[dev] New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com scan-admin at coverity.com
Wed May 1 20:01:27 EDT 2019


Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

11 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 11 of 11 defect(s)


** CID 1479721:  Null pointer dereferences  (FORWARD_NULL)
/ripngd/ripng_interface.c: 187 in ripng_if_down()


________________________________________________________________________________________________________
*** CID 1479721:  Null pointer dereferences  (FORWARD_NULL)
/ripngd/ripng_interface.c: 187 in ripng_if_down()
181     
182     	if (ri->running) {
183     		if (IS_RIPNG_DEBUG_EVENT)
184     			zlog_debug("turn off %s", ifp->name);
185     
186     		/* Leave from multicast group. */
>>>     CID 1479721:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "ripng".
187     		ripng_multicast_leave(ifp, ripng->sock);
188     
189     		ri->running = 0;
190     	}
191     
192     	return 0;

** CID 1479720:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1479720:  Memory - corruptions  (OVERRUN)
/isisd/fabricd.c: 389 in fabricd_calculate_fabric_tier()
383     
384     	if (!furthest_from_remote) {
385     		zlog_info("OpenFabric: Found no furthest node in remote spf");
386     		isis_spftree_del(remote_tree);
387     		return ISIS_TIER_UNDEFINED;
388     	} else {
>>>     CID 1479720:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "furthest_from_remote->N.id" of 7 bytes by passing it to a function which accesses it at byte offset 7.
389     		zlog_info("OpenFabric: Found %s as furthest from remote dist == %"
390     			  PRIu32, rawlspid_print(furthest_from_remote->N.id),
391     			  furthest_from_remote->d_N);
392     	}
393     
394     	int64_t tier = furthest_from_remote->d_N - furthest_t0->d_N;

** CID 1479719:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 1479719:  Null pointer dereferences  (FORWARD_NULL)
/pimd/pim_vxlan.c: 351 in pim_vxlan_orig_mr_up_add()
345     			nht_p.u.prefix4 = up->upstream_addr;
346     			pim_delete_tracked_nexthop(vxlan_sg->pim,
347     				&nht_p, up, NULL);
348     		}
349     		pim_upstream_ref(up, flags, __PRETTY_FUNCTION__);
350     		vxlan_sg->up = up;
>>>     CID 1479719:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing "vxlan_sg" to "pim_vxlan_orig_mr_up_iif_update", which dereferences null "vxlan_sg->iif".
351     		pim_vxlan_orig_mr_up_iif_update(vxlan_sg);
352     	} else {
353     		up = pim_upstream_add(vxlan_sg->pim, &vxlan_sg->sg,
354     				vxlan_sg->iif, flags,
355     				__PRETTY_FUNCTION__, NULL);
356     		vxlan_sg->up = up;

** CID 1479718:    (BUFFER_SIZE_WARNING)
/zebra/zebra_dplane.c: 1709 in intf_addr_update_internal()
/zebra/zebra_dplane.c: 1737 in intf_addr_update_internal()


________________________________________________________________________________________________________
*** CID 1479718:    (BUFFER_SIZE_WARNING)
/zebra/zebra_dplane.c: 1709 in intf_addr_update_internal()
1703     	zns = zebra_ns_lookup(ifp->vrf_id);
1704     	dplane_ctx_ns_init(ctx, zns, false);
1705     
1706     	/* Init the interface-addr-specific area */
1707     	memset(&ctx->u.intf, 0, sizeof(ctx->u.intf));
1708     
>>>     CID 1479718:    (BUFFER_SIZE_WARNING)
>>>     Calling strncpy with a maximum size argument of 20 bytes on destination array "ctx->u.intf.ifname" of size 20 bytes might leave the destination string unterminated.
1709     	strncpy(ctx->u.intf.ifname, ifp->name, sizeof(ctx->u.intf.ifname));
1710     	ctx->u.intf.ifindex = ifp->ifindex;
1711     	ctx->u.intf.prefix = *(ifc->address);
1712     
1713     	if (if_is_broadcast(ifp))
1714     		ctx->u.intf.flags |= DPLANE_INTF_BROADCAST;
/zebra/zebra_dplane.c: 1737 in intf_addr_update_internal()
1731     		ctx->u.intf.flags |= DPLANE_INTF_HAS_LABEL;
1732     
1733     		/* Use embedded buffer if it's adequate; else allocate. */
1734     		len = strlen(ifc->label);
1735     
1736     		if (len < sizeof(ctx->u.intf.label_buf)) {
>>>     CID 1479718:    (BUFFER_SIZE_WARNING)
>>>     Calling strncpy with a maximum size argument of 32 bytes on destination array "ctx->u.intf.label_buf" of size 32 bytes might leave the destination string unterminated.
1737     			strncpy(ctx->u.intf.label_buf, ifc->label,
1738     				sizeof(ctx->u.intf.label_buf));
1739     			ctx->u.intf.label = ctx->u.intf.label_buf;
1740     		} else {
1741     			ctx->u.intf.label = strdup(ifc->label);
1742     		}

