New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Mon Sep 20 13:58:45 UTC 2021
Hi,
Please find below the latest report on new defect(s) introduced to freerangerouting/frr, as found with Coverity Scan.
39 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, was marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 39 defect(s)
** CID 1506514: Insecure data handling (TAINTED_SCALAR)
/ospf6d/ospf6_gr_helper.c: 1238 in ospf6_grace_lsa_show_info()
________________________________________________________________________________________________________
*** CID 1506514: Insecure data handling (TAINTED_SCALAR)
/ospf6d/ospf6_gr_helper.c: 1238 in ospf6_grace_lsa_show_info()
1232 if (!use_json)
1233 vty_out(vty, "TLV info:\n");
1234 } else {
1235 zlog_debug(" TLV info:");
1236 }
1237
>>> CID 1506514: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "length" as a loop boundary.
1238 for (tlvh = TLV_HDR_TOP(lsah); sum < length;
1239 tlvh = TLV_HDR_NEXT(tlvh)) {
1240 switch (ntohs(tlvh->type)) {
1241 case GRACE_PERIOD_TYPE:
1242 gracePeriod = (struct grace_tlv_graceperiod *)tlvh;
1243 sum += TLV_SIZE(tlvh);
** CID 1506513: Insecure data handling (TAINTED_SCALAR)
/ospf6d/ospf6_gr_helper.c: 160 in ospf6_extract_grace_lsa_fields()
________________________________________________________________________________________________________
*** CID 1506513: Insecure data handling (TAINTED_SCALAR)
/ospf6d/ospf6_gr_helper.c: 160 in ospf6_extract_grace_lsa_fields()
154 int sum = 0;
155
156 lsah = (struct ospf6_lsa_header *)lsa->header;
157
158 length = ntohs(lsah->length) - OSPF6_LSA_HEADER_SIZE;
159
>>> CID 1506513: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "length" as a loop boundary.
160 for (tlvh = TLV_HDR_TOP(lsah); sum < length;
161 tlvh = TLV_HDR_NEXT(tlvh)) {
162 switch (ntohs(tlvh->type)) {
163 case GRACE_PERIOD_TYPE:
164 gracePeriod = (struct grace_tlv_graceperiod *)tlvh;
165 *interval = ntohl(gracePeriod->interval);
** CID 1506512: (USE_AFTER_FREE)
/ospf6d/ospf6_gr_helper.c: 232 in ospf6_check_chg_in_rxmt_list()
/ospf6d/ospf6_gr_helper.c: 232 in ospf6_check_chg_in_rxmt_list()
________________________________________________________________________________________________________
*** CID 1506512: (USE_AFTER_FREE)
/ospf6d/ospf6_gr_helper.c: 232 in ospf6_check_chg_in_rxmt_list()
226 for (ALL_LSDB(nbr->retrans_list, lsa, lsanext)) {
227 struct ospf6_lsa *lsa_in_db = NULL;
228
229 /* Fetching the same copy of LSA form LSDB to validate the
230 * topochange.
231 */
>>> CID 1506512: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
232 lsa_in_db =
233 ospf6_lsdb_lookup(lsa->header->type, lsa->header->id,
234 lsa->header->adv_router, lsa->lsdb);
235
236 if (lsa_in_db && lsa_in_db->tobe_acknowledged) {
237 ospf6_lsa_unlock(lsa);
/ospf6d/ospf6_gr_helper.c: 232 in ospf6_check_chg_in_rxmt_list()
226 for (ALL_LSDB(nbr->retrans_list, lsa, lsanext)) {
227 struct ospf6_lsa *lsa_in_db = NULL;
228
229 /* Fetching the same copy of LSA form LSDB to validate the
230 * topochange.
