New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
Mon Oct 14 08:53:42 EDT 2019
Hi,
Please find below the latest report on the new defect(s) that Coverity Scan found introduced in freerangerouting/frr.
15 new defect(s) introduced in freerangerouting/frr were found by Coverity Scan.
17 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 15 of 15 defect(s)
** CID 1487027: Uninitialized variables (UNINIT)
/zebra/zebra_mlag_private.c: 195 in zebra_mlag_connect()
________________________________________________________________________________________________________
*** CID 1487027: Uninitialized variables (UNINIT)
/zebra/zebra_mlag_private.c: 195 in zebra_mlag_connect()
189 return 0;
190 }
191 len = sizeof(struct ucred);
192 ucred.pid = getpid();
193
194 set_nonblocking(mlag_socket);
>>> CID 1487027: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ucred". Field "ucred.uid" is uninitialized when calling "setsockopt".
195 setsockopt(mlag_socket, SOL_SOCKET, SO_PEERCRED, &ucred, len);
196
197 if (IS_ZEBRA_DEBUG_MLAG)
198 zlog_debug("%s: Connection with MLAG is established ",
199 __func__);
200
** CID 1487026: (TAINTED_SCALAR)
/zebra/zebra_mlag_private.c: 126 in zebra_mlag_read()
/zebra/zebra_mlag_private.c: 126 in zebra_mlag_read()
________________________________________________________________________________________________________
*** CID 1487026: (TAINTED_SCALAR)
/zebra/zebra_mlag_private.c: 126 in zebra_mlag_read()
120 /* This will be the actual length of the packet */
121 tot_len = h_msglen + ZEBRA_MLAG_LEN_SIZE;
122
123 if (curr_len < tot_len) {
124 ssize_t data_len;
125
>>> CID 1487026: (TAINTED_SCALAR)
>>> Passing tainted variable "tot_len - curr_len" to a tainted sink.
126 data_len = read(mlag_socket, mlag_rd_buffer + curr_len,
127 tot_len - curr_len);
128 if (data_len == 0 || data_len == -1) {
129 if (IS_ZEBRA_DEBUG_MLAG)
130 zlog_debug("MLAG connection closed socket : %d",
131 mlag_socket);
/zebra/zebra_mlag_private.c: 126 in zebra_mlag_read()
120 /* This will be the actual length of the packet */
121 tot_len = h_msglen + ZEBRA_MLAG_LEN_SIZE;
122
123 if (curr_len < tot_len) {
124 ssize_t data_len;
125
>>> CID 1487026: (TAINTED_SCALAR)
>>> Passing tainted variable "tot_len - curr_len" to a tainted sink.
126 data_len = read(mlag_socket, mlag_rd_buffer + curr_len,
127 tot_len - curr_len);
128 if (data_len == 0 || data_len == -1) {
129 if (IS_ZEBRA_DEBUG_MLAG)
130 zlog_debug("MLAG connection closed socket : %d",
131 mlag_socket);
/zebra/zebra_mlag_private.c: 146 in zebra_mlag_read()
140 }
141 }
142
143 if (IS_ZEBRA_DEBUG_MLAG) {
144 zlog_debug("Received a MLAG Message from socket: %d, len:%u ",
145 mlag_socket, tot_len);
>>> CID 1487026: (TAINTED_SCALAR)
>>> Passing tainted variable "tot_len" to a tainted sink.
146 zlog_hexdump(mlag_rd_buffer, tot_len);
147 }
148
149 tot_len -= ZEBRA_MLAG_LEN_SIZE;
150
151 /* Process the packet */
/zebra/zebra_mlag_private.c: 146 in zebra_mlag_read()
140 }
141 }
142
143 if (IS_ZEBRA_DEBUG_MLAG) {
144 zlog_debug("Received a MLAG Message from socket: %d, len:%u ",
145 mlag_socket, tot_len);
>>> CID 1487026: (TAINTED_SCALAR)
>>> Passing tainted variable "tot_len" to a tainted sink.
146 zlog_hexdump(mlag_rd_buffer, tot_len);
147 }
148
149 tot_len -= ZEBRA_MLAG_LEN_SIZE;
150
151 /* Process the packet */
** CID 1487025: (CHECKED_RETURN)
/bgpd/bgp_bmp.c: 1310 in bmp_open()
/bgpd/bgp_bmp.c: 1311 in bmp_open()
________________________________________________________________________________________________________
*** CID 1487025: (CHECKED_RETURN)
/bgpd/bgp_bmp.c: 1310 in bmp_open()
1304 zlog_info("bmp[%s] connection refused by access-list", buf);
1305 close(bmp_sock);
1306 return NULL;
1307 }
1308 bt->cnt_accept++;
1309
>>> CID 1487025: (CHECKED_RETURN)
>>> Calling "setsockopt(bmp_sock, 1, 9, &on, 4U)" without checking return value. This library function may fail and return an error code.
