New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
Thu Oct 28 12:23:17 UTC 2021
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
28 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 28 defect(s)
** CID 1508210: Error handling issues (CHECKED_RETURN)
/zebra/zebra_script.c: 310 in lua_pushzebra_dplane_ctx()
________________________________________________________________________________________________________
*** CID 1508210: Error handling issues (CHECKED_RETURN)
/zebra/zebra_script.c: 310 in lua_pushzebra_dplane_ctx()
304 case DPLANE_OP_IPSET_ADD:
305 case DPLANE_OP_IPSET_DELETE:
306 case DPLANE_OP_IPSET_ENTRY_ADD:
307 case DPLANE_OP_IPSET_ENTRY_DELETE: {
308 struct zebra_pbr_ipset ipset;
309
>>> CID 1508210: Error handling issues (CHECKED_RETURN)
>>> Calling "dplane_ctx_get_pbr_ipset" without checking return value (as is done elsewhere 4 out of 5 times).
310 dplane_ctx_get_pbr_ipset(ctx, &ipset);
311 /* ipset */
312 lua_newtable(L);
313 {
314 lua_pushinteger(L, ipset.sock);
315 lua_setfield(L, -2, "sock");
** CID 1506514: Insecure data handling (TAINTED_SCALAR)
/ospf6d/ospf6_gr_helper.c: 1238 in ospf6_grace_lsa_show_info()
________________________________________________________________________________________________________
*** CID 1506514: Insecure data handling (TAINTED_SCALAR)
/ospf6d/ospf6_gr_helper.c: 1238 in ospf6_grace_lsa_show_info()
1232 if (!use_json)
1233 vty_out(vty, "TLV info:\n");
1234 } else {
1235 zlog_debug(" TLV info:");
1236 }
1237
>>> CID 1506514: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "length" as a loop boundary.
1238 for (tlvh = TLV_HDR_TOP(lsah); sum < length;
1239 tlvh = TLV_HDR_NEXT(tlvh)) {
1240 switch (ntohs(tlvh->type)) {
1241 case GRACE_PERIOD_TYPE:
1242 gracePeriod = (struct grace_tlv_graceperiod *)tlvh;
1243 sum += TLV_SIZE(tlvh);
** CID 1506513: Insecure data handling (TAINTED_SCALAR)
/ospf6d/ospf6_gr_helper.c: 160 in ospf6_extract_grace_lsa_fields()
________________________________________________________________________________________________________
*** CID 1506513: Insecure data handling (TAINTED_SCALAR)
/ospf6d/ospf6_gr_helper.c: 160 in ospf6_extract_grace_lsa_fields()
154 int sum = 0;
155
156 lsah = (struct ospf6_lsa_header *)lsa->header;
157
158 length = ntohs(lsah->length) - OSPF6_LSA_HEADER_SIZE;
159
>>> CID 1506513: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "length" as a loop boundary.
160 for (tlvh = TLV_HDR_TOP(lsah); sum < length;
161 tlvh = TLV_HDR_NEXT(tlvh)) {
162 switch (ntohs(tlvh->type)) {
163 case GRACE_PERIOD_TYPE:
164 gracePeriod = (struct grace_tlv_graceperiod *)tlvh;
165 *interval = ntohl(gracePeriod->interval);
** CID 1506512: (USE_AFTER_FREE)
/ospf6d/ospf6_gr_helper.c: 230 in ospf6_check_chg_in_rxmt_list()
/ospf6d/ospf6_gr_helper.c: 230 in ospf6_check_chg_in_rxmt_list()
________________________________________________________________________________________________________
*** CID 1506512: (USE_AFTER_FREE)
/ospf6d/ospf6_gr_helper.c: 230 in ospf6_check_chg_in_rxmt_list()
224 for (ALL_LSDB(nbr->retrans_list, lsa, lsanext)) {
225 struct ospf6_lsa *lsa_in_db = NULL;
226
227 /* Fetching the same copy of LSA form LSDB to validate the
228 * topochange.
