New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
Tue Oct 27 13:09:02 UTC 2020
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
92 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 92 defect(s)
** CID 1497888: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 620 in ospf_apiclient_handle_lsa_delete()
________________________________________________________________________________________________________
*** CID 1497888: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 620 in ospf_apiclient_handle_lsa_delete()
614 __func__, lsalen, OSPF_MAX_LSA_SIZE);
615 return;
616 }
617
618 p = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
619
>>> CID 1497888: Memory - corruptions (OVERRUN)
>>> Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500).
620 memcpy(p, &(cn->data), lsalen);
621 lsa = p;
622
623 /* Invoke registered update callback function */
624 if (oclient->delete_notify) {
625 (oclient->delete_notify)(cn->ifaddr, cn->area_id,
** CID 1497887: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 248 in ospf_extract_grace_lsa_fields()
________________________________________________________________________________________________________
*** CID 1497887: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 248 in ospf_extract_grace_lsa_fields()
242 __func__, length);
243 return OSPF_GR_FAILURE;
244 }
245
246 length -= OSPF_LSA_HEADER_SIZE;
247
>>> CID 1497887: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "length" as a loop boundary.
248 for (tlvh = TLV_HDR_TOP(lsah); sum < length;
249 tlvh = TLV_HDR_NEXT(tlvh)) {
250
251 /* Check TLV len against overall LSA */
252 if (sum + TLV_SIZE(tlvh) > length) {
253 if (IS_DEBUG_OSPF_GR_HELPER)
** CID 1497886: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 585 in ospf_apiclient_handle_lsa_update()
________________________________________________________________________________________________________
*** CID 1497886: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 585 in ospf_apiclient_handle_lsa_update()
579 __func__, lsalen, OSPF_MAX_LSA_SIZE);
580 return;
581 }
582
583 p = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
584
>>> CID 1497886: Memory - corruptions (OVERRUN)
>>> Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500).
585 memcpy(p, &(cn->data), lsalen);
586 lsa = p;
587
588 /* Invoke registered update callback function */
589 if (oclient->update_notify) {
590 (oclient->update_notify)(cn->ifaddr, cn->area_id,
** CID 1497885: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 1017 in show_ospf_grace_lsa_info()
________________________________________________________________________________________________________
*** CID 1497885: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_gr_helper.c: 1017 in show_ospf_grace_lsa_info()
1011 }
1012
1013 length -= OSPF_LSA_HEADER_SIZE;
1014
1015 vty_out(vty, " TLV info:\n");
1016
>>> CID 1497885: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "length" as a loop boundary.
1017 for (tlvh = TLV_HDR_TOP(lsah); sum < length;
1018 tlvh = TLV_HDR_NEXT(tlvh)) {
1019 /* Check TLV len */
1020 if (sum + TLV_SIZE(tlvh) > length) {
1021 vty_out(vty, "%% Invalid TLV length: %zu\n",
1022 TLV_SIZE(tlvh));
** CID 1497792: (USE_AFTER_FREE)
/ospf6d/ospf6_interface.c: 978 in ospf6_interface_show()
/ospf6d/ospf6_interface.c: 988 in ospf6_interface_show()
/ospf6d/ospf6_interface.c: 988 in ospf6_interface_show()
/ospf6d/ospf6_interface.c: 978 in ospf6_interface_show()
________________________________________________________________________________________________________
*** CID 1497792: (USE_AFTER_FREE)
/ospf6d/ospf6_interface.c: 978 in ospf6_interface_show()
972 timerstring(&res, duration, sizeof(duration));
973 vty_out(vty,
974 " %d Pending LSAs for LSUpdate in Time %s [thread %s]\n",
975 oi->lsupdate_list->count, duration,
976 (oi->thread_send_lsupdate ? "on" : "off"));
977 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext))
>>> CID 1497792: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
978 vty_out(vty, " %s\n", lsa->name);
979
980 timerclear(&res);
981 if (oi->thread_send_lsack)
982 timersub(&oi->thread_send_lsack->u.sands, &now, &res);
983 timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_interface.c: 988 in ospf6_interface_show()
982 timersub(&oi->thread_send_lsack->u.sands, &now, &res);
983 timerstring(&res, duration, sizeof(duration));
984 vty_out(vty, " %d Pending LSAs for LSAck in Time %s [thread %s]\n",
985 oi->lsack_list->count, duration,
