New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Thu Aug 27 11:43:43 UTC 2020
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
9 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
8 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)
** CID 1496729: (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 266 in ecommunity_dup()
/bgpd/bgp_ecommunity.c: 268 in ecommunity_dup()
________________________________________________________________________________________________________
*** CID 1496729: (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 266 in ecommunity_dup()
260 struct ecommunity *new;
261
262 new = XCALLOC(MTYPE_ECOMMUNITY, sizeof(struct ecommunity));
263 new->size = ecom->size;
264 new->unit_size = ecom->unit_size;
265 if (new->size) {
>>> CID 1496729: (SIGN_EXTENSION)
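>>> Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "ecom->size * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom->size * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1. That sign-extended value is what reaches XMALLOC as the byte count on line 266, so the request would be far larger than the data being duplicated; performing the multiplication in size_t (casting one operand before multiplying) keeps the intermediate unsigned.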
266 new->val = XMALLOC(MTYPE_ECOMMUNITY_VAL,
267 ecom->size * ecom->unit_size);
268 memcpy(new->val, ecom->val, ecom->size * ecom->unit_size);
269 } else
270 new->val = NULL;
271 return new;
/bgpd/bgp_ecommunity.c: 268 in ecommunity_dup()
262 new = XCALLOC(MTYPE_ECOMMUNITY, sizeof(struct ecommunity));
263 new->size = ecom->size;
264 new->unit_size = ecom->unit_size;
265 if (new->size) {
266 new->val = XMALLOC(MTYPE_ECOMMUNITY_VAL,
267 ecom->size * ecom->unit_size);
>>> CID 1496729: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "ecom->size * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom->size * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
268 memcpy(new->val, ecom->val, ecom->size * ecom->unit_size);
269 } else
270 new->val = NULL;
271 return new;
272 }
273
** CID 1496728: Resource leaks (RESOURCE_LEAK)
/pimd/pim_igmp.c: 1016 in pim_igmp_sock_add()
________________________________________________________________________________________________________
*** CID 1496728: Resource leaks (RESOURCE_LEAK)
/pimd/pim_igmp.c: 1016 in pim_igmp_sock_add()
1010 sin.sin_family = AF_INET;
1011 sin.sin_addr = ifaddr;
1012 sin.sin_port = 0;
1013 if (bind(fd, (struct sockaddr *) &sin, sizeof(sin)) != 0) {
1014 zlog_warn("Could not bind IGMP socket for %s on %s",
1015 inet_ntoa(ifaddr), ifp->name);
>>> CID 1496728: Resource leaks (RESOURCE_LEAK)
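>>> Handle variable "fd" going out of scope leaks the handle. In the lines shown, the bind() failure branch logs a warning and returns without closing "fd"; closing it before "return 0" would release the descriptor on this path.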
1016 return 0;
1017 }
1018
1019 igmp = igmp_sock_new(fd, ifaddr, ifp, mtrace_only);
1020
1021 igmp_read_on(igmp);
** CID 1496727: (FORWARD_NULL)
/bgpd/bgp_zebra.c: 2377 in bgp_encode_pbr_rule_action()
/bgpd/bgp_zebra.c: 2408 in bgp_encode_pbr_rule_action()
________________________________________________________________________________________________________
*** CID 1496727: (FORWARD_NULL)
/bgpd/bgp_zebra.c: 2377 in bgp_encode_pbr_rule_action()
2371 * - FS PBR entries based on iprule
2372 * the latter may contain default routing information injected by FS
2373 */
2374 if (pbr)
2375 stream_putl(s, pbr->unique);
2376 else
>>> CID 1496727: (FORWARD_NULL)
>>> Dereferencing null pointer "pbra".
2377 stream_putl(s, pbra->unique);
2378 if (pbr && pbr->flags & MATCH_IP_SRC_SET)
2379 memcpy(&pfx, &(pbr->src), sizeof(struct prefix));
2380 else {
2381 memset(&pfx, 0, sizeof(pfx));
2382 pfx.family = fam;
/bgpd/bgp_zebra.c: 2408 in bgp_encode_pbr_rule_action()
2402 /* if pbr present, fwmark is not used */
2403 if (pbr)
2404 stream_putl(s, 0);
2405 else
2406 stream_putl(s, pbra->fwmark); /* fwmark */
2407
>>> CID 1496727: (FORWARD_NULL)
>>> Dereferencing null pointer "pbra".
2408 stream_putl(s, pbra->table_id);
2409
2410 stream_putl(s, 0); /* ifindex unused */
2411 }
2412
2413 static void bgp_encode_pbr_ipset_match(struct stream *s,
** CID 1496726: Integer handling issues (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 1234 in ecommunity_strip()
________________________________________________________________________________________________________
*** CID 1496726: Integer handling issues (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 1234 in ecommunity_strip()
1228 XFREE(MTYPE_ECOMMUNITY_VAL, ecom->val);
1229 ecom->size = 0;
1230 return true;
1231 }
1232
1233 /* Strip matching ext community(ies). */
>>> CID 1496726: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "(ecom->size - found) * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(ecom->size - found) * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1234 new = XMALLOC(MTYPE_ECOMMUNITY_VAL,
1235 (ecom->size - found) * ecom->unit_size);
1236 q = new;
1237 for (c = 0, p = ecom->val; c < ecom->size; c++, p += ecom->unit_size) {
1238 if (!(p[0] == type && p[1] == subtype)) {
1239 memcpy(q, p, ecom->unit_size);
** CID 1496725: (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 294 in ecommunity_merge()
/bgpd/bgp_ecommunity.c: 289 in ecommunity_merge()
/bgpd/bgp_ecommunity.c: 299 in ecommunity_merge()
________________________________________________________________________________________________________
*** CID 1496725: (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 294 in ecommunity_merge()
288 ecom1->val =
289 XREALLOC(MTYPE_ECOMMUNITY_VAL, ecom1->val,
290 (ecom1->size + ecom2->size) *
291 ecom1->unit_size);
292 else
293 ecom1->val =
>>> CID 1496725: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom1->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "(ecom1->size + ecom2->size) * ecom1->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(ecom1->size + ecom2->size) * ecom1->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
294 XMALLOC(MTYPE_ECOMMUNITY_VAL,
295 (ecom1->size + ecom2->size) *
296 ecom1->unit_size);
297
298 memcpy(ecom1->val + (ecom1->size * ecom1->unit_size), ecom2->val,
299 ecom2->size * ecom1->unit_size);
/bgpd/bgp_ecommunity.c: 289 in ecommunity_merge()
283 /* Merge two Extended Communities Attribute structure. */
284 struct ecommunity *ecommunity_merge(struct ecommunity *ecom1,
285 struct ecommunity *ecom2)
286 {
287 if (ecom1->val)
288 ecom1->val =
>>> CID 1496725: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom1->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "(ecom1->size + ecom2->size) * ecom1->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(ecom1->size + ecom2->size) * ecom1->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
289 XREALLOC(MTYPE_ECOMMUNITY_VAL, ecom1->val,
290 (ecom1->size + ecom2->size) *
291 ecom1->unit_size);
292 else
293 ecom1->val =
294 XMALLOC(MTYPE_ECOMMUNITY_VAL,
/bgpd/bgp_ecommunity.c: 299 in ecommunity_merge()
293 ecom1->val =
294 XMALLOC(MTYPE_ECOMMUNITY_VAL,
295 (ecom1->size + ecom2->size) *
296 ecom1->unit_size);
297
298 memcpy(ecom1->val + (ecom1->size * ecom1->unit_size), ecom2->val,
>>> CID 1496725: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom1->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "ecom2->size * ecom1->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom2->size * ecom1->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
299 ecom2->size * ecom1->unit_size);
300 ecom1->size += ecom2->size;
301
302 return ecom1;
303 }
304
** CID 1496724: (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 1275 in ecommunity_del_val()
/bgpd/bgp_ecommunity.c: 1273 in ecommunity_del_val()
/bgpd/bgp_ecommunity.c: 1279 in ecommunity_del_val()
________________________________________________________________________________________________________
*** CID 1496724: (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 1275 in ecommunity_del_val()
1269 return false;
1270
1271 /* Delete the selected value */
1272 ecom->size--;
1273 p = XMALLOC(MTYPE_ECOMMUNITY_VAL, ecom->size * ecom->unit_size);
1274 if (c != 0)
>>> CID 1496724: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "c * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "c * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1275 memcpy(p, ecom->val, c * ecom->unit_size);
1276 if ((ecom->size - c) != 0)
1277 memcpy(p + (c)*ecom->unit_size,
1278 ecom->val + (c + 1) * ecom->unit_size,
1279 (ecom->size - c) * ecom->unit_size);
1280 XFREE(MTYPE_ECOMMUNITY_VAL, ecom->val);
/bgpd/bgp_ecommunity.c: 1273 in ecommunity_del_val()
1267 }
1268 if (found == 0)
1269 return false;
1270
1271 /* Delete the selected value */
1272 ecom->size--;
>>> CID 1496724: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "ecom->size * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom->size * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1273 p = XMALLOC(MTYPE_ECOMMUNITY_VAL, ecom->size * ecom->unit_size);
1274 if (c != 0)
1275 memcpy(p, ecom->val, c * ecom->unit_size);
1276 if ((ecom->size - c) != 0)
1277 memcpy(p + (c)*ecom->unit_size,
1278 ecom->val + (c + 1) * ecom->unit_size,
/bgpd/bgp_ecommunity.c: 1279 in ecommunity_del_val()
1273 p = XMALLOC(MTYPE_ECOMMUNITY_VAL, ecom->size * ecom->unit_size);
1274 if (c != 0)
1275 memcpy(p, ecom->val, c * ecom->unit_size);
1276 if ((ecom->size - c) != 0)
1277 memcpy(p + (c)*ecom->unit_size,
1278 ecom->val + (c + 1) * ecom->unit_size,
>>> CID 1496724: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "(ecom->size - c) * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(ecom->size - c) * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1279 (ecom->size - c) * ecom->unit_size);
1280 XFREE(MTYPE_ECOMMUNITY_VAL, ecom->val);
1281 ecom->val = p;
1282 return true;
1283 }
1284
** CID 1496723: (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 162 in ecommunity_add_val_internal()
/bgpd/bgp_ecommunity.c: 156 in ecommunity_add_val_internal()
/bgpd/bgp_ecommunity.c: 104 in ecommunity_add_val_internal()
________________________________________________________________________________________________________
*** CID 1496723: (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 162 in ecommunity_add_val_internal()
156 ecom->val = XREALLOC(MTYPE_ECOMMUNITY_VAL, ecom->val,
157 ecom_length_size(ecom, ecom_size));
158
159
160 memmove(ecom->val + ((ins_idx + 1) * ecom_size),
161 ecom->val + (ins_idx * ecom_size),
>>> CID 1496723: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom_size" with type "uint8_t" (8 bits, unsigned) is promoted in "(ecom->size - 1 - ins_idx) * ecom_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(ecom->size - 1 - ins_idx) * ecom_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
162 (ecom->size - 1 - ins_idx) * ecom_size);
163 memcpy(ecom->val + (ins_idx * ecom_size),
164 eval, ecom_size);
165
166 return true;
167 }
/bgpd/bgp_ecommunity.c: 156 in ecommunity_add_val_internal()
150
151 if (ins_idx == -1)
152 ins_idx = c;
153
154 /* Add the value to the structure with numerical sorting. */
155 ecom->size++;
>>> CID 1496723: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom_size" with type "uint8_t" (8 bits, unsigned) is promoted in "ecom->size * ecom_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom->size * ecom_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
156 ecom->val = XREALLOC(MTYPE_ECOMMUNITY_VAL, ecom->val,
157 ecom_length_size(ecom, ecom_size));
158
159
160 memmove(ecom->val + ((ins_idx + 1) * ecom_size),
161 ecom->val + (ins_idx * ecom_size),
/bgpd/bgp_ecommunity.c: 104 in ecommunity_add_val_internal()
98 const struct ecommunity_val_ipv6 *eval6 =
99 (struct ecommunity_val_ipv6 *)eval;
100
101 /* When this is fist value, just add it. */
102 if (ecom->val == NULL) {
103 ecom->size = 1;
>>> CID 1496723: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom_size" with type "uint8_t" (8 bits, unsigned) is promoted in "ecom->size * ecom_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom->size * ecom_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
104 ecom->val = XMALLOC(MTYPE_ECOMMUNITY_VAL,
105 ecom_length_size(ecom, ecom_size));
106 memcpy(ecom->val, eval, ecom_size);
107 return true;
108 }
109
** CID 1496722: Incorrect expression (USELESS_CALL)
________________________________________________________________________________________________________
*** CID 1496722: Incorrect expression (USELESS_CALL)
/bgpd/bgp_flowspec_vty.c: 276 in route_vty_out_flowspec()
270 char timebuf[BGP_UPTIME_LEN];
271 struct bgp_dest *dest = NULL;
272
273 if (path)
274 dest = path->net;
275 if (dest)
>>> CID 1496722: Incorrect expression (USELESS_CALL)
>>> Calling "bgp_dest_get_bgp_table_info(dest)" is only useful for its return value, which is ignored.
276 bgp_dest_get_bgp_table_info(dest);
277 if (p == NULL || p->family != AF_FLOWSPEC)
278 return;
279 if (json_paths) {
280 if (display == NLRI_STRING_FORMAT_JSON)
281 json_nlri_path = json_object_new_object();
** CID 1496721: Integer handling issues (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 367 in ecommunity_cmp()
________________________________________________________________________________________________________
*** CID 1496721: Integer handling issues (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 367 in ecommunity_cmp()
361 return false;
362
363 if (ecom1->unit_size != ecom2->unit_size)
364 return false;
365
366 return (ecom1->size == ecom2->size
>>> CID 1496721: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom1->unit_size" with type "uint8_t const" (8 bits, unsigned) is promoted in "ecom1->size * ecom1->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom1->size * ecom1->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
367 && memcmp(ecom1->val, ecom2->val, ecom1->size *
368 ecom1->unit_size) == 0);
369 }
370
371 /* Initialize Extended Comminities related hash. */
372 void ecommunity_init(void)
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3DctiN_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTysjFKnrB1GUTiNRuyIaoVGyKJE2IVTxiO6XzePo95qACtLkUUGqGursKHbSgi-2BD24Lz6bWDCzUshcE0or3ReWC3OT2uMzP-2Bh8SfY2H99T6-2F17kYkeZ4VdhJumnLUjqbSDfKIFOJlqHXlS7UUdmjzbrhRhdAlmrjTAP8X58UFFNM8athtHBW-2FbnighHQvC3Vqo-3D