229 */
>>> CID 1506512: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
230 lsa_in_db =
231 ospf6_lsdb_lookup(lsa->header->type, lsa->header->id,
232 lsa->header->adv_router, lsa->lsdb);
233
234 if (lsa_in_db && lsa_in_db->tobe_acknowledged) {
235 ospf6_lsa_unlock(lsa);
/ospf6d/ospf6_gr_helper.c: 230 in ospf6_check_chg_in_rxmt_list()
224 for (ALL_LSDB(nbr->retrans_list, lsa, lsanext)) {
225 struct ospf6_lsa *lsa_in_db = NULL;
226
227 /* Fetching the same copy of LSA form LSDB to validate the
228 * topochange.
229 */
>>> CID 1506512: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
230 lsa_in_db =
231 ospf6_lsdb_lookup(lsa->header->type, lsa->header->id,
232 lsa->header->adv_router, lsa->lsdb);
233
234 if (lsa_in_db && lsa_in_db->tobe_acknowledged) {
235 ospf6_lsa_unlock(lsa);
** CID 1505419: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2454 in ospf6_make_lsupdate_list()
/ospf6d/ospf6_message.c: 2454 in ospf6_make_lsupdate_list()
________________________________________________________________________________________________________
*** CID 1505419: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2454 in ospf6_make_lsupdate_list()
2448 struct ospf6_lsa *lsa, *lsanext;
2449
2450 /* skip over fixed header */
2451 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2452
2453 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
>>> CID 1505419: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2454 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2455 + OSPF6_HEADER_SIZE)
2456 > ospf6_packet_max(on->ospf6_if)) {
2457 ospf6_fill_header(on->ospf6_if, (*op)->s,
2458 length + OSPF6_HEADER_SIZE);
2459 (*op)->length = length + OSPF6_HEADER_SIZE;
/ospf6d/ospf6_message.c: 2454 in ospf6_make_lsupdate_list()
2448 struct ospf6_lsa *lsa, *lsanext;
2449
2450 /* skip over fixed header */
2451 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2452
2453 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
>>> CID 1505419: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2454 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2455 + OSPF6_HEADER_SIZE)
2456 > ospf6_packet_max(on->ospf6_if)) {
2457 ospf6_fill_header(on->ospf6_if, (*op)->s,
2458 length + OSPF6_HEADER_SIZE);
2459 (*op)->length = length + OSPF6_HEADER_SIZE;
/ospf6d/ospf6_message.c: 2453 in ospf6_make_lsupdate_list()
2447 uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2448 struct ospf6_lsa *lsa, *lsanext;
2449
2450 /* skip over fixed header */
2451 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2452
>>> CID 1505419: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2453 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
2454 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2455 + OSPF6_HEADER_SIZE)
2456 > ospf6_packet_max(on->ospf6_if)) {
2457 ospf6_fill_header(on->ospf6_if, (*op)->s,
2458 length + OSPF6_HEADER_SIZE);
/ospf6d/ospf6_message.c: 2453 in ospf6_make_lsupdate_list()
2447 uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2448 struct ospf6_lsa *lsa, *lsanext;
2449
2450 /* skip over fixed header */
2451 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2452
>>> CID 1505419: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2453 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
2454 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2455 + OSPF6_HEADER_SIZE)
2456 > ospf6_packet_max(on->ospf6_if)) {
2457 ospf6_fill_header(on->ospf6_if, (*op)->s,
2458 length + OSPF6_HEADER_SIZE);
** CID 1505418: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2284 in ospf6_make_lsreq()
/ospf6d/ospf6_message.c: 2284 in ospf6_make_lsreq()
________________________________________________________________________________________________________
*** CID 1505418: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2278 in ospf6_make_lsreq()
2272 uint16_t length = 0;
2273 struct ospf6_lsa *lsa, *lsanext, *last_req = NULL;
2274
2275 for (ALL_LSDB(on->request_list, lsa, lsanext)) {
2276 if ((length + OSPF6_HEADER_SIZE)
2277 > ospf6_packet_max(on->ospf6_if)) {
>>> CID 1505418: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2278 ospf6_lsa_unlock(lsa);
2279 if (lsanext)
2280 ospf6_lsa_unlock(lsanext);
2281 break;
2282 }
2283 stream_putw(s, 0); /* reserved */