1310 setsockopt(bmp_sock, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on));
1311 setsockopt(bmp_sock, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on));
1312
1313 zlog_info("bmp[%s] connection established", buf);
1314
1315 /* Allocate new BMP structure and set up default values. */
/bgpd/bgp_bmp.c: 1311 in bmp_open()
1305 close(bmp_sock);
1306 return NULL;
1307 }
1308 bt->cnt_accept++;
1309
1310 setsockopt(bmp_sock, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on));
>>> CID 1487025: (CHECKED_RETURN)
>>> Calling "setsockopt(bmp_sock, IPPROTO_TCP, 1, &on, 4U)" without checking return value. This library function may fail and return an error code.
1311 setsockopt(bmp_sock, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on));
1312
1313 zlog_info("bmp[%s] connection established", buf);
1314
1315 /* Allocate new BMP structure and set up default values. */
1316 bmp = bmp_new(bt, bmp_sock);
** CID 1487024: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1487024: Null pointer dereferences (FORWARD_NULL)
/bgpd/bgp_route.c: 3212 in bgp_update()
3206
3207 attr_new = bgp_attr_intern(&new_attr);
3208
3209 /* If the update is implicit withdraw. */
3210 if (pi) {
3211 pi->uptime = bgp_clock();
>>> CID 1487024: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "pi->attr" to "attrhash_cmp", which dereferences it.
3212 same_attr = attrhash_cmp(pi->attr, attr_new);
3213
3214 hook_call(bgp_process, bgp, afi, safi, rn, peer, true);
3215
3216 /* Same attribute comes in. */
3217 if (!CHECK_FLAG(pi->flags, BGP_PATH_REMOVED)
** CID 1487023: Error handling issues (CHECKED_RETURN)
/zebra/zebra_mlag_private.c: 195 in zebra_mlag_connect()
________________________________________________________________________________________________________
*** CID 1487023: Error handling issues (CHECKED_RETURN)
/zebra/zebra_mlag_private.c: 195 in zebra_mlag_connect()
189 return 0;
190 }
191 len = sizeof(struct ucred);
192 ucred.pid = getpid();
193
194 set_nonblocking(mlag_socket);
>>> CID 1487023: Error handling issues (CHECKED_RETURN)
>>> Calling "setsockopt(mlag_socket, 1, 17, &ucred, len)" without checking return value. This library function may fail and return an error code.
195 setsockopt(mlag_socket, SOL_SOCKET, SO_PEERCRED, &ucred, len);
196
197 if (IS_ZEBRA_DEBUG_MLAG)
198 zlog_debug("%s: Connection with MLAG is established ",
199 __func__);
200
** CID 1485633: Null pointer dereferences (REVERSE_INULL)
/zebra/zebra_vty.c: 1028 in show_route_all_table_vrf_magic()
________________________________________________________________________________________________________
*** CID 1485633: Null pointer dereferences (REVERSE_INULL)
/zebra/zebra_vty.c: 1028 in show_route_all_table_vrf_magic()
1022 rib_table_info_t *info = route_table_get_info(zrt->table);
1023
1024 if (zvrf && zvrf != info->zvrf)
1025 continue;
1026 if (zrt->afi != afi || zrt->safi != SAFI_UNICAST)
1027 continue;
>>> CID 1485633: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "zrt->table" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1028 if (zrt->table)
1029 do_show_route_helper(vty, info->zvrf, zrt->table, afi,
1030 false, 0, false, false,
1031 0, 0, !!json, zrt->tableid);
1032 }
1033 return CMD_SUCCESS;
** CID 1482189: (VARARGS)
/lib/printf/glue.c: 106 in vasnprintfrr()
/lib/printf/glue.c: 116 in vasnprintfrr()
________________________________________________________________________________________________________
*** CID 1482189: (VARARGS)
/lib/printf/glue.c: 106 in vasnprintfrr()
100 char *ret = out;
101
102 va_copy(ap2, ap);
103 len = vbprintfrr(&fb, fmt, ap);
104 if (len < 0)
105 /* error = malformed format string => try something useful */
>>> CID 1482189: (VARARGS)
>>> va_end was not called for "ap2".
