New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Tue Sep 19 16:59:09 UTC 2023
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
38 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
26 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 38 defect(s)
** CID 1568213: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1568213: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_auth.c: 203 in ospf_auth_check_md5_digest()
197 EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE);
198 EVP_DigestFinal(ctx, digest, &md5_size);
199 EVP_MD_CTX_free(ctx);
200 #elif CRYPTO_INTERNAL
201 memset(&ctx, 0, sizeof(ctx));
202 MD5Init(&ctx);
>>> CID 1568213: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "length" to "md5_loop", which uses it as a loop boundary.
203 MD5Update(&ctx, ospfh, length);
204 MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE);
205 MD5Final(digest, &ctx);
206 #endif
207
208 /* compare the two */
** CID 1568212: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1568212: Insecure data handling (TAINTED_SCALAR)
/ospfd/ospf_auth.c: 254 in ospf_auth_make_md5_digest()
248 EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE);
249 EVP_DigestFinal(ctx, digest, &md5_size);
250 EVP_MD_CTX_free(ctx);
251 #elif CRYPTO_INTERNAL
252 memset(&ctx, 0, sizeof(ctx));
253 MD5Init(&ctx);
>>> CID 1568212: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "length" to "md5_loop", which uses it as a loop boundary.
254 MD5Update(&ctx, ospfh, length);
255 MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE);
256 MD5Final(digest, &ctx);
257 #endif
258
259 stream_put(op->s, digest, OSPF_AUTH_MD5_SIZE);
** CID 1568211: Integer handling issues (BAD_SHIFT)
/pimd/pim6_mld.c: 178 in gm_gsq_pends_del()
________________________________________________________________________________________________________
*** CID 1568211: Integer handling issues (BAD_SHIFT)
/pimd/pim6_mld.c: 178 in gm_gsq_pends_del()
172 {
173 uint32_t seed = a->s_bit ? 0x68f0eb5e : 0x156b7f19;
174
175 return jhash(&a->grp, sizeof(a->grp), seed);
176 }
177
>>> CID 1568211: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
178 DECLARE_HASH(gm_gsq_pends, struct gm_gsq_pending, itm, gm_gsq_pending_cmp,
179 gm_gsq_pending_hash);
180
181 /*
182 * interface -> (S,G)
183 */
** CID 1568210: Integer handling issues (BAD_SHIFT)
/vtysh/vtysh_config.c: 88 in config_master_hash_del()
________________________________________________________________________________________________________
*** CID 1568210: Integer handling issues (BAD_SHIFT)
/vtysh/vtysh_config.c: 88 in config_master_hash_del()
82 static uint32_t config_hash(const struct config *c)
83 {
84 return string_hash_make(c->name);
85 }
86
87 DECLARE_LIST(config_master, struct config, rbt_item);
>>> CID 1568210: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
88 DECLARE_HASH(config_master_hash, struct config, hash_item, config_cmp,
89 config_hash);
90
91 /*
92 * The config_master_head is a list for order of receipt
93 * The hash is for quick lookup under this NODE
** CID 1568209: Integer handling issues (BAD_SHIFT)
/lib/event.c: 105 in cpu_records_const_next()
________________________________________________________________________________________________________
*** CID 1568209: Integer handling issues (BAD_SHIFT)
/lib/event.c: 105 in cpu_records_const_next()
99 static int cpu_record_hash_cmp(const struct cpu_event_history *a,
100 const struct cpu_event_history *b)
101 {
102 return numcmp((uintptr_t)a->func, (uintptr_t)b->func);
103 }
104
>>> CID 1568209: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
105 DECLARE_HASH(cpu_records, struct cpu_event_history, item, cpu_record_hash_cmp,
106 cpu_record_hash_key);
107
108 static struct cpu_event_history *cpu_records_get(struct event_loop *loop,
109 void (*func)(struct event *e),