231 */
>>> CID 1506512: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
232 lsa_in_db =
233 ospf6_lsdb_lookup(lsa->header->type, lsa->header->id,
234 lsa->header->adv_router, lsa->lsdb);
235
236 if (lsa_in_db && lsa_in_db->tobe_acknowledged) {
237 ospf6_lsa_unlock(lsa);
** CID 1505419: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2459 in ospf6_make_lsupdate_list()
/ospf6d/ospf6_message.c: 2459 in ospf6_make_lsupdate_list()
________________________________________________________________________________________________________
*** CID 1505419: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2458 in ospf6_make_lsupdate_list()
2452 uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2453 struct ospf6_lsa *lsa, *lsanext;
2454
2455 /* skip over fixed header */
2456 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2457
>>> CID 1505419: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2458 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
2459 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2460 + OSPF6_HEADER_SIZE)
2461 > ospf6_packet_max(on->ospf6_if)) {
2462 ospf6_fill_header(on->ospf6_if, (*op)->s,
2463 length + OSPF6_HEADER_SIZE);
/ospf6d/ospf6_message.c: 2459 in ospf6_make_lsupdate_list()
2453 struct ospf6_lsa *lsa, *lsanext;
2454
2455 /* skip over fixed header */
2456 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2457
2458 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
>>> CID 1505419: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2459 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2460 + OSPF6_HEADER_SIZE)
2461 > ospf6_packet_max(on->ospf6_if)) {
2462 ospf6_fill_header(on->ospf6_if, (*op)->s,
2463 length + OSPF6_HEADER_SIZE);
2464 (*op)->length = length + OSPF6_HEADER_SIZE;
/ospf6d/ospf6_message.c: 2458 in ospf6_make_lsupdate_list()
2452 uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2453 struct ospf6_lsa *lsa, *lsanext;
2454
2455 /* skip over fixed header */
2456 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2457
>>> CID 1505419: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2458 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
2459 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2460 + OSPF6_HEADER_SIZE)
2461 > ospf6_packet_max(on->ospf6_if)) {
2462 ospf6_fill_header(on->ospf6_if, (*op)->s,
2463 length + OSPF6_HEADER_SIZE);
/ospf6d/ospf6_message.c: 2459 in ospf6_make_lsupdate_list()
2453 struct ospf6_lsa *lsa, *lsanext;
2454
2455 /* skip over fixed header */
2456 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2457
2458 for (ALL_LSDB(on->lsupdate_list, lsa, lsanext)) {
>>> CID 1505419: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2459 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2460 + OSPF6_HEADER_SIZE)
2461 > ospf6_packet_max(on->ospf6_if)) {
2462 ospf6_fill_header(on->ospf6_if, (*op)->s,
2463 length + OSPF6_HEADER_SIZE);
2464 (*op)->length = length + OSPF6_HEADER_SIZE;
** CID 1505418: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2288 in ospf6_make_lsreq()
/ospf6d/ospf6_message.c: 2288 in ospf6_make_lsreq()
________________________________________________________________________________________________________
*** CID 1505418: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2282 in ospf6_make_lsreq()
2276 uint16_t length = 0;
2277 struct ospf6_lsa *lsa, *lsanext, *last_req = NULL;
2278
2279 for (ALL_LSDB(on->request_list, lsa, lsanext)) {
2280 if ((length + OSPF6_HEADER_SIZE)
2281 > ospf6_packet_max(on->ospf6_if)) {
>>> CID 1505418: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2282 ospf6_lsa_unlock(lsa);
2283 if (lsanext)
2284 ospf6_lsa_unlock(lsanext);
2285 break;
2286 }
2287 stream_putw(s, 0); /* reserved */
