New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Fri Nov 15 07:51:23 EST 2019
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
7 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
13 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 7 of 7 defect(s)
** CID 1487863: Incorrect expression (DIVIDE_BY_ZERO)
________________________________________________________________________________________________________
*** CID 1487863: Incorrect expression (DIVIDE_BY_ZERO)
/bgpd/bgp_route.c: 12126 in bgp_damp_set()
12120 if (suppress < reuse) {
12121 vty_out(vty,
12122 "Suppress value cannot be less than reuse value \n");
12123 return 0;
12124 }
12125
>>> CID 1487863: Incorrect expression (DIVIDE_BY_ZERO)
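>>> In function call "bgp_damp_enable", division by expression "reuse" which may be zero has undefined behavior. The only check visible in this excerpt (line 12120) rejects suppress < reuse and does not exclude reuse == 0; whether the value is range-checked earlier in bgp_damp_set() is not shown here.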
12126 return bgp_damp_enable(bgp, bgp_node_afi(vty), bgp_node_safi(vty), half,
12127 reuse, suppress, max);
12128 }
12129
12130 DEFUN (bgp_damp_unset,
12131 bgp_damp_unset_cmd,
** CID 1487862: Incorrect expression (DIVIDE_BY_ZERO)
________________________________________________________________________________________________________
*** CID 1487862: Incorrect expression (DIVIDE_BY_ZERO)
/bgpd/bgp_damp.c: 171 in bgp_reuse_timer()
165 bgp_damp_info_free(bdi, 1, bdc->afi, bdc->safi);
166 else
167 BGP_DAMP_LIST_ADD(bdc, bdi);
168 } else
169 /* Re-insert into another list (See RFC2439 Section
170 * 4.8.6). */
>>> CID 1487862: Incorrect expression (DIVIDE_BY_ZERO)
>>> In function call "bgp_reuse_list_add", division by expression "bdc->reuse_limit" which may be zero has undefined behavior.
171 bgp_reuse_list_add(bdi, bdc);
172 }
173
174 return 0;
175 }
176
** CID 1487861: (DIVIDE_BY_ZERO)
________________________________________________________________________________________________________
*** CID 1487861: (DIVIDE_BY_ZERO)
/bgpd/bgp_route.c: 12126 in bgp_damp_set()
12120 if (suppress < reuse) {
12121 vty_out(vty,
12122 "Suppress value cannot be less than reuse value \n");
12123 return 0;
12124 }
12125
>>> CID 1487861: (DIVIDE_BY_ZERO)
>>> In function call "bgp_damp_enable", division by expression "half" which may be zero has undefined behavior.
12126 return bgp_damp_enable(bgp, bgp_node_afi(vty), bgp_node_safi(vty), half,
12127 reuse, suppress, max);
12128 }
12129
12130 DEFUN (bgp_damp_unset,
12131 bgp_damp_unset_cmd,
/bgpd/bgp_route.c: 12126 in bgp_damp_set()
12120 if (suppress < reuse) {
12121 vty_out(vty,
12122 "Suppress value cannot be less than reuse value \n");
12123 return 0;
12124 }
12125
>>> CID 1487861: (DIVIDE_BY_ZERO)
>>> In function call "bgp_damp_enable", division by expression "half" which may be zero has undefined behavior.
12126 return bgp_damp_enable(bgp, bgp_node_afi(vty), bgp_node_safi(vty), half,
12127 reuse, suppress, max);
12128 }
12129
12130 DEFUN (bgp_damp_unset,
12131 bgp_damp_unset_cmd,
** CID 1487860: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1487860: Memory - corruptions (OVERRUN)
/zebra/rt_netlink.c: 2481 in netlink_request_nexthop()
2475 memset(&req, 0, sizeof(req));
2476 req.n.nlmsg_type = type;
2477 req.n.nlmsg_flags = NLM_F_ROOT | NLM_F_MATCH | NLM_F_REQUEST;
2478 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct nhmsg));
2479 req.nhm.nh_family = family;
2480
>>> CID 1487860: Memory - corruptions (OVERRUN)
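>>> Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 23 using argument "req.n.nlmsg_len" (which evaluates to 24). Note that req.n is one member of the larger req object (line 2479 also sets req.nhm), so triage should confirm whether req's layout places the nhmsg payload directly after the header, in which case the 24-byte length stays inside req.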
2481 return netlink_request(&zns->netlink_cmd, &req.n);
2482 }
2483
2484
2485 /**
2486 * netlink_nexthop_read() - Nexthop read function using netlink interface
** CID 1487859: Null pointer dereferences (NULL_RETURNS)
________________________________________________________________________________________________________
*** CID 1487859: Null pointer dereferences (NULL_RETURNS)
/isisd/isis_zebra.c: 97 in isis_zebra_if_address_add()
91 if (p->family == AF_INET)
92 zlog_debug("connected IP address %s", buf);
93 if (p->family == AF_INET6)
94 zlog_debug("connected IPv6 address %s", buf);
95 #endif /* EXTREME_DEBUG */
96 if (if_is_operative(c->ifp))
>>> CID 1487859: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "circuit_scan_by_ifp(c->ifp)" when calling "isis_circuit_add_addr".
97 isis_circuit_add_addr(circuit_scan_by_ifp(c->ifp), c);
98
99 return 0;
100 }
101
102 static int isis_zebra_if_address_del(ZAPI_CALLBACK_ARGS)
** CID 1487858: Memory - illegal accesses (USE_AFTER_FREE)
/ospfd/ospf_interface.c: 908 in ospf_vl_if_delete()
________________________________________________________________________________________________________
*** CID 1487858: Memory - illegal accesses (USE_AFTER_FREE)
/ospfd/ospf_interface.c: 908 in ospf_vl_if_delete()
902
903 static void ospf_vl_if_delete(struct ospf_vl_data *vl_data)
904 {
905 vl_data->vl_oi->address->u.prefix4.s_addr = 0;
906 vl_data->vl_oi->address->prefixlen = 0;
907 ospf_if_free(vl_data->vl_oi);
>>> CID 1487858: Memory - illegal accesses (USE_AFTER_FREE)
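>>> Dereferencing freed pointer "vl_data->vl_oi". Line 907 passes vl_data->vl_oi to ospf_if_free(), and line 908 then forms &vl_data->vl_oi->ifp from that same pointer; saving the ifp pointer in a local before the free and passing the local's address to if_delete() would avoid touching the freed object.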
908 if_delete(&vl_data->vl_oi->ifp);
909 vlink_count--;
910 }
911
912 /* for a defined area, count the number of configured vl
913 */
** CID 20290: Control flow issues (MISSING_BREAK)
/lib/command_parse.c: 1001 in yytnamerr()
________________________________________________________________________________________________________
*** CID 20290: Control flow issues (MISSING_BREAK)
/lib/command_parse.c: 1001 in yytnamerr()
995 switch (*++yyp)
996 {
997 case '\'':
998 case ',':
999 goto do_not_strip_quotes;
1000
>>> CID 20290: Control flow issues (MISSING_BREAK)
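>>> The case for value "'\\'" is not terminated by a 'break' statement. In the lines shown, both branches of the if/else on lines 1002-1005 end in a goto, so control does not fall through from this case; command_parse.c appears to be Bison-generated output (yytnamerr), so this is a candidate for dismissal or for excluding generated files from the scan rather than hand-editing.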
1001 case '\\':
1002 if (*++yyp != '\\')
1003 goto do_not_strip_quotes;
1004 else
1005 goto append;
1006
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRa7dJ8klHLUFWVd2fqpS-2B-2FHaN43B-2FQ11ntcKmbKat2WeDU1AdI-2FBBrnda9ub5tlg3U-3D_d-2Fi2nRutHp-2FDWtw8JRg-2Bc1m9CS4-2B5uVbodfDyLsp-2FJn3ugF-2B8pAZyIvgWnVhd8y4bFby4DJr-2FUavUuNAFw0pEPJ25yBuFxwRz-2B-2FIiM1uqu9ZTcWIyoaKA3PQrQCjC-2BQkKfhWNFRj0we3oS4E5e37R1Qi6DJ05XXp19WCvcpLp2IDmiRv-2FcpaXlsWYxVmbPMAlFYtDoBJ2tzCvyYFDxYjsw-3D-3D