New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Sat Aug 15 13:46:32 UTC 2020
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
16 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
15 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 16 of 16 defect(s)
** CID 1496644: Null pointer dereferences (REVERSE_INULL)
/zebra/zebra_evpn_neigh.c: 722 in zebra_evpn_proc_sync_neigh_update()
________________________________________________________________________________________________________
*** CID 1496644: Null pointer dereferences (REVERSE_INULL)
/zebra/zebra_evpn_neigh.c: 722 in zebra_evpn_proc_sync_neigh_update()
716 if (old_bgp_ready) {
717 zebra_evpn_neigh_send_del_to_client(
718 zevpn->vni, &n->ip, &n->emac, n->flags,
719 n->state, false /*force*/);
720 old_bgp_ready = false;
721 }
>>> CID 1496644: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "n->mac" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
722 if (n->mac)
723 zebra_evpn_local_neigh_deref_mac(
724 n, false /*send_mac_update*/);
725 }
726 /* clear old fwd info */
727 n->rem_seq = 0;
** CID 1496643: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1496643: Null pointer dereferences (FORWARD_NULL)
/zebra/zebra_evpn_mh.c: 362 in zebra_evpn_es_evi_show_vni()
356 vty_out(vty, "%-8s %-30s %-4s\n", "VNI", "ESI", "Type");
357 }
358 } else {
359 if (!uj)
360 vty_out(vty, "VNI %d doesn't exist\n", vni);
361 }
>>> CID 1496643: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "zevpn" to "zebra_evpn_es_evi_show_one_evpn", which dereferences it.
362 zebra_evpn_es_evi_show_one_evpn(zevpn, vty, json, detail);
363 }
364
365 /* Initialize the ES tables maintained per-L2_VNI */
366 void zebra_evpn_evpn_es_init(zebra_evpn_t *zevpn)
367 {
** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 486 in seqnumber_mismatch()
480 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT);
481 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT);
482 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT);
483
484 ospf6_lsdb_remove_all(on->summary_list);
485 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486267: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
486 for (ALL_LSDB(on->retrans_list, lsa)) {
487 ospf6_decrement_retrans_count(lsa);
488 ospf6_lsdb_remove(lsa, on->retrans_list);
489 }
490
491 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486266: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486266: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2306 in ospf6_lsack_send_neighbor()
2300
2301 memset(sendbuf, 0, iobuflen);
2302 oh = (struct ospf6_header *)sendbuf;
2303
2304 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
2305
>>> CID 1486266: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2306 for (ALL_LSDB(on->lsack_list, lsa)) {
2307 /* MTU check */
2308 if (p - sendbuf + sizeof(struct ospf6_lsa_header)
2309 > ospf6_packet_max(on->ospf6_if)) {
2310 /* if we run out of packet size/space here,
2311 better to try again soon. */
** CID 1486265: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486265: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2223 in ospf6_lsupdate_send_interface()
2217 lsupdate = (struct ospf6_lsupdate *)((caddr_t)oh
2218 + sizeof(struct ospf6_header));
2219
2220 p = (uint8_t *)((caddr_t)lsupdate + sizeof(struct ospf6_lsupdate));
2221 lsa_cnt = 0;
2222
>>> CID 1486265: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2223 for (ALL_LSDB(oi->lsupdate_list, lsa)) {
2224 /* MTU check */
2225 if ((p - sendbuf + ((unsigned int)OSPF6_LSA_SIZE(lsa->header)))
2226 > ospf6_packet_max(oi)) {
2227 if (lsa_cnt) {
2228 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
** CID 1486264: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486264: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_lsdb.c: 306 in ospf6_lsdb_remove_all()
300 {
301 struct ospf6_lsa *lsa;
302
303 if (lsdb == NULL)
304 return;
305
>>> CID 1486264: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
306 for (ALL_LSDB(lsdb, lsa))
307 ospf6_lsdb_remove(lsa, lsdb);
308 }
309
310 void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa)
311 {
** CID 1486263: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486263: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 125 in ospf6_neighbor_delete()
119 void ospf6_neighbor_delete(struct ospf6_neighbor *on)
120 {
121 struct ospf6_lsa *lsa;
122
123 ospf6_lsdb_remove_all(on->summary_list);
124 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486263: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
125 for (ALL_LSDB(on->retrans_list, lsa)) {
126 ospf6_decrement_retrans_count(lsa);
127 ospf6_lsdb_remove(lsa, on->retrans_list);
128 }
129
130 ospf6_lsdb_remove_all(on->dbdesc_list);
** CID 1486262: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486262: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1872 in ospf6_dbdesc_send_newone()
1866 ospf6_lsdb_remove_all(on->dbdesc_list);
1867
1868 /* move LSAs from summary_list to dbdesc_list (within neighbor
1869 structure)
1870 so that ospf6_send_dbdesc () can send those LSAs */
1871 size = sizeof(struct ospf6_lsa_header) + sizeof(struct ospf6_dbdesc);
>>> CID 1486262: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
1872 for (ALL_LSDB(on->summary_list, lsa)) {
1873 if (size + sizeof(struct ospf6_lsa_header)
1874 > ospf6_packet_max(on->ospf6_if)) {