/ospf6d/ospf6_message.c: 2282 in ospf6_make_lsreq()
2276 uint16_t length = 0;
2277 struct ospf6_lsa *lsa, *lsanext, *last_req = NULL;
2278
2279 for (ALL_LSDB(on->request_list, lsa, lsanext)) {
2280 if ((length + OSPF6_HEADER_SIZE)
2281 > ospf6_packet_max(on->ospf6_if)) {
>>> CID 1505418: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2282 ospf6_lsa_unlock(lsa);
2283 if (lsanext)
2284 ospf6_lsa_unlock(lsanext);
2285 break;
2286 }
2287 stream_putw(s, 0); /* reserved */
/ospf6d/ospf6_message.c: 2288 in ospf6_make_lsreq()
2282 ospf6_lsa_unlock(lsa);
2283 if (lsanext)
2284 ospf6_lsa_unlock(lsanext);
2285 break;
2286 }
2287 stream_putw(s, 0); /* reserved */
>>> CID 1505418: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2288 stream_putw(s, ntohs(lsa->header->type));
2289 stream_putl(s, ntohl(lsa->header->id));
2290 stream_putl(s, ntohl(lsa->header->adv_router));
2291 length += sizeof(struct ospf6_lsreq_entry);
2292 last_req = lsa;
2293 }
/ospf6d/ospf6_message.c: 2288 in ospf6_make_lsreq()
2282 ospf6_lsa_unlock(lsa);
2283 if (lsanext)
2284 ospf6_lsa_unlock(lsanext);
2285 break;
2286 }
2287 stream_putw(s, 0); /* reserved */
>>> CID 1505418: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2288 stream_putw(s, ntohs(lsa->header->type));
2289 stream_putl(s, ntohl(lsa->header->id));
2290 stream_putl(s, ntohl(lsa->header->adv_router));
2291 length += sizeof(struct ospf6_lsreq_entry);
2292 last_req = lsa;
2293 }
** CID 1505417: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2497 in ospf6_make_ls_retrans_list()
/ospf6d/ospf6_message.c: 2497 in ospf6_make_ls_retrans_list()
________________________________________________________________________________________________________
*** CID 1505417: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2497 in ospf6_make_ls_retrans_list()
2491 struct ospf6_lsa *lsa, *lsanext;
2492
2493 /* skip over fixed header */
2494 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2495
2496 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
>>> CID 1505417: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2497 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2498 + OSPF6_HEADER_SIZE)
2499 > ospf6_packet_max(on->ospf6_if)) {
2500 ospf6_fill_header(on->ospf6_if, (*op)->s,
2501 length + OSPF6_HEADER_SIZE);
2502 (*op)->length = length + OSPF6_HEADER_SIZE;
/ospf6d/ospf6_message.c: 2497 in ospf6_make_ls_retrans_list()
2491 struct ospf6_lsa *lsa, *lsanext;
2492
2493 /* skip over fixed header */
2494 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2495
2496 for (ALL_LSDB(on->retrans_list, lsa, lsanext)) {
>>> CID 1505417: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2497 if ((length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2498 + OSPF6_HEADER_SIZE)
2499 > ospf6_packet_max(on->ospf6_if)) {
2500 ospf6_fill_header(on->ospf6_if, (*op)->s,
2501 length + OSPF6_HEADER_SIZE);
2502 (*op)->length = length + OSPF6_HEADER_SIZE;
** CID 1505415: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1505415: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2299 in ospf6_make_lsreq()
2293 }
2294
2295 if (last_req != NULL) {
2296 if (on->last_ls_req != NULL)
2297 on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req);
2298
>>> CID 1505415: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
2299 ospf6_lsa_lock(last_req);
2300 on->last_ls_req = last_req;
2301 }
2302
2303 return length;
2304 }
/ospf6d/ospf6_message.c: 2299 in ospf6_make_lsreq()
2293 }
2294
2295 if (last_req != NULL) {
2296 if (on->last_ls_req != NULL)
2297 on->last_ls_req = ospf6_lsa_unlock(on->last_ls_req);
2298
>>> CID 1505415: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_lock" dereferences freed pointer "last_req".
