New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com scan-admin at coverity.com
Mon Apr 13 09:37:27 EDT 2020


Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

19 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
16 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 19 of 19 defect(s)


** CID 1492577:  Control flow issues  (DEADCODE)
/zebra/zebra_nhg.c: 1478 in zebra_nhg_rib_find_nhe()


________________________________________________________________________________________________________
*** CID 1492577:  Control flow issues  (DEADCODE)
/zebra/zebra_nhg.c: 1478 in zebra_nhg_rib_find_nhe()
1472     		flog_err(EC_ZEBRA_TABLE_LOOKUP_FAILED,
1473     			 "No nexthop passed to %s", __func__);
1474     		return NULL;
1475     	}
1476     
1477     	if (IS_ZEBRA_DEBUG_NHG_DETAIL)
>>>     CID 1492577:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "0U" inside this statement: "zlog_debug("%s: rt_nhe %p (...".
1478     		zlog_debug("%s: rt_nhe %p (%u)",
1479     			   __func__, rt_nhe,
1480     			   rt_nhe ? rt_nhe->id : 0);
1481     
1482     	zebra_nhe_find(&nhe, rt_nhe, NULL, rt_afi);
1483     

** CID 1492576:  Null pointer dereferences  (FORWARD_NULL)
/zebra/zebra_nhg.c: 492 in nhg_compare_nexthops()


________________________________________________________________________________________________________
*** CID 1492576:  Null pointer dereferences  (FORWARD_NULL)
/zebra/zebra_nhg.c: 492 in nhg_compare_nexthops()
486     	 *           -> 1.1.2.1 dummy2 (inactive)
487     	 *
488     	 * Without checking each individual one, they would hash to
489     	 * the same group and both have 1.1.1.1 dummy1 marked inactive.
490     	 *
491     	 */
>>>     CID 1492576:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "nh1".
>>>     Reviewer note: where "nh1" comes from is not visible in this excerpt, so whether it can actually be NULL cannot be settled here. A comparison routine like this is normally made total: treat two NULL nexthops as equal and exactly one NULL as "not equal" before touching nh1->flags / nh2->flags, which also silences the checker without changing results for non-NULL inputs.
492     	if (CHECK_FLAG(nh1->flags, NEXTHOP_FLAG_ACTIVE)
493     	    != CHECK_FLAG(nh2->flags, NEXTHOP_FLAG_ACTIVE))
494     		return false;
495     
496     	if (!nexthop_same(nh1, nh2))
497     		return false;

** CID 1492575:  Null pointer dereferences  (REVERSE_INULL)
/zebra/zebra_dplane.c: 1584 in dplane_ctx_route_init()


________________________________________________________________________________________________________
*** CID 1492575:  Null pointer dereferences  (REVERSE_INULL)
/zebra/zebra_dplane.c: 1584 in dplane_ctx_route_init()
1578     	/* Extract ns info - can't use pointers to 'core' structs */
1579     	zvrf = vrf_info_lookup(re->vrf_id);
1580     	zns = zvrf->zns;
1581     	dplane_ctx_ns_init(ctx, zns, (op == DPLANE_OP_ROUTE_UPDATE));
1582     
1583     #ifdef HAVE_NETLINK
>>>     CID 1492575:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "re->nhe" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
>>>     Reviewer note: the earlier dereference is outside this excerpt, so either the "if (re->nhe)" guard is dead or the earlier access is unguarded; the fix is to decide which is the contract for re->nhe and make both sites agree. Separately, the value returned by zebra_nhg_resolve(re->nhe) on line 1585 is used as nhe->id on line 1587 without a NULL check; whether that function can return NULL is not shown here and should be confirmed.
1584     	if (re->nhe) {
1585     		struct nhg_hash_entry *nhe = zebra_nhg_resolve(re->nhe);
1586     
1587     		ctx->u.rinfo.nhe.id = nhe->id;
1588     		/*
1589     		 * Check if the nhe is installed/queued before doing anything

** CID 1492574:    (REVERSE_INULL)
/zebra/zebra_nhg.c: 1577 in zebra_nhg_free()
/zebra/zebra_nhg.c: 1572 in zebra_nhg_free()