106 return qstrdup(mt, fmt);
107
108 if ((size_t)len >= outsz - 1) {
109 ret = qmalloc(mt, len + 1);
110 fb.buf = fb.pos = ret;
111 fb.len = len;
/lib/printf/glue.c: 116 in vasnprintfrr()
110 fb.buf = fb.pos = ret;
111 fb.len = len;
112
113 vbprintfrr(&fb, fmt, ap2);
114 }
115 ret[len] = '\0';
>>> CID 1482189: (VARARGS)
>>> va_end was not called for "ap2".
116 return ret;
117 }
118
119 char *asnprintfrr(struct memtype *mt, char *out, size_t outsz, const char *fmt,
120 ...)
121 {
** CID 1482185: (USE_AFTER_FREE)
/isisd/isis_pdu.c: 398 in process_p2p_hello()
/isisd/isis_pdu.c: 398 in process_p2p_hello()
/isisd/isis_pdu.c: 398 in process_p2p_hello()
/isisd/isis_pdu.c: 398 in process_p2p_hello()
/isisd/isis_pdu.c: 398 in process_p2p_hello()
/isisd/isis_pdu.c: 398 in process_p2p_hello()
/isisd/isis_pdu.c: 398 in process_p2p_hello()
________________________________________________________________________________________________________
*** CID 1482185: (USE_AFTER_FREE)
/isisd/isis_pdu.c: 398 in process_p2p_hello()
392 }
393 } else {
394 /* down - area mismatch */
395 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
396 }
397
>>> CID 1482185: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "adj".
398 if (adj->adj_state == ISIS_ADJ_UP && changed) {
399 lsp_regenerate_schedule(adj->circuit->area,
400 isis_adj_usage2levels(adj->adj_usage),
401 0);
402 }
403
/isisd/isis_pdu.c: 398 in process_p2p_hello()
392 }
393 } else {
394 /* down - area mismatch */
395 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
396 }
397
>>> CID 1482185: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "adj".
398 if (adj->adj_state == ISIS_ADJ_UP && changed) {
399 lsp_regenerate_schedule(adj->circuit->area,
400 isis_adj_usage2levels(adj->adj_usage),
401 0);
402 }
403
/isisd/isis_pdu.c: 398 in process_p2p_hello()
392 }
393 } else {
394 /* down - area mismatch */
395 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
396 }
397
>>> CID 1482185: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "adj".
398 if (adj->adj_state == ISIS_ADJ_UP && changed) {
399 lsp_regenerate_schedule(adj->circuit->area,
400 isis_adj_usage2levels(adj->adj_usage),
401 0);
402 }
403
/isisd/isis_pdu.c: 398 in process_p2p_hello()
392 }
393 } else {
394 /* down - area mismatch */
395 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
396 }
397
>>> CID 1482185: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "adj".
398 if (adj->adj_state == ISIS_ADJ_UP && changed) {
399 lsp_regenerate_schedule(adj->circuit->area,
400 isis_adj_usage2levels(adj->adj_usage),
401 0);
402 }
403
/isisd/isis_pdu.c: 398 in process_p2p_hello()
392 }
393 } else {
394 /* down - area mismatch */
395 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
396 }
397
>>> CID 1482185: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "adj".
398 if (adj->adj_state == ISIS_ADJ_UP && changed) {
399 lsp_regenerate_schedule(adj->circuit->area,
400 isis_adj_usage2levels(adj->adj_usage),
401 0);
402 }
403
/isisd/isis_pdu.c: 398 in process_p2p_hello()
392 }
393 } else {
394 /* down - area mismatch */
395 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
396 }
397
>>> CID 1482185: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "adj".
398 if (adj->adj_state == ISIS_ADJ_UP && changed) {
399 lsp_regenerate_schedule(adj->circuit->area,
400 isis_adj_usage2levels(adj->adj_usage),
401 0);
402 }
403
/isisd/isis_pdu.c: 398 in process_p2p_hello()
392 }
393 } else {
394 /* down - area mismatch */
395 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
396 }
397
>>> CID 1482185: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "adj".
