[dev] New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Tue Sep 3 19:25:50 EDT 2019
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
16 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
21 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
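Showing 16 of 16 defect(s): 14 USE_AFTER_FREE (13 of them flagged at ALL_LSDB loops in ospf6d, where "ospf6_lsdb_next" is reported to dereference the freed "lsa"), 1 MISSING_COMMA and 1 NULL_RETURNS.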
** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 480 in seqnumber_mismatch()
474 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT);
475 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT);
476 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT);
477
478 ospf6_lsdb_remove_all(on->summary_list);
479 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486267: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
480 for (ALL_LSDB(on->retrans_list, lsa)) {
481 ospf6_decrement_retrans_count(lsa);
482 ospf6_lsdb_remove(lsa, on->retrans_list);
483 }
484
485 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486266: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486266: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2315 in ospf6_lsack_send_neighbor()
2309
2310 memset(sendbuf, 0, iobuflen);
2311 oh = (struct ospf6_header *)sendbuf;
2312
2313 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
2314
>>> CID 1486266: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2315 for (ALL_LSDB(on->lsack_list, lsa)) {
2316 /* MTU check */
2317 if (p - sendbuf + sizeof(struct ospf6_lsa_header)
2318 > ospf6_packet_max(on->ospf6_if)) {
2319 /* if we run out of packet size/space here,
2320 better to try again soon. */
** CID 1486265: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486265: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2231 in ospf6_lsupdate_send_interface()
2225 lsupdate = (struct ospf6_lsupdate *)((caddr_t)oh
2226 + sizeof(struct ospf6_header));
2227
2228 p = (uint8_t *)((caddr_t)lsupdate + sizeof(struct ospf6_lsupdate));
2229 lsa_cnt = 0;
2230
>>> CID 1486265: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2231 for (ALL_LSDB(oi->lsupdate_list, lsa)) {
2232 /* MTU check */
2233 if ((p - sendbuf + ((unsigned int)OSPF6_LSA_SIZE(lsa->header)))
2234 > ospf6_packet_max(oi)) {
2235 if (lsa_cnt) {
2236 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
** CID 1486264: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486264: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_lsdb.c: 306 in ospf6_lsdb_remove_all()
300 {
301 struct ospf6_lsa *lsa;
302
303 if (lsdb == NULL)
304 return;
305
>>> CID 1486264: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
306 for (ALL_LSDB(lsdb, lsa))
307 ospf6_lsdb_remove(lsa, lsdb);
308 }
309
310 void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa)
311 {
** CID 1486263: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486263: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 119 in ospf6_neighbor_delete()
113 void ospf6_neighbor_delete(struct ospf6_neighbor *on)
114 {
115 struct ospf6_lsa *lsa;
116
117 ospf6_lsdb_remove_all(on->summary_list);
118 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486263: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
119 for (ALL_LSDB(on->retrans_list, lsa)) {
120 ospf6_decrement_retrans_count(lsa);
121 ospf6_lsdb_remove(lsa, on->retrans_list);
122 }
123
124 ospf6_lsdb_remove_all(on->dbdesc_list);
** CID 1486262: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486262: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1879 in ospf6_dbdesc_send_newone()
1873 ospf6_lsdb_remove_all(on->dbdesc_list);
1874
1875 /* move LSAs from summary_list to dbdesc_list (within neighbor
1876 structure)
1877 so that ospf6_send_dbdesc () can send those LSAs */
1878 size = sizeof(struct ospf6_lsa_header) + sizeof(struct ospf6_dbdesc);
>>> CID 1486262: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
1879 for (ALL_LSDB(on->summary_list, lsa)) {
1880 if (size + sizeof(struct ospf6_lsa_header)
1881 > ospf6_packet_max(on->ospf6_if)) {
1882 ospf6_lsdb_lsa_unlock(lsa);
1883 break;
1884 }
** CID 1486261: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486261: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 517 in bad_lsreq()
511 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT);
512 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT);
513 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT);
514
515 ospf6_lsdb_remove_all(on->summary_list);
516 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486261: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
517 for (ALL_LSDB(on->retrans_list, lsa)) {
518 ospf6_decrement_retrans_count(lsa);
519 ospf6_lsdb_remove(lsa, on->retrans_list);
520 }
521
522 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486260: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486260: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 304 in negotiation_done()
298 if (IS_OSPF6_DEBUG_NEIGHBOR(EVENT))
299 zlog_debug("Neighbor Event %s: *NegotiationDone*", on->name);
300
301 /* clear ls-list */
302 ospf6_lsdb_remove_all(on->summary_list);
303 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486260: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
304 for (ALL_LSDB(on->retrans_list, lsa)) {
305 ospf6_decrement_retrans_count(lsa);
306 ospf6_lsdb_remove(lsa, on->retrans_list);
307 }
308
309 /* Interface scoped LSAs */
** CID 1486259: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486259: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_lsdb.c: 324 in ospf6_lsdb_maxage_remover()
318
319 int ospf6_lsdb_maxage_remover(struct ospf6_lsdb *lsdb)
320 {
321 int reschedule = 0;
322 struct ospf6_lsa *lsa;
323
>>> CID 1486259: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
324 for (ALL_LSDB(lsdb, lsa)) {
325 if (!OSPF6_LSA_IS_MAXAGE(lsa))
326 continue;
327 if (lsa->retrans_count != 0) {
328 reschedule = 1;
329 continue;
** CID 1486258: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486258: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2394 in ospf6_lsack_send_interface()
2388
2389 memset(sendbuf, 0, iobuflen);
2390 oh = (struct ospf6_header *)sendbuf;
2391
2392 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
2393
>>> CID 1486258: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2394 for (ALL_LSDB(oi->lsack_list, lsa)) {
2395 /* MTU check */
2396 if (p - sendbuf + sizeof(struct ospf6_lsa_header)
2397 > ospf6_packet_max(oi)) {
2398 /* if we run out of packet size/space here,
2399 better to try again soon. */
** CID 1486257: Incorrect expression (MISSING_COMMA)
/bgpd/bgp_fsm.c: 551 in ()
________________________________________________________________________________________________________
*** CID 1486257: Incorrect expression (MISSING_COMMA)
/bgpd/bgp_fsm.c: 551 in ()
545 "Passive config change",
546 "Multihop config change",
547 "NSF peer closed the session",
548 "Intf peering v6only config change",
549 "BFD down received",
550 "Interface down",
>>> CID 1486257: Incorrect expression (MISSING_COMMA)
>>> In the initialization of "peer_down_str", a suspicious concatenated string ""Neighbor address lostWaiting for NHT"" is produced due to a missing comma between lines.
551 "Neighbor address lost"
552 "Waiting for NHT",
553 "Waiting for Peer IPv6 Addr",
554 "Waiting for VRF to be initialized"};
555
556 static int bgp_graceful_restart_timer_expire(struct thread *thread)
** CID 1486256: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486256: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2047 in ospf6_lsupdate_send_neighbor()
2041
2042 p = (uint8_t *)((caddr_t)lsupdate + sizeof(struct ospf6_lsupdate));
2043 lsa_cnt = 0;
2044
2045 /* lsupdate_list lists those LSA which doesn't need to be
2046 retransmitted. remove those from the list */
>>> CID 1486256: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2047 for (ALL_LSDB(on->lsupdate_list, lsa)) {
2048 /* MTU check */
2049 if ((p - sendbuf + (unsigned int)OSPF6_LSA_SIZE(lsa->header))
2050 > ospf6_packet_max(on->ospf6_if)) {
2051 if (lsa_cnt) {
2052 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
** CID 1486255: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486255: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 552 in oneway_received()
546 ospf6_neighbor_state_change(OSPF6_NEIGHBOR_INIT, on,
547 OSPF6_NEIGHBOR_EVENT_ONEWAY_RCVD);
548 thread_add_event(master, neighbor_change, on->ospf6_if, 0, NULL);
549
550 ospf6_lsdb_remove_all(on->summary_list);
551 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486255: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
552 for (ALL_LSDB(on->retrans_list, lsa)) {
553 ospf6_decrement_retrans_count(lsa);
554 ospf6_lsdb_remove(lsa, on->retrans_list);
555 }
556
557 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486254: Null pointer dereferences (NULL_RETURNS)
________________________________________________________________________________________________________
*** CID 1486254: Null pointer dereferences (NULL_RETURNS)
/eigrpd/eigrpd.c: 162 in eigrp_new()
156
157 /* init internal data structures */
158 eigrp->eiflist = list_new();
159 eigrp->passive_interface_default = EIGRP_IF_ACTIVE;
160 eigrp->networks = eigrp_topology_new();
161
>>> CID 1486254: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "vrf_lookup_by_id(vrf_id)" when calling "eigrp_sock_init".
162 eigrp->fd = eigrp_sock_init(vrf_lookup_by_id(vrf_id));
163
164 if (eigrp->fd < 0) {
165 flog_err_sys(
166 EC_LIB_SOCKET,
167 "eigrp_new: fatal error: eigrp_sock_init was unable to open a socket");
** CID 1486253: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486253: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 449 in adj_ok()
443
444 } else if (on->state >= OSPF6_NEIGHBOR_EXSTART && !need_adjacency(on)) {
445 ospf6_neighbor_state_change(OSPF6_NEIGHBOR_TWOWAY, on,
446 OSPF6_NEIGHBOR_EVENT_ADJ_OK);
447 ospf6_lsdb_remove_all(on->summary_list);
448 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486253: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
449 for (ALL_LSDB(on->retrans_list, lsa)) {
450 ospf6_decrement_retrans_count(lsa);
451 ospf6_lsdb_remove(lsa, on->retrans_list);
452 }
453 }
454
** CID 1221460: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1221460: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1957 in ospf6_lsreq_send()
1951 }
1952
1953 if (last_req != NULL) {
1954 if (on->last_ls_req != NULL) {
1955 ospf6_lsa_unlock(on->last_ls_req);
1956 }
>>> CID 1221460: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
1957 ospf6_lsa_lock(last_req);
1958 on->last_ls_req = last_req;
1959 }
1960
1961 oh->type = OSPF6_MESSAGE_TYPE_LSREQ;
1962 oh->length = htons(p - sendbuf);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRa7dJ8klHLUFWVd2fqpS-2B-2FHaN43B-2FQ11ntcKmbKat2WeDU1AdI-2FBBrnda9ub5tlg3U-3D_d-2Fi2nRutHp-2FDWtw8JRg-2Bc1m9CS4-2B5uVbodfDyLsp-2FJmkVGVubFmYGqACeptvkF8CMDf6w2tvIAXUwkxlGHtu0o-2BEiyWmHBFD-2Baa12VXkagJBk3b-2BsKrDiSo33ZU2y3cg-2FcJ2emv6LLo6rNFmMBPLHfQ02YQPJS3fJ9iy4jF45g2j7Do0Y2IS3wiNd5QMeqGieKFatJ0ZlIByv1JNwZcSGg-3D-3D