New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
Tue Apr 7 07:54:43 EDT 2020
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
16 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
28 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 16 of 16 defect(s)
** CID 1492504: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/bgpd/bgp_routemap.c: 2588 in route_set_ecommunity_lb()
________________________________________________________________________________________________________
*** CID 1492504: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/bgpd/bgp_routemap.c: 2588 in route_set_ecommunity_lb()
2582 } else if (rels->lb_type == RMAP_ECOMM_LB_SET_NUM_MPATH) {
2583
2584 /* process this only for the best path. */
2585 if (!CHECK_FLAG(path->flags, BGP_PATH_SELECTED))
2586 return RMAP_OKAY;
2587
>>> CID 1492504: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "peer->bgp->lb_ref_bw * 1000U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "_uint64_t" (64 bits, unsigned).
2588 bw_bytes = ((uint64_t)(peer->bgp->lb_ref_bw * 1000 * 1000))/8;
2589 mpath_count = bgp_path_info_mpath_count(path) + 1;
2590 bw_bytes *= mpath_count;
2591 }
2592
2593 encode_lb_extcomm(as, bw_bytes, rels->non_trans, &lb_eval);
** CID 1492503: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/bgpd/bgp_routemap.c: 2572 in route_set_ecommunity_lb()
________________________________________________________________________________________________________
*** CID 1492503: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/bgpd/bgp_routemap.c: 2572 in route_set_ecommunity_lb()
2566 if (!peer || !peer->bgp)
2567 return RMAP_ERROR;
2568
2569 /* Build link bandwidth extended community */
2570 as = (peer->bgp->as > BGP_AS_MAX) ? BGP_AS_TRANS : peer->bgp->as;
2571 if (rels->lb_type == RMAP_ECOMM_LB_SET_VALUE) {
>>> CID 1492503: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "rels->bw * 1000U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "_uint64_t" (64 bits, unsigned).
2572 bw_bytes = ((uint64_t)(rels->bw * 1000 * 1000))/8;
2573 } else if (rels->lb_type == RMAP_ECOMM_LB_SET_CUMUL) {
2574 /* process this only for the best path. */
2575 if (!CHECK_FLAG(path->flags, BGP_PATH_SELECTED))
2576 return RMAP_OKAY;
2577
** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 494 in seqnumber_mismatch()
488 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT);
489 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT);
490 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT);
491
492 ospf6_lsdb_remove_all(on->summary_list);
493 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486267: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
494 for (ALL_LSDB(on->retrans_list, lsa)) {
495 ospf6_decrement_retrans_count(lsa);
496 ospf6_lsdb_remove(lsa, on->retrans_list);
497 }
498
499 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486266: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486266: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2343 in ospf6_lsack_send_neighbor()
2337 p = (uint8_t *)((caddr_t)oh
2338 + sizeof(struct ospf6_header));
2339 lsa_cnt = 0;
2340 }
2341 }
2342
>>> CID 1486266: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2343 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay);
2344 memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header));
2345 p += sizeof(struct ospf6_lsa_header);
2346
2347 assert(lsa->lock == 1);
2348 ospf6_lsdb_remove(lsa, on->lsack_list);
/ospf6d/ospf6_message.c: 2343 in ospf6_lsack_send_neighbor()
2337 p = (uint8_t *)((caddr_t)oh
2338 + sizeof(struct ospf6_header));
2339 lsa_cnt = 0;
2340 }
2341 }
2342
>>> CID 1486266: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2343 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay);
2344 memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header));
2345 p += sizeof(struct ospf6_lsa_header);
2346
2347 assert(lsa->lock == 1);
2348 ospf6_lsdb_remove(lsa, on->lsack_list);
** CID 1486265: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2235 in ospf6_lsupdate_send_interface()
/ospf6d/ospf6_message.c: 2235 in ospf6_lsupdate_send_interface()
