[dev] New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Tue Feb 6 13:02:51 EST 2018
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
8 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 8 of 8 defect(s)
** CID 1464999: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/ospfd/ospf_ext.c: 1193 in ospf_ext_link_lsa_originate1()
________________________________________________________________________________________________________
*** CID 1464999: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/ospfd/ospf_ext.c: 1193 in ospf_ext_link_lsa_originate1()
1187 /* Flood new LSA through area. */
1188 ospf_flood_through_area(area, NULL /*nbr */, new);
1189
1190 if (IS_DEBUG_OSPF(lsa, LSA_GENERATE)) {
1191 char area_id[INET_ADDRSTRLEN];
1192
>>> CID 1464999: Memory - illegal accesses (BUFFER_SIZE_WARNING)
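>>> Calling strncpy with a maximum size argument of 16 bytes on destination array "area_id" of size 16 bytes might leave the destination string unterminated. strncpy() writes no terminating NUL when the source is 16 bytes or longer, in which case the "%s" in the zlog_debug() call below would read past the end of "area_id". inet_ntoa() output is at most 15 characters plus the NUL, so the copy is terminated today, but only because the two sizes happen to match; copying at most sizeof(area_id) - 1 bytes and terminating explicitly, or formatting with snprintf(), removes that dependency. The same pattern is reported in CID 1464993 and CID 1464997 below.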
1193 strncpy(area_id, inet_ntoa(area->area_id), INET_ADDRSTRLEN);
1194 zlog_debug(
1195 "EXT (%s): LSA[Type%u:%s]: Originate Opaque-LSA "
1196 "Extended Link Opaque LSA: Area(%s), Link(%s)",
1197 __func__, new->data->type, inet_ntoa(new->data->id),
1198 area_id, exti->ifp->name);
** CID 1464998: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1464998: Null pointer dereferences (FORWARD_NULL)
/ospfd/ospf_ext.c: 1396 in ospf_ext_pref_lsa_refresh()
1390 zlog_warn("EXT (%s): ospf_lsa_install() error", __func__);
1391 ospf_lsa_unlock(&new);
1392 return NULL;
1393 }
1394
1395 /* Flood updated LSA through the Prefix Area according to the RFC7684 */
>>> CID 1464998: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "area" to "ospf_flood_through_area", which dereferences it.
1396 ospf_flood_through_area(area, NULL /*nbr */, new);
1397
1398 /* Debug logging. */
1399 if (IS_DEBUG_OSPF(lsa, LSA_GENERATE)) {
1400 zlog_debug(
1401 "EXT (%s): LSA[Type%u:%s] Refresh Extended Prefix LSA",
** CID 1464997: (BUFFER_SIZE_WARNING)
/ospfd/ospf_sr.c: 2169 in show_vty_sr_node()
/ospfd/ospf_sr.c: 2183 in show_vty_sr_node()
________________________________________________________________________________________________________
*** CID 1464997: (BUFFER_SIZE_WARNING)
/ospfd/ospf_sr.c: 2169 in show_vty_sr_node()
2163 "\n\n Prefix or Link Label In Label Out "
2164 "Node or Adj. SID Interface Nexthop\n");
2165 vty_out(vty,
2166 "------------------ -------- --------- "
2167 "--------------------- --------- ---------------\n");
2168 for (ALL_LIST_ELEMENTS_RO(srn->ext_prefix, node, srp)) {
>>> CID 1464997: (BUFFER_SIZE_WARNING)
>>> Calling strncpy with a maximum size argument of 16 bytes on destination array "pref" of size 16 bytes might leave the destination string unterminated.
2169 strncpy(pref, inet_ntoa(srp->nhlfe.prefv4.prefix), 16);
2170 snprintf(sid, 22, "SR Pfx (idx %u)", srp->sid);
2171 if (srp->nhlfe.label_out == MPLS_IMP_NULL_LABEL)
2172 sprintf(label, "pop");
2173 else
2174 sprintf(label, "%u", srp->nhlfe.label_out);
/ospfd/ospf_sr.c: 2183 in show_vty_sr_node()
2177 srp->nhlfe.prefv4.prefixlen, srp->nhlfe.label_in, label,
2178 sid, itf ? itf->name : "-",
2179 inet_ntoa(srp->nhlfe.nexthop));
2180 }
2181
2182 for (ALL_LIST_ELEMENTS_RO(srn->ext_link, node, srl)) {
>>> CID 1464997: (BUFFER_SIZE_WARNING)
>>> Calling strncpy with a maximum size argument of 16 bytes on destination array "pref" of size 16 bytes might leave the destination string unterminated.
2183 strncpy(pref, inet_ntoa(srl->nhlfe[0].prefv4.prefix), 16);
2184 snprintf(sid, 22, "SR Adj. (lbl %u)", srl->sid[0]);
2185 if (srl->nhlfe[0].label_out == MPLS_IMP_NULL_LABEL)
2186 sprintf(label, "pop");
2187 else
2188 sprintf(label, "%u", srl->nhlfe[0].label_out);
** CID 1464996: Null pointer dereferences (REVERSE_INULL)
/ospfd/ospf_sr.c: 153 in sr_node_new()
________________________________________________________________________________________________________
*** CID 1464996: Null pointer dereferences (REVERSE_INULL)
/ospfd/ospf_sr.c: 153 in sr_node_new()
147 new->ext_link = list_new();
148 new->ext_prefix = list_new();
149 new->ext_link->del = del_sr_link;
150 new->ext_prefix->del = del_sr_pref;
151
152 /* Check if list are correctly created */
>>> CID 1464996: Null pointer dereferences (REVERSE_INULL)
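>>> Null-checking "new->ext_prefix" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. Lines 149-150 write through both list pointers before line 153 tests them, so if list_new() can return NULL the failure happens at the assignment and the cleanup branch at lines 154-157 never runs; the check has to come before the first dereference. CID 1464995 below reports the same for "new->ext_link".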
153 if (new->ext_link == NULL || new->ext_prefix == NULL) {
154 list_delete_original(new->ext_link);
155 list_delete_original(new->ext_prefix);
156 XFREE(MTYPE_OSPF_SR_PARAMS, new);
157 return NULL;
158 }
** CID 1464995: Null pointer dereferences (REVERSE_INULL)
/ospfd/ospf_sr.c: 153 in sr_node_new()
________________________________________________________________________________________________________
*** CID 1464995: Null pointer dereferences (REVERSE_INULL)
/ospfd/ospf_sr.c: 153 in sr_node_new()
147 new->ext_link = list_new();
148 new->ext_prefix = list_new();
149 new->ext_link->del = del_sr_link;
150 new->ext_prefix->del = del_sr_pref;
151
152 /* Check if list are correctly created */
>>> CID 1464995: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "new->ext_link" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
153 if (new->ext_link == NULL || new->ext_prefix == NULL) {
154 list_delete_original(new->ext_link);
155 list_delete_original(new->ext_prefix);
156 XFREE(MTYPE_OSPF_SR_PARAMS, new);
157 return NULL;
158 }
** CID 1464994: Null pointer dereferences (FORWARD_NULL)
/ospfd/ospf_sr.c: 443 in get_nexthop_by_addr()
________________________________________________________________________________________________________
*** CID 1464994: Null pointer dereferences (FORWARD_NULL)
/ospfd/ospf_sr.c: 443 in get_nexthop_by_addr()
437 struct ospf_route *or;
438 struct ospf_path *path;
439 struct listnode *node;
440 struct route_node *rn;
441
442 /* Sanity Check */
>>> CID 1464994: Null pointer dereferences (FORWARD_NULL)
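>>> Dereferencing null pointer "top". Because the two operands are joined with "&&", "top->new_table" is evaluated only when "top == NULL" is true, so the sanity check dereferences NULL in exactly the case it is meant to reject and never returns early for a non-NULL "top". The intended test is presumably "top == NULL || top->new_table == NULL".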
443 if ((top == NULL) && (top->new_table))
444 return NULL;
445
446 if (IS_DEBUG_OSPF_SR)
447 zlog_debug(" |- Search Nexthop for prefix %s/%u",
448 inet_ntoa(p.prefix), p.prefixlen);
** CID 1464993: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/ospfd/ospf_ext.c: 1143 in ospf_ext_pref_lsa_originate1()
________________________________________________________________________________________________________
*** CID 1464993: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/ospfd/ospf_ext.c: 1143 in ospf_ext_pref_lsa_originate1()
1137 /* Flood new LSA through area. */
1138 ospf_flood_through_area(area, NULL /*nbr */, new);
1139
1140 if (IS_DEBUG_OSPF(lsa, LSA_GENERATE)) {
1141 char area_id[INET_ADDRSTRLEN];
1142
>>> CID 1464993: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>> Calling strncpy with a maximum size argument of 16 bytes on destination array "area_id" of size 16 bytes might leave the destination string unterminated.
1143 strncpy(area_id, inet_ntoa(area->area_id), INET_ADDRSTRLEN);
1144 zlog_debug(
1145 "EXT (%s): LSA[Type%u:%s]: Originate Opaque-LSA "
1146 "Extended Prefix Opaque LSA: Area(%s), Link(%s)",
1147 __func__, new->data->type, inet_ntoa(new->data->id),
1148 area_id, exti->ifp->name);
** CID 1464992: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/ospfd/ospf_ext.c: 177 in ospf_ext_term()
________________________________________________________________________________________________________
*** CID 1464992: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/ospfd/ospf_ext.c: 177 in ospf_ext_term()
171 * @param - none
172 * @return - none
173 */
174 void ospf_ext_term(void)
175 {
176
>>> CID 1464992: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
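>>> The "or" condition "OspfEXT.scope != 10 || OspfEXT.scope != 11" will always be true because "OspfEXT.scope" cannot be equal to two different values at the same time, so it must be not equal to at least one of them. As a result the zlog_warn() branch is taken on every call and the "else" branch at line 182 is unreachable; the intended operator is presumably "&&".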
177 if ((OspfEXT.scope != OSPF_OPAQUE_AREA_LSA)
178 || (OspfEXT.scope != OSPF_OPAQUE_AS_LSA))
179 zlog_warn(
180 "EXT: Unable to unregister Extended Prefix "
181 "Opaque LSA functions: Wrong scope!");
182 else
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRa7dJ8klHLUFWVd2fqpS-2B-2FHaN43B-2FQ11ntcKmbKat2WeHs8691VOJpZofPkpp-2BRBqc-3D_d-2Fi2nRutHp-2FDWtw8JRg-2Bc1m9CS4-2B5uVbodfDyLsp-2FJlGRRBApKIrCi6WCqY0KZjcmag2-2FP4XZ07o6F86BXaWnuh9p5XSP0tRw2nvhd5xLnr-2Bss2P920Uisf9cRNOqW4C2JYDN-2BhIU4dtBrXISNZnJZ5y8cNlzeSK9rg1-2FBbhTAoeq1UNG8ehBPRBOOU2ZtYSkqyRisx01Yx91gxBVftCfQ-3D-3D