986 (oi->thread_send_lsack ? "on" : "off"));
987 for (ALL_LSDB(oi->lsack_list, lsa, lsanext))
>>> CID 1497792: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
988 vty_out(vty, " %s\n", lsa->name);
989 ospf6_bfd_show_info(vty, oi->bfd_info, 1);
990 return 0;
991 }
992
993 /* show interface */
/ospf6d/ospf6_interface.c: 988 in ospf6_interface_show()
982 timersub(&oi->thread_send_lsack->u.sands, &now, &res);
983 timerstring(&res, duration, sizeof(duration));
984 vty_out(vty, " %d Pending LSAs for LSAck in Time %s [thread %s]\n",
985 oi->lsack_list->count, duration,
986 (oi->thread_send_lsack ? "on" : "off"));
987 for (ALL_LSDB(oi->lsack_list, lsa, lsanext))
>>> CID 1497792: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
988 vty_out(vty, " %s\n", lsa->name);
989 ospf6_bfd_show_info(vty, oi->bfd_info, 1);
990 return 0;
991 }
992
993 /* show interface */
/ospf6d/ospf6_interface.c: 978 in ospf6_interface_show()
972 timerstring(&res, duration, sizeof(duration));
973 vty_out(vty,
974 " %d Pending LSAs for LSUpdate in Time %s [thread %s]\n",
975 oi->lsupdate_list->count, duration,
976 (oi->thread_send_lsupdate ? "on" : "off"));
977 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext))
>>> CID 1497792: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
978 vty_out(vty, " %s\n", lsa->name);
979
980 timerclear(&res);
981 if (oi->thread_send_lsack)
982 timersub(&oi->thread_send_lsack->u.sands, &now, &res);
983 timerstring(&res, duration, sizeof(duration));
** CID 1497791: (USE_AFTER_FREE)
/ospf6d/ospf6_snmp.c: 683 in ospfv3GeneralGroup()
/ospf6d/ospf6_snmp.c: 683 in ospfv3GeneralGroup()
________________________________________________________________________________________________________
*** CID 1497791: (USE_AFTER_FREE)
/ospf6d/ospf6_snmp.c: 683 in ospfv3GeneralGroup()
677 return SNMP_INTEGER(ospf6->lsdb->count);
678 return SNMP_INTEGER(0);
679 case OSPFv3ASSCOPELSACHECKSUMSUM:
680 if (ospf6) {
681 sum = 0;
682 for (ALL_LSDB(ospf6->lsdb, lsa, lsanext))
>>> CID 1497791: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
683 sum += ntohs(lsa->header->checksum);
684 return SNMP_INTEGER(sum);
685 }
686 return SNMP_INTEGER(0);
687 case OSPFv3ORIGINATENEWLSAS:
688 return SNMP_INTEGER(
/ospf6d/ospf6_snmp.c: 683 in ospfv3GeneralGroup()
677 return SNMP_INTEGER(ospf6->lsdb->count);
678 return SNMP_INTEGER(0);
679 case OSPFv3ASSCOPELSACHECKSUMSUM:
680 if (ospf6) {
681 sum = 0;
682 for (ALL_LSDB(ospf6->lsdb, lsa, lsanext))
>>> CID 1497791: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
683 sum += ntohs(lsa->header->checksum);
684 return SNMP_INTEGER(sum);
685 }
686 return SNMP_INTEGER(0);
687 case OSPFv3ORIGINATENEWLSAS:
688 return SNMP_INTEGER(
** CID 1497790: (USE_AFTER_FREE)
/ospf6d/ospf6_asbr.c: 997 in ospf6_asbr_send_externals_to_area()
/ospf6d/ospf6_asbr.c: 997 in ospf6_asbr_send_externals_to_area()
________________________________________________________________________________________________________
*** CID 1497790: (USE_AFTER_FREE)
/ospf6d/ospf6_asbr.c: 997 in ospf6_asbr_send_externals_to_area()
991 /* When an area is unstubified, flood all the external LSAs in the area */
992 void ospf6_asbr_send_externals_to_area(struct ospf6_area *oa)
993 {
994 struct ospf6_lsa *lsa, *lsanext;
995
996 for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) {
>>> CID 1497790: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
997 if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL) {
998 zlog_debug("%s: Flooding AS-External LSA %s",
999 __func__, lsa->name);
1000 ospf6_flood_area(NULL, lsa, oa);
1001 }
1002 }
/ospf6d/ospf6_asbr.c: 997 in ospf6_asbr_send_externals_to_area()
991 /* When an area is unstubified, flood all the external LSAs in the area */
992 void ospf6_asbr_send_externals_to_area(struct ospf6_area *oa)
993 {
994 struct ospf6_lsa *lsa, *lsanext;
995
996 for (ALL_LSDB(oa->ospf6->lsdb, lsa, lsanext)) {
>>> CID 1497790: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
997 if (ntohs(lsa->header->type) == OSPF6_LSTYPE_AS_EXTERNAL) {
998 zlog_debug("%s: Flooding AS-External LSA %s",
999 __func__, lsa->name);
1000 ospf6_flood_area(NULL, lsa, oa);
1001 }
1002 }
** CID 1497789: (USE_AFTER_FREE)
/ospf6d/ospf6_snmp.c: 1175 in ospfv3IfEntry()
/ospf6d/ospf6_snmp.c: 1175 in ospfv3IfEntry()
________________________________________________________________________________________________________
*** CID 1497789: (USE_AFTER_FREE)
/ospf6d/ospf6_snmp.c: 1175 in ospfv3IfEntry()
1169 return SNMP_INTEGER(oi->cost);
1170 case OSPFv3IFLINKSCOPELSACOUNT:
1171 return SNMP_INTEGER(oi->lsdb->count);
1172 case OSPFv3IFLINKLSACKSUMSUM:
1173 sum = 0;
1174 for (ALL_LSDB(oi->lsdb, lsa, lsanext))
>>> CID 1497789: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
1175 sum += ntohs(lsa->header->checksum);
1176 return SNMP_INTEGER(sum);
1177 case OSPFv3IFDEMANDNBRPROBE:
1178 case OSPFv3IFDEMANDNBRPROBERETRANSLIMIT:
1179 case OSPFv3IFDEMANDNBRPROBEINTERVAL:
1180 case OSPFv3IFTEDISABLED:
/ospf6d/ospf6_snmp.c: 1175 in ospfv3IfEntry()
1169 return SNMP_INTEGER(oi->cost);
1170 case OSPFv3IFLINKSCOPELSACOUNT:
1171 return SNMP_INTEGER(oi->lsdb->count);
1172 case OSPFv3IFLINKLSACKSUMSUM:
1173 sum = 0;
1174 for (ALL_LSDB(oi->lsdb, lsa, lsanext))
>>> CID 1497789: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
1175 sum += ntohs(lsa->header->checksum);
1176 return SNMP_INTEGER(sum);
1177 case OSPFv3IFDEMANDNBRPROBE:
1178 case OSPFv3IFDEMANDNBRPROBERETRANSLIMIT:
1179 case OSPFv3IFDEMANDNBRPROBEINTERVAL:
1180 case OSPFv3IFTEDISABLED:
** CID 1497788: (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 747 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 758 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 727 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 737 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 737 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 747 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 723 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 727 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 719 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 719 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 768 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 768 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 723 in ospf6_neighbor_show_detail()
/ospf6d/ospf6_neighbor.c: 758 in ospf6_neighbor_show_detail()
________________________________________________________________________________________________________
*** CID 1497788: (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 747 in ospf6_neighbor_show_detail()
741 timersub(&on->thread_send_lsreq->u.sands, &now, &res);
742 timerstring(&res, duration, sizeof(duration));
743 vty_out(vty, " %d Pending LSAs for LSReq in Time %s [thread %s]\n",
744 on->request_list->count, duration,
745 (on->thread_send_lsreq ? "on" : "off"));
746 for (ALL_LSDB(on->request_list, lsa, lsanext))
>>> CID 1497788: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
747 vty_out(vty, " %s\n", lsa->name);
748
749 timerclear(&res);
750 if (on->thread_send_lsupdate)
751 timersub(&on->thread_send_lsupdate->u.sands, &now, &res);
752 timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_neighbor.c: 758 in ospf6_neighbor_show_detail()
752 timerstring(&res, duration, sizeof(duration));
753 vty_out(vty,
754 " %d Pending LSAs for LSUpdate in Time %s [thread %s]\n",
755 on->lsupdate_list->count, duration,
756 (on->thread_send_lsupdate ? "on" : "off"));
757 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext))
>>> CID 1497788: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
758 vty_out(vty, " %s\n", lsa->name);
759
760 timerclear(&res);
761 if (on->thread_send_lsack)
762 timersub(&on->thread_send_lsack->u.sands, &now, &res);
763 timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_neighbor.c: 727 in ospf6_neighbor_show_detail()
721 vty_out(vty, " Request-List: %d LSAs\n", on->request_list->count);
722 for (ALL_LSDB(on->request_list, lsa, lsanext))
723 vty_out(vty, " %s\n", lsa->name);
724
725 vty_out(vty, " Retrans-List: %d LSAs\n", on->retrans_list->count);
726 for (ALL_LSDB(on->retrans_list, lsa, lsanext))
>>> CID 1497788: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
727 vty_out(vty, " %s\n", lsa->name);
728
729 timerclear(&res);
730 if (on->thread_send_dbdesc)
731 timersub(&on->thread_send_dbdesc->u.sands, &now, &res);
732 timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_neighbor.c: 737 in ospf6_neighbor_show_detail()
731 timersub(&on->thread_send_dbdesc->u.sands, &now, &res);
732 timerstring(&res, duration, sizeof(duration));
733 vty_out(vty, " %d Pending LSAs for DbDesc in Time %s [thread %s]\n",
734 on->dbdesc_list->count, duration,
735 (on->thread_send_dbdesc ? "on" : "off"));
736 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext))
>>> CID 1497788: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
737 vty_out(vty, " %s\n", lsa->name);
738
739 timerclear(&res);
740 if (on->thread_send_lsreq)
741 timersub(&on->thread_send_lsreq->u.sands, &now, &res);