________________________________________________________________________________________________________
*** CID 1486265: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2235 in ospf6_lsupdate_send_interface()
2229 lsa_cnt = 0;
2230
2231 for (iterend = ospf6_lsdb_head(oi->lsupdate_list, 0, 0, 0, &lsa); lsa;
2232 lsa = lsa_next) {
2233 lsa_next = ospf6_lsdb_next(iterend, lsa);
2234 /* MTU check */
>>> CID 1486265: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2235 if ((p - sendbuf + ((unsigned int)OSPF6_LSA_SIZE(lsa->header)))
2236 > ospf6_packet_max(oi)) {
2237 if (lsa_cnt) {
2238 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
2239 oh->length = htons(p - sendbuf);
2240 lsupdate->lsa_number = htonl(lsa_cnt);
/ospf6d/ospf6_message.c: 2235 in ospf6_lsupdate_send_interface()
2229 lsa_cnt = 0;
2230
2231 for (iterend = ospf6_lsdb_head(oi->lsupdate_list, 0, 0, 0, &lsa); lsa;
2232 lsa = lsa_next) {
2233 lsa_next = ospf6_lsdb_next(iterend, lsa);
2234 /* MTU check */
>>> CID 1486265: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2235 if ((p - sendbuf + ((unsigned int)OSPF6_LSA_SIZE(lsa->header)))
2236 > ospf6_packet_max(oi)) {
2237 if (lsa_cnt) {
2238 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
2239 oh->length = htons(p - sendbuf);
2240 lsupdate->lsa_number = htonl(lsa_cnt);
** CID 1486264: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486264: (USE_AFTER_FREE)
/ospf6d/ospf6_lsdb.c: 310 in ospf6_lsdb_remove_all()
304 if (lsdb == NULL)
305 return;
306
307 for (iterend = ospf6_lsdb_head(lsdb, 0, 0, 0, &lsa); lsa;
308 lsa = lsa_next) {
309 lsa_next = ospf6_lsdb_next(iterend, lsa);
>>> CID 1486264: (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_remove" dereferences freed pointer "lsa".
310 ospf6_lsdb_remove(lsa, lsdb);
311 }
312 }
313
314 void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa)
315 {
/ospf6d/ospf6_lsdb.c: 310 in ospf6_lsdb_remove_all()
304 if (lsdb == NULL)
305 return;
306
307 for (iterend = ospf6_lsdb_head(lsdb, 0, 0, 0, &lsa); lsa;
308 lsa = lsa_next) {
309 lsa_next = ospf6_lsdb_next(iterend, lsa);
>>> CID 1486264: (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_remove" dereferences freed pointer "lsa".
310 ospf6_lsdb_remove(lsa, lsdb);
311 }
312 }
313
314 void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa)
315 {
** CID 1486263: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486263: (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 130 in ospf6_neighbor_delete()
124 ospf6_lsdb_remove_all(on->summary_list);
125 ospf6_lsdb_remove_all(on->request_list);
126
127 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
128 lsa = lsa_next) {
129 lsa_next = ospf6_lsdb_next(iterend, lsa);
>>> CID 1486263: (USE_AFTER_FREE)
>>> Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
130 ospf6_decrement_retrans_count(lsa);
131 ospf6_lsdb_remove(lsa, on->retrans_list);
132 }
133
134 ospf6_lsdb_remove_all(on->dbdesc_list);
135 ospf6_lsdb_remove_all(on->lsupdate_list);
/ospf6d/ospf6_neighbor.c: 130 in ospf6_neighbor_delete()
124 ospf6_lsdb_remove_all(on->summary_list);
125 ospf6_lsdb_remove_all(on->request_list);
126
127 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
128 lsa = lsa_next) {
129 lsa_next = ospf6_lsdb_next(iterend, lsa);
>>> CID 1486263: (USE_AFTER_FREE)
>>> Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
130 ospf6_decrement_retrans_count(lsa);
131 ospf6_lsdb_remove(lsa, on->retrans_list);
132 }
133
134 ospf6_lsdb_remove_all(on->dbdesc_list);
135 ospf6_lsdb_remove_all(on->lsupdate_list);
** CID 1486262: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1879 in ospf6_dbdesc_send_newone()
________________________________________________________________________________________________________
*** CID 1486262: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1883 in ospf6_dbdesc_send_newone()
1877 if (size + sizeof(struct ospf6_lsa_header)
1878 > ospf6_packet_max(on->ospf6_if)) {
1879 ospf6_lsdb_lsa_unlock(lsa);
1880 break;
1881 }
1882
>>> CID 1486262: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_copy" dereferences freed pointer "lsa".
