New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Wed Jun 23 09:24:39 UTC 2021
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
13 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
10 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 13 of 13 defect(s)
** CID 1505419: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2366 in ospf6_make_lsupdate_list()
/ospf6d/ospf6_message.c: 2366 in ospf6_make_lsupdate_list()
________________________________________________________________________________________________________
*** CID 1505419: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2365 in ospf6_make_lsupdate_list()
2359 uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2360 struct ospf6_lsa *lsa, *lsanext;
2361
2362 /* skip over fixed header */
2363 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2364
>>> CID 1505419: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2365 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
2366 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2367 + OSPF6_HEADER_SIZE)
2368 > ospf6_packet_max(on->ospf6_if)) {
2369 ospf6_fill_header(on->ospf6_if, (*op)->s,
2370 length + OSPF6_HEADER_SIZE);
/ospf6d/ospf6_message.c: 2366 in ospf6_make_lsupdate_list()
2360 struct ospf6_lsa *lsa, *lsanext;
2361
2362 /* skip over fixed header */
2363 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2364
2365 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
>>> CID 1505419: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2366 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2367 + OSPF6_HEADER_SIZE)
2368 > ospf6_packet_max(on->ospf6_if)) {
2369 ospf6_fill_header(on->ospf6_if, (*op)->s,
2370 length + OSPF6_HEADER_SIZE);
2371 (*op)->length = length + OSPF6_HEADER_SIZE;
/ospf6d/ospf6_message.c: 2365 in ospf6_make_lsupdate_list()
2359 uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2360 struct ospf6_lsa *lsa, *lsanext;
2361
2362 /* skip over fixed header */
2363 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2364
>>> CID 1505419: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2365 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
2366 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2367 + OSPF6_HEADER_SIZE)
2368 > ospf6_packet_max(on->ospf6_if)) {
2369 ospf6_fill_header(on->ospf6_if, (*op)->s,
2370 length + OSPF6_HEADER_SIZE);
/ospf6d/ospf6_message.c: 2366 in ospf6_make_lsupdate_list()
2360 struct ospf6_lsa *lsa, *lsanext;
2361
2362 /* skip over fixed header */
2363 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2364
2365 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
>>> CID 1505419: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2366 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2367 + OSPF6_HEADER_SIZE)
2368 > ospf6_packet_max(on->ospf6_if)) {
2369 ospf6_fill_header(on->ospf6_if, (*op)->s,
2370 length + OSPF6_HEADER_SIZE);
2371 (*op)->length = length + OSPF6_HEADER_SIZE;
** CID 1505418: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2207 in ospf6_make_lsreq()
/ospf6d/ospf6_message.c: 2207 in ospf6_make_lsreq()
________________________________________________________________________________________________________
*** CID 1505418: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2207 in ospf6_make_lsreq()
2201 ospf6_lsa_unlock(lsa);
2202 if (lsanext)
2203 ospf6_lsa_unlock(lsanext);
2204 break;
2205 }
2206 stream_putw(s, 0); /* reserved */
>>> CID 1505418: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2207 stream_putw(s, ntohs(lsa->header->type));
2208 stream_putl(s, ntohl(lsa->header->id));
2209 stream_putl(s, ntohl(lsa->header->adv_router));
2210 length += sizeof(struct ospf6_lsreq_entry);