742 timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_neighbor.c: 737 in ospf6_neighbor_show_detail()
731 timersub(&on->thread_send_dbdesc->u.sands, &now, &res);
732 timerstring(&res, duration, sizeof(duration));
733 vty_out(vty, " %d Pending LSAs for DbDesc in Time %s [thread %s]\n",
734 on->dbdesc_list->count, duration,
735 (on->thread_send_dbdesc ? "on" : "off"));
736 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext))
>>> CID 1497788: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
737 vty_out(vty, " %s\n", lsa->name);
738
739 timerclear(&res);
740 if (on->thread_send_lsreq)
741 timersub(&on->thread_send_lsreq->u.sands, &now, &res);
742 timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_neighbor.c: 747 in ospf6_neighbor_show_detail()
741 timersub(&on->thread_send_lsreq->u.sands, &now, &res);
742 timerstring(&res, duration, sizeof(duration));
743 vty_out(vty, " %d Pending LSAs for LSReq in Time %s [thread %s]\n",
744 on->request_list->count, duration,
745 (on->thread_send_lsreq ? "on" : "off"));
746 for (ALL_LSDB(on->request_list, lsa, lsanext))
>>> CID 1497788: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
747 vty_out(vty, " %s\n", lsa->name);
748
749 timerclear(&res);
750 if (on->thread_send_lsupdate)
751 timersub(&on->thread_send_lsupdate->u.sands, &now, &res);
752 timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_neighbor.c: 723 in ospf6_neighbor_show_detail()
717 vty_out(vty, " Summary-List: %d LSAs\n", on->summary_list->count);
718 for (ALL_LSDB(on->summary_list, lsa, lsanext))
719 vty_out(vty, " %s\n", lsa->name);
720
721 vty_out(vty, " Request-List: %d LSAs\n", on->request_list->count);
722 for (ALL_LSDB(on->request_list, lsa, lsanext))
>>> CID 1497788: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
723 vty_out(vty, " %s\n", lsa->name);
724
725 vty_out(vty, " Retrans-List: %d LSAs\n", on->retrans_list->count);
726 for (ALL_LSDB(on->retrans_list, lsa, lsanext))
727 vty_out(vty, " %s\n", lsa->name);
728
/ospf6d/ospf6_neighbor.c: 727 in ospf6_neighbor_show_detail()
721 vty_out(vty, " Request-List: %d LSAs\n", on->request_list->count);
722 for (ALL_LSDB(on->request_list, lsa, lsanext))
723 vty_out(vty, " %s\n", lsa->name);
724
725 vty_out(vty, " Retrans-List: %d LSAs\n", on->retrans_list->count);
726 for (ALL_LSDB(on->retrans_list, lsa, lsanext))
>>> CID 1497788: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
727 vty_out(vty, " %s\n", lsa->name);
728
729 timerclear(&res);
730 if (on->thread_send_dbdesc)
731 timersub(&on->thread_send_dbdesc->u.sands, &now, &res);
732 timerstring(&res, duration, sizeof(duration));
/ospf6d/ospf6_neighbor.c: 719 in ospf6_neighbor_show_detail()
713 (CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT) ? "Master"
714 : "Slave"),
715 (unsigned long)ntohl(on->dbdesc_seqnum));
716
717 vty_out(vty, " Summary-List: %d LSAs\n", on->summary_list->count);
718 for (ALL_LSDB(on->summary_list, lsa, lsanext))
>>> CID 1497788: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
719 vty_out(vty, " %s\n", lsa->name);
720
721 vty_out(vty, " Request-List: %d LSAs\n", on->request_list->count);
722 for (ALL_LSDB(on->request_list, lsa, lsanext))
723 vty_out(vty, " %s\n", lsa->name);
724
/ospf6d/ospf6_neighbor.c: 719 in ospf6_neighbor_show_detail()
713 (CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT) ? "Master"
714 : "Slave"),
715 (unsigned long)ntohl(on->dbdesc_seqnum));
716
717 vty_out(vty, " Summary-List: %d LSAs\n", on->summary_list->count);
718 for (ALL_LSDB(on->summary_list, lsa, lsanext))
>>> CID 1497788: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
719 vty_out(vty, " %s\n", lsa->name);
720
721 vty_out(vty, " Request-List: %d LSAs\n", on->request_list->count);
722 for (ALL_LSDB(on->request_list, lsa, lsanext))
723 vty_out(vty, " %s\n", lsa->name);
724
/ospf6d/ospf6_neighbor.c: 768 in ospf6_neighbor_show_detail()
762 timersub(&on->thread_send_lsack->u.sands, &now, &res);
763 timerstring(&res, duration, sizeof(duration));
764 vty_out(vty, " %d Pending LSAs for LSAck in Time %s [thread %s]\n",
765 on->lsack_list->count, duration,
766 (on->thread_send_lsack ? "on" : "off"));
767 for (ALL_LSDB(on->lsack_list, lsa, lsanext))
>>> CID 1497788: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
768 vty_out(vty, " %s\n", lsa->name);
769
770 ospf6_bfd_show_info(vty, on->bfd_info, 0);
771 }
772
773 DEFUN (show_ipv6_ospf6_neighbor,
/ospf6d/ospf6_neighbor.c: 768 in ospf6_neighbor_show_detail()
762 timersub(&on->thread_send_lsack->u.sands, &now, &res);