________________________________________________________________________________________________________
*** CID 1492574:    (REVERSE_INULL)
/zebra/zebra_nhg.c: 1577 in zebra_nhg_free()
1571     				   __func__, nhe,
1572     				   (nhe ? nhe->id : 0),
1573     				   (nhe ? nhe->refcnt : 0));
1574     		else
1575     			zlog_debug("%s: nhe %p (%u), refcnt %d, NH %pNHv",
1576     				   __func__, nhe,
>>>     CID 1492574:    (REVERSE_INULL)
>>>     Null-checking "nhe" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
>>>     Reviewer note: nhe->nhg.nexthop is read unconditionally on line 1569 and nhe->refcnt on line 1582, so the "nhe ? ... : 0" guards inside the debug calls cannot protect anything; drop them (and document that callers must pass a non-NULL entry) rather than leave a guard that implies a NULL is tolerated.
1577     				   (nhe ? nhe->id : 0),
1578     				   (nhe ? nhe->refcnt : 0),
1579     				   nhe->nhg.nexthop);
1580     	}
1581     
1582     	if (nhe->refcnt)
/zebra/zebra_nhg.c: 1572 in zebra_nhg_free()
1566     {
1567     	if (IS_ZEBRA_DEBUG_NHG_DETAIL) {
1568     		/* Group or singleton? */
1569     		if (nhe->nhg.nexthop && nhe->nhg.nexthop->next)
1570     			zlog_debug("%s: nhe %p (%u), refcnt %d",
1571     				   __func__, nhe,
>>>     CID 1492574:    (REVERSE_INULL)
>>>     Null-checking "nhe" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1572     				   (nhe ? nhe->id : 0),
1573     				   (nhe ? nhe->refcnt : 0));
1574     		else
1575     			zlog_debug("%s: nhe %p (%u), refcnt %d, NH %pNHv",
1576     				   __func__, nhe,
1577     				   (nhe ? nhe->id : 0),

** CID 1492573:  Incorrect expression  (COPY_PASTE_ERROR)
/zebra/zebra_nhg.c: 1948 in nexthop_active()


________________________________________________________________________________________________________
*** CID 1492573:  Incorrect expression  (COPY_PASTE_ERROR)
/zebra/zebra_nhg.c: 1948 in nexthop_active()
1942     				nexthop_set_resolved(afi, newhop, nexthop);
1943     				resolved = 1;
1944     			}
1945     			if (resolved)
1946     				re->nexthop_mtu = match->mtu;
1947     
>>>     CID 1492573:  Incorrect expression  (COPY_PASTE_ERROR)
>>>     "zebra_debug_rib" in "zebra_debug_rib & 2UL" looks like a copy-paste error.
1948     			if (!resolved && IS_ZEBRA_DEBUG_RIB_DETAILED)
1949     				zlog_debug(
1950     					"        %s: Recursion failed to find",
1951     					__func__);
1952     			return resolved;
1953     		} else if (re->type == ZEBRA_ROUTE_STATIC) {

** CID 1491788:  Control flow issues  (DEADCODE)
/nhrpd/nhrp_vty.c: 626 in show_ip_nhrp_cache()


________________________________________________________________________________________________________
*** CID 1491788:  Control flow issues  (DEADCODE)
/nhrpd/nhrp_vty.c: 626 in show_ip_nhrp_cache()
620     		sockunion2str(&c->cur.peer->vc->remote.nbma,
621     			      buf[1], sizeof(buf[1]));
622     	else
623     		snprintf(buf[1], sizeof(buf[1]), "-");
624     
625     	if (json) {
>>>     CID 1491788:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "json = json_object_new_obje...".
>>>     Reviewer note: the checker has determined that "json" is always NULL at line 625 (its assignment is outside this excerpt), which means the JSON output branch of show_ip_nhrp_cache() never runs. This is a functional gap in the command's JSON output rather than a memory-safety issue.
626     		json = json_object_new_object();
627     		json_object_string_add(json, "interface", c->ifp->name);
628     		json_object_string_add(json, "type",
629     				       nhrp_cache_type_str[c->cur.type]);
630     		json_object_string_add(json, "protocol", buf[0]);
631     		json_object_string_add(json, "nbma", buf[1]);

** CID 1482185:    (USE_AFTER_FREE)
/isisd/isis_pdu.c: 399 in process_p2p_hello()
/isisd/isis_pdu.c: 399 in process_p2p_hello()
/isisd/isis_pdu.c: 399 in process_p2p_hello()
/isisd/isis_pdu.c: 399 in process_p2p_hello()
/isisd/isis_pdu.c: 399 in process_p2p_hello()
/isisd/isis_pdu.c: 399 in process_p2p_hello()
/isisd/isis_pdu.c: 399 in process_p2p_hello()