2299 ospf6_lsa_lock(last_req);
2300 on->last_ls_req = last_req;
2301 }
2302
2303 return length;
2304 }
** CID 1505414: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1505414: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2162 in ospf6_make_dbdesc()
2156 stream_putc(s, on->dbdesc_bits);
2157 stream_putl(s, on->dbdesc_seqnum);
2158
2159 /* if this is not initial one, set LSA headers in dbdesc */
2160 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) {
2161 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
>>> CID 1505414: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2162 ospf6_lsa_age_update_to_send(lsa,
2163 on->ospf6_if->transdelay);
2164
2165 /* MTU check */
2166 if ((length + sizeof(struct ospf6_lsa_header)
2167 + OSPF6_HEADER_SIZE)
/ospf6d/ospf6_message.c: 2162 in ospf6_make_dbdesc()
2156 stream_putc(s, on->dbdesc_bits);
2157 stream_putl(s, on->dbdesc_seqnum);
2158
2159 /* if this is not initial one, set LSA headers in dbdesc */
2160 if (!CHECK_FLAG(on->dbdesc_bits, OSPF6_DBDESC_IBIT)) {
2161 for (ALL_LSDB(on->dbdesc_list, lsa, lsanext)) {
>>> CID 1505414: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2162 ospf6_lsa_age_update_to_send(lsa,
2163 on->ospf6_if->transdelay);
2164
2165 /* MTU check */
2166 if ((length + sizeof(struct ospf6_lsa_header)
2167 + OSPF6_HEADER_SIZE)
** CID 1505412: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1505412: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2765 in ospf6_make_lsack_interface()
2759 static uint16_t ospf6_make_lsack_interface(struct ospf6_interface *oi,
2760 struct ospf6_packet *op)
2761 {
2762 uint16_t length = 0;
2763 struct ospf6_lsa *lsa, *lsanext;
2764
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2765 for (ALL_LSDB(oi->lsack_list, lsa, lsanext)) {
2766 if ((length + sizeof(struct ospf6_lsa_header)
2767 + OSPF6_HEADER_SIZE)
2768 > ospf6_packet_max(oi)) {
2769 /* if we run out of packet size/space here,
2770 better to try again soon. */
/ospf6d/ospf6_message.c: 2775 in ospf6_make_lsack_interface()
2769 /* if we run out of packet size/space here,
2770 better to try again soon. */
2771 THREAD_OFF(oi->thread_send_lsack);
2772 thread_add_event(master, ospf6_lsack_send_interface, oi,
2773 0, &oi->thread_send_lsack);
2774
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2775 ospf6_lsa_unlock(lsa);
2776 if (lsanext)
2777 ospf6_lsa_unlock(lsanext);
2778 break;
2779 }
2780 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
/ospf6d/ospf6_message.c: 2780 in ospf6_make_lsack_interface()
2774
2775 ospf6_lsa_unlock(lsa);
2776 if (lsanext)
2777 ospf6_lsa_unlock(lsanext);
2778 break;
2779 }
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2780 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2781 stream_put(op->s, lsa->header, sizeof(struct ospf6_lsa_header));
2782 length += sizeof(struct ospf6_lsa_header);
2783
2784 assert(lsa->lock == 2);
2785 ospf6_lsdb_remove(lsa, oi->lsack_list);
/ospf6d/ospf6_message.c: 2780 in ospf6_make_lsack_interface()
2774
2775 ospf6_lsa_unlock(lsa);
2776 if (lsanext)
2777 ospf6_lsa_unlock(lsanext);
2778 break;
2779 }
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2780 ospf6_lsa_age_update_to_send(lsa, oi->transdelay);
2781 stream_put(op->s, lsa->header, sizeof(struct ospf6_lsa_header));
2782 length += sizeof(struct ospf6_lsa_header);
2783
2784 assert(lsa->lock == 2);
2785 ospf6_lsdb_remove(lsa, oi->lsack_list);
/ospf6d/ospf6_message.c: 2765 in ospf6_make_lsack_interface()
2759 static uint16_t ospf6_make_lsack_interface(struct ospf6_interface *oi,
2760 struct ospf6_packet *op)
2761 {
2762 uint16_t length = 0;
2763 struct ospf6_lsa *lsa, *lsanext;
2764
>>> CID 1505412: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2765 for (ALL_LSDB(oi->lsack_list, lsa, lsanext)) {
2766 if ((length + sizeof(struct ospf6_lsa_header)
2767 + OSPF6_HEADER_SIZE)
2768 > ospf6_packet_max(oi)) {
2769 /* if we run out of packet size/space here,
2770 better to try again soon. */
** CID 1505410: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2638 in ospf6_make_lsupdate_interface()
/ospf6d/ospf6_message.c: 2638 in ospf6_make_lsupdate_interface()
