New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com scan-admin at coverity.com
Thu Aug 6 20:15:42 UTC 2020


Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

6 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)


** CID 1496619:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 1496619:  Null pointer dereferences  (FORWARD_NULL)
/zebra/zebra_evpn_mh.c: 360 in zebra_evpn_es_evi_show_vni()
354     			vty_out(vty, "%-8s %-30s %-4s\n", "VNI", "ESI", "Type");
355     		}
356     	} else {
357     		if (!uj)
358     			vty_out(vty, "VNI %d doesn't exist\n", vni);
359     	}
>>>     CID 1496619:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "zvni" to "zebra_evpn_es_evi_show_one_vni", which dereferences it.
360     	zebra_evpn_es_evi_show_one_vni(zvni, vty, json, detail);
361     }
362     
363     /* Initialize the ES tables maintained per-L2_VNI */
364     void zebra_evpn_vni_es_init(zebra_vni_t *zvni)
365     {

** CID 1496618:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 1496618:  Null pointer dereferences  (FORWARD_NULL)
/bgpd/bgp_evpn_mh.c: 909 in bgp_evpn_type1_route_update()
903     	attr_new = pi->attr;
904     
905     	/* Perform route selection;
906     	 * this is just to set the flags correctly as local route in
907     	 * the ES always wins.
908     	 */
>>>     CID 1496618:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "vpn" to "evpn_route_select_install", which dereferences it.
909     	evpn_route_select_install(bgp, vpn, rn);
910     	bgp_dest_unlock_node(rn);
911     
912     	/* If this is a new route or some attribute has changed, export the
913     	 * route to the global table. The route will be advertised to peers
914     	 * from there. Note that this table is a 2-level tree (RD-level +

** CID 1496617:  Memory - illegal accesses  (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1496617:  Memory - illegal accesses  (USE_AFTER_FREE)
/zebra/zebra_evpn_mh.c: 1688 in zebra_evpn_es_cleanup()
1682     	struct zebra_evpn_es *es;
1683     	struct zebra_evpn_es *es_next;
1684     
1685     	RB_FOREACH_SAFE(es, zebra_es_rb_head,
1686     			&zmh_info->es_rb_tree, es_next) {
1687     		zebra_evpn_local_es_del(es);
>>>     CID 1496617:  Memory - illegal accesses  (USE_AFTER_FREE)
>>>     Calling "zebra_evpn_remote_es_flush" dereferences freed pointer "es".
1688     		zebra_evpn_remote_es_flush(es);
1689     	}
1690     }
1691     
1692     /* Only certain types of access ports can be setup as an Ethernet Segment */
1693     bool zebra_evpn_is_if_es_capable(struct zebra_if *zif)

** CID 1496616:  Null pointer dereferences  (REVERSE_INULL)
/zebra/zebra_vxlan.c: 6885 in zebra_vxlan_proc_sync_neigh_update()


________________________________________________________________________________________________________
*** CID 1496616:  Null pointer dereferences  (REVERSE_INULL)
/zebra/zebra_vxlan.c: 6885 in zebra_vxlan_proc_sync_neigh_update()
6879     			if (old_bgp_ready) {
6880     				zvni_neigh_send_del_to_client(zvni->vni, &n->ip,
6881     						&n->emac, n->flags, n->state,
6882     						false /*force*/);
6883     				old_bgp_ready = false;
6884     			}
>>>     CID 1496616:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "n->mac" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
6885     			if (n->mac)
6886     				zebra_vxlan_local_neigh_deref_mac(n,
6887     						false /*send_mac_update*/);
6888     		}
6889     		/* clear old fwd info */
6890     		n->rem_seq = 0;

** CID 1496615:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/zebra/rt_netlink.c: 3206 in netlink_macfdb_update_ctx()


________________________________________________________________________________________________________
*** CID 1496615:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/zebra/rt_netlink.c: 3206 in netlink_macfdb_update_ctx()
3200     		vid = dplane_ctx_mac_get_vlan(ctx);
3201     		if (vid > 0)
3202     			snprintf(vid_buf, sizeof(vid_buf), " VLAN %u", vid);
3203     		else
3204     			vid_buf[0] = '\0';
3205     
>>>     CID 1496615:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "nfy & (8 /* 1 << 3 */)" is always 0 regardless of the values of its operands. This occurs as the logical first operand of "?:".
3206     		zlog_debug("Tx %s family %s IF %s(%u)%s %sMAC %s dst %s nhg %u%s%s%s%s%s",
3207     			   nl_msg_type_to_str(cmd), nl_family_to_str(AF_BRIDGE),
3208     			   dplane_ctx_get_ifname(ctx),
3209     			   dplane_ctx_get_ifindex(ctx), vid_buf,
3210     			   dplane_ctx_mac_is_sticky(ctx) ? "sticky " : "",
3211     			   prefix_mac2str(mac, buf, sizeof(buf)),

** CID 1496614:  Error handling issues  (CHECKED_RETURN)
/bgpd/bgp_evpn_mh.c: 1445 in bgp_evpn_local_es_up()


________________________________________________________________________________________________________
*** CID 1496614:  Error handling issues  (CHECKED_RETURN)
/bgpd/bgp_evpn_mh.c: 1445 in bgp_evpn_local_es_up()
1439     	/* generate EAD-EVI */
1440     	bgp_evpn_local_type1_evi_route_add(bgp, es);
1441     
1442     	/* generate EAD-ES */
1443     	build_evpn_type1_prefix(&p, BGP_EVPN_AD_ES_ETH_TAG,
1444     			&es->esi, es->originator_ip);
>>>     CID 1496614:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "bgp_evpn_type1_route_update" without checking return value (as is done elsewhere 4 out of 5 times).
1445     	bgp_evpn_type1_route_update(bgp, es, NULL, &p);
1446     }
1447     
1448     static void bgp_evpn_local_es_do_del(struct bgp *bgp, struct bgp_evpn_es *es)
1449     {
1450     	struct bgp_evpn_es_evi *es_evi;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3D3pD5_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTyrxOlWR-2BOiFdmdgt9g4IWDoooua-2FxgGP-2BWxBdNtY52p1KgEF60GKM3vMIOAZ-2FLGrCoDlM5Dgv5-2Bvpczn9SMYBsdSRyKE6h1RkBpva0pinXD2mF-2FtQv4FyqG0cx-2FZyQtcZCiQCbaciLaJB-2FmNNhRVXVqbTNxY9EBQVzUkv92xL7TC3mmcXO9qkHQ3FsF0P9DWs-3D