________________________________________________________________________________________________________
*** CID 1482185:    (USE_AFTER_FREE)
/isisd/isis_pdu.c: 399 in process_p2p_hello()
393     		}
394     	} else {
395     		/* down - area mismatch */
396     		isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
397     	}
398     
>>>     CID 1482185:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "adj".
>>>     Reviewer note: the dereference is adj->adj_state on line 399, reached right after isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch") on line 396. The callee is not shown, but the trace says it releases the adjacency on the DOWN transition; if so this is a use-after-free inside the handler for a received P2P hello PDU, i.e. reachable by a peer on the link that sends a hello with a mismatching area. Because the adjacency is DOWN in that branch, the "adj_state == ISIS_ADJ_UP" test on line 399 can never be true for it, so the branch can return immediately after the state change instead of falling through to a read of adj.
399     	if (adj->adj_state == ISIS_ADJ_UP && changed) {
400     		lsp_regenerate_schedule(adj->circuit->area,
401     					isis_adj_usage2levels(adj->adj_usage),
402     					0);
403     	}
404     
/isisd/isis_pdu.c: 399 in process_p2p_hello()
393     		}
394     	} else {
395     		/* down - area mismatch */
396     		isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
397     	}
398     
>>>     CID 1482185:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "adj".
399     	if (adj->adj_state == ISIS_ADJ_UP && changed) {
400     		lsp_regenerate_schedule(adj->circuit->area,
401     					isis_adj_usage2levels(adj->adj_usage),
402     					0);
403     	}
404     
/isisd/isis_pdu.c: 399 in process_p2p_hello()
393     		}
394     	} else {
395     		/* down - area mismatch */
396     		isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
397     	}
398     
>>>     CID 1482185:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "adj".
399     	if (adj->adj_state == ISIS_ADJ_UP && changed) {
400     		lsp_regenerate_schedule(adj->circuit->area,
401     					isis_adj_usage2levels(adj->adj_usage),
402     					0);
403     	}
404     
/isisd/isis_pdu.c: 399 in process_p2p_hello()
393     		}
394     	} else {
395     		/* down - area mismatch */
396     		isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
397     	}
398     
>>>     CID 1482185:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "adj".
399     	if (adj->adj_state == ISIS_ADJ_UP && changed) {
400     		lsp_regenerate_schedule(adj->circuit->area,
401     					isis_adj_usage2levels(adj->adj_usage),
402     					0);
403     	}
404     
/isisd/isis_pdu.c: 399 in process_p2p_hello()
393     		}
394     	} else {
395     		/* down - area mismatch */
396     		isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
397     	}
398     
>>>     CID 1482185:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "adj".
399     	if (adj->adj_state == ISIS_ADJ_UP && changed) {
400     		lsp_regenerate_schedule(adj->circuit->area,
401     					isis_adj_usage2levels(adj->adj_usage),
402     					0);
403     	}
404     
/isisd/isis_pdu.c: 399 in process_p2p_hello()
393     		}
394     	} else {
395     		/* down - area mismatch */
396     		isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
397     	}
398     
>>>     CID 1482185:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "adj".
399     	if (adj->adj_state == ISIS_ADJ_UP && changed) {
400     		lsp_regenerate_schedule(adj->circuit->area,
401     					isis_adj_usage2levels(adj->adj_usage),
402     					0);
403     	}
404     
/isisd/isis_pdu.c: 399 in process_p2p_hello()
393     		}
394     	} else {
395     		/* down - area mismatch */
396     		isis_adj_state_change(adj, ISIS_ADJ_DOWN, "Area Mismatch");
397     	}
398     
>>>     CID 1482185:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "adj".
399     	if (adj->adj_state == ISIS_ADJ_UP && changed) {
400     		lsp_regenerate_schedule(adj->circuit->area,
401     					isis_adj_usage2levels(adj->adj_usage),
402     					0);
403     	}
404     

