[dev] New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Wed Aug 15 09:40:23 EDT 2018
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
15 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 15 of 15 defect(s)
** CID 1472631: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1472631: Null pointer dereferences (FORWARD_NULL)
/bfdd/bfdd_vty_clippy.c: 522 in bfd_show_peer()
516 }
517 #if 1 /* anything that can fail? */
518 if (_failcnt)
519 return CMD_WARNING;
520 #endif
521 #endif
>>> CID 1472631: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "peer_str" to "bfd_show_peer_magic", which dereferences it.
522 return bfd_show_peer_magic(self, vty, argc, argv, label, peer, peer_str, local, local_str, ifname, vrfname);
** CID 1472630: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 1472630: Uninitialized variables (UNINIT)
/bfdd/bfd_packet.c: 990 in bfd_recv_cb()
984 peer.family = AF_INET;
985 strcpy(peer_addr, inet_ntoa(sin.sin_addr));
986 #endif
987
988 /* Implement RFC 5880 6.8.6 */
989 if (mlen < BFD_PKT_LEN) {
>>> CID 1472630: Uninitialized variables (UNINIT)
>>> Using uninitialized element of array "port" when calling "cp_debug".
990 cp_debug(is_mhop, &peer, &local, port, vrfname,
991 "too small (%ld bytes)", mlen);
992 return 0;
993 }
994
995 /*
** CID 1472629: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1472629: Memory - corruptions (OVERRUN)
/bfdd/bfd_packet.c: 302 in ptm_bfd_echo_pkt_create()
296
297 /* Construct Echo packet information */
298 ep.data.ver = BFD_ECHO_VERSION;
299 ep.data.len = BFD_ECHO_PKT_LEN;
300 ep.data.my_discr = htonl(bfd->discrs.my_discr);
301 #ifdef BFD_LINUX
>>> CID 1472629: Memory - corruptions (OVERRUN)
>>> Overrunning struct type udphdr of 8 bytes by passing it to a function which accesses it at byte offset 31 using argument "32".
302 ep.udp.check =
303 #endif /* BFD_LINUX */
304 #ifdef BFD_BSD
305 ep.udp.uh_sum =
306 #endif /* BFD_BSD */
307 udp4_checksum(&ep.ip, (uint8_t *)&ep.udp,
** CID 1472628: Security best practices violations (DC.WEAK_CRYPTO)
/bfdd/bfd.c: 113 in ptm_bfd_start_xmt_timer()
________________________________________________________________________________________________________
*** CID 1472628: Security best practices violations (DC.WEAK_CRYPTO)
/bfdd/bfd.c: 113 in ptm_bfd_start_xmt_timer()
107 * between
108 * 75% and 100% of nominal value, unless detect_mult is 1, then should
109 * be
110 * between 75% and 90%.
111 */
112 maxpercent = (bfd->detect_mult == 1) ? 16 : 26;
>>> CID 1472628: Security best practices violations (DC.WEAK_CRYPTO)
>>> "random" should not be used for security related applications, as linear congruential algorithms are too easy to break.
113 jitter = (xmt_TO * (75 + (random() % maxpercent))) / 100;
114 /* XXX remove that division above */
115
116 if (is_echo)
117 bfd_echo_xmttimer_update(bfd, jitter);
118 else
** CID 1472627: Memory - illegal accesses (USE_AFTER_FREE)
/bfdd/control.c: 322 in control_queue_dequeue()
________________________________________________________________________________________________________
*** CID 1472627: Memory - illegal accesses (USE_AFTER_FREE)
/bfdd/control.c: 322 in control_queue_dequeue()
316 control_queue_free(bcs, bcq);
317
318 /* Get the next buffer to send. */
319 if (TAILQ_EMPTY(&bcs->bcs_bcqueue))
320 goto empty_list;
321
>>> CID 1472627: Memory - illegal accesses (USE_AFTER_FREE)
>>> Using freed pointer "bcs->bcs_bcqueue.tqh_first".
322 bcq = TAILQ_FIRST(&bcs->bcs_bcqueue);
323 bcs->bcs_bout = &bcq->bcq_bcb;
324
325 bcs->bcs_outev = NULL;
326 thread_add_write(master, control_write, bcs, bcs->bcs_sd,
327 &bcs->bcs_outev);
** CID 1472626: Memory - corruptions (OVERRUN)
/bfdd/ptm_adapter.c: 387 in _ptm_msg_read()
________________________________________________________________________________________________________
*** CID 1472626: Memory - corruptions (OVERRUN)
/bfdd/ptm_adapter.c: 387 in _ptm_msg_read()
381 return -1;
382 }
383
384 bpc->bpc_has_localif = ifnamelen > 0;
385 if (bpc->bpc_has_localif) {
386 STREAM_GET(bpc->bpc_localif, msg, ifnamelen);
>>> CID 1472626: Memory - corruptions (OVERRUN)
>>> Overrunning array "bpc->bpc_localif" of 33 bytes at byte offset 33 using index "ifnamelen" (which evaluates to 33).
