsa_unlock(lsanext); 2770 break; 2771 }
CID 1505412: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2772 ospf6_lsa_age_update_to_send(lsa, oi->transdelay); 2773 stream_put(op->s, lsa->header, sizeof(struct ospf6_lsa_header)); 2774 length += sizeof(struct ospf6_lsa_header); 2775 2776 assert(lsa->lock == 2); 2777 ospf6_lsdb_remove(lsa, oi->lsack_list);
** CID 1505410: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2631 in ospf6_make_lsupdate_interface() /ospf6d/ospf6_message.c: 2631 in ospf6_make_lsupdate_interface() ________________________________________________________________________________________________________ *** CID 1505410: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2630 in ospf6_make_lsupdate_interface() 2624 uint16_t length = OSPF6_LS_UPD_MIN_SIZE; 2625 struct ospf6_lsa *lsa, *lsanext; 2626 2627 /* skip over fixed header */ 2628 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2629
CID 1505410: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2630 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) { 2631 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2632 + OSPF6_HEADER_SIZE 2633 > ospf6_packet_max(oi)) { 2634 ospf6_fill_header(oi, (*op)->s, 2635 length + OSPF6_HEADER_SIZE); /ospf6d/ospf6_message.c: 2631 in ospf6_make_lsupdate_interface() 2625 struct ospf6_lsa *lsa, *lsanext; 2626 2627 /* skip over fixed header */ 2628 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2629 2630 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
CID 1505410: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2631 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2632 + OSPF6_HEADER_SIZE 2633 > ospf6_packet_max(oi)) { 2634 ospf6_fill_header(oi, (*op)->s, 2635 length + OSPF6_HEADER_SIZE); 2636 (*op)->length = length + OSPF6_HEADER_SIZE; /ospf6d/ospf6_message.c: 2631 in ospf6_make_lsupdate_interface() 2625 struct ospf6_lsa *lsa, *lsanext; 2626 2627 /* skip over fixed header */ 2628 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2629 2630 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
CID 1505410: (USE_AFTER_FREE) Dereferencing freed pointer "lsa".
2631 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2632 + OSPF6_HEADER_SIZE 2633 > ospf6_packet_max(oi)) { 2634 ospf6_fill_header(oi, (*op)->s, 2635 length + OSPF6_HEADER_SIZE); 2636 (*op)->length = length + OSPF6_HEADER_SIZE; /ospf6d/ospf6_message.c: 2630 in ospf6_make_lsupdate_interface() 2624 uint16_t length = OSPF6_LS_UPD_MIN_SIZE; 2625 struct ospf6_lsa *lsa, *lsanext; 2626 2627 /* skip over fixed header */ 2628 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE); 2629
CID 1505410: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2630 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) { 2631 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header) 2632 + OSPF6_HEADER_SIZE 2633 > ospf6_packet_max(oi)) { 2634 ospf6_fill_header(oi, (*op)->s, 2635 length + OSPF6_HEADER_SIZE);
** CID 1505407: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1505407: (USE_AFTER_FREE) /ospf6d/ospf6_message.c: 2309 in ospf6_make_lsack_neighbor() 2303 struct ospf6_packet **op) 2304 { 2305 uint16_t length = 0; 2306 struct ospf6_lsa *lsa, *lsanext; 2307 int lsa_cnt = 0; 2308
CID 1505407: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2309 for (ALL_LSDB(on->lsack_list, lsa, lsanext)) { 2310 if ((length + sizeof(struct ospf6_lsa_header) 2311 + OSPF6_HEADER_SIZE) 2312 > ospf6_packet_max(on->ospf6_if)) { 2313 /* if we run out of packet size/space here, 2314 better to try again soon. */ /ospf6d/ospf6_message.c: 2331 in ospf6_make_lsack_neighbor() 2325 ospf6_make_header(OSPF6_MESSAGE_TYPE_LSACK, 2326 on->ospf6_if, (*op)->s); 2327 length = 0; 2328 lsa_cnt = 0; 2329 } 2330 }