/ospf6d/ospf6_message.c: 2278 in ospf6_make_lsreq()
2272 uint16_t length = 0;
2273 struct ospf6_lsa *lsa, *lsanext, *last_req = NULL;
2274
2275 for (ALL_LSDB(on->request_list, lsa, lsanext)) {
2276 if ((length + OSPF6_HEADER_SIZE)
2277 > ospf6_packet_max(on->ospf6_if)) {
>>> CID 1505418: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2278 ospf6_lsa_unlock(lsa);
2279 if (lsanext)
2280 ospf6_lsa_unlock(lsanext);
2281 break;
2282 }
2283 stream_putw(s, 0); /* reserved */
/ospf6d/ospf6_message.c: 2284 in ospf6_make_lsreq()
2278 ospf6_lsa_unlock(lsa);
2279 if (lsanext)
2280 ospf6_lsa_unlock(lsanext);
2281 break;
2282 }
2283 stream_putw(s, 0); /* reserved */
>>> CID 1505418: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2284 stream_putw(s, ntohs(lsa->header->type));
2285 stream_putl(s, ntohl(lsa->header->id));
2286 stream_putl(s, ntohl(lsa->header->adv_router));
2287 length += sizeof(struct ospf6_lsreq_entry);
2288 last_req = lsa;
2289 }
/ospf6d/ospf6_message.c: 2284 in ospf6_make_lsreq()
2278 ospf6_lsa_unlock(lsa);
2279 if (lsanext)
2280 ospf6_lsa_unlock(lsanext);
2281 break;
2282 }
2283 stream_putw(s, 0); /* reserved */
>>> CID 1505418: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2284 stream_putw(s, ntohs(lsa->header->type));
2285 stream_putl(s, ntohl(lsa->header->id));
2286 stream_putl(s, ntohl(lsa->header->adv_router));
2287 length += sizeof(struct ospf6_lsreq_entry);
2288 last_req = lsa;
2289 }
** CID 1505417: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2492 in ospf6_make_ls_retrans_list()
/ospf6d/ospf6_message.c: 2492 in ospf6_make_ls_retrans_list()
________________________________________________________________________________________________________
*** CID 1505417: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2492 in ospf6_make_ls_retrans_list()
2486 struct ospf6_lsa *lsa, *lsanext;
2487
2488 /* skip over fixed header */
2489 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2490
2491 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
>>> CID 1505417: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2492 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2493 + OSPF6_HEADER_SIZE)
2494 > ospf6_packet_max(on->ospf6_if)) {
2495 ospf6_fill_header(on->ospf6_if, (*op)->s,
2496 length + OSPF6_HEADER_SIZE);
2497 (*op)->length = length + OSPF6_HEADER_SIZE;
/ospf6d/ospf6_message.c: 2492 in ospf6_make_ls_retrans_list()
2486 struct ospf6_lsa *lsa, *lsanext;
2487
2488 /* skip over fixed header */
2489 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2490
2491 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
>>> CID 1505417: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2492 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2493 + OSPF6_HEADER_SIZE)
2494 > ospf6_packet_max(on->ospf6_if)) {
2495 ospf6_fill_header(on->ospf6_if, (*op)->s,
2496 length + OSPF6_HEADER_SIZE);
2497 (*op)->length = length + OSPF6_HEADER_SIZE;
** CID 1505415: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1505415: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2295 in ospf6_make_lsreq()
2289 }
2290
2291 if (last_req != NULL) {
2292 if (on->last_ls_req != NULL)
2293 on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req);
2294
>>> CID 1505415: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
2295 ospf6_lsa_lock(last_req);
2296 on->last_ls_req = last_req;
2297 }
2298
2299 return length;
2300 }
/ospf6d/ospf6_message.c: 2295 in ospf6_make_lsreq()
2289 }
2290
2291 if (last_req != NULL) {
2292 if (on->last_ls_req != NULL)
2293 on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req);
2294
>>> CID 1505415: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
2295 ospf6_lsa_lock(last_req);
2296 on->last_ls_req = last_req;
2297 }
2298
2299 return length;
2300 }
** CID 1505414: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1505414: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2158 in ospf6_make_dbdesc()
2152 stream_putc(s, on->dbdesc_bits);
2153 stream_putl(s, on->dbdesc_seqnum);
2154
2155 /* if this is not initial one, set LSA headers in dbdesc */
2156 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) {
2157 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
>>> CID 1505414: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2158 ospf6_lsa_age_update_to_send(lsa,
