New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com scan-admin at coverity.com
Tue Apr 7 07:54:43 EDT 2020


Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

16 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
28 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 16 of 16 defect(s)


** CID 1492504:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/bgpd/bgp_routemap.c: 2588 in route_set_ecommunity_lb()


________________________________________________________________________________________________________
*** CID 1492504:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/bgpd/bgp_routemap.c: 2588 in route_set_ecommunity_lb()
2582     	} else if (rels->lb_type == RMAP_ECOMM_LB_SET_NUM_MPATH) {
2583     
2584     		/* process this only for the best path. */
2585     		if (!CHECK_FLAG(path->flags, BGP_PATH_SELECTED))
2586     			return RMAP_OKAY;
2587     
>>>     CID 1492504:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "peer->bgp->lb_ref_bw * 1000U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "_uint64_t" (64 bits, unsigned). Note that the `(uint64_t)` cast on line 2588 is applied to the already-computed 32-bit product, so it widens nothing: `lb_ref_bw * 1000 * 1000` wraps for any `lb_ref_bw` of 4295 or more (2^32 / 10^6 ≈ 4294.97). The operand has to be widened before the multiplication: `bw_bytes = ((uint64_t)peer->bgp->lb_ref_bw * 1000 * 1000) / 8;`. `lb_ref_bw` looks like operator configuration rather than peer-supplied data, so the consequence is a wrong link-bandwidth value (further scaled by `bw_bytes *= mpath_count` on line 2590) being advertised to peers, not memory corruption; still worth fixing, since peers may use that value for weighted multipath.
2588     		bw_bytes = ((uint64_t)(peer->bgp->lb_ref_bw * 1000 * 1000))/8;
2589     		mpath_count = bgp_path_info_mpath_count(path) + 1;
2590     		bw_bytes *= mpath_count;
2591     	}
2592     
2593     	encode_lb_extcomm(as, bw_bytes, rels->non_trans, &lb_eval);

** CID 1492503:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/bgpd/bgp_routemap.c: 2572 in route_set_ecommunity_lb()


________________________________________________________________________________________________________
*** CID 1492503:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/bgpd/bgp_routemap.c: 2572 in route_set_ecommunity_lb()
2566     	if (!peer || !peer->bgp)
2567     		return RMAP_ERROR;
2568     
2569     	/* Build link bandwidth extended community */
2570     	as = (peer->bgp->as > BGP_AS_MAX) ? BGP_AS_TRANS : peer->bgp->as;
2571     	if (rels->lb_type == RMAP_ECOMM_LB_SET_VALUE) {
>>>     CID 1492503:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "rels->bw * 1000U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "_uint64_t" (64 bits, unsigned). The `(uint64_t)` cast on line 2572 wraps the finished 32-bit product rather than an operand, so it does not prevent the wrap; `rels->bw` values of 4295 and above (2^32 / 10^6) silently produce a wrong `bw_bytes`. Cast before multiplying: `bw_bytes = ((uint64_t)rels->bw * 1000 * 1000) / 8;`. `rels->bw` comes from the route-map `set` clause, i.e. local configuration, so this is a correctness issue in the advertised extended community rather than a remotely triggerable one.
2572     		bw_bytes = ((uint64_t)(rels->bw * 1000 * 1000))/8;
2573     	} else if (rels->lb_type == RMAP_ECOMM_LB_SET_CUMUL) {
2574     		/* process this only for the best path. */
2575     		if (!CHECK_FLAG(path->flags, BGP_PATH_SELECTED))
2576     			return RMAP_OKAY;
2577     

