New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Mon Apr 13 09:37:27 EDT 2020
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
19 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
16 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 19 of 19 defect(s)
** CID 1492577: Control flow issues (DEADCODE)
/zebra/zebra_nhg.c: 1478 in zebra_nhg_rib_find_nhe()
________________________________________________________________________________________________________
*** CID 1492577: Control flow issues (DEADCODE)
/zebra/zebra_nhg.c: 1478 in zebra_nhg_rib_find_nhe()
1472 flog_err(EC_ZEBRA_TABLE_LOOKUP_FAILED,
1473 "No nexthop passed to %s", __func__);
1474 return NULL;
1475 }
1476
1477 if (IS_ZEBRA_DEBUG_NHG_DETAIL)
>>> CID 1492577: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "0U" inside this statement: "zlog_debug("%s: rt_nhe %p (...".
1478 zlog_debug("%s: rt_nhe %p (%u)",
1479 __func__, rt_nhe,
1480 rt_nhe ? rt_nhe->id : 0);
1481
1482 zebra_nhe_find(&nhe, rt_nhe, NULL, rt_afi);
1483
** CID 1492576: Null pointer dereferences (FORWARD_NULL)
/zebra/zebra_nhg.c: 492 in nhg_compare_nexthops()
________________________________________________________________________________________________________
*** CID 1492576: Null pointer dereferences (FORWARD_NULL)
/zebra/zebra_nhg.c: 492 in nhg_compare_nexthops()
486 * -> 1.1.2.1 dummy2 (inactive)
487 *
488 * Without checking each individual one, they would hash to
489 * the same group and both have 1.1.1.1 dummy1 marked inactive.
490 *
491 */
>>> CID 1492576: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "nh1".
492 if (CHECK_FLAG(nh1->flags, NEXTHOP_FLAG_ACTIVE)
493 != CHECK_FLAG(nh2->flags, NEXTHOP_FLAG_ACTIVE))
494 return false;
495
496 if (!nexthop_same(nh1, nh2))
497 return false;
** CID 1492575: Null pointer dereferences (REVERSE_INULL)
/zebra/zebra_dplane.c: 1584 in dplane_ctx_route_init()
________________________________________________________________________________________________________
*** CID 1492575: Null pointer dereferences (REVERSE_INULL)
/zebra/zebra_dplane.c: 1584 in dplane_ctx_route_init()
1578 /* Extract ns info - can't use pointers to 'core' structs */
1579 zvrf = vrf_info_lookup(re->vrf_id);
1580 zns = zvrf->zns;
1581 dplane_ctx_ns_init(ctx, zns, (op == DPLANE_OP_ROUTE_UPDATE));
1582
1583 #ifdef HAVE_NETLINK
>>> CID 1492575: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "re->nhe" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1584 if (re->nhe) {
1585 struct nhg_hash_entry *nhe = zebra_nhg_resolve(re->nhe);
1586
1587 ctx->u.rinfo.nhe.id = nhe->id;
1588 /*
1589 * Check if the nhe is installed/queued before doing anything
** CID 1492574: (REVERSE_INULL)
/zebra/zebra_nhg.c: 1577 in zebra_nhg_free()
/zebra/zebra_nhg.c: 1572 in zebra_nhg_free()
________________________________________________________________________________________________________
*** CID 1492574: (REVERSE_INULL)
/zebra/zebra_nhg.c: 1577 in zebra_nhg_free()
1571 __func__, nhe,
1572 (nhe ? nhe->id : 0),
1573 (nhe ? nhe->refcnt : 0));
1574 else
1575 zlog_debug("%s: nhe %p (%u), refcnt %d, NH %pNHv",
1576 __func__, nhe,
>>> CID 1492574: (REVERSE_INULL)
>>> Null-checking "nhe" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1577 (nhe ? nhe->id : 0),
1578 (nhe ? nhe->refcnt : 0),
1579 nhe->nhg.nexthop);
1580 }
1581
1582 if (nhe->refcnt)
/zebra/zebra_nhg.c: 1572 in zebra_nhg_free()
1566 {
1567 if (IS_ZEBRA_DEBUG_NHG_DETAIL) {
1568 /* Group or singleton? */
1569 if (nhe->nhg.nexthop && nhe->nhg.nexthop->next)
1570 zlog_debug("%s: nhe %p (%u), refcnt %d",
1571 __func__, nhe,
>>> CID 1492574: (REVERSE_INULL)
>>> Null-checking "nhe" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1572 (nhe ? nhe->id : 0),
1573 (nhe ? nhe->refcnt : 0));
1574 else
1575 zlog_debug("%s: nhe %p (%u), refcnt %d, NH %pNHv",
1576 __func__, nhe,
1577 (nhe ? nhe->id : 0),
** CID 1492573: Incorrect expression (COPY_PASTE_ERROR)
/zebra/zebra_nhg.c: 1948 in nexthop_active()
________________________________________________________________________________________________________
*** CID 1492573: Incorrect expression (COPY_PASTE_ERROR)
/zebra/zebra_nhg.c: 1948 in nexthop_active()
1942 nexthop_set_resolved(afi, newhop, nexthop);
1943 resolved = 1;
1944 }
1945 if (resolved)
1946 re->nexthop_mtu = match->mtu;
1947
>>> CID 1492573: Incorrect expression (COPY_PASTE_ERROR)
>>> "zebra_debug_rib" in "zebra_debug_rib & 2UL" looks like a copy-paste error.
1948 if (!resolved && IS_ZEBRA_DEBUG_RIB_DETAILED)
1949 zlog_debug(
1950 " %s: Recursion failed to find",
1951 __func__);
1952 return resolved;
1953 } else if (re->type == ZEBRA_ROUTE_STATIC) {
** CID 1491788: Control flow issues (DEADCODE)
/nhrpd/nhrp_vty.c: 626 in show_ip_nhrp_cache()
________________________________________________________________________________________________________
*** CID 1491788: Control flow issues (DEADCODE)
/nhrpd/nhrp_vty.c: 626 in show_ip_nhrp_cache()
620 sockunion2str(&c->cur.peer->vc->remote.nbma,
621 buf[1], sizeof(buf[1]));
622 else
623 snprintf(buf[1], sizeof(buf[1]), "-");
624
625 if (json) {
>>> CID 1491788: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "json = json_object_new_obje...".
626 json = json_object_new_object();
627 json_object_string_add(json, "interface", c->ifp->name);
628 json_object_string_add(json, "type",
629 nhrp_cache_type_str[c->cur.type]);
630 json_object_string_add(json, "protocol", buf[0]);
631 json_object_string_add(json, "nbma", buf[1]);
** CID 1482185: (USE_AFTER_FREE)
/isisd/isis_pdu.c: 399 in process_p2p_hello()
/isisd/isis_pdu.c: 399 in process_p2p_hello()
/isisd/isis_pdu.c: 399 in process_p2p_hello()
/isisd/isis_pdu.c: 399 in process_p2p_hello()
/isisd/isis_pdu.c: 399 in process_p2p_hello()
/isisd/isis_pdu.c: 399 in process_p2p_hello()
/isisd/isis_pdu.c: 399 in process_p2p_hello()
________________________________________________________________________________________________________
*** CID 1482185: (USE_AFTER_FREE)
/isisd/isis_pdu.c: 399 in process_p2p_hello()
393 }
394 } else {
395 /* down - area mismatch */
396 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
397 }
398
>>> CID 1482185: (USE_AFTER_FREE)
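>>> Dereferencing freed pointer "adj". [Note: the only call on "adj" visible in this excerpt before line 399 is isis_adj_state_change(adj, ISIS_ADJ_DOWN, ...) at line 396, so the free presumably happens inside that call, which the excerpt does not show. The entries for line 399 that follow repeat this same dereference.]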
399 if (adj->adj_state == ISIS_ADJ_UP && changed) {
400 lsp_regenerate_schedule(adj->circuit->area,
401 isis_adj_usage2levels(adj->adj_usage),
402 0);
403 }
404
/isisd/isis_pdu.c: 399 in process_p2p_hello()
393 }
394 } else {
395 /* down - area mismatch */
396 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
397 }
398
>>> CID 1482185: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "adj".
399 if (adj->adj_state == ISIS_ADJ_UP && changed) {
400 lsp_regenerate_schedule(adj->circuit->area,
401 isis_adj_usage2levels(adj->adj_usage),
402 0);
403 }
404
/isisd/isis_pdu.c: 399 in process_p2p_hello()
393 }
394 } else {
395 /* down - area mismatch */
396 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
397 }
398
>>> CID 1482185: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "adj".
399 if (adj->adj_state == ISIS_ADJ_UP && changed) {
400 lsp_regenerate_schedule(adj->circuit->area,
401 isis_adj_usage2levels(adj->adj_usage),
402 0);
403 }
404
/isisd/isis_pdu.c: 399 in process_p2p_hello()
393 }
394 } else {
395 /* down - area mismatch */
396 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
397 }
398
>>> CID 1482185: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "adj".
399 if (adj->adj_state == ISIS_ADJ_UP && changed) {
400 lsp_regenerate_schedule(adj->circuit->area,
401 isis_adj_usage2levels(adj->adj_usage),
402 0);
403 }
404
/isisd/isis_pdu.c: 399 in process_p2p_hello()
393 }
394 } else {
395 /* down - area mismatch */
396 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
397 }
398
>>> CID 1482185: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "adj".
399 if (adj->adj_state == ISIS_ADJ_UP && changed) {
400 lsp_regenerate_schedule(adj->circuit->area,
401 isis_adj_usage2levels(adj->adj_usage),
402 0);
403 }
404
/isisd/isis_pdu.c: 399 in process_p2p_hello()
393 }
394 } else {
395 /* down - area mismatch */
396 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
397 }
398
>>> CID 1482185: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "adj".
399 if (adj->adj_state == ISIS_ADJ_UP && changed) {
400 lsp_regenerate_schedule(adj->circuit->area,
401 isis_adj_usage2levels(adj->adj_usage),
402 0);
403 }
404
/isisd/isis_pdu.c: 399 in process_p2p_hello()
393 }
394 } else {
395 /* down - area mismatch */
396 isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
397 }
398
>>> CID 1482185: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "adj".
399 if (adj->adj_state == ISIS_ADJ_UP && changed) {
400 lsp_regenerate_schedule(adj->circuit->area,
401 isis_adj_usage2levels(adj->adj_usage),
402 0);
403 }
404
** CID 1482173: (STRING_NULL)
/watchfrr/watchfrr.c: 646 in handle_read()
/watchfrr/watchfrr.c: 634 in handle_read()
________________________________________________________________________________________________________
*** CID 1482173: (STRING_NULL)
/watchfrr/watchfrr.c: 646 in handle_read()
640
641 /* We are expecting an echo response: is there any chance that the
642 response would not be returned entirely in the first read? That
643 seems inconceivable... */
644 if ((rc != sizeof(resp)) || memcmp(buf, resp, sizeof(resp))) {
645 char why[100 + sizeof(buf)];
>>> CID 1482173: (STRING_NULL)
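>>> Passing unterminated string "buf" to "snprintf". [Note: both flagged calls (lines 646 and 634) print "buf" through "%.*s" with "(int)rc" as the precision, which limits how many bytes snprintf reads. Whether an over-read is possible therefore depends on "rc" being non-negative and never exceeding sizeof(buf), which this excerpt does not show.]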
646 snprintf(why, sizeof(why),
647 "read returned bad echo response of %d bytes "
648 "(expecting %u): %.*s",
649 (int)rc, (unsigned int)sizeof(resp), (int)rc, buf);
650 daemon_down(dmn, why);
651 return 0;
/watchfrr/watchfrr.c: 634 in handle_read()
628 if (rc == 0) {
629 daemon_down(dmn, "read returned EOF");
630 return 0;
631 }
632 if (!dmn->echo_sent.tv_sec) {
633 char why[sizeof(buf) + 100];
>>> CID 1482173: (STRING_NULL)
>>> Passing unterminated string "buf" to "snprintf".
634 snprintf(why, sizeof(why),
635 "unexpected read returns %d bytes: %.*s", (int)rc,
636 (int)rc, buf);
637 daemon_down(dmn, why);
638 return 0;
639 }
** CID 1482161: (TAINTED_SCALAR)
/ospf6d/ospf6_spf.c: 1031 in ospf6_create_single_router_lsa()
/ospf6d/ospf6_spf.c: 1061 in ospf6_create_single_router_lsa()
________________________________________________________________________________________________________
*** CID 1482161: (TAINTED_SCALAR)
/ospf6d/ospf6_spf.c: 1011 in ospf6_create_single_router_lsa()
1005 zlog_debug("%s: adv_router %s not found in LSDB.",
1006 __func__, ifbuf);
1007 return NULL;
1008 }
1009
1010 /* Allocate memory for this LSA */
>>> CID 1482161: (TAINTED_SCALAR)
>>> Passing tainted variable "total_lsa_length" to a tainted sink.
1011 new_header = XMALLOC(MTYPE_OSPF6_LSA_HEADER, total_lsa_length);
1012
1013 /* LSA information structure */
1014 lsa = XCALLOC(MTYPE_OSPF6_LSA, sizeof(struct ospf6_lsa));
1015
1016 lsa->header = (struct ospf6_lsa_header *)new_header;
/ospf6d/ospf6_spf.c: 1031 in ospf6_create_single_router_lsa()
1025 * a valid pointer.
1026 */
1027 assert(rtr_lsa);
1028 if (!OSPF6_LSA_IS_MAXAGE(rtr_lsa)) {
1029 /* Append first Link State ID LSA */
1030 lsa_header = rtr_lsa->header;
>>> CID 1482161: (TAINTED_SCALAR)
>>> Passing tainted variable "ntohs(lsa_header->length)" to a tainted sink.
1031 memcpy(new_header, lsa_header, ntohs(lsa_header->length));
1032 /* Assign new lsa length as aggregated length. */
1033 ((struct ospf6_lsa_header *)new_header)->length =
1034 htons(total_lsa_length);
1035 new_header += ntohs(lsa_header->length);
1036 num_lsa--;
/ospf6d/ospf6_spf.c: 1061 in ospf6_create_single_router_lsa()
1055 __func__, rtr_lsa->name,
1056 ntohs(lsa_header->length), ifbuf);
1057 }
1058
1059 /* Append Next Link State ID LSA */
1060 lsa_header = rtr_lsa->header;
>>> CID 1482161: (TAINTED_SCALAR)
>>> Passing tainted variable "ntohs(lsa_header->length) - lsa_length" to a tainted sink.
1061 memcpy(new_header, (OSPF6_LSA_HEADER_END(rtr_lsa->header) + 4),
1062 (ntohs(lsa_header->length) - lsa_length));
1063 new_header += (ntohs(lsa_header->length) - lsa_length);
1064 num_lsa--;
1065
1066 rtr_lsa = ospf6_lsdb_next(end, rtr_lsa);
** CID 1479711: Error handling issues (CHECKED_RETURN)
/pimd/pim_zebra.c: 650 in igmp_source_forward_start()
________________________________________________________________________________________________________
*** CID 1479711: Error handling issues (CHECKED_RETURN)
/pimd/pim_zebra.c: 650 in igmp_source_forward_start()
644 grp.u.prefix4 = sg.grp;
645
646 up = pim_upstream_find(pim, &sg);
647 if (up) {
648 memcpy(&nexthop, &up->rpf.source_nexthop,
649 sizeof(struct pim_nexthop));
>>> CID 1479711: Error handling issues (CHECKED_RETURN)
>>> Calling "pim_ecmp_nexthop_lookup" without checking return value (as is done elsewhere 8 out of 9 times).
650 pim_ecmp_nexthop_lookup(pim, &nexthop, &src,
651 &grp, 0);
652 if (nexthop.interface)
653 input_iface_vif_index =
654 pim_if_find_vifindex_by_ifindex(
655 pim,
** CID 1479155: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 1479155: Uninitialized variables (UNINIT)
/pimd/pim_cmd.c: 8110 in pim_test_sg_keepalive_magic()
8104
8105 if (!pim) {
8106 vty_out(vty, "%% Unable to find pim instance\n");
8107 return CMD_WARNING;
8108 }
8109
>>> CID 1479155: Uninitialized variables (UNINIT)
>>> Using uninitialized value "sg". Field "sg.family" is uninitialized when calling "pim_upstream_find".
8110 up = pim_upstream_find(pim, &sg);
8111 if (!up) {
8112 vty_out(vty, "%% Unable to find %s specified\n",
8113 pim_str_sg_dump(&sg));
8114 return CMD_WARNING;
8115 }
** CID 1479142: Memory - illegal accesses (OVERRUN)
/zebra/zebra_rib.c: 2098 in rib_meta_queue_add()
________________________________________________________________________________________________________
*** CID 1479142: Memory - illegal accesses (OVERRUN)
/zebra/zebra_rib.c: 2098 in rib_meta_queue_add()
2092 "rn %p is already queued in sub-queue %u",
2093 (void *)rn, qindex);
2094 return -1;
2095 }
2096
2097 SET_FLAG(rib_dest_from_rnode(rn)->flags, RIB_ROUTE_QUEUED(qindex));
>>> CID 1479142: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "mq->subq" of 6 8-byte elements at element index 6 (byte offset 55) using index "qindex" (which evaluates to 6).
2098 listnode_add(mq->subq[qindex], rn);
2099 route_lock_node(rn);
2100 mq->size++;
2101
2102 if (IS_ZEBRA_DEBUG_RIB_DETAILED)
2103 rnode_debug(rn, re->vrf_id, "queued rn %p into sub-queue %u",
** CID 1475948: Security best practices violations (DC.WEAK_CRYPTO)
/watchfrr/watchfrr.c: 889 in phase_check()
________________________________________________________________________________________________________
*** CID 1475948: Security best practices violations (DC.WEAK_CRYPTO)
/watchfrr/watchfrr.c: 889 in phase_check()
883 return;
884
885 /* startup complete, everything out of INIT */
886 gs.phase = PHASE_NONE;
887 for (dmn = gs.daemons; dmn; dmn = dmn->next)
888 if (dmn->state == DAEMON_DOWN) {
>>> CID 1475948: Security best practices violations (DC.WEAK_CRYPTO)
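>>> "random" should not be used for security-related applications, because linear congruential algorithms are too easy to break. [Note: the flagged line shows only the SET_WAKEUP_DOWN macro, so the "random" call is presumably in its expansion, which this excerpt does not show; the same applies to CID 1475944 below. Whether the value is used for anything security-related cannot be judged from these lines.]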
889 SET_WAKEUP_DOWN(dmn);
890 try_restart(dmn);
891 }
892 break;
893 case PHASE_STOPS_PENDING:
894 if (gs.numpids)
** CID 1475944: Security best practices violations (DC.WEAK_CRYPTO)
/watchfrr/watchfrr.c: 581 in restart_done()
________________________________________________________________________________________________________
*** CID 1475944: Security best practices violations (DC.WEAK_CRYPTO)
/watchfrr/watchfrr.c: 581 in restart_done()
575 dmn->name, state_str[dmn->state]);
576 return;
577 }
578 if (dmn->t_wakeup)
579 THREAD_OFF(dmn->t_wakeup);
580 if (try_connect(dmn) < 0)
>>> CID 1475944: Security best practices violations (DC.WEAK_CRYPTO)
>>> "random" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
581 SET_WAKEUP_DOWN(dmn);
582 }
583
584 static void daemon_down(struct daemon *dmn, const char *why)
585 {
586 if (IS_UP(dmn) || (dmn->state == DAEMON_INIT))
** CID 1420264: Null pointer dereferences (NULL_RETURNS)
________________________________________________________________________________________________________
*** CID 1420264: Null pointer dereferences (NULL_RETURNS)
/pimd/pim_nht.c: 791 in pim_parse_nexthop_update()
785 nexthop->gate.ipv4 =
786 pnc->rpf.rpf_addr.u.prefix4;
787 break;
788 case NEXTHOP_TYPE_IPV6_IFINDEX:
789 ifp1 = if_lookup_by_index(nexthop->ifindex,
790 pim->vrf_id);
>>> CID 1420264: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "ifp1" when calling "pim_neighbor_find_if".
791 nbr = pim_neighbor_find_if(ifp1);
792 /* Overwrite with Nbr address as NH addr */
793 if (nbr)
794 nexthop->gate.ipv4 = nbr->source_addr;
795 else {
796 // Mark nexthop address to 0 until PIM
** CID 1302468: Memory - corruptions (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________
*** CID 1302468: Memory - corruptions (ARRAY_VS_SINGLETON)
/zebra/zebra_snmp.c: 371 in get_fwtable_route_node()
365 /* For exact: search matching entry in rib table. */
366
367 if (exact) {
368 if (policy) /* Not supported (yet?) */
369 return;
370 for (*np = route_top(table); *np; *np = route_next(*np)) {
>>> CID 1302468: Memory - corruptions (ARRAY_VS_SINGLETON)
>>> Passing "&(*np)->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
371 if (!in_addr_cmp(&(*np)->p.u.prefix,
372 (uint8_t *)&dest)) {
373 RNODE_FOREACH_RE (*np, *re) {
374 if (!in_addr_cmp((uint8_t *)&(*re)->nhe
375 ->nhg.nexthop
376 ->gate.ipv4,
** CID 1302467: (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________
*** CID 1302467: (ARRAY_VS_SINGLETON)
/zebra/zebra_snmp.c: 271 in check_replace()
265 *re = re2;
266 return;
267 }
268
269 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) < 0)
270 return;
>>> CID 1302467: (ARRAY_VS_SINGLETON)
>>> Passing "&np2->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
271 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) > 0) {
272 *np = np2;
273 *re = re2;
274 return;
275 }
276
/zebra/zebra_snmp.c: 269 in check_replace()
263 if (!*np) {
264 *np = np2;
265 *re = re2;
266 return;
267 }
268
>>> CID 1302467: (ARRAY_VS_SINGLETON)
>>> Passing "&np2->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
269 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) < 0)
270 return;
271 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) > 0) {
272 *np = np2;
273 *re = re2;
274 return;
** CID 1302466: (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________
*** CID 1302466: (ARRAY_VS_SINGLETON)
/zebra/zebra_snmp.c: 397 in get_fwtable_route_node()
391 /* Check destination first */
392 if (in_addr_cmp(&np2->p.u.prefix, (uint8_t *)&dest) > 0)
393 RNODE_FOREACH_RE (np2, re2) {
394 check_replace(np2, re2, np, re);
395 }
396
>>> CID 1302466: (ARRAY_VS_SINGLETON)
>>> Passing "&np2->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
397 if (in_addr_cmp(&np2->p.u.prefix, (uint8_t *)&dest)
398 == 0) { /* have to look at each re individually */
399 RNODE_FOREACH_RE (np2, re2) {
400 int proto2, policy2;
401
402 proto2 = proto_trans(re2->type);
/zebra/zebra_snmp.c: 392 in get_fwtable_route_node()
386
387 /* Search next best entry */
388
389 for (np2 = route_top(table); np2; np2 = route_next(np2)) {
390
391 /* Check destination first */
>>> CID 1302466: (ARRAY_VS_SINGLETON)
>>> Passing "&np2->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
392 if (in_addr_cmp(&np2->p.u.prefix, (uint8_t *)&dest) > 0)
393 RNODE_FOREACH_RE (np2, re2) {
394 check_replace(np2, re2, np, re);
395 }
396
397 if (in_addr_cmp(&np2->p.u.prefix, (uint8_t *)&dest)
** CID 1302465: (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________
*** CID 1302465: (ARRAY_VS_SINGLETON)
/zebra/zebra_snmp.c: 269 in check_replace()
263 if (!*np) {
264 *np = np2;
265 *re = re2;
266 return;
267 }
268
>>> CID 1302465: (ARRAY_VS_SINGLETON)
>>> Passing "&(*np)->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
269 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) < 0)
270 return;
271 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) > 0) {
272 *np = np2;
273 *re = re2;
274 return;
/zebra/zebra_snmp.c: 271 in check_replace()
265 *re = re2;
266 return;
267 }
268
269 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) < 0)
270 return;
>>> CID 1302465: (ARRAY_VS_SINGLETON)
>>> Passing "&(*np)->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
271 if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) > 0) {
272 *np = np2;
273 *re = re2;
274 return;
275 }
276
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/ls/click?upn=nJaKvJSIH-2FPAfmty-2BK5tYpPklAc1eEA-2F1zfUjH6teEwtXAn74UdOrNjckt5W0LJ0CDxXoQFnSJSV51LhpQIExOPuUyDQ-2BIaYqt88E1d5-2F-2Fc-3DtPXN_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTxTK8n5az938SobFKi3qh1GuVWd3F9G4VjEMfQzNarfiJEWYGbKIw22GAuPI2xSc3d-2FOxWPt0GYDMxqdmN3JS5VyRvpGmovnYbQSPMeOtmgHAbRwe2tlRmOxUrQJ7wzuie8Hb2mVlsXIKm4hH2ob2wWQ-2F7lubpALHz4E3Aw-2B3L-2BUQ-3D-3D