New Defects reported by Coverity Scan for freerangerouting/frr

scan-admin at coverity.com scan-admin at coverity.com
Wed Jun 23 09:24:39 UTC 2021


Hi,

Please find below the latest report on new defect(s) introduced to freerangerouting/frr, found with Coverity Scan.

13 new defect(s) introduced to freerangerouting/frr found with Coverity Scan: eight USE_AFTER_FREE reports, all on ALL_LSDB iteration loops in ospf6d/ospf6_message.c; two OVERFLOW_BEFORE_WIDEN and two SIGN_EXTENSION reports on the same two `oi->hello_interval * 1000000` expressions (in ospf6_hello_recv and ospf6_write); and one REVERSE_INULL in bgpd/bgp_evpn_vty.c. The ALL_LSDB macro itself is not shown in this report, so whether the USE_AFTER_FREE findings trace a real free or the refcount unlock/lock sequence the loops perform (note the `assert(lsa->lock == 2)` in the lsack builders) should be confirmed against the macro definition before triage.
10 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 13 of 13 defect(s)


** CID 1505419:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2366 in ospf6_make_lsupdate_list()
/ospf6d/ospf6_message.c: 2366 in ospf6_make_lsupdate_list()


________________________________________________________________________________________________________
*** CID 1505419:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2365 in ospf6_make_lsupdate_list()
2359     	uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2360     	struct ospf6_lsa *lsa, *lsanext;
2361     
2362     	/* skip over fixed header */
2363     	stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2364     
>>>     CID 1505419:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2365     	for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
2366     		if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2367     		     + OSPF6_HEADER_SIZE)
2368     		    > ospf6_packet_max(on->ospf6_if)) {
2369     			ospf6_fill_header(on->ospf6_if, (*op)->s,
2370     					  length + OSPF6_HEADER_SIZE);
/ospf6d/ospf6_message.c: 2366 in ospf6_make_lsupdate_list()
2360     	struct ospf6_lsa *lsa, *lsanext;
2361     
2362     	/* skip over fixed header */
2363     	stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2364     
2365     	for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
>>>     CID 1505419:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
2366     		if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2367     		     + OSPF6_HEADER_SIZE)
2368     		    > ospf6_packet_max(on->ospf6_if)) {
2369     			ospf6_fill_header(on->ospf6_if, (*op)->s,
2370     					  length + OSPF6_HEADER_SIZE);
2371     			(*op)->length = length + OSPF6_HEADER_SIZE;
/ospf6d/ospf6_message.c: 2365 in ospf6_make_lsupdate_list()
2359     	uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2360     	struct ospf6_lsa *lsa, *lsanext;
2361     
2362     	/* skip over fixed header */
2363     	stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2364     
>>>     CID 1505419:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2365     	for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
2366     		if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2367     		     + OSPF6_HEADER_SIZE)
2368     		    > ospf6_packet_max(on->ospf6_if)) {
2369     			ospf6_fill_header(on->ospf6_if, (*op)->s,
2370     					  length + OSPF6_HEADER_SIZE);
/ospf6d/ospf6_message.c: 2366 in ospf6_make_lsupdate_list()
2360     	struct ospf6_lsa *lsa, *lsanext;
2361     
2362     	/* skip over fixed header */
2363     	stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2364     
2365     	for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
>>>     CID 1505419:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
2366     		if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2367     		     + OSPF6_HEADER_SIZE)
2368     		    > ospf6_packet_max(on->ospf6_if)) {
2369     			ospf6_fill_header(on->ospf6_if, (*op)->s,
2370     					  length + OSPF6_HEADER_SIZE);
2371     			(*op)->length = length + OSPF6_HEADER_SIZE;

** CID 1505418:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2207 in ospf6_make_lsreq()
/ospf6d/ospf6_message.c: 2207 in ospf6_make_lsreq()