763 timerstring(&res, duration, sizeof(duration));
764 vty_out(vty, " %d Pending LSAs for LSAck in Time %s [thread %s]\n",
765 on->lsack_list->count, duration,
766 (on->thread_send_lsack ? "on" : "off"));
767 for (ALL_LSDB(on->lsack_list, lsa, lsanext))
>>> CID 1497788: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
768 vty_out(vty, " %s\n", lsa->name);
769
770 ospf6_bfd_show_info(vty, on->bfd_info, 0);
771 }
772
773 DEFUN (show_ipv6_ospf6_neighbor,
/ospf6d/ospf6_neighbor.c: 723 in ospf6_neighbor_show_detail()
717 vty_out(vty, " Summary-List: %d LSAs\n", on->summary_list->count);
718 for (ALL_LSDB(on->summary_list, lsa, lsanext))
719 vty_out(vty, " %s\n", lsa->name);
720
721 vty_out(vty, " Request-List: %d LSAs\n", on->request_list->count);
722 for (ALL_LSDB(on->request_list, lsa, lsanext))
>>> CID 1497788: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
723 vty_out(vty, " %s\n", lsa->name);
724
725 vty_out(vty, " Retrans-List: %d LSAs\n", on->retrans_list->count);
726 for (ALL_LSDB(on->retrans_list, lsa, lsanext))
727 vty_out(vty, " %s\n", lsa->name);
728
/ospf6d/ospf6_neighbor.c: 758 in ospf6_neighbor_show_detail()
752 timerstring(&res, duration, sizeof(duration));
753 vty_out(vty,
754 " %d Pending LSAs for LSUpdate in Time %s [thread %s]\n",
755 on->lsupdate_list->count, duration,
756 (on->thread_send_lsupdate ? "on" : "off"));
757 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext))
>>> CID 1497788: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
758 vty_out(vty, " %s\n", lsa->name);
759
760 timerclear(&res);
761 if (on->thread_send_lsack)
762 timersub(&on->thread_send_lsack->u.sands, &now, &res);
763 timerstring(&res, duration, sizeof(duration));
** CID 1497787: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send()
/ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send()
/ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send()
________________________________________________________________________________________________________
*** CID 1497787: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send()
1941 > ospf6_packet_max(on->ospf6_if)) {
1942 ospf6_lsdb_lsa_unlock(lsa);
1943 break;
1944 }
1945
1946 e = (struct ospf6_lsreq_entry *)p;
>>> CID 1497787: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
1947 e->type = lsa->header->type;
1948 e->id = lsa->header->id;
1949 e->adv_router = lsa->header->adv_router;
1950 p += sizeof(struct ospf6_lsreq_entry);
1951 last_req = lsa;
1952 }
/ospf6d/ospf6_message.c: 1947 in ospf6_lsreq_send()
1941 > ospf6_packet_max(on->ospf6_if)) {
1942 ospf6_lsdb_lsa_unlock(lsa);
1943 break;
1944 }
1945
1946 e = (struct ospf6_lsreq_entry *)p;
>>> CID 1497787: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
1947 e->type = lsa->header->type;
1948 e->id = lsa->header->id;
1949 e->adv_router = lsa->header->adv_router;
1950 p += sizeof(struct ospf6_lsreq_entry);
1951 last_req = lsa;
1952 }
/ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send()
1936 /* set Request entries in lsreq */
1937 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
1938 for (ALL_LSDB(on->request_list, lsa, lsanext)) {
1939 /* MTU check */
1940 if (p - sendbuf + sizeof(struct ospf6_lsreq_entry)
1941 > ospf6_packet_max(on->ospf6_if)) {
>>> CID 1497787: (USE_AFTER_FREE)
>>> Passing freed pointer "lsa" as an argument to "ospf6_lsdb_lsa_unlock".
1942 ospf6_lsdb_lsa_unlock(lsa);
1943 break;
1944 }
1945
1946 e = (struct ospf6_lsreq_entry *)p;
1947 e->type = lsa->header->type;
/ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send()
1936 /* set Request entries in lsreq */
1937 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
1938 for (ALL_LSDB(on->request_list, lsa, lsanext)) {
1939 /* MTU check */
1940 if (p - sendbuf + sizeof(struct ospf6_lsreq_entry)
1941 > ospf6_packet_max(on->ospf6_if)) {
>>> CID 1497787: (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed.
1942 ospf6_lsdb_lsa_unlock(lsa);
1943 break;
1944 }
1945
1946 e = (struct ospf6_lsreq_entry *)p;
1947 e->type = lsa->header->type;
/ospf6d/ospf6_message.c: 1942 in ospf6_lsreq_send()
1936 /* set Request entries in lsreq */
1937 p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header));
1938 for (ALL_LSDB(on->request_list, lsa, lsanext)) {
1939 /* MTU check */
1940 if (p - sendbuf + sizeof(struct ospf6_lsreq_entry)
1941 > ospf6_packet_max(on->ospf6_if)) {
>>> CID 1497787: (USE_AFTER_FREE)
>>> Calling "ospf6_lsdb_lsa_unlock" frees pointer "lsa" which has already been freed.