CID 1505407: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2331 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay); 2332 stream_put((*op)->s, lsa->header, 2333 sizeof(struct ospf6_lsa_header)); 2334 length += sizeof(struct ospf6_lsa_header); 2335 2336 assert(lsa->lock == 2); /ospf6d/ospf6_message.c: 2331 in ospf6_make_lsack_neighbor() 2325 ospf6_make_header(OSPF6_MESSAGE_TYPE_LSACK, 2326 on->ospf6_if, (*op)->s); 2327 length = 0; 2328 lsa_cnt = 0; 2329 } 2330 }
CID 1505407: (USE_AFTER_FREE) Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2331 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay); 2332 stream_put((*op)->s, lsa->header, 2333 sizeof(struct ospf6_lsa_header)); 2334 length += sizeof(struct ospf6_lsa_header); 2335 2336 assert(lsa->lock == 2); /ospf6d/ospf6_message.c: 2309 in ospf6_make_lsack_neighbor() 2303 struct ospf6_packet **op) 2304 { 2305 uint16_t length = 0; 2306 struct ospf6_lsa *lsa, *lsanext; 2307 int lsa_cnt = 0; 2308
CID 1505407: (USE_AFTER_FREE) Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2309 for (ALL_LSDB(on->lsack_list, lsa, lsanext)) { 2310 if ((length + sizeof(struct ospf6_lsa_header) 2311 + OSPF6_HEADER_SIZE) 2312 > ospf6_packet_max(on->ospf6_if)) { 2313 /* if we run out of packet size/space here, 2314 better to try again soon. */
** CID 1504898: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1504898: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_dump.c: 591 in ospf_packet_dump() 585 ospf_packet_hello_dump(s, ntohs(ospfh->length)); 586 break; 587 case OSPF_MSG_DB_DESC: 588 ospf_packet_db_desc_dump(s, ntohs(ospfh->length)); 589 break; 590 case OSPF_MSG_LS_REQ:
CID 1504898: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "ntohs(ospfh->length)" to a tainted sink. Reviewer note: `ospf_packet_dump` hands the on-the-wire header length straight to each per-type dumper (lines 585-594). This is a debug path, but the dumpers presumably walk that many bytes of the stream, so unless the caller has already checked `ntohs(ospfh->length)` against the number of bytes actually received (not visible here), a short or crafted packet lets the dump read past the end of the buffer. Clamping to the stream's remaining size at the top of the dump, or a comment naming the caller's validation, would settle the finding.
591 ospf_packet_ls_req_dump(s, ntohs(ospfh->length)); 592 break; 593 case OSPF_MSG_LS_UPD: 594 ospf_packet_ls_upd_dump(s, ntohs(ospfh->length)); 595 break; 596 case OSPF_MSG_LS_ACK:
** CID 1504897: Memory - corruptions (OVERRUN) /ospfd/ospf_apiserver.c: 1175 in ospf_apiserver_handle_register_event() ________________________________________________________________________________________________________ *** CID 1504897: Memory - corruptions (OVERRUN) /ospfd/ospf_apiserver.c: 1175 in ospf_apiserver_handle_register_event() 1169 size = ntohs(msg->hdr.msglen); 1170 if (size < OSPF_MAX_LSA_SIZE) { 1171 1172 apiserv->filter = XMALLOC(MTYPE_OSPF_APISERVER_MSGFILTER, size); 1173 1174 /* copy it over. */
CID 1504897: Memory - corruptions (OVERRUN) Overrunning struct type lsa_filter_type of 4 bytes by passing it to a function which accesses it at byte offset 1498 using argument "size" (which evaluates to 1499). Reviewer note: `size` is the client-supplied `msglen` from the message header (line 1169) and the only check is the upper bound `size < OSPF_MAX_LSA_SIZE` (line 1170). The `memcpy` at line 1175 then reads `size` bytes starting at `&rmsg->filter`; that is only safe if `msglen` was verified against the byte count actually read from the client when the message was received, and if `size` is at least `sizeof(struct lsa_filter_type)` so the fixed part is complete. If that earlier validation exists (not visible here) this is a false positive on the declared struct size; if not, a client can make the server copy past the end of the received buffer. A lower-bound check and a comment tying `size` to the received length would be cheap either way.