387 bpc->bpc_localif[ifnamelen] = 0;
388 }
389 }
390
391 /* Sanity check: peer and local address must match IP types. */
392 if (bpc->bpc_local.sa_sin.sin_family != 0
** CID 1472625: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1472625: Null pointer dereferences (FORWARD_NULL)
/bfdd/bfdd_vty_clippy.c: 399 in bfd_no_peer()
393 }
394 #if 1 /* anything that can fail? */
395 if (_failcnt)
396 return CMD_WARNING;
397 #endif
398 #endif
>>> CID 1472625: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "peer_str" to "bfd_no_peer_magic", which dereferences it.
399 return bfd_no_peer_magic(self, vty, argc, argv, peer, peer_str, local, local_str, ifname, vrfname);
400 }
401
402 /* bfd_show_peers => "show bfd peers [json]" */
403 DEFUN_CMD_FUNC_DECL(bfd_show_peers)
404 #define funcdecl_bfd_show_peers static int bfd_show_peers_magic(\
** CID 1472624: Control flow issues (DEADCODE)
/bfdd/bfdd_vty.c: 728 in bfd_configure_peer()
________________________________________________________________________________________________________
*** CID 1472624: Control flow issues (DEADCODE)
/bfdd/bfdd_vty.c: 728 in bfd_configure_peer()
722 bpc->bpc_local = *local;
723
724 if (peer) {
725 bpc->bpc_peer = *peer;
726 } else {
727 /* Peer configuration is mandatory. */
>>> CID 1472624: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "snprintf(ebuf, ebuflen, "no...".
728 snprintf(ebuf, ebuflen, "no peer configured");
729 return -1;
730 }
731
732 bpc->bpc_mhop = mhop;
733
** CID 1472623: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 1472623: Uninitialized variables (UNINIT)
/bfdd/bfd_packet.c: 990 in bfd_recv_cb()
984 peer.family = AF_INET;
985 strcpy(peer_addr, inet_ntoa(sin.sin_addr));
986 #endif
987
988 /* Implement RFC 5880 6.8.6 */
989 if (mlen < BFD_PKT_LEN) {
>>> CID 1472623: Uninitialized variables (UNINIT)
>>> Using uninitialized element of array "vrfname" when calling "cp_debug".
990 cp_debug(is_mhop, &peer, &local, port, vrfname,
991 "too small (%ld bytes)", mlen);
992 return 0;
993 }
994
995 /*
** CID 1472622: (UNINIT)
/bfdd/control.c: 517 in control_read()
________________________________________________________________________________________________________
*** CID 1472622: (UNINIT)
/bfdd/control.c: 517 in control_read()
511 bcb->bcb_pos += bread;
512 bcb->bcb_left -= bread;
513 /* We need more data, return to wait more. */
514 if (bcb->bcb_left > 0)
515 goto schedule_next_read;
516
>>> CID 1472622: (UNINIT)
>>> Using uninitialized value "bcm.bcm_type".
517 switch (bcm.bcm_type) {
518 case BMT_REQUEST_ADD:
519 control_handle_request_add(bcs, bcb->bcb_bcm);
520 break;
521 case BMT_REQUEST_DEL:
522 control_handle_request_del(bcs, bcb->bcb_bcm);
/bfdd/control.c: 537 in control_read()
531 control_handle_notify_del(bcs, bcb->bcb_bcm);
532 break;
533
534 default:
535 log_debug("%s: unhandled message type: %d", __func__,
536 bcm.bcm_type);
>>> CID 1472622: (UNINIT)
>>> Using uninitialized value "bcm.bcm_id" when calling "control_response".
537 control_response(bcs, bcm.bcm_id, BCM_RESPONSE_ERROR,
538 "invalid message type");
539 break;
540 }
541
542 bcs->bcs_version = 0;
** CID 1472621: Possible Control flow issues (DEADCODE)
/bfdd/bfd_packet.c: 340 in ptm_bfd_echo_snd()
________________________________________________________________________________________________________
*** CID 1472621: Possible Control flow issues (DEADCODE)
/bfdd/bfd_packet.c: 340 in ptm_bfd_echo_snd()
334 ep->ip.ip_sum = 0;
335 ep->ip.ip_sum = checksum((uint16_t *)&ep->ip, IP_HDR_LEN);
336 #endif /* BFD_BSD */
337 }
338
339 if (use_layer2) {
>>> CID 1472621: Possible Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "pkt = bfd->echo_pkt;".