1942 ospf6_lsdb_lsa_unlock(lsa);
1943 break;
1944 }
1945
1946 e = (struct ospf6_lsreq_entry *)p;
1947 e->type = lsa->header->type;
** CID 1497786: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1497786: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 1837 in ospf6_dbdesc_send()
1831 dbdesc->seqnum = htonl(on->dbdesc_seqnum);
1832
1833 /* if this is not initial one, set LSA headers in dbdesc */
1834 p = (uint8_t *)((caddr_t)dbdesc + sizeof(struct ospf6_dbdesc));
1835 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) {
1836 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
>>> CID 1497786: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
1837 ospf6_lsa_age_update_to_send(lsa,
1838 on->ospf6_if->transdelay);
1839
1840 /* MTU check */
1841 if (p - sendbuf + sizeof(struct ospf6_lsa_header)
1842 > ospf6_packet_max(on->ospf6_if)) {
/ospf6d/ospf6_message.c: 1837 in ospf6_dbdesc_send()
1831 dbdesc->seqnum = htonl(on->dbdesc_seqnum);
1832
1833 /* if this is not initial one, set LSA headers in dbdesc */
1834 p = (uint8_t *)((caddr_t)dbdesc + sizeof(struct ospf6_dbdesc));
1835 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) {
1836 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
>>> CID 1497786: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
1837 ospf6_lsa_age_update_to_send(lsa,
1838 on->ospf6_if->transdelay);
1839
1840 /* MTU check */
1841 if (p - sendbuf + sizeof(struct ospf6_lsa_header)
1842 > ospf6_packet_max(on->ospf6_if)) {
** CID 1496729: Integer handling issues (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 268 in ecommunity_dup()
________________________________________________________________________________________________________
*** CID 1496729: Integer handling issues (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 268 in ecommunity_dup()
262 struct ecommunity *new;
263
264 new = XCALLOC(MTYPE_ECOMMUNITY, sizeof(struct ecommunity));
265 new->size = ecom->size;
266 new->unit_size = ecom->unit_size;
267 if (new->size) {
>>> CID 1496729: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "ecom->size * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom->size * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
268 new->val = XMALLOC(MTYPE_ECOMMUNITY_VAL,
269 ecom->size * ecom->unit_size);
270 memcpy(new->val, ecom->val,
271 (size_t)ecom->size * (size_t)ecom->unit_size);
272 } else
273 new->val = NULL;
** CID 1496726: Integer handling issues (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 1235 in ecommunity_strip()
________________________________________________________________________________________________________
*** CID 1496726: Integer handling issues (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 1235 in ecommunity_strip()
1229 XFREE(MTYPE_ECOMMUNITY_VAL, ecom->val);
1230 ecom->size = 0;
1231 return true;
1232 }
1233
1234 /* Strip matching ext community(ies). */
>>> CID 1496726: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "(ecom->size - found) * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(ecom->size - found) * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1235 new = XMALLOC(MTYPE_ECOMMUNITY_VAL,
1236 (ecom->size - found) * ecom->unit_size);
1237 q = new;
1238 for (c = 0, p = ecom->val; c < ecom->size; c++, p += ecom->unit_size) {
1239 if (!(p[0] == type && p[1] == subtype)) {
1240 memcpy(q, p, ecom->unit_size);
** CID 1496724: (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 1280 in ecommunity_del_val()
/bgpd/bgp_ecommunity.c: 1276 in ecommunity_del_val()
/bgpd/bgp_ecommunity.c: 1274 in ecommunity_del_val()
________________________________________________________________________________________________________
*** CID 1496724: (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 1280 in ecommunity_del_val()
1274 p = XMALLOC(MTYPE_ECOMMUNITY_VAL, ecom->size * ecom->unit_size);
1275 if (c != 0)
1276 memcpy(p, ecom->val, c * ecom->unit_size);
1277 if ((ecom->size - c) != 0)
1278 memcpy(p + (c)*ecom->unit_size,
1279 ecom->val + (c + 1) * ecom->unit_size,
>>> CID 1496724: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "(ecom->size - c) * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(ecom->size - c) * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1280 (ecom->size - c) * ecom->unit_size);
1281 XFREE(MTYPE_ECOMMUNITY_VAL, ecom->val);
1282 ecom->val = p;
1283 return true;
1284 }
1285
/bgpd/bgp_ecommunity.c: 1276 in ecommunity_del_val()
1270 return false;
1271
1272 /* Delete the selected value */
1273 ecom->size--;
1274 p = XMALLOC(MTYPE_ECOMMUNITY_VAL, ecom->size * ecom->unit_size);
1275 if (c != 0)
>>> CID 1496724: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "c * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "c * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1276 memcpy(p, ecom->val, c * ecom->unit_size);