** CID 1482173:    (STRING_NULL)
/watchfrr/watchfrr.c: 646 in handle_read()
/watchfrr/watchfrr.c: 634 in handle_read()


________________________________________________________________________________________________________
*** CID 1482173:    (STRING_NULL)
/watchfrr/watchfrr.c: 646 in handle_read()
640     
641     	/* We are expecting an echo response: is there any chance that the
642     	   response would not be returned entirely in the first read?  That
643     	   seems inconceivable... */
644     	if ((rc != sizeof(resp)) || memcmp(buf, resp, sizeof(resp))) {
645     		char why[100 + sizeof(buf)];
>>>     CID 1482173:    (STRING_NULL)
>>>     Passing unterminated string "buf" to "snprintf".
>>>     Reviewer note: the format on lines 647-649 uses "%.*s" with precision (int)rc, which bounds how many bytes snprintf reads from buf, so the missing NUL terminator by itself does not cause an over-read. What has to hold is that rc never exceeds sizeof(buf); the read() call that produces rc is outside this excerpt and is where that bound should be checked.
646     		snprintf(why, sizeof(why),
647     			 "read returned bad echo response of %d bytes "
648     			 "(expecting %u): %.*s",
649     			 (int)rc, (unsigned int)sizeof(resp), (int)rc, buf);
650     		daemon_down(dmn, why);
651     		return 0;
/watchfrr/watchfrr.c: 634 in handle_read()
628     	if (rc == 0) {
629     		daemon_down(dmn, "read returned EOF");
630     		return 0;
631     	}
632     	if (!dmn->echo_sent.tv_sec) {
633     		char why[sizeof(buf) + 100];
>>>     CID 1482173:    (STRING_NULL)
>>>     Passing unterminated string "buf" to "snprintf".
634     		snprintf(why, sizeof(why),
635     			 "unexpected read returns %d bytes: %.*s", (int)rc,
636     			 (int)rc, buf);
637     		daemon_down(dmn, why);
638     		return 0;
639     	}

** CID 1482161:    (TAINTED_SCALAR)
/ospf6d/ospf6_spf.c: 1031 in ospf6_create_single_router_lsa()
/ospf6d/ospf6_spf.c: 1061 in ospf6_create_single_router_lsa()


________________________________________________________________________________________________________
*** CID 1482161:    (TAINTED_SCALAR)
/ospf6d/ospf6_spf.c: 1011 in ospf6_create_single_router_lsa()
1005     			zlog_debug("%s: adv_router %s not found in LSDB.",
1006     				   __func__, ifbuf);
1007     		return NULL;
1008     	}
1009     
1010     	/* Allocate memory for this LSA */
>>>     CID 1482161:    (TAINTED_SCALAR)
>>>     Passing tainted variable "total_lsa_length" to a tainted sink.
>>>     Reviewer note: the length fields involved here (total_lsa_length, and ntohs(lsa_header->length) on lines 1031 and 1061) come from LSAs held in the LSDB, which presumably were received from the network. The computation of total_lsa_length is not visible in this excerpt; the memcpy sizes on lines 1031 and 1061 must be shown to stay within the total_lsa_length bytes allocated on line 1011, and the expression "ntohs(lsa_header->length) - lsa_length" on line 1062 needs a lower-bound check (length >= lsa_length) before it is used as a copy size, since it otherwise wraps or goes negative for a short LSA.
1011     	new_header = XMALLOC(MTYPE_OSPF6_LSA_HEADER, total_lsa_length);
1012     
1013     	/* LSA information structure */
1014     	lsa = XCALLOC(MTYPE_OSPF6_LSA, sizeof(struct ospf6_lsa));
1015     
1016     	lsa->header = (struct ospf6_lsa_header *)new_header;
/ospf6d/ospf6_spf.c: 1031 in ospf6_create_single_router_lsa()
1025     	 * a valid pointer.
1026     	 */
1027     	assert(rtr_lsa);
1028     	if (!OSPF6_LSA_IS_MAXAGE(rtr_lsa)) {
1029     		/* Append first Link State ID LSA */
1030     		lsa_header = rtr_lsa->header;
>>>     CID 1482161:    (TAINTED_SCALAR)
>>>     Passing tainted variable "ntohs(lsa_header->length)" to a tainted sink.
1031     		memcpy(new_header, lsa_header, ntohs(lsa_header->length));
1032     		/* Assign new lsa length as aggregated length. */
1033     		((struct ospf6_lsa_header *)new_header)->length =
1034     			htons(total_lsa_length);
1035     		new_header += ntohs(lsa_header->length);
1036     		num_lsa--;
/ospf6d/ospf6_spf.c: 1061 in ospf6_create_single_router_lsa()
1055     				__func__, rtr_lsa->name,
1056     				ntohs(lsa_header->length), ifbuf);
1057     		}
1058     
1059     		/* Append Next Link State ID LSA */
1060     		lsa_header = rtr_lsa->header;
>>>     CID 1482161:    (TAINTED_SCALAR)
>>>     Passing tainted variable "ntohs(lsa_header->length) - lsa_length" to a tainted sink.
1061     		memcpy(new_header, (OSPF6_LSA_HEADER_END(rtr_lsa->header) + 4),
1062     		       (ntohs(lsa_header->length) - lsa_length));
1063     		new_header += (ntohs(lsa_header->length) - lsa_length);
1064     		num_lsa--;
1065     
1066     		rtr_lsa = ospf6_lsdb_next(end, rtr_lsa);