110 const char *funcname)
** CID 1568208: Integer handling issues (BAD_SHIFT)
/zebra/zebra_opaque.c: 54 in opq_regh_const_next()
________________________________________________________________________________________________________
*** CID 1568208: Integer handling issues (BAD_SHIFT)
/zebra/zebra_opaque.c: 54 in opq_regh_const_next()
48
49 /* Registration helper prototypes */
50 static uint32_t registration_hash(const struct opq_msg_reg *reg);
51 static int registration_compare(const struct opq_msg_reg *reg1,
52 const struct opq_msg_reg *reg2);
53
>>> CID 1568208: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
54 DECLARE_HASH(opq_regh, struct opq_msg_reg, item, registration_compare,
55 registration_hash);
56
57 static struct opq_regh_head opq_reg_hash;
58
59 /*
** CID 1568207: Integer handling issues (BAD_SHIFT)
/pathd/path_pcep_pcc.c: 139 in nbkey_map_del()
________________________________________________________________________________________________________
*** CID 1568207: Integer handling issues (BAD_SHIFT)
/pathd/path_pcep_pcc.c: 139 in nbkey_map_del()
133 const struct req_map_data *b);
134 static uint32_t req_map_hash(const struct req_map_data *e);
135
136 /* Data Structure Declarations */
137 DECLARE_HASH(plspid_map, struct plspid_map_data, mi, plspid_map_cmp,
138 plspid_map_hash);
>>> CID 1568207: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
139 DECLARE_HASH(nbkey_map, struct nbkey_map_data, mi, nbkey_map_cmp,
140 nbkey_map_hash);
141 DECLARE_HASH(req_map, struct req_map_data, mi, req_map_cmp, req_map_hash);
142
143 static inline int req_entry_compare(const struct req_entry *a,
144 const struct req_entry *b)
** CID 1568206: Integer handling issues (BAD_SHIFT)
/lib/event.c: 105 in cpu_records_del()
________________________________________________________________________________________________________
*** CID 1568206: Integer handling issues (BAD_SHIFT)
/lib/event.c: 105 in cpu_records_del()
99 static int cpu_record_hash_cmp(const struct cpu_event_history *a,
100 const struct cpu_event_history *b)
101 {
102 return numcmp((uintptr_t)a->func, (uintptr_t)b->func);
103 }
104
>>> CID 1568206: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
105 DECLARE_HASH(cpu_records, struct cpu_event_history, item, cpu_record_hash_cmp,
106 cpu_record_hash_key);
107
108 static struct cpu_event_history *cpu_records_get(struct event_loop *loop,
109 void (*func)(struct event *e),
110 const char *funcname)
** CID 1568205: Integer handling issues (BAD_SHIFT)
/bgpd/bgp_bmp.c: 197 in bmp_qhash_del()
________________________________________________________________________________________________________
*** CID 1568205: Integer handling issues (BAD_SHIFT)
/bgpd/bgp_bmp.c: 197 in bmp_qhash_del()
191 + PSIZE(e->rd.prefixlen),
192 key);
193
194 return key;
195 }
196
>>> CID 1568205: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
197 DECLARE_HASH(bmp_qhash, struct bmp_queue_entry, bhi,
198 bmp_qhash_cmp, bmp_qhash_hkey);
199
200 static int bmp_active_cmp(const struct bmp_active *a,
201 const struct bmp_active *b)
202 {
** CID 1568204: Integer handling issues (BAD_SHIFT)
/bgpd/bgp_bmp.c: 80 in bmp_bgph_const_next()
________________________________________________________________________________________________________
*** CID 1568204: Integer handling issues (BAD_SHIFT)
/bgpd/bgp_bmp.c: 80 in bmp_bgph_const_next()
74
75 static uint32_t bmp_bgp_hash(const struct bmp_bgp *e)
76 {
77 return jhash(&e->bgp, sizeof(e->bgp), 0x55aa5a5a);
78 }
79
>>> CID 1568204: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
80 DECLARE_HASH(bmp_bgph, struct bmp_bgp, bbi, bmp_bgp_cmp, bmp_bgp_hash);
81
82 struct bmp_bgph_head bmp_bgph;
83
84 static int bmp_bgp_peer_cmp(const struct bmp_bgp_peer *a,
85 const struct bmp_bgp_peer *b)
