New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com scan-admin at coverity.com
Mon Oct 12 11:23:02 UTC 2020


Hi,

Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.

7 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
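Showing 7 of 7 defect(s)
All seven are USE_AFTER_FREE findings in ospf6d, and each is reported on the "lsa" pointer inside a for (ALL_LSDB(...)) loop. The ALL_LSDB macro definition is not shown in this report, but it is the first place to look when deciding whether these are seven real defects or one shared iteration pattern that the analyzer cannot follow. CID 1497787 differs from the rest: it also flags the explicit ospf6_lsdb_lsa_unlock(lsa) call before "break" in ospf6_lsreq_send() as releasing an already-freed pointer.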


** CID 1497792:    (USE_AFTER_FREE)
/ospf6d/ospf6_interface.c: 991 in ospf6_interface_show()
/ospf6d/ospf6_interface.c: 981 in ospf6_interface_show()
/ospf6d/ospf6_interface.c: 991 in ospf6_interface_show()
/ospf6d/ospf6_interface.c: 981 in ospf6_interface_show()


________________________________________________________________________________________________________
*** CID 1497792:    (USE_AFTER_FREE)
/ospf6d/ospf6_interface.c: 991 in ospf6_interface_show()
985     		timersub(&oi->thread_send_lsack->u.sands, &now, &res);
986     	timerstring(&res, duration, sizeof(duration));
987     	vty_out(vty, "    %d Pending LSAs for LSAck in Time %s [thread %s]\n",
988     		oi->lsack_list->count, duration,
989     		(oi->thread_send_lsack ? "on" : "off"));
990     	for (ALL_LSDB(oi->lsack_list, lsa, lsanext))
>>>     CID 1497792:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
991     		vty_out(vty, "      %s\n", lsa->name);
992     	ospf6_bfd_show_info(vty, oi->bfd_info, 1);
993     	return 0;
994     }
995     
996     /* show interface */
/ospf6d/ospf6_interface.c: 981 in ospf6_interface_show()
975     	timerstring(&res, duration, sizeof(duration));
976     	vty_out(vty,
977     		"    %d Pending LSAs for LSUpdate in Time %s [thread %s]\n",
978     		oi->lsupdate_list->count, duration,
979     		(oi->thread_send_lsupdate ? "on" : "off"));
980     	for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext))
>>>     CID 1497792:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
981     		vty_out(vty, "      %s\n", lsa->name);
982     
983     	timerclear(&res);
984     	if (oi->thread_send_lsack)
985     		timersub(&oi->thread_send_lsack->u.sands, &now, &res);
986     	timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_interface.c: 991 in ospf6_interface_show()
985     		timersub(&oi->thread_send_lsack->u.sands, &now, &res);
986     	timerstring(&res, duration, sizeof(duration));
987     	vty_out(vty, "    %d Pending LSAs for LSAck in Time %s [thread %s]\n",
988     		oi->lsack_list->count, duration,
989     		(oi->thread_send_lsack ? "on" : "off"));
990     	for (ALL_LSDB(oi->lsack_list, lsa, lsanext))
>>>     CID 1497792:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
991     		vty_out(vty, "      %s\n", lsa->name);
992     	ospf6_bfd_show_info(vty, oi->bfd_info, 1);
993     	return 0;
994     }
995     
996     /* show interface */
/ospf6d/ospf6_interface.c: 981 in ospf6_interface_show()
975     	timerstring(&res, duration, sizeof(duration));
976     	vty_out(vty,
977     		"    %d Pending LSAs for LSUpdate in Time %s [thread %s]\n",
978     		oi->lsupdate_list->count, duration,
979     		(oi->thread_send_lsupdate ? "on" : "off"));
980     	for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext))
>>>     CID 1497792:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
981     		vty_out(vty, "      %s\n", lsa->name);
982     
983     	timerclear(&res);
984     	if (oi->thread_send_lsack)
985     		timersub(&oi->thread_send_lsack->u.sands, &now, &res);
986     	timerstring(&res, duration, sizeof(duration));

** CID 1497791:    (USE_AFTER_FREE)
/ospf6d/ospf6_snmp.c: 683 in ospfv3GeneralGroup()
/ospf6d/ospf6_snmp.c: 683 in ospfv3GeneralGroup()


________________________________________________________________________________________________________
*** CID 1497791:    (USE_AFTER_FREE)
/ospf6d/ospf6_snmp.c: 683 in ospfv3GeneralGroup()
677     			return SNMP_INTEGER(ospf6->lsdb->count);
678     		return SNMP_INTEGER(0);
679     	case OSPFv3ASSCOPELSACHECKSUMSUM:
680     		if (ospf6) {
681     			sum = 0;
682     			for (ALL_LSDB(ospf6->lsdb, lsa, lsanext))
>>>     CID 1497791:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
683     				sum += ntohs(lsa->header->checksum);
684     			return SNMP_INTEGER(sum);
685     		}
686     		return SNMP_INTEGER(0);
687     	case OSPFv3ORIGINATENEWLSAS:
688     		return SNMP_INTEGER(
/ospf6d/ospf6_snmp.c: 683 in ospfv3GeneralGroup()
677     			return SNMP_INTEGER(ospf6->lsdb->count);
678     		return SNMP_INTEGER(0);
679     	case OSPFv3ASSCOPELSACHECKSUMSUM:
680     		if (ospf6) {
681     			sum = 0;
682     			for (ALL_LSDB(ospf6->lsdb, lsa, lsanext))
>>>     CID 1497791:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
683     				sum += ntohs(lsa->header->checksum);
684     			return SNMP_INTEGER(sum);
685     		}
686     		return SNMP_INTEGER(0);
687     	case OSPFv3ORIGINATENEWLSAS:
688     		return SNMP_INTEGER(

** CID 1497790:    (USE_AFTER_FREE)
/ospf6d/ospf6_asbr.c: 1012 in ospf6_asbr_send_externals_to_area()
/ospf6d/ospf6_asbr.c: 1012 in ospf6_asbr_send_externals_to_area()


________________________________________________________________________________________________________
*** CID 1497790:    (USE_AFTER_FREE)
/ospf6d/ospf6_asbr.c: 1012 in ospf6_asbr_send_externals_to_area()
1006     /* When an area is unstubified, flood all the external LSAs in the area */
1007     void ospf6_asbr_send_externals_to_area(struct ospf6_area *oa)
1008     {
1009     	struct ospf6_lsa *lsa, *lsanext;
1010     
1011     	for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) {
>>>     CID 1497790:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
1012     		if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL) {
1013     			zlog_debug("%s: Flooding AS-External LSA %s",
1014     				   __func__, lsa->name);
1015     			ospf6_flood_area(NULL, lsa, oa);
1016     		}
1017     	}
/ospf6d/ospf6_asbr.c: 1012 in ospf6_asbr_send_externals_to_area()
1006     /* When an area is unstubified, flood all the external LSAs in the area */
1007     void ospf6_asbr_send_externals_to_area(struct ospf6_area *oa)
1008     {
1009     	struct ospf6_lsa *lsa, *lsanext;
1010     
1011     	for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) {
>>>     CID 1497790:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
1012     		if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL) {
1013     			zlog_debug("%s: Flooding AS-External LSA %s",
1014     				   __func__, lsa->name);
1015     			ospf6_flood_area(NULL, lsa, oa);
1016     		}
1017     	}

** CID 1497789:    (USE_AFTER_FREE)
/ospf6d/ospf6_snmp.c: 1175 in ospfv3IfEntry()
/ospf6d/ospf6_snmp.c: 1175 in ospfv3IfEntry()


________________________________________________________________________________________________________
*** CID 1497789:    (USE_AFTER_FREE)
/ospf6d/ospf6_snmp.c: 1175 in ospfv3IfEntry()
1169     		return SNMP_INTEGER(oi->cost);
1170     	case OSPFv3IFLINKSCOPELSACOUNT:
1171     		return SNMP_INTEGER(oi->lsdb->count);
1172     	case OSPFv3IFLINKLSACKSUMSUM:
1173     		sum = 0;
1174     		for (ALL_LSDB(oi->lsdb, lsa, lsanext))
>>>     CID 1497789:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
1175     			sum += ntohs(lsa->header->checksum);
1176     		return SNMP_INTEGER(sum);
1177     	case OSPFv3IFDEMANDNBRPROBE:
1178     	case OSPFv3IFDEMANDNBRPROBERETRANSLIMIT:
1179     	case OSPFv3IFDEMANDNBRPROBEINTERVAL:
1180     	case OSPFv3IFTEDISABLED:
/ospf6d/ospf6_snmp.c: 1175 in ospfv3IfEntry()
1169     		return SNMP_INTEGER(oi->cost);
1170     	case OSPFv3IFLINKSCOPELSACOUNT:
1171     		return SNMP_INTEGER(oi->lsdb->count);
1172     	case OSPFv3IFLINKLSACKSUMSUM:
1173     		sum = 0;
1174     		for (ALL_LSDB(oi->lsdb, lsa, lsanext))
>>>     CID 1497789:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
1175     			sum += ntohs(lsa->header->checksum);
1176     		return SNMP_INTEGER(sum);
1177     	case OSPFv3IFDEMANDNBRPROBE:
1178     	case OSPFv3IFDEMANDNBRPROBERETRANSLIMIT:
1179     	case OSPFv3IFDEMANDNBRPROBEINTERVAL:
1180     	case OSPFv3IFTEDISABLED:

** CID 1497788:    (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 768 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 758 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 737 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 719 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 723 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 758 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 768 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 727 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 719 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 737 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 747 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 727 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 723 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 747 in ospf6_neighbor_show_detail()


________________________________________________________________________________________________________
*** CID 1497788:    (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 768 in ospf6_neighbor_show_detail()
762     		timersub(&on->thread_send_lsack->u.sands, &now, &res);
763     	timerstring(&res, duration, sizeof(duration));
764     	vty_out(vty, "    %d Pending LSAs for LSAck in Time %s [thread %s]\n",
765     		on->lsack_list->count, duration,
766     		(on->thread_send_lsack ? "on" : "off"));
767     	for (ALL_LSDB(on->lsack_list, lsa, lsanext))
>>>     CID 1497788:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
768     		vty_out(vty, "      %s\n", lsa->name);
769     
770     	ospf6_bfd_show_info(vty, on->bfd_info, 0);
771     }
772     
773     DEFUN (show_ipv6_ospf6_neighbor,
/ospf6d/ospf6_neighbor.c: 758 in ospf6_neighbor_show_detail()
752     	timerstring(&res, duration, sizeof(duration));
753     	vty_out(vty,
754     		"    %d Pending LSAs for LSUpdate in Time %s [thread %s]\n",
755     		on->lsupdate_list->count, duration,
756     		(on->thread_send_lsupdate ? "on" : "off"));
757     	for (ALL_LSDB(on->lsupdate_list, lsa, lsanext))
>>>     CID 1497788:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
758     		vty_out(vty, "      %s\n", lsa->name);
759     
760     	timerclear(&res);
761     	if (on->thread_send_lsack)
762     		timersub(&on->thread_send_lsack->u.sands, &now, &res);
763     	timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_neighbor.c: 737 in ospf6_neighbor_show_detail()
731     		timersub(&on->thread_send_dbdesc->u.sands, &now, &res);
732     	timerstring(&res, duration, sizeof(duration));
733     	vty_out(vty, "    %d Pending LSAs for DbDesc in Time %s [thread %s]\n",
734     		on->dbdesc_list->count, duration,
735     		(on->thread_send_dbdesc ? "on" : "off"));
736     	for (ALL_LSDB(on->dbdesc_list, lsa, lsanext))
>>>     CID 1497788:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
737     		vty_out(vty, "      %s\n", lsa->name);
738     
739     	timerclear(&res);
740     	if (on->thread_send_lsreq)
741     		timersub(&on->thread_send_lsreq->u.sands, &now, &res);
742     	timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_neighbor.c: 719 in ospf6_neighbor_show_detail()
713     		(CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT) ? "Master"
714     								 : "Slave"),
715     		(unsigned long)ntohl(on->dbdesc_seqnum));
716     
717     	vty_out(vty, "    Summary-List: %d LSAs\n", on->summary_list->count);
718     	for (ALL_LSDB(on->summary_list, lsa, lsanext))
>>>     CID 1497788:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
719     		vty_out(vty, "      %s\n", lsa->name);
720     
721     	vty_out(vty, "    Request-List: %d LSAs\n", on->request_list->count);
722     	for (ALL_LSDB(on->request_list, lsa, lsanext))
723     		vty_out(vty, "      %s\n", lsa->name);
724     
/ospf6d/ospf6_neighbor.c: 723 in ospf6_neighbor_show_detail()
717     	vty_out(vty, "    Summary-List: %d LSAs\n", on->summary_list->count);
718     	for (ALL_LSDB(on->summary_list, lsa, lsanext))
719     		vty_out(vty, "      %s\n", lsa->name);
720     
721     	vty_out(vty, "    Request-List: %d LSAs\n", on->request_list->count);
722     	for (ALL_LSDB(on->request_list, lsa, lsanext))
>>>     CID 1497788:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
723     		vty_out(vty, "      %s\n", lsa->name);
724     
725     	vty_out(vty, "    Retrans-List: %d LSAs\n", on->retrans_list->count);
726     	for (ALL_LSDB(on->retrans_list, lsa, lsanext))
727     		vty_out(vty, "      %s\n", lsa->name);
728     
/ospf6d/ospf6_neighbor.c: 758 in ospf6_neighbor_show_detail()
752     	timerstring(&res, duration, sizeof(duration));
753     	vty_out(vty,
754     		"    %d Pending LSAs for LSUpdate in Time %s [thread %s]\n",
755     		on->lsupdate_list->count, duration,
756     		(on->thread_send_lsupdate ? "on" : "off"));
757     	for (ALL_LSDB(on->lsupdate_list, lsa, lsanext))
>>>     CID 1497788:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
758     		vty_out(vty, "      %s\n", lsa->name);
759     
760     	timerclear(&res);
761     	if (on->thread_send_lsack)
762     		timersub(&on->thread_send_lsack->u.sands, &now, &res);
763     	timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_neighbor.c: 768 in ospf6_neighbor_show_detail()
762     		timersub(&on->thread_send_lsack->u.sands, &now, &res);
763     	timerstring(&res, duration, sizeof(duration));
764     	vty_out(vty, "    %d Pending LSAs for LSAck in Time %s [thread %s]\n",
765     		on->lsack_list->count, duration,
766     		(on->thread_send_lsack ? "on" : "off"));
767     	for (ALL_LSDB(on->lsack_list, lsa, lsanext))
>>>     CID 1497788:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
768     		vty_out(vty, "      %s\n", lsa->name);
769     
770     	ospf6_bfd_show_info(vty, on->bfd_info, 0);
771     }
772     
773     DEFUN (show_ipv6_ospf6_neighbor,
/ospf6d/ospf6_neighbor.c: 727 in ospf6_neighbor_show_detail()
721     	vty_out(vty, "    Request-List: %d LSAs\n", on->request_list->count);
722     	for (ALL_LSDB(on->request_list, lsa, lsanext))
723     		vty_out(vty, "      %s\n", lsa->name);
724     
725     	vty_out(vty, "    Retrans-List: %d LSAs\n", on->retrans_list->count);
726     	for (ALL_LSDB(on->retrans_list, lsa, lsanext))
>>>     CID 1497788:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
727     		vty_out(vty, "      %s\n", lsa->name);
728     
729     	timerclear(&res);
730     	if (on->thread_send_dbdesc)
731     		timersub(&on->thread_send_dbdesc->u.sands, &now, &res);
732     	timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_neighbor.c: 719 in ospf6_neighbor_show_detail()
713     		(CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT) ? "Master"
714     								 : "Slave"),
715     		(unsigned long)ntohl(on->dbdesc_seqnum));
716     
717     	vty_out(vty, "    Summary-List: %d LSAs\n", on->summary_list->count);
718     	for (ALL_LSDB(on->summary_list, lsa, lsanext))
>>>     CID 1497788:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
719     		vty_out(vty, "      %s\n", lsa->name);
720     
721     	vty_out(vty, "    Request-List: %d LSAs\n", on->request_list->count);
722     	for (ALL_LSDB(on->request_list, lsa, lsanext))
723     		vty_out(vty, "      %s\n", lsa->name);
724     
/ospf6d/ospf6_neighbor.c: 737 in ospf6_neighbor_show_detail()
731     		timersub(&on->thread_send_dbdesc->u.sands, &now, &res);
732     	timerstring(&res, duration, sizeof(duration));
733     	vty_out(vty, "    %d Pending LSAs for DbDesc in Time %s [thread %s]\n",
734     		on->dbdesc_list->count, duration,
735     		(on->thread_send_dbdesc ? "on" : "off"));
736     	for (ALL_LSDB(on->dbdesc_list, lsa, lsanext))
>>>     CID 1497788:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
737     		vty_out(vty, "      %s\n", lsa->name);
738     
739     	timerclear(&res);
740     	if (on->thread_send_lsreq)
741     		timersub(&on->thread_send_lsreq->u.sands, &now, &res);
742     	timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_neighbor.c: 747 in ospf6_neighbor_show_detail()
741     		timersub(&on->thread_send_lsreq->u.sands, &now, &res);
742     	timerstring(&res, duration, sizeof(duration));
743     	vty_out(vty, "    %d Pending LSAs for LSReq in Time %s [thread %s]\n",
744     		on->request_list->count, duration,
745     		(on->thread_send_lsreq ? "on" : "off"));
746     	for (ALL_LSDB(on->request_list, lsa, lsanext))
>>>     CID 1497788:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
747     		vty_out(vty, "      %s\n", lsa->name);
748     
749     	timerclear(&res);
750     	if (on->thread_send_lsupdate)
751     		timersub(&on->thread_send_lsupdate->u.sands, &now, &res);
752     	timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_neighbor.c: 727 in ospf6_neighbor_show_detail()
721     	vty_out(vty, "    Request-List: %d LSAs\n", on->request_list->count);
722     	for (ALL_LSDB(on->request_list, lsa, lsanext))
723     		vty_out(vty, "      %s\n", lsa->name);
724     
725     	vty_out(vty, "    Retrans-List: %d LSAs\n", on->retrans_list->count);
726     	for (ALL_LSDB(on->retrans_list, lsa, lsanext))
>>>     CID 1497788:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
727     		vty_out(vty, "      %s\n", lsa->name);
728     
729     	timerclear(&res);
730     	if (on->thread_send_dbdesc)
731     		timersub(&on->thread_send_dbdesc->u.sands, &now, &res);
732     	timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_neighbor.c: 723 in ospf6_neighbor_show_detail()
717     	vty_out(vty, "    Summary-List: %d LSAs\n", on->summary_list->count);
718     	for (ALL_LSDB(on->summary_list, lsa, lsanext))
719     		vty_out(vty, "      %s\n", lsa->name);
720     
721     	vty_out(vty, "    Request-List: %d LSAs\n", on->request_list->count);
722     	for (ALL_LSDB(on->request_list, lsa, lsanext))
>>>     CID 1497788:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
723     		vty_out(vty, "      %s\n", lsa->name);
724     
725     	vty_out(vty, "    Retrans-List: %d LSAs\n", on->retrans_list->count);
726     	for (ALL_LSDB(on->retrans_list, lsa, lsanext))
727     		vty_out(vty, "      %s\n", lsa->name);
728     
/ospf6d/ospf6_neighbor.c: 747 in ospf6_neighbor_show_detail()
741     		timersub(&on->thread_send_lsreq->u.sands, &now, &res);
742     	timerstring(&res, duration, sizeof(duration));
743     	vty_out(vty, "    %d Pending LSAs for LSReq in Time %s [thread %s]\n",
744     		on->request_list->count, duration,
745     		(on->thread_send_lsreq ? "on" : "off"));
746     	for (ALL_LSDB(on->request_list, lsa, lsanext))
>>>     CID 1497788:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
747     		vty_out(vty, "      %s\n", lsa->name);
748     
749     	timerclear(&res);
750     	if (on->thread_send_lsupdate)
751     		timersub(&on->thread_send_lsupdate->u.sands, &now, &res);
752     	timerstring(&res, duration, sizeof(duration));

** CID 1497787:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send()
/ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send()
/ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send()


________________________________________________________________________________________________________
*** CID 1497787:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send()
1941     		    > ospf6_packet_max(on->ospf6_if)) {
1942     			ospf6_lsdb_lsa_unlock(lsa);
1943     			break;
1944     		}
1945     
1946     		e = (struct ospf6_lsreq_entry *)p;
>>>     CID 1497787:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
1947     		e->type = lsa->header->type;
1948     		e->id = lsa->header->id;
1949     		e->adv_router = lsa->header->adv_router;
1950     		p += sizeof(struct ospf6_lsreq_entry);
1951     		last_req = lsa;
1952     	}
/ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send()
1936     	/* set Request entries in lsreq */
1937     	p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
1938     	for (ALL_LSDB(on->request_list, lsa, lsanext)) {
1939     		/* MTU check */
1940     		if (p - sendbuf + sizeof(struct ospf6_lsreq_entry)
1941     		    > ospf6_packet_max(on->ospf6_if)) {
>>>     CID 1497787:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed.
1942     			ospf6_lsdb_lsa_unlock(lsa);
1943     			break;
1944     		}
1945     
1946     		e = (struct ospf6_lsreq_entry *)p;
1947     		e->type = lsa->header->type;
/ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send()
1941     		    > ospf6_packet_max(on->ospf6_if)) {
1942     			ospf6_lsdb_lsa_unlock(lsa);
1943     			break;
1944     		}
1945     
1946     		e = (struct ospf6_lsreq_entry *)p;
>>>     CID 1497787:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
1947     		e->type = lsa->header->type;
1948     		e->id = lsa->header->id;
1949     		e->adv_router = lsa->header->adv_router;
1950     		p += sizeof(struct ospf6_lsreq_entry);
1951     		last_req = lsa;
1952     	}
/ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send()
1936     	/* set Request entries in lsreq */
1937     	p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
1938     	for (ALL_LSDB(on->request_list, lsa, lsanext)) {
1939     		/* MTU check */
1940     		if (p - sendbuf + sizeof(struct ospf6_lsreq_entry)
1941     		    > ospf6_packet_max(on->ospf6_if)) {
>>>     CID 1497787:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed.
1942     			ospf6_lsdb_lsa_unlock(lsa);
1943     			break;
1944     		}
1945     
1946     		e = (struct ospf6_lsreq_entry *)p;
1947     		e->type = lsa->header->type;
/ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send()
1936     	/* set Request entries in lsreq */
1937     	p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
1938     	for (ALL_LSDB(on->request_list, lsa, lsanext)) {
1939     		/* MTU check */
1940     		if (p - sendbuf + sizeof(struct ospf6_lsreq_entry)
1941     		    > ospf6_packet_max(on->ospf6_if)) {
>>>     CID 1497787:    (USE_AFTER_FREE)
>>>     Passing freed pointer "lsa" as an argument to "ospf6_lsdb_lsa_unlock".
1942     			ospf6_lsdb_lsa_unlock(lsa);
1943     			break;
1944     		}
1945     
1946     		e = (struct ospf6_lsreq_entry *)p;
1947     		e->type = lsa->header->type;

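** CID 1497786:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1837 in ospf6_dbdesc_send()
/ospf6d/ospf6_message.c: 1837 in ospf6_dbdesc_send()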


________________________________________________________________________________________________________
*** CID 1497786:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1837 in ospf6_dbdesc_send()
1831     	dbdesc->seqnum = htonl(on->dbdesc_seqnum);
1832     
1833     	/* if this is not initial one, set LSA headers in dbdesc */
1834     	p = (uint8_t *)((caddr_t)dbdesc + sizeof(struct ospf6_dbdesc));
1835     	if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) {
1836     		for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
>>>     CID 1497786:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
1837     			ospf6_lsa_age_update_to_send(lsa,
1838     						     on->ospf6_if->transdelay);
1839     
1840     			/* MTU check */
1841     			if (p - sendbuf + sizeof(struct ospf6_lsa_header)
1842     			    > ospf6_packet_max(on->ospf6_if)) {
/ospf6d/ospf6_message.c: 1837 in ospf6_dbdesc_send()
1831     	dbdesc->seqnum = htonl(on->dbdesc_seqnum);
1832     
1833     	/* if this is not initial one, set LSA headers in dbdesc */
1834     	p = (uint8_t *)((caddr_t)dbdesc + sizeof(struct ospf6_dbdesc));
1835     	if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) {
1836     		for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
>>>     CID 1497786:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
1837     			ospf6_lsa_age_update_to_send(lsa,
1838     						     on->ospf6_if->transdelay);
1839     
1840     			/* MTU check */
1841     			if (p - sendbuf + sizeof(struct ospf6_lsa_header)
1842     			    > ospf6_packet_max(on->ospf6_if)) {


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3Dr4Jk_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTxuy3bz6LApMqrXzyD08cJJe3PgF6kihFho3trMI4s8Viva5WruHTACh1yXTWZgj751cOTKbwS5aeJncgnYYOoTNSnJ6Oludvm-2Fw7RAUo0YKL0GWk8omYSif7GtHa2xJgKvFT-2FuTzTog3fOIGjBAB4mpBQpBVnW8-2F6Cv0U-2FT0vSDSBXXHp4KpGdT5NRN10vCEo-3D



