Error: SHELLCHECK_WARNING: /usr/sbin/cbq:535:18: error: Argument mixes string and array. Use * or separate argument. [SC2145] # 533| ### Prefixed message # 534| cbq_message () { # 535|-> echo -e "**CBQ: $@" # 536| } # cbq_message # 537| Error: SHELLCHECK_WARNING: /usr/sbin/cbq:563:5: warning: Quote this to prevent word splitting. [SC2046] # 561| cbq_show () { # 562| for dev in `cbq_device_list`; do # 563|-> [ `tc qdisc show dev $dev| wc -l` -eq 0 ] && continue # 564| echo -e "### $dev: queueing disciplines\n" # 565| tc $1 qdisc show dev $dev; echo Error: SHELLCHECK_WARNING: /usr/sbin/cbq:567:5: warning: Quote this to prevent word splitting. [SC2046] # 565| tc $1 qdisc show dev $dev; echo # 566| # 567|-> [ `tc class show dev $dev| wc -l` -eq 0 ] && continue # 568| echo -e "### $dev: traffic classes\n" # 569| tc $1 class show dev $dev; echo Error: SHELLCHECK_WARNING: /usr/sbin/cbq:571:5: warning: Quote this to prevent word splitting. [SC2046] # 569| tc $1 class show dev $dev; echo # 570| # 571|-> [ `tc filter show dev $dev| wc -l` -eq 0 ] && continue # 572| echo -e "### $dev: filtering rules\n" # 573| tc $1 filter show dev $dev; echo Error: SHELLCHECK_WARNING: /usr/sbin/cbq:587:13: warning: Use -print0/-0 or -exec + to allow for non-alphanumeric filenames. [SC2038] # 585| # 586| ### Gather all DEVICE fields from $1/cbq-* # 587|-> DEVFIELDS=`find $1 -maxdepth 1 \( -type f -or -type l \) -name 'cbq-*' \ # 588| -not -name '*~' | xargs sed -n 's/#.*//; \ # 589| s/[[:space:]]//g; /^DEVICE=[^,]*,[^,]*\(,[^,]*\)\?/ \ Error: SHELLCHECK_WARNING: /usr/sbin/cbq:596:4: warning: Quote this to prevent word splitting. [SC2046] # 594| ### Check for different DEVICE fields for the same device # 595| DEVICES=`echo "$DEVFIELDS"| sed 's/,.*//'| sort -u` # 596|-> [ `echo "$DEVICES"| wc -l` -ne `echo "$DEVFIELDS"| wc -l` ] && # 597| cbq_failure "different DEVICE fields for single device!\n$DEVFIELDS" # 598| } # cbq_init Error: SHELLCHECK_WARNING: /usr/sbin/cbq:596:33: warning: Quote this to prevent word splitting. [SC2046] # 594| ### Check for different DEVICE fields for the same device # 595| DEVICES=`echo "$DEVFIELDS"| sed 's/,.*//'| sort -u` # 596|-> [ `echo "$DEVICES"| wc -l` -ne `echo "$DEVFIELDS"| wc -l` ] && # 597| cbq_failure "different DEVICE fields for single device!\n$DEVFIELDS" # 598| } # cbq_init Error: SHELLCHECK_WARNING: /usr/sbin/cbq:621:7: warning: Quote this to prevent word splitting. [SC2046] # 619| PRIO_REALM=$PRIO_REALM_DEFAULT # 620| # 621|-> eval `echo "$CFILE"| grep -E "^($CBQ_WORDS)="` # 622| # 623| ### Require RATE/WEIGHT Error: SHELLCHECK_WARNING: /usr/sbin/cbq:664:13: error: Argument mixes string and array. Use * or separate argument. [SC2145] # 662| ### echo-only version of "tc" command # 663| tc () { # 664|-> echo "$TC $@" # 665| } # tc # 666| Error: SHELLCHECK_WARNING: /usr/sbin/cbq:672:19: error: Argument mixes string and array. Use * or separate argument. [SC2145] # 670| ### Logging version of "ip" command # 671| ip () { # 672|-> echo -e "\n# ip $@" >> $CBQ_DEBUG # 673| $IP "$@" 2>&1 | tee -a $CBQ_DEBUG # 674| } # ip Error: SHELLCHECK_WARNING: /usr/sbin/cbq:678:19: error: Argument mixes string and array. Use * or separate argument. [SC2145] # 676| ### Logging version of "tc" command # 677| tc () { # 678|-> echo -e "\n# tc $@" >> $CBQ_DEBUG # 679| $TC "$@" 2>&1 | tee -a $CBQ_DEBUG # 680| } # tc Error: SHELLCHECK_WARNING: /usr/sbin/cbq:714:5: warning: Quote this to prevent word splitting. [SC2046] # 712| [ "$2" = "invalidate" -o ! -f $CBQ_CACHE ] && VALID=0 # 713| if [ $VALID -eq 1 ]; then # 714|-> [ `find $CBQ_PATH -maxdepth 1 -newer $CBQ_CACHE| \ # 715| wc -l` -gt 0 ] && VALID=0 # 716| fi Error: SHELLCHECK_WARNING: /usr/sbin/ifcfg:134:6: warning: Quote this to prevent word splitting. [SC2046] # 132| ip route add unreachable 224.0.0.0/24 >& /dev/null # 133| ip route add unreachable 255.255.255.255 >& /dev/null # 134|-> if [ `ip link ls $dev | grep -c MULTICAST` -ge 1 ]; then # 135| ip route add 224.0.0.0/4 dev $dev scope global >& /dev/null # 136| fi Error: SHELLCHECK_WARNING: /usr/sbin/routel:19:9: warning: To assign a variable, use just 'var=value', no 'set ..'