[dev] New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com scan-admin at coverity.com
Fri May 17 16:44:57 EDT 2019 

Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

5 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)


** CID 1480235:  Incorrect expression  (NO_EFFECT)
/vrrpd/vrrp.c: 1387 in vrrp_change_state_initialize()


________________________________________________________________________________________________________
*** CID 1480235:  Incorrect expression  (NO_EFFECT)
/vrrpd/vrrp.c: 1387 in vrrp_change_state_initialize()
1381      *
1382      * r
1383      *    VRRP Router to operate on
1384      */
1385     static void vrrp_change_state_initialize(struct vrrp_router *r)
1386     {
>>>     CID 1480235:  Incorrect expression  (NO_EFFECT)
>>>     Assigning "r->vr->advertisement_interval" to itself has no effect.
1387     	r->vr->advertisement_interval = r->vr->advertisement_interval;
1388     	r->master_adver_interval = 0;
1389     	vrrp_recalculate_timers(r);
1390     
1391     	r->advert_pending = false;
1392     	r->garp_pending = false;

** CID 1480234:  Integer handling issues  (NEGATIVE_RETURNS)


________________________________________________________________________________________________________
*** CID 1480234:  Integer handling issues  (NEGATIVE_RETURNS)
/vrrpd/vrrp_arp.c: 145 in vrrp_garp_send()
139     	       VRRP_LOGPFX VRRP_LOGPFX_VRID VRRP_LOGPFX_FAM
140     	       "Sending gratuitous ARP on %s for %s",
141     	       r->vr->vrid, family2str(r->family), ifp->name, astr);
142     	if (DEBUG_MODE_CHECK(&vrrp_dbg_arp, DEBUG_MODE_ALL))
143     		zlog_hexdump(garpbuf, garpbuf_len);
144     
>>>     CID 1480234:  Integer handling issues  (NEGATIVE_RETURNS)
>>>     "garpbuf_len" is passed to a parameter that cannot be negative.
145     	sent_len = vrrp_send_garp(ifp, garpbuf, garpbuf_len);
146     
147     	if (sent_len < 0)
148     		zlog_warn(VRRP_LOGPFX VRRP_LOGPFX_VRID VRRP_LOGPFX_FAM
149     			  "Error sending gratuitous ARP on %s for %s",
150     			  r->vr->vrid, family2str(r->family), ifp->name, astr);

** CID 1480233:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1480233:  Memory - corruptions  (OVERRUN)
/vrrpd/vrrp_ndisc.c: 142 in vrrp_ndisc_una_build()
136     	struct ipv6_ph ph = {};
137     
138     	ph.src = ip6h->ip6_src;
139     	ph.dst = ip6h->ip6_dst;
140     	ph.ulpl = htonl(len);
141     	ph.next_hdr = IPPROTO_ICMPV6;
>>>     CID 1480233:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type icmp6_hdr of 8 bytes by passing it to a function which accesses it at byte offset 31 using argument "len" (which evaluates to 32).
142     	icmp6h->icmp6_cksum = in_cksum_with_ph6(&ph, (void *)icmp6h, len);
143     
144     	return 0;
145     }
146     
147     int vrrp_ndisc_una_send(struct vrrp_router *r, struct ipaddr *ip)

** CID 1480232:  Uninitialized variables  (UNINIT)
/vrrpd/vrrp.c: 984 in vrrp_read()


________________________________________________________________________________________________________
*** CID 1480232:  Uninitialized variables  (UNINIT)
/vrrpd/vrrp.c: 984 in vrrp_read()
978     	m.msg_namelen = sizeof(sa);
979     	m.msg_iov = &iov;
980     	m.msg_iovlen = 1;
981     	m.msg_control = control;
982     	m.msg_controllen = sizeof(control);
983     
>>>     CID 1480232:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "m". Field "m.msg_flags" is uninitialized when calling "recvmsg".
984     	nbytes = recvmsg(r->sock_rx, &m, MSG_DONTWAIT);
985     
986     	if ((nbytes < 0 && ERRNO_IO_RETRY(errno))) {
987     		resched = true;
988     		goto done;
989     	} else if (nbytes <= 0) {

** CID 1480231:  Error handling issues  (CHECKED_RETURN)
/vrrpd/vrrp.c: 766 in vrrp_send_advertisement()


________________________________________________________________________________________________________
*** CID 1480231:  Error handling issues  (CHECKED_RETURN)
/vrrpd/vrrp.c: 766 in vrrp_send_advertisement()
760     
761     	if (DEBUG_MODE_CHECK(&vrrp_dbg_pkt, DEBUG_MODE_ALL))
762     		zlog_hexdump(pkt, (size_t)pktsz);
763     
764     	const char *group = r->family == AF_INET ? VRRP_MCASTV4_GROUP_STR
765     						 : VRRP_MCASTV6_GROUP_STR;
>>>     CID 1480231:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "str2sockunion" without checking return value (as is done elsewhere 26 out of 27 times).
766     	str2sockunion(group, &dest);
767     
768     	ssize_t sent = sendto(r->sock_tx, pkt, (size_t)pktsz, 0, &dest.sa,
769     			      sockunion_sizeof(&dest));
770     
771     	XFREE(MTYPE_VRRP_PKT, pkt);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRa7dJ8klHLUFWVd2fqpS-2B-2FHaN43B-2FQ11ntcKmbKat2WeDU1AdI-2FBBrnda9ub5tlg3U-3D_d-2Fi2nRutHp-2FDWtw8JRg-2Bc1m9CS4-2B5uVbodfDyLsp-2FJlQTCsA6cZsdoXjE8XtF5r1d76jGZPs-2FVN6XnCpU2VAAuxISlWFvvxobQEOTM7IFHCXapTHfzPH5Qry5IK3LC5M2gAxwKTOxdIEqwOBRVfasM1ETULo33KNY4rOScqBNBO6k2A2Eq1Yu88SngK1lGpBb7vI5nSECxHUmoLrW4f0qQ-3D-3D

More information about the dev mailing list