** CID 1479711:  Error handling issues  (CHECKED_RETURN)
/pimd/pim_zebra.c: 650 in igmp_source_forward_start()


________________________________________________________________________________________________________
*** CID 1479711:  Error handling issues  (CHECKED_RETURN)
/pimd/pim_zebra.c: 650 in igmp_source_forward_start()
644     			grp.u.prefix4 = sg.grp;
645     
646     			up = pim_upstream_find(pim, &sg);
647     			if (up) {
648     				memcpy(&nexthop, &up->rpf.source_nexthop,
649     				       sizeof(struct pim_nexthop));
>>>     CID 1479711:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "pim_ecmp_nexthop_lookup" without checking return value (as is done elsewhere 8 out of 9 times).
>>>     Reviewer note: "nexthop" is pre-filled on lines 648-649 by copying up->rpf.source_nexthop, so if the lookup fails and leaves the struct untouched, the "if (nexthop.interface)" test on line 652 still sees the stale copied interface rather than an empty result. Checking the lookup's return value (as the other call sites do) is the only way to tell a fresh result from the stale copy.
650     				pim_ecmp_nexthop_lookup(pim, &nexthop, &src,
651     							&grp, 0);
652     				if (nexthop.interface)
653     					input_iface_vif_index =
654     						pim_if_find_vifindex_by_ifindex(
655     							pim,

** CID 1479155:  Uninitialized variables  (UNINIT)


________________________________________________________________________________________________________
*** CID 1479155:  Uninitialized variables  (UNINIT)
/pimd/pim_cmd.c: 8110 in pim_test_sg_keepalive_magic()
8104     
8105     	if (!pim) {
8106     		vty_out(vty, "%% Unable to find pim instance\n");
8107     		return CMD_WARNING;
8108     	}
8109     
>>>     CID 1479155:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "sg". Field "sg.family" is uninitialized when calling "pim_upstream_find".
>>>     Reviewer note: the declaration and partial initialization of "sg" are outside this excerpt. Zero-initializing the struct at declaration and setting the family explicitly (presumably AF_INET here) removes the dependence on stack garbage in the lookup and in pim_str_sg_dump() on line 8113.
8110     	up = pim_upstream_find(pim, &sg);
8111     	if (!up) {
8112     		vty_out(vty, "%% Unable to find %s specified\n",
8113     			pim_str_sg_dump(&sg));
8114     		return CMD_WARNING;
8115     	}

** CID 1479142:  Memory - illegal accesses  (OVERRUN)
/zebra/zebra_rib.c: 2098 in rib_meta_queue_add()


________________________________________________________________________________________________________
*** CID 1479142:  Memory - illegal accesses  (OVERRUN)
/zebra/zebra_rib.c: 2098 in rib_meta_queue_add()
2092     				    "rn %p is already queued in sub-queue %u",
2093     				    (void *)rn, qindex);
2094     		return -1;
2095     	}
2096     
2097     	SET_FLAG(rib_dest_from_rnode(rn)->flags, RIB_ROUTE_QUEUED(qindex));
>>>     CID 1479142:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "mq->subq" of 6 8-byte elements at element index 6 (byte offset 55) using index "qindex" (which evaluates to 6).
>>>     Reviewer note: the mapping that produces qindex is not shown here; if it can yield 6 while subq has 6 entries (for example a sub-queue added without growing the array), listnode_add() on line 2098 reads a list pointer from past the end of the array and then writes through it. The check a reviewer would want is that qindex is bounded by the array length at this site (an assert is appropriate, since a bad index here is a programming error, not input), with the array size and the index mapping tied to a single constant.
2098     	listnode_add(mq->subq[qindex], rn);
2099     	route_lock_node(rn);
2100     	mq->size++;
2101     
2102     	if (IS_ZEBRA_DEBUG_RIB_DETAILED)
2103     		rnode_debug(rn, re->vrf_id, "queued rn %p into sub-queue %u",