1277 if ((ecom->size - c) != 0)
1278 memcpy(p + (c)*ecom->unit_size,
1279 ecom->val + (c + 1) * ecom->unit_size,
1280 (ecom->size - c) * ecom->unit_size);
1281 XFREE(MTYPE_ECOMMUNITY_VAL, ecom->val);
/bgpd/bgp_ecommunity.c: 1274 in ecommunity_del_val()
1268 }
1269 if (found == 0)
1270 return false;
1271
1272 /* Delete the selected value */
1273 ecom->size--;
>>> CID 1496724: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom->unit_size" with type "uint8_t" (8 bits, unsigned) is promoted in "ecom->size * ecom->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom->size * ecom->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1274 p = XMALLOC(MTYPE_ECOMMUNITY_VAL, ecom->size * ecom->unit_size);
1275 if (c != 0)
1276 memcpy(p, ecom->val, c * ecom->unit_size);
1277 if ((ecom->size - c) != 0)
1278 memcpy(p + (c)*ecom->unit_size,
1279 ecom->val + (c + 1) * ecom->unit_size,
** CID 1496723: (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 164 in ecommunity_add_val_internal()
/bgpd/bgp_ecommunity.c: 106 in ecommunity_add_val_internal()
/bgpd/bgp_ecommunity.c: 158 in ecommunity_add_val_internal()
________________________________________________________________________________________________________
*** CID 1496723: (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 164 in ecommunity_add_val_internal()
158 ecom->val = XREALLOC(MTYPE_ECOMMUNITY_VAL, ecom->val,
159 ecom_length_size(ecom, ecom_size));
160
161
162 memmove(ecom->val + ((ins_idx + 1) * ecom_size),
163 ecom->val + (ins_idx * ecom_size),
>>> CID 1496723: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom_size" with type "uint8_t" (8 bits, unsigned) is promoted in "(ecom->size - 1 - ins_idx) * ecom_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(ecom->size - 1 - ins_idx) * ecom_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
164 (ecom->size - 1 - ins_idx) * ecom_size);
165 memcpy(ecom->val + (ins_idx * ecom_size),
166 eval, ecom_size);
167
168 return true;
169 }
/bgpd/bgp_ecommunity.c: 106 in ecommunity_add_val_internal()
100 const struct ecommunity_val_ipv6 *eval6 =
101 (struct ecommunity_val_ipv6 *)eval;
102
103 /* When this is fist value, just add it. */
104 if (ecom->val == NULL) {
105 ecom->size = 1;
>>> CID 1496723: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom_size" with type "uint8_t" (8 bits, unsigned) is promoted in "ecom->size * ecom_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom->size * ecom_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
106 ecom->val = XMALLOC(MTYPE_ECOMMUNITY_VAL,
107 ecom_length_size(ecom, ecom_size));
108 memcpy(ecom->val, eval, ecom_size);
109 return true;
110 }
111
/bgpd/bgp_ecommunity.c: 158 in ecommunity_add_val_internal()
152
153 if (ins_idx == -1)
154 ins_idx = c;
155
156 /* Add the value to the structure with numerical sorting. */
157 ecom->size++;
>>> CID 1496723: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom_size" with type "uint8_t" (8 bits, unsigned) is promoted in "ecom->size * ecom_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom->size * ecom_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
158 ecom->val = XREALLOC(MTYPE_ECOMMUNITY_VAL, ecom->val,
159 ecom_length_size(ecom, ecom_size));
160
161
162 memmove(ecom->val + ((ins_idx + 1) * ecom_size),
163 ecom->val + (ins_idx * ecom_size),
** CID 1496721: Integer handling issues (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 368 in ecommunity_cmp()
________________________________________________________________________________________________________
*** CID 1496721: Integer handling issues (SIGN_EXTENSION)
/bgpd/bgp_ecommunity.c: 368 in ecommunity_cmp()
362 return false;
363
364 if (ecom1->unit_size != ecom2->unit_size)
365 return false;
366
367 return (ecom1->size == ecom2->size
>>> CID 1496721: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ecom1->unit_size" with type "uint8_t const" (8 bits, unsigned) is promoted in "ecom1->size * ecom1->unit_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ecom1->size * ecom1->unit_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
368 && memcmp(ecom1->val, ecom2->val, ecom1->size *
369 ecom1->unit_size) == 0);
370 }
371
372 /* Initialize Extended Comminities related hash. */
373 void ecommunity_init(void)
** CID 1496618: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1496618: Null pointer dereferences (FORWARD_NULL)
/bgpd/bgp_evpn_mh.c: 919 in bgp_evpn_type1_route_update()
913 attr_new = pi->attr;
914
915 /* Perform route selection;
916 * this is just to set the flags correctly as local route in
917 * the ES always wins.
918 */
>>> CID 1496618: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "vpn" to "evpn_route_select_install", which dereferences it.