. [SC2121] # 17| ip route list table "$@" | # 18| while read network rest # 19|-> do set xx $rest # 20| shift # 21| proto="" Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/cbq.init-v0.7.3:535:18: error: Argument mixes string and array. Use * or separate argument. [SC2145] # 533| ### Prefixed message # 534| cbq_message () { # 535|-> echo -e "**CBQ: $@" # 536| } # cbq_message # 537| Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/cbq.init-v0.7.3:563:5: warning: Quote this to prevent word splitting. [SC2046] # 561| cbq_show () { # 562| for dev in `cbq_device_list`; do # 563|-> [ `tc qdisc show dev $dev| wc -l` -eq 0 ] && continue # 564| echo -e "### $dev: queueing disciplines\n" # 565| tc $1 qdisc show dev $dev; echo Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/cbq.init-v0.7.3:567:5: warning: Quote this to prevent word splitting. [SC2046] # 565| tc $1 qdisc show dev $dev; echo # 566| # 567|-> [ `tc class show dev $dev| wc -l` -eq 0 ] && continue # 568| echo -e "### $dev: traffic classes\n" # 569| tc $1 class show dev $dev; echo Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/cbq.init-v0.7.3:571:5: warning: Quote this to prevent word splitting. [SC2046] # 569| tc $1 class show dev $dev; echo # 570| # 571|-> [ `tc filter show dev $dev| wc -l` -eq 0 ] && continue # 572| echo -e "### $dev: filtering rules\n" # 573| tc $1 filter show dev $dev; echo Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/cbq.init-v0.7.3:587:13: warning: Use -print0/-0 or -exec + to allow for non-alphanumeric filenames. [SC2038] # 585| # 586| ### Gather all DEVICE fields from $1/cbq-* # 587|-> DEVFIELDS=`find $1 -maxdepth 1 \( -type f -or -type l \) -name 'cbq-*' \ # 588| -not -name '*~' | xargs sed -n 's/#.*//; \ # 589| s/[[:space:]]//g; /^DEVICE=[^,]*,[^,]*\(,[^,]*\)\?/ \ Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/cbq.init-v0.7.3:596:4: warning: Quote this to prevent word splitting. [SC2046] # 594| ### Check for different DEVICE fields for the same device # 595| DEVICES=`echo "$DEVFIELDS"| sed 's/,.*//'| sort -u` # 596|-> [ `echo "$DEVICES"| wc -l` -ne `echo "$DEVFIELDS"| wc -l` ] && # 597| cbq_failure "different DEVICE fields for single device!\n$DEVFIELDS" # 598| } # cbq_init Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/cbq.init-v0.7.3:596:33: warning: Quote this to prevent word splitting. [SC2046] # 594| ### Check for different DEVICE fields for the same device # 595| DEVICES=`echo "$DEVFIELDS"| sed 's/,.*//'| sort -u` # 596|-> [ `echo "$DEVICES"| wc -l` -ne `echo "$DEVFIELDS"| wc -l` ] && # 597| cbq_failure "different DEVICE fields for single device!\n$DEVFIELDS" # 598| } # cbq_init Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/cbq.init-v0.7.3:621:7: warning: Quote this to prevent word splitting. [SC2046] # 619| PRIO_REALM=$PRIO_REALM_DEFAULT # 620| # 621|-> eval `echo "$CFILE"| grep -E "^($CBQ_WORDS)="` # 622| # 623| ### Require RATE/WEIGHT Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/cbq.init-v0.7.3:664:13: error: Argument mixes string and array. Use * or separate argument. [SC2145] # 662| ### echo-only version of "tc" command # 663| tc () { # 664|-> echo "$TC $@" # 665| } # tc # 666| Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/cbq.init-v0.7.3:672:19: error: Argument mixes string and array. Use * or separate argument. [SC2145] # 670| ### Logging version of "ip" command # 671| ip () { # 672|-> echo -e "\n# ip $@" >> $CBQ_DEBUG # 673| $IP "$@" 2>&1 | tee -a $CBQ_DEBUG # 674| } # ip Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/cbq.init-v0.7.3:678:19: error: Argument mixes string and array. Use * or separate argument. [SC2145] # 676| ### Logging version of "tc" command # 677| tc () { # 678|-> echo -e "\n# tc $@" >> $CBQ_DEBUG # 679| $TC "$@" 2>&1 | tee -a $CBQ_DEBUG # 680| } # tc Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/cbq.init-v0.7.3:714:5: warning: Quote this to prevent word splitting. [SC2046] # 712| [ "$2" = "invalidate" -o ! -f $CBQ_CACHE ] && VALID=0 # 713| if [ $VALID -eq 1 ]; then # 714|-> [ `find $CBQ_PATH -maxdepth 1 -newer $CBQ_CACHE| \ # 715| wc -l` -gt 0 ] && VALID=0 # 716| fi Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/cbqinit.eth1:4:1: warning: IP appears unused. Verify it or export it. [SC2034] # 2| # 3| TC=/home/root/tc # 4|-> IP=/home/root/ip # 5| DEVICE=eth1 # 6| BANDWIDTH="bandwidth 10Mbit" Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:19:17: warning: Use "$@" (with quotes) to prevent whitespace