1175 memcpy(apiserv->filter, &rmsg->filter, size); 1176 rc = OSPF_API_OK; 1177 } else 1178 rc = OSPF_API_NOMEMORY; 1179 1180 /* Send a reply back to client with return code */
** CID 1482217: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1482217: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_packet.c: 355 in ospf_check_md5_digest() 349 EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE); 350 EVP_DigestFinal(ctx, digest, &md5_size); 351 EVP_MD_CTX_free(ctx); 352 #elif CRYPTO_INTERNAL 353 memset(&ctx, 0, sizeof(ctx)); 354 MD5Init(&ctx);
CID 1482217: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "length" to a tainted sink. Reviewer note: the digest in `ospf_check_md5_digest` is computed over `length` bytes of the received packet (line 355, and the OpenSSL branch above it); `length` must already have been bounded to the received byte count before this point — the excerpt does not show that check — or a packet advertising a larger length makes the hash read beyond the buffer. Separately, the digest comparison that follows the `/* compare the two */` marker at line 360 is not shown; it should be a constant-time comparison rather than a plain `memcmp`, since an early-exit compare leaks to a network peer how many leading digest bytes matched.
355 MD5Update(&ctx, ospfh, length); 356 MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE); 357 MD5Final(digest, &ctx); 358 #endif 359 360 /* compare the two */
** CID 1482211: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1482211: Insecure data handling (TAINTED_SCALAR) /ospfd/ospf_packet.c: 430 in ospf_make_md5_digest() 424 EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE); 425 EVP_DigestFinal(ctx, digest, &md5_size); 426 EVP_MD_CTX_free(ctx); 427 #elif CRYPTO_INTERNAL 428 memset(&ctx, 0, sizeof(ctx)); 429 MD5Init(&ctx);
CID 1482211: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "ntohs(ospfh->length)" to a tainted sink. Reviewer note: `ospf_make_md5_digest` is the outbound side (the digest is appended to the stream being built, per the comment at line 435), so `ospfh->length` here is the header the sender itself wrote into `ibuf`; the taint label is most likely inherited from the shared header type rather than from received data and this can probably be triaged as a false positive. It would still be worth asserting that `ntohs(ospfh->length)` does not exceed the bytes present in `ibuf`, so a header-construction bug cannot become an over-read while hashing.
430 MD5Update(&ctx, ibuf, ntohs(ospfh->length)); 431 MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE); 432 MD5Final(digest, &ctx); 433 #endif 434 435 /* Append md5 digest to the end of the stream. */
** CID 1482199: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 1482199: Memory - corruptions (OVERRUN) /babeld/message.c: 1277 in flushupdates() 1271 update_source(route->src, seqno, metric); 1272 last_prefix = route->src->prefix; 1273 last_plen = route->src->plen; 1274 } else { 1275 /* There's no route for this prefix. This can happen shortly 1276 after an xroute has been retracted, so send a retraction. */
CID 1482199: Memory - corruptions (OVERRUN) Overrunning array "b[i].prefix" of 16 bytes by passing it to a function which accesses it at byte offset 27. Reviewer note: `really_send_update` is handed `b[i].prefix` together with `b[i].plen` (line 1277), and Coverity found a path on which the callee indexes the prefix by a byte count derived from `plen` that exceeds the 16-byte array. Where `b[i].plen` is populated is outside this excerpt; a 16-byte prefix can describe at most 128 bits, so either the producer of `b[]` must guarantee `plen` never exceeds that or the retraction path should reject such entries before sending.
1277 really_send_update(ifp, myid, b[i].prefix, b[i].plen, 1278 myseqno, INFINITY, NULL, -1); 1279 } 1280 } 1281 schedule_flush_now(ifp); 1282 done:
** CID 1482187: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1482187: Insecure data handling (TAINTED_SCALAR) /ospf6d/ospf6_message.c: 1580 in ospf6_lsupdate_recv() 1574 1575 /* Process LSAs */ 1576 for (p = (char *)((caddr_t)lsupdate + sizeof(struct ospf6_lsupdate)); 1577 p < OSPF6_MESSAGE_END(oh) 1578 && p + OSPF6_LSA_SIZE(p) <= OSPF6_MESSAGE_END(oh); 1579 p += OSPF6_LSA_SIZE(p)) {
CID 1482187: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "((struct ospf6_lsa_header *)p)->length" to a tainted sink. Reviewer note: the loop condition at lines 1577-1578 does check that each LSA fits inside the message (`p + OSPF6_LSA_SIZE(p) <= OSPF6_MESSAGE_END(oh)`), but `OSPF6_LSA_SIZE(p)` reads the header's length field before anything confirms a full `struct ospf6_lsa_header` is present at `p`, and nothing here rejects an advertised length smaller than the header itself. Note also the `assert(p == OSPF6_MESSAGE_END(oh))` at line 1583: if a received update can reach this code without an earlier validation pass, an LSA whose size does not land exactly on the message end aborts the daemon on peer-supplied data. If the packet is validated by an examination step before `ospf6_lsupdate_recv` is entered (not visible here), a comment saying so would let this be closed as intentional.