** CID 1568203: Integer handling issues (BAD_SHIFT)
/zebra/zebra_opaque.c: 54 in opq_regh_del()
________________________________________________________________________________________________________
*** CID 1568203: Integer handling issues (BAD_SHIFT)
/zebra/zebra_opaque.c: 54 in opq_regh_del()
48
49 /* Registration helper prototypes */
50 static uint32_t registration_hash(const struct opq_msg_reg *reg);
51 static int registration_compare(const struct opq_msg_reg *reg1,
52 const struct opq_msg_reg *reg2);
53
>>> CID 1568203: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
54 DECLARE_HASH(opq_regh, struct opq_msg_reg, item, registration_compare,
55 registration_hash);
56
57 static struct opq_regh_head opq_reg_hash;
58
59 /*
** CID 1568202: Integer handling issues (BAD_SHIFT)
/pathd/path_pcep_pcc.c: 137 in plspid_map_const_next()
________________________________________________________________________________________________________
*** CID 1568202: Integer handling issues (BAD_SHIFT)
/pathd/path_pcep_pcc.c: 137 in plspid_map_const_next()
131 static uint32_t nbkey_map_hash(const struct nbkey_map_data *e);
132 static int req_map_cmp(const struct req_map_data *a,
133 const struct req_map_data *b);
134 static uint32_t req_map_hash(const struct req_map_data *e);
135
136 /* Data Structure Declarations */
>>> CID 1568202: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
137 DECLARE_HASH(plspid_map, struct plspid_map_data, mi, plspid_map_cmp,
138 plspid_map_hash);
139 DECLARE_HASH(nbkey_map, struct nbkey_map_data, mi, nbkey_map_cmp,
140 nbkey_map_hash);
141 DECLARE_HASH(req_map, struct req_map_data, mi, req_map_cmp, req_map_hash);
142
** CID 1568201: Integer handling issues (BAD_SHIFT)
/lib/qobj.c: 32 in qobj_nodes_del()
________________________________________________________________________________________________________
*** CID 1568201: Integer handling issues (BAD_SHIFT)
/lib/qobj.c: 32 in qobj_nodes_del()
26 return -1;
27 if (na->nid > nb->nid)
28 return 1;
29 return 0;
30 }
31
>>> CID 1568201: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
32 DECLARE_HASH(qobj_nodes, struct qobj_node, nodehash,
33 qobj_cmp, qobj_hash);
34
35 static pthread_rwlock_t nodes_lock;
36 static struct qobj_nodes_head nodes = { };
37
** CID 1568200: Integer handling issues (BAD_SHIFT)
/staticd/static_zebra.c: 69 in static_nht_hash_del()
________________________________________________________________________________________________________
*** CID 1568200: Integer handling issues (BAD_SHIFT)
/staticd/static_zebra.c: 69 in static_nht_hash_del()
63 unsigned int key = 0;
64
65 key = prefix_hash_key(&nhtd->nh);
66 return jhash_2words(nhtd->nh_vrf_id, nhtd->safi, key);
67 }
68
>>> CID 1568200: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
69 DECLARE_HASH(static_nht_hash, struct static_nht_data, itm, static_nht_data_cmp,
70 static_nht_data_hash);
71
72 static struct static_nht_hash_head static_nht_hash[1];
73
74 /* Zebra structure to hold current status. */
** CID 1568199: Integer handling issues (BAD_SHIFT)
/pimd/pim6_mld.c: 249 in gm_subscribers_const_next()
________________________________________________________________________________________________________
*** CID 1568199: Integer handling issues (BAD_SHIFT)
/pimd/pim6_mld.c: 249 in gm_subscribers_const_next()
243
244 static uint32_t gm_subscriber_hash(const struct gm_subscriber *a)
245 {
246 return jhash(&a->addr, sizeof(a->addr), 0xd0e94ad4);
247 }
248
>>> CID 1568199: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
249 DECLARE_HASH(gm_subscribers, struct gm_subscriber, itm, gm_subscriber_cmp,
250 gm_subscriber_hash);
251
252 static struct gm_subscriber *gm_subscriber_findref(struct gm_if *gm_ifp,
253 pim_addr addr)
254 {
** CID 1568198: Integer handling issues (BAD_SHIFT)
/bgpd/bgp_bmp.c: 99 in bmp_peerh_const_next()
