[zebra 23134] bugs/inappropriate coding practice discovered by
interprocedural code analysis for version 0.95a of Zebra-2
BOYA SUN
boya.sun at case.edu
Wed May 14 13:47:36 PDT 2008
BUG#1
Category: 1
File Name: /zebra/zebra/rt_netlink.c
Function Name: kernel_read()
Buggy Code:
1471: sock = THREAD_FD (thread);
1472: ret = netlink_parse_info (netlink_information_fetch, &netlink);
1473: thread_add_read (master, kernel_read, NULL, netlink.sock);
1474:
1475: return 0;
Description: The source code of netlink_parse_info() shows that a return value of -1 signals an error. However, the return value (stored in ret) is never checked in the code above.
=====================================================================
BUG#2
Category: 1
File Name: /zebra/zebra/ipforward_proc.c
Function Name: ipforward_on()
Code:
68: ipforward_on (...) {
...
81: return ipforward ();
File Name: /zebra/zebra/zserv.c
Function Name: zebra_init()
Buggy Code:
1907: zebra_init(...) {
...
1913: ipforward_on();
Description: An error occurs if ipforward() returns -1. Thus, we infer from the first code fragment that an error occurs if ipforward_on() returns -1. However, the return value of ipforward_on() is not checked in the second code fragment.
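As an added illustration of the category 1 inference behind BUG#1 and BUG#2 (not part of the original report or of Zebra's code), the Python sketch below propagates the "returns -1 on error" convention through wrapper functions such as ipforward_on() and flags callers that discard the value. The C fragments it scans are constructed stand-ins, and the regex-based extraction is a toy, not the analysis the report used.

```python
import re

# Constructed C fragments modelled on the report's BUG#1 and BUG#2 call sites;
# they are not Zebra's real source.
SOURCES = {
    "netlink_parse_info": "int netlink_parse_info(void) {\n  if (recv_fail()) return -1;\n  return 0;\n}",
    "ipforward": "int ipforward(void) {\n  if (open_proc() < 0) return -1;\n  return 1;\n}",
    "ipforward_on": "int ipforward_on(void) {\n  return ipforward();\n}",
    "kernel_read": "int kernel_read(void) {\n  int ret;\n  ret = netlink_parse_info();\n  thread_add_read();\n  return 0;\n}",
    "zebra_init": "void zebra_init(void) {\n  ipforward_on();\n}",
    "safe_caller": "int safe_caller(void) {\n  if (ipforward_on() < 0) return -1;\n  return 0;\n}",
}

def returns_error_code(func, sources, seen=frozenset()):
    """True if func has 'return -1;' or forwards a callee's result that does."""
    # Following 'return callee();' is the interprocedural step that lets
    # ipforward_on() inherit the error convention of ipforward().
    body = sources.get(func)
    if body is None or func in seen:
        return False
    if re.search(r"\breturn\s+-1\s*;", body):
        return True
    forwarded = re.findall(r"\breturn\s+(\w+)\s*\(", body)
    return any(returns_error_code(c, sources, seen | {func}) for c in forwarded)

def find_unchecked_calls(sources):
    """(caller, callee) pairs whose error-signalling return value is ignored."""
    # Flags a bare call statement (BUG#2: ipforward_on();) and a value assigned
    # to a variable that is never referenced afterwards (BUG#1: ret = ...).
    findings = []
    for caller, body in sources.items():
        lines = body.splitlines()
        for i, line in enumerate(lines):
            for m in re.finditer(r"(?:(\w+)\s*=\s*)?\b(\w+)\s*\(", line):
                var, callee = m.group(1), m.group(2)
                if callee == caller or not returns_error_code(callee, sources):
                    continue
                discarded = line.strip().startswith(callee)
                assigned_unused = var is not None and not any(
                    re.search(r"\b%s\b" % re.escape(var), later) for later in lines[i + 1:])
                if discarded or assigned_unused:
                    findings.append((caller, callee))
    return findings

if __name__ == "__main__":
    for caller, callee in find_unchecked_calls(SOURCES):
        print("%s() ignores the error return of %s()" % (caller, callee))
```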
=====================================================================
BUG#3
Category: 2
File Name: /zebra/bgpd/bgp_routemap.c
Function Name: set_community()
Correct Code:
2937: buffer_putc (b, '\0');
2940: str = buffer_getstr (b);
2941: buffer_free (b);
2943: if (str)
2945: com = community_str2com (str);
2946: free (str);
2950: if (! com)
File Name: /zebra/bgpd/bgp_routemap.c
Function Name: bgp_show_community()
Buggy Code:
6096: buffer_putc (b, '\0');
6097:
6098: str = buffer_getstr (b);
6099: buffer_free (b);
6100:
6101: com = community_str2com (str);
6102: free (str);
6103: if (! com)
Description: The first code fragment shows that the argument passed to community_str2com() must not be NULL: str is tested before the call. In the second code fragment, the str returned by buffer_getstr() is passed to community_str2com() without that check.
=====================================================================
BUG#4
Category: 3
File Name: /zebra/ospfd/ospf_packet.c
Function Name: ospf_ls_ack_send_list()
Correct Code:
2755: op = ospf_packet_new (oi->ifp->mtu);
...
2757: /* Prepare OSPF common header. */
2758: ospf_make_header (OSPF_MSG_HELLO, oi, op->s);
...
3180: ospf_packet_add (oi, op);
...
3183: ospf_ism_write_on (oi->ospf);
File Name: /zebra/ospfd/ospf_packet.c
Function Name: ospf_packet_dup() / ospf_hello_send()
Buggy Code:
224: ospf_packet_dup(...) {
233: new = ospf_packet_new (stream_get_endp(op->s) + OSPF_AUTH_MD5_SIZE);
239: return new;
--------------------------------------------------------------------------------------------------------------------
2849: ospf_hello_send(...) {
...
2904: op_dup = ospf_packet_dup(op);
...
// missing call to ospf_make_header()
2908: ospf_packet_add(oi, op_dup);
2910: ospf_ism_write_on(oi->ospf);
Description: We found a potential rule requiring that ospf_make_header() be called to prepare the OSPF common header after each call to ospf_packet_new(), as the first code fragment shows. However, the second code fragment shows that ospf_make_header() is not called after ospf_packet_dup(), whose return value is the packet produced by ospf_packet_new().
=====================================================================
BUG#5
Category: 1
File Name: /zebra/bgpd/bgp_zebra.c
Function Name: bgp_interface_delete()
Buggy Code:
120: ifp = zebra_interface_state_read (s);
Description: The function zebra_interface_state_read() might return NULL. However, the above code does not check the output of the function.
BOYA SUN
Computer Science Division
Electrical Engineering & Computer Science Department
513 Olin Building
Case Western Reserve University
10900 Euclid Avenue
Cleveland, OH 44106
boya.sun at case.edu
2008-05-14