2211 last_req = lsa;
2212 }
/ospf6d/ospf6_message.c: 2201 in ospf6_make_lsreq()
2195 uint16_t length = 0;
2196 struct ospf6_lsa *lsa, *lsanext, *last_req = NULL;
2197
2198 for (ALL_LSDB(on->request_list, lsa, lsanext)) {
2199 if ((length + OSPF6_HEADER_SIZE)
2200 > ospf6_packet_max(on->ospf6_if)) {
>>> CID 1505418: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2201 ospf6_lsa_unlock(lsa);
2202 if (lsanext)
2203 ospf6_lsa_unlock(lsanext);
2204 break;
2205 }
2206 stream_putw(s, 0); /* reserved */
/ospf6d/ospf6_message.c: 2201 in ospf6_make_lsreq()
2195 uint16_t length = 0;
2196 struct ospf6_lsa *lsa, *lsanext, *last_req = NULL;
2197
2198 for (ALL_LSDB(on->request_list, lsa, lsanext)) {
2199 if ((length + OSPF6_HEADER_SIZE)
2200 > ospf6_packet_max(on->ospf6_if)) {
>>> CID 1505418: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2201 ospf6_lsa_unlock(lsa);
2202 if (lsanext)
2203 ospf6_lsa_unlock(lsanext);
2204 break;
2205 }
2206 stream_putw(s, 0); /* reserved */
/ospf6d/ospf6_message.c: 2207 in ospf6_make_lsreq()
2201 ospf6_lsa_unlock(lsa);
2202 if (lsanext)
2203 ospf6_lsa_unlock(lsanext);
2204 break;
2205 }
2206 stream_putw(s, 0); /* reserved */
>>> CID 1505418: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2207 stream_putw(s, ntohs(lsa->header->type));
2208 stream_putl(s, ntohl(lsa->header->id));
2209 stream_putl(s, ntohl(lsa->header->adv_router));
2210 length += sizeof(struct ospf6_lsreq_entry);
2211 last_req = lsa;
2212 }
** CID 1505417: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2404 in ospf6_make_ls_retrans_list()
/ospf6d/ospf6_message.c: 2404 in ospf6_make_ls_retrans_list()
________________________________________________________________________________________________________
*** CID 1505417: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2404 in ospf6_make_ls_retrans_list()
2398 struct ospf6_lsa *lsa, *lsanext;
2399
2400 /* skip over fixed header */
2401 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2402
2403 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
>>> CID 1505417: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2404 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2405 + OSPF6_HEADER_SIZE)
2406 > ospf6_packet_max(on->ospf6_if)) {
2407 ospf6_fill_header(on->ospf6_if, (*op)->s,
2408 length + OSPF6_HEADER_SIZE);
2409 (*op)->length = length + OSPF6_HEADER_SIZE;
/ospf6d/ospf6_message.c: 2404 in ospf6_make_ls_retrans_list()
2398 struct ospf6_lsa *lsa, *lsanext;
2399
2400 /* skip over fixed header */
2401 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2402
2403 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
>>> CID 1505417: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2404 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2405 + OSPF6_HEADER_SIZE)
2406 > ospf6_packet_max(on->ospf6_if)) {
2407 ospf6_fill_header(on->ospf6_if, (*op)->s,
2408 length + OSPF6_HEADER_SIZE);
2409 (*op)->length = length + OSPF6_HEADER_SIZE;
** CID 1505416: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/ospf6d/ospf6_message.c: 1949 in ospf6_write()
________________________________________________________________________________________________________
*** CID 1505416: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/ospf6d/ospf6_message.c: 1949 in ospf6_write()
1943 monotime(&timestamp);
1944 if (oi->hello_out)
1945 latency = monotime_since(&oi->last_hello, NULL)
1946 - (oi->hello_interval * 1000000);
1947
1948 /* log if latency exceeds the hello period */
>>> CID 1505416: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "oi->hello_interval * 1000000" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "_int64_t" (64 bits, signed).
