New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
scan-admin at coverity.com
Thu Jan 16 00:35:58 UTC 2025
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
7 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 7 of 7 defect(s)
** CID 1617729: API usage errors (PRINTF_ARGS)
________________________________________________________________________________________________________
*** CID 1617729: API usage errors (PRINTF_ARGS)
/lib/mgmt_be_client.c: 624 in mgmt_be_txn_cfg_prepare()
618 }
619 }
620
621 mgmt_be_send_cfgdata_create_reply(client_ctx, txn->txn_id,
622 error ? false : true, error ? err_buf : NULL);
623
>>> CID 1617729: API usage errors (PRINTF_ARGS)
>>> Length modifier "L" not applicable to conversion specifier in "%Lu".
624 debug_be_client("Avg-nb-edit-duration %Lu uSec, nb-prep-duration %lu (avg: %Lu) uSec, batch size %u",
625 client_ctx->avg_edit_nb_cfg_tm, prep_nb_cfg_tm,
626 client_ctx->avg_prep_nb_cfg_tm, (uint32_t)num_processed);
627
628 if (error)
629 mgmt_be_txn_cfg_abort(txn);
** CID 1617728: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1617728: Insecure data handling (TAINTED_SCALAR)
/zebra/dplane_fpm_nl.c: 726 in fpm_read()
720 * enqueue it to zebra for processing.
721 */
722 ctx = dplane_ctx_alloc();
723 dplane_ctx_route_init(ctx, DPLANE_OP_ROUTE_NOTIFY, NULL,
724 NULL);
725
>>> CID 1617728: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "hdr->rta_len" to "netlink_route_notify_read_ctx", which uses it as a loop boundary.
726 if (netlink_route_notify_read_ctx(hdr, 0, ctx) >= 0) {
727 /* In the FPM encoding, the vrfid is present */
728 ival = dplane_ctx_get_table(ctx);
729 dplane_ctx_set_vrf(ctx, ival);
730 dplane_ctx_set_table(ctx,
731 ZEBRA_ROUTE_TABLE_UNKNOWN);
** CID 1617727: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1617727: Null pointer dereferences (FORWARD_NULL)
/bgpd/bgp_vty.c: 6016 in no_neighbor_capability_enhe()
6010 argv[idx_peer]->arg);
6011 return CMD_WARNING_CONFIG_FAILED;
6012 }
6013
6014 ret = peer_flag_unset_vty(vty, argv[idx_peer]->arg, PEER_FLAG_CAPABILITY_ENHE);
6015
>>> CID 1617727: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "peer" to "bgp_capability_send", which dereferences it.
6016 bgp_capability_send(peer, AFI_IP, SAFI_UNICAST, CAPABILITY_CODE_ENHE,
6017 CAPABILITY_ACTION_UNSET);
6018
6019 return ret;
6020 }
6021
** CID 1617726: API usage errors (PRINTF_ARGS)
________________________________________________________________________________________________________
*** CID 1617726: API usage errors (PRINTF_ARGS)
/lib/mgmt_be_client.c: 791 in mgmt_be_txn_proc_cfgapply()
785 mgmt_be_batches_del(&txn->apply_cfgs, batch);
786 mgmt_be_batches_add_tail(&txn->cfg_batches, batch);
787 }
788
789 mgmt_be_send_apply_reply(client_ctx, txn->txn_id, true, NULL);
790
>>> CID 1617726: API usage errors (PRINTF_ARGS)
>>> Length modifier "L" not applicable to conversion specifier in "%Lu".
791 debug_be_client("Nb-apply-duration %lu (avg: %Lu) uSec", apply_nb_cfg_tm,
792 client_ctx->avg_apply_nb_cfg_tm);
793
794 return 0;
795 }
796
** CID 1617725: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1617725: Memory - illegal accesses (USE_AFTER_FREE)
/lib/northbound_notif.c: 670 in nb_notif_terminate()
664
665 EVENT_OFF(nb_notif_timer);
666
667 if (nb_notif_walk) {
668 nb_oper_cancel_walk(nb_notif_walk);
669 /* need to free the group that's in the walk */
>>> CID 1617725: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "nb_oper_walk_finish_arg" dereferences freed pointer "nb_notif_walk".
