New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
Mon Aug 15 22:29:18 UTC 2022
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
8 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
29 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 8 of 8 defect(s)
** CID 1519848: Null pointer dereferences (FORWARD_NULL)
/pimd/pim6_mld.c: 2253 in gm_ifp_update()
________________________________________________________________________________________________________
*** CID 1519848: Null pointer dereferences (FORWARD_NULL)
/pimd/pim6_mld.c: 2253 in gm_ifp_update()
2247 }
2248
2249 if (!pim_ifp->mld)
2250 gm_start(ifp);
2251
2252 gm_ifp = pim_ifp->mld;
>>> CID 1519848: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "&gm_ifp->cur_ll_lowest" to "memcmp", which dereferences it.
2253 if (IPV6_ADDR_CMP(&pim_ifp->ll_lowest, &gm_ifp->cur_ll_lowest))
2254 gm_update_ll(ifp);
2255
2256 unsigned int cfg_query_intv = pim_ifp->gm_default_query_interval * 1000;
2257
2258 if (gm_ifp->cur_query_intv != cfg_query_intv) {
** CID 1519847: Insecure data handling (TAINTED_SCALAR)
/pimd/pim6_mld.c: 844 in gm_handle_v2_report()
________________________________________________________________________________________________________
*** CID 1519847: Insecure data handling (TAINTED_SCALAR)
/pimd/pim6_mld.c: 844 in gm_handle_v2_report()
838 pkt->iface = gm_ifp;
839 pkt->subscriber = gm_subscriber_findref(gm_ifp, pkt_src->sin6_addr);
840
841 n_records = ntohs(hdr->n_records);
842
843 /* validate & remove state in v2_pass1() */
>>> CID 1519847: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "n_records" as a loop boundary.
844 for (i = 0; i < n_records; i++) {
845 struct mld_v2_rec_hdr *rechdr;
846 size_t n_src, record_size;
847
848 if (len < sizeof(*rechdr)) {
849 zlog_warn(log_pkt_src(
** CID 1519846: (TAINTED_SCALAR)
/pimd/pim6_mld.c: 688 in gm_handle_v2_pass1()
________________________________________________________________________________________________________
*** CID 1519846: (TAINTED_SCALAR)
/pimd/pim6_mld.c: 682 in gm_handle_v2_pass1()
676 * of blocked sources from full group state records
677 */
678 return;
679 }
680
681 if (subscriber)
>>> CID 1519846: (TAINTED_SCALAR)
>>> Passing tainted expression "n_src" to "gm_packet_sg_remove_sources", which uses it as a loop boundary.
682 gm_packet_sg_remove_sources(pkt->iface, subscriber,
683 rechdr->grp, rechdr->srcs,
684 n_src, GM_SUB_POS);
685 return;
686 }
687
/pimd/pim6_mld.c: 688 in gm_handle_v2_pass1()
682 gm_packet_sg_remove_sources(pkt->iface, subscriber,
683 rechdr->grp, rechdr->srcs,
684 n_src, GM_SUB_POS);
685 return;
686 }
687
>>> CID 1519846: (TAINTED_SCALAR)
>>> Using tainted variable "n_src" as a loop boundary.
688 for (j = 0; j < n_src; j++) {
689 struct gm_sg *sg;
690
691 sg = gm_sg_find(pkt->iface, rechdr->grp, rechdr->srcs[j]);
692 if (!sg)
693 sg = gm_sg_make(pkt->iface, rechdr->grp,
/pimd/pim6_mld.c: 661 in gm_handle_v2_pass1()
655 }
656 break;
657
658 case MLD_RECTYPE_ALLOW_NEW_SOURCES:
659 if (old_grp) {
660 /* remove S,Gs from EXCLUDE, and then we're done */
>>> CID 1519846: (TAINTED_SCALAR)
>>> Passing tainted expression "n_src" to "gm_packet_sg_remove_sources", which uses it as a loop boundary.
661 gm_packet_sg_remove_sources(pkt->iface, subscriber,
662 rechdr->grp, rechdr->srcs,
663 n_src, GM_SUB_NEG);
664 return;
665 }
666 /* in INCLUDE mode => ALLOW_NEW_SOURCES is functionally
** CID 1519845: Integer handling issues (BAD_SHIFT)
/pimd/pim6_mld.c: 188 in gm_gsq_pends_add()
________________________________________________________________________________________________________
*** CID 1519845: Integer handling issues (BAD_SHIFT)
/pimd/pim6_mld.c: 188 in gm_gsq_pends_add()
182 {
183 uint32_t seed = a->s_bit ? 0x68f0eb5e : 0x156b7f19;
184
185 return jhash(&a->grp, sizeof(a->grp), seed);
186 }
187
>>> CID 1519845: Integer handling issues (BAD_SHIFT)
>>> In expression "hval >> 33 - h->hh.tabshift", right shifting by more than 31 bits has undefined behavior. The shift amount, "33 - h->hh.tabshift", is 33.