________________________________________________________________________________________________________
*** CID 1505410: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2637 in ospf6_make_lsupdate_interface()
2631 uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2632 struct ospf6_lsa *lsa, *lsanext;
2633
2634 /* skip over fixed header */
2635 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2636
>>> CID 1505410: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2637 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
2638 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2639 + OSPF6_HEADER_SIZE
2640 > ospf6_packet_max(oi)) {
2641 ospf6_fill_header(oi, (*op)->s,
2642 length + OSPF6_HEADER_SIZE);
/ospf6d/ospf6_message.c: 2637 in ospf6_make_lsupdate_interface()
2631 uint16_t length = OSPF6_LS_UPD_MIN_SIZE;
2632 struct ospf6_lsa *lsa, *lsanext;
2633
2634 /* skip over fixed header */
2635 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2636
>>> CID 1505410: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2637 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
2638 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2639 + OSPF6_HEADER_SIZE
2640 > ospf6_packet_max(oi)) {
2641 ospf6_fill_header(oi, (*op)->s,
2642 length + OSPF6_HEADER_SIZE);
/ospf6d/ospf6_message.c: 2638 in ospf6_make_lsupdate_interface()
2632 struct ospf6_lsa *lsa, *lsanext;
2633
2634 /* skip over fixed header */
2635 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2636
2637 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
>>> CID 1505410: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2638 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2639 + OSPF6_HEADER_SIZE
2640 > ospf6_packet_max(oi)) {
2641 ospf6_fill_header(oi, (*op)->s,
2642 length + OSPF6_HEADER_SIZE);
2643 (*op)->length = length + OSPF6_HEADER_SIZE;
/ospf6d/ospf6_message.c: 2638 in ospf6_make_lsupdate_interface()
2632 struct ospf6_lsa *lsa, *lsanext;
2633
2634 /* skip over fixed header */
2635 stream_forward_endp((*op)->s, OSPF6_LS_UPD_MIN_SIZE);
2636
2637 for (ALL_LSDB(oi->lsupdate_list, lsa, lsanext)) {
>>> CID 1505410: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "lsa".
2638 if (length + (unsigned int)OSPF6_LSA_SIZE(lsa->header)
2639 + OSPF6_HEADER_SIZE
2640 > ospf6_packet_max(oi)) {
2641 ospf6_fill_header(oi, (*op)->s,
2642 length + OSPF6_HEADER_SIZE);
2643 (*op)->length = length + OSPF6_HEADER_SIZE;
** CID 1505407: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1505407: (USE_AFTER_FREE)
/ospf6d/ospf6_message.c: 2313 in ospf6_make_lsack_neighbor()
2307 struct ospf6_packet **op)
2308 {
2309 uint16_t length = 0;
2310 struct ospf6_lsa *lsa, *lsanext;
2311 int lsa_cnt = 0;
2312
>>> CID 1505407: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2313 for (ALL_LSDB(on->lsack_list, lsa, lsanext)) {
2314 if ((length + sizeof(struct ospf6_lsa_header)
2315 + OSPF6_HEADER_SIZE)
2316 > ospf6_packet_max(on->ospf6_if)) {
2317 /* if we run out of packet size/space here,
2318 better to try again soon. */
/ospf6d/ospf6_message.c: 2313 in ospf6_make_lsack_neighbor()
2307 struct ospf6_packet **op)
2308 {
2309 uint16_t length = 0;
2310 struct ospf6_lsa *lsa, *lsanext;
2311 int lsa_cnt = 0;
2312
>>> CID 1505407: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_unlock" dereferences freed pointer "lsa".
2313 for (ALL_LSDB(on->lsack_list, lsa, lsanext)) {
2314 if ((length + sizeof(struct ospf6_lsa_header)
2315 + OSPF6_HEADER_SIZE)
2316 > ospf6_packet_max(on->ospf6_if)) {
2317 /* if we run out of packet size/space here,
2318 better to try again soon. */
/ospf6d/ospf6_message.c: 2335 in ospf6_make_lsack_neighbor()
2329 ospf6_make_header(OSPF6_MESSAGE_TYPE_LSACK,
2330 on->ospf6_if, (*op)->s);
2331 length = 0;
2332 lsa_cnt = 0;
2333 }
2334 }
>>> CID 1505407: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2335 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay);
2336 stream_put((*op)->s, lsa->header,
2337 sizeof(struct ospf6_lsa_header));
2338 length += sizeof(struct ospf6_lsa_header);
2339
2340 assert(lsa->lock == 2);
/ospf6d/ospf6_message.c: 2335 in ospf6_make_lsack_neighbor()
2329 ospf6_make_header(OSPF6_MESSAGE_TYPE_LSACK,
2330 on->ospf6_if, (*op)->s);
2331 length = 0;
2332 lsa_cnt = 0;
2333 }
2334 }
>>> CID 1505407: (USE_AFTER_FREE)
>>> Calling "ospf6_lsa_age_update_to_send" dereferences freed pointer "lsa".