________________________________________________________________________________________________________
*** CID 1505418:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2207 in ospf6_make_lsreq()
2201     			ospf6_lsa_unlock(lsa);
2202     			if (lsanext)
2203     				ospf6_lsa_unlock(lsanext);
2204     			break;
2205     		}
2206     		stream_putw(s, 0); /* reserved */
>>>     CID 1505418:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
2207     		stream_putw(s, ntohs(lsa->header->type));
2208     		stream_putl(s, ntohl(lsa->header->id));
2209     		stream_putl(s, ntohl(lsa->header->adv_router));
2210     		length += sizeof(struct ospf6_lsreq_entry);
2211     		last_req = lsa;
2212     	}
/ospf6d/ospf6_message.c: 2201 in ospf6_make_lsreq()
2195     	uint16_t length = 0;
2196     	struct ospf6_lsa *lsa, *lsanext, *last_req = NULL;
2197     
2198     	for (ALL_LSDB(on->request_list, lsa, lsanext)) {
2199     		if ((length + OSPF6_HEADER_SIZE)
2200     		    > ospf6_packet_max(on->ospf6_if)) {
>>>     CID 1505418:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2201     			ospf6_lsa_unlock(lsa);
2202     			if (lsanext)
2203     				ospf6_lsa_unlock(lsanext);
2204     			break;
2205     		}
2206     		stream_putw(s, 0); /* reserved */
/ospf6d/ospf6_message.c: 2201 in ospf6_make_lsreq()
2195     	uint16_t length = 0;
2196     	struct ospf6_lsa *lsa, *lsanext, *last_req = NULL;
2197     
2198     	for (ALL_LSDB(on->request_list, lsa, lsanext)) {
2199     		if ((length + OSPF6_HEADER_SIZE)
2200     		    > ospf6_packet_max(on->ospf6_if)) {
>>>     CID 1505418:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2201     			ospf6_lsa_unlock(lsa);
2202     			if (lsanext)
2203     				ospf6_lsa_unlock(lsanext);
2204     			break;
2205     		}
2206     		stream_putw(s, 0); /* reserved */
/ospf6d/ospf6_message.c: 2207 in ospf6_make_lsreq()
2201     			ospf6_lsa_unlock(lsa);
2202     			if (lsanext)
2203     				ospf6_lsa_unlock(lsanext);
2204     			break;
2205     		}
2206     		stream_putw(s, 0); /* reserved */
>>>     CID 1505418:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
2207     		stream_putw(s, ntohs(lsa->header->type));
2208     		stream_putl(s, ntohl(lsa->header->id));
2209     		stream_putl(s, ntohl(lsa->header->adv_router));
2210     		length += sizeof(struct ospf6_lsreq_entry);
2211     		last_req = lsa;
2212     	}

** CID 1505417:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2404 in ospf6_make_ls_retrans_list()
/ospf6d/ospf6_message.c: 2404 in ospf6_make_ls_retrans_list()


________________________________________________________________________________________________________
*** CID 1505417:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2404 in ospf6_make_ls_retrans_list()
2398     	struct ospf6_lsa *lsa, *lsanext;
2399     
2400     	/* skip over fixed header */
2401     	stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2402     
2403     	for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
>>>     CID 1505417:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
2404     		if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2405     		     + OSPF6_HEADER_SIZE)
2406     		    > ospf6_packet_max(on->ospf6_if)) {
2407     			ospf6_fill_header(on->ospf6_if, (*op)->s,
2408     					  length + OSPF6_HEADER_SIZE);
2409     			(*op)->length = length + OSPF6_HEADER_SIZE;
/ospf6d/ospf6_message.c: 2404 in ospf6_make_ls_retrans_list()
2398     	struct ospf6_lsa *lsa, *lsanext;
2399     
2400     	/* skip over fixed header */
2401     	stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2402     
2403     	for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
>>>     CID 1505417:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
2404     		if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2405     		     + OSPF6_HEADER_SIZE)
2406     		    > ospf6_packet_max(on->ospf6_if)) {
2407     			ospf6_fill_header(on->ospf6_if, (*op)->s,
2408     					  length + OSPF6_HEADER_SIZE);
2409     			(*op)->length = length + OSPF6_HEADER_SIZE;