________________________________________________________________________________________________________
*** CID 1568198: Integer handling issues (BAD_SHIFT)
/bgpd/bgp_bmp.c: 99 in bmp_peerh_const_next()
93
94 static uint32_t bmp_bgp_peer_hash(const struct bmp_bgp_peer *e)
95 {
96 return e->peerid;
97 }
98
>>> CID 1568198: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
99 DECLARE_HASH(bmp_peerh, struct bmp_bgp_peer, bpi,
100 bmp_bgp_peer_cmp, bmp_bgp_peer_hash);
101
102 struct bmp_peerh_head bmp_peerh;
103
104 DECLARE_LIST(bmp_mirrorq, struct bmp_mirrorq, bmi);
** CID 1568197: Integer handling issues (BAD_SHIFT)
/lib/table.c: 28 in rn_hash_node_del()
________________________________________________________________________________________________________
*** CID 1568197: Integer handling issues (BAD_SHIFT)
/lib/table.c: 28 in rn_hash_node_del()
22 static int route_table_hash_cmp(const struct route_node *a,
23 const struct route_node *b)
24 {
25 return prefix_cmp(&a->p, &b->p);
26 }
27
>>> CID 1568197: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
28 DECLARE_HASH(rn_hash_node, struct route_node, nodehash, route_table_hash_cmp,
29 prefix_hash_key);
30 /*
31 * route_table_init_with_delegate
32 */
33 struct route_table *
** CID 1568196: Integer handling issues (BAD_SHIFT)
/lib/routemap.c: 49 in rmap_cmd_name_const_next()
________________________________________________________________________________________________________
*** CID 1568196: Integer handling issues (BAD_SHIFT)
/lib/routemap.c: 49 in rmap_cmd_name_const_next()
43
44 static uint32_t rmap_cmd_name_hash(const struct route_map_rule_cmd_proxy *item)
45 {
46 return jhash(item->cmd->str, strlen(item->cmd->str), 0xbfd69320);
47 }
48
>>> CID 1568196: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
49 DECLARE_HASH(rmap_cmd_name, struct route_map_rule_cmd_proxy, itm,
50 rmap_cmd_name_cmp, rmap_cmd_name_hash);
51
52 static struct rmap_cmd_name_head rmap_match_cmds[1] = {
53 INIT_HASH(rmap_match_cmds[0]),
54 };
** CID 1568195: Integer handling issues (BAD_SHIFT)
/bgpd/bgp_bmp.c: 99 in bmp_peerh_del()
________________________________________________________________________________________________________
*** CID 1568195: Integer handling issues (BAD_SHIFT)
/bgpd/bgp_bmp.c: 99 in bmp_peerh_del()
93
94 static uint32_t bmp_bgp_peer_hash(const struct bmp_bgp_peer *e)
95 {
96 return e->peerid;
97 }
98
>>> CID 1568195: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
99 DECLARE_HASH(bmp_peerh, struct bmp_bgp_peer, bpi,
100 bmp_bgp_peer_cmp, bmp_bgp_peer_hash);
101
102 struct bmp_peerh_head bmp_peerh;
103
104 DECLARE_LIST(bmp_mirrorq, struct bmp_mirrorq, bmi);
** CID 1568194: Integer handling issues (BAD_SHIFT)
/pimd/pim6_mld.c: 178 in gm_gsq_pends_const_next()
________________________________________________________________________________________________________
*** CID 1568194: Integer handling issues (BAD_SHIFT)
/pimd/pim6_mld.c: 178 in gm_gsq_pends_const_next()
172 {
173 uint32_t seed = a->s_bit ? 0x68f0eb5e : 0x156b7f19;
174
175 return jhash(&a->grp, sizeof(a->grp), seed);
176 }
177
>>> CID 1568194: Integer handling issues (BAD_SHIFT)
>>> In expression "1U << h->hh.tabshift", left shifting by more than 31 bits has undefined behavior. The shift amount, "h->hh.tabshift", is as much as 33.
178 DECLARE_HASH(gm_gsq_pends, struct gm_gsq_pending, itm, gm_gsq_pending_cmp,
179 gm_gsq_pending_hash);
180
181 /*
182 * interface -> (S,G)
183 */
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3Dd-cv_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTxPFOJgp-2FasSBLZ62ZByIszGD2cAVioTJJpXcLA-2FBVVKpHAcrbTzzVdDLe6CF4Rjy84EjOiYCMQQht-2BmWsjme4Ep6A3w0t3JISrhYw20xTAnyjkq0Ek5b24buddFoodDv4dh2yCJm1Udd7ll9WTYLTf5cshOFxsfASWAeGfaZhTiQ-3D-3D
More information about the dev
mailing list