[dev] New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Wed Apr 11 21:49:37 EDT 2018
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
12 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 12 of 12 defect(s)
** CID 1467832: Null pointer dereferences (NULL_RETURNS)
/pbrd/pbr_nht.c: 217 in pbr_nhgroup_add_cb()
________________________________________________________________________________________________________
*** CID 1467832: Null pointer dereferences (NULL_RETURNS)
/pbrd/pbr_nht.c: 217 in pbr_nhgroup_add_cb()
211 nhgc = nhgc_find(name);
212 pnhgc = pbr_nht_add_group(name);
213
214 DEBUGD(&pbr_dbg_nht, "%s: Added nexthop-group %s", __PRETTY_FUNCTION__,
215 name);
216
>>> CID 1467832: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a null pointer "nhgc": the value returned by nhgc_find(name) on line 211 is used on line 217 without a NULL check.
217 pbr_nht_install_nexthop_group(pnhgc, nhgc->nhg);
218 pbr_map_check_nh_group_change(name);
219 }
220
221 void pbr_nhgroup_add_nexthop_cb(const struct nexthop_group_cmd *nhgc,
222 const struct nexthop *nhop)
** CID 1467831: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1467831: Null pointer dereferences (FORWARD_NULL)
/pbrd/pbr_vty_clippy.c: 148 in pbr_map_nexthop_group()
142 }
143 #if 0 /* anything that can fail? */
144 if (_failcnt)
145 return CMD_WARNING;
146 #endif
147 #endif
>>> CID 1467831: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "name" to "pbr_map_nexthop_group_magic", which dereferences it.
148 return pbr_map_nexthop_group_magic(self, vty, argc, argv, no, name);
149 }
150
151 /* pbr_map_nexthop => "[no] set nexthop <A.B.C.D|X:X::X:X>$addr [INTERFACE]$intf [nexthop-vrf NAME$name]" */
152 DEFUN_CMD_FUNC_DECL(pbr_map_nexthop)
153 #define funcdecl_pbr_map_nexthop static int pbr_map_nexthop_magic(\
** CID 1467830: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1467830: Null pointer dereferences (FORWARD_NULL)
/pbrd/pbr_vty_clippy.c: 265 in pbr_policy()
259 }
260 #if 0 /* anything that can fail? */
261 if (_failcnt)
262 return CMD_WARNING;
263 #endif
264 #endif
>>> CID 1467830: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "mapname" to "pbr_policy_magic", which dereferences it.
265 return pbr_policy_magic(self, vty, argc, argv, no, mapname);
266 }
267
268 /* show_pbr => "show pbr [json$json]" */
269 DEFUN_CMD_FUNC_DECL(show_pbr)
270 #define funcdecl_show_pbr static int show_pbr_magic(\
** CID 1467829: Resource leaks (RESOURCE_LEAK)
/pbrd/pbr_vty.c: 348 in pbr_policy_magic()
________________________________________________________________________________________________________
*** CID 1467829: Resource leaks (RESOURCE_LEAK)
/pbrd/pbr_vty.c: 348 in pbr_policy_magic()
342 if (pbrm)
343 pbr_map_add_interface(pbrm, ifp);
344 }
345 }
346 }
347
>>> CID 1467829: Resource leaks (RESOURCE_LEAK)
>>> Variable "pbr_ifp" going out of scope leaks the storage it points to.
348 return CMD_SUCCESS;
349 }
350
351 DEFPY (show_pbr,
352 show_pbr_cmd,
353 "show pbr [json$json]",
** CID 1467828: Security best practices violations (STRING_OVERFLOW)
/pbrd/pbr_nht.c: 779 in pbr_nht_get_installed()
________________________________________________________________________________________________________
*** CID 1467828: Security best practices violations (STRING_OVERFLOW)
/pbrd/pbr_nht.c: 779 in pbr_nht_get_installed()
773 bool pbr_nht_get_installed(const char *name)
774 {
775 struct pbr_nexthop_group_cache find;
776 struct pbr_nexthop_group_cache *pnhgc;
777
778 memset(&find, 0, sizeof(find));
>>> CID 1467828: Security best practices violations (STRING_OVERFLOW)
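>>> You might overrun the 100-character fixed-size string "find.name" by copying "name" without checking the length. strcpy() stops only at the source's terminating NUL, so "name" must be length-checked before the copy or copied with a bound of sizeof(find.name); because "find.name" is then used as the hash lookup key, a silently truncated name should be rejected rather than looked up.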
779 strcpy(find.name, name);
780
781 pnhgc = hash_lookup(pbr_nhg_hash, &find);
782
783 if (!pnhgc)
784 return false;
** CID 1467827: Security best practices violations (STRING_OVERFLOW)
/pbrd/pbr_nht.c: 436 in pbr_nht_change_group()
________________________________________________________________________________________________________
*** CID 1467827: Security best practices violations (STRING_OVERFLOW)
/pbrd/pbr_nht.c: 436 in pbr_nht_change_group()
430
431 nhgc = nhgc_find(name);
432 if (!nhgc)
433 return;
434
435 memset(&find, 0, sizeof(find));
>>> CID 1467827: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 100-character fixed-size string "find.name" by copying "name" without checking the length.
436 strcpy(find.name, name);
437 pnhgc = hash_lookup(pbr_nhg_hash, &find);
438
439 if (!pnhgc) {
440 DEBUGD(&pbr_dbg_nht,
441 "%s: Could not find nexthop-group cache w/ name '%s'",
** CID 1467826: Security best practices violations (STRING_OVERFLOW)
/pbrd/pbr_nht.c: 511 in pbr_nht_delete_individual_nexthop()
________________________________________________________________________________________________________
*** CID 1467826: Security best practices violations (STRING_OVERFLOW)
/pbrd/pbr_nht.c: 511 in pbr_nht_delete_individual_nexthop()
505 pbrm->valid = false;
506 pbrms->nhs_installed = false;
507 pbrms->installed = false;
508 pbrms->reason |= PBR_MAP_INVALID_NO_NEXTHOPS;
509
510 memset(&find, 0, sizeof(find));
>>> CID 1467826: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 100-character fixed-size string "&find.name[0]" by copying "pbrms->internal_nhg_name" without checking the length.
511 strcpy(&find.name[0], pbrms->internal_nhg_name);
512 pnhgc = hash_lookup(pbr_nhg_hash, &find);
513
514 nh = pbrms->nhg->nexthop;
515 nh_afi = nh->type;
516 lup.nexthop = nh;
** CID 1467825: Security best practices violations (STRING_OVERFLOW)
/pbrd/pbr_nht.c: 760 in pbr_nht_get_table()
________________________________________________________________________________________________________
*** CID 1467825: Security best practices violations (STRING_OVERFLOW)
/pbrd/pbr_nht.c: 760 in pbr_nht_get_table()
754 uint32_t pbr_nht_get_table(const char *name)
755 {
756 struct pbr_nexthop_group_cache find;
757 struct pbr_nexthop_group_cache *pnhgc;
758
759 memset(&find, 0, sizeof(find));
>>> CID 1467825: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 100-character fixed-size string "find.name" by copying "name" without checking the length.
760 strcpy(find.name, name);
761 pnhgc = hash_lookup(pbr_nhg_hash, &find);
762
763 if (!pnhgc) {
764 DEBUGD(&pbr_dbg_nht,
765 "%s: Could not find nexthop-group cache w/ name '%s'",
** CID 1467824: Security best practices violations (STRING_OVERFLOW)
/pbrd/pbr_nht.c: 605 in pbr_nht_nexthop_group_valid()
________________________________________________________________________________________________________
*** CID 1467824: Security best practices violations (STRING_OVERFLOW)
/pbrd/pbr_nht.c: 605 in pbr_nht_nexthop_group_valid()
599 {
600 struct pbr_nexthop_group_cache *pnhgc;
601 struct pbr_nexthop_group_cache lookup;
602
603 DEBUGD(&pbr_dbg_nht, "%s: %s", __PRETTY_FUNCTION__, name);
604
>>> CID 1467824: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 100-character fixed-size string "lookup.name" by copying "name" without checking the length.
605 strcpy(lookup.name, name);
606 pnhgc = hash_get(pbr_nhg_hash, &lookup, NULL);
607 if (!pnhgc)
608 return false;
609 DEBUGD(&pbr_dbg_nht, "%s: \t%d %d", __PRETTY_FUNCTION__, pnhgc->valid,
610 pnhgc->installed);
** CID 1467823: Security best practices violations (STRING_OVERFLOW)
/pbrd/pbr_nht.c: 546 in pbr_nht_add_group()
________________________________________________________________________________________________________
*** CID 1467823: Security best practices violations (STRING_OVERFLOW)
/pbrd/pbr_nht.c: 546 in pbr_nht_add_group()
540 if (!nhgc) {
541 zlog_warn("%s: Could not find group %s to add",
542 __PRETTY_FUNCTION__, name);
543 return NULL;
544 }
545
>>> CID 1467823: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 100-character fixed-size string "lookup.name" by copying "name" without checking the length.
546 strcpy(lookup.name, name);
547 pnhgc = hash_get(pbr_nhg_hash, &lookup, pbr_nhgc_alloc);
548 DEBUGD(&pbr_dbg_nht, "%s: Retrieved NHGC @ %p", __PRETTY_FUNCTION__,
549 pnhgc);
550
551 for (ALL_NEXTHOPS(nhgc->nhg, nhop)) {
** CID 1467822: Security best practices violations (STRING_OVERFLOW)
/pbrd/pbr_map.c: 271 in pbrms_get()
________________________________________________________________________________________________________
*** CID 1467822: Security best practices violations (STRING_OVERFLOW)
/pbrd/pbr_map.c: 271 in pbrms_get()
265 struct pbr_map_sequence *pbrms;
266 struct listnode *node;
267
268 pbrm = pbrm_find(name);
269 if (!pbrm) {
270 pbrm = XCALLOC(MTYPE_PBR_MAP, sizeof(*pbrm));
>>> CID 1467822: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 100-character fixed-size string "pbrm->name" by copying "name" without checking the length.
271 strcpy(pbrm->name, name);
272
273 pbrm->seqnumbers = list_new();
274 pbrm->seqnumbers->cmp =
275 (int (*)(void *, void *))pbr_map_sequence_compare;
276 pbrm->seqnumbers->del =
** CID 1467821: (STRING_OVERFLOW)
/pbrd/pbr_vty.c: 332 in pbr_policy_magic()
/pbrd/pbr_vty.c: 341 in pbr_policy_magic()
________________________________________________________________________________________________________
*** CID 1467821: (STRING_OVERFLOW)
/pbrd/pbr_vty.c: 332 in pbr_policy_magic()
326
327 if (pbrm)
328 pbr_map_interface_delete(pbrm, ifp);
329 }
330 } else {
331 if (strcmp(pbr_ifp->mapname, "") == 0) {
>>> CID 1467821: (STRING_OVERFLOW)
>>> You might overrun the 100-character fixed-size string "pbr_ifp->mapname" by copying "mapname" without checking the length.
332 strcpy(pbr_ifp->mapname, mapname);
333
334 if (pbrm)
335 pbr_map_add_interface(pbrm, ifp);
336 } else {
337 if (!(strcmp(pbr_ifp->mapname, mapname) == 0)) {
/pbrd/pbr_vty.c: 341 in pbr_policy_magic()
335 pbr_map_add_interface(pbrm, ifp);
336 } else {
337 if (!(strcmp(pbr_ifp->mapname, mapname) == 0)) {
338 old_pbrm = pbrm_find(pbr_ifp->mapname);
339 if (old_pbrm)
340 pbr_map_interface_delete(old_pbrm, ifp);
>>> CID 1467821: (STRING_OVERFLOW)
>>> You might overrun the 100-character fixed-size string "pbr_ifp->mapname" by copying "mapname" without checking the length.
341 strcpy(pbr_ifp->mapname, mapname);
342 if (pbrm)
343 pbr_map_add_interface(pbrm, ifp);
344 }
345 }
346 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRa7dJ8klHLUFWVd2fqpS-2B-2FHaN43B-2FQ11ntcKmbKat2WeHs8691VOJpZofPkpp-2BRBqc-3D_d-2Fi2nRutHp-2FDWtw8JRg-2Bc1m9CS4-2B5uVbodfDyLsp-2FJkoYPmZaUL0E4MEbl90GJL72na4UaOi6eu9avdQvatQkysl1dIBZ-2FeRM1w7VcHv0kQlYrJ8UFj6FQI2RhHDxOXO-2B3ZHFSO5BCeEyLlbawDYgKuJ-2FiQUh3b5-2BlsGhr6B3K4-2BxY-2BIlr9ozc3dHBSyJQVvFk7JEmHpU3esyqtzJXM-2BJA-3D-3D