** CID 1505416:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/ospf6d/ospf6_message.c: 1949 in ospf6_write()


________________________________________________________________________________________________________
*** CID 1505416:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/ospf6d/ospf6_message.c: 1949 in ospf6_write()
1943     			monotime(&timestamp);
1944     			if (oi->hello_out)
1945     				latency = monotime_since(&oi->last_hello, NULL)
1946     					  - (oi->hello_interval * 1000000);
1947     
1948     			/* log if latency exceeds the hello period */
>>>     CID 1505416:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "oi->hello_interval * 1000000" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "_int64_t" (64 bits, signed).
1949     			if (latency > (oi->hello_interval * 1000000))
1950     				zlog_warn("%s hello TX high latency %" PRId64
1951     					  "us.",
1952     					  __func__, latency);
1953     			oi->last_hello = timestamp;
1954     			oi->hello_out++;

** CID 1505415:    (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1505415:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2218 in ospf6_make_lsreq()
2212     	}
2213     
2214     	if (last_req != NULL) {
2215     		if (on->last_ls_req != NULL)
2216     			on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req);
2217     
>>>     CID 1505415:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
2218     		ospf6_lsa_lock(last_req);
2219     		on->last_ls_req = last_req;
2220     	}
2221     
2222     	return length;
2223     }
/ospf6d/ospf6_message.c: 2218 in ospf6_make_lsreq()
2212     	}
2213     
2214     	if (last_req != NULL) {
2215     		if (on->last_ls_req != NULL)
2216     			on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req);
2217     
>>>     CID 1505415:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
2218     		ospf6_lsa_lock(last_req);
2219     		on->last_ls_req = last_req;
2220     	}
2221     
2222     	return length;
2223     }

** CID 1505414:    (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1505414:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2081 in ospf6_make_dbdesc()
2075     	stream_putc(s, on->dbdesc_bits);
2076     	stream_putl(s, on->dbdesc_seqnum);
2077     
2078     	/* if this is not initial one, set LSA headers in dbdesc */
2079     	if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) {
2080     		for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
>>>     CID 1505414:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2081     			ospf6_lsa_age_update_to_send(lsa,
2082     						     on->ospf6_if->transdelay);
2083     
2084     			/* MTU check */
2085     			if ((length + sizeof(struct ospf6_lsa_header)
2086     			     + OSPF6_HEADER_SIZE)
/ospf6d/ospf6_message.c: 2081 in ospf6_make_dbdesc()
2075     	stream_putc(s, on->dbdesc_bits);
2076     	stream_putl(s, on->dbdesc_seqnum);
2077     
2078     	/* if this is not initial one, set LSA headers in dbdesc */
2079     	if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) {
2080     		for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
>>>     CID 1505414:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2081     			ospf6_lsa_age_update_to_send(lsa,
2082     						     on->ospf6_if->transdelay);
2083     
2084     			/* MTU check */
2085     			if ((length + sizeof(struct ospf6_lsa_header)
2086     			     + OSPF6_HEADER_SIZE)

** CID 1505413:  Null pointer dereferences  (REVERSE_INULL)
/bgpd/bgp_evpn_vty.c: 67 in argv_find_and_parse_oly_idx()


________________________________________________________________________________________________________
*** CID 1505413:  Null pointer dereferences  (REVERSE_INULL)
/bgpd/bgp_evpn_vty.c: 67 in argv_find_and_parse_oly_idx()
61     
62     int argv_find_and_parse_oly_idx(struct cmd_token **argv, int argc, int *oly_idx,
63     				enum overlay_index_type *oly)
64     {
65     	*oly = OVERLAY_INDEX_TYPE_NONE;
66     	if (argv_find(argv, argc, "gateway-ip", oly_idx)) {
>>>     CID 1505413:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "oly" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
67     		if (oly)
68     			*oly = OVERLAY_INDEX_GATEWAY_IP;
69     	}
70     	return 1;
71     }
72     