1949 if (latency > (oi->hello_interval * 1000000))
1950 zlog_warn("%s hello TX high latency %" PRId64
1951 "us.",
1952 __func__, latency);
1953 oi->last_hello = timestamp;
1954 oi->hello_out++;
** CID 1505415: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1505415: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2218 in ospf6_make_lsreq()
2212 }
2213
2214 if (last_req != NULL) {
2215 if (on->last_ls_req != NULL)
2216 on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req);
2217
>>> CID 1505415: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
2218 ospf6_lsa_lock(last_req);
2219 on->last_ls_req = last_req;
2220 }
2221
2222 return length;
2223 }
/ospf6d/ospf6_message.c: 2218 in ospf6_make_lsreq()
2212 }
2213
2214 if (last_req != NULL) {
2215 if (on->last_ls_req != NULL)
2216 on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req);
2217
>>> CID 1505415: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
2218 ospf6_lsa_lock(last_req);
2219 on->last_ls_req = last_req;
2220 }
2221
2222 return length;
2223 }
** CID 1505414: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1505414: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2081 in ospf6_make_dbdesc()
2075 stream_putc(s, on->dbdesc_bits);
2076 stream_putl(s, on->dbdesc_seqnum);
2077
2078 /* if this is not initial one, set LSA headers in dbdesc */
2079 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) {
2080 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
>>> CID 1505414: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2081 ospf6_lsa_age_update_to_send(lsa,
2082 on->ospf6_if->transdelay);
2083
2084 /* MTU check */
2085 if ((length + sizeof(struct ospf6_lsa_header)
2086 + OSPF6_HEADER_SIZE)
/ospf6d/ospf6_message.c: 2081 in ospf6_make_dbdesc()
2075 stream_putc(s, on->dbdesc_bits);
2076 stream_putl(s, on->dbdesc_seqnum);
2077
2078 /* if this is not initial one, set LSA headers in dbdesc */
2079 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) {
2080 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
>>> CID 1505414: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2081 ospf6_lsa_age_update_to_send(lsa,
2082 on->ospf6_if->transdelay);
2083
2084 /* MTU check */
2085 if ((length + sizeof(struct ospf6_lsa_header)
2086 + OSPF6_HEADER_SIZE)
** CID 1505413: Null pointer dereferences (REVERSE_INULL)
/bgpd/bgp_evpn_vty.c: 67 in argv_find_and_parse_oly_idx()
________________________________________________________________________________________________________
*** CID 1505413: Null pointer dereferences (REVERSE_INULL)
/bgpd/bgp_evpn_vty.c: 67 in argv_find_and_parse_oly_idx()
61
62 int argv_find_and_parse_oly_idx(struct cmd_token **argv, int argc, int *oly_idx,
63 enum overlay_index_type *oly)
64 {
65 *oly = OVERLAY_INDEX_TYPE_NONE;
66 if (argv_find(argv, argc, "gateway-ip", oly_idx)) {
>>> CID 1505413: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "oly" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
67 if (oly)
68 *oly = OVERLAY_INDEX_GATEWAY_IP;
69 }
70 return 1;
71 }
72
** CID 1505412: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1505412: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2672 in ospf6_make_lsack_interface()
2666 static uint16_t ospf6_make_lsack_interface(struct ospf6_interface *oi,
2667 struct ospf6_packet *op)
2668 {
2669 uint16_t length = 0;
2670 struct ospf6_lsa *lsa, *lsanext;
2671
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2672 for (ALL_LSDB(oi->lsack_list, lsa, lsanext)) {
2673 if ((length + sizeof(struct ospf6_lsa_header)
2674 + OSPF6_HEADER_SIZE)
2675 > ospf6_packet_max(oi)) {
2676 /* if we run out of packet size/space here,
2677 better to try again soon. */
/ospf6d/ospf6_message.c: 2687 in ospf6_make_lsack_interface()
2681
2682 ospf6_lsa_unlock(lsa);
2683 if (lsanext)
2684 ospf6_lsa_unlock(lsanext);
2685 break;
2686 }