670 args = nb_oper_walk_finish_arg(nb_notif_walk);
671 if (args)
672 op_changes_group_free(args->group);
673 nb_notif_walk = NULL;
674 }
675
** CID 1617724: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1617724: Null pointer dereferences (FORWARD_NULL)
/bgpd/bgp_vty.c: 5988 in neighbor_capability_enhe()
5982 peer = peer_and_group_lookup_vty(vty, argv[idx_peer]->arg);
5983 if (peer && peer->conf_if)
5984 return CMD_SUCCESS;
5985
5986 ret = peer_flag_set_vty(vty, argv[idx_peer]->arg, PEER_FLAG_CAPABILITY_ENHE);
5987
>>> CID 1617724: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "peer" to "bgp_capability_send", which dereferences it.
5988 bgp_capability_send(peer, AFI_IP, SAFI_UNICAST, CAPABILITY_CODE_ENHE, CAPABILITY_ACTION_SET);
5989
5990 return ret;
5991 }
5992
5993 DEFUN (no_neighbor_capability_enhe,
** CID 1617723: (PRINTF_ARGS)
________________________________________________________________________________________________________
*** CID 1617723: (PRINTF_ARGS)
/mgmtd/mgmt_fe_adapter.c: 1669 in fe_adapter_handle_notify_select()
1663 // [ ] Keep a local tree to optimize sending selectors to BE?
1664 // [*] Or just KISS and fanout the original message to BEs?
1665 // mgmt_remove_add_notify_selectors(session->notify_xpaths, selectors);
1666 new = darr_append_nz(session->notify_xpaths, darr_len(selectors));
1667 memcpy(new, selectors, darr_len(selectors) * sizeof(*selectors));
1668 } else {
>>> CID 1617723: (PRINTF_ARGS)
>>> Length modifier "L" not applicable to conversion specifier in "%Lu".
1669 __log_err("Invalid msg from session-id: %Lu: no selectors present in non-replace msg",
1670 session->session_id);
1671 darr_free_free(selectors);
1672 selectors = NULL;
1673 goto done;
1674 }
/mgmtd/mgmt_fe_adapter.c: 1698 in fe_adapter_handle_notify_select()
1692 clients = mgmt_be_interested_clients("/", MGMT_BE_XPATH_SUBSCR_TYPE_OPER);
1693 } else {
1694 darr_foreach_p (selectors, sp)
1695 clients |= mgmt_be_interested_clients(*sp, MGMT_BE_XPATH_SUBSCR_TYPE_OPER);
1696 }
1697 if (!clients) {
>>> CID 1617723: (PRINTF_ARGS)
>>> Length modifier "L" not applicable to conversion specifier in "%Lu".
1698 __dbg("No backends provide oper for notify selectors: '%s' txn-id %Lu session-id: %Lu",
1699 selstr, session->txn_id, session->session_id);
1700 goto done;
1701 }
1702
1703 /* We don't use a transaction for this, just send the message */
/mgmtd/mgmt_fe_adapter.c: 1680 in fe_adapter_handle_notify_select()
1674 }
1675
1676
1677 if (session->notify_xpaths && DEBUG_MODE_CHECK(&mgmt_debug_fe, DEBUG_MODE_ALL)) {
1678 const char **sel = session->notify_xpaths;
1679 char *s = frrstr_join(sel, darr_len(sel), ", ");
>>> CID 1617723: (PRINTF_ARGS)
>>> Length modifier "L" not applicable to conversion specifier in "%Lu".
1680 __dbg("New NOTIF %d selectors '%s' (replace: %d) txn-id: %Lu for session-id: %Lu",
1681 darr_len(sel), s, msg->replace, session->cfg_txn_id, session->session_id);
1682 XFREE(MTYPE_TMP, s);
1683 }
1684
1685 /* Add the new selectors to the global tree */
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/freerangerouting-frr?tab=overview