** CID 1486267:  Memory - illegal accesses  (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1486267:  Memory - illegal accesses  (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 494 in seqnumber_mismatch()
488     	SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT);
489     	SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT);
490     	SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT);
491     
492     	ospf6_lsdb_remove_all(on->summary_list);
493     	ospf6_lsdb_remove_all(on->request_list);
>>>     CID 1486267:  Memory - illegal accesses  (USE_AFTER_FREE)
>>>     Calling "ospf6_lsdb_next" dereferences freed pointer "lsa". This loop still uses the plain `ALL_LSDB` form: the body calls `ospf6_lsdb_remove(lsa, on->retrans_list)` and the macro's increment then hands the same `lsa` to `ospf6_lsdb_next`. If `ospf6_lsdb_remove` drops the list's reference and that was the last one, the increment reads freed memory. The other retrans-list teardowns in this file (`ospf6_neighbor_delete`, `negotiation_done`, `bad_lsreq`, `oneway_received`) already fetch `lsa_next = ospf6_lsdb_next(iterend, lsa)` before removing; this loop, and the identical one in `adj_ok` (CID 1486253), should be converted to that form. `seqnumber_mismatch` is, by name, a neighbor state-machine event driven by a received Database Description packet, so if the free is real it is reachable from an adjacent OSPFv3 speaker.
494     	for (ALL_LSDB(on->retrans_list, lsa)) {
495     		ospf6_decrement_retrans_count(lsa);
496     		ospf6_lsdb_remove(lsa, on->retrans_list);
497     	}
498     
499     	THREAD_OFF(on->thread_send_dbdesc);

** CID 1486266:    (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1486266:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2343 in ospf6_lsack_send_neighbor()
2337     				p = (uint8_t *)((caddr_t)oh
2338     						+ sizeof(struct ospf6_header));
2339     				lsa_cnt = 0;
2340     			}
2341     		}
2342     
>>>     CID 1486266:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2343     		ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay);
2344     		memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header));
2345     		p += sizeof(struct ospf6_lsa_header);
2346     
2347     		assert(lsa->lock == 1);
2348     		ospf6_lsdb_remove(lsa, on->lsack_list);
/ospf6d/ospf6_message.c: 2343 in ospf6_lsack_send_neighbor()
2337     				p = (uint8_t *)((caddr_t)oh
2338     						+ sizeof(struct ospf6_header));
2339     				lsa_cnt = 0;
2340     			}
2341     		}
2342     
>>>     CID 1486266:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2343     		ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay);
2344     		memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header));
2345     		p += sizeof(struct ospf6_lsa_header);
2346     
2347     		assert(lsa->lock == 1);
2348     		ospf6_lsdb_remove(lsa, on->lsack_list);

** CID 1486265:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2235 in ospf6_lsupdate_send_interface()
/ospf6d/ospf6_message.c: 2235 in ospf6_lsupdate_send_interface()


________________________________________________________________________________________________________
*** CID 1486265:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2235 in ospf6_lsupdate_send_interface()
2229     	lsa_cnt = 0;
2230     
2231     	for (iterend = ospf6_lsdb_head(oi->lsupdate_list, 0, 0, 0, &lsa); lsa;
2232     	     lsa = lsa_next) {
2233     		lsa_next = ospf6_lsdb_next(iterend, lsa);
2234     		/* MTU check */
>>>     CID 1486265:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
2235     		if ((p - sendbuf + ((unsigned int)OSPF6_LSA_SIZE(lsa->header)))
2236     		    > ospf6_packet_max(oi)) {
2237     			if (lsa_cnt) {
2238     				oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
2239     				oh->length = htons(p - sendbuf);
2240     				lsupdate->lsa_number = htonl(lsa_cnt);
/ospf6d/ospf6_message.c: 2235 in ospf6_lsupdate_send_interface()
2229     	lsa_cnt = 0;
2230     
2231     	for (iterend = ospf6_lsdb_head(oi->lsupdate_list, 0, 0, 0, &lsa); lsa;
2232     	     lsa = lsa_next) {
2233     		lsa_next = ospf6_lsdb_next(iterend, lsa);
2234     		/* MTU check */
>>>     CID 1486265:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
2235     		if ((p - sendbuf + ((unsigned int)OSPF6_LSA_SIZE(lsa->header)))
2236     		    > ospf6_packet_max(oi)) {
2237     			if (lsa_cnt) {
2238     				oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
2239     				oh->length = htons(p - sendbuf);
2240     				lsupdate->lsa_number = htonl(lsa_cnt);