problems. [SC2048] # 17| exec >> /var/log/DHS.log 2>&1 # 18| # 19|-> echo dhc-script $* reason=$reason # 20| set | grep "^\(old_\|new_\|check_\)" # 21| Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:19:27: warning: reason is referenced but not assigned. [SC2154] # 17| exec >> /var/log/DHS.log 2>&1 # 18| # 19|-> echo dhc-script $* reason=$reason # 20| set | grep "^\(old_\|new_\|check_\)" # 21| Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:23:14: warning: Use "$@" (with quotes) to prevent whitespace problems. [SC2048] # 21| # 22| LOG () { # 23|-> echo LOG $* ; # 24| } # 25| Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:34:11: error: Can only return 0-255. Other data should be written to stdout. [SC2152] # 32| while [ $l -le 7 ]; do # 33| if [ $[ ( 1 << $l ) + $1 ] -eq 256 ]; then # 34|-> return $[ 8 - $l ] # 35| fi # 36| l=$[ $l + 1 ] Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:71:9: error: Can only return 0-255. Other data should be written to stdout. [SC2152] # 69| esac # 70| Mask8ToLen $mask8 # 71|-> return $[ $? + $masklen ] # 72| } # 73| Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:131:19: warning: Use "$@" (with quotes) to prevent whitespace problems. [SC2048] # 129| local addrid=$1 # 130| # 131|-> LOG DelINETAddr $* # 132| # 133| if [ "$5" ]; then Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:152:19: warning: Use "$@" (with quotes) to prevent whitespace problems. [SC2048] # 150| local addrid=$1 # 151| # 152|-> LOG AddINETAddr $* # 153| # 154| if [ "$5" ]; then Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:175:28: warning: Use "$@" (with quotes) to prevent whitespace problems. [SC2048] # 173| # 174| if [ "$1" ]; then # 175|-> LOG AddDefaultRoutes $* # 176| for router in $1; do # 177| LOG route add default gw $router Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:190:28: warning: Use "$@" (with quotes) to prevent whitespace problems. [SC2048] # 188| # 189| if [ "$1" ]; then # 190|-> LOG DelDefaultRoutes $* # 191| # 192| for router in $1; do Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:203:18: warning: Use "$@" (with quotes) to prevent whitespace problems. [SC2048] # 201| # # 202| PingNode() { # 203|-> LOG PingNode $* # 204| if ping -q -c 1 -w 2 $1 ; then # 205| return 0; Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:218:25: warning: Use "$@" (with quotes) to prevent whitespace problems. [SC2048] # 216| local succeed=1 # 217| # 218|-> LOG CheckRouterList $* # 219| # 220| for router in $1; do Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:241:27: warning: Use "$@" (with quotes) to prevent whitespace problems. [SC2048] # 239| local masklen # 240| # 241|-> LOG X-StaticRouteList $* # 242| # 243| if [ "$lst" ]; then Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:246:28: warning: Quote this to prevent word splitting. [SC2046] # 244| set $lst # 245| while [ $# -gt 1 ]; do # 246|-> route $op -net $1 netmask `ABCMask "$1"` gw $2 # 247| shift; shift; # 248| done Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:256:28: warning: Use "$@" (with quotes) to prevent whitespace problems. [SC2048] # 254| # # 255| AddStaticRouteList() { # 256|-> LOG AddStaticRouteList $* # 257| X-StaticRouteList add "$1" # 258| } Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:264:28: warning: Use "$@" (with quotes) to prevent whitespace problems. [SC2048] # 262| # # 263| DelStaticRouteList() { # 264|-> LOG DelStaticRouteList $* # 265| X-StaticRouteList del "$1" # 266| } Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:299:1: warning: UpdateDNS references arguments, but none are ever passed. [SC2120] # 297| # The script mangles it, only if it has dhcp magic signature. # 298| # # 299|-> UpdateDNS() { # 300| local nameserver # 301| local idstring="#### Generated by DHCPCD" Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:303:19: warning: Use "$@" (with quotes) to prevent whitespace problems. [SC2048] # 301| local idstring="#### Generated by DHCPCD" # 302| # 303|-> LOG UpdateDNS $* # 304| # 305| if [ "$new_domain_name" = "" -a "$new_domain_name_servers" = "" ]; then Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:305:11: warning: new_domain_name is referenced but not assigned. [SC2154] # 303| LOG UpdateDNS $* # 304| # 305|-> if [ "$new_domain_name" = "" -a "$new_domain_name_servers" = "" ]; then # 306| return 0; # 307| fi Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:305:38: warning: new_domain_name_servers is referenced but not assigned. [SC2154] # 303| LOG UpdateDNS $* # 304| # 305|-> if [ "$new_domain_name" = "" -a "$new_domain_name_servers" = "" ]; then # 306| return 0; # 307| fi Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:327:8: warning: old_domain_name is referenced but not assigned. [SC2154] # 325| return 0 # 326| fi # 327|-> if [ "$old_domain_name" = "$new_domain_name" -a # 328| "$new_domain_name_servers" = "$old_domain_name_servers" ]; then # 329| return 0 Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:327:48: error: When breaking lines in [ ], you need \ before the linefeed. [SC1080] # 325| return 0 # 326| fi # 327|-> if [ "$old_domain_name" = "$new_domain_name" -a # 328| "$new_domain_name_servers" = "$old_domain_name_servers" ]; then # 329| return 0 Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:328:37: warning: old_domain_name_servers is referenced but not assigned. [SC2154] # 326| fi # 327| if [ "$old_domain_name" = "$new_domain_name" -a # 328|-> "$new_domain_name_servers" = "$old_domain_name_servers" ]; then # 329| return 0 # 330| fi Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:345:12: warning: interface is referenced but not assigned. [SC2154] # 343| # 344| PREINIT) # 345|-> ifconfig $interface:dhcp down # 346| ifconfig $interface:dhcp1 down # 347| if [ -d /proc/sys/net/ipv4/conf/$interface ]; then Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:363:24: warning: check_ip_address is referenced but not assigned. [SC2154] # 361| # 362| ARPCHECK) # 363|-> if DAD "$interface" "$check_ip_address" ; then # 364| exit 0 # 365| fi Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:370:9: warning: old_ip_address is referenced but not assigned. [SC2154] # 368| # 369| BOUND|RENEW|REBIND|REBOOT) # 370|-> if [ "$old_ip_address" -a "$alias_ip_address" -a \ # 371| "$alias_ip_address" != "$old_ip_address" ]; then # 372| DelINETAddr "$interface" "$alias_ip_address" "$alias_subnet_mask" "$alias_broadcast_address" dhcp1 Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:370:30: warning: alias_ip_address is referenced but not assigned. [SC2154] # 368| # 369| BOUND|RENEW|REBIND|REBOOT) # 370|-> if [ "$old_ip_address" -a "$alias_ip_address" -a \ # 371| "$alias_ip_address" != "$old_ip_address" ]; then # 372| DelINETAddr "$interface" "$alias_ip_address" "$alias_subnet_mask" "$alias_broadcast_address" dhcp1 Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:372:51: warning: alias_subnet_mask is referenced but not assigned. [SC2154] # 370| if [ "$old_ip_address" -a "$alias_ip_address" -a \ # 371| "$alias_ip_address" != "$old_ip_address" ]; then # 372|-> DelINETAddr "$interface" "$alias_ip_address" "$alias_subnet_mask" "$alias_broadcast_address" dhcp1 # 373| fi # 374| if [ "$old_ip_address" -a "$old_ip_address" != "$new_ip_address" ]; then Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:372:72: warning: alias_broadcast_address is referenced but not assigned. [SC2154] # 370| if [ "$old_ip_address" -a "$alias_ip_address" -a \ # 371| "$alias_ip_address" != "$old_ip_address" ]; then # 372|-> DelINETAddr "$interface" "$alias_ip_address" "$alias_subnet_mask" "$alias_broadcast_address" dhcp1 # 373| fi # 374| if [ "$old_ip_address" -a "$old_ip_address" != "$new_ip_address" ]; then Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:374:51: warning: new_ip_address is referenced but not assigned. [SC2154] # 372| DelINETAddr "$interface" "$alias_ip_address" "$alias_subnet_mask" "$alias_broadcast_address" dhcp1 # 373| fi # 374|-> if [ "$old_ip_address" -a "$old_ip_address" != "$new_ip_address" ]; then # 375| DelINETAddr "$interface" "$old_ip_address" "$old_subnet_mask" "$old_broadcast_address" dhcp # 376| DelDefaultRoutes "$old_routers" Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:375:49: warning: old_subnet_mask is referenced but not assigned. [SC2154] # 373| fi # 374| if [ "$old_ip_address" -a "$old_ip_address" != "$new_ip_address" ]; then # 375|-> DelINETAddr "$interface" "$old_ip_address" "$old_subnet_mask" "$old_broadcast_address" dhcp # 376| DelDefaultRoutes "$old_routers" # 377| DelStaticRouteList "$old_static_routes" Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:375:68: warning: old_broadcast_address is referenced but not assigned. [SC2154] # 373| fi # 374| if [ "$old_ip_address" -a "$old_ip_address" != "$new_ip_address" ]; then # 375|-> DelINETAddr "$interface" "$old_ip_address" "$old_subnet_mask" "$old_broadcast_address" dhcp # 376| DelDefaultRoutes "$old_routers" # 377| DelStaticRouteList "$old_static_routes" Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:376:23: warning: old_routers is referenced but not assigned. [SC2154] # 374| if [ "$old_ip_address" -a "$old_ip_address" != "$new_ip_address" ]; then # 375| DelINETAddr "$interface" "$old_ip_address" "$old_subnet_mask" "$old_broadcast_address" dhcp # 376|-> DelDefaultRoutes "$old_routers" # 377| DelStaticRouteList "$old_static_routes" # 378| fi Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:377:25: warning: old_static_routes is referenced but not assigned. [SC2154] # 375| DelINETAddr "$interface" "$old_ip_address" "$old_subnet_mask" "$old_broadcast_address" dhcp # 376| DelDefaultRoutes "$old_routers" # 377|-> DelStaticRouteList "$old_static_routes" # 378| fi # 379| if [ "$old_ip_address" = "" -o "$old_ip_address" != "$new_ip_address" -o \ Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:381:49: warning: new_subnet_mask is referenced but not assigned. [SC2154] # 379| if [ "$old_ip_address" = "" -o "$old_ip_address" != "$new_ip_address" -o \ # 380| "$reason" = "BOUND" -o "$reason" = "REBOOT" ]; then # 381|-> AddINETAddr "$interface" "$new_ip_address" "$new_subnet_mask" "$new_broadcast_address" dhcp # 382| AddStaticRouteList "$new_static_routes" # 383| AddDefaultRoutes "$new_routers" Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:381:68: warning: new_broadcast_address is referenced but not assigned. [SC2154] # 379| if [ "$old_ip_address" = "" -o "$old_ip_address" != "$new_ip_address" -o \ # 380| "$reason" = "BOUND" -o "$reason" = "REBOOT" ]; then # 381|-> AddINETAddr "$interface" "$new_ip_address" "$new_subnet_mask" "$new_broadcast_address" dhcp # 382| AddStaticRouteList "$new_static_routes" # 383| AddDefaultRoutes "$new_routers" Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:382:25: warning: new_static_routes is referenced but not assigned. [SC2154] # 380| "$reason" = "BOUND" -o "$reason" = "REBOOT" ]; then # 381| AddINETAddr "$interface" "$new_ip_address" "$new_subnet_mask" "$new_broadcast_address" dhcp # 382|-> AddStaticRouteList "$new_static_routes" # 383| AddDefaultRoutes "$new_routers" # 384| UnsolicitedARP "$interface" "$new_ip_address" Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/dhcp-client-script:383:23: warning: new_routers is referenced but not assigned. [SC2154] # 381| AddINETAddr "$interface" "$new_ip_address" "$new_subnet_mask" "$new_broadcast_address" dhcp # 382| AddStaticRouteList "$new_static_routes" # 383|-> AddDefaultRoutes "$new_routers" # 384| UnsolicitedARP "$interface" "$new_ip_address" # 385| fi Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/gaiconf:14:1: warning: 'function' keyword is non-standard. Delete it. [SC2112] # 12| debug= # 13| # 14|-> function run () # 15| { # 16| if [ x"$verbose" != x"" ]; then Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/gaiconf:24:1: warning: 'function' keyword is non-standard. Delete it. [SC2112] # 22| } # 23| # 24|-> function do_load_config () # 25| { # 26| file=$1; shift Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/gaiconf:39:1: warning: 'function' keyword is non-standard. Delete it. [SC2112] # 37| } # 38| # 39|-> function do_list_config () # 40| { # 41| ${IP} -6 addrlabel list | while read p pfx l lbl; do Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/gaiconf:41:39: warning: p appears unused. Verify it or export it. [SC2034] # 39| function do_list_config () # 40| { # 41|-> ${IP} -6 addrlabel list | while read p pfx l lbl; do # 42| echo label ${pfx} ${lbl} # 43| done Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/gaiconf:41:45: warning: l appears unused. Verify it or export it. [SC2034] # 39| function do_list_config () # 40| { # 41|-> ${IP} -6 addrlabel list | while read p pfx l lbl; do # 42| echo label ${pfx} ${lbl} # 43| done Error: SHELLCHECK_WARNING: /usr/share/doc/iproute-doc-4.11.0/examples/gaiconf:46:1: warning: 'function' keyword is non-standard. Delete it. [SC2112] # 