** CID 1505412:    (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1505412:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2672 in ospf6_make_lsack_interface()
2666     static uint16_t ospf6_make_lsack_interface(struct ospf6_interface *oi,
2667     					   struct ospf6_packet *op)
2668     {
2669     	uint16_t length = 0;
2670     	struct ospf6_lsa *lsa, *lsanext;
2671     
>>>     CID 1505412:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2672     	for (ALL_LSDB(oi->lsack_list, lsa, lsanext)) {
2673     		if ((length + sizeof(struct ospf6_lsa_header)
2674     		     + OSPF6_HEADER_SIZE)
2675     		    > ospf6_packet_max(oi)) {
2676     			/* if we run out of packet size/space here,
2677     			   better to try again soon. */
/ospf6d/ospf6_message.c: 2687 in ospf6_make_lsack_interface()
2681     
2682     			ospf6_lsa_unlock(lsa);
2683     			if (lsanext)
2684     				ospf6_lsa_unlock(lsanext);
2685     			break;
2686     		}
>>>     CID 1505412:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2687     		ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2688     		stream_put(op->s, lsa->header, sizeof(struct ospf6_lsa_header));
2689     		length += sizeof(struct ospf6_lsa_header);
2690     
2691     		assert(lsa->lock == 2);
2692     		ospf6_lsdb_remove(lsa, oi->lsack_list);
/ospf6d/ospf6_message.c: 2687 in ospf6_make_lsack_interface()
2681     
2682     			ospf6_lsa_unlock(lsa);
2683     			if (lsanext)
2684     				ospf6_lsa_unlock(lsanext);
2685     			break;
2686     		}
>>>     CID 1505412:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2687     		ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2688     		stream_put(op->s, lsa->header, sizeof(struct ospf6_lsa_header));
2689     		length += sizeof(struct ospf6_lsa_header);
2690     
2691     		assert(lsa->lock == 2);
2692     		ospf6_lsdb_remove(lsa, oi->lsack_list);
/ospf6d/ospf6_message.c: 2682 in ospf6_make_lsack_interface()
2676     			/* if we run out of packet size/space here,
2677     			   better to try again soon. */
2678     			THREAD_OFF(oi->thread_send_lsack);
2679     			thread_add_event(master, ospf6_lsack_send_interface, oi,
2680     					 0, &oi->thread_send_lsack);
2681     
>>>     CID 1505412:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2682     			ospf6_lsa_unlock(lsa);
2683     			if (lsanext)
2684     				ospf6_lsa_unlock(lsanext);
2685     			break;
2686     		}
2687     		ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
/ospf6d/ospf6_message.c: 2672 in ospf6_make_lsack_interface()
2666     static uint16_t ospf6_make_lsack_interface(struct ospf6_interface *oi,
2667     					   struct ospf6_packet *op)
2668     {
2669     	uint16_t length = 0;
2670     	struct ospf6_lsa *lsa, *lsanext;
2671     
>>>     CID 1505412:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2672     	for (ALL_LSDB(oi->lsack_list, lsa, lsanext)) {
2673     		if ((length + sizeof(struct ospf6_lsa_header)
2674     		     + OSPF6_HEADER_SIZE)
2675     		    > ospf6_packet_max(oi)) {
2676     			/* if we run out of packet size/space here,
2677     			   better to try again soon. */