** CID 1486264:    (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1486264:    (USE_AFTER_FREE)
/ospf6d/ospf6_lsdb.c: 310 in ospf6_lsdb_remove_all()
304     	if (lsdb == NULL)
305     		return;
306     
307     	for (iterend = ospf6_lsdb_head(lsdb, 0, 0, 0, &lsa); lsa;
308     	     lsa = lsa_next) {
309     		lsa_next = ospf6_lsdb_next(iterend, lsa);
>>>     CID 1486264:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsdb_remove" dereferences freed pointer "lsa".
310     		ospf6_lsdb_remove(lsa, lsdb);
311     	}
312     }
313     
314     void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa)
315     {
/ospf6d/ospf6_lsdb.c: 310 in ospf6_lsdb_remove_all()
304     	if (lsdb == NULL)
305     		return;
306     
307     	for (iterend = ospf6_lsdb_head(lsdb, 0, 0, 0, &lsa); lsa;
308     	     lsa = lsa_next) {
309     		lsa_next = ospf6_lsdb_next(iterend, lsa);
>>>     CID 1486264:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsdb_remove" dereferences freed pointer "lsa".
310     		ospf6_lsdb_remove(lsa, lsdb);
311     	}
312     }
313     
314     void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa)
315     {

** CID 1486263:    (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1486263:    (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 130 in ospf6_neighbor_delete()
124     	ospf6_lsdb_remove_all(on->summary_list);
125     	ospf6_lsdb_remove_all(on->request_list);
126     
127     	for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
128     	     lsa = lsa_next) {
129     		lsa_next = ospf6_lsdb_next(iterend, lsa);
>>>     CID 1486263:    (USE_AFTER_FREE)
>>>     Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa". Here `lsa_next` is already prefetched on line 129, so this report rests on Coverity modelling `ospf6_lsdb_next` as releasing `lsa`'s reference; the body is only a real use-after-free if no other reference (normally the list's own, which is not dropped until `ospf6_lsdb_remove` on line 131) keeps `lsa` alive across the body. That cannot be confirmed from this excerpt; check `ospf6_lsdb_next` and `ospf6_lsa_unlock` and whether `lsa->lock` is at least 2 on entry to the body. The same loop is repeated verbatim in `negotiation_done`, `bad_lsreq` and `oneway_received` (CIDs 1486260, 1486261, 1486255); folding the four copies into one static helper would leave a single place to get the reference counting right.
130     		ospf6_decrement_retrans_count(lsa);
131     		ospf6_lsdb_remove(lsa, on->retrans_list);
132     	}
133     
134     	ospf6_lsdb_remove_all(on->dbdesc_list);
135     	ospf6_lsdb_remove_all(on->lsupdate_list);
/ospf6d/ospf6_neighbor.c: 130 in ospf6_neighbor_delete()
124     	ospf6_lsdb_remove_all(on->summary_list);
125     	ospf6_lsdb_remove_all(on->request_list);
126     
127     	for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
128     	     lsa = lsa_next) {
129     		lsa_next = ospf6_lsdb_next(iterend, lsa);
>>>     CID 1486263:    (USE_AFTER_FREE)
>>>     Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
130     		ospf6_decrement_retrans_count(lsa);
131     		ospf6_lsdb_remove(lsa, on->retrans_list);
132     	}
133     
134     	ospf6_lsdb_remove_all(on->dbdesc_list);
135     	ospf6_lsdb_remove_all(on->lsupdate_list);

