[dev] New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com scan-admin at coverity.com
Wed Aug 15 09:40:23 EDT 2018


Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

15 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 15 of 15 defect(s)


** CID 1472631:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 1472631:  Null pointer dereferences  (FORWARD_NULL)
/bfdd/bfdd_vty_clippy.c: 522 in bfd_show_peer()
516     	}
517     #if 1 /* anything that can fail? */
518     	if (_failcnt)
519     		return CMD_WARNING;
520     #endif
521     #endif
>>>     CID 1472631:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "peer_str" to "bfd_show_peer_magic", which dereferences it.
522     	return bfd_show_peer_magic(self, vty, argc, argv, label, peer, peer_str, local, local_str, ifname, vrfname);

** CID 1472630:  Uninitialized variables  (UNINIT)


________________________________________________________________________________________________________
*** CID 1472630:  Uninitialized variables  (UNINIT)
/bfdd/bfd_packet.c: 990 in bfd_recv_cb()
984     	peer.family = AF_INET;
985     	strcpy(peer_addr, inet_ntoa(sin.sin_addr));
986     #endif
987     
988     	/* Implement RFC 5880 6.8.6 */
989     	if (mlen < BFD_PKT_LEN) {
>>>     CID 1472630:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized element of array "port" when calling "cp_debug".
990     		cp_debug(is_mhop, &peer, &local, port, vrfname,
991     			 "too small (%ld bytes)", mlen);
992     		return 0;
993     	}
994     
995     	/*

** CID 1472629:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1472629:  Memory - corruptions  (OVERRUN)
/bfdd/bfd_packet.c: 302 in ptm_bfd_echo_pkt_create()
296     
297     	/* Construct Echo packet information */
298     	ep.data.ver = BFD_ECHO_VERSION;
299     	ep.data.len = BFD_ECHO_PKT_LEN;
300     	ep.data.my_discr = htonl(bfd->discrs.my_discr);
301     #ifdef BFD_LINUX
>>>     CID 1472629:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type udphdr of 8 bytes by passing it to a function which accesses it at byte offset 31 using argument "32".
302     	ep.udp.check =
303     #endif /* BFD_LINUX */
304     #ifdef BFD_BSD
305     	ep.udp.uh_sum =
306     #endif /* BFD_BSD */
307     		udp4_checksum(&ep.ip, (uint8_t *)&ep.udp,

** CID 1472628:  Security best practices violations  (DC.WEAK_CRYPTO)
/bfdd/bfd.c: 113 in ptm_bfd_start_xmt_timer()


________________________________________________________________________________________________________
*** CID 1472628:  Security best practices violations  (DC.WEAK_CRYPTO)
/bfdd/bfd.c: 113 in ptm_bfd_start_xmt_timer()
107     	 * between
108     	 * 75% and 100% of nominal value, unless detect_mult is 1, then should
109     	 * be
110     	 * between 75% and 90%.
111     	 */
112     	maxpercent = (bfd->detect_mult == 1) ? 16 : 26;
>>>     CID 1472628:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "random" should not be used for security related applications, as linear congruential algorithms are too easy to break.
113     	jitter = (xmt_TO * (75 + (random() % maxpercent))) / 100;
114     	/* XXX remove that division above */
115     
116     	if (is_echo)
117     		bfd_echo_xmttimer_update(bfd, jitter);
118     	else

** CID 1472627:  Memory - illegal accesses  (USE_AFTER_FREE)
/bfdd/control.c: 322 in control_queue_dequeue()


________________________________________________________________________________________________________
*** CID 1472627:  Memory - illegal accesses  (USE_AFTER_FREE)
/bfdd/control.c: 322 in control_queue_dequeue()
316     	control_queue_free(bcs, bcq);
317     
318     	/* Get the next buffer to send. */
319     	if (TAILQ_EMPTY(&bcs->bcs_bcqueue))
320     		goto empty_list;
321     
>>>     CID 1472627:  Memory - illegal accesses  (USE_AFTER_FREE)
>>>     Using freed pointer "bcs->bcs_bcqueue.tqh_first".
322     	bcq = TAILQ_FIRST(&bcs->bcs_bcqueue);
323     	bcs->bcs_bout = &bcq->bcq_bcb;
324     
325     	bcs->bcs_outev = NULL;
326     	thread_add_write(master, control_write, bcs, bcs->bcs_sd,
327     			 &bcs->bcs_outev);