1875 ospf6_lsdb_lsa_unlock(lsa);
1876 break;
1877 }
** CID 1486261: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486261: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 523 in bad_lsreq()
517 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT);
518 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT);
519 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT);
520
521 ospf6_lsdb_remove_all(on->summary_list);
522 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486261: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
523 for (ALL_LSDB(on->retrans_list, lsa)) {
524 ospf6_decrement_retrans_count(lsa);
525 ospf6_lsdb_remove(lsa, on->retrans_list);
526 }
527
528 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486260: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486260: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 310 in negotiation_done()
304 if (IS_OSPF6_DEBUG_NEIGHBOR(EVENT))
305 zlog_debug("Neighbor Event %s: *NegotiationDone*", on->name);
306
307 /* clear ls-list */
308 ospf6_lsdb_remove_all(on->summary_list);
309 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486260: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
310 for (ALL_LSDB(on->retrans_list, lsa)) {
311 ospf6_decrement_retrans_count(lsa);
312 ospf6_lsdb_remove(lsa, on->retrans_list);
313 }
314
315 /* Interface scoped LSAs */
** CID 1486259: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486259: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_lsdb.c: 324 in ospf6_lsdb_maxage_remover()
318
319 int ospf6_lsdb_maxage_remover(struct ospf6_lsdb *lsdb)
320 {
321 int reschedule = 0;
322 struct ospf6_lsa *lsa;
323
>>> CID 1486259: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
324 for (ALL_LSDB(lsdb, lsa)) {
325 if (!OSPF6_LSA_IS_MAXAGE(lsa))
326 continue;
327 if (lsa->retrans_count != 0) {
328 reschedule = 1;
329 continue;
** CID 1486258: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486258: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2385 in ospf6_lsack_send_interface()
2379
2380 memset(sendbuf, 0, iobuflen);
2381 oh = (struct ospf6_header *)sendbuf;
2382
2383 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
2384
>>> CID 1486258: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2385 for (ALL_LSDB(oi->lsack_list, lsa)) {
2386 /* MTU check */
2387 if (p - sendbuf + sizeof(struct ospf6_lsa_header)
2388 > ospf6_packet_max(oi)) {
2389 /* if we run out of packet size/space here,
2390 better to try again soon. */
** CID 1486256: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486256: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2040 in ospf6_lsupdate_send_neighbor()
2034
2035 p = (uint8_t *)((caddr_t)lsupdate + sizeof(struct ospf6_lsupdate));
2036 lsa_cnt = 0;
2037
2038 /* lsupdate_list lists those LSA which doesn't need to be
2039 retransmitted. remove those from the list */
>>> CID 1486256: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2040 for (ALL_LSDB(on->lsupdate_list, lsa)) {
2041 /* MTU check */
2042 if ((p - sendbuf + (unsigned int)OSPF6_LSA_SIZE(lsa->header))
2043 > ospf6_packet_max(on->ospf6_if)) {
2044 if (lsa_cnt) {
2045 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
** CID 1486255: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486255: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 558 in oneway_received()
552 ospf6_neighbor_state_change(OSPF6_NEIGHBOR_INIT, on,
553 OSPF6_NEIGHBOR_EVENT_ONEWAY_RCVD);
554 thread_add_event(master, neighbor_change, on->ospf6_if, 0, NULL);
555
556 ospf6_lsdb_remove_all(on->summary_list);
557 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486255: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
558 for (ALL_LSDB(on->retrans_list, lsa)) {
559 ospf6_decrement_retrans_count(lsa);
560 ospf6_lsdb_remove(lsa, on->retrans_list);
561 }
562
563 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486253: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486253: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 455 in adj_ok()
449
450 } else if (on->state >= OSPF6_NEIGHBOR_EXSTART && !need_adjacency(on)) {
451 ospf6_neighbor_state_change(OSPF6_NEIGHBOR_TWOWAY, on,
452 OSPF6_NEIGHBOR_EVENT_ADJ_OK);
453 ospf6_lsdb_remove_all(on->summary_list);
454 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486253: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
455 for (ALL_LSDB(on->retrans_list, lsa)) {
456 ospf6_decrement_retrans_count(lsa);
457 ospf6_lsdb_remove(lsa, on->retrans_list);
458 }
459 }
460
** CID 1221460: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1221460: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1950 in ospf6_lsreq_send()
1944 }
1945
1946 if (last_req != NULL) {
1947 if (on->last_ls_req != NULL)
1948 on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req);
1949
>>> CID 1221460: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
1950 ospf6_lsa_lock(last_req);
1951 on->last_ls_req = last_req;
1952 }
1953
1954 oh->type = OSPF6_MESSAGE_TYPE_LSREQ;
1955 oh->length = htons(p - sendbuf);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3DYF82_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTyEkYp75KqIOW0RgfhzFhjQlUDO2wV68X9ww0eJyqx-2Bkv1GNHSH5r4ma0L-2Bkn40of8rtzNyfIKweG5j26Gd51YqVkiKp7dfE6jkC4S64NTvl4-2BU6H3KXHKUBRQGWClEh4Q8hVMitCdlnAk1uD8nId8CLO4fBZAXN5Y-2Bvu66DguPwRFz8TVnIOGo-2B-2FQpmjG1SEk-3D