** CID 1486262:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1879 in ospf6_dbdesc_send_newone()


________________________________________________________________________________________________________
*** CID 1486262:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1883 in ospf6_dbdesc_send_newone()
1877     		if (size + sizeof(struct ospf6_lsa_header)
1878     		    > ospf6_packet_max(on->ospf6_if)) {
1879     			ospf6_lsdb_lsa_unlock(lsa);
1880     			break;
1881     		}
1882     
>>>     CID 1486262:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_copy" dereferences freed pointer "lsa".
1883     		ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list);
1884     		ospf6_lsdb_remove(lsa, on->summary_list);
1885     		size += sizeof(struct ospf6_lsa_header);
1886     	}
1887     
1888     	if (on->summary_list->count == 0)
/ospf6d/ospf6_message.c: 1879 in ospf6_dbdesc_send_newone()
1873     
1874     	for (iterend = ospf6_lsdb_head(on->summary_list, 0, 0, 0, &lsa); lsa;
1875     	     lsa = lsa_next) {
1876     		lsa_next = ospf6_lsdb_next(iterend, lsa);
1877     		if (size + sizeof(struct ospf6_lsa_header)
1878     		    > ospf6_packet_max(on->ospf6_if)) {
>>>     CID 1486262:    (USE_AFTER_FREE)
>>>     Passing freed pointer "lsa" as an argument to "ospf6_lsdb_lsa_unlock".
1879     			ospf6_lsdb_lsa_unlock(lsa);
1880     			break;
1881     		}
1882     
1883     		ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list);
1884     		ospf6_lsdb_remove(lsa, on->summary_list);
/ospf6d/ospf6_message.c: 1879 in ospf6_dbdesc_send_newone()
1873     
1874     	for (iterend = ospf6_lsdb_head(on->summary_list, 0, 0, 0, &lsa); lsa;
1875     	     lsa = lsa_next) {
1876     		lsa_next = ospf6_lsdb_next(iterend, lsa);
1877     		if (size + sizeof(struct ospf6_lsa_header)
1878     		    > ospf6_packet_max(on->ospf6_if)) {
>>>     CID 1486262:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed. Coverity is modelling `ospf6_lsdb_next` (line 1876) as releasing the reference on `lsa` and taking one on `lsa_next`; on that model the `break` path at line 1879 drops `lsa` a second time while the reference taken on `lsa_next` is never released. If that matches `ospf6_lsdb_next`'s real behaviour (its body is not in this excerpt), the early exit should release the prefetched element instead: `if (lsa_next) ospf6_lsdb_lsa_unlock(lsa_next);` (`lsa_next` is NULL when the loop breaks on the last element).
1879     			ospf6_lsdb_lsa_unlock(lsa);
1880     			break;
1881     		}
1882     
1883     		ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list);
1884     		ospf6_lsdb_remove(lsa, on->summary_list);
/ospf6d/ospf6_message.c: 1883 in ospf6_dbdesc_send_newone()
1877     		if (size + sizeof(struct ospf6_lsa_header)
1878     		    > ospf6_packet_max(on->ospf6_if)) {
1879     			ospf6_lsdb_lsa_unlock(lsa);
1880     			break;
1881     		}
1882     
>>>     CID 1486262:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_copy" dereferences freed pointer "lsa".
1883     		ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list);
1884     		ospf6_lsdb_remove(lsa, on->summary_list);
1885     		size += sizeof(struct ospf6_lsa_header);
1886     	}
1887     
1888     	if (on->summary_list->count == 0)
/ospf6d/ospf6_message.c: 1879 in ospf6_dbdesc_send_newone()
1873     
1874     	for (iterend = ospf6_lsdb_head(on->summary_list, 0, 0, 0, &lsa); lsa;
1875     	     lsa = lsa_next) {
1876     		lsa_next = ospf6_lsdb_next(iterend, lsa);
1877     		if (size + sizeof(struct ospf6_lsa_header)
1878     		    > ospf6_packet_max(on->ospf6_if)) {
>>>     CID 1486262:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed.
1879     			ospf6_lsdb_lsa_unlock(lsa);
1880     			break;
1881     		}
1882     
1883     		ospf6_lsdb_add(ospf6_lsa_copy(lsa), on->dbdesc_list);
1884     		ospf6_lsdb_remove(lsa, on->summary_list);