2335 ospf6_lsa_age_update_to_send(lsa, on->ospf6_if->transdelay);
2336 stream_put((*op)->s, lsa->header,
2337 sizeof(struct ospf6_lsa_header));
2338 length += sizeof(struct ospf6_lsa_header);
2339
2340 assert(lsa->lock == 2);
** CID 1504898: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1504898: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_dump.c: 585 in ospf_packet_dump()
579 ospf_packet_hello_dump(s, ntohs(ospfh->length));
580 break;
581 case OSPF_MSG_DB_DESC:
582 ospf_packet_db_desc_dump(s, ntohs(ospfh->length));
583 break;
584 case OSPF_MSG_LS_REQ:
>>> CID 1504898: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "ntohs(ospfh->length)" to a tainted sink.
585 ospf_packet_ls_req_dump(s, ntohs(ospfh->length));
586 break;
587 case OSPF_MSG_LS_UPD:
588 ospf_packet_ls_upd_dump(s, ntohs(ospfh->length));
589 break;
590 case OSPF_MSG_LS_ACK:
** CID 1504897: Memory - corruptions (OVERRUN)
/ospfd/ospf_apiserver.c: 1175 in ospf_apiserver_handle_register_event()
________________________________________________________________________________________________________
*** CID 1504897: Memory - corruptions (OVERRUN)
/ospfd/ospf_apiserver.c: 1175 in ospf_apiserver_handle_register_event()
1169 size = ntohs(msg->hdr.msglen);
1170 if (size < OSPF_MAX_LSA_SIZE) {
1171
1172 apiserv->filter = XMALLOC(MTYPE_OSPF_APISERVER_MSGFILTER, size);
1173
1174 /* copy it over. */
>>> CID 1504897: Memory - corruptions (OVERRUN)
>>> Overrunning struct type lsa_filter_type of 4 bytes by passing it to a function which accesses it at byte offset 1498 using argument "size" (which evaluates to 1499).
1175 memcpy(apiserv->filter, &rmsg->filter, size);
1176 rc = OSPF_API_OK;
1177 } else
1178 rc = OSPF_API_NOMEMORY;
1179
1180 /* Send a reply back to client with return code */
** CID 1504585: Insecure data handling (TAINTED_SCALAR)
/ospfclient/ospf_apiclient.c: 334 in ospf_apiclient_send_request()
________________________________________________________________________________________________________
*** CID 1504585: Insecure data handling (TAINTED_SCALAR)
/ospfclient/ospf_apiclient.c: 334 in ospf_apiclient_send_request()
328 /* Wait for reply */ /* NB: New "msg" is allocated by "msg_read()". */
329 msg = msg_read(oclient->fd_sync);
330 if (!msg)
331 return -1;
332
333 assert(msg->hdr.msgtype == MSG_REPLY);
>>> CID 1504585: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "reqseq" as a loop boundary.
334 assert(ntohl(msg->hdr.msgseq) == reqseq);
335
336 msgreply = (struct msg_reply *)STREAM_DATA(msg->s);
337 rc = msgreply->errcode;
338 msg_free(msg);
339
** CID 1497888: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 623 in ospf_apiclient_handle_lsa_delete()
________________________________________________________________________________________________________
*** CID 1497888: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 623 in ospf_apiclient_handle_lsa_delete()
617 __func__, lsalen, OSPF_MAX_LSA_SIZE);
618 return;
619 }
620
621 p = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
622
>>> CID 1497888: Memory - corruptions (OVERRUN)
>>> Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500).
