New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Tue Mar 16 23:03:47 UTC 2021
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
39 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 39 defect(s)
** CID 1502815: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________
*** CID 1502815: Integer handling issues (NEGATIVE_RETURNS)
/pceplib/test/pcep_msg_tools_test.c: 516 in test_pcep_msg_read_pcep_open_cisco_pce()
510
511 void test_pcep_msg_read_pcep_open_cisco_pce()
512 {
513 int fd = convert_hexstrs_to_binary(
514 pcep_open_cisco_pce_hexbyte_strs,
515 pcep_open_cisco_pce_hexbyte_strs_length);
>>> CID 1502815: Integer handling issues (NEGATIVE_RETURNS)
>>> "fd" is passed to a parameter that cannot be negative.
516 double_linked_list *msg_list = pcep_msg_read(fd);
517 CU_ASSERT_PTR_NOT_NULL(msg_list);
518 CU_ASSERT_EQUAL(msg_list->num_entries, 1);
519
520 struct pcep_message *msg = (struct pcep_message *)msg_list->head->data;
521 CU_ASSERT_EQUAL(msg->msg_header->type, PCEP_TYPE_OPEN);
** CID 1502814: (SIZEOF_MISMATCH)
/pceplib/pcep_msg_objects_encoding.c: 1692 in pcep_decode_obj_ro()
/pceplib/pcep_msg_objects_encoding.c: 1671 in pcep_decode_obj_ro()
/pceplib/pcep_msg_objects_encoding.c: 1687 in pcep_decode_obj_ro()
/pceplib/pcep_msg_objects_encoding.c: 1697 in pcep_decode_obj_ro()
________________________________________________________________________________________________________
*** CID 1502814: (SIZEOF_MISMATCH)
/pceplib/pcep_msg_objects_encoding.c: 1692 in pcep_decode_obj_ro()
1686 sizeof(struct in_addr));
1687 ipv4->s_addr = uint32_ptr[LENGTH_4WORDS];
1688 dll_append(sr_subobj->nai_list, ipv4);
1689
1690 ipv6 = pceplib_malloc(PCEPLIB_MESSAGES,
1691 sizeof(struct in6_addr));
>>> CID 1502814: (SIZEOF_MISMATCH)
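>>> Adding "20UL /* sizeof (uint32_t) * 5 */" to pointer "uint32_ptr" of type "uint32_t *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 4 bytes, of the pointed-to type, "uint32_t". Most likely, the multiplication by "sizeof (uint32_t)" in this expression is extraneous and should be eliminated.
[Note: with the 20UL value quoted above, the call on line 1692 advances "uint32_ptr" by 20 elements, i.e. 80 bytes, where the constant's name suggests 5 words (20 bytes). Since pcep_decode_obj_ro() is a decode routine, the address is presumably read from beyond the intended field; the other three locations listed for this CID scale their offsets the same way.]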
1692 decode_ipv6(uint32_ptr + LENGTH_5WORDS, ipv6);
1693 dll_append(sr_subobj->nai_list, ipv6);
1694
1695 ipv4 = pceplib_malloc(PCEPLIB_MESSAGES,
1696 sizeof(struct in_addr));
1697 ipv4->s_addr = uint32_ptr[LENGTH_9WORDS];
/pceplib/pcep_msg_objects_encoding.c: 1671 in pcep_decode_obj_ro()
1665 sizeof(struct in6_addr));
1666 decode_ipv6(uint32_ptr, ipv6);
1667 dll_append(sr_subobj->nai_list, ipv6);
1668
1669 ipv6 = pceplib_malloc(PCEPLIB_MESSAGES,
1670 sizeof(struct in6_addr));
>>> CID 1502814: (SIZEOF_MISMATCH)
>>> Adding "16UL /* sizeof (uint32_t) * 4 */" to pointer "uint32_ptr" of type "uint32_t *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 4 bytes, of the pointed-to type, "uint32_t". Most likely, the multiplication by "sizeof (uint32_t)" in this expression is extraneous and should be eliminated.
1671 decode_ipv6(uint32_ptr + LENGTH_4WORDS, ipv6);
1672 dll_append(sr_subobj->nai_list, ipv6);
1673
1674 read_count += LENGTH_8WORDS;
1675 } break;
1676
/pceplib/pcep_msg_objects_encoding.c: 1687 in pcep_decode_obj_ro()
1681 decode_ipv6(uint32_ptr, ipv6);
1682 dll_append(sr_subobj->nai_list, ipv6);
1683
1684 struct in_addr *ipv4 =
1685 pceplib_malloc(PCEPLIB_MESSAGES,
1686 sizeof(struct in_addr));
>>> CID 1502814: (SIZEOF_MISMATCH)
>>> Adding "16UL /* sizeof (uint32_t) * 4 */" to pointer "uint32_ptr" of type "uint32_t *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 4 bytes, of the pointed-to type, "uint32_t". Most likely, the multiplication by "sizeof (uint32_t)" in this expression is extraneous and should be eliminated.
1687 ipv4->s_addr = uint32_ptr[LENGTH_4WORDS];
1688 dll_append(sr_subobj->nai_list, ipv4);
1689
1690 ipv6 = pceplib_malloc(PCEPLIB_MESSAGES,
1691 sizeof(struct in6_addr));
1692 decode_ipv6(uint32_ptr + LENGTH_5WORDS, ipv6);
/pceplib/pcep_msg_objects_encoding.c: 1697 in pcep_decode_obj_ro()
1691 sizeof(struct in6_addr));
1692 decode_ipv6(uint32_ptr + LENGTH_5WORDS, ipv6);
1693 dll_append(sr_subobj->nai_list, ipv6);
1694
1695 ipv4 = pceplib_malloc(PCEPLIB_MESSAGES,
1696 sizeof(struct in_addr));
>>> CID 1502814: (SIZEOF_MISMATCH)
>>> Adding "36UL /* sizeof (uint32_t) * 9 */" to pointer "uint32_ptr" of type "uint32_t *" is suspicious because adding an integral value to this pointer automatically scales that value by the size, 4 bytes, of the pointed-to type, "uint32_t". Most likely, the multiplication by "sizeof (uint32_t)" in this expression is extraneous and should be eliminated.
1697 ipv4->s_addr = uint32_ptr[LENGTH_9WORDS];
1698 dll_append(sr_subobj->nai_list, ipv4);
1699
1700 read_count += LENGTH_10WORDS;
1701 } break;
1702
** CID 1502813: Memory - corruptions (OVERRUN)
/pceplib/pcep_msg_tools.c: 143 in pcep_msg_read()
________________________________________________________________________________________________________
*** CID 1502813: Memory - corruptions (OVERRUN)
/pceplib/pcep_msg_tools.c: 143 in pcep_msg_read()
137 int read_ret = 0;
138 pcep_log(
139 LOG_INFO,
140 "%s: pcep_msg_read: Message not fully read! Trying to read %d bytes more, fd [%d]",
141 __func__, read_len, sock_fd);
142
>>> CID 1502813: Memory - corruptions (OVERRUN)
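>>> Overrunning buffer pointed to by "&buffer[ret]" of 6000 bytes by passing it to a function which accesses it at byte offset 6000.
[Note: CID 1502806 further down flags "read_len" at this same read() call as tainted. No check of "ret + read_len" against the 6000-byte buffer is visible in the lines shown, so the two findings are best triaged together.]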
143 read_ret = read(sock_fd, &buffer[ret], read_len);
144
145 if (read_ret != read_len) {
146 pcep_log(
147 LOG_INFO,
148 "%s: pcep_msg_read: Did not manage to read enough data (%d != %d) fd [%d]",
** CID 1502812: API usage errors (SWAPPED_ARGUMENTS)
________________________________________________________________________________________________________
*** CID 1502812: API usage errors (SWAPPED_ARGUMENTS)
/pceplib/pcep_session_logic.c: 576 in create_pcep_open()
570 || session->pcc_config.support_lsp_triggered_resync
571 || session->pcc_config.support_lsp_delta_sync
572 || session->pcc_config.support_pce_triggered_initial_sync) {
573 /* Prepend this TLV as the first in the list */
574 dll_append(
575 tlv_list,
>>> CID 1502812: API usage errors (SWAPPED_ARGUMENTS)
>>> The positions of arguments in the call to "pcep_tlv_create_stateful_pce_capability" do not match the ordering of the parameters:
* "session->pcc_config.support_lsp_triggered_resync" is passed to "flag_i_lsp_instantiation_capability"
* "session->pcc_config.support_lsp_delta_sync" is passed to "flag_t_triggered_resync"
* "session->pcc_config.support_pce_triggered_initial_sync" is passed to "flag_d_delta_lsp_sync"
* "session->pcc_config.support_pce_lsp_instantiation" is passed to "flag_f_triggered_initial_sync"
576 pcep_tlv_create_stateful_pce_capability(
577 session->pcc_config
578 .support_stateful_pce_lsp_update, /* U
579 flag
580 */
581 session->pcc_config
** CID 1502811: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________
*** CID 1502811: Integer handling issues (NEGATIVE_RETURNS)
/pceplib/test/pcep_msg_tools_test.c: 491 in test_pcep_msg_read_pcep_open_initiate()
485
486 void test_pcep_msg_read_pcep_open_initiate()
487 {
488 int fd = convert_hexstrs_to_binary(
489 pcep_open_initiate_odl_hexbyte_strs,
490 pcep_open_initiate_hexbyte_strs_length);
>>> CID 1502811: Integer handling issues (NEGATIVE_RETURNS)
>>> "fd" is passed to a parameter that cannot be negative.
491 double_linked_list *msg_list = pcep_msg_read(fd);
492 CU_ASSERT_PTR_NOT_NULL(msg_list);
493 CU_ASSERT_EQUAL(msg_list->num_entries, 2);
494
495 struct pcep_message *msg = (struct pcep_message *)msg_list->head->data;
496 CU_ASSERT_EQUAL(msg->obj_list->num_entries, 1);
** CID 1502810: Security best practices violations (SECURE_TEMP)
/pceplib/test/pcep_msg_tools_test.c: 167 in convert_hexstrs_to_binary()
________________________________________________________________________________________________________
*** CID 1502810: Security best practices violations (SECURE_TEMP)
/pceplib/test/pcep_msg_tools_test.c: 167 in convert_hexstrs_to_binary()
161
162 /* Reads an array of hexbyte strs, and writes them to a temporary file.
163 * The caller should close the returned file. */
164 int convert_hexstrs_to_binary(const char *hexbyte_strs[],
165 uint16_t hexbyte_strs_length)
166 {
>>> CID 1502810: Security best practices violations (SECURE_TEMP)
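>>> "tmpfile" creates files with predictable names, which is unsafe.
[Note: line 167 also passes the result of tmpfile() straight to fileno() without a NULL check, and the FILE pointer is never saved, so the caller can close only the descriptor. The same fileno(tmpfile()) pattern is reported as a leak under CID 1502802; keeping the FILE pointer and checking it for NULL would address both.]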
167 int fd = fileno(tmpfile());
168
169 int i = 0;
170 for (; i < hexbyte_strs_length; i++) {
171 uint8_t byte = (uint8_t)strtol(hexbyte_strs[i], 0, 16);
172 if (write(fd, (char *)&byte, 1) < 0) {
** CID 1502809: Memory - corruptions (OVERRUN)
/pathd/path_pcep_cli.c: 1047 in path_pcep_cli_pcc_pcc_peer()
________________________________________________________________________________________________________
*** CID 1502809: Memory - corruptions (OVERRUN)
/pathd/path_pcep_cli.c: 1047 in path_pcep_cli_pcc_pcc_peer()
1041 return CMD_WARNING;
1042 }
1043
1044 /* Update the pcc_opts with the source ip, port, and msd */
1045 struct pcc_opts *pcc_opts_copy =
1046 XMALLOC(MTYPE_PCEP, sizeof(struct pcc_opts));
>>> CID 1502809: Memory - corruptions (OVERRUN)
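>>> Overrunning struct type ipaddr of 20 bytes by passing it to a function which accesses it at byte offset 23 using argument "24UL".
[Note: the size argument of the memcpy on lines 1047-1049 is sizeof(struct pcc_opts), the whole options structure, while the destination is only its "addr" member and the source is the "source_ip" field. The copy length should match the address type rather than the enclosing structure.]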
1047 memcpy(&pcc_opts_copy->addr,
1048 &pce_opts_cli->pce_opts.config_opts.source_ip,
1049 sizeof(struct pcc_opts));
1050 pcc_opts_copy->msd = pcc_msd_g;
1051 pcc_opts_copy->port = pce_opts_cli->pce_opts.config_opts.source_port;
1052 if (pcep_ctrl_update_pcc_options(pcep_g->fpt, pcc_opts_copy)) {
** CID 1502808: Concurrent data access violations (MISSING_LOCK)
/pceplib/pcep_session_logic.c: 64 in run_session_logic_common()
________________________________________________________________________________________________________
*** CID 1502808: Concurrent data access violations (MISSING_LOCK)
/pceplib/pcep_session_logic.c: 64 in run_session_logic_common()
58
59 session_logic_handle_ = pceplib_malloc(
60 PCEPLIB_INFRA, sizeof(pcep_session_logic_handle));
61 memset(session_logic_handle_, 0, sizeof(pcep_session_logic_handle));
62
63 session_logic_handle_->active = true;
>>> CID 1502808: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "session_logic_handle_->session_logic_condition" without holding lock "pcep_session_logic_handle_.session_logic_mutex". Elsewhere, "pcep_session_logic_handle_.session_logic_condition" is accessed with "pcep_session_logic_handle_.session_logic_mutex" held 5 out of 7 times (3 of these accesses strongly imply that it is necessary).
64 session_logic_handle_->session_logic_condition = false;
65 session_logic_handle_->session_list =
66 ordered_list_initialize(pointer_compare_function);
67 session_logic_handle_->session_event_queue = queue_initialize();
68
69 /* Initialize the event queue */
** CID 1502807: Memory - illegal accesses (OVERRUN)
________________________________________________________________________________________________________
*** CID 1502807: Memory - illegal accesses (OVERRUN)
/pceplib/pcep_msg_messages_encoding.c: 129 in pcep_encode_message()
123 return;
124 }
125
126 /* Encode each of the objects */
127 double_linked_list_node *node = message->obj_list->head;
128 for (; node != NULL; node = node->next_node) {
>>> CID 1502807: Memory - illegal accesses (OVERRUN)
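>>> Overrunning array of 65535 bytes at byte offset 65535 by dereferencing pointer "message_buffer + message_length".
[Note: the bound check on line 132 runs only after pcep_encode_object() has already been handed "message_buffer + message_length" on lines 129-131. It therefore detects an over-long message after the fact rather than preventing the out-of-bounds access.]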
129 message_length +=
130 pcep_encode_object(node->data, versioning,
131 message_buffer + message_length);
132 if (message_length > PCEP_MESSAGE_LENGTH) {
133 message->encoded_message = NULL;
134 message->encoded_message_length = 0;
** CID 1502806: (TAINTED_SCALAR)
/pceplib/pcep_msg_tools.c: 143 in pcep_msg_read()
________________________________________________________________________________________________________
*** CID 1502806: (TAINTED_SCALAR)
/pceplib/pcep_msg_tools.c: 143 in pcep_msg_read()
137 int read_ret = 0;
138 pcep_log(
139 LOG_INFO,
140 "%s: pcep_msg_read: Message not fully read! Trying to read %d bytes more, fd [%d]",
141 __func__, read_len, sock_fd);
142
>>> CID 1502806: (TAINTED_SCALAR)
>>> Passing tainted variable "read_len" to a tainted sink.
143 read_ret = read(sock_fd, &buffer[ret], read_len);
144
145 if (read_ret != read_len) {
146 pcep_log(
147 LOG_INFO,
148 "%s: pcep_msg_read: Did not manage to read enough data (%d != %d) fd [%d]",
/pceplib/pcep_msg_tools.c: 154 in pcep_msg_read()
148 "%s: pcep_msg_read: Did not manage to read enough data (%d != %d) fd [%d]",
149 __func__, read_ret, read_len, sock_fd);
150 return msg_list;
151 }
152 }
153
>>> CID 1502806: (TAINTED_SCALAR)
>>> Passing tainted variable "buffer + buffer_read" to a tainted sink.
154 msg = pcep_decode_message(buffer + buffer_read);
155 buffer_read += msg_hdr_length;
156
157 if (msg == NULL) {
158 return msg_list;
159 } else {
** CID 1502805: Resource leaks (RESOURCE_LEAK)
/pceplib/pcep_pcc.c: 316 in send_pce_report_message()
________________________________________________________________________________________________________
*** CID 1502805: Resource leaks (RESOURCE_LEAK)
/pceplib/pcep_pcc.c: 316 in send_pce_report_message()
310 plsp_id, lsp_status, c_flag, a_flag, r_flag, s_flag, d_flag,
311 lsp_tlv_list);
312 if (obj == NULL) {
313 pcep_log(LOG_WARNING,
314 "%s: send_pce_report_message LSP object was NULL",
315 __func__);
>>> CID 1502805: Resource leaks (RESOURCE_LEAK)
>>> Variable "report_list" going out of scope leaks the storage it points to.
316 return;
317 }
318 dll_append(report_list, obj);
319
320 /* Create 2 ERO NONAI sub-objects */
321 double_linked_list *ero_subobj_list = dll_initialize();
** CID 1502804: Concurrent data access violations (MISSING_LOCK)
/pceplib/test/pcep_timers_event_loop_test.c: 133 in test_walk_and_process_timers_timer_expired()
________________________________________________________________________________________________________
*** CID 1502804: Concurrent data access violations (MISSING_LOCK)
/pceplib/test/pcep_timers_event_loop_test.c: 133 in test_walk_and_process_timers_timer_expired()
127 /* We need to alloc it, since it will be free'd in
128 * walk_and_process_timers */
129 pcep_timer *timer = pceplib_malloc(PCEPLIB_INFRA, sizeof(pcep_timer));
130 timer->data = timer;
131 // Set the timer to expire 10 seconds ago
132 timer->expire_time = time(NULL) - 10;
>>> CID 1502804: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "timer->timer_id" without holding lock "pcep_timers_context_.timer_list_lock". Elsewhere, "pcep_timer_.timer_id" is accessed with "pcep_timers_context_.timer_list_lock" held 3 out of 4 times (3 of these accesses strongly imply that it is necessary).
133 timer->timer_id = TEST_EVENT_LOOP_TIMER_ID;
134 ordered_list_add_node(test_timers_context->timer_list, timer);
135
136 walk_and_process_timers(test_timers_context);
137
138 /* Since the timer expired, the expire_handler should have been called
** CID 1502803: (RESOURCE_LEAK)
/pceplib/test/pcep_msg_tlvs_test.c: 196 in test_pcep_tlv_create_path_setup_type_capability()
/pceplib/test/pcep_msg_tlvs_test.c: 178 in test_pcep_tlv_create_path_setup_type_capability()
________________________________________________________________________________________________________
*** CID 1502803: (RESOURCE_LEAK)
/pceplib/test/pcep_msg_tlvs_test.c: 196 in test_pcep_tlv_create_path_setup_type_capability()
190 *pst1 = 1;
191 *pst2 = 2;
192 *pst3 = 3;
193 dll_append(pst_list, pst1);
194 dll_append(pst_list, pst2);
195 dll_append(pst_list, pst3);
>>> CID 1502803: (RESOURCE_LEAK)
>>> Overwriting "tlv" in "tlv = pcep_tlv_create_path_setup_type_capability(pst_list, sub_tlv_list)" leaks the storage that "tlv" points to.
196 tlv = pcep_tlv_create_path_setup_type_capability(pst_list,
197 sub_tlv_list);
198 CU_ASSERT_PTR_NOT_NULL(tlv);
199
200 pcep_encode_tlv(&tlv->header, versioning, tlv_buf);
201 CU_ASSERT_EQUAL(tlv->header.type,
/pceplib/test/pcep_msg_tlvs_test.c: 178 in test_pcep_tlv_create_path_setup_type_capability()
172 double_linked_list *pst_list = dll_initialize();
173 tlv = pcep_tlv_create_path_setup_type_capability(pst_list, NULL);
174 CU_ASSERT_PTR_NULL(tlv);
175
176 /* Should still return NULL if pst_list is NULL */
177 double_linked_list *sub_tlv_list = dll_initialize();
>>> CID 1502803: (RESOURCE_LEAK)
>>> Overwriting "tlv" in "tlv = pcep_tlv_create_path_setup_type_capability(NULL, sub_tlv_list)" leaks the storage that "tlv" points to.
178 tlv = pcep_tlv_create_path_setup_type_capability(NULL, sub_tlv_list);
179 CU_ASSERT_PTR_NULL(tlv);
180
181 /* Should still return NULL if pst_list is empty */
182 tlv = pcep_tlv_create_path_setup_type_capability(pst_list,
183 sub_tlv_list);
** CID 1502802: Resource leaks (RESOURCE_LEAK)
/pceplib/test/pcep_session_logic_loop_test.c: 131 in test_session_logic_msg_ready_handler()
________________________________________________________________________________________________________
*** CID 1502802: Resource leaks (RESOURCE_LEAK)
/pceplib/test/pcep_session_logic_loop_test.c: 131 in test_session_logic_msg_ready_handler()
125 {
126 /* Just testing that it does not core dump */
127 CU_ASSERT_EQUAL(session_logic_msg_ready_handler(NULL, 0), -1);
128
129 /* Read from an empty file should return 0, thus
130 * session_logic_msg_ready_handler returns -1 */
>>> CID 1502802: Resource leaks (RESOURCE_LEAK)
>>> Failing to save or free storage allocated by "tmpfile()" leaks it.
131 int fd = fileno(tmpfile());
132 pcep_session session;
133 memset(&session, 0, sizeof(pcep_session));
134 session.session_id = 100;
135 CU_ASSERT_EQUAL(session_logic_msg_ready_handler(&session, fd), 0);
136 CU_ASSERT_EQUAL(session_logic_handle_->session_event_queue->num_entries,
** CID 1502801: Resource leaks (RESOURCE_LEAK)
/pceplib/test/pcep_msg_tlvs_test.c: 114 in test_pcep_tlv_create_speaker_entity_id()
________________________________________________________________________________________________________
*** CID 1502801: Resource leaks (RESOURCE_LEAK)
/pceplib/test/pcep_msg_tlvs_test.c: 114 in test_pcep_tlv_create_speaker_entity_id()
108 CU_ASSERT_PTR_NULL(tlv);
109
110 uint32_t *speaker_entity =
111 pceplib_malloc(PCEPLIB_MESSAGES, sizeof(uint32_t));
112 *speaker_entity = 42;
113 dll_append(list, speaker_entity);
>>> CID 1502801: Resource leaks (RESOURCE_LEAK)
>>> Overwriting "tlv" in "tlv = pcep_tlv_create_speaker_entity_id(list)" leaks the storage that "tlv" points to.
114 tlv = pcep_tlv_create_speaker_entity_id(list);
115 CU_ASSERT_PTR_NOT_NULL(tlv);
116
117 pcep_encode_tlv(&tlv->header, versioning, tlv_buf);
118 CU_ASSERT_EQUAL(tlv->header.type, PCEP_OBJ_TLV_TYPE_SPEAKER_ENTITY_ID);
119 CU_ASSERT_EQUAL(tlv->header.encoded_tlv_length, sizeof(uint32_t));
** CID 1502800: (BAD_SHIFT)
/pceplib/pcep_socket_comm_loop.c: 157 in build_fd_sets()
/pceplib/pcep_socket_comm_loop.c: 155 in build_fd_sets()
/pceplib/pcep_socket_comm_loop.c: 137 in build_fd_sets()
/pceplib/pcep_socket_comm_loop.c: 139 in build_fd_sets()
________________________________________________________________________________________________________
*** CID 1502800: (BAD_SHIFT)
/pceplib/pcep_socket_comm_loop.c: 157 in build_fd_sets()
151
152 /*pcep_log(LOG_DEBUG, "%s: [%ld] socket_comm::build_fdSets set
153 ready_toWrite [%d]", __func__, time(NULL),
154 comm_session->socket_fd);*/
155 FD_SET(comm_session->socket_fd,
156 &socket_comm_handle->write_master_set);
>>> CID 1502800: (BAD_SHIFT)
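>>> In expression "1UL << comm_session->socket_fd % 64", shifting by a negative amount has undefined behavior. The shift amount, "comm_session->socket_fd % 64", is as little as -63.
[Note: the shift is inside the FD_SET() macro, so the finding means "socket_fd" can be negative when it reaches FD_SET(). No validation of the descriptor is visible in the lines shown. FD_SET() is only defined for descriptors from 0 up to FD_SETSIZE - 1, so a range check before the four FD_SET() calls covers both ends.]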
157 FD_SET(comm_session->socket_fd,
158 &socket_comm_handle->except_master_set);
159 node = node->next_node;
160 }
161
162 pthread_mutex_unlock(&(socket_comm_handle->socket_comm_mutex));
/pceplib/pcep_socket_comm_loop.c: 155 in build_fd_sets()
149 max_fd = comm_session->socket_fd;
150 }
151
152 /*pcep_log(LOG_DEBUG, "%s: [%ld] socket_comm::build_fdSets set
153 ready_toWrite [%d]", __func__, time(NULL),
154 comm_session->socket_fd);*/
>>> CID 1502800: (BAD_SHIFT)
>>> In expression "1UL << comm_session->socket_fd % 64", shifting by a negative amount has undefined behavior. The shift amount, "comm_session->socket_fd % 64", is as little as -63.
155 FD_SET(comm_session->socket_fd,
156 &socket_comm_handle->write_master_set);
157 FD_SET(comm_session->socket_fd,
158 &socket_comm_handle->except_master_set);
159 node = node->next_node;
160 }
/pceplib/pcep_socket_comm_loop.c: 137 in build_fd_sets()
131 max_fd = comm_session->socket_fd;
132 }
133
134 /*pcep_log(LOG_DEBUG, ld] socket_comm::build_fdSets set
135 ready_toRead
136 [%d]", __func__, time(NULL), comm_session->socket_fd);*/
>>> CID 1502800: (BAD_SHIFT)
>>> In expression "1UL << comm_session->socket_fd % 64", shifting by a negative amount has undefined behavior. The shift amount, "comm_session->socket_fd % 64", is as little as -63.
137 FD_SET(comm_session->socket_fd,
138 &socket_comm_handle->read_master_set);
139 FD_SET(comm_session->socket_fd,
140 &socket_comm_handle->except_master_set);
141 node = node->next_node;
142 }
/pceplib/pcep_socket_comm_loop.c: 139 in build_fd_sets()
133
134 /*pcep_log(LOG_DEBUG, ld] socket_comm::build_fdSets set
135 ready_toRead
136 [%d]", __func__, time(NULL), comm_session->socket_fd);*/
137 FD_SET(comm_session->socket_fd,
138 &socket_comm_handle->read_master_set);
>>> CID 1502800: (BAD_SHIFT)
>>> In expression "1UL << comm_session->socket_fd % 64", shifting by a negative amount has undefined behavior. The shift amount, "comm_session->socket_fd % 64", is as little as -63.
139 FD_SET(comm_session->socket_fd,
140 &socket_comm_handle->except_master_set);
141 node = node->next_node;
142 }
143
144 FD_ZERO(&socket_comm_handle->write_master_set);
** CID 1502799: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________
*** CID 1502799: Integer handling issues (NEGATIVE_RETURNS)
/pceplib/test/pcep_msg_tools_test.c: 711 in test_pcep_msg_read_pcep_report_cisco_pcc()
705
706 void test_pcep_msg_read_pcep_report_cisco_pcc()
707 {
708 int fd = convert_hexstrs_to_binary(
709 pcep_report_cisco_pcc_hexbyte_strs,
710 pcep_report_cisco_pcc_hexbyte_strs_length);
>>> CID 1502799: Integer handling issues (NEGATIVE_RETURNS)
>>> "fd" is passed to a parameter that cannot be negative.
711 double_linked_list *msg_list = pcep_msg_read(fd);
712 CU_ASSERT_PTR_NOT_NULL(msg_list);
713 CU_ASSERT_EQUAL(msg_list->num_entries, 1);
714
715 struct pcep_message *msg = (struct pcep_message *)msg_list->head->data;
716 CU_ASSERT_EQUAL(msg->msg_header->type, PCEP_TYPE_REPORT);
** CID 1502798: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________
*** CID 1502798: Integer handling issues (NEGATIVE_RETURNS)
/pceplib/test/pcep_msg_tools_test.c: 413 in test_pcep_msg_read_pcep_update()
407 }
408
409 void test_pcep_msg_read_pcep_update()
410 {
411 int fd = convert_hexstrs_to_binary(pcep_update_hexbyte_strs,
412 pcep_update_hexbyte_strs_length);
>>> CID 1502798: Integer handling issues (NEGATIVE_RETURNS)
>>> "fd" is passed to a parameter that cannot be negative.
413 double_linked_list *msg_list = pcep_msg_read(fd);
414 CU_ASSERT_PTR_NOT_NULL(msg_list);
415 CU_ASSERT_EQUAL(msg_list->num_entries, 1);
416
417 struct pcep_message *msg = (struct pcep_message *)msg_list->head->data;
418 CU_ASSERT_EQUAL(msg->obj_list->num_entries, 3);
** CID 1502797: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________
*** CID 1502797: Integer handling issues (NEGATIVE_RETURNS)
/pceplib/test/pcep_msg_tools_test.c: 290 in test_pcep_msg_read_pcep_initiate2()
284
285
286 void test_pcep_msg_read_pcep_initiate2()
287 {
288 int fd = convert_hexstrs_to_binary(pcep_initiate2_hexbyte_strs,
289 pcep_initiate2_hexbyte_strs_length);
>>> CID 1502797: Integer handling issues (NEGATIVE_RETURNS)
>>> "fd" is passed to a parameter that cannot be negative.
290 double_linked_list *msg_list = pcep_msg_read(fd);
291 CU_ASSERT_PTR_NOT_NULL(msg_list);
292 CU_ASSERT_EQUAL(msg_list->num_entries, 1);
293
294 struct pcep_message *msg = (struct pcep_message *)msg_list->head->data;
295 CU_ASSERT_EQUAL(msg->obj_list->num_entries, 4);
** CID 1502796: Resource leaks (RESOURCE_LEAK)
/pceplib/test/pcep_msg_messages_test.c: 393 in test_pcep_msg_create_update()
________________________________________________________________________________________________________
*** CID 1502796: Resource leaks (RESOURCE_LEAK)
/pceplib/test/pcep_msg_messages_test.c: 393 in test_pcep_msg_create_update()
387 dll_append(obj_list, srp);
388 dll_append(obj_list, lsp);
389 message = pcep_msg_create_update(obj_list);
390 CU_ASSERT_PTR_NULL(message);
391
392 dll_append(obj_list, ero);
>>> CID 1502796: Resource leaks (RESOURCE_LEAK)
>>> Overwriting "message" in "message = pcep_msg_create_update(obj_list)" leaks the storage that "message" points to.
393 message = pcep_msg_create_update(obj_list);
394 CU_ASSERT_PTR_NOT_NULL(message);
395 pcep_encode_message(message, versioning);
396 CU_ASSERT_PTR_NOT_NULL(message->msg_header);
397 CU_ASSERT_PTR_NOT_NULL(message->obj_list);
398 CU_ASSERT_EQUAL(message->obj_list->num_entries, 3);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3D8i1O_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTw5Utd7dGDy7PEoBZnXChNL-2FMjlc05ZD2SPdya0q-2FbmpBoUgPRuhWfONiUsINqCowp1FdV4yTBFMnjD3XP4nZ-2BCor-2FhDZi5-2FvjUK0Eo-2Bwmjf0dcZ4NVGjVIYG-2BhaWNrr4AdNXWxWGb4dX-2FrI-2FCBbgD-2BJKfytZjnm0lFUrVI-2F2Fhvzn-2FpAwNgydNux8Bxf-2BJ580-3D