** CID 1486261:    (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1486261:    (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 536 in bad_lsreq()
530     	ospf6_lsdb_remove_all(on->summary_list);
531     	ospf6_lsdb_remove_all(on->request_list);
532     
533     	for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
534     	     lsa = lsa_next) {
535     		lsa_next = ospf6_lsdb_next(iterend, lsa);
>>>     CID 1486261:    (USE_AFTER_FREE)
>>>     Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
536     		ospf6_decrement_retrans_count(lsa);
537     		ospf6_lsdb_remove(lsa, on->retrans_list);
538     	}
539     
540     	THREAD_OFF(on->thread_send_dbdesc);
541     	on->dbdesc_seqnum++; /* Incr seqnum as per RFC2328, sec 10.3 */
/ospf6d/ospf6_neighbor.c: 536 in bad_lsreq()
530     	ospf6_lsdb_remove_all(on->summary_list);
531     	ospf6_lsdb_remove_all(on->request_list);
532     
533     	for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
534     	     lsa = lsa_next) {
535     		lsa_next = ospf6_lsdb_next(iterend, lsa);
>>>     CID 1486261:    (USE_AFTER_FREE)
>>>     Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
536     		ospf6_decrement_retrans_count(lsa);
537     		ospf6_lsdb_remove(lsa, on->retrans_list);
538     	}
539     
540     	THREAD_OFF(on->thread_send_dbdesc);
541     	on->dbdesc_seqnum++; /* Incr seqnum as per RFC2328, sec 10.3 */

** CID 1486260:    (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1486260:    (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 319 in negotiation_done()
313     	ospf6_lsdb_remove_all(on->summary_list);
314     	ospf6_lsdb_remove_all(on->request_list);
315     
316     	for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
317     	     lsa = lsa_next) {
318     		lsa_next = ospf6_lsdb_next(iterend, lsa);
>>>     CID 1486260:    (USE_AFTER_FREE)
>>>     Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
319     		ospf6_decrement_retrans_count(lsa);
320     		ospf6_lsdb_remove(lsa, on->retrans_list);
321     	}
322     
323     	/* Interface scoped LSAs */
324     	for (ALL_LSDB(on->ospf6_if->lsdb, lsa)) {
/ospf6d/ospf6_neighbor.c: 319 in negotiation_done()
313     	ospf6_lsdb_remove_all(on->summary_list);
314     	ospf6_lsdb_remove_all(on->request_list);
315     
316     	for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
317     	     lsa = lsa_next) {
318     		lsa_next = ospf6_lsdb_next(iterend, lsa);
>>>     CID 1486260:    (USE_AFTER_FREE)
>>>     Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
319     		ospf6_decrement_retrans_count(lsa);
320     		ospf6_lsdb_remove(lsa, on->retrans_list);
321     	}
322     
323     	/* Interface scoped LSAs */
324     	for (ALL_LSDB(on->ospf6_if->lsdb, lsa)) {

** CID 1486259:    (USE_AFTER_FREE)
/ospf6d/ospf6_lsdb.c: 332 in ospf6_lsdb_maxage_remover()
/ospf6d/ospf6_lsdb.c: 332 in ospf6_lsdb_maxage_remover()


