New Defects reported by Coverity Scan for freerangerouting/frr
Hi, Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 102 new defect(s) introduced to freerangerouting/frr found with Coverity Scan. 24 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 102 defect(s) ** CID 1519830: (NULL_RETURNS) /bgpd/bgp_evpn_vty.c: 4059 in no_bgp_evpn_advertise_type5() /bgpd/bgp_evpn_vty.c: 4074 in no_bgp_evpn_advertise_type5() ________________________________________________________________________________________________________ *** CID 1519830: (NULL_RETURNS) /bgpd/bgp_evpn_vty.c: 4059 in no_bgp_evpn_advertise_type5() 4053 4054 if (afi == AFI_IP) { 4055 4056 /* if we are not advertising ipv4 prefix as type-5 4057 * nothing to do 4058 */
CID 1519830: (NULL_RETURNS) Dereferencing "bgp_vrf", which is known to be "NULL".
4059 if ((CHECK_FLAG(bgp_vrf->af_flags[AFI_L2VPN][SAFI_EVPN], 4060 BGP_L2VPN_EVPN_ADV_IPV4_UNICAST)) || 4061 (CHECK_FLAG(bgp_vrf->af_flags[AFI_L2VPN][SAFI_EVPN], 4062 BGP_L2VPN_EVPN_ADV_IPV4_UNICAST_GW_IP))) { 4063 bgp_evpn_withdraw_type5_routes(bgp_vrf, afi, safi); 4064 UNSET_FLAG(bgp_vrf->af_flags[AFI_L2VPN][SAFI_EVPN], /bgpd/bgp_evpn_vty.c: 4074 in no_bgp_evpn_advertise_type5() 4068 } 4069 } else { 4070 4071 /* if we are not advertising ipv6 prefix as type-5 4072 * nothing to do 4073 */
CID 1519830: (NULL_RETURNS) Dereferencing "bgp_vrf", which is known to be "NULL".
4074 if ((CHECK_FLAG(bgp_vrf->af_flags[AFI_L2VPN][SAFI_EVPN], 4075 BGP_L2VPN_EVPN_ADV_IPV6_UNICAST)) || 4076 (CHECK_FLAG(bgp_vrf->af_flags[AFI_L2VPN][SAFI_EVPN], 4077 BGP_L2VPN_EVPN_ADV_IPV6_UNICAST_GW_IP))){ 4078 bgp_evpn_withdraw_type5_routes(bgp_vrf, afi, safi); 4079 UNSET_FLAG(bgp_vrf->af_flags[AFI_L2VPN][SAFI_EVPN],
** CID 1519829: Integer handling issues (BAD_SHIFT) /pathd/path_pcep_pcc.c: 151 in plspid_map_add() ________________________________________________________________________________________________________ *** CID 1519829: Integer handling issues (BAD_SHIFT) /pathd/path_pcep_pcc.c: 151 in plspid_map_add() 145 static uint32_t nbkey_map_hash(const struct nbkey_map_data *e); 146 static int req_map_cmp(const struct req_map_data *a, 147 const struct req_map_data *b); 148 static uint32_t req_map_hash(const struct req_map_data *e); 149 150 /* Data Structure Declarations */
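CID 1519829: Integer handling issues (BAD_SHIFT) In expression "hval >> 33 - h->hh.tabshift", right shifting by more than 31 bits has undefined behavior. The shift amount, "33 - h->hh.tabshift", is 33, i.e. the flagged path is the one where "h->hh.tabshift" is 0. The expression does not appear in the lines shown; it is presumably in the code that the DECLARE_HASH macro on line 151 expands to.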
151 DECLARE_HASH(plspid_map, struct plspid_map_data, mi, plspid_map_cmp, 152 plspid_map_hash); 153 DECLARE_HASH(nbkey_map, struct nbkey_map_data, mi, nbkey_map_cmp, 154 nbkey_map_hash); 155 DECLARE_HASH(req_map, struct req_map_data, mi, req_map_cmp, req_map_hash); 156
** CID 1519828: High impact quality (Y2K38_SAFETY) /pimd/mtracebis_netlink.c: 95 in rtnl_open_byproto() ________________________________________________________________________________________________________ *** CID 1519828: High impact quality (Y2K38_SAFETY) /pimd/mtracebis_netlink.c: 95 in rtnl_open_byproto() 89 } 90 if (rth->local.nl_family != AF_NETLINK) { 91 fprintf(stderr, "Wrong address family %d\n", 92 rth->local.nl_family); 93 return -1; 94 }
CID 1519828: High impact quality (Y2K38_SAFETY) A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "time(NULL)" is cast to "__u32".
95 rth->seq = time(NULL); 96 return 0; 97 } 98 99 int rtnl_open(struct rtnl_handle *rth, unsigned subscriptions) 100 {
** CID 1519827: Security best practices violations (DC.WEAK_CRYPTO) /nhrpd/nhrp_peer.c: 337 in nhrp_peer_check() ________________________________________________________________________________________________________ *** CID 1519827: Security best practices violations (DC.WEAK_CRYPTO) /nhrpd/nhrp_peer.c: 337 in nhrp_peer_check() 331 thread_add_timer( 332 master, nhrp_peer_request_timeout, p, 333 (nifp->ipsec_fallback_profile && !p->prio) ? 15 : 30, 334 &p->t_fallback); 335 } else { 336 /* Maximum timeout is 1 second */
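CID 1519827: Security best practices violations (DC.WEAK_CRYPTO) "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break. In the lines shown, the result is reduced modulo 1000 into "r_time_ms", the millisecond delay reported in the debug message ("after %d ms") and apparently used for the timer scheduled on line 342; whether the predictability of that delay matters is for the maintainers to judge.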
337 int r_time_ms = rand() % 1000; 338 339 debugf(NHRP_DEBUG_COMMON, 340 "Initiating IPsec connection request to %pSU after %d ms:", 341 &vc->remote.nbma, r_time_ms); 342 thread_add_timer_msec(master, nhrp_peer_defer_vici_request,
** CID 1519826: Integer handling issues (BAD_SHIFT) /lib/qobj.c: 45 in qobj_nodes_add() ________________________________________________________________________________________________________ *** CID 1519826: Integer handling issues (BAD_SHIFT) /lib/qobj.c: 45 in qobj_nodes_add() 39 return -1; 40 if (na->nid > nb->nid) 41 return 1; 42 return 0; 43 } 44
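CID 1519826: Integer handling issues (BAD_SHIFT) In expression "hval >> 33 - h->hh.tabshift", right shifting by more than 31 bits has undefined behavior. The shift amount, "33 - h->hh.tabshift", is 33, i.e. the flagged path is the one where "h->hh.tabshift" is 0. The expression does not appear in the lines shown; it is presumably in the code that the DECLARE_HASH macro on line 45 expands to.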
45 DECLARE_HASH(qobj_nodes, struct qobj_node, nodehash, 46 qobj_cmp, qobj_hash); 47 48 static pthread_rwlock_t nodes_lock; 49 static struct qobj_nodes_head nodes = { }; 50
** CID 1519825: Null pointer dereferences (NULL_RETURNS) /ospfd/ospf_ti_lfa.c: 123 in ospf_ti_lfa_find_q_node() ________________________________________________________________________________________________________ *** CID 1519825: Null pointer dereferences (NULL_RETURNS) /ospfd/ospf_ti_lfa.c: 123 in ospf_ti_lfa_find_q_node() 117 { 118 struct listnode *curr_node, *next_node; 119 struct vertex *p_node, *q_node, *q_space_parent = NULL, *pc_node_parent; 120 struct vertex_parent *pc_vertex_parent; 121 122 curr_node = listnode_lookup(q_space->pc_path, pc_node);
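CID 1519825: Null pointer dereferences (NULL_RETURNS) Dereferencing "curr_node", which is known to be "NULL". "curr_node" is the return value of "listnode_lookup(q_space->pc_path, pc_node)" on line 122 and is dereferenced on line 123 with no NULL test in between.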
123 next_node = curr_node->next; 124 pc_node_parent = listgetdata(next_node); 125 pc_vertex_parent = 126 ospf_spf_vertex_parent_find(pc_node_parent->id, pc_node); 127 128 p_node = ospf_spf_vertex_find(pc_node->id, p_space->vertex_list);
** CID 1519824: Null pointer dereferences (REVERSE_INULL) /pimd/pim_ifchannel.c: 640 in ifjoin_to_noinfo() ________________________________________________________________________________________________________ *** CID 1519824: Null pointer dereferences (REVERSE_INULL) /pimd/pim_ifchannel.c: 640 in ifjoin_to_noinfo() 634 635 static void ifjoin_to_noinfo(struct pim_ifchannel *ch) 636 { 637 pim_ifchannel_ifjoin_switch(__func__, ch, PIM_IFJOIN_NOINFO); 638 pim_forward_stop(ch); 639
CID 1519824: Null pointer dereferences (REVERSE_INULL) Null-checking "ch->upstream" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
640 if (ch->upstream) 641 PIM_UPSTREAM_FLAG_UNSET_SRC_PIM(ch->upstream->flags); 642 643 PIM_IF_FLAG_UNSET_PROTO_PIM(ch->flags); 644 645 delete_on_noinfo(ch);
** CID 1519823: Insecure data handling (TAINTED_SCALAR) /nhrpd/nhrp_peer.c: 1097 in nhrp_packet_debug() ________________________________________________________________________________________________________ *** CID 1519823: Insecure data handling (TAINTED_SCALAR) /nhrpd/nhrp_peer.c: 1097 in nhrp_packet_debug() 1091 if (likely(!(debug_flags & NHRP_DEBUG_COMMON))) 1092 return; 1093 1094 zbuf_init(&zhdr, zb->buf, zb->tail - zb->buf, zb->tail - zb->buf); 1095 hdr = nhrp_packet_pull(&zhdr, &src_nbma, &src_proto, &dst_proto); 1096
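CID 1519823: Insecure data handling (TAINTED_SCALAR) Using tainted variable "hdr->type" as an index into an array "packet_types". "hdr" is the result of "nhrp_packet_pull" on the packet buffer (line 1095), and no range check on "hdr->type" appears in the lines shown before it is used as the index.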
1097 reply = packet_types[hdr->type].type == PACKET_REPLY; 1098 debugf(NHRP_DEBUG_COMMON, "%s %s(%d) %pSU -> %pSU", dir, 1099 (packet_types[hdr->type].name ? packet_types[hdr->type].name 1100 : "Unknown"), 1101 hdr->type, reply ? &dst_proto : &src_proto, 1102 reply ? &src_proto : &dst_proto);
** CID 1519822: High impact quality (Y2K38_SAFETY) /isisd/isis_lsp.c: 1414 in lsp_generate() ________________________________________________________________________________________________________ *** CID 1519822: High impact quality (Y2K38_SAFETY) /isisd/isis_lsp.c: 1414 in lsp_generate() 1408 "ISIS (%s): Built L%d LSP. Set triggered regenerate to non-pending.", 1409 area->area_tag, level); 1410 1411 #ifndef FABRICD 1412 /* send northbound notification */ 1413 isis_notif_lsp_gen(area, newlsp->hdr.lsp_id, newlsp->hdr.seqno,
CID 1519822: High impact quality (Y2K38_SAFETY) A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "newlsp->last_generated" is cast to "uint32_t".
1414 newlsp->last_generated); 1415 #endif /* ifndef FABRICD */ 1416 1417 return ISIS_OK; 1418 } 1419
** CID 1519821: Null pointer dereferences (REVERSE_INULL) /pimd/pim_cmd.c: 5532 in show_ip_msdp_mesh_group() ________________________________________________________________________________________________________ *** CID 1519821: Null pointer dereferences (REVERSE_INULL) /pimd/pim_cmd.c: 5532 in show_ip_msdp_mesh_group() 5526 int idx = 2; 5527 struct pim_msdp_mg *mg; 5528 struct vrf *vrf = pim_cmd_lookup_vrf(vty, argv, argc, &idx); 5529 struct pim_instance *pim = vrf->info; 5530 struct json_object *json = NULL; 5531
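CID 1519821: Null pointer dereferences (REVERSE_INULL) Null-checking "vrf" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. The earlier dereference is "vrf->info" in the initializer of "pim" on line 5529, which runs before the "if (!vrf)" test on line 5532.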
5532 if (!vrf) 5533 return CMD_WARNING; 5534 5535 /* Quick case: list is empty. */ 5536 if (SLIST_EMPTY(&pim->msdp.mglist)) { 5537 if (uj)
** CID 1519820: Memory - illegal accesses (USE_AFTER_FREE) /lib/link_state.c: 1805 in ls_msg2edge() ________________________________________________________________________________________________________ *** CID 1519820: Memory - illegal accesses (USE_AFTER_FREE) /lib/link_state.c: 1805 in ls_msg2edge() 1799 break; 1800 default: 1801 edge = NULL; 1802 break; 1803 } 1804
CID 1519820: Memory - illegal accesses (USE_AFTER_FREE) Using freed pointer "edge".
1805 return edge; 1806 } 1807 1808 struct ls_subnet *ls_msg2subnet(struct ls_ted *ted, struct ls_message *msg, 1809 bool delete) 1810 {
** CID 1519819: Memory - illegal accesses (USE_AFTER_FREE) /pathd/path_pcep_pcc.c: 1330 in handle_pcep_lsp_initiate() ________________________________________________________________________________________________________ *** CID 1519819: Memory - illegal accesses (USE_AFTER_FREE) /pathd/path_pcep_pcc.c: 1330 in handle_pcep_lsp_initiate() 1324 } else { 1325 /* FIXME: Monitor the amount of errors from the PCE and 1326 * possibly disconnect and blacklist */ 1327 flog_warn(EC_PATH_PCEP_UNSUPPORTED_PCEP_FEATURE, 1328 "Unsupported PCEP protocol feature: %s", err); 1329 pcep_free_path(path);
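CID 1519819: Memory - illegal accesses (USE_AFTER_FREE) Passing freed pointer "path" as an argument to "send_pcep_error". The free is the "pcep_free_path(path)" call on line 1329, immediately before "path" is passed as the last argument on line 1331.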
1330 send_pcep_error(pcc_state, PCEP_ERRT_INVALID_OPERATION, 1331 PCEP_ERRV_LSP_NOT_PCE_INITIATED, path); 1332 } 1333 } 1334 1335 void handle_pcep_comp_reply(struct ctrl_state *ctrl_state,
** CID 1519818: Null pointer dereferences (NULL_RETURNS) /pbrd/pbr_vty.c: 173 in pbr_map_match_dst_magic() ________________________________________________________________________________________________________ *** CID 1519818: Null pointer dereferences (NULL_RETURNS) /pbrd/pbr_vty.c: 173 in pbr_map_match_dst_magic() 167 "Choose the dst ip or ipv6 prefix to use\n" 168 "v4 Prefix\n" 169 "v6 Prefix\n") 170 { 171 struct pbr_map_sequence *pbrms = VTY_GET_CONTEXT(pbr_map_sequence); 172
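CID 1519818: Null pointer dereferences (NULL_RETURNS) Dereferencing "pbrms", which is known to be "NULL". "pbrms" is assigned from "VTY_GET_CONTEXT(pbr_map_sequence)" on line 171 and dereferenced on line 173 with no NULL test in between.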
173 if (pbrms->src && pbrms->family && prefix->family != pbrms->family) { 174 vty_out(vty, "Cannot mismatch families within match src/dst\n"); 175 return CMD_WARNING_CONFIG_FAILED; 176 } 177 178 pbrms->family = prefix->family;
** CID 1519817: Code maintainability issues (UNUSED_VALUE) /zebra/zebra_dplane.c: 3425 in dplane_nexthop_update_internal() ________________________________________________________________________________________________________ *** CID 1519817: Code maintainability issues (UNUSED_VALUE) /zebra/zebra_dplane.c: 3425 in dplane_nexthop_update_internal() 3419 * Return: Result of the change 3420 */ 3421 static enum zebra_dplane_result 3422 dplane_nexthop_update_internal(struct nhg_hash_entry *nhe, enum dplane_op_e op) 3423 { 3424 enum zebra_dplane_result result = ZEBRA_DPLANE_REQUEST_FAILURE;
CID 1519817: Code maintainability issues (UNUSED_VALUE) Assigning value "22" to "ret" here, but that stored value is overwritten before it can be used. The value "22" is the numeric value of EINVAL, the initializer of "ret" on line 3425.
3425 int ret = EINVAL; 3426 struct zebra_dplane_ctx *ctx = NULL; 3427 3428 /* Obtain context block */ 3429 ctx = dplane_ctx_alloc(); 3430 if (!ctx) {
** CID 1519816: Error handling issues (CHECKED_RETURN) /pimd/pim_tib.c: 52 in tib_sg_oil_setup() ________________________________________________________________________________________________________ *** CID 1519816: Error handling issues (CHECKED_RETURN) /pimd/pim_tib.c: 52 in tib_sg_oil_setup() 46 pim_addr_to_prefix(&grp, sg.grp); 47 48 up = pim_upstream_find(pim, &sg); 49 if (up) { 50 memcpy(&nexthop, &up->rpf.source_nexthop, 51 sizeof(struct pim_nexthop));
CID 1519816: Error handling issues (CHECKED_RETURN) Calling "pim_ecmp_nexthop_lookup" without checking return value (as is done elsewhere 8 out of 9 times).
52 pim_ecmp_nexthop_lookup(pim, &nexthop, vif_source, &grp, 0); 53 if (nexthop.interface) 54 input_iface_vif_index = pim_if_find_vifindex_by_ifindex( 55 pim, nexthop.interface->ifindex); 56 } else 57 input_iface_vif_index =
** CID 1519815: (TAINTED_SCALAR) /nhrpd/nhrp_peer.c: 976 in nhrp_peer_forward() /nhrpd/nhrp_peer.c: 1003 in nhrp_peer_forward() ________________________________________________________________________________________________________ *** CID 1519815: (TAINTED_SCALAR) /nhrpd/nhrp_peer.c: 976 in nhrp_peer_forward() 970 goto err; 971 972 switch (type) { 973 case NHRP_EXTENSION_FORWARD_TRANSIT_NHS: 974 case NHRP_EXTENSION_REVERSE_TRANSIT_NHS: 975 zbuf_put(zb, extpl.head, len);
CID 1519815: (TAINTED_SCALAR) Using tainted variable "hdr->type" as an index into an array "packet_types".
976 if ((type == NHRP_EXTENSION_REVERSE_TRANSIT_NHS) 977 == (packet_types[hdr->type].type == PACKET_REPLY)) { 978 /* Check NHS list for forwarding loop */ 979 while (nhrp_cie_pull(&extpl, pp->hdr, 980 &cie_nbma, 981 &cie_protocol) != NULL) { /nhrpd/nhrp_peer.c: 1003 in nhrp_peer_forward() 997 proto = NULL; 998 999 /* If NAT extension is empty then attempt to populate 1000 * it with cached NBMA information 1001 */ 1002 if (len == 0) {
CID 1519815: (TAINTED_SCALAR) Using tainted variable "hdr->type" as an index into an array "packet_types".
1003 if (packet_types[hdr->type].type 1004 == PACKET_REQUEST) { 1005 debugf(NHRP_DEBUG_COMMON, 1006 "Processing NHRP_EXTENSION_NAT_ADDRESS while forwarding the request packet"); 1007 proto = &pp->src_proto; 1008 } else if (packet_types[hdr->type].type
** CID 1519814: Null pointer dereferences (NULL_RETURNS) /pbrd/pbr_vty.c: 627 in pbr_map_nexthop_magic() ________________________________________________________________________________________________________ *** CID 1519814: Null pointer dereferences (NULL_RETURNS) /pbrd/pbr_vty.c: 627 in pbr_map_nexthop_magic() 621 nhop.type = NEXTHOP_TYPE_IPV6; 622 } 623 } 624 } else 625 nhop.type = NEXTHOP_TYPE_IFINDEX; 626
CID 1519814: Null pointer dereferences (NULL_RETURNS) Dereferencing "pbrms", which is known to be "NULL".
627 if (pbrms->nhg) 628 nh = nexthop_exists(pbrms->nhg, &nhop); 629 630 if (nh) /* Same config re-entered */ 631 goto done; 632
** CID 1519813: (NULL_RETURNS) /pbrd/pbr_vty.c: 254 in pbr_map_match_dst_port_magic() /pbrd/pbr_vty.c: 259 in pbr_map_match_dst_port_magic() ________________________________________________________________________________________________________ *** CID 1519813: (NULL_RETURNS) /pbrd/pbr_vty.c: 254 in pbr_map_match_dst_port_magic() 248 "Choose the destination port to use\n" 249 "The Destination Port\n") 250 { 251 struct pbr_map_sequence *pbrms = VTY_GET_CONTEXT(pbr_map_sequence); 252 253 if (!no) {
CID 1519813: (NULL_RETURNS) Dereferencing "pbrms", which is known to be "NULL".
254 if (pbrms->dst_prt == port) 255 return CMD_SUCCESS; 256 else 257 pbrms->dst_prt = port; 258 } else 259 pbrms->dst_prt = 0; /pbrd/pbr_vty.c: 259 in pbr_map_match_dst_port_magic() 253 if (!no) { 254 if (pbrms->dst_prt == port) 255 return CMD_SUCCESS; 256 else 257 pbrms->dst_prt = port; 258 } else
CID 1519813: (NULL_RETURNS) Dereferencing "pbrms", which is known to be "NULL".
259 pbrms->dst_prt = 0; 260 261 pbr_map_check(pbrms, true); 262 263 return CMD_SUCCESS; 264 }
** CID 1519812: High impact quality (Y2K38_SAFETY) /zebra/zebra_netns_id.c: 76 in initiate_nlh() ________________________________________________________________________________________________________ *** CID 1519812: High impact quality (Y2K38_SAFETY) /zebra/zebra_netns_id.c: 76 in initiate_nlh() 70 nlh->nlmsg_len = NETLINK_ALIGN(sizeof(struct nlmsghdr)); 71 72 nlh->nlmsg_type = type; 73 nlh->nlmsg_flags = NLM_F_REQUEST; 74 if (type == RTM_NEWNSID) 75 nlh->nlmsg_flags |= NLM_F_ACK;
CID 1519812: High impact quality (Y2K38_SAFETY) A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "time(NULL)" is cast to "unsigned int".
76 nlh->nlmsg_seq = *seq = time(NULL); 77 return nlh; 78 } 79 80 static int send_receive(int sock, struct nlmsghdr *nlh, unsigned int seq, 81 char *buf)
** CID 1519811: Null pointer dereferences (NULL_RETURNS) ________________________________________________________________________________________________________ *** CID 1519811: Null pointer dereferences (NULL_RETURNS) /pbrd/pbr_vty.c: 725 in no_pbr_map_vrf_magic() 719 "Specify the VRF for this map\n" 720 "The VRF Name\n" 721 "Use the interface's VRF for lookup\n") 722 { 723 struct pbr_map_sequence *pbrms = VTY_GET_CONTEXT(pbr_map_sequence); 724
CID 1519811: Null pointer dereferences (NULL_RETURNS) Dereferencing a pointer that might be "NULL" "pbrms" when calling "pbrms_clear_set_config".
725 pbrms_clear_set_config(pbrms); 726 727 return CMD_SUCCESS; 728 } 729 730 DEFPY (pbr_policy,
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...