2159 on->ospf6_if->transdelay);
2160
2161 /* MTU check */
2162 if ((length + sizeof(struct ospf6_lsa_header)
2163 + OSPF6_HEADER_SIZE)
/ospf6d/ospf6_message.c: 2158 in ospf6_make_dbdesc()
2152 stream_putc(s, on->dbdesc_bits);
2153 stream_putl(s, on->dbdesc_seqnum);
2154
2155 /* if this is not initial one, set LSA headers in dbdesc */
2156 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) {
2157 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
>>> CID 1505414: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2158 ospf6_lsa_age_update_to_send(lsa,
2159 on->ospf6_if->transdelay);
2160
2161 /* MTU check */
2162 if ((length + sizeof(struct ospf6_lsa_header)
2163 + OSPF6_HEADER_SIZE)
** CID 1505412: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1505412: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2757 in ospf6_make_lsack_interface()
2751 static uint16_t ospf6_make_lsack_interface(struct ospf6_interface *oi,
2752 struct ospf6_packet *op)
2753 {
2754 uint16_t length = 0;
2755 struct ospf6_lsa *lsa, *lsanext;
2756
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2757 for (ALL_LSDB(oi->lsack_list, lsa, lsanext)) {
2758 if ((length + sizeof(struct ospf6_lsa_header)
2759 + OSPF6_HEADER_SIZE)
2760 > ospf6_packet_max(oi)) {
2761 /* if we run out of packet size/space here,
2762 better to try again soon. */
/ospf6d/ospf6_message.c: 2772 in ospf6_make_lsack_interface()
2766
2767 ospf6_lsa_unlock(lsa);
2768 if (lsanext)
2769 ospf6_lsa_unlock(lsanext);
2770 break;
2771 }
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2772 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2773 stream_put(op->s, lsa->header, sizeof(struct ospf6_lsa_header));
2774 length += sizeof(struct ospf6_lsa_header);
2775
2776 assert(lsa->lock == 2);
2777 ospf6_lsdb_remove(lsa, oi->lsack_list);
/ospf6d/ospf6_message.c: 2767 in ospf6_make_lsack_interface()
2761 /* if we run out of packet size/space here,
2762 better to try again soon. */
2763 THREAD_OFF(oi->thread_send_lsack);
2764 thread_add_event(master, ospf6_lsack_send_interface, oi,
2765 0, &oi->thread_send_lsack);
2766
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2767 ospf6_lsa_unlock(lsa);
2768 if (lsanext)
2769 ospf6_lsa_unlock(lsanext);
2770 break;
2771 }
2772 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
/ospf6d/ospf6_message.c: 2757 in ospf6_make_lsack_interface()
2751 static uint16_t ospf6_make_lsack_interface(struct ospf6_interface *oi,
2752 struct ospf6_packet *op)
2753 {
2754 uint16_t length = 0;
2755 struct ospf6_lsa *lsa, *lsanext;
2756
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2757 for (ALL_LSDB(oi->lsack_list, lsa, lsanext)) {
2758 if ((length + sizeof(struct ospf6_lsa_header)
2759 + OSPF6_HEADER_SIZE)
2760 > ospf6_packet_max(oi)) {
2761 /* if we run out of packet size/space here,
2762 better to try again soon. */
/ospf6d/ospf6_message.c: 2772 in ospf6_make_lsack_interface()
2766
2767 ospf6_lsa_unlock(lsa);
2768 if (lsanext)
2769 ospf6_lsa_unlock(lsanext);
2770 break;
2771 }
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2772 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2773 stream_put(op->s, lsa->header, sizeof(struct ospf6_lsa_header));
2774 length += sizeof(struct ospf6_lsa_header);
2775
2776 assert(lsa->lock == 2);
2777 ospf6_lsdb_remove(lsa, oi->lsack_list);
** CID 1505410: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2631 in ospf6_make_lsupdate_interface()
/ospf6d/ospf6_message.c: 2631 in ospf6_make_lsupdate_interface()
________________________________________________________________________________________________________
*** CID 1505410: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2630 in ospf6_make_lsupdate_interface()
2624 uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2625 struct ospf6_lsa *lsa, *lsanext;
2626
2627 /* skip over fixed header */
2628 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2629
>>> CID 1505410: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2630 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
2631 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2632 + OSPF6_HEADER_SIZE
2633 > ospf6_packet_max(oi)) {
2634 ospf6_fill_header(oi, (*op)->s,
2635 length + OSPF6_HEADER_SIZE);
