[dev] New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Wed May 1 20:01:27 EDT 2019
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
11 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 11 of 11 defect(s)
** CID 1479721: Null pointer dereferences (FORWARD_NULL)
/ripngd/ripng_interface.c: 187 in ripng_if_down()
________________________________________________________________________________________________________
*** CID 1479721: Null pointer dereferences (FORWARD_NULL)
/ripngd/ripng_interface.c: 187 in ripng_if_down()
181
182 if (ri->running) {
183 if (IS_RIPNG_DEBUG_EVENT)
184 zlog_debug("turn off %s", ifp->name);
185
186 /* Leave from multicast group. */
>>> CID 1479721: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "ripng".
187 ripng_multicast_leave(ifp, ripng->sock);
188
189 ri->running = 0;
190 }
191
192 return 0;
** CID 1479720: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1479720: Memory - corruptions (OVERRUN)
/isisd/fabricd.c: 389 in fabricd_calculate_fabric_tier()
383
384 if (!furthest_from_remote) {
385 zlog_info("OpenFabric: Found no furthest node in remote spf");
386 isis_spftree_del(remote_tree);
387 return ISIS_TIER_UNDEFINED;
388 } else {
>>> CID 1479720: Memory - corruptions (OVERRUN)
>>> Overrunning array "furthest_from_remote->N.id" of 7 bytes by passing it to a function which accesses it at byte offset 7 (valid offsets are 0-6, so the access is one byte past the end of the array).
389 zlog_info("OpenFabric: Found %s as furthest from remote dist == %"
390 PRIu32, rawlspid_print(furthest_from_remote->N.id),
391 furthest_from_remote->d_N);
392 }
393
394 int64_t tier = furthest_from_remote->d_N - furthest_t0->d_N;
** CID 1479719: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1479719: Null pointer dereferences (FORWARD_NULL)
/pimd/pim_vxlan.c: 351 in pim_vxlan_orig_mr_up_add()
345 nht_p.u.prefix4 = up->upstream_addr;
346 pim_delete_tracked_nexthop(vxlan_sg->pim,
347 &nht_p, up, NULL);
348 }
349 pim_upstream_ref(up, flags, __PRETTY_FUNCTION__);
350 vxlan_sg->up = up;
>>> CID 1479719: Null pointer dereferences (FORWARD_NULL)
>>> Passing "vxlan_sg" to "pim_vxlan_orig_mr_up_iif_update", which dereferences null "vxlan_sg->iif".
351 pim_vxlan_orig_mr_up_iif_update(vxlan_sg);
352 } else {
353 up = pim_upstream_add(vxlan_sg->pim, &vxlan_sg->sg,
354 vxlan_sg->iif, flags,
355 __PRETTY_FUNCTION__, NULL);
356 vxlan_sg->up = up;
** CID 1479718: (BUFFER_SIZE_WARNING)
/zebra/zebra_dplane.c: 1709 in intf_addr_update_internal()
/zebra/zebra_dplane.c: 1737 in intf_addr_update_internal()
________________________________________________________________________________________________________
*** CID 1479718: (BUFFER_SIZE_WARNING)
/zebra/zebra_dplane.c: 1709 in intf_addr_update_internal()
1703 zns = zebra_ns_lookup(ifp->vrf_id);
1704 dplane_ctx_ns_init(ctx, zns, false);
1705
1706 /* Init the interface-addr-specific area */
1707 memset(&ctx->u.intf, 0, sizeof(ctx->u.intf));
1708
>>> CID 1479718: (BUFFER_SIZE_WARNING)
>>> Calling strncpy with a maximum size argument of 20 bytes on destination array "ctx->u.intf.ifname" of size 20 bytes might leave the destination string unterminated: strncpy appends no NUL when the source holds 20 or more characters.
1709 strncpy(ctx->u.intf.ifname, ifp->name, sizeof(ctx->u.intf.ifname));
1710 ctx->u.intf.ifindex = ifp->ifindex;
1711 ctx->u.intf.prefix = *(ifc->address);
1712
1713 if (if_is_broadcast(ifp))
1714 ctx->u.intf.flags |= DPLANE_INTF_BROADCAST;
/zebra/zebra_dplane.c: 1737 in intf_addr_update_internal()
1731 ctx->u.intf.flags |= DPLANE_INTF_HAS_LABEL;
1732
1733 /* Use embedded buffer if it's adequate; else allocate. */
1734 len = strlen(ifc->label);
1735
1736 if (len < sizeof(ctx->u.intf.label_buf)) {
>>> CID 1479718: (BUFFER_SIZE_WARNING)
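>>> Calling strncpy with a maximum size argument of 32 bytes on destination array "ctx->u.intf.label_buf" of size 32 bytes might leave the destination string unterminated. On this path the check at line 1736 (len < sizeof(ctx->u.intf.label_buf)) keeps the source shorter than the buffer, so strncpy pads the remainder with NULs; this instance needs triage before any change is made.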
1737 strncpy(ctx->u.intf.label_buf, ifc->label,
1738 sizeof(ctx->u.intf.label_buf));
1739 ctx->u.intf.label = ctx->u.intf.label_buf;
1740 } else {
1741 ctx->u.intf.label = strdup(ifc->label);
1742 }
** CID 1479717: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1479717: Null pointer dereferences (FORWARD_NULL)
/pimd/pim_vxlan.c: 947 in pim_vxlan_term_mr_oif_update()
941 if (PIM_DEBUG_VXLAN)
942 zlog_debug("vxlan SG %s term oif changed from %s to %s",
943 vxlan_sg->sg_str,
944 vxlan_sg->term_oif ? vxlan_sg->term_oif->name : "-",
945 ifp ? ifp->name : "-");
946
>>> CID 1479717: Null pointer dereferences (FORWARD_NULL)
>>> Passing "vxlan_sg" to "pim_vxlan_term_mr_del", which dereferences null "vxlan_sg->term_oif".
947 pim_vxlan_term_mr_del(vxlan_sg);
948 vxlan_sg->term_oif = ifp;
949 pim_vxlan_term_mr_add(vxlan_sg);
950 }
951
952 void pim_vxlan_add_term_dev(struct pim_instance *pim,
** CID 1479716: Null pointer dereferences (REVERSE_INULL)
/pimd/pim_vxlan.c: 267 in pim_vxlan_orig_mr_up_iif_update()
________________________________________________________________________________________________________
*** CID 1479716: Null pointer dereferences (REVERSE_INULL)
/pimd/pim_vxlan.c: 267 in pim_vxlan_orig_mr_up_iif_update()
261 pim_scan_individual_oil(vxlan_sg->up->channel_oil,
262 vif_index);
263
264 if (PIM_DEBUG_VXLAN)
265 zlog_debug("vxlan SG %s orig mroute-up updated with iif %s vifi %d",
266 vxlan_sg->sg_str,
>>> CID 1479716: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "vxlan_sg->iif" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
267 vxlan_sg->iif?vxlan_sg->iif->name:"-", vif_index);
268
269 }
270
271 /* For every VxLAN BUM multicast group we setup a SG-up that has the following
272 * "forced properties" -
** CID 1479715: API usage errors (USE_AFTER_FREE)
/ospfd/ospf_network.c: 239 in ospf_sock_init()
________________________________________________________________________________________________________
*** CID 1479715: API usage errors (USE_AFTER_FREE)
/ospfd/ospf_network.c: 239 in ospf_sock_init()
233 if (ret < 0)
234 flog_err(EC_LIB_SOCKET,
235 "Can't set pktinfo option for fd %d",
236 ospf_sock);
237 }
238
>>> CID 1479715: API usage errors (USE_AFTER_FREE)
>>> Passing closed handle "ospf_sock" as an argument to "setsockopt_so_sendbuf".
239 setsockopt_so_sendbuf(ospf_sock, bufsize);
240 setsockopt_so_recvbuf(ospf_sock, bufsize);
241
242 ospf->fd = ospf_sock;
243 return ret;
** CID 1479714: Security best practices violations (DC.WEAK_CRYPTO)
/lib/typesafe.c: 194 in typesafe_skiplist_add()
________________________________________________________________________________________________________
*** CID 1479714: Security best practices violations (DC.WEAK_CRYPTO)
/lib/typesafe.c: 194 in typesafe_skiplist_add()
188 {
189 size_t level = SKIPLIST_MAXDEPTH, newlevel, auxlevel;
190 struct sskip_item *prev = &head->hitem, *next, *auxprev, *auxnext;
191 int cmpval;
192
193 /* level / newlevel are 1-counted here */
>>> CID 1479714: Security best practices violations (DC.WEAK_CRYPTO)
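>>> "random" should not be used for security related applications, as linear congruential algorithms are too easy to break. In the flagged line the value only selects the level of a new skip-list node, so whether its predictability matters is a triage question. Separately, __builtin_ctz has an undefined result for an argument of 0, which random() can return.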
194 newlevel = __builtin_ctz(random()) + 1;
195 if (newlevel > SKIPLIST_MAXDEPTH)
196 newlevel = SKIPLIST_MAXDEPTH;
197
198 next = NULL;
199 while (level >= newlevel) {
** CID 1479713: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1479713: Null pointer dereferences (FORWARD_NULL)
/zebra/zebra_vty_clippy.c: 208 in show_ip_nht()
202 }
203 #if 1 /* anything that can fail? */
204 if (_failcnt)
205 return CMD_WARNING;
206 #endif
207 #endif
>>> CID 1479713: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "type" to "show_ip_nht_magic", which dereferences it.
208 return show_ip_nht_magic(self, vty, argc, argv, ipv4, ipv6, type, addr, addr_str, vrf_name, vrf_all);
209 }
210
211 /* show_route => "show < ip$ipv4 <fib$fib|route> [vrf <NAME$vrf_name|all$vrf_all>] [{ tag (1-4294967295) |A.B.C.D/M$prefix longer-prefixes |supernets-only$supernets_only }] [< RR_IP_REDIST_STR_ZEBR$type_str |ospf$type_str (1-65535)$ospf_instance_id >] |ipv6$ipv6 <fib$fib|route> [vrf <NAME$vrf_name|all$vrf_all>] [{ tag (1-4294967295) |X:X::X:X/M$prefix longer-prefixes }] [RR_IP6_REDIST_STR_ZEBR$type_str] > [json$json]" */
212 DEFUN_CMD_FUNC_DECL(show_route)
213 #define funcdecl_show_route static int show_route_magic(\
** CID 1479712: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1479712: Memory - corruptions (OVERRUN)
/isisd/fabricd.c: 375 in fabricd_calculate_fabric_tier()
369
370 if (!second_furthest_t0) {
371 zlog_info("OpenFabric: Could not find two T0 routers");
372 return ISIS_TIER_UNDEFINED;
373 }
374
>>> CID 1479712: Memory - corruptions (OVERRUN)
>>> Overrunning array "furthest_t0->N.id" of 7 bytes by passing it to a function which accesses it at byte offset 7 (valid offsets are 0-6, so the access is one byte past the end of the array).
375 zlog_info("OpenFabric: Found %s as furthest t0 from local system, dist == %"
376 PRIu32, rawlspid_print(furthest_t0->N.id), furthest_t0->d_N);
377
378 struct isis_spftree *remote_tree =
379 isis_run_hopcount_spf(area, furthest_t0->N.id, NULL);
380
** CID 1479711: Error handling issues (CHECKED_RETURN)
/pimd/pim_zebra.c: 1012 in igmp_source_forward_start()
________________________________________________________________________________________________________
*** CID 1479711: Error handling issues (CHECKED_RETURN)
/pimd/pim_zebra.c: 1012 in igmp_source_forward_start()
1006 grp.u.prefix4 = sg.grp;
1007
1008 up = pim_upstream_find(pim, &sg);
1009 if (up) {
1010 memcpy(&nexthop, &up->rpf.source_nexthop,
1011 sizeof(struct pim_nexthop));
>>> CID 1479711: Error handling issues (CHECKED_RETURN)
>>> Calling "pim_ecmp_nexthop_lookup" without checking return value (as is done elsewhere 8 out of 9 times).
1012 pim_ecmp_nexthop_lookup(pim, &nexthop, &src,
1013 &grp, 0);
1014 if (nexthop.interface)
1015 input_iface_vif_index =
1016 pim_if_find_vifindex_by_ifindex(
1017 pim,
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRa7dJ8klHLUFWVd2fqpS-2B-2FHaN43B-2FQ11ntcKmbKat2WeDU1AdI-2FBBrnda9ub5tlg3U-3D_d-2Fi2nRutHp-2FDWtw8JRg-2Bc1m9CS4-2B5uVbodfDyLsp-2FJlZ3sZQJcea8DAsf4Yiv9RSh4TzCh4i-2B-2B7T5M6uzKd-2Fp8JF9ia444lKeDn4fYd13a6Q-2B8Ww9zr49U3z6zyIN7UmG-2FD9ujZ5iCXWsz0CrBQSAqC5gx6F2egKK3fqysBEHMFM-2FRdY6NZIoadGBBPztJd13FcskIsrSnBAywXDDD380A-3D-3D