** CID 1475948:  Security best practices violations  (DC.WEAK_CRYPTO)
/watchfrr/watchfrr.c: 889 in phase_check()


________________________________________________________________________________________________________
*** CID 1475948:  Security best practices violations  (DC.WEAK_CRYPTO)
/watchfrr/watchfrr.c: 889 in phase_check()
883     				return;
884     
885     		/* startup complete, everything out of INIT */
886     		gs.phase = PHASE_NONE;
887     		for (dmn = gs.daemons; dmn; dmn = dmn->next)
888     			if (dmn->state == DAEMON_DOWN) {
>>>     CID 1475948:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "random" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
889     				SET_WAKEUP_DOWN(dmn);
890     				try_restart(dmn);
891     			}
892     		break;
893     	case PHASE_STOPS_PENDING:
894     		if (gs.numpids)

** CID 1475944:  Security best practices violations  (DC.WEAK_CRYPTO)
/watchfrr/watchfrr.c: 581 in restart_done()


________________________________________________________________________________________________________
*** CID 1475944:  Security best practices violations  (DC.WEAK_CRYPTO)
/watchfrr/watchfrr.c: 581 in restart_done()
575     			dmn->name, state_str[dmn->state]);
576     		return;
577     	}
578     	if (dmn->t_wakeup)
579     		THREAD_OFF(dmn->t_wakeup);
580     	if (try_connect(dmn) < 0)
>>>     CID 1475944:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "random" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
581     		SET_WAKEUP_DOWN(dmn);
582     }
583     
584     static void daemon_down(struct daemon *dmn, const char *why)
585     {
586     	if (IS_UP(dmn) || (dmn->state == DAEMON_INIT))

** CID 1420264:  Null pointer dereferences  (NULL_RETURNS)


________________________________________________________________________________________________________
*** CID 1420264:  Null pointer dereferences  (NULL_RETURNS)
/pimd/pim_nht.c: 791 in pim_parse_nexthop_update()
785     				nexthop->gate.ipv4 =
786     					pnc->rpf.rpf_addr.u.prefix4;
787     				break;
788     			case NEXTHOP_TYPE_IPV6_IFINDEX:
789     				ifp1 = if_lookup_by_index(nexthop->ifindex,
790     							  pim->vrf_id);
>>>     CID 1420264:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "ifp1" when calling "pim_neighbor_find_if".
>>>     Reviewer note: if_lookup_by_index() on lines 789-790 can return NULL when the ifindex carried in the nexthop update no longer matches an interface. Since the code already handles a missing neighbor on line 795, the simplest fix is to only call pim_neighbor_find_if() when ifp1 is non-NULL and otherwise set nbr to NULL, e.g. `nbr = ifp1 ? pim_neighbor_find_if(ifp1) : NULL;`.
791     				nbr = pim_neighbor_find_if(ifp1);
792     				/* Overwrite with Nbr address as NH addr */
793     				if (nbr)
794     					nexthop->gate.ipv4 = nbr->source_addr;
795     				else {
796     					// Mark nexthop address to 0 until PIM

** CID 1302468:  Memory - corruptions  (ARRAY_VS_SINGLETON)


________________________________________________________________________________________________________
*** CID 1302468:  Memory - corruptions  (ARRAY_VS_SINGLETON)
/zebra/zebra_snmp.c: 371 in get_fwtable_route_node()
365     	/* For exact: search matching entry in rib table. */
366     
367     	if (exact) {
368     		if (policy) /* Not supported (yet?) */
369     			return;
370     		for (*np = route_top(table); *np; *np = route_next(*np)) {
>>>     CID 1302468:  Memory - corruptions  (ARRAY_VS_SINGLETON)
>>>     Passing "&(*np)->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
>>>     Reviewer note: in_addr_cmp() compares its arguments as byte arrays; "p.u.prefix" is the first byte of the prefix union, so the bytes read past it lie inside the union's storage as long as the union is at least as large as an IPv4 address (the union definition is not shown here). This is a real problem only if the table can hold non-IPv4 prefixes. Passing the union's IPv4 member (rather than its first byte) would make the intent explicit and satisfy the checker.
371     			if (!in_addr_cmp(&(*np)->p.u.prefix,
372     					 (uint8_t *)&dest)) {
373     				RNODE_FOREACH_RE (*np, *re) {
374     					if (!in_addr_cmp((uint8_t *)&(*re)->nhe
375     							 ->nhg.nexthop
376     							 ->gate.ipv4,