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2687 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2688 stream_put(op->s, lsa->header, sizeof(struct ospf6_lsa_header));
2689 length += sizeof(struct ospf6_lsa_header);
2690
2691 assert(lsa->lock == 2);
2692 ospf6_lsdb_remove(lsa, oi->lsack_list);
/ospf6d/ospf6_message.c: 2687 in ospf6_make_lsack_interface()
2681
2682 ospf6_lsa_unlock(lsa);
2683 if (lsanext)
2684 ospf6_lsa_unlock(lsanext);
2685 break;
2686 }
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2687 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2688 stream_put(op->s, lsa->header, sizeof(struct ospf6_lsa_header));
2689 length += sizeof(struct ospf6_lsa_header);
2690
2691 assert(lsa->lock == 2);
2692 ospf6_lsdb_remove(lsa, oi->lsack_list);
/ospf6d/ospf6_message.c: 2682 in ospf6_make_lsack_interface()
2676 /* if we run out of packet size/space here,
2677 better to try again soon. */
2678 THREAD_OFF(oi->thread_send_lsack);
2679 thread_add_event(master, ospf6_lsack_send_interface, oi,
2680 0, &oi->thread_send_lsack);
2681
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2682 ospf6_lsa_unlock(lsa);
2683 if (lsanext)
2684 ospf6_lsa_unlock(lsanext);
2685 break;
2686 }
2687 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
/ospf6d/ospf6_message.c: 2672 in ospf6_make_lsack_interface()
2666 static uint16_t ospf6_make_lsack_interface(struct ospf6_interface *oi,
2667 struct ospf6_packet *op)
2668 {
2669 uint16_t length = 0;
2670 struct ospf6_lsa *lsa, *lsanext;
2671
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2672 for (ALL_LSDB(oi->lsack_list, lsa, lsanext)) {
2673 if ((length + sizeof(struct ospf6_lsa_header)
2674 + OSPF6_HEADER_SIZE)
2675 > ospf6_packet_max(oi)) {
2676 /* if we run out of packet size/space here,
2677 better to try again soon. */
** CID 1505411: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/ospf6d/ospf6_message.c: 449 in ospf6_hello_recv()
________________________________________________________________________________________________________
*** CID 1505411: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/ospf6d/ospf6_message.c: 449 in ospf6_hello_recv()
443
444 /* check latency against hello period */
445 if (on->hello_in)
446 latency = monotime_since(&on->last_hello, NULL)
447 - (oi->hello_interval * 1000000);
448 /* log if latency exceeds the hello period */
>>> CID 1505411: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "oi->hello_interval * 1000000" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "_int64_t" (64 bits, signed).
449 if (latency > (oi->hello_interval * 1000000))
450 zlog_warn("%s RX %pI4 high latency %" PRId64 "us.", __func__,
451 &on->router_id, latency);
452 on->last_hello = timestamp;
453 on->hello_in++;
454
** CID 1505410: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2545 in ospf6_make_lsupdate_interface()
/ospf6d/ospf6_message.c: 2545 in ospf6_make_lsupdate_interface()
________________________________________________________________________________________________________
*** CID 1505410: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2544 in ospf6_make_lsupdate_interface()
2538 uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2539 struct ospf6_lsa *lsa, *lsanext;
2540
2541 /* skip over fixed header */
2542 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2543
>>> CID 1505410: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2544 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
2545 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2546 + OSPF6_HEADER_SIZE
2547 > ospf6_packet_max(oi)) {
2548 ospf6_fill_header(oi, (*op)->s,
2549 length + OSPF6_HEADER_SIZE);
/ospf6d/ospf6_message.c: 2544 in ospf6_make_lsupdate_interface()
2538 uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2539 struct ospf6_lsa *lsa, *lsanext;
2540
2541 /* skip over fixed header */