919 evpn_route_select_install(bgp, vpn, dest);
920 bgp_dest_unlock_node(dest);
921
922 /* If this is a new route or some attribute has changed, export the
923 * route to the global table. The route will be advertised to peers
924 * from there. Note that this table is a 2-level tree (RD-level +
** CID 1496614: Error handling issues (CHECKED_RETURN)
/bgpd/bgp_evpn_mh.c: 1452 in bgp_evpn_local_es_up()
________________________________________________________________________________________________________
*** CID 1496614: Error handling issues (CHECKED_RETURN)
/bgpd/bgp_evpn_mh.c: 1452 in bgp_evpn_local_es_up()
1446 /* generate EAD-EVI */
1447 bgp_evpn_local_type1_evi_route_add(bgp, es);
1448
1449 /* generate EAD-ES */
1450 build_evpn_type1_prefix(&p, BGP_EVPN_AD_ES_ETH_TAG,
1451 &es->esi, es->originator_ip);
>>> CID 1496614: Error handling issues (CHECKED_RETURN)
>>> Calling "bgp_evpn_type1_route_update" without checking return value (as is done elsewhere 4 out of 5 times).
1452 bgp_evpn_type1_route_update(bgp, es, NULL, &p);
1453 }
1454
1455 static void bgp_evpn_local_es_do_del(struct bgp *bgp, struct bgp_evpn_es *es)
1456 {
1457 struct bgp_evpn_es_evi *es_evi;
** CID 1487305: Memory - corruptions (ARRAY_VS_SINGLETON)
/lib/prefix.c: 265 in evpn_type5_prefix_match()
________________________________________________________________________________________________________
*** CID 1487305: Memory - corruptions (ARRAY_VS_SINGLETON)
/lib/prefix.c: 265 in evpn_type5_prefix_match()
259 return 0;
260
261 offset = prefixlen / PNBBY;
262 shift = prefixlen % PNBBY;
263
264 if (shift)
>>> CID 1487305: Memory - corruptions (ARRAY_VS_SINGLETON)
>>> Using "np" as an array. This might corrupt or misinterpret adjacent memory locations.
265 if (maskbit[shift] & (np[offset] ^ pp[offset]))
266 return 0;
267
268 while (offset--)
269 if (np[offset] != pp[offset])
270 return 0;
** CID 1486267: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1486267: (USE_AFTER_FREE)
/ospf6d/ospf6_neighbor.c: 486 in seqnumber_mismatch()
480 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT);
481 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT);
482 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT);
483
484 ospf6_lsdb_remove_all(on->summary_list);
485 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486267: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
486 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
487 ospf6_decrement_retrans_count(lsa);
488 ospf6_lsdb_remove(lsa, on->retrans_list);
489 }
490
491 THREAD_OFF(on->thread_send_dbdesc);
/ospf6d/ospf6_neighbor.c: 487 in seqnumber_mismatch()
481 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT);
482 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT);
483
484 ospf6_lsdb_remove_all(on->summary_list);
485 ospf6_lsdb_remove_all(on->request_list);
486 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
>>> CID 1486267: (USE_AFTER_FREE)
>>> Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
487 ospf6_decrement_retrans_count(lsa);
488 ospf6_lsdb_remove(lsa, on->retrans_list);
489 }
490
491 THREAD_OFF(on->thread_send_dbdesc);
492 on->dbdesc_seqnum++; /* Incr seqnum as per RFC2328, sec 10.3 */
/ospf6d/ospf6_neighbor.c: 487 in seqnumber_mismatch()
481 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT);
482 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT);
483
484 ospf6_lsdb_remove_all(on->summary_list);
485 ospf6_lsdb_remove_all(on->request_list);
486 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
>>> CID 1486267: (USE_AFTER_FREE)
>>> Calling "ospf6_decrement_retrans_count" dereferences freed pointer "lsa".
487 ospf6_decrement_retrans_count(lsa);
488 ospf6_lsdb_remove(lsa, on->retrans_list);
489 }
490
491 THREAD_OFF(on->thread_send_dbdesc);
492 on->dbdesc_seqnum++; /* Incr seqnum as per RFC2328, sec 10.3 */
/ospf6d/ospf6_neighbor.c: 486 in seqnumber_mismatch()
480 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MSBIT);
481 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_MBIT);
482 SET_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT);
483
484 ospf6_lsdb_remove_all(on->summary_list);
485 ospf6_lsdb_remove_all(on->request_list);
>>> CID 1486267: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
486 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
487 ospf6_decrement_retrans_count(lsa);
488 ospf6_lsdb_remove(lsa, on->retrans_list);
489 }
490
491 THREAD_OFF(on->thread_send_dbdesc);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3Db3B5_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTxhZDdUmMucp17qcmCOi5YvgeqVM-2BlYQaYJowimdR1gBFlBlXqGjJJIbuC3d61ycVEGq7-2FqrsuqeDJHWijRSgvWfNOoNVkJ8QolZH42x4wA-2BtI5Vp3mIWPeyqjKP7F9kJn-2FGThuMkRsD4ArjvCVQkbYw3TFcJ7oVJfZJpjVQLLdX7xA7AkegK60KuCyaG6ZwQA-3D