/ospf6d/ospf6_message.c: 2631 in ospf6_make_lsupdate_interface()
2625 struct ospf6_lsa *lsa, *lsanext;
2626
2627 /* skip over fixed header */
2628 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2629
2630 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
>>> CID 1505410: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2631 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2632 + OSPF6_HEADER_SIZE
2633 > ospf6_packet_max(oi)) {
2634 ospf6_fill_header(oi, (*op)->s,
2635 length + OSPF6_HEADER_SIZE);
2636 (*op)->length = length + OSPF6_HEADER_SIZE;
/ospf6d/ospf6_message.c: 2631 in ospf6_make_lsupdate_interface()
2625 struct ospf6_lsa *lsa, *lsanext;
2626
2627 /* skip over fixed header */
2628 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2629
2630 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
>>> CID 1505410: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2631 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2632 + OSPF6_HEADER_SIZE
2633 > ospf6_packet_max(oi)) {
2634 ospf6_fill_header(oi, (*op)->s,
2635 length + OSPF6_HEADER_SIZE);
2636 (*op)->length = length + OSPF6_HEADER_SIZE;
/ospf6d/ospf6_message.c: 2630 in ospf6_make_lsupdate_interface()
2624 uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2625 struct ospf6_lsa *lsa, *lsanext;
2626
2627 /* skip over fixed header */
2628 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2629
>>> CID 1505410: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2630 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
2631 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2632 + OSPF6_HEADER_SIZE
2633 > ospf6_packet_max(oi)) {
2634 ospf6_fill_header(oi, (*op)->s,
2635 length + OSPF6_HEADER_SIZE);
** CID 1505407: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1505407: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2309 in ospf6_make_lsack_neighbor()
2303 struct ospf6_packet **op)
2304 {
2305 uint16_t length = 0;
2306 struct ospf6_lsa *lsa, *lsanext;
2307 int lsa_cnt = 0;
2308
>>> CID 1505407: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2309 for (ALL_LSDB(on->lsack_list, lsa, lsanext)) {
2310 if ((length + sizeof(struct ospf6_lsa_header)
2311 + OSPF6_HEADER_SIZE)
2312 > ospf6_packet_max(on->ospf6_if)) {
2313 /* if we run out of packet size/space here,
2314 better to try again soon. */
/ospf6d/ospf6_message.c: 2331 in ospf6_make_lsack_neighbor()
2325 ospf6_make_header(OSPF6_MESSAGE_TYPE_LSACK,
2326 on->ospf6_if, (*op)->s);
2327 length = 0;
2328 lsa_cnt = 0;
2329 }
2330 }
>>> CID 1505407: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2331 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay);
2332 stream_put((*op)->s, lsa->header,
2333 sizeof(struct ospf6_lsa_header));
2334 length += sizeof(struct ospf6_lsa_header);
2335
2336 assert(lsa->lock == 2);
/ospf6d/ospf6_message.c: 2331 in ospf6_make_lsack_neighbor()
2325 ospf6_make_header(OSPF6_MESSAGE_TYPE_LSACK,
2326 on->ospf6_if, (*op)->s);
2327 length = 0;
2328 lsa_cnt = 0;
2329 }
2330 }
>>> CID 1505407: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2331 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay);
2332 stream_put((*op)->s, lsa->header,
2333 sizeof(struct ospf6_lsa_header));
2334 length += sizeof(struct ospf6_lsa_header);
2335
2336 assert(lsa->lock == 2);
/ospf6d/ospf6_message.c: 2309 in ospf6_make_lsack_neighbor()
2303 struct ospf6_packet **op)
2304 {
2305 uint16_t length = 0;
2306 struct ospf6_lsa *lsa, *lsanext;
2307 int lsa_cnt = 0;
2308
>>> CID 1505407: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2309 for (ALL_LSDB(on->lsack_list, lsa, lsanext)) {
2310 if ((length + sizeof(struct ospf6_lsa_header)
2311 + OSPF6_HEADER_SIZE)
2312 > ospf6_packet_max(on->ospf6_if)) {
2313 /* if we run out of packet size/space here,
2314 better to try again soon. */
** CID 1504898: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1504898: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_dump.c: 591 in ospf_packet_dump()
585 ospf_packet_hello_dump(s, ntohs(ospfh->length));
586 break;
587 case OSPF_MSG_DB_DESC:
588 ospf_packet_db_desc_dump(s, ntohs(ospfh->length));
589 break;
590 case OSPF_MSG_LS_REQ:
>>> CID 1504898: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "ntohs(ospfh->length)" to a tainted sink.