2542 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2543
>>> CID 1505410: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2544 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
2545 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2546 + OSPF6_HEADER_SIZE
2547 > ospf6_packet_max(oi)) {
2548 ospf6_fill_header(oi, (*op)->s,
2549 length + OSPF6_HEADER_SIZE);
/ospf6d/ospf6_message.c: 2545 in ospf6_make_lsupdate_interface()
2539 struct ospf6_lsa *lsa, *lsanext;
2540
2541 /* skip over fixed header */
2542 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2543
2544 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
>>> CID 1505410: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2545 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2546 + OSPF6_HEADER_SIZE
2547 > ospf6_packet_max(oi)) {
2548 ospf6_fill_header(oi, (*op)->s,
2549 length + OSPF6_HEADER_SIZE);
2550 (*op)->length = length + OSPF6_HEADER_SIZE;
/ospf6d/ospf6_message.c: 2545 in ospf6_make_lsupdate_interface()
2539 struct ospf6_lsa *lsa, *lsanext;
2540
2541 /* skip over fixed header */
2542 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2543
2544 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
>>> CID 1505410: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2545 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2546 + OSPF6_HEADER_SIZE
2547 > ospf6_packet_max(oi)) {
2548 ospf6_fill_header(oi, (*op)->s,
2549 length + OSPF6_HEADER_SIZE);
2550 (*op)->length = length + OSPF6_HEADER_SIZE;
** CID 1505409: (SIGN_EXTENSION)
/ospf6d/ospf6_message.c: 1946 in ospf6_write()
/ospf6d/ospf6_message.c: 1949 in ospf6_write()
________________________________________________________________________________________________________
*** CID 1505409: (SIGN_EXTENSION)
/ospf6d/ospf6_message.c: 1946 in ospf6_write()
1940 }
1941 switch (oh->type) {
1942 case OSPF6_MESSAGE_TYPE_HELLO:
1943 monotime(&timestamp);
1944 if (oi->hello_out)
1945 latency = monotime_since(&oi->last_hello, NULL)
>>> CID 1505409: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "oi->hello_interval" with type "uint16_t" (16 bits, unsigned) is promoted in "oi->hello_interval * 1000000" to type "int" (32 bits, signed), then sign-extended to type "long long" (64 bits, signed). If "oi->hello_interval * 1000000" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1946 - (oi->hello_interval * 1000000);
1947
1948 /* log if latency exceeds the hello period */
1949 if (latency > (oi->hello_interval * 1000000))
1950 zlog_warn("%s hello TX high latency %" PRId64
1951 "us.",
/ospf6d/ospf6_message.c: 1949 in ospf6_write()
1943 monotime(&timestamp);
1944 if (oi->hello_out)
1945 latency = monotime_since(&oi->last_hello, NULL)
1946 - (oi->hello_interval * 1000000);
1947
1948 /* log if latency exceeds the hello period */
>>> CID 1505409: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "oi->hello_interval" with type "uint16_t" (16 bits, unsigned) is promoted in "oi->hello_interval * 1000000" to type "int" (32 bits, signed), then sign-extended to type "long long" (64 bits, signed). If "oi->hello_interval * 1000000" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1949 if (latency > (oi->hello_interval * 1000000))
1950 zlog_warn("%s hello TX high latency %" PRId64
1951 "us.",
1952 __func__, latency);
1953 oi->last_hello = timestamp;
1954 oi->hello_out++;
** CID 1505408: (SIGN_EXTENSION)
/ospf6d/ospf6_message.c: 447 in ospf6_hello_recv()
/ospf6d/ospf6_message.c: 449 in ospf6_hello_recv()
________________________________________________________________________________________________________
*** CID 1505408: (SIGN_EXTENSION)
/ospf6d/ospf6_message.c: 447 in ospf6_hello_recv()
441 on->priority = hello->priority;
442 }
443
444 /* check latency against hello period */
445 if (on->hello_in)
446 latency = monotime_since(&on->last_hello, NULL)
