New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 11 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 11 of 11 defect(s) ** CID 1479721: Null pointer dereferences (FORWARD_NULL) /ripngd/ripng_interface.c: 187 in ripng_if_down() ________________________________________________________________________________________________________ *** CID 1479721: Null pointer dereferences (FORWARD_NULL) /ripngd/ripng_interface.c: 187 in ripng_if_down() 181 182 if (ri->running) { 183 if (IS_RIPNG_DEBUG_EVENT) 184 zlog_debug("turn off %s", ifp->name); 185 186 /* Leave from multicast group. */
CID 1479721: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "ripng".
187 ripng_multicast_leave(ifp, ripng->sock); 188 189 ri->running = 0; 190 } 191 192 return 0;
** CID 1479720: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 1479720: Memory - corruptions (OVERRUN) /isisd/fabricd.c: 389 in fabricd_calculate_fabric_tier() 383 384 if (!furthest_from_remote) { 385 zlog_info("OpenFabric: Found no furthest node in remote spf"); 386 isis_spftree_del(remote_tree); 387 return ISIS_TIER_UNDEFINED; 388 } else {
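CID 1479720: Memory - corruptions (OVERRUN) Overrunning array "furthest_from_remote->N.id" of 7 bytes by passing it to a function which accesses it at byte offset 7. [Note: valid offsets in a 7-byte array are 0-6, so the access at offset 7 is one byte past the end of "N.id". The function receiving the array is rawlspid_print(), called at lines 389-390.]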
389 zlog_info("OpenFabric: Found %s as furthest from remote dist == %" 390 PRIu32, rawlspid_print(furthest_from_remote->N.id), 391 furthest_from_remote->d_N); 392 } 393 394 int64_t tier = furthest_from_remote->d_N - furthest_t0->d_N;
** CID 1479719: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1479719: Null pointer dereferences (FORWARD_NULL) /pimd/pim_vxlan.c: 351 in pim_vxlan_orig_mr_up_add() 345 nht_p.u.prefix4 = up->upstream_addr; 346 pim_delete_tracked_nexthop(vxlan_sg->pim, 347 &nht_p, up, NULL); 348 } 349 pim_upstream_ref(up, flags, __PRETTY_FUNCTION__); 350 vxlan_sg->up = up;
CID 1479719: Null pointer dereferences (FORWARD_NULL) Passing "vxlan_sg" to "pim_vxlan_orig_mr_up_iif_update", which dereferences null "vxlan_sg->iif".
351 pim_vxlan_orig_mr_up_iif_update(vxlan_sg); 352 } else { 353 up = pim_upstream_add(vxlan_sg->pim, &vxlan_sg->sg, 354 vxlan_sg->iif, flags, 355 __PRETTY_FUNCTION__, NULL); 356 vxlan_sg->up = up;
** CID 1479718: (BUFFER_SIZE_WARNING) /zebra/zebra_dplane.c: 1709 in intf_addr_update_internal() /zebra/zebra_dplane.c: 1737 in intf_addr_update_internal() ________________________________________________________________________________________________________ *** CID 1479718: (BUFFER_SIZE_WARNING) /zebra/zebra_dplane.c: 1709 in intf_addr_update_internal() 1703 zns = zebra_ns_lookup(ifp->vrf_id); 1704 dplane_ctx_ns_init(ctx, zns, false); 1705 1706 /* Init the interface-addr-specific area */ 1707 memset(&ctx->u.intf, 0, sizeof(ctx->u.intf)); 1708
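CID 1479718: (BUFFER_SIZE_WARNING) Calling strncpy with a maximum size argument of 20 bytes on destination array "ctx->u.intf.ifname" of size 20 bytes might leave the destination string unterminated. [Note: the memset() at line 1707 zeroes the destination first, but a copy bounded by the full 20 bytes overwrites the last zero byte whenever "ifp->name" is 20 characters or longer. Bounding the copy to sizeof(...) - 1, or using a copy routine that always terminates (such as strlcpy() where available), closes the gap.]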
1709 strncpy(ctx->u.intf.ifname, ifp->name, sizeof(ctx->u.intf.ifname)); 1710 ctx->u.intf.ifindex = ifp->ifindex; 1711 ctx->u.intf.prefix = *(ifc->address); 1712 1713 if (if_is_broadcast(ifp)) 1714 ctx->u.intf.flags |= DPLANE_INTF_BROADCAST; /zebra/zebra_dplane.c: 1737 in intf_addr_update_internal() 1731 ctx->u.intf.flags |= DPLANE_INTF_HAS_LABEL; 1732 1733 /* Use embedded buffer if it's adequate; else allocate. */ 1734 len = strlen(ifc->label); 1735 1736 if (len < sizeof(ctx->u.intf.label_buf)) {
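CID 1479718: (BUFFER_SIZE_WARNING) Calling strncpy with a maximum size argument of 32 bytes on destination array "ctx->u.intf.label_buf" of size 32 bytes might leave the destination string unterminated. [Note: at this call site the copy is guarded by "len < sizeof(ctx->u.intf.label_buf)" (line 1736), so the source string and its terminator fit in the 32-byte buffer and strncpy() writes the terminator. The warning is about the call pattern; the guard is what keeps this instance terminated, and it must stay in place if the code is changed.]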
1737 strncpy(ctx->u.intf.label_buf, ifc->label, 1738 sizeof(ctx->u.intf.label_buf)); 1739 ctx->u.intf.label = ctx->u.intf.label_buf; 1740 } else { 1741 ctx->u.intf.label = strdup(ifc->label); 1742 }
** CID 1479717: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1479717: Null pointer dereferences (FORWARD_NULL) /pimd/pim_vxlan.c: 947 in pim_vxlan_term_mr_oif_update() 941 if (PIM_DEBUG_VXLAN) 942 zlog_debug("vxlan SG %s term oif changed from %s to %s", 943 vxlan_sg->sg_str, 944 vxlan_sg->term_oif ? vxlan_sg->term_oif->name : "-", 945 ifp ? ifp->name : "-"); 946
CID 1479717: Null pointer dereferences (FORWARD_NULL) Passing "vxlan_sg" to "pim_vxlan_term_mr_del", which dereferences null "vxlan_sg->term_oif".
947 pim_vxlan_term_mr_del(vxlan_sg); 948 vxlan_sg->term_oif = ifp; 949 pim_vxlan_term_mr_add(vxlan_sg); 950 } 951 952 void pim_vxlan_add_term_dev(struct pim_instance *pim,
** CID 1479716: Null pointer dereferences (REVERSE_INULL) /pimd/pim_vxlan.c: 267 in pim_vxlan_orig_mr_up_iif_update() ________________________________________________________________________________________________________ *** CID 1479716: Null pointer dereferences (REVERSE_INULL) /pimd/pim_vxlan.c: 267 in pim_vxlan_orig_mr_up_iif_update() 261 pim_scan_individual_oil(vxlan_sg->up->channel_oil, 262 vif_index); 263 264 if (PIM_DEBUG_VXLAN) 265 zlog_debug("vxlan SG %s orig mroute-up updated with iif %s vifi %d", 266 vxlan_sg->sg_str,
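CID 1479716: Null pointer dereferences (REVERSE_INULL) Null-checking "vxlan_sg->iif" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. [Note: this is the same field that CID 1479719 reports as possibly null when pim_vxlan_orig_mr_up_iif_update() is called. The check at line 267 comes too late to protect the earlier dereferences.]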
267 vxlan_sg->iif?vxlan_sg->iif->name:"-", vif_index); 268 269 } 270 271 /* For every VxLAN BUM multicast group we setup a SG-up that has the following 272 * "forced properties" -
** CID 1479715: API usage errors (USE_AFTER_FREE) /ospfd/ospf_network.c: 239 in ospf_sock_init() ________________________________________________________________________________________________________ *** CID 1479715: API usage errors (USE_AFTER_FREE) /ospfd/ospf_network.c: 239 in ospf_sock_init() 233 if (ret < 0) 234 flog_err(EC_LIB_SOCKET, 235 "Can't set pktinfo option for fd %d", 236 ospf_sock); 237 } 238
CID 1479715: API usage errors (USE_AFTER_FREE) Passing closed handle "ospf_sock" as an argument to "setsockopt_so_sendbuf".
239 setsockopt_so_sendbuf(ospf_sock, bufsize); 240 setsockopt_so_recvbuf(ospf_sock, bufsize); 241 242 ospf->fd = ospf_sock; 243 return ret;
** CID 1479714: Security best practices violations (DC.WEAK_CRYPTO) /lib/typesafe.c: 194 in typesafe_skiplist_add() ________________________________________________________________________________________________________ *** CID 1479714: Security best practices violations (DC.WEAK_CRYPTO) /lib/typesafe.c: 194 in typesafe_skiplist_add() 188 { 189 size_t level = SKIPLIST_MAXDEPTH, newlevel, auxlevel; 190 struct sskip_item *prev = &head->hitem, *next, *auxprev, *auxnext; 191 int cmpval; 192 193 /* level / newlevel are 1-counted here */
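CID 1479714: Security best practices violations (DC.WEAK_CRYPTO) "random" should not be used for security related applications, as linear congruential algorithms are too easy to break. [Note: in the excerpt, random() only picks the level of a newly inserted skiplist node (line 194); no key or token is derived from it. Whether a stronger generator is needed depends on whether predictable levels matter for this data structure, which the report does not establish.]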
194 newlevel = __builtin_ctz(random()) + 1; 195 if (newlevel > SKIPLIST_MAXDEPTH) 196 newlevel = SKIPLIST_MAXDEPTH; 197 198 next = NULL; 199 while (level >= newlevel) {
** CID 1479713: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1479713: Null pointer dereferences (FORWARD_NULL) /zebra/zebra_vty_clippy.c: 208 in show_ip_nht() 202 } 203 #if 1 /* anything that can fail? */ 204 if (_failcnt) 205 return CMD_WARNING; 206 #endif 207 #endif
CID 1479713: Null pointer dereferences (FORWARD_NULL) Passing null pointer "type" to "show_ip_nht_magic", which dereferences it.
208 return show_ip_nht_magic(self, vty, argc, argv, ipv4, ipv6, type, addr, addr_str, vrf_name, vrf_all); 209 } 210 211 /* show_route => "show < ip$ipv4 <fib$fib|route> [vrf <NAME$vrf_name|all$vrf_all>] [{ tag (1-4294967295) |A.B.C.D/M$prefix longer-prefixes |supernets-only$supernets_only }] [< RR_IP_REDIST_STR_ZEBR$type_str |ospf$type_str (1-65535)$ospf_instance_id >] |ipv6$ipv6 <fib$fib|route> [vrf <NAME$vrf_name|all$vrf_all>] [{ tag (1-4294967295) |X:X::X:X/M$prefix longer-prefixes }] [RR_IP6_REDIST_STR_ZEBR$type_str] > [json$json]" */ 212 DEFUN_CMD_FUNC_DECL(show_route) 213 #define funcdecl_show_route static int show_route_magic(\
** CID 1479712: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 1479712: Memory - corruptions (OVERRUN) /isisd/fabricd.c: 375 in fabricd_calculate_fabric_tier() 369 370 if (!second_furthest_t0) { 371 zlog_info("OpenFabric: Could not find two T0 routers"); 372 return ISIS_TIER_UNDEFINED; 373 } 374
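CID 1479712: Memory - corruptions (OVERRUN) Overrunning array "furthest_t0->N.id" of 7 bytes by passing it to a function which accesses it at byte offset 7. [Note: valid offsets in a 7-byte array are 0-6, so the access at offset 7 is one byte past the end of "N.id". The function receiving the array is rawlspid_print(), called at line 376; CID 1479720 reports the same pattern in the same function.]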
375 zlog_info("OpenFabric: Found %s as furthest t0 from local system, dist == %" 376 PRIu32, rawlspid_print(furthest_t0->N.id), furthest_t0->d_N); 377 378 struct isis_spftree *remote_tree = 379 isis_run_hopcount_spf(area, furthest_t0->N.id, NULL); 380
** CID 1479711: Error handling issues (CHECKED_RETURN) /pimd/pim_zebra.c: 1012 in igmp_source_forward_start() ________________________________________________________________________________________________________ *** CID 1479711: Error handling issues (CHECKED_RETURN) /pimd/pim_zebra.c: 1012 in igmp_source_forward_start() 1006 grp.u.prefix4 = sg.grp; 1007 1008 up = pim_upstream_find(pim, &sg); 1009 if (up) { 1010 memcpy(&nexthop, &up->rpf.source_nexthop, 1011 sizeof(struct pim_nexthop));
CID 1479711: Error handling issues (CHECKED_RETURN) Calling "pim_ecmp_nexthop_lookup" without checking return value (as is done elsewhere 8 out of 9 times).
1012 pim_ecmp_nexthop_lookup(pim, &nexthop, &src, 1013 &grp, 0); 1014 if (nexthop.interface) 1015 input_iface_vif_index = 1016 pim_if_find_vifindex_by_ifindex( 1017 pim,
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...