________________________________________________________________________________________________________
*** CID 1486259:    (USE_AFTER_FREE)
/ospf6d/ospf6_lsdb.c: 332 in ospf6_lsdb_maxage_remover()
326     	struct ospf6_lsa *lsa, *lsa_next;
327     	const struct route_node *iterend;
328     
329     	for (iterend = ospf6_lsdb_head(lsdb, 0, 0, 0, &lsa); lsa;
330     	     lsa = lsa_next) {
331     		lsa_next = ospf6_lsdb_next(iterend, lsa);
>>>     CID 1486259:    (USE_AFTER_FREE)
>>>     Passing freed pointer "lsa" as an argument to "ospf6_lsa_age_current".
332     		if (!OSPF6_LSA_IS_MAXAGE(lsa))
333     			continue;
334     		if (lsa->retrans_count != 0) {
335     			reschedule = 1;
336     			continue;
337     		}
/ospf6d/ospf6_lsdb.c: 332 in ospf6_lsdb_maxage_remover()
326     	struct ospf6_lsa *lsa, *lsa_next;
327     	const struct route_node *iterend;
328     
329     	for (iterend = ospf6_lsdb_head(lsdb, 0, 0, 0, &lsa); lsa;
330     	     lsa = lsa_next) {
331     		lsa_next = ospf6_lsdb_next(iterend, lsa);
>>>     CID 1486259:    (USE_AFTER_FREE)
>>>     Passing freed pointer "lsa" as an argument to "ospf6_lsa_age_current".
332     		if (!OSPF6_LSA_IS_MAXAGE(lsa))
333     			continue;
334     		if (lsa->retrans_count != 0) {
335     			reschedule = 1;
336     			continue;
337     		}

** CID 1486258:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2411 in ospf6_lsack_send_interface()


________________________________________________________________________________________________________
*** CID 1486258:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2411 in ospf6_lsack_send_interface()
2405     			/* if we run out of packet size/space here,
2406     			   better to try again soon. */
2407     			THREAD_OFF(oi->thread_send_lsack);
2408     			thread_add_event(master, ospf6_lsack_send_interface, oi,
2409     					 0, &oi->thread_send_lsack);
2410     
>>>     CID 1486258:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed. The loop header is outside this excerpt; if it uses the same `lsa_next = ospf6_lsdb_next(iterend, lsa)` prefetch as `ospf6_lsupdate_send_interface`, then by the time the `break` path on line 2411 runs `ospf6_lsdb_next` has already released `lsa` and is holding `lsa_next`, so this call releases the wrong object (second drop of `lsa`, leaked reference on `lsa_next`). The early exit would then need `if (lsa_next) ospf6_lsdb_lsa_unlock(lsa_next);` instead. The same break-path pattern is reported in `ospf6_dbdesc_send_newone` (CID 1486262).
2411     			ospf6_lsdb_lsa_unlock(lsa);
2412     			break;
2413     		}
2414     
2415     		ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2416     		memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header));
/ospf6d/ospf6_message.c: 2415 in ospf6_lsack_send_interface()
2409     					 0, &oi->thread_send_lsack);
2410     
2411     			ospf6_lsdb_lsa_unlock(lsa);
2412     			break;
2413     		}
2414     
>>>     CID 1486258:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2415     		ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2416     		memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header));
2417     		p += sizeof(struct ospf6_lsa_header);
2418     
2419     		assert(lsa->lock == 1);
2420     		ospf6_lsdb_remove(lsa, oi->lsack_list);
/ospf6d/ospf6_message.c: 2411 in ospf6_lsack_send_interface()
2405     			/* if we run out of packet size/space here,
2406     			   better to try again soon. */
2407     			THREAD_OFF(oi->thread_send_lsack);
2408     			thread_add_event(master, ospf6_lsack_send_interface, oi,
2409     					 0, &oi->thread_send_lsack);
2410     
>>>     CID 1486258:    (USE_AFTER_FREE)
>>>     Passing freed pointer "lsa" as an argument to "ospf6_lsdb_lsa_unlock".
2411     			ospf6_lsdb_lsa_unlock(lsa);
2412     			break;
2413     		}
2414     
2415     		ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2416     		memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header));
/ospf6d/ospf6_message.c: 2415 in ospf6_lsack_send_interface()
2409     					 0, &oi->thread_send_lsack);
2410     
2411     			ospf6_lsdb_lsa_unlock(lsa);
2412     			break;
2413     		}
2414     
>>>     CID 1486258:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2415     		ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2416     		memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header));
2417     		p += sizeof(struct ospf6_lsa_header);
2418     
2419     		assert(lsa->lock == 1);
2420     		ospf6_lsdb_remove(lsa, oi->lsack_list);

