New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Wed Aug 26 01:06:15 UTC 2020
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
58 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 58 defect(s)
** CID 1496712: Incorrect expression (IDENTICAL_BRANCHES)
/ospfd/ospf_ext.c: 589 in ospf_ext_link_delete_adj_sid()
________________________________________________________________________________________________________
*** CID 1496712: Incorrect expression (IDENTICAL_BRANCHES)
/ospfd/ospf_ext.c: 589 in ospf_ext_link_delete_adj_sid()
583 {
584 /* Process only (LAN)Adjacency-SID Type */
585 if (exti->stype != ADJ_SID && exti->stype != LAN_ADJ_SID)
586 return;
587
588 /* Release Primary & Backup Labels from Label Manager */
>>> CID 1496712: Incorrect expression (IDENTICAL_BRANCHES)
>>> The same code is executed regardless of whether "exti->stype == ADJ_SID" is true, because the 'then' and 'else' branches are identical. Should one of the branches be modified, or the entire 'if' statement replaced?
589 if (exti->stype == ADJ_SID) {
590 ospf_sr_local_block_release_label(exti->adj_sid[0].value);
591 ospf_sr_local_block_release_label(exti->adj_sid[1].value);
592 } else {
593 ospf_sr_local_block_release_label(exti->adj_sid[0].value);
594 ospf_sr_local_block_release_label(exti->adj_sid[1].value);
** CID 1496711: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1496711: Null pointer dereferences (FORWARD_NULL)
/ospfd/ospf_sr.c: 2319 in no_sr_node_msd()
2313 OspfSR.msd = 0;
2314 if (OspfSR.self != NULL)
2315 OspfSR.self->msd = 0;
2316
2317 /* Set Router Information parameters if SR is UP */
2318 if (OspfSR.status == SR_UP)
>>> CID 1496711: Null pointer dereferences (FORWARD_NULL)
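>>> Passing null pointer "OspfSR.self" to "ospf_router_info_update_sr", which dereferences it. The "OspfSR.self != NULL" test at line 2314 guards only the assignment at line 2315; the call at line 2319 is conditioned on "OspfSR.status == SR_UP" alone.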
2319 ospf_router_info_update_sr(true, OspfSR.self);
2320
2321 return CMD_SUCCESS;
2322 }
2323
2324 DEFUN (sr_prefix_sid,
** CID 1496710: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1496710: Null pointer dereferences (FORWARD_NULL)
/ospfd/ospf_sr.c: 2078 in update_srgb()
2072 OspfSR.srgb.reserved = true;
2073
2074 osr_debug("SR(%s): Got new SRGB [%u/%u]", __func__, OspfSR.srgb.start,
2075 OspfSR.srgb.start + OspfSR.srgb.size - 1);
2076
2077 /* SRGB is reserved, set Router Information parameters */
>>> CID 1496710: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "OspfSR.self" to "ospf_router_info_update_sr", which dereferences it.
2078 ospf_router_info_update_sr(true, OspfSR.self);
2079
2080 /* and update NHLFE entries */
2081 hash_iterate(OspfSR.neighbors,
2082 (void (*)(struct hash_bucket *, void *))update_in_nhlfe,
2083 NULL);
** CID 1496709: Control flow issues (DEADCODE)
/bgpd/bgp_vty.c: 12806 in bgp_show_all_instances_neighbors_vty()
________________________________________________________________________________________________________
*** CID 1496709: Control flow issues (DEADCODE)
/bgpd/bgp_vty.c: 12806 in bgp_show_all_instances_neighbors_vty()
12800 json = NULL;
12801 }
12802
12803 if (use_json) {
12804 vty_out(vty, "}\n");
12805 if (json)
>>> CID 1496709: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "json_object_free(json);".
12806 json_object_free(json);
12807 }
12808 else if (!nbr_output)
12809 vty_out(vty, "%% BGP instance not found\n");
12810 }
12811
** CID 1496708: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1496708: Null pointer dereferences (FORWARD_NULL)
/ospfd/ospf_sr.c: 2254 in no_sr_local_label_range()
2248
2249 /* SRLB is reserved, Update Self SR-Node and Router Information LSA */
2250 if (OspfSR.self != NULL) {
2251 OspfSR.self->srlb.lower_bound = DEFAULT_SRLB_LABEL;
2252 OspfSR.self->srlb.range_size = DEFAULT_SRLB_SIZE;
2253 }
>>> CID 1496708: Null pointer dereferences (FORWARD_NULL)
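>>> Passing null pointer "OspfSR.self" to "ospf_router_info_update_sr", which dereferences it. The "OspfSR.self != NULL" block at lines 2250-2253 covers only the two SRLB assignments; the call at line 2254 is outside that block.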
2254 ospf_router_info_update_sr(true, OspfSR.self);
2255
2256 /* and update (LAN)-Adjacency SID */
2257 ospf_ext_link_srlb_update();
2258
2259 return CMD_SUCCESS;
** CID 1496707: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1496707: Null pointer dereferences (FORWARD_NULL)
/ospfd/ospf_sr.c: 2295 in sr_node_msd()
2289 OspfSR.msd = msd;
2290 if (OspfSR.self != NULL)
2291 OspfSR.self->msd = msd;
2292
2293 /* Set Router Information parameters if SR is UP */
2294 if (OspfSR.status == SR_UP)
>>> CID 1496707: Null pointer dereferences (FORWARD_NULL)
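>>> Passing null pointer "OspfSR.self" to "ospf_router_info_update_sr", which dereferences it. The "OspfSR.self != NULL" test at line 2290 guards only the assignment at line 2291; the call at line 2295 is conditioned on "OspfSR.status == SR_UP" alone.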
2295 ospf_router_info_update_sr(true, OspfSR.self);
2296
2297 return CMD_SUCCESS;
2298 }
2299
2300 DEFUN (no_sr_node_msd,
** CID 1496706: Performance inefficiencies (PASS_BY_VALUE)
/ospfd/ospf_ri.c: 576 in is_mandated_params_set()
________________________________________________________________________________________________________
*** CID 1496706: Performance inefficiencies (PASS_BY_VALUE)
/ospfd/ospf_ri.c: 576 in is_mandated_params_set()
570 | PCE_CAP_ADDITIVE | PCE_CAP_MULTIPLE_REQ;
571 set_pce_cap_flag(cap, &ori->pce_info);
572
573 return;
574 }
575
>>> CID 1496706: Performance inefficiencies (PASS_BY_VALUE)
>>> Passing parameter ori of type "struct ospf_router_info" (size 136 bytes) by value.
576 static int is_mandated_params_set(struct ospf_router_info ori)
577 {
578 int rc = 0;
579
580 if (ntohs(ori.router_cap.header.type) == 0)
581 return rc;
** CID 1496643: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1496643: Null pointer dereferences (FORWARD_NULL)
/zebra/zebra_evpn_mh.c: 362 in zebra_evpn_es_evi_show_vni()
356 vty_out(vty, "%-8s %-30s %-4s\n", "VNI", "ESI", "Type");
357 }
358 } else {
359 if (!uj)
360 vty_out(vty, "VNI %d doesn't exist\n", vni);
361 }
>>> CID 1496643: Null pointer dereferences (FORWARD_NULL)
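>>> Passing null pointer "zevpn" to "zebra_evpn_es_evi_show_one_evpn", which dereferences it. The call at line 362 sits after the if/else, so it also runs on the else path that prints "VNI %d doesn't exist"; presumably that is the path on which "zevpn" is null.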
362 zebra_evpn_es_evi_show_one_evpn(zevpn, vty, json, detail);
363 }
364
365 /* Initialize the ES tables maintained per-L2_VNI */
366 void zebra_evpn_evpn_es_init(zebra_evpn_t *zevpn)
367 {
** CID 1496642: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1496642: Null pointer dereferences (FORWARD_NULL)
/bgpd/bgp_route.c: 3073 in bgp_filtered_routes_count()
3067
3068 for (dest = bgp_table_top(table); dest; dest = bgp_route_next(dest)) {
3069 for (ain = dest->adj_in; ain; ain = ain->next) {
3070 const struct prefix *rn_p = bgp_dest_get_prefix(dest);
3071 struct attr attr = {};
3072
>>> CID 1496642: Null pointer dereferences (FORWARD_NULL)
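>>> Passing "&attr" to "bgp_input_filter", which dereferences null "attr.aspath". "attr" is initialized with "= {}" at line 3071, and nothing in the loop body shown assigns "attr.aspath" before the call.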
3073 if (bgp_input_filter(peer, rn_p, &attr, afi, safi)
3074 == FILTER_DENY)
3075 filtered = true;
3076
3077 if (bgp_input_modifier(
3078 peer, rn_p, &attr, afi, safi,
** CID 1496617: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1496617: Memory - illegal accesses (USE_AFTER_FREE)
/zebra/zebra_evpn_mh.c: 1690 in zebra_evpn_es_cleanup()
1684 struct zebra_evpn_es *es;
1685 struct zebra_evpn_es *es_next;
1686
1687 RB_FOREACH_SAFE(es, zebra_es_rb_head,
1688 &zmh_info->es_rb_tree, es_next) {
1689 zebra_evpn_local_es_del(es);
>>> CID 1496617: Memory - illegal accesses (USE_AFTER_FREE)
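>>> Calling "zebra_evpn_remote_es_flush" dereferences freed pointer "es". Within the loop body shown, "es" is first passed to "zebra_evpn_local_es_del" at line 1689, so that call is presumably where the pointer can be freed.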
1690 zebra_evpn_remote_es_flush(es);
1691 }
1692 }
1693
1694 /* Only certain types of access ports can be setup as an Ethernet Segment */
1695 bool zebra_evpn_is_if_es_capable(struct zebra_if *zif)
** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486267: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 486 in seqnumber_mismatch()
480 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT);
481 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT);
482 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT);
483
484 ospf6_lsdb_remove_all(on->summary_list);
485 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486267: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
486 for (ALL_LSDB(on->retrans_list, lsa)) {
487 ospf6_decrement_retrans_count(lsa);
488 ospf6_lsdb_remove(lsa, on->retrans_list);
489 }
490
491 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486266: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486266: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2306 in ospf6_lsack_send_neighbor()
2300
2301 memset(sendbuf, 0, iobuflen);
2302 oh = (struct ospf6_header *)sendbuf;
2303
2304 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
2305
>>> CID 1486266: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2306 for (ALL_LSDB(on->lsack_list, lsa)) {
2307 /* MTU check */
2308 if (p - sendbuf + sizeof(struct ospf6_lsa_header)
2309 > ospf6_packet_max(on->ospf6_if)) {
2310 /* if we run out of packet size/space here,
2311 better to try again soon. */
** CID 1486265: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486265: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2223 in ospf6_lsupdate_send_interface()
2217 lsupdate = (struct ospf6_lsupdate *)((caddr_t)oh
2218 + sizeof(struct ospf6_header));
2219
2220 p = (uint8_t *)((caddr_t)lsupdate + sizeof(struct ospf6_lsupdate));
2221 lsa_cnt = 0;
2222
>>> CID 1486265: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2223 for (ALL_LSDB(oi->lsupdate_list, lsa)) {
2224 /* MTU check */
2225 if ((p - sendbuf + ((unsigned int)OSPF6_LSA_SIZE(lsa->header)))
2226 > ospf6_packet_max(oi)) {
2227 if (lsa_cnt) {
2228 oh->type = OSPF6_MESSAGE_TYPE_LSUPDATE;
** CID 1486264: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486264: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_lsdb.c: 306 in ospf6_lsdb_remove_all()
300 {
301 struct ospf6_lsa *lsa;
302
303 if (lsdb == NULL)
304 return;
305
>>> CID 1486264: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
306 for (ALL_LSDB(lsdb, lsa))
307 ospf6_lsdb_remove(lsa, lsdb);
308 }
309
310 void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa)
311 {
** CID 1486263: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486263: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 125 in ospf6_neighbor_delete()
119 void ospf6_neighbor_delete(struct ospf6_neighbor *on)
120 {
121 struct ospf6_lsa *lsa;
122
123 ospf6_lsdb_remove_all(on->summary_list);
124 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486263: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
125 for (ALL_LSDB(on->retrans_list, lsa)) {
126 ospf6_decrement_retrans_count(lsa);
127 ospf6_lsdb_remove(lsa, on->retrans_list);
128 }
129
130 ospf6_lsdb_remove_all(on->dbdesc_list);
** CID 1486262: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486262: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1872 in ospf6_dbdesc_send_newone()
1866 ospf6_lsdb_remove_all(on->dbdesc_list);
1867
1868 /* move LSAs from summary_list to dbdesc_list (within neighbor
1869 structure)
1870 so that ospf6_send_dbdesc () can send those LSAs */
1871 size = sizeof(struct ospf6_lsa_header) + sizeof(struct ospf6_dbdesc);
>>> CID 1486262: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
1872 for (ALL_LSDB(on->summary_list, lsa)) {
1873 if (size + sizeof(struct ospf6_lsa_header)
1874 > ospf6_packet_max(on->ospf6_if)) {
1875 ospf6_lsdb_lsa_unlock(lsa);
1876 break;
1877 }
** CID 1486261: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486261: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 523 in bad_lsreq()
517 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT);
518 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT);
519 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT);
520
521 ospf6_lsdb_remove_all(on->summary_list);
522 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486261: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
523 for (ALL_LSDB(on->retrans_list, lsa)) {
524 ospf6_decrement_retrans_count(lsa);
525 ospf6_lsdb_remove(lsa, on->retrans_list);
526 }
527
528 THREAD_OFF(on->thread_send_dbdesc);
** CID 1486260: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486260: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 310 in negotiation_done()
304 if (IS_OSPF6_DEBUG_NEIGHBOR(EVENT))
305 zlog_debug("Neighbor Event %s: *NegotiationDone*", on->name);
306
307 /* clear ls-list */
308 ospf6_lsdb_remove_all(on->summary_list);
309 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486260: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
310 for (ALL_LSDB(on->retrans_list, lsa)) {
311 ospf6_decrement_retrans_count(lsa);
312 ospf6_lsdb_remove(lsa, on->retrans_list);
313 }
314
315 /* Interface scoped LSAs */
** CID 1486259: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486259: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_lsdb.c: 324 in ospf6_lsdb_maxage_remover()
318
319 int ospf6_lsdb_maxage_remover(struct ospf6_lsdb *lsdb)
320 {
321 int reschedule = 0;
322 struct ospf6_lsa *lsa;
323
>>> CID 1486259: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
324 for (ALL_LSDB(lsdb, lsa)) {
325 if (!OSPF6_LSA_IS_MAXAGE(lsa))
326 continue;
327 if (lsa->retrans_count != 0) {
328 reschedule = 1;
329 continue;
** CID 1486258: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486258: Memory - illegal accesses (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2385 in ospf6_lsack_send_interface()
2379
2380 memset(sendbuf, 0, iobuflen);
2381 oh = (struct ospf6_header *)sendbuf;
2382
2383 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
2384
>>> CID 1486258: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_next" dereferences freed pointer "lsa".
2385 for (ALL_LSDB(oi->lsack_list, lsa)) {
2386 /* MTU check */
2387 if (p - sendbuf + sizeof(struct ospf6_lsa_header)
2388 > ospf6_packet_max(oi)) {
2389 /* if we run out of packet size/space here,
2390 better to try again soon. */
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3D1EFD_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTy8E7HsxbZ-2BTHMbE5kL5PYLiotQaOZgn4l-2FBE3ug-2BiyvGePmQuM8Fo8wam-2BX1uVobV5lk5E6rGGl319K6A5tBB5Ln-2B6Q5E3OfutyKbGorwjaZKy7RiY8PdKEAUdF-2BLrXdsvJbyE5WV6R5AGgerbqI59c-2FY6LFIC4dm8BwavyEhGYDmmpOMneJeYlmf1VFZpLAo-3D