591 ospf_packet_ls_req_dump(s, ntohs(ospfh->length));
592 break;
593 case OSPF_MSG_LS_UPD:
594 ospf_packet_ls_upd_dump(s, ntohs(ospfh->length));
595 break;
596 case OSPF_MSG_LS_ACK:
** CID 1504897: Memory - corruptions (OVERRUN)
/ospfd/ospf_apiserver.c: 1175 in ospf_apiserver_handle_register_event()
________________________________________________________________________________________________________
*** CID 1504897: Memory - corruptions (OVERRUN)
/ospfd/ospf_apiserver.c: 1175 in ospf_apiserver_handle_register_event()
1169 size = ntohs(msg->hdr.msglen);
1170 if (size < OSPF_MAX_LSA_SIZE) {
1171
1172 apiserv->filter = XMALLOC(MTYPE_OSPF_APISERVER_MSGFILTER, size);
1173
1174 /* copy it over. */
>>> CID 1504897: Memory - corruptions (OVERRUN)
>>> Overrunning struct type lsa_filter_type of 4 bytes by passing it to a function which accesses it at byte offset 1498 using argument "size" (which evaluates to 1499).
1175 memcpy(apiserv->filter, &rmsg->filter, size);
1176 rc = OSPF_API_OK;
1177 } else
1178 rc = OSPF_API_NOMEMORY;
1179
1180 /* Send a reply back to client with return code */
** CID 1482217: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1482217: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_packet.c: 355 in ospf_check_md5_digest()
349 EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
350 EVP_DigestFinal(ctx, digest, &md5_size);
351 EVP_MD_CTX_free(ctx);
352 #elif CRYPTO_INTERNAL
353 memset(&ctx, 0, sizeof(ctx));
354 MD5Init(&ctx);
>>> CID 1482217: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "length" to a tainted sink.
355 MD5Update(&ctx, ospfh, length);
356 MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
357 MD5Final(digest, &ctx);
358 #endif
359
360 /* compare the two */
** CID 1482211: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1482211: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_packet.c: 430 in ospf_make_md5_digest()
424 EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE);
425 EVP_DigestFinal(ctx, digest, &md5_size);
426 EVP_MD_CTX_free(ctx);
427 #elif CRYPTO_INTERNAL
428 memset(&ctx, 0, sizeof(ctx));
429 MD5Init(&ctx);
>>> CID 1482211: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "ntohs(ospfh->length)" to a tainted sink.
430 MD5Update(&ctx, ibuf, ntohs(ospfh->length));
431 MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE);
432 MD5Final(digest, &ctx);
433 #endif
434
435 /* Append md5 digest to the end of the stream. */
** CID 1482199: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1482199: Memory - corruptions (OVERRUN)
/babeld/message.c: 1277 in flushupdates()
1271 update_source(route->src, seqno, metric);
1272 last_prefix = route->src->prefix;
1273 last_plen = route->src->plen;
1274 } else {
1275 /* There's no route for this prefix. This can happen shortly
1276 after an xroute has been retracted, so send a retraction. */
>>> CID 1482199: Memory - corruptions (OVERRUN)
>>> Overrunning array "b[i].prefix" of 16 bytes by passing it to a function which accesses it at byte offset 27.