** CID 1486256:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2049 in ospf6_lsupdate_send_neighbor()
/ospf6d/ospf6_message.c: 2049 in ospf6_lsupdate_send_neighbor()


________________________________________________________________________________________________________
*** CID 1486256:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2049 in ospf6_lsupdate_send_neighbor()
2043     	/* lsupdate_list lists those LSA which doesn't need to be
2044     	   retransmitted. remove those from the list */
2045     	for (iterend = ospf6_lsdb_head(on->lsupdate_list, 0, 0, 0, &lsa); lsa;
2046     	     lsa = lsa_next) {
2047     		lsa_next = ospf6_lsdb_next(iterend, lsa);
2048     		/* MTU check */
>>>     CID 1486256:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
2049     		if ((p - sendbuf + (unsigned int)OSPF6_LSA_SIZE(lsa->header))
2050     		    > ospf6_packet_max(on->ospf6_if)) {
2051     			if (lsa_cnt) {
2052     				oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
2053     				oh->length = htons(p - sendbuf);
2054     				lsupdate->lsa_number = htonl(lsa_cnt);
/ospf6d/ospf6_message.c: 2049 in ospf6_lsupdate_send_neighbor()
2043     	/* lsupdate_list lists those LSA which doesn't need to be
2044     	   retransmitted. remove those from the list */
2045     	for (iterend = ospf6_lsdb_head(on->lsupdate_list, 0, 0, 0, &lsa); lsa;
2046     	     lsa = lsa_next) {
2047     		lsa_next = ospf6_lsdb_next(iterend, lsa);
2048     		/* MTU check */
>>>     CID 1486256:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
2049     		if ((p - sendbuf + (unsigned int)OSPF6_LSA_SIZE(lsa->header))
2050     		    > ospf6_packet_max(on->ospf6_if)) {
2051     			if (lsa_cnt) {
2052     				oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
2053     				oh->length = htons(p - sendbuf);
2054     				lsupdate->lsa_number = htonl(lsa_cnt);

** CID 1486255:    (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1486255:    (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 574 in oneway_received()
568     
569     	ospf6_lsdb_remove_all(on->summary_list);
570     	ospf6_lsdb_remove_all(on->request_list);
571     	for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
572     	     lsa = lsa_next) {
573     		lsa_next = ospf6_lsdb_next(iterend, lsa);
>>>     CID 1486255:    (USE_AFTER_FREE)
>>>     Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
574     		ospf6_decrement_retrans_count(lsa);
575     		ospf6_lsdb_remove(lsa, on->retrans_list);
576     	}
577     
578     	THREAD_OFF(on->thread_send_dbdesc);
579     	THREAD_OFF(on->thread_send_lsreq);
/ospf6d/ospf6_neighbor.c: 574 in oneway_received()
568     
569     	ospf6_lsdb_remove_all(on->summary_list);
570     	ospf6_lsdb_remove_all(on->request_list);
571     	for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa;
572     	     lsa = lsa_next) {
573     		lsa_next = ospf6_lsdb_next(iterend, lsa);
>>>     CID 1486255:    (USE_AFTER_FREE)
>>>     Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
574     		ospf6_decrement_retrans_count(lsa);
575     		ospf6_lsdb_remove(lsa, on->retrans_list);
576     	}
577     
578     	THREAD_OFF(on->thread_send_dbdesc);
579     	THREAD_OFF(on->thread_send_lsreq);