44| } # 45| # 46|-> function help () # 47| { # 48| echo "Usage: $0 [-v] {--list | --config [ ${DEFAULT_GAICONF} ] | --default}" Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:358:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:358:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 356| { # 357| struct nlattr *tb[DEVLINK_ATTR_MAX + 1] = {}; # 358|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 359| struct dl *dl = data; # 360| struct ifname_map *ifname_map; Error: CPPCHECK_WARNING (CWE-456): iproute-4.11.0-0.el7/devlink/devlink.c:529: error[uninitvar]: Uninitialized variable: handlestr # 527| uint32_t *p_port_index) # 528| { # 529|-> char *handlestr = handlestr; # 530| char *portstr = portstr; # 531| int err; Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:529:2: warning: Assigned value is garbage or undefined # char *handlestr = handlestr; # ^ iproute-4.11.0-0.el7/devlink/devlink.c:565:6: note: Assuming 'str' is non-null # if (!str) { # ^~~~ iproute-4.11.0-0.el7/devlink/devlink.c:565:2: note: Taking false branch # if (!str) { # ^ iproute-4.11.0-0.el7/devlink/devlink.c:570:2: note: Control jumps to 'case 2:' at line 574 # switch (slash_count) { # ^ iproute-4.11.0-0.el7/devlink/devlink.c:575:10: note: Calling '__dl_argv_handle_port' # return __dl_argv_handle_port(str, p_bus_name, # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:529:2: note: Assigned value is garbage or undefined # char *handlestr = handlestr; # ^ ~~~~~~~~~ # 527| uint32_t *p_port_index) # 528| { # 529|-> char *handlestr = handlestr; # 530| char *portstr = portstr; # 531| int err; Error: CPPCHECK_WARNING (CWE-456): iproute-4.11.0-0.el7/devlink/devlink.c:530: error[uninitvar]: Uninitialized variable: portstr # 528| { # 529| char *handlestr = handlestr; # 530|-> char *portstr = portstr; # 531| int err; # 532| Error: CPPCHECK_WARNING (CWE-456): iproute-4.11.0-0.el7/devlink/devlink.c:782: error[uninitvar]: Uninitialized variable: handle_bit # 780| # 781| if (o_required & DL_OPT_HANDLE && o_required & DL_OPT_HANDLEP) { # 782|-> uint32_t handle_bit = handle_bit; # 783| # 784| err = dl_argv_handle_both(dl, &opts->bus_name, &opts->dev_name, Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:1476:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:1476:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 1474| struct dl *dl = data; # 1475| struct nlattr *tb[DEVLINK_ATTR_MAX + 1] = {}; # 1476|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 1477| # 1478| mnl_attr_parse(nlh, sizeof(*genl), attr_cb, tb); Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:1547:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:1547:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 1545| struct dl *dl = data; # 1546| struct nlattr *tb[DEVLINK_ATTR_MAX + 1] = {}; # 1547|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 1548| # 1549| mnl_attr_parse(nlh, sizeof(*genl), attr_cb, tb); Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:1649:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:1649:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 1647| struct dl *dl = data; # 1648| struct nlattr *tb[DEVLINK_ATTR_MAX + 1] = {}; # 1649|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 1650| # 1651| mnl_attr_parse(nlh, sizeof(*genl), attr_cb, tb); Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:1792:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:1792:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 1790| struct dl *dl = data; # 1791| struct nlattr *tb[DEVLINK_ATTR_MAX + 1] = {}; # 1792|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 1793| # 1794| mnl_attr_parse(nlh, sizeof(*genl), attr_cb, tb); Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:1867:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:1867:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 1865| struct dl *dl = data; # 1866| struct nlattr *tb[DEVLINK_ATTR_MAX + 1] = {}; # 1867|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 1868| # 1869| mnl_attr_parse(nlh, sizeof(*genl), attr_cb, tb); Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:1952:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:1952:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 1950| struct dl *dl = data; # 1951| struct nlattr *tb[DEVLINK_ATTR_MAX + 1] = {}; # 