1580 ospf6_receive_lsa(on, (struct ospf6_lsa_header *)p); 1581 } 1582 1583 assert(p == OSPF6_MESSAGE_END(oh)); 1584 } 1585
** CID 1482175: (TAINTED_SCALAR) /ospfd/ospf_apiserver.c: 2107 in ospf_apiserver_show_info() /ospfd/ospf_apiserver.c: 2094 in ospf_apiserver_show_info() ________________________________________________________________________________________________________ *** CID 1482175: (TAINTED_SCALAR) /ospfd/ospf_apiserver.c: 2107 in ospf_apiserver_show_info() 2101 " Added using OSPF API: %u octets of opaque data %s", 2102 opaquelen, 2103 VALID_OPAQUE_INFO_LEN(lsa->data) ? "" 2104 : "(Invalid length?)"); 2105 zlog_debug(" Opaque data: "); 2106
CID 1482175: (TAINTED_SCALAR) Using tainted variable "opaquelen" as a loop boundary. Reviewer note: the `VALID_OPAQUE_INFO_LEN(lsa->data)` check at line 2103 only selects the "(Invalid length?)" suffix of the log message; the dump loop at line 2107 still walks all `opaquelen` bytes of `olsa->data` regardless, so an LSA with an inconsistent opaque length is reported as invalid and then read anyway. Bound the loop to the validated length (or skip the byte dump when the check fails) so debug output cannot read past the LSA.
2107 for (i = 0; i < opaquelen; i++) { 2108 zlog_debug("0x%x ", olsa->data[i]); 2109 } 2110 } 2111 return; 2112 } /ospfd/ospf_apiserver.c: 2094 in ospf_apiserver_show_info() 2088 " Added using OSPF API: %u octets of opaque data %s\n", 2089 opaquelen, 2090 VALID_OPAQUE_INFO_LEN(lsa->data) ? "" 2091 : "(Invalid length?)"); 2092 vty_out(vty, " Opaque data: "); 2093
CID 1482175: (TAINTED_SCALAR) Using tainted variable "opaquelen" as a loop boundary. Reviewer note: same issue on the vty path — the validity check at line 2090 only changes the printed suffix, while the loop at line 2094 dumps `opaquelen` bytes unconditionally; gate the loop on the same check, or on the validated length, rather than on the raw value.
2094 for (i = 0; i < opaquelen; i++) { 2095 vty_out(vty, "0x%x ", olsa->data[i]); 2096 } 2097 vty_out(vty, "\n"); 2098 } else { 2099 int i;
** CID 1482165: Insecure data handling (TAINTED_SCALAR) /ospf6d/ospf6_lsa.c: 251 in ospf6_lsa_is_changed() ________________________________________________________________________________________________________ *** CID 1482165: Insecure data handling (TAINTED_SCALAR) /ospf6d/ospf6_lsa.c: 251 in ospf6_lsa_is_changed() 245 length = OSPF6_LSA_SIZE(lsa1->header) - sizeof(struct ospf6_lsa_header); 246 /* Once upper layer verifies LSAs received, length underrun should 247 * become a warning. */ 248 if (length <= 0) 249 return 0; 250
CID 1482165: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "length" to a tainted sink. Reviewer note: `length` is taken from `lsa1` alone (line 245) yet `memcmp` reads the same number of bytes from `lsa2` (lines 251-252); unless the lines preceding 245 (not shown) already confirm both headers carry the same length, a shorter `lsa2` is read past its end. The `length <= 0` guard at line 248 also relies on `length` being a signed type — if its declaration is unsigned the underrun check never fires; worth confirming.
251 return memcmp(OSPF6_LSA_HEADER_END(lsa1->header), 252 OSPF6_LSA_HEADER_END(lsa2->header), length); 253 } 254 255 /* ospf6 age functions */ 256 /* calculate birth */
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0... (note: this is a SendGrid click-tracking redirect, truncated in the archive; resolve the project's Coverity Scan dashboard directly rather than following the partial link).