1883 ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list);
1884 ospf6_lsdb_remove(lsa, on->summary_list);
1885 size += sizeof(struct ospf6_lsa_header);
1886 }
1887
1888 if (on->summary_list->count == 0)
/ospf6d/ospf6_message.c: 1879 in ospf6_dbdesc_send_newone()
1873
1874 for (iterend = ospf6_lsdb_head(on->summary_list, 0, 0, 0, &lsa); lsa;
1875 lsa = lsa_next) {
1876 lsa_next = ospf6_lsdb_next(iterend, lsa);
1877 if (size + sizeof(struct ospf6_lsa_header)
1878 > ospf6_packet_max(on->ospf6_if)) {
>>> CID 1486262: (USE_AFTER_FREE)
>>> Passing freed pointer "lsa" as an argument to "ospf6_lsdb_lsa_unlock".
1879 ospf6_lsdb_lsa_unlock(lsa);
1880 break;
1881 }
1882
1883 ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list);
1884 ospf6_lsdb_remove(lsa, on->summary_list);
/ospf6d/ospf6_message.c: 1879 in ospf6_dbdesc_send_newone()
1873
1874 for (iterend = ospf6_lsdb_head(on->summary_list, 0, 0, 0, &lsa); lsa;
1875 lsa = lsa_next) {
1876 lsa_next = ospf6_lsdb_next(iterend, lsa);
1877 if (size + sizeof(struct ospf6_lsa_header)
1878 > ospf6_packet_max(on->ospf6_if)) {
>>> CID 1486262: (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed.
1879 ospf6_lsdb_lsa_unlock(lsa);
1880 break;
1881 }
1882
1883 ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list);
1884 ospf6_lsdb_remove(lsa, on->summary_list);
/ospf6d/ospf6_message.c: 1883 in ospf6_dbdesc_send_newone()
1877 if (size + sizeof(struct ospf6_lsa_header)
1878 > ospf6_packet_max(on->ospf6_if)) {
1879 ospf6_lsdb_lsa_unlock(lsa);
1880 break;
1881 }
1882
>>> CID 1486262: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_copy" dereferences freed pointer "lsa".
1883 ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list);
1884 ospf6_lsdb_remove(lsa, on->summary_list);
1885 size += sizeof(struct ospf6_lsa_header);
1886 }
1887
1888 if (on->summary_list->count == 0)
/ospf6d/ospf6_message.c: 1879 in ospf6_dbdesc_send_newone()
1873
1874 for (iterend = ospf6_lsdb_head(on->summary_list, 0, 0, 0, &lsa); lsa;
1875 lsa = lsa_next) {
1876 lsa_next = ospf6_lsdb_next(iterend, lsa);
1877 if (size + sizeof(struct ospf6_lsa_header)
1878 > ospf6_packet_max(on->ospf6_if)) {
>>> CID 1486262: (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed.
