[dev] New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com scan-admin at coverity.com
Mon Jun 11 11:53:14 EDT 2018


Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

6 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)


** CID 1469898:  Uninitialized variables  (UNINIT)


________________________________________________________________________________________________________
*** CID 1469898:  Uninitialized variables  (UNINIT)
/lib/command.c: 270 in argv_concat()
264     	int cnt = argc - shift;
265     	const char *argstr[cnt];
266     
267     	for (int i = 0; i < cnt; i++)
268     		argstr[i] = argv[i + shift]->arg;
269     
>>>     CID 1469898:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized element of array "argstr" when calling "frrstr_join".
270     	return frrstr_join(argstr, cnt, " ");
271     }
272     
273     vector cmd_make_strvec(const char *string)
274     {
275     	if (!string)

** CID 1469897:  Memory - corruptions  (OVERRUN)
/bgpd/bgp_route.c: 6978 in route_vty_out_tag()


________________________________________________________________________________________________________
*** CID 1469897:  Memory - corruptions  (OVERRUN)
/bgpd/bgp_route.c: 6978 in route_vty_out_tag()
6972     			} else if (attr->mp_nexthop_len
6973     				   == BGP_ATTR_NHLEN_IPV6_GLOBAL_AND_LL) {
6974     				if (json) {
6975     					inet_ntop(AF_INET6,
6976     						  &attr->mp_nexthop_global,
6977     						  buf_a, BUFSIZ);
>>>     CID 1469897:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "buf_b" of 512 bytes by passing it to a function which accesses it at byte offset 8191 using argument "8192U".
6978     					inet_ntop(AF_INET6,
6979     						  &attr->mp_nexthop_local,
6980     						  buf_b, BUFSIZ);
6981     					sprintf(buf_c, "%s(%s)", buf_a, buf_b);
6982     					json_object_string_add(
6983     						json_out,

** CID 1469896:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 1469896:  Null pointer dereferences  (FORWARD_NULL)
/vtysh/vtysh.c: 556 in vtysh_execute_func()
550     
551     				if (vline == NULL && vty->is_paged) {
552     					vty_close_pager(vty);
553     					return CMD_SUCCESS;
554     				}
555     
>>>     CID 1469896:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "vline" to "cmd_execute_command", which dereferences it.
556     				ret = cmd_execute_command(vline, vty, &cmd, 1);
557     				cmd_free_strvec(vline);
558     				if (ret != CMD_SUCCESS_DAEMON)
559     					break;
560     			} else if (cmd->func) {
561     				(*cmd->func)(cmd, vty, 0, NULL);

** CID 1469895:  Null pointer dereferences  (FORWARD_NULL)
/lib/vty.c: 129 in vty_set_include()


________________________________________________________________________________________________________
*** CID 1469895:  Null pointer dereferences  (FORWARD_NULL)
/lib/vty.c: 129 in vty_set_include()
123     	if (!regexp && vty->filter) {
124     		regfree(&vty->include);
125     		vty->filter = false;
126     		return true;
127     	}
128     
>>>     CID 1469895:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "regexp" to "regcomp", which dereferences it.
129     	errcode = regcomp(&vty->include, regexp,
130     			  REG_EXTENDED | REG_NEWLINE | REG_NOSUB);
131     	if (errcode) {
132     		ret = false;
133     		regerror(ret, &vty->include, errbuf, sizeof(errbuf));
134     		vty_out(vty, "%% Regex compilation error: %s", errbuf);

** CID 1469894:  Null pointer dereferences  (NULL_RETURNS)
/lib/command.c: 1216 in handle_pipe_action()


________________________________________________________________________________________________________
*** CID 1469894:  Null pointer dereferences  (NULL_RETURNS)
/lib/command.c: 1216 in handle_pipe_action()
1210     
1211     		if (!succ) {
1212     			vty_out(vty, "%% Bad regexp '%s'\n", regexp);
1213     			goto fail;
1214     		}
1215     		*cmd_out = XSTRDUP(MTYPE_TMP, cmd_in);
>>>     CID 1469894:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a null pointer "strstr(*cmd_out, "|")".
1216     		*(strstr(*cmd_out, "|")) = '\0';
1217     	} else {
1218     		vty_out(vty, "%% Unknown action '%s'\n", token);
1219     		goto fail;
1220     	}
1221     

** CID 1469893:  Memory - corruptions  (OVERRUN)
/bgpd/bgp_route.c: 6975 in route_vty_out_tag()


________________________________________________________________________________________________________
*** CID 1469893:  Memory - corruptions  (OVERRUN)
/bgpd/bgp_route.c: 6975 in route_vty_out_tag()
6969     							AF_INET6,
6970     							&attr->mp_nexthop_global,
6971     							buf_a, BUFSIZ));
6972     			} else if (attr->mp_nexthop_len
6973     				   == BGP_ATTR_NHLEN_IPV6_GLOBAL_AND_LL) {
6974     				if (json) {
>>>     CID 1469893:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "buf_a" of 512 bytes by passing it to a function which accesses it at byte offset 8191 using argument "8192U".
6975     					inet_ntop(AF_INET6,
6976     						  &attr->mp_nexthop_global,
6977     						  buf_a, BUFSIZ);
6978     					inet_ntop(AF_INET6,
6979     						  &attr->mp_nexthop_local,
6980     						  buf_b, BUFSIZ);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRa7dJ8klHLUFWVd2fqpS-2B-2FHaN43B-2FQ11ntcKmbKat2WeHs8691VOJpZofPkpp-2BRBqc-3D_d-2Fi2nRutHp-2FDWtw8JRg-2Bc1m9CS4-2B5uVbodfDyLsp-2FJlZwukMp6Bk4JKeKPG1HI-2FVbPjLfRWHglruetYozJ8WBBXHMUeGOaeEg0yD-2FhdxmNH5E5IkYWliKi-2B4yY75dl-2BXbSnc-2BUbkzvZ0vC0fqJDL5yvRF032ts4f4La4LQMkFFRWXMVq1QQZ6hX92SL0rrjj4hyE-2Bo1te6aQ2ktZC4RsMA-3D-3D




More information about the dev mailing list