188 DECLARE_HASH(gm_gsq_pends, struct gm_gsq_pending, itm, gm_gsq_pending_cmp,
189 gm_gsq_pending_hash);
190
191 /*
192 * interface -> (S,G)
193 */
** CID 1519844: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1519844: Insecure data handling (TAINTED_SCALAR)
/pimd/pim6_mld.c: 1505 in gm_handle_query()
1499 gm_handle_q_general(gm_ifp, &timers);
1500 gm_ifp->stats.rx_query_new_general++;
1501 } else if (!ntohs(hdr->n_src)) {
1502 gm_handle_q_group(gm_ifp, &timers, hdr->grp);
1503 gm_ifp->stats.rx_query_new_group++;
1504 } else {
>>> CID 1519844: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "ntohs(hdr->n_src)" to "gm_handle_q_groupsrc", which uses it as a loop boundary.
1505 gm_handle_q_groupsrc(gm_ifp, &timers, hdr->grp, hdr->srcs,
1506 ntohs(hdr->n_src));
1507 gm_ifp->stats.rx_query_new_groupsrc++;
1508 }
1509 }
1510
** CID 1519843: (UNINIT)
________________________________________________________________________________________________________
*** CID 1519843: (UNINIT)
/pimd/pim6_mld.c: 1715 in gm_t_recv()
1709 if (pktlen < sizeof(struct icmp6_plain_hdr)) {
1710 zlog_warn(log_pkt_src("truncated packet"));
1711 gm_ifp->stats.rx_drop_malformed++;
1712 goto out_free;
1713 }
1714
>>> CID 1519843: (UNINIT)
>>> Using uninitialized value "pkt_src->sin6_addr" when calling "gm_rx_process".
1715 gm_rx_process(gm_ifp, pkt_src, &pktinfo->ipi6_addr, iov->iov_base,
1716 pktlen);
1717
1718 out_free:
1719 if (iov->iov_base != rxbuf)
1720 XFREE(MTYPE_GM_PACKET, iov->iov_base);
/pimd/pim6_mld.c: 1647 in gm_t_recv()
1641 pim->gm_rx_drop_sys++;
1642 goto out_free;
1643 }
1644
1645 struct interface *ifp;
1646
>>> CID 1519843: (UNINIT)
>>> Using uninitialized value "pkt_src->sin6_scope_id" when calling "if_lookup_by_index".
1647 ifp = if_lookup_by_index(pkt_src->sin6_scope_id, pim->vrf->vrf_id);
1648 if (!ifp || !ifp->info)
1649 goto out_free;
1650
1651 struct pim_interface *pim_ifp = ifp->info;
1652 struct gm_if *gm_ifp = pim_ifp->mld;
** CID 1519842: Integer handling issues (BAD_SHIFT)
/pimd/pim6_mld.c: 261 in gm_subscribers_add()
________________________________________________________________________________________________________
*** CID 1519842: Integer handling issues (BAD_SHIFT)
/pimd/pim6_mld.c: 261 in gm_subscribers_add()
255
256 static uint32_t gm_subscriber_hash(const struct gm_subscriber *a)
257 {
258 return jhash(&a->addr, sizeof(a->addr), 0xd0e94ad4);
259 }
260
>>> CID 1519842: Integer handling issues (BAD_SHIFT)
>>> In expression "hval >> 33 - h->hh.tabshift", right shifting by more than 31 bits has undefined behavior. The shift amount, "33 - h->hh.tabshift", is 33.
261 DECLARE_HASH(gm_subscribers, struct gm_subscriber, itm, gm_subscriber_cmp,
262 gm_subscriber_hash);
263
264 static struct gm_subscriber *gm_subscriber_findref(struct gm_if *gm_ifp,
265 pim_addr addr)
266 {
** CID 1519841: Error handling issues (CHECKED_RETURN)
/vrrpd/vrrp.c: 1248 in vrrp_socket()
________________________________________________________________________________________________________
*** CID 1519841: Error handling issues (CHECKED_RETURN)
/vrrpd/vrrp.c: 1248 in vrrp_socket()
1242 r->vr->vrid, family2str(r->family));
1243 failed = true;
1244 goto done;
1245 }
1246
1247 /* Turn off multicast loop on Tx */
>>> CID 1519841: Error handling issues (CHECKED_RETURN)
>>> Calling "setsockopt_ipv6_multicast_loop" without checking return value (as is done elsewhere 4 out of 5 times).
1248 setsockopt_ipv6_multicast_loop(r->sock_tx, 0);
1249
1250 /* Bind Rx socket to exact interface */
1251 frr_with_privs(&vrrp_privs) {
1252 ret = setsockopt(r->sock_rx, SOL_SOCKET,
1253 SO_BINDTODEVICE, r->vr->ifp->name,
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3DYOca_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTyDRpjbvhGikqqNLcQiCmC0XOiI1XB4eM55WnFKGzkJsvB4ivm3qlGrQ9DW3COgpfvB-2B3eR8-2BEnLrwWSJ6LHFFANFUDt-2BSecda6TUE2px9vnwqEDka1L7loW0KnPbkpnT0GF5Vcje888iu70InUiM3UL7b6RQKJkXvxgCZhSy3pAQ-3D-3D