** CID 1472626:  Memory - corruptions  (OVERRUN)
/bfdd/ptm_adapter.c: 387 in _ptm_msg_read()


________________________________________________________________________________________________________
*** CID 1472626:  Memory - corruptions  (OVERRUN)
/bfdd/ptm_adapter.c: 387 in _ptm_msg_read()
381     			return -1;
382     		}
383     
384     		bpc->bpc_has_localif = ifnamelen > 0;
385     		if (bpc->bpc_has_localif) {
386     			STREAM_GET(bpc->bpc_localif, msg, ifnamelen);
>>>     CID 1472626:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "bpc->bpc_localif" of 33 bytes at byte offset 33 using index "ifnamelen" (which evaluates to 33).
387     			bpc->bpc_localif[ifnamelen] = 0;
388     		}
389     	}
390     
391     	/* Sanity check: peer and local address must match IP types. */
392     	if (bpc->bpc_local.sa_sin.sin_family != 0

** CID 1472625:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 1472625:  Null pointer dereferences  (FORWARD_NULL)
/bfdd/bfdd_vty_clippy.c: 399 in bfd_no_peer()
393     	}
394     #if 1 /* anything that can fail? */
395     	if (_failcnt)
396     		return CMD_WARNING;
397     #endif
398     #endif
>>>     CID 1472625:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "peer_str" to "bfd_no_peer_magic", which dereferences it.
399     	return bfd_no_peer_magic(self, vty, argc, argv, peer, peer_str, local, local_str, ifname, vrfname);
400     }
401     
402     /* bfd_show_peers => "show bfd peers [json]" */
403     DEFUN_CMD_FUNC_DECL(bfd_show_peers)
404     #define funcdecl_bfd_show_peers static int bfd_show_peers_magic(\

** CID 1472624:  Control flow issues  (DEADCODE)
/bfdd/bfdd_vty.c: 728 in bfd_configure_peer()


________________________________________________________________________________________________________
*** CID 1472624:  Control flow issues  (DEADCODE)
/bfdd/bfdd_vty.c: 728 in bfd_configure_peer()
722     		bpc->bpc_local = *local;
723     
724     	if (peer) {
725     		bpc->bpc_peer = *peer;
726     	} else {
727     		/* Peer configuration is mandatory. */
>>>     CID 1472624:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "snprintf(ebuf, ebuflen, "no...".
728     		snprintf(ebuf, ebuflen, "no peer configured");
729     		return -1;
730     	}
731     
732     	bpc->bpc_mhop = mhop;
733     

** CID 1472623:  Uninitialized variables  (UNINIT)


________________________________________________________________________________________________________
*** CID 1472623:  Uninitialized variables  (UNINIT)
/bfdd/bfd_packet.c: 990 in bfd_recv_cb()
984     	peer.family = AF_INET;
985     	strcpy(peer_addr, inet_ntoa(sin.sin_addr));
986     #endif
987     
988     	/* Implement RFC 5880 6.8.6 */
989     	if (mlen < BFD_PKT_LEN) {
>>>     CID 1472623:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized element of array "vrfname" when calling "cp_debug".
990     		cp_debug(is_mhop, &peer, &local, port, vrfname,
991     			 "too small (%ld bytes)", mlen);
992     		return 0;
993     	}
994     
995     	/*

** CID 1472622:  Uninitialized variables  (UNINIT)
/bfdd/control.c: 517 in control_read()


________________________________________________________________________________________________________
*** CID 1472622:  Uninitialized variables  (UNINIT)
/bfdd/control.c: 517 in control_read()
511     	bcb->bcb_pos += bread;
512     	bcb->bcb_left -= bread;
513     	/* We need more data, return to wait more. */
514     	if (bcb->bcb_left > 0)
515     		goto schedule_next_read;
516     
>>>     CID 1472622:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "bcm.bcm_type".
517     	switch (bcm.bcm_type) {
518     	case BMT_REQUEST_ADD:
519     		control_handle_request_add(bcs, bcb->bcb_bcm);
520     		break;
521     	case BMT_REQUEST_DEL:
522     		control_handle_request_del(bcs, bcb->bcb_bcm);
/bfdd/control.c: 537 in control_read()
531     		control_handle_notify_del(bcs, bcb->bcb_bcm);
532     		break;
533     
534     	default:
535     		log_debug("%s: unhandled message type: %d", __func__,
536     			  bcm.bcm_type);
>>>     CID 1472622:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "bcm.bcm_id" when calling "control_response".
537     		control_response(bcs, bcm.bcm_id, BCM_RESPONSE_ERROR,
538     				 "invalid message type");
539     		break;
540     	}
541     
542     	bcs->bcs_version = 0;

** CID 1472621:  Possible Control flow issues  (DEADCODE)
/bfdd/bfd_packet.c: 340 in ptm_bfd_echo_snd()


________________________________________________________________________________________________________
*** CID 1472621:  Possible Control flow issues  (DEADCODE)
/bfdd/bfd_packet.c: 340 in ptm_bfd_echo_snd()
334     		ep->ip.ip_sum = 0;
335     		ep->ip.ip_sum = checksum((uint16_t *)&ep->ip, IP_HDR_LEN);
336     #endif /* BFD_BSD */
337     	}
338     
339     	if (use_layer2) {
>>>     CID 1472621:  Possible Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "pkt = bfd->echo_pkt;".
340     		pkt = bfd->echo_pkt;
341     		pktlen = BFD_ECHO_PKT_TOT_LEN;
342     	} else {
343     		pkt = &bfd->echo_pkt[ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN];
344     		pktlen = BFD_ECHO_PKT_TOT_LEN
345     			 - (ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN);