** CID 1486253:  Memory - illegal accesses  (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1486253:  Memory - illegal accesses  (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 463 in adj_ok()
457     
458     	} else if (on->state >= OSPF6_NEIGHBOR_EXSTART && !need_adjacency(on)) {
459     		ospf6_neighbor_state_change(OSPF6_NEIGHBOR_TWOWAY, on,
460     					    OSPF6_NEIGHBOR_EVENT_ADJ_OK);
461     		ospf6_lsdb_remove_all(on->summary_list);
462     		ospf6_lsdb_remove_all(on->request_list);
>>>     CID 1486253:  Memory - illegal accesses  (USE_AFTER_FREE)
>>>     Calling "ospf6_lsdb_next" dereferences freed pointer "lsa". `adj_ok` still iterates with the plain `ALL_LSDB` macro, so `ospf6_lsdb_remove(lsa, on->retrans_list)` in the body is followed by the macro's own `ospf6_lsdb_next(iterend, lsa)` on the element just removed; if that remove dropped the last reference, the increment dereferences freed memory. Converting to the `lsa_next = ospf6_lsdb_next(iterend, lsa)` prefetch form used by the retrans-list loops in `ospf6_neighbor_delete`, `negotiation_done`, `bad_lsreq` and `oneway_received` in this same file removes the ordering problem and makes the five loops consistent.
463     		for (ALL_LSDB(on->retrans_list, lsa)) {
464     			ospf6_decrement_retrans_count(lsa);
465     			ospf6_lsdb_remove(lsa, on->retrans_list);
466     		}
467     	}
468     

** CID 1221460:  Memory - illegal accesses  (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1221460:  Memory - illegal accesses  (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1954 in ospf6_lsreq_send()
1948     	}
1949     
1950     	if (last_req != NULL) {
1951     		if (on->last_ls_req != NULL) {
1952     			ospf6_lsa_unlock(on->last_ls_req);
1953     		}
>>>     CID 1221460:  Memory - illegal accesses  (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_lock" dereferences freed pointer "last_req". The hazard is the order of the two reference-count operations: `ospf6_lsa_unlock(on->last_ls_req)` on line 1952 runs before `ospf6_lsa_lock(last_req)` on line 1954, so if `last_req` is the same LSA as `on->last_ls_req` and that unlock drops the last reference, the lock touches freed memory. Taking the new reference before releasing the old one is safe regardless of aliasing: `ospf6_lsa_lock(last_req); if (on->last_ls_req != NULL) ospf6_lsa_unlock(on->last_ls_req); on->last_ls_req = last_req;`.
1954     		ospf6_lsa_lock(last_req);
1955     		on->last_ls_req = last_req;
1956     	}
1957     
1958     	oh->type = OSPF6_MESSAGE_TYPE_LSREQ;
1959     	oh->length = htons(p - sendbuf);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/ls/click?upn=nJaKvJSIH-2FPAfmty-2BK5tYpPklAc1eEA-2F1zfUjH6teEwtXAn74UdOrNjckt5W0LJ0CDxXoQFnSJSV51LhpQIExOPuUyDQ-2BIaYqt88E1d5-2F-2Fc-3D7bv-_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTwD2xgdXI24N3-2BmZwG3lsChtpKYxxsXHRyeDpBs7jj-2FxNMyuhiuLTX1WXkFdf9qFzaThov6rBcoQDJDBFpFlXi-2B-2FxG9yc5k8SoegB8a-2FutWfc9x67v4Fo4lG3GaDmv6xGSaPZAxneyawMqEurQA2Q03K-2BTVaDmnxjySaRY96eRkn8QVtjgWmhgykl-2BTaEVPf0M-3D (this is a SendGrid click-tracking redirect, not a direct Coverity URL; the destination is not recoverable from the mail, so open the project's Coverity Scan dashboard directly rather than following an opaque redirect from a notification e-mail).