** CID 1505411:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/ospf6d/ospf6_message.c: 449 in ospf6_hello_recv()


________________________________________________________________________________________________________
*** CID 1505411:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/ospf6d/ospf6_message.c: 449 in ospf6_hello_recv()
443     
444     	/* check latency against hello period */
445     	if (on->hello_in)
446     		latency = monotime_since(&on->last_hello, NULL)
447     			  - (oi->hello_interval * 1000000);
448     	/* log if latency exceeds the hello period */
>>>     CID 1505411:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "oi->hello_interval * 1000000" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "_int64_t" (64 bits, signed).
449     	if (latency > (oi->hello_interval * 1000000))
450     		zlog_warn("%s RX %pI4 high latency %" PRId64 "us.", __func__,
451     			  &on->router_id, latency);
452     	on->last_hello = timestamp;
453     	on->hello_in++;
454     

** CID 1505410:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2545 in ospf6_make_lsupdate_interface()
/ospf6d/ospf6_message.c: 2545 in ospf6_make_lsupdate_interface()


________________________________________________________________________________________________________
*** CID 1505410:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2544 in ospf6_make_lsupdate_interface()
2538     	uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2539     	struct ospf6_lsa *lsa, *lsanext;
2540     
2541     	/* skip over fixed header */
2542     	stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2543     
>>>     CID 1505410:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2544     	for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
2545     		if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2546     			    + OSPF6_HEADER_SIZE
2547     		    > ospf6_packet_max(oi)) {
2548     			ospf6_fill_header(oi, (*op)->s,
2549     					  length + OSPF6_HEADER_SIZE);
/ospf6d/ospf6_message.c: 2544 in ospf6_make_lsupdate_interface()
2538     	uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2539     	struct ospf6_lsa *lsa, *lsanext;
2540     
2541     	/* skip over fixed header */
2542     	stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2543     
>>>     CID 1505410:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2544     	for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
2545     		if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2546     			    + OSPF6_HEADER_SIZE
2547     		    > ospf6_packet_max(oi)) {
2548     			ospf6_fill_header(oi, (*op)->s,
2549     					  length + OSPF6_HEADER_SIZE);
/ospf6d/ospf6_message.c: 2545 in ospf6_make_lsupdate_interface()
2539     	struct ospf6_lsa *lsa, *lsanext;
2540     
2541     	/* skip over fixed header */
2542     	stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2543     
2544     	for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
>>>     CID 1505410:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
2545     		if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2546     			    + OSPF6_HEADER_SIZE
2547     		    > ospf6_packet_max(oi)) {
2548     			ospf6_fill_header(oi, (*op)->s,
2549     					  length + OSPF6_HEADER_SIZE);
2550     			(*op)->length = length + OSPF6_HEADER_SIZE;
/ospf6d/ospf6_message.c: 2545 in ospf6_make_lsupdate_interface()
2539     	struct ospf6_lsa *lsa, *lsanext;
2540     
2541     	/* skip over fixed header */
2542     	stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2543     
2544     	for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
>>>     CID 1505410:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "lsa".
2545     		if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2546     			    + OSPF6_HEADER_SIZE
2547     		    > ospf6_packet_max(oi)) {
2548     			ospf6_fill_header(oi, (*op)->s,
2549     					  length + OSPF6_HEADER_SIZE);
2550     			(*op)->length = length + OSPF6_HEADER_SIZE;

** CID 1505409:    (SIGN_EXTENSION)
/ospf6d/ospf6_message.c: 1946 in ospf6_write()
/ospf6d/ospf6_message.c: 1949 in ospf6_write()