** CID 1472620:  Possible Control flow issues  (DEADCODE)
/bfdd/bfd_packet.c: 1035 in bfd_recv_cb()


________________________________________________________________________________________________________
*** CID 1472620:  Possible Control flow issues  (DEADCODE)
/bfdd/bfd_packet.c: 1035 in bfd_recv_cb()
1029     		cp_debug(is_mhop, &peer, &local, port, vrfname,
1030     			 "no session found");
1031     		return 0;
1032     	}
1033     
1034     	/* Handle VxLAN cases. */
>>>     CID 1472620:  Possible Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "ptm_bfd_validate_vxlan_pkt(bfd, &vxlan_info)" inside this statement: "if (is_vxlan && !ptm_bfd_va...".
1035     	if (is_vxlan && !ptm_bfd_validate_vxlan_pkt(bfd, &vxlan_info))
1036     		return 0;
1037     
1038     	bfd->stats.rx_ctrl_pkt++;
1039     
1040     	/*

** CID 1472619:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 1472619:  Null pointer dereferences  (FORWARD_NULL)
/bfdd/bfdd_vty_clippy.c: 319 in bfd_peer_label()
313     	}
314     #if 0 /* anything that can fail? */
315     	if (_failcnt)
316     		return CMD_WARNING;
317     #endif
318     #endif
>>>     CID 1472619:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "label" to "bfd_peer_label_magic", which dereferences it.
319     	return bfd_peer_label_magic(self, vty, argc, argv, label);
320     }
321     
322     /* bfd_no_peer => "no peer <A.B.C.D|X:X::X:X>$peer [{multihop|local-address <A.B.C.D|X:X::X:X>$local|interface IFNAME$ifname|vrf NAME$vrfname}]" */
323     DEFUN_CMD_FUNC_DECL(bfd_no_peer)
324     #define funcdecl_bfd_no_peer static int bfd_no_peer_magic(\

** CID 1399484:  Null pointer dereferences  (NULL_RETURNS)
/tools/permutations.c: 39 in main()


________________________________________________________________________________________________________
*** CID 1399484:  Null pointer dereferences  (NULL_RETURNS)
/tools/permutations.c: 39 in main()
33     {
34     	if (argc < 2) {
35     		fprintf(stdout, USAGE "\n");
36     		exit(EXIT_SUCCESS);
37     	}
38     	struct cmd_element *cmd = calloc(1, sizeof(struct cmd_element));
>>>     CID 1399484:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a null pointer "cmd".
39     	cmd->string = strdup(argv[1]);
40     
41     	struct graph *graph = graph_new();
42     	struct cmd_token *token =
43     		cmd_token_new(START_TKN, cmd->attr, NULL, NULL);
44     	graph_new_node(graph, token, NULL);

** CID 1399196:  Error handling issues  (CHECKED_RETURN)
/tools/start-stop-daemon.c: 1028 in main()


________________________________________________________________________________________________________
*** CID 1399196:  Error handling issues  (CHECKED_RETURN)
/tools/start-stop-daemon.c: 1028 in main()
1022     		/* now close all extra fds */
1023     		for (i = getdtablesize() - 1; i >= 0; --i)
1024     			close(i);
1025     		/* change tty */
1026     		fd = open("/dev/tty", O_RDWR);
1027     		if (fd >= 0) {
>>>     CID 1399196:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "ioctl" without checking return value (as is done elsewhere 8 out of 10 times).
1028     			ioctl(fd, TIOCNOTTY, 0);
1029     			close(fd);
1030     		}
1031     		chdir("/");
1032     		umask(022);    /* set a default for dumb programs */
1033     		setpgid(0, 0); /* set the process group */


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRa7dJ8klHLUFWVd2fqpS-2B-2FHaN43B-2FQ11ntcKmbKat2WeHs8691VOJpZofPkpp-2BRBqc-3D_d-2Fi2nRutHp-2FDWtw8JRg-2Bc1m9CS4-2B5uVbodfDyLsp-2FJkXvDwt-2BRxwZ6qXlSXH0eCwel9EOGOLvz5sByn1HYQIFd50yooRhyGVJ7Q9mbJDqjsrFvpm8jlL24wGiNT-2FgmFeQ6exy22lI7qOhWl5LkV0vonr90l0Bm3zzKacdJUycAoD2s43Tsev4i6ZMjrPGx-2F109HRbVmDPblQBRREVKygHg-3D-3D