398 if (adj->adj_state == ISIS_ADJ_UP && changed) {
399 lsp_regenerate_schedule(adj->circuit->area,
400 isis_adj_usage2levels(adj->adj_usage),
401 0);
402 }
403
** CID 1482174: Null pointer dereferences (REVERSE_INULL)
/pimd/pim_bsm.c: 293 in pim_bsm_proc_free()
________________________________________________________________________________________________________
*** CID 1482174: Null pointer dereferences (REVERSE_INULL)
/pimd/pim_bsm.c: 293 in pim_bsm_proc_free()
287 bsgrp = rn->info;
288 if (!bsgrp)
289 continue;
290 pim_free_bsgrp_data(bsgrp);
291 }
292
>>> CID 1482174: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "pim->global_scope.bsrp_table" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
293 if (pim->global_scope.bsrp_table)
294 route_table_finish(pim->global_scope.bsrp_table);
295 }
296
297 static bool is_hold_time_elapsed(void *data)
298 {
** CID 1482173: (STRING_NULL)
/watchfrr/watchfrr.c: 636 in handle_read()
/watchfrr/watchfrr.c: 648 in handle_read()
________________________________________________________________________________________________________
*** CID 1482173: (STRING_NULL)
/watchfrr/watchfrr.c: 636 in handle_read()
630 if (rc == 0) {
631 daemon_down(dmn, "read returned EOF");
632 return 0;
633 }
634 if (!dmn->echo_sent.tv_sec) {
635 char why[sizeof(buf) + 100];
>>> CID 1482173: (STRING_NULL)
>>> Passing unterminated string "buf" to "snprintf".
636 snprintf(why, sizeof(why),
637 "unexpected read returns %d bytes: %.*s", (int)rc,
638 (int)rc, buf);
639 daemon_down(dmn, why);
640 return 0;
641 }
/watchfrr/watchfrr.c: 648 in handle_read()
642
643 /* We are expecting an echo response: is there any chance that the
644 response would not be returned entirely in the first read? That
645 seems inconceivable... */
646 if ((rc != sizeof(resp)) || memcmp(buf, resp, sizeof(resp))) {
647 char why[100 + sizeof(buf)];
>>> CID 1482173: (STRING_NULL)
>>> Passing unterminated string "buf" to "snprintf".
648 snprintf(why, sizeof(why),
649 "read returned bad echo response of %d bytes "
650 "(expecting %u): %.*s",
651 (int)rc, (unsigned int)sizeof(resp), (int)rc, buf);
652 daemon_down(dmn, why);
653 return 0;
** CID 1482170: Memory - corruptions (OVERRUN)
/lib/command_parse.c: 1379 in cmd_yyparse()
________________________________________________________________________________________________________
*** CID 1482170: Memory - corruptions (OVERRUN)
/lib/command_parse.c: 1379 in cmd_yyparse()
1373 yyvsp = yyvs + yysize - 1;
1374 yylsp = yyls + yysize - 1;
1375
1376 YYDPRINTF ((stderr, "Stack size increased to %lu\n",
1377 (unsigned long int) yystacksize));
1378
>>> CID 1482170: Memory - corruptions (OVERRUN)
>>> "yyss + yystacksize - 1" evaluates to an address that is at byte offset 19998 of an array of 16 bytes.
1379 if (yyss + yystacksize - 1 <= yyssp)
1380 YYABORT;
1381 }
1382
1383 YYDPRINTF ((stderr, "Entering state %d\n", yystate));
1384
** CID 1482161: (TAINTED_SCALAR)
/ospf6d/ospf6_spf.c: 1031 in ospf6_create_single_router_lsa()
/ospf6d/ospf6_spf.c: 1061 in ospf6_create_single_router_lsa()
________________________________________________________________________________________________________
*** CID 1482161: (TAINTED_SCALAR)
/ospf6d/ospf6_spf.c: 1031 in ospf6_create_single_router_lsa()
1025 * a valid pointer.
1026 */
1027 assert(rtr_lsa);
1028 if (!OSPF6_LSA_IS_MAXAGE(rtr_lsa)) {
1029 /* Append first Link State ID LSA */
1030 lsa_header = (struct ospf6_lsa_header *)rtr_lsa->header;
>>> CID 1482161: (TAINTED_SCALAR)
>>> Passing tainted variable "ntohs(lsa_header->length)" to a tainted sink.
1031 memcpy(new_header, lsa_header, ntohs(lsa_header->length));
1032 /* Assign new lsa length as aggregated length. */
1033 ((struct ospf6_lsa_header *)new_header)->length =
1034 htons(total_lsa_length);
1035 new_header += ntohs(lsa_header->length);
1036 num_lsa--;
/ospf6d/ospf6_spf.c: 1061 in ospf6_create_single_router_lsa()
1055 __PRETTY_FUNCTION__, rtr_lsa->name,
1056 ntohs(lsa_header->length), ifbuf);
1057 }
1058
1059 /* Append Next Link State ID LSA */
1060 lsa_header = (struct ospf6_lsa_header *)rtr_lsa->header;
>>> CID 1482161: (TAINTED_SCALAR)
>>> Passing tainted variable "ntohs(lsa_header->length) - lsa_length" to a tainted sink.