________________________________________________________________________________________________________
*** CID 1505409:    (SIGN_EXTENSION)
/ospf6d/ospf6_message.c: 1946 in ospf6_write()
1940     		}
1941     		switch (oh->type) {
1942     		case OSPF6_MESSAGE_TYPE_HELLO:
1943     			monotime(&timestamp);
1944     			if (oi->hello_out)
1945     				latency = monotime_since(&oi->last_hello, NULL)
>>>     CID 1505409:    (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "oi->hello_interval" with type "uint16_t" (16 bits, unsigned) is promoted in "oi->hello_interval * 1000000" to type "int" (32 bits, signed), then sign-extended to type "long long" (64 bits, signed).  If "oi->hello_interval * 1000000" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1. [Reviewer note: a uint16_t hello_interval of 2148 or more (2148 * 1000000 > 0x7FFFFFFF) reaches this, and the 32-bit signed multiply overflowing is undefined behaviour before the widening even happens; widening first, e.g. `(int64_t)oi->hello_interval * 1000000`, addresses this and the companion OVERFLOW_BEFORE_WIDEN report (CID 1505416) on the same expression.]
1946     					  - (oi->hello_interval * 1000000);
1947     
1948     			/* log if latency exceeds the hello period */
1949     			if (latency > (oi->hello_interval * 1000000))
1950     				zlog_warn("%s hello TX high latency %" PRId64
1951     					  "us.",
/ospf6d/ospf6_message.c: 1949 in ospf6_write()
1943     			monotime(&timestamp);
1944     			if (oi->hello_out)
1945     				latency = monotime_since(&oi->last_hello, NULL)
1946     					  - (oi->hello_interval * 1000000);
1947     
1948     			/* log if latency exceeds the hello period */
>>>     CID 1505409:    (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "oi->hello_interval" with type "uint16_t" (16 bits, unsigned) is promoted in "oi->hello_interval * 1000000" to type "int" (32 bits, signed), then sign-extended to type "long long" (64 bits, signed).  If "oi->hello_interval * 1000000" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1949     			if (latency > (oi->hello_interval * 1000000))
1950     				zlog_warn("%s hello TX high latency %" PRId64
1951     					  "us.",
1952     					  __func__, latency);
1953     			oi->last_hello = timestamp;
1954     			oi->hello_out++;

** CID 1505408:    (SIGN_EXTENSION)
/ospf6d/ospf6_message.c: 447 in ospf6_hello_recv()
/ospf6d/ospf6_message.c: 449 in ospf6_hello_recv()


________________________________________________________________________________________________________
*** CID 1505408:    (SIGN_EXTENSION)
/ospf6d/ospf6_message.c: 447 in ospf6_hello_recv()
441     		on->priority = hello->priority;
442     	}
443     
444     	/* check latency against hello period */
445     	if (on->hello_in)
446     		latency = monotime_since(&on->last_hello, NULL)
>>>     CID 1505408:    (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "oi->hello_interval" with type "uint16_t" (16 bits, unsigned) is promoted in "oi->hello_interval * 1000000" to type "int" (32 bits, signed), then sign-extended to type "long long" (64 bits, signed).  If "oi->hello_interval * 1000000" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1. [Reviewer note: a uint16_t hello_interval of 2148 or more (2148 * 1000000 > 0x7FFFFFFF) reaches this, and the 32-bit signed multiply overflowing is undefined behaviour before the widening even happens; widening first, e.g. `(int64_t)oi->hello_interval * 1000000`, addresses this and the companion OVERFLOW_BEFORE_WIDEN report (CID 1505411) on the same expression.]
447     			  - (oi->hello_interval * 1000000);
448     	/* log if latency exceeds the hello period */
449     	if (latency > (oi->hello_interval * 1000000))
450     		zlog_warn("%s RX %pI4 high latency %" PRId64 "us.", __func__,
451     			  &on->router_id, latency);
452     	on->last_hello = timestamp;
/ospf6d/ospf6_message.c: 449 in ospf6_hello_recv()
443     
444     	/* check latency against hello period */
445     	if (on->hello_in)
446     		latency = monotime_since(&on->last_hello, NULL)
447     			  - (oi->hello_interval * 1000000);
448     	/* log if latency exceeds the hello period */
>>>     CID 1505408:    (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "oi->hello_interval" with type "uint16_t" (16 bits, unsigned) is promoted in "oi->hello_interval * 1000000" to type "int" (32 bits, signed), then sign-extended to type "long long" (64 bits, signed).  If "oi->hello_interval * 1000000" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
449     	if (latency > (oi->hello_interval * 1000000))
450     		zlog_warn("%s RX %pI4 high latency %" PRId64 "us.", __func__,
451     			  &on->router_id, latency);
452     	on->last_hello = timestamp;
453     	on->hello_in++;
454     