** CID 1479717:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 1479717:  Null pointer dereferences  (FORWARD_NULL)
/pimd/pim_vxlan.c: 947 in pim_vxlan_term_mr_oif_update()
941     	if (PIM_DEBUG_VXLAN)
942     		zlog_debug("vxlan SG %s term oif changed from %s to %s",
943     			vxlan_sg->sg_str,
944     			vxlan_sg->term_oif ? vxlan_sg->term_oif->name : "-",
945     			ifp ? ifp->name : "-");
946     
>>>     CID 1479717:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing "vxlan_sg" to "pim_vxlan_term_mr_del", which dereferences null "vxlan_sg->term_oif".
947     	pim_vxlan_term_mr_del(vxlan_sg);
948     	vxlan_sg->term_oif = ifp;
949     	pim_vxlan_term_mr_add(vxlan_sg);
950     }
951     
952     void pim_vxlan_add_term_dev(struct pim_instance *pim,

** CID 1479716:  Null pointer dereferences  (REVERSE_INULL)
/pimd/pim_vxlan.c: 267 in pim_vxlan_orig_mr_up_iif_update()


________________________________________________________________________________________________________
*** CID 1479716:  Null pointer dereferences  (REVERSE_INULL)
/pimd/pim_vxlan.c: 267 in pim_vxlan_orig_mr_up_iif_update()
261     		pim_scan_individual_oil(vxlan_sg->up->channel_oil,
262     				vif_index);
263     
264     	if (PIM_DEBUG_VXLAN)
265     		zlog_debug("vxlan SG %s orig mroute-up updated with iif %s vifi %d",
266     			vxlan_sg->sg_str,
>>>     CID 1479716:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "vxlan_sg->iif" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
267     			vxlan_sg->iif?vxlan_sg->iif->name:"-", vif_index);
268     
269     }
270     
271     /* For every VxLAN BUM multicast group we setup a SG-up that has the following
272      * "forced properties" -

** CID 1479715:  API usage errors  (USE_AFTER_FREE)
/ospfd/ospf_network.c: 239 in ospf_sock_init()


________________________________________________________________________________________________________
*** CID 1479715:  API usage errors  (USE_AFTER_FREE)
/ospfd/ospf_network.c: 239 in ospf_sock_init()
233     		if (ret < 0)
234     			flog_err(EC_LIB_SOCKET,
235     				 "Can't set pktinfo option for fd %d",
236     				 ospf_sock);
237     	}
238     
>>>     CID 1479715:  API usage errors  (USE_AFTER_FREE)
>>>     Passing closed handle "ospf_sock" as an argument to "setsockopt_so_sendbuf".
239     	setsockopt_so_sendbuf(ospf_sock, bufsize);
240     	setsockopt_so_recvbuf(ospf_sock, bufsize);
241     
242     	ospf->fd = ospf_sock;
243     	return ret;

** CID 1479714:  Security best practices violations  (DC.WEAK_CRYPTO)
/lib/typesafe.c: 194 in typesafe_skiplist_add()


________________________________________________________________________________________________________
*** CID 1479714:  Security best practices violations  (DC.WEAK_CRYPTO)
/lib/typesafe.c: 194 in typesafe_skiplist_add()
188     {
189     	size_t level = SKIPLIST_MAXDEPTH, newlevel, auxlevel;
190     	struct sskip_item *prev = &head->hitem, *next, *auxprev, *auxnext;
191     	int cmpval;
192     
193     	/* level / newlevel are 1-counted here */
>>>     CID 1479714:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "random" should not be used for security related applications, as linear congruential algorithms are too easy to break.
194     	newlevel = __builtin_ctz(random()) + 1;
195     	if (newlevel > SKIPLIST_MAXDEPTH)
196     		newlevel = SKIPLIST_MAXDEPTH;
197     
198     	next = NULL;
199     	while (level >= newlevel) {

