[dev] New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Wed Aug 2 16:45:25 EDT 2017
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
17 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
54 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 17 of 17 defect(s)
** CID 1452506: Resource leaks (RESOURCE_LEAK)
/pimd/pim_msdp_socket.c: 159 in pim_msdp_sock_listen()
________________________________________________________________________________________________________
*** CID 1452506: Resource leaks (RESOURCE_LEAK)
/pimd/pim_msdp_socket.c: 159 in pim_msdp_sock_listen()
153 if (pim->vrf_id != VRF_DEFAULT) {
154 struct interface *ifp =
155 if_lookup_by_name(pim->vrf->name, pim->vrf_id);
156 if (!ifp) {
157 zlog_err("%s: Unable to lookup vrf interface: %s",
158 __PRETTY_FUNCTION__, pim->vrf->name);
>>> CID 1452506: Resource leaks (RESOURCE_LEAK)
>>> Handle variable "sock" going out of scope leaks the handle: the early "return -1" at line 159 exits without closing "sock".
159 return -1;
160 }
161 pim_socket_bind(sock, ifp);
162 }
163
164 if (pimd_privs.change(ZPRIVS_RAISE)) {
** CID 1452505: Error handling issues (CHECKED_RETURN)
/pimd/pim_mroute.c: 717 in pim_mroute_socket_enable()
________________________________________________________________________________________________________
*** CID 1452505: Error handling issues (CHECKED_RETURN)
/pimd/pim_mroute.c: 717 in pim_mroute_socket_enable()
711 zlog_err("pim_mroute_socket_enable: could not raise privs, %s",
712 safe_strerror(errno));
713
714 fd = socket(AF_INET, SOCK_RAW, IPPROTO_IGMP);
715
716 #ifdef SO_BINDTODEVICE
>>> CID 1452505: Error handling issues (CHECKED_RETURN)
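>>> Calling "setsockopt(fd, 1, 25, pim->vrf->name, strlen(pim->vrf->name))" without checking return value. This library function may fail and return an error code. If this SO_BINDTODEVICE call fails, the socket is left unbound to the VRF device and the code continues as if the bind had succeeded.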
717 setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, pim->vrf->name,
718 strlen(pim->vrf->name));
719 #endif
720
721 if (pimd_privs.change(ZPRIVS_LOWER))
722 zlog_err("pim_mroute_socket_enable: could not lower privs, %s",
** CID 1452504: Null pointer dereferences (FORWARD_NULL)
/pimd/pim_instance.c: 198 in pim_vrf_config_write()
________________________________________________________________________________________________________
*** CID 1452504: Null pointer dereferences (FORWARD_NULL)
/pimd/pim_instance.c: 198 in pim_vrf_config_write()
192 struct vrf *vrf;
193 struct pim_instance *pim;
194
195 RB_FOREACH(vrf, vrf_name_head, &vrfs_by_name)
196 {
197 pim = vrf->info;
>>> CID 1452504: Null pointer dereferences (FORWARD_NULL)
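>>> Comparing "pim" to null implies that "pim" might be null; the branch taken when "pim" is null then passes it to pim_global_config_write_worker() at line 200.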
198 if (!pim || vrf->vrf_id != VRF_DEFAULT) {
199 vty_out(vty, "vrf %s\n", vrf->name);
200 pim_global_config_write_worker(pim, vty);
201 vty_out(vty, "!\n");
202 }
203 }
** CID 1452503: Error handling issues (CHECKED_RETURN)
/zebra/zebra_vty.c: 1853 in show_ipv6_route()
________________________________________________________________________________________________________
*** CID 1452503: Error handling issues (CHECKED_RETURN)
/zebra/zebra_vty.c: 1853 in show_ipv6_route()
1847 }
1848
1849 if (argv_find(argv, argc, "tag", &idx))
1850 tag = strtoul(argv[idx + 1]->arg, NULL, 10);
1851
1852 else if (argv_find(argv, argc, "X:X::X:X/M", &idx)) {
>>> CID 1452503: Error handling issues (CHECKED_RETURN)
>>> Calling "str2prefix" without checking return value (as is done elsewhere 66 out of 78 times).
1853 str2prefix(argv[idx]->arg, &p);
1854 longer_prefixes = true;
1855 }
1856
1857 else {
1858 if (argv_find(argv, argc, "kernel", &idx))
** CID 1452502: Error handling issues (NEGATIVE_RETURNS)
/pimd/pim_mroute.c: 717 in pim_mroute_socket_enable()
________________________________________________________________________________________________________
*** CID 1452502: Error handling issues (NEGATIVE_RETURNS)
/pimd/pim_mroute.c: 717 in pim_mroute_socket_enable()
711 zlog_err("pim_mroute_socket_enable: could not raise privs, %s",
712 safe_strerror(errno));
713
714 fd = socket(AF_INET, SOCK_RAW, IPPROTO_IGMP);
715
716 #ifdef SO_BINDTODEVICE
>>> CID 1452502: Error handling issues (NEGATIVE_RETURNS)
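>>> "fd" is passed to a parameter that cannot be negative: socket() at line 714 returns -1 on failure, and "fd" reaches setsockopt() at line 717 before any check.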
717 setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, pim->vrf->name,
718 strlen(pim->vrf->name));
719 #endif
720
721 if (pimd_privs.change(ZPRIVS_LOWER))
722 zlog_err("pim_mroute_socket_enable: could not lower privs, %s",
** CID 1452501: Null pointer dereferences (NULL_RETURNS)
/pimd/pim_zebra.c: 185 in pim_zebra_if_state_up()
________________________________________________________________________________________________________
*** CID 1452501: Null pointer dereferences (NULL_RETURNS)
/pimd/pim_zebra.c: 185 in pim_zebra_if_state_up()
179 if (sscanf(ifp->name, "pimreg%d", &table_id) == 1) {
180 struct vrf *vrf;
181 RB_FOREACH(vrf, vrf_name_head, &vrfs_by_name)
182 {
183 if ((table_id == vrf->data.l.table_id)
184 && (ifp->vrf_id != vrf->vrf_id)) {
>>> CID 1452501: Null pointer dereferences (NULL_RETURNS)
>>> Assigning: "master" = null return value from "if_lookup_by_name"; "master" is then passed unchecked to zclient_interface_set_master() at line 187.
185 struct interface *master = if_lookup_by_name(
186 vrf->name, vrf->vrf_id);
187 zclient_interface_set_master(zclient, master,
188 ifp);
189 }
190 }
** CID 1452500: Error handling issues (CHECKED_RETURN)
________________________________________________________________________________________________________
*** CID 1452500: Error handling issues (CHECKED_RETURN)
/pimd/pim_msdp_socket.c: 239 in pim_msdp_sock_connect()
233 if_lookup_by_name(mp->pim->vrf->name, mp->pim->vrf_id);
234 if (!ifp) {
235 zlog_err("%s: Unable to lookup vrf interface: %s",
236 __PRETTY_FUNCTION__, mp->pim->vrf->name);
237 return -1;
238 }
>>> CID 1452500: Error handling issues (CHECKED_RETURN)
>>> Calling "pim_socket_bind(mp->fd, ifp)" without checking return value. It wraps a library function that may fail and return an error code.
239 pim_socket_bind(mp->fd, ifp);
240 }
241
242 set_nonblocking(mp->fd);
243
244 /* Set socket send buffer size */
** CID 1452499: Error handling issues (CHECKED_RETURN)
________________________________________________________________________________________________________
*** CID 1452499: Error handling issues (CHECKED_RETURN)
/pimd/pim_msdp_socket.c: 161 in pim_msdp_sock_listen()
155 if_lookup_by_name(pim->vrf->name, pim->vrf_id);
156 if (!ifp) {
157 zlog_err("%s: Unable to lookup vrf interface: %s",
158 __PRETTY_FUNCTION__, pim->vrf->name);
159 return -1;
160 }
>>> CID 1452499: Error handling issues (CHECKED_RETURN)
>>> Calling "pim_socket_bind(sock, ifp)" without checking return value. It wraps a library function that may fail and return an error code.
161 pim_socket_bind(sock, ifp);
162 }
163
164 if (pimd_privs.change(ZPRIVS_RAISE)) {
165 zlog_err("pim_msdp_socket: could not raise privs, %s",
166 safe_strerror(errno));
** CID 1452498: Memory - corruptions (REVERSE_NEGATIVE)
/pimd/pim_mroute.c: 725 in pim_mroute_socket_enable()
________________________________________________________________________________________________________
*** CID 1452498: Memory - corruptions (REVERSE_NEGATIVE)
/pimd/pim_mroute.c: 725 in pim_mroute_socket_enable()
719 #endif
720
721 if (pimd_privs.change(ZPRIVS_LOWER))
722 zlog_err("pim_mroute_socket_enable: could not lower privs, %s",
723 safe_strerror(errno));
724
>>> CID 1452498: Memory - corruptions (REVERSE_NEGATIVE)
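>>> You might be using variable "fd" before verifying that it is >= 0: "fd" was already passed to setsockopt() at line 717 (under #ifdef SO_BINDTODEVICE), above this check.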
725 if (fd < 0) {
726 zlog_warn("Could not create mroute socket: errno=%d: %s", errno,
727 safe_strerror(errno));
728 return -2;
729 }
730
** CID 1452497: Control flow issues (MISSING_BREAK)
/zebra/zserv.c: 2435 in zebra_client_read()
________________________________________________________________________________________________________
*** CID 1452497: Control flow issues (MISSING_BREAK)
/zebra/zserv.c: 2435 in zebra_client_read()
2429 break;
2430 case ZEBRA_REMOTE_MACIP_ADD:
2431 zebra_vxlan_remote_macip_add(client, sock, length, zvrf);
2432 break;
2433 case ZEBRA_REMOTE_MACIP_DEL:
2434 zebra_vxlan_remote_macip_del(client, sock, length, zvrf);
>>> CID 1452497: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one, so a ZEBRA_REMOTE_MACIP_DEL message is also handled by zread_interface_set_master().
2435 case ZEBRA_INTERFACE_SET_MASTER:
2436 zread_interface_set_master(client, sock, length);
2437 break;
2438 default:
2439 zlog_info("Zebra received unknown command %d", command);
2440 break;
** CID 1452496: Null pointer dereferences (NULL_RETURNS)
/pimd/pim_cmd.c: 4898 in show_ip_mroute_count()
________________________________________________________________________________________________________
*** CID 1452496: Null pointer dereferences (NULL_RETURNS)
/pimd/pim_cmd.c: 4898 in show_ip_mroute_count()
4892 VRF_CMD_HELP_STR
4893 "Route and packet count data\n")
4894 {
4895 int idx = 2;
4896 struct vrf *vrf = pim_cmd_lookup_vrf(vty, argv, argc, &idx);
4897
>>> CID 1452496: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a null pointer "vrf": pim_cmd_lookup_vrf() at line 4896 can return null, and "vrf->info" is read without a check.
4898 show_mroute_count(vrf->info, vty);
4899 return CMD_SUCCESS;
4900 }
4901
4902 DEFUN (show_ip_mroute_count_vrf_all,
4903 show_ip_mroute_count_vrf_all_cmd,
** CID 1452495: Error handling issues (CHECKED_RETURN)
/zebra/zebra_vty.c: 1198 in show_ip_route()
________________________________________________________________________________________________________
*** CID 1452495: Error handling issues (CHECKED_RETURN)
/zebra/zebra_vty.c: 1198 in show_ip_route()
1192 }
1193
1194 if (argv_find(argv, argc, "tag", &idx))
1195 tag = strtoul(argv[idx + 1]->arg, NULL, 10);
1196
1197 else if (argv_find(argv, argc, "A.B.C.D/M", &idx)) {
>>> CID 1452495: Error handling issues (CHECKED_RETURN)
>>> Calling "str2prefix" without checking return value (as is done elsewhere 66 out of 78 times).
1198 str2prefix(argv[idx]->arg, &p);
1199 longer_prefixes = true;
1200 }
1201
1202 else if (argv_find(argv, argc, "supernets_only", &idx))
1203 supernets_only = true;
** CID 1423945: Error handling issues (CHECKED_RETURN)
/pimd/pim_ssm.c: 74 in pim_is_grp_standard_ssm()
________________________________________________________________________________________________________
*** CID 1423945: Error handling issues (CHECKED_RETURN)
/pimd/pim_ssm.c: 74 in pim_is_grp_standard_ssm()
68 static int pim_is_grp_standard_ssm(struct prefix *group)
69 {
70 static int first = 1;
71 static struct prefix group_ssm;
72
73 if (first) {
>>> CID 1423945: Error handling issues (CHECKED_RETURN)
>>> Calling "str2prefix" without checking return value (as is done elsewhere 66 out of 78 times).
74 str2prefix(PIM_SSM_STANDARD_RANGE, &group_ssm);
75 first = 0;
76 }
77
78 return prefix_match(&group_ssm, group);
79 }
** CID 1399208: Error handling issues (CHECKED_RETURN)
/pimd/pim_rp.c: 545 in pim_rp_del()
________________________________________________________________________________________________________
*** CID 1399208: Error handling issues (CHECKED_RETURN)
/pimd/pim_rp.c: 545 in pim_rp_del()
539 prefix2str(&nht_p, buf, sizeof(buf));
540 zlog_debug("%s: Deregister RP addr %s with Zebra ",
541 __PRETTY_FUNCTION__, buf);
542 }
543 pim_delete_tracked_nexthop(pim, &nht_p, NULL, rp_info);
544
>>> CID 1399208: Error handling issues (CHECKED_RETURN)
>>> Calling "str2prefix" without checking return value (as is done elsewhere 66 out of 78 times).
545 str2prefix("224.0.0.0/4", &g_all);
546 rp_all = pim_rp_find_match_group(pim, &g_all);
547
548 if (rp_all == rp_info) {
549 rp_all->rp.rpf_addr.family = AF_INET;
550 rp_all->rp.rpf_addr.u.prefix4.s_addr = INADDR_NONE;
** CID 1399199: (CHECKED_RETURN)
/bgpd/bgp_updgrp_adv.c: 697 in subgroup_default_originate()
/bgpd/bgp_updgrp_adv.c: 699 in subgroup_default_originate()
/bgpd/bgp_updgrp_adv.c: 764 in subgroup_default_originate()
/bgpd/bgp_updgrp_adv.c: 766 in subgroup_default_originate()
________________________________________________________________________________________________________
*** CID 1399199: (CHECKED_RETURN)
/bgpd/bgp_updgrp_adv.c: 697 in subgroup_default_originate()
691
692 bgp_attr_default_set(&attr, BGP_ORIGIN_IGP);
693 aspath = attr.aspath;
694 attr.local_pref = bgp->default_local_pref;
695
696 if (afi == AFI_IP)
>>> CID 1399199: (CHECKED_RETURN)
>>> Calling "str2prefix" without checking return value (as is done elsewhere 66 out of 78 times).
697 str2prefix("0.0.0.0/0", &p);
698 else if (afi == AFI_IP6) {
699 str2prefix("::/0", &p);
700
701 /* IPv6 global nexthop must be included. */
702 attr.mp_nexthop_len = BGP_ATTR_NHLEN_IPV6_GLOBAL;
/bgpd/bgp_updgrp_adv.c: 699 in subgroup_default_originate()
693 aspath = attr.aspath;
694 attr.local_pref = bgp->default_local_pref;
695
696 if (afi == AFI_IP)
697 str2prefix("0.0.0.0/0", &p);
698 else if (afi == AFI_IP6) {
>>> CID 1399199: (CHECKED_RETURN)
>>> Calling "str2prefix" without checking return value (as is done elsewhere 66 out of 78 times).
699 str2prefix("::/0", &p);
700
701 /* IPv6 global nexthop must be included. */
702 attr.mp_nexthop_len = BGP_ATTR_NHLEN_IPV6_GLOBAL;
703
704 /* If the peer is on shared nextwork and we have link-local
/bgpd/bgp_updgrp_adv.c: 764 in subgroup_default_originate()
758 * implicit withdraw for any previous UPDATEs sent for
759 * 0.0.0.0/0 so
760 * clear adj_out for the 0.0.0.0/0 prefix in the BGP
761 * table.
762 */
763 if (afi == AFI_IP)
>>> CID 1399199: (CHECKED_RETURN)
>>> Calling "str2prefix" without checking return value (as is done elsewhere 66 out of 78 times).
764 str2prefix("0.0.0.0/0", &p);
765 else
766 str2prefix("::/0", &p);
767
768 rn = bgp_afi_node_get(bgp->rib[afi][safi], afi, safi,
769 &p, NULL);
/bgpd/bgp_updgrp_adv.c: 766 in subgroup_default_originate()
760 * clear adj_out for the 0.0.0.0/0 prefix in the BGP
761 * table.
762 */
763 if (afi == AFI_IP)
764 str2prefix("0.0.0.0/0", &p);
765 else
>>> CID 1399199: (CHECKED_RETURN)
>>> Calling "str2prefix" without checking return value (as is done elsewhere 66 out of 78 times).
766 str2prefix("::/0", &p);
767
768 rn = bgp_afi_node_get(bgp->rib[afi][safi], afi, safi,
769 &p, NULL);
770 bgp_adj_out_unset_subgroup(
771 rn, subgrp, 0,
** CID 1399197: (CHECKED_RETURN)
/bgpd/bgp_updgrp_packet.c: 1095 in subgroup_default_update_packet()
/bgpd/bgp_updgrp_packet.c: 1097 in subgroup_default_update_packet()
________________________________________________________________________________________________________
*** CID 1399197: (CHECKED_RETURN)
/bgpd/bgp_updgrp_packet.c: 1095 in subgroup_default_update_packet()
1089 afi = SUBGRP_AFI(subgrp);
1090 safi = SUBGRP_SAFI(subgrp);
1091 bpacket_attr_vec_arr_reset(&vecarr);
1092 addpath_encode = bgp_addpath_encode_tx(peer, afi, safi);
1093
1094 if (afi == AFI_IP)
>>> CID 1399197: (CHECKED_RETURN)
>>> Calling "str2prefix" without checking return value (as is done elsewhere 66 out of 78 times).
1095 str2prefix("0.0.0.0/0", &p);
1096 else
1097 str2prefix("::/0", &p);
1098
1099 /* Logging the attribute. */
1100 if (bgp_debug_update(NULL, &p, subgrp->update_group, 0)) {
/bgpd/bgp_updgrp_packet.c: 1097 in subgroup_default_update_packet()
1091 bpacket_attr_vec_arr_reset(&vecarr);
1092 addpath_encode = bgp_addpath_encode_tx(peer, afi, safi);
1093
1094 if (afi == AFI_IP)
1095 str2prefix("0.0.0.0/0", &p);
1096 else
>>> CID 1399197: (CHECKED_RETURN)
>>> Calling "str2prefix" without checking return value (as is done elsewhere 66 out of 78 times).
1097 str2prefix("::/0", &p);
1098
1099 /* Logging the attribute. */
1100 if (bgp_debug_update(NULL, &p, subgrp->update_group, 0)) {
1101 char attrstr[BUFSIZ];
1102 char buf[PREFIX_STRLEN];
** CID 1399194: (CHECKED_RETURN)
/bgpd/bgp_updgrp_packet.c: 1181 in subgroup_default_withdraw_packet()
/bgpd/bgp_updgrp_packet.c: 1183 in subgroup_default_withdraw_packet()
________________________________________________________________________________________________________
*** CID 1399194: (CHECKED_RETURN)
/bgpd/bgp_updgrp_packet.c: 1181 in subgroup_default_withdraw_packet()
1175 peer = SUBGRP_PEER(subgrp);
1176 afi = SUBGRP_AFI(subgrp);
1177 safi = SUBGRP_SAFI(subgrp);
1178 addpath_encode = bgp_addpath_encode_tx(peer, afi, safi);
1179
1180 if (afi == AFI_IP)
>>> CID 1399194: (CHECKED_RETURN)
>>> Calling "str2prefix" without checking return value (as is done elsewhere 66 out of 78 times).
1181 str2prefix("0.0.0.0/0", &p);
1182 else
1183 str2prefix("::/0", &p);
1184
1185 if (bgp_debug_update(NULL, &p, subgrp->update_group, 0)) {
1186 char buf[PREFIX_STRLEN];
/bgpd/bgp_updgrp_packet.c: 1183 in subgroup_default_withdraw_packet()
1177 safi = SUBGRP_SAFI(subgrp);
1178 addpath_encode = bgp_addpath_encode_tx(peer, afi, safi);
1179
1180 if (afi == AFI_IP)
1181 str2prefix("0.0.0.0/0", &p);
1182 else
>>> CID 1399194: (CHECKED_RETURN)
>>> Calling "str2prefix" without checking return value (as is done elsewhere 66 out of 78 times).
1183 str2prefix("::/0", &p);
1184
1185 if (bgp_debug_update(NULL, &p, subgrp->update_group, 0)) {
1186 char buf[PREFIX_STRLEN];
1187 /* ' with addpath ID ' 17
1188 * max strlen of uint32 + 10
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRa7dJ8klHLUFWVd2fqpS-2B-2FHaN43B-2FQ11ntcKmbKat2WeHs8691VOJpZofPkpp-2BRBqc-3D_d-2Fi2nRutHp-2FDWtw8JRg-2Bc1m9CS4-2B5uVbodfDyLsp-2FJnkuXWAnJ6ZnRyJxrlwF3wZUlPVPkEAJs7uGwu-2BgzclRrcdZFBddpQGhLJDjfC4gPNmc9c8Pcpuk1FT3-2BFGharsSCvQAoy4N8gK3hUxr0PSPeZJDu71dLJOGlivucoYWM-2F0zH6gJLvZFngORQUK7vd0h-2FIwHpK1zexbIxbTLesQlQ-3D-3D