** CID 1302467:    (ARRAY_VS_SINGLETON)


________________________________________________________________________________________________________
*** CID 1302467:    (ARRAY_VS_SINGLETON)
/zebra/zebra_snmp.c: 271 in check_replace()
265     		*re = re2;
266     		return;
267     	}
268     
269     	if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) < 0)
270     		return;
>>>     CID 1302467:    (ARRAY_VS_SINGLETON)
>>>     Passing "&np2->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
271     	if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) > 0) {
272     		*np = np2;
273     		*re = re2;
274     		return;
275     	}
276     
/zebra/zebra_snmp.c: 269 in check_replace()
263     	if (!*np) {
264     		*np = np2;
265     		*re = re2;
266     		return;
267     	}
268     
>>>     CID 1302467:    (ARRAY_VS_SINGLETON)
>>>     Passing "&np2->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
269     	if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) < 0)
270     		return;
271     	if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) > 0) {
272     		*np = np2;
273     		*re = re2;
274     		return;

** CID 1302466:    (ARRAY_VS_SINGLETON)


________________________________________________________________________________________________________
*** CID 1302466:    (ARRAY_VS_SINGLETON)
/zebra/zebra_snmp.c: 397 in get_fwtable_route_node()
391     		/* Check destination first */
392     		if (in_addr_cmp(&np2->p.u.prefix, (uint8_t *)&dest) > 0)
393     			RNODE_FOREACH_RE (np2, re2) {
394     				check_replace(np2, re2, np, re);
395     			}
396     
>>>     CID 1302466:    (ARRAY_VS_SINGLETON)
>>>     Passing "&np2->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
397     		if (in_addr_cmp(&np2->p.u.prefix, (uint8_t *)&dest)
398     		    == 0) { /* have to look at each re individually */
399     			RNODE_FOREACH_RE (np2, re2) {
400     				int proto2, policy2;
401     
402     				proto2 = proto_trans(re2->type);
/zebra/zebra_snmp.c: 392 in get_fwtable_route_node()
386     
387     	/* Search next best entry */
388     
389     	for (np2 = route_top(table); np2; np2 = route_next(np2)) {
390     
391     		/* Check destination first */
>>>     CID 1302466:    (ARRAY_VS_SINGLETON)
>>>     Passing "&np2->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
392     		if (in_addr_cmp(&np2->p.u.prefix, (uint8_t *)&dest) > 0)
393     			RNODE_FOREACH_RE (np2, re2) {
394     				check_replace(np2, re2, np, re);
395     			}
396     
397     		if (in_addr_cmp(&np2->p.u.prefix, (uint8_t *)&dest)

** CID 1302465:    (ARRAY_VS_SINGLETON)


________________________________________________________________________________________________________
*** CID 1302465:    (ARRAY_VS_SINGLETON)
/zebra/zebra_snmp.c: 269 in check_replace()
263     	if (!*np) {
264     		*np = np2;
265     		*re = re2;
266     		return;
267     	}
268     
>>>     CID 1302465:    (ARRAY_VS_SINGLETON)
>>>     Passing "&(*np)->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
269     	if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) < 0)
270     		return;
271     	if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) > 0) {
272     		*np = np2;
273     		*re = re2;
274     		return;
/zebra/zebra_snmp.c: 271 in check_replace()
265     		*re = re2;
266     		return;
267     	}
268     
269     	if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) < 0)
270     		return;
>>>     CID 1302465:    (ARRAY_VS_SINGLETON)
>>>     Passing "&(*np)->p.u.prefix" to function "in_addr_cmp" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
271     	if (in_addr_cmp(&(*np)->p.u.prefix, &np2->p.u.prefix) > 0) {
272     		*np = np2;
273     		*re = re2;
274     		return;
275     	}
276     


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit the project's page on scan.coverity.com. (The link in the original message is a SendGrid click-tracking redirect rather than a direct Coverity URL.)