1952|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 1953| # 1954| mnl_attr_parse(nlh, sizeof(*genl), attr_cb, tb); Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:2054:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:2054:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 2052| struct dl *dl = data; # 2053| struct nlattr *tb[DEVLINK_ATTR_MAX + 1] = {}; # 2054|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 2055| # 2056| mnl_attr_parse(nlh, sizeof(*genl), attr_cb, tb); Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:2344:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:2344:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 2342| struct occ_show *occ_show = data; # 2343| struct nlattr *tb[DEVLINK_ATTR_MAX + 1] = {}; # 2344|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 2345| # 2346| mnl_attr_parse(nlh, sizeof(*genl), attr_cb, tb); Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:2395:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:2395:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 2393| struct occ_show *occ_show = data; # 2394| struct nlattr *tb[DEVLINK_ATTR_MAX + 1] = {}; # 2395|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 2396| # 2397| mnl_attr_parse(nlh, sizeof(*genl), attr_cb, tb); Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:2684:19: warning: Call to 'calloc' has an allocation size of 0 bytes # header->fields = calloc(fields_count, sizeof(struct dpipe_field)); # ^ iproute-4.11.0-0.el7/devlink/devlink.c:2946:6: note: Assuming 'err' is equal to 1 # if (err != MNL_CB_OK) # ^~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:2946:2: note: Taking false branch # if (err != MNL_CB_OK) # ^ iproute-4.11.0-0.el7/devlink/devlink.c:2949:6: note: Left side of '||' is false # if (!nla_header[DEVLINK_ATTR_DPIPE_HEADER_NAME] || # ^ iproute-4.11.0-0.el7/devlink/devlink.c:2949:6: note: Left side of '||' is false iproute-4.11.0-0.el7/devlink/devlink.c:2949:2: note: Taking false branch # if (!nla_header[DEVLINK_ATTR_DPIPE_HEADER_NAME] || # ^ iproute-4.11.0-0.el7/devlink/devlink.c:2954:17: note: Calling 'dpipe_header_field_count_get' # fields_count = dpipe_header_field_count_get(nla_header[DEVLINK_ATTR_DPIPE_HEADER_FIELDS]); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:2929:2: note: 'count' initialized to 0 # unsigned int count = 0; # ^~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:2931:2: note: Loop condition is false. Execution continues on line 2933 # mnl_attr_for_each_nested(nla_field, nla_fields) # ^ /usr/include/libmnl/libmnl.h:155:2: note: expanded from macro 'mnl_attr_for_each_nested' # for ((attr) = mnl_attr_get_payload(nest); \ # ^ iproute-4.11.0-0.el7/devlink/devlink.c:2933:2: note: Returning zero (loaded from 'count') # return count; # ^~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:2954:17: note: Returning from 'dpipe_header_field_count_get' # fields_count = dpipe_header_field_count_get(nla_header[DEVLINK_ATTR_DPIPE_HEADER_FIELDS]); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:2954:2: note: The value 0 is assigned to 'fields_count' # fields_count = dpipe_header_field_count_get(nla_header[DEVLINK_ATTR_DPIPE_HEADER_FIELDS]); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:2955:30: note: Passing the value 0 via 1st parameter 'fields_count' # header = dpipe_header_alloc(fields_count); # ^~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:2955:11: note: Calling 'dpipe_header_alloc' # header = dpipe_header_alloc(fields_count); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:2682:6: note: Assuming 'header' is non-null # if (!header) # ^~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:2682:2: note: Taking false branch # if (!header) # ^ iproute-4.11.0-0.el7/devlink/devlink.c:2684:19: note: Call to 'calloc' has an allocation size of 0 bytes # header->fields = calloc(fields_count, sizeof(struct dpipe_field)); # ^ ~~~~~~~~~~~~ # 2682| if (!header) # 2683| return NULL; # 2684|-> header->fields = calloc(fields_count, sizeof(struct dpipe_field)); # 2685| if (!header->fields) # 2686| goto err_fields_alloc; Error: CPPCHECK_WARNING (CWE-456): iproute-4.11.0-0.el7/devlink/devlink.c:2917: error[uninitvar]: Uninitialized variable: nla_field # 2915| int err; # 2916| # 2917|-> mnl_attr_for_each_nested(nla_field, nla_fields) { # 