1879 ospf6_lsdb_lsa_unlock(lsa);
1880 break;
1881 }
1882
1883 ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list);
1884 ospf6_lsdb_remove(lsa, on->summary_list);
** CID 1486261: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486261: (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 536 in bad_lsreq()
530 ospf6_lsdb_remove_all(on->summary_list);
531 ospf6_lsdb_remove_all(on->request_list);
532
533 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
534 lsa = lsa_next) {
535 lsa_next = ospf6_lsdb_next(iterend, lsa);
>>> CID 1486261: (USE_AFTER_FREE)
>>> Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
536 ospf6_decrement_retrans_count(lsa);
537 ospf6_lsdb_remove(lsa, on->retrans_list);
538 }
539
540 THREAD_OFF(on->thread_send_dbdesc);
541 on->dbdesc_seqnum++; /* Incr seqnum as per RFC2328, sec 10.3 */
/ospf6d/ospf6_neighbor.c: 536 in bad_lsreq()
530 ospf6_lsdb_remove_all(on->summary_list);
531 ospf6_lsdb_remove_all(on->request_list);
532
533 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
534 lsa = lsa_next) {
535 lsa_next = ospf6_lsdb_next(iterend, lsa);
>>> CID 1486261: (USE_AFTER_FREE)
>>> Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
536 ospf6_decrement_retrans_count(lsa);
537 ospf6_lsdb_remove(lsa, on->retrans_list);
538 }
539
540 THREAD_OFF(on->thread_send_dbdesc);
541 on->dbdesc_seqnum++; /* Incr seqnum as per RFC2328, sec 10.3 */
** CID 1486260: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486260: (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 319 in negotiation_done()
313 ospf6_lsdb_remove_all(on->summary_list);
314 ospf6_lsdb_remove_all(on->request_list);
315
316 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
317 lsa = lsa_next) {
318 lsa_next = ospf6_lsdb_next(iterend, lsa);
>>> CID 1486260: (USE_AFTER_FREE)
>>> Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
319 ospf6_decrement_retrans_count(lsa);
320 ospf6_lsdb_remove(lsa, on->retrans_list);
321 }
322
323 /* Interface scoped LSAs */
324 for (ALL_LSDB(on->ospf6_if->lsdb, lsa)) {
/ospf6d/ospf6_neighbor.c: 319 in negotiation_done()
313 ospf6_lsdb_remove_all(on->summary_list);
314 ospf6_lsdb_remove_all(on->request_list);
315
316 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
317 lsa = lsa_next) {
318 lsa_next = ospf6_lsdb_next(iterend, lsa);
>>> CID 1486260: (USE_AFTER_FREE)
>>> Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
319 ospf6_decrement_retrans_count(lsa);
320 ospf6_lsdb_remove(lsa, on->retrans_list);
321 }
322
323 /* Interface scoped LSAs */
324 for (ALL_LSDB(on->ospf6_if->lsdb, lsa)) {
** CID 1486259: (USE_AFTER_FREE)
/ospf6d/ospf6_lsdb.c: 332 in ospf6_lsdb_maxage_remover()
/ospf6d/ospf6_lsdb.c: 332 in ospf6_lsdb_maxage_remover()
________________________________________________________________________________________________________
*** CID 1486259: (USE_AFTER_FREE)
/ospf6d/ospf6_lsdb.c: 332 in ospf6_lsdb_maxage_remover()
326 struct ospf6_lsa *lsa, *lsa_next;
327 const struct route_node *iterend;
328
329 for (iterend = ospf6_lsdb_head(lsdb, 0, 0, 0, &lsa); lsa;
330 lsa = lsa_next) {
331 lsa_next = ospf6_lsdb_next(iterend, lsa);
>>> CID 1486259: (USE_AFTER_FREE)
>>> Passing freed pointer "lsa" as an argument to "ospf6_lsa_age_current".
332 if (!OSPF6_LSA_IS_MAXAGE(lsa))
333 continue;
334 if (lsa->retrans_count != 0) {
335 reschedule = 1;
336 continue;
337 }
/ospf6d/ospf6_lsdb.c: 332 in ospf6_lsdb_maxage_remover()
326 struct ospf6_lsa *lsa, *lsa_next;
327 const struct route_node *iterend;
328
329 for (iterend = ospf6_lsdb_head(lsdb, 0, 0, 0, &lsa); lsa;
330 lsa = lsa_next) {
331 lsa_next = ospf6_lsdb_next(iterend, lsa);
>>> CID 1486259: (USE_AFTER_FREE)
>>> Passing freed pointer "lsa" as an argument to "ospf6_lsa_age_current".