>>> CID 1505408: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "oi->hello_interval" with type "uint16_t" (16 bits, unsigned) is promoted in "oi->hello_interval * 1000000" to type "int" (32 bits, signed), then sign-extended to type "long long" (64 bits, signed). If "oi->hello_interval * 1000000" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
447 - (oi->hello_interval * 1000000);
448 /* log if latency exceeds the hello period */
449 if (latency > (oi->hello_interval * 1000000))
450 zlog_warn("%s RX %pI4 high latency %" PRId64 "us.", __func__,
451 &on->router_id, latency);
452 on->last_hello = timestamp;
/ospf6d/ospf6_message.c: 449 in ospf6_hello_recv()
443
444 /* check latency against hello period */
445 if (on->hello_in)
446 latency = monotime_since(&on->last_hello, NULL)
447 - (oi->hello_interval * 1000000);
448 /* log if latency exceeds the hello period */
>>> CID 1505408: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "oi->hello_interval" with type "uint16_t" (16 bits, unsigned) is promoted in "oi->hello_interval * 1000000" to type "int" (32 bits, signed), then sign-extended to type "long long" (64 bits, signed). If "oi->hello_interval * 1000000" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
449 if (latency > (oi->hello_interval * 1000000))
450 zlog_warn("%s RX %pI4 high latency %" PRId64 "us.", __func__,
451 &on->router_id, latency);
452 on->last_hello = timestamp;
453 on->hello_in++;
454
** CID 1505407: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1505407: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2232 in ospf6_make_lsack_neighbor()
2226 struct ospf6_packet **op)
2227 {
2228 uint16_t length = 0;
2229 struct ospf6_lsa *lsa, *lsanext;
2230 int lsa_cnt = 0;
2231
>>> CID 1505407: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2232 for (ALL_LSDB(on->lsack_list, lsa, lsanext)) {
2233 if ((length + sizeof(struct ospf6_lsa_header)
2234 + OSPF6_HEADER_SIZE)
2235 > ospf6_packet_max(on->ospf6_if)) {
2236 /* if we run out of packet size/space here,
2237 better to try again soon. */
/ospf6d/ospf6_message.c: 2232 in ospf6_make_lsack_neighbor()
2226 struct ospf6_packet **op)
2227 {
2228 uint16_t length = 0;
2229 struct ospf6_lsa *lsa, *lsanext;
2230 int lsa_cnt = 0;
2231
>>> CID 1505407: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2232 for (ALL_LSDB(on->lsack_list, lsa, lsanext)) {
2233 if ((length + sizeof(struct ospf6_lsa_header)
2234 + OSPF6_HEADER_SIZE)
2235 > ospf6_packet_max(on->ospf6_if)) {
2236 /* if we run out of packet size/space here,
2237 better to try again soon. */
/ospf6d/ospf6_message.c: 2254 in ospf6_make_lsack_neighbor()
2248 ospf6_make_header(OSPF6_MESSAGE_TYPE_LSACK,
2249 on->ospf6_if, (*op)->s);
2250 length = 0;
2251 lsa_cnt = 0;
2252 }
2253 }
>>> CID 1505407: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2254 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay);
2255 stream_put((*op)->s, lsa->header,
2256 sizeof(struct ospf6_lsa_header));
2257 length += sizeof(struct ospf6_lsa_header);
2258
2259 assert(lsa->lock == 2);
/ospf6d/ospf6_message.c: 2254 in ospf6_make_lsack_neighbor()
2248 ospf6_make_header(OSPF6_MESSAGE_TYPE_LSACK,
2249 on->ospf6_if, (*op)->s);
2250 length = 0;
2251 lsa_cnt = 0;
2252 }
2253 }
>>> CID 1505407: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2254 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay);
2255 stream_put((*op)->s, lsa->header,
2256 sizeof(struct ospf6_lsa_header));
2257 length += sizeof(struct ospf6_lsa_header);
2258
2259 assert(lsa->lock == 2);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3Dz3ri_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTy9kvLDw7xI52vbkUipLXZrwNyJxAE-2B9vRo-2BEThzRdQOIiXyA3KKfteWnmPNQ9esexEQbHjHJ4QXbIcyi0fi-2BvPxKGa2JcK4oFin4iMXvDe-2BcZPCxLqCqZo-2B7b-2B3ezD4ifDYddF1aZZKiurzw0TJNE07e7uAsYtdMHL-2B1-2BHyTMWqw-3D-3D