1061 memcpy(new_header, (OSPF6_LSA_HEADER_END(rtr_lsa->header) + 4),
1062 (ntohs(lsa_header->length) - lsa_length));
1063 new_header += (ntohs(lsa_header->length) - lsa_length);
1064 num_lsa--;
1065
1066 rtr_lsa = ospf6_lsdb_next(end, rtr_lsa);
/ospf6d/ospf6_spf.c: 1011 in ospf6_create_single_router_lsa()
1005 zlog_debug("%s: adv_router %s not found in LSDB.",
1006 __PRETTY_FUNCTION__, ifbuf);
1007 return NULL;
1008 }
1009
1010 /* Allocate memory for this LSA */
>>> CID 1482161: (TAINTED_SCALAR)
>>> Passing tainted variable "total_lsa_length" to a tainted sink.
1011 new_header = XMALLOC(MTYPE_OSPF6_LSA_HEADER, total_lsa_length);
1012
1013 /* LSA information structure */
1014 lsa = XCALLOC(MTYPE_OSPF6_LSA, sizeof(struct ospf6_lsa));
1015
1016 lsa->header = (struct ospf6_lsa_header *)new_header;
** CID 1479142: Memory - illegal accesses (OVERRUN)
/zebra/zebra_rib.c: 2191 in rib_meta_queue_add()
________________________________________________________________________________________________________
*** CID 1479142: Memory - illegal accesses (OVERRUN)
/zebra/zebra_rib.c: 2191 in rib_meta_queue_add()
2185 "rn %p is already queued in sub-queue %u",
2186 (void *)rn, qindex);
2187 return;
2188 }
2189
2190 SET_FLAG(rib_dest_from_rnode(rn)->flags, RIB_ROUTE_QUEUED(qindex));
>>> CID 1479142: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "mq->subq" of 5 8-byte elements at element index 5 (byte offset 47) using index "qindex" (which evaluates to 5).
2191 listnode_add(mq->subq[qindex], rn);
2192 route_lock_node(rn);
2193 mq->size++;
2194
2195 if (IS_ZEBRA_DEBUG_RIB_DETAILED)
2196 rnode_debug(rn, re->vrf_id, "queued rn %p into sub-queue %u",
** CID 1475948: Security best practices violations (DC.WEAK_CRYPTO)
/watchfrr/watchfrr.c: 891 in phase_check()
________________________________________________________________________________________________________
*** CID 1475948: Security best practices violations (DC.WEAK_CRYPTO)
/watchfrr/watchfrr.c: 891 in phase_check()
885 return;
886
887 /* startup complete, everything out of INIT */
888 gs.phase = PHASE_NONE;
889 for (dmn = gs.daemons; dmn; dmn = dmn->next)
890 if (dmn->state == DAEMON_DOWN) {
>>> CID 1475948: Security best practices violations (DC.WEAK_CRYPTO)
>>> "random" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
891 SET_WAKEUP_DOWN(dmn);
892 try_restart(dmn);
893 }
894 break;
895 case PHASE_STOPS_PENDING:
896 if (gs.numpids)
** CID 1475944: Security best practices violations (DC.WEAK_CRYPTO)
/watchfrr/watchfrr.c: 583 in restart_done()
________________________________________________________________________________________________________
*** CID 1475944: Security best practices violations (DC.WEAK_CRYPTO)
/watchfrr/watchfrr.c: 583 in restart_done()
577 dmn->name, state_str[dmn->state]);
578 return;
579 }
580 if (dmn->t_wakeup)
581 THREAD_OFF(dmn->t_wakeup);
582 if (try_connect(dmn) < 0)
>>> CID 1475944: Security best practices violations (DC.WEAK_CRYPTO)
>>> "random" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
583 SET_WAKEUP_DOWN(dmn);
584 }
585
586 static void daemon_down(struct daemon *dmn, const char *why)
587 {
588 if (IS_UP(dmn) || (dmn->state == DAEMON_INIT))
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRa7dJ8klHLUFWVd2fqpS-2B-2FHaN43B-2FQ11ntcKmbKat2WeDU1AdI-2FBBrnda9ub5tlg3U-3D_d-2Fi2nRutHp-2FDWtw8JRg-2Bc1m9CS4-2B5uVbodfDyLsp-2FJkJvt9Sf6qCpyeoa8tn-2B23cmECa2Zof4LM4STEZCc8IzSjbzjmSZ9lgs5N7X6mI6M5rNsuhFojsNqsQT0Fy9JUANS46M7mMSuhC-2FEMKChOqSbR4fbyXQ9C8vesRIxTQDEdh1O81ku-2BYlbzdzDIAfd5SjHx-2BRi5nTGfz-2Bc47xrl7sg-3D-3D