623 memcpy(p, &(cn->data), lsalen);
624 lsa = p;
625
626 /* Invoke registered update callback function */
627 if (oclient->delete_notify) {
628 (oclient->delete_notify)(cn->ifaddr, cn->area_id,
** CID 1497886: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 588 in ospf_apiclient_handle_lsa_update()
________________________________________________________________________________________________________
*** CID 1497886: Memory - corruptions (OVERRUN)
/ospfclient/ospf_apiclient.c: 588 in ospf_apiclient_handle_lsa_update()
582 __func__, lsalen, OSPF_MAX_LSA_SIZE);
583 return;
584 }
585
586 p = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
587
>>> CID 1497886: Memory - corruptions (OVERRUN)
>>> Overrunning struct type lsa_header of 20 bytes by passing it to a function which accesses it at byte offset 1499 using argument "lsalen" (which evaluates to 1500).
588 memcpy(p, &(cn->data), lsalen);
589 lsa = p;
590
591 /* Invoke registered update callback function */
592 if (oclient->update_notify) {
593 (oclient->update_notify)(cn->ifaddr, cn->area_id,
** CID 1485637: Incorrect expression (SIZEOF_MISMATCH)
/qpb/qpb_allocator.h: 57 in qpb_alloc_ptr_array()
________________________________________________________________________________________________________
*** CID 1485637: Incorrect expression (SIZEOF_MISMATCH)
/qpb/qpb_allocator.h: 57 in qpb_alloc_ptr_array()
51 *
52 * Allocate space for the specified number of pointers.
53 */
54 static inline void *qpb_alloc_ptr_array(qpb_allocator_t *allocator,
55 size_t num_ptrs)
56 {
>>> CID 1485637: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "num_ptrs * 8UL /* sizeof (void *) */" to function "qpb_alloc" which returns a value of type "void *" is suspicious.
57 return qpb_alloc(allocator, num_ptrs * sizeof(void *));
58 }
59
60 /*
61 * qpb_free
62 */
** CID 1485635: Incorrect expression (SIZEOF_MISMATCH)
/qpb/qpb.h: 124 in qpb__l3_prefix__get()
________________________________________________________________________________________________________
*** CID 1485635: Incorrect expression (SIZEOF_MISMATCH)
/qpb/qpb.h: 124 in qpb__l3_prefix__get()
118 uint8_t family, struct prefix *prefix)
119 {
120
121 switch (family) {
122
123 case AF_INET:
>>> CID 1485635: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "prefix" of type "struct prefix *" and argument "16UL" ("sizeof (struct prefix_ipv4)") to function "memset" is suspicious because a multiple of "sizeof (struct prefix) /*48*/" is expected.
124 memset(prefix, 0, sizeof(struct prefix_ipv4));
125 break;
126
127 case AF_INET6:
128 memset(prefix, 0, sizeof(struct prefix_ipv6));
129 break;
** CID 1482217: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1482217: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_packet.c: 355 in ospf_check_md5_digest()
349 EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
350 EVP_DigestFinal(ctx, digest, &md5_size);
351 EVP_MD_CTX_free(ctx);
352 #elif CRYPTO_INTERNAL
353 memset(&ctx, 0, sizeof(ctx));
354 MD5Init(&ctx);
>>> CID 1482217: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "length" to a tainted sink.
355 MD5Update(&ctx, ospfh, length);
356 MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
357 MD5Final(digest, &ctx);
358 #endif
359
360 /* compare the two */
** CID 1482211: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1482211: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_packet.c: 430 in ospf_make_md5_digest()
424 EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE);
425 EVP_DigestFinal(ctx, digest, &md5_size);
426 EVP_MD_CTX_free(ctx);
427 #elif CRYPTO_INTERNAL
428 memset(&ctx, 0, sizeof(ctx));
429 MD5Init(&ctx);
>>> CID 1482211: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "ntohs(ospfh->length)" to a tainted sink.
430 MD5Update(&ctx, ibuf, ntohs(ospfh->length));
431 MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE);
432 MD5Final(digest, &ctx);
433 #endif
434
435 /* Append md5 digest to the end of the stream. */
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3Dzvwo_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTz7UkPcDR-2F9g84R6Bdm-2FI7toyD7VfPTS-2BUVyV46O9j9-2FlrPYuq-2Bfp3t1W75aEna9VuYzHflL2M3Rup7owrDOBE4mapnJnihhJd2sbcFn9njG6450POtm5aKXKd5m1JKDGZV63ngf-2Fetx22D5r0B4kCzvbri81oKUmF5h-2BKpqzbM1g-3D-3D