** CID 1479713:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 1479713:  Null pointer dereferences  (FORWARD_NULL)
/zebra/zebra_vty_clippy.c: 208 in show_ip_nht()
202     	}
203     #if 1 /* anything that can fail? */
204     	if (_failcnt)
205     		return CMD_WARNING;
206     #endif
207     #endif
>>>     CID 1479713:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "type" to "show_ip_nht_magic", which dereferences it.
208     	return show_ip_nht_magic(self, vty, argc, argv, ipv4, ipv6, type, addr, addr_str, vrf_name, vrf_all);
209     }
210     
211     /* show_route => "show         <	  ip$ipv4 <fib$fib|route> [vrf <NAME$vrf_name|all$vrf_all>]	   [{	    tag (1-4294967295)	    |A.B.C.D/M$prefix longer-prefixes	    |supernets-only$supernets_only	   }]	   [<	    RR_IP_REDIST_STR_ZEBR$type_str	    |ospf$type_str (1-65535)$ospf_instance_id	   >]          |ipv6$ipv6 <fib$fib|route> [vrf <NAME$vrf_name|all$vrf_all>]	   [{	    tag (1-4294967295)	    |X:X::X:X/M$prefix longer-prefixes	   }]	   [RR_IP6_REDIST_STR_ZEBR$type_str]	 >        [json$json]" */
212     DEFUN_CMD_FUNC_DECL(show_route)
213     #define funcdecl_show_route static int show_route_magic(\

** CID 1479712:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1479712:  Memory - corruptions  (OVERRUN)
/isisd/fabricd.c: 375 in fabricd_calculate_fabric_tier()
369     
370     	if (!second_furthest_t0) {
371     		zlog_info("OpenFabric: Could not find two T0 routers");
372     		return ISIS_TIER_UNDEFINED;
373     	}
374     
>>>     CID 1479712:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "furthest_t0->N.id" of 7 bytes by passing it to a function which accesses it at byte offset 7.
375     	zlog_info("OpenFabric: Found %s as furthest t0 from local system, dist == %"
376     		  PRIu32, rawlspid_print(furthest_t0->N.id), furthest_t0->d_N);
377     
378     	struct isis_spftree *remote_tree =
379     		isis_run_hopcount_spf(area, furthest_t0->N.id, NULL);
380     

** CID 1479711:  Error handling issues  (CHECKED_RETURN)
/pimd/pim_zebra.c: 1012 in igmp_source_forward_start()


________________________________________________________________________________________________________
*** CID 1479711:  Error handling issues  (CHECKED_RETURN)
/pimd/pim_zebra.c: 1012 in igmp_source_forward_start()
1006     			grp.u.prefix4 = sg.grp;
1007     
1008     			up = pim_upstream_find(pim, &sg);
1009     			if (up) {
1010     				memcpy(&nexthop, &up->rpf.source_nexthop,
1011     				       sizeof(struct pim_nexthop));
>>>     CID 1479711:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "pim_ecmp_nexthop_lookup" without checking return value (as is done elsewhere 8 out of 9 times).
1012     				pim_ecmp_nexthop_lookup(pim, &nexthop, &src,
1013     							&grp, 0);
1014     				if (nexthop.interface)
1015     					input_iface_vif_index =
1016     						pim_if_find_vifindex_by_ifindex(
1017     							pim,


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRa7dJ8klHLUFWVd2fqpS-2B-2FHaN43B-2FQ11ntcKmbKat2WeDU1AdI-2FBBrnda9ub5tlg3U-3D_d-2Fi2nRutHp-2FDWtw8JRg-2Bc1m9CS4-2B5uVbodfDyLsp-2FJlZ3sZQJcea8DAsf4Yiv9RSh4TzCh4i-2B-2B7T5M6uzKd-2Fp8JF9ia444lKeDn4fYd13a6Q-2B8Ww9zr49U3z6zyIN7UmG-2FD9ujZ5iCXWsz0CrBQSAqC5gx6F2egKK3fqysBEHMFM-2FRdY6NZIoadGBBPztJd13FcskIsrSnBAywXDDD380A-3D-3D