340 pkt = bfd->echo_pkt;
341 pktlen = BFD_ECHO_PKT_TOT_LEN;
342 } else {
343 pkt = &bfd->echo_pkt[ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN];
344 pktlen = BFD_ECHO_PKT_TOT_LEN
345 - (ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN);
** CID 1472620: Possible Control flow issues (DEADCODE)
/bfdd/bfd_packet.c: 1035 in bfd_recv_cb()
________________________________________________________________________________________________________
*** CID 1472620: Possible Control flow issues (DEADCODE)
/bfdd/bfd_packet.c: 1035 in bfd_recv_cb()
1029 cp_debug(is_mhop, &peer, &local, port, vrfname,
1030 "no session found");
1031 return 0;
1032 }
1033
1034 /* Handle VxLAN cases. */
>>> CID 1472620: Possible Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "ptm_bfd_validate_vxlan_pkt(bfd, &vxlan_info)" inside this statement: "if (is_vxlan && !ptm_bfd_va...".
1035 if (is_vxlan && !ptm_bfd_validate_vxlan_pkt(bfd, &vxlan_info))
1036 return 0;
1037
1038 bfd->stats.rx_ctrl_pkt++;
1039
1040 /*
** CID 1472619: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1472619: Null pointer dereferences (FORWARD_NULL)
/bfdd/bfdd_vty_clippy.c: 319 in bfd_peer_label()
313 }
314 #if 0 /* anything that can fail? */
315 if (_failcnt)
316 return CMD_WARNING;
317 #endif
318 #endif
>>> CID 1472619: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "label" to "bfd_peer_label_magic", which dereferences it.
319 return bfd_peer_label_magic(self, vty, argc, argv, label);
320 }
321
322 /* bfd_no_peer => "no peer <A.B.C.D|X:X::X:X>$peer [{multihop|local-address <A.B.C.D|X:X::X:X>$local|interface IFNAME$ifname|vrf NAME$vrfname}]" */
323 DEFUN_CMD_FUNC_DECL(bfd_no_peer)
324 #define funcdecl_bfd_no_peer static int bfd_no_peer_magic(\
** CID 1399484: Null pointer dereferences (NULL_RETURNS)
/tools/permutations.c: 39 in main()
________________________________________________________________________________________________________
*** CID 1399484: Null pointer dereferences (NULL_RETURNS)
/tools/permutations.c: 39 in main()
33 {
34 if (argc < 2) {
35 fprintf(stdout, USAGE "\n");
36 exit(EXIT_SUCCESS);
37 }
38 struct cmd_element *cmd = calloc(1, sizeof(struct cmd_element));
>>> CID 1399484: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a null pointer "cmd".
39 cmd->string = strdup(argv[1]);
40
41 struct graph *graph = graph_new();
42 struct cmd_token *token =
43 cmd_token_new(START_TKN, cmd->attr, NULL, NULL);
44 graph_new_node(graph, token, NULL);
** CID 1399196: Error handling issues (CHECKED_RETURN)
/tools/start-stop-daemon.c: 1028 in main()
________________________________________________________________________________________________________
*** CID 1399196: Error handling issues (CHECKED_RETURN)
/tools/start-stop-daemon.c: 1028 in main()
1022 /* now close all extra fds */
1023 for (i = getdtablesize() - 1; i >= 0; --i)
1024 close(i);
1025 /* change tty */
1026 fd = open("/dev/tty", O_RDWR);
1027 if (fd >= 0) {
>>> CID 1399196: Error handling issues (CHECKED_RETURN)
>>> Calling "ioctl" without checking return value (as is done elsewhere 8 out of 10 times).
1028 ioctl(fd, TIOCNOTTY, 0);
1029 close(fd);
1030 }
1031 chdir("/");
1032 umask(022); /* set a default for dumb programs */
1033 setpgid(0, 0); /* set the process group */
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRa7dJ8klHLUFWVd2fqpS-2B-2FHaN43B-2FQ11ntcKmbKat2WeHs8691VOJpZofPkpp-2BRBqc-3D_d-2Fi2nRutHp-2FDWtw8JRg-2Bc1m9CS4-2B5uVbodfDyLsp-2FJkXvDwt-2BRxwZ6qXlSXH0eCwel9EOGOLvz5sByn1HYQIFd50yooRhyGVJ7Q9mbJDqjsrFvpm8jlL24wGiNT-2FgmFeQ6exy22lI7qOhWl5LkV0vonr90l0Bm3zzKacdJUycAoD2s43Tsev4i6ZMjrPGx-2F109HRbVmDPblQBRREVKygHg-3D-3D