1277 really_send_update(ifp, myid, b[i].prefix, b[i].plen,
1278 myseqno, INFINITY, NULL, -1);
1279 }
1280 }
1281 schedule_flush_now(ifp);
1282 done:
** CID 1482187: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1482187: Insecure data handling (TAINTED_SCALAR)
/ospf6d/ospf6_message.c: 1580 in ospf6_lsupdate_recv()
1574
1575 /* Process LSAs */
1576 for (p = (char *)((caddr_t)lsupdate + sizeof(struct ospf6_lsupdate));
1577 p < OSPF6_MESSAGE_END(oh)
1578 && p + OSPF6_LSA_SIZE(p) <= OSPF6_MESSAGE_END(oh);
1579 p += OSPF6_LSA_SIZE(p)) {
>>> CID 1482187: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "((struct ospf6_lsa_header *)p)->length" to a tainted sink.
1580 ospf6_receive_lsa(on, (struct ospf6_lsa_header *)p);
1581 }
1582
1583 assert(p == OSPF6_MESSAGE_END(oh));
1584 }
1585
** CID 1482175: (TAINTED_SCALAR)
/ospfd/ospf_apiserver.c: 2107 in ospf_apiserver_show_info()
/ospfd/ospf_apiserver.c: 2094 in ospf_apiserver_show_info()
________________________________________________________________________________________________________
*** CID 1482175: (TAINTED_SCALAR)
/ospfd/ospf_apiserver.c: 2107 in ospf_apiserver_show_info()
2101 " Added using OSPF API: %u octets of opaque data %s",
2102 opaquelen,
2103 VALID_OPAQUE_INFO_LEN(lsa->data) ? ""
2104 : "(Invalid length?)");
2105 zlog_debug(" Opaque data: ");
2106
>>> CID 1482175: (TAINTED_SCALAR)
>>> Using tainted variable "opaquelen" as a loop boundary.
2107 for (i = 0; i < opaquelen; i++) {
2108 zlog_debug("0x%x ", olsa->data[i]);
2109 }
2110 }
2111 return;
2112 }
/ospfd/ospf_apiserver.c: 2094 in ospf_apiserver_show_info()
2088 " Added using OSPF API: %u octets of opaque data %s\n",
2089 opaquelen,
2090 VALID_OPAQUE_INFO_LEN(lsa->data) ? ""
2091 : "(Invalid length?)");
2092 vty_out(vty, " Opaque data: ");
2093
>>> CID 1482175: (TAINTED_SCALAR)
>>> Using tainted variable "opaquelen" as a loop boundary.
2094 for (i = 0; i < opaquelen; i++) {
2095 vty_out(vty, "0x%x ", olsa->data[i]);
2096 }
2097 vty_out(vty, "\n");
2098 } else {
2099 int i;
** CID 1482165: Insecure data handling (TAINTED_SCALAR)
/ospf6d/ospf6_lsa.c: 251 in ospf6_lsa_is_changed()
________________________________________________________________________________________________________
*** CID 1482165: Insecure data handling (TAINTED_SCALAR)
/ospf6d/ospf6_lsa.c: 251 in ospf6_lsa_is_changed()
245 length = OSPF6_LSA_SIZE(lsa1->header) - sizeof(struct ospf6_lsa_header);
246 /* Once upper layer verifies LSAs received, length underrun should
247 * become a warning. */
248 if (length <= 0)
249 return 0;
250
>>> CID 1482165: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "length" to a tainted sink.
251 return memcmp(OSPF6_LSA_HEADER_END(lsa1->header),
252 OSPF6_LSA_HEADER_END(lsa2->header), length);
253 }
254
255 /* ospf6 age functions */
256 /* calculate birth */
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3Dyb-e_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTwnvDH-2F0B-2BJ0JPlsg1Kj7QCTMkMkcIUfxj0sFvrsJZT23SFMdAZaeVGdd5liYQU1HsZaFcIEp-2BlN4-2B3BHnmvzBlfg-2BQ4wEjPh7YqAq-2Be5rFzrRVGmDM9DfBewFkpUrLPeeL-2FuPb9rjrokFFapNV8ZRwNJNyed6g6a68Vq-2FaFkEumKLhggBZ760TL4S1CPmLk3g-3D