332 if (!OSPF6_LSA_IS_MAXAGE(lsa))
333 continue;
334 if (lsa->retrans_count != 0) {
335 reschedule = 1;
336 continue;
337 }
** CID 1486258: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2411 in ospf6_lsack_send_interface()
________________________________________________________________________________________________________
*** CID 1486258: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2411 in ospf6_lsack_send_interface()
2405 /* if we run out of packet size/space here,
2406 better to try again soon. */
2407 THREAD_OFF(oi->thread_send_lsack);
2408 thread_add_event(master, ospf6_lsack_send_interface, oi,
2409 0, &oi->thread_send_lsack);
2410
>>> CID 1486258: (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed.
2411 ospf6_lsdb_lsa_unlock(lsa);
2412 break;
2413 }
2414
2415 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2416 memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header));
/ospf6d/ospf6_message.c: 2415 in ospf6_lsack_send_interface()
2409 0, &oi->thread_send_lsack);
2410
2411 ospf6_lsdb_lsa_unlock(lsa);
2412 break;
2413 }
2414
>>> CID 1486258: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2415 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2416 memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header));
2417 p += sizeof(struct ospf6_lsa_header);
2418
2419 assert(lsa->lock == 1);
2420 ospf6_lsdb_remove(lsa, oi->lsack_list);
/ospf6d/ospf6_message.c: 2411 in ospf6_lsack_send_interface()
2405 /* if we run out of packet size/space here,
2406 better to try again soon. */
2407 THREAD_OFF(oi->thread_send_lsack);
2408 thread_add_event(master, ospf6_lsack_send_interface, oi,
2409 0, &oi->thread_send_lsack);
2410
>>> CID 1486258: (USE_AFTER_FREE)
>>> Passing freed pointer "lsa" as an argument to "ospf6_lsdb_lsa_unlock".
2411 ospf6_lsdb_lsa_unlock(lsa);
2412 break;
2413 }
2414
2415 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2416 memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header));
/ospf6d/ospf6_message.c: 2415 in ospf6_lsack_send_interface()
2409 0, &oi->thread_send_lsack);
2410
2411 ospf6_lsdb_lsa_unlock(lsa);
2412 break;
2413 }
2414
>>> CID 1486258: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2415 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2416 memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header));
2417 p += sizeof(struct ospf6_lsa_header);
2418
2419 assert(lsa->lock == 1);
2420 ospf6_lsdb_remove(lsa, oi->lsack_list);
** CID 1486256: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2049 in ospf6_lsupdate_send_neighbor()
/ospf6d/ospf6_message.c: 2049 in ospf6_lsupdate_send_neighbor()
________________________________________________________________________________________________________
*** CID 1486256: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2049 in ospf6_lsupdate_send_neighbor()
2043 /* lsupdate_list lists those LSA which doesn't need to be
2044 retransmitted. remove those from the list */
2045 for (iterend = ospf6_lsdb_head(on->lsupdate_list, 0, 0, 0, &lsa); lsa;
2046 lsa = lsa_next) {
2047 lsa_next = ospf6_lsdb_next(iterend, lsa);
2048 /* MTU check */
>>> CID 1486256: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2049 if ((p - sendbuf + (unsigned int)OSPF6_LSA_SIZE(lsa->header))
2050 > ospf6_packet_max(on->ospf6_if)) {
2051 if (lsa_cnt) {
2052 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
2053 oh->length = htons(p - sendbuf);
2054 lsupdate->lsa_number = htonl(lsa_cnt);