** CID 1505407:    (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1505407:    (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2232 in ospf6_make_lsack_neighbor()
2226     					  struct ospf6_packet **op)
2227     {
2228     	uint16_t length = 0;
2229     	struct ospf6_lsa *lsa, *lsanext;
2230     	int lsa_cnt = 0;
2231     
>>>     CID 1505407:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2232     	for (ALL_LSDB(on->lsack_list, lsa, lsanext)) {
2233     		if ((length + sizeof(struct ospf6_lsa_header)
2234     		     + OSPF6_HEADER_SIZE)
2235     		    > ospf6_packet_max(on->ospf6_if)) {
2236     			/* if we run out of packet size/space here,
2237     			   better to try again soon. */
/ospf6d/ospf6_message.c: 2232 in ospf6_make_lsack_neighbor()
2226     					  struct ospf6_packet **op)
2227     {
2228     	uint16_t length = 0;
2229     	struct ospf6_lsa *lsa, *lsanext;
2230     	int lsa_cnt = 0;
2231     
>>>     CID 1505407:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2232     	for (ALL_LSDB(on->lsack_list, lsa, lsanext)) {
2233     		if ((length + sizeof(struct ospf6_lsa_header)
2234     		     + OSPF6_HEADER_SIZE)
2235     		    > ospf6_packet_max(on->ospf6_if)) {
2236     			/* if we run out of packet size/space here,
2237     			   better to try again soon. */
/ospf6d/ospf6_message.c: 2254 in ospf6_make_lsack_neighbor()
2248     				ospf6_make_header(OSPF6_MESSAGE_TYPE_LSACK,
2249     						  on->ospf6_if, (*op)->s);
2250     				length = 0;
2251     				lsa_cnt = 0;
2252     			}
2253     		}
>>>     CID 1505407:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2254     		ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay);
2255     		stream_put((*op)->s, lsa->header,
2256     			   sizeof(struct ospf6_lsa_header));
2257     		length += sizeof(struct ospf6_lsa_header);
2258     
2259     		assert(lsa->lock == 2);
/ospf6d/ospf6_message.c: 2254 in ospf6_make_lsack_neighbor()
2248     				ospf6_make_header(OSPF6_MESSAGE_TYPE_LSACK,
2249     						  on->ospf6_if, (*op)->s);
2250     				length = 0;
2251     				lsa_cnt = 0;
2252     			}
2253     		}
>>>     CID 1505407:    (USE_AFTER_FREE)
>>>     Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2254     		ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay);
2255     		stream_put((*op)->s, lsa->header,
2256     			   sizeof(struct ospf6_lsa_header));
2257     		length += sizeof(struct ospf6_lsa_header);
2258     
2259     		assert(lsa->lock == 2);


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit: https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3Dz3ri_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTy9kvLDw7xI52vbkUipLXZrwNyJxAE-2B9vRo-2BEThzRdQOIiXyA3KKfteWnmPNQ9esexEQbHjHJ4QXbIcyi0fi-2BvPxKGa2JcK4oFin4iMXvDe-2BcZPCxLqCqZo-2B7b-2B3ezD4ifDYddF1aZZKiurzw0TJNE07e7uAsYtdMHL-2B1-2BHyTMWqw-3D-3D (note: this is a SendGrid click-tracking redirect rather than a direct Coverity link; if tracking redirects are not acceptable in your environment, open the freerangerouting/frr project on scan.coverity.com directly).