/ospf6d/ospf6_message.c: 2049 in ospf6_lsupdate_send_neighbor()
2043 /* lsupdate_list lists those LSA which doesn't need to be
2044 retransmitted. remove those from the list */
2045 for (iterend = ospf6_lsdb_head(on->lsupdate_list, 0, 0, 0, &lsa); lsa;
2046 lsa = lsa_next) {
2047 lsa_next = ospf6_lsdb_next(iterend, lsa);
2048 /* MTU check */
>>> CID 1486256: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2049 if ((p - sendbuf + (unsigned int)OSPF6_LSA_SIZE(lsa->header))
2050 > ospf6_packet_max(on->ospf6_if)) {
2051 if (lsa_cnt) {
2052 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
2053 oh->length = htons(p - sendbuf);
2054 lsupdate->lsa_number = htonl(lsa_cnt);
** CID 1486255: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486255: (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 574 in oneway_received()
568
569 ospf6_lsdb_remove_all(on->summary_list);
570 ospf6_lsdb_remove_all(on->request_list);
571 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
572 lsa = lsa_next) {
573 lsa_next = ospf6_lsdb_next(iterend, lsa);
>>> CID 1486255: (USE_AFTER_FREE)
>>> Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
574 ospf6_decrement_retrans_count(lsa);
575 ospf6_lsdb_remove(lsa, on->retrans_list);
576 }
577
578 THREAD_OFF(on->thread_send_dbdesc);
579 THREAD_OFF(on->thread_send_lsreq);
/ospf6d/ospf6_neighbor.c: 574 in oneway_received()
568
569 ospf6_lsdb_remove_all(on->summary_list);
570 ospf6_lsdb_remove_all(on->request_list);
571 for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
572 lsa = lsa_next) {
573 lsa_next = ospf6_lsdb_next(iterend, lsa);
>>> CID 1486255: (USE_AFTER_FREE)
>>> Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
574 ospf6_decrement_retrans_count(lsa);
575 ospf6_lsdb_remove(lsa, on->retrans_list);
576 }
577
578 THREAD_OFF(on->thread_send_dbdesc);
579 THREAD_OFF(on->thread_send_lsreq);
** CID 1486253: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486253: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 463 in adj_ok()
457
458 } else if (on->state >= OSPF6_NEIGHBOR_EXSTART && !need_adjacency(on)) {
459 ospf6_neighbor_state_change(OSPF6_NEIGHBOR_TWOWAY, on,
460 OSPF6_NEIGHBOR_EVENT_ADJ_OK);
461 ospf6_lsdb_remove_all(on->summary_list);
462 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486253: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
463 for (ALL_LSDB(on->retrans_list, lsa)) {
464 ospf6_decrement_retrans_count(lsa);
465 ospf6_lsdb_remove(lsa, on->retrans_list);
466 }
467 }
468
** CID 1221460: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1221460: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1954 in ospf6_lsreq_send()
1948 }
1949
1950 if (last_req != NULL) {
1951 if (on->last_ls_req != NULL) {
1952 ospf6_lsa_unlock(on->last_ls_req);
1953 }
>>> CID 1221460: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
1954 ospf6_lsa_lock(last_req);
1955 on->last_ls_req = last_req;
1956 }
1957
1958 oh->type = OSPF6_MESSAGE_TYPE_LSREQ;
1959 oh->length = htons(p - sendbuf);
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://u2389337.ct.sendgrid.net/ls/click?upn=nJaKvJSIH-2FPAfmty-2BK5tYpPklAc1eEA-2F1zfUjH6teEwtXAn74UdOrNjckt5W0LJ0CDxXoQFnSJSV51LhpQIExOPuUyDQ-2BIaYqt88E1d5-2F-2Fc-3D7bv-_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTwD2xgdXI24N3-2BmZwG3lsChtpKYxxsXHRyeDpBs7jj-2FxNMyuhiuLTX1WXkFdf9qFzaThov6rBcoQDJDBFpFlXi-2B-2FxG9yc5k8SoegB8a-2FutWfc9x67v4Fo4lG3GaDmv6xGSaPZAxneyawMqEurQA2Q03K-2BTVaDmnxjySaRY96eRkn8QVtjgWmhgykl-2BTaEVPf0M-3D