2918| err = dpipe_header_field_get(nla_field, &fields[count]); # 2919| if (err) Error: CPPCHECK_WARNING (CWE-456): iproute-4.11.0-0.el7/devlink/devlink.c:2983: error[uninitvar]: Uninitialized variable: nla_header # 2981| int err; # 2982| # 2983|-> mnl_attr_for_each_nested(nla_header, nla_headers) { # 2984| err = dpipe_header_get(ctx, nla_header); # 2985| if (err) Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:2995:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:2995:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 2993| struct dpipe_ctx *ctx = data; # 2994| struct nlattr *tb[DEVLINK_ATTR_MAX + 1] = {}; # 2995|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 2996| int err; # 2997| Error: CPPCHECK_WARNING (CWE-456): iproute-4.11.0-0.el7/devlink/devlink.c:3120: error[uninitvar]: Uninitialized variable: nla_action # 3118| struct nlattr *nla_action; # 3119| # 3120|-> mnl_attr_for_each_nested(nla_action, nla_actions) { # 3121| pr_out_entry_start(ctx->dl); # 3122| if (dpipe_action_show(ctx, nla_action)) Error: CPPCHECK_WARNING (CWE-456): iproute-4.11.0-0.el7/devlink/devlink.c:3193: error[uninitvar]: Uninitialized variable: nla_match # 3191| struct nlattr *nla_match; # 3192| # 3193|-> mnl_attr_for_each_nested(nla_match, nla_matches) { # 3194| pr_out_entry_start(ctx->dl); # 3195| if (dpipe_match_show(ctx, nla_match)) Error: CPPCHECK_WARNING (CWE-456): iproute-4.11.0-0.el7/devlink/devlink.c:3258: error[uninitvar]: Uninitialized variable: nla_table # 3256| struct nlattr *nla_table; # 3257| # 3258|-> mnl_attr_for_each_nested(nla_table, nla_tables) { # 3259| pr_out_handle_start_arr(ctx->dl, tb); # 3260| if (dpipe_table_show(ctx, nla_table)) Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:3275:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:3275:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 3273| struct dpipe_ctx *ctx = data; # 3274| struct nlattr *tb[DEVLINK_ATTR_MAX + 1] = {}; # 3275|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 3276| # 3277| mnl_attr_parse(nlh, sizeof(*genl), attr_cb, tb); Error: CPPCHECK_WARNING (CWE-456): iproute-4.11.0-0.el7/devlink/devlink.c:3439: error[uninitvar]: Uninitialized variable: nla_action_value # 3437| struct nlattr *nla_action_value; # 3438| # 3439|-> mnl_attr_for_each_nested(nla_action_value, nla_action_values) { # 3440| if (dpipe_entry_action_value_show(ctx, nla_action_value)) # 3441| return -EINVAL; Error: CPPCHECK_WARNING (CWE-456): iproute-4.11.0-0.el7/devlink/devlink.c:3452: error[uninitvar]: Uninitialized variable: nla_match_value # 3450| struct nlattr *nla_match_value; # 3451| # 3452|-> mnl_attr_for_each_nested(nla_match_value, nla_match_values) { # 3453| if (dpipe_entry_match_value_show(ctx, nla_match_value)) # 3454| return -EINVAL; Error: CPPCHECK_WARNING (CWE-456): iproute-4.11.0-0.el7/devlink/devlink.c:3508: error[uninitvar]: Uninitialized variable: nla_entry # 3506| struct nlattr *nla_entry; # 3507| # 3508|-> mnl_attr_for_each_nested(nla_entry, nla_entries) { # 3509| pr_out_handle_start_arr(ctx->dl, tb); # 3510| if (dpipe_entry_show(ctx, nla_entry)) Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/devlink.c:3525:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/devlink.c:3525:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 3523| struct dpipe_ctx *ctx = data; # 3524| struct nlattr *tb[DEVLINK_ATTR_MAX + 1] = {}; # 3525|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 3526| # 3527| mnl_attr_parse(nlh, sizeof(*genl), attr_cb, tb); Error: CPPCHECK_WARNING (CWE-456): iproute-4.11.0-0.el7/devlink/mnlg.c:113: error[uninitvar]: Uninitialized variable: pos # 111| const char *name; # 112| # 113|-> mnl_attr_for_each_nested(pos, nested) { # 114| struct nlattr *tb[CTRL_ATTR_MCAST_GRP_MAX + 1] = {}; # 115| Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/mnlg.c:149:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/mnlg.c:149:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 147| struct group_info *group_info = data; # 148| struct nlattr *tb[CTRL_ATTR_MAX + 1] = {}; # 149|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 150| # 151| mnl_attr_parse(nlh, sizeof(*genl), get_group_id_attr_cb, tb); Error: CLANG_WARNING: iproute-4.11.0-0.el7/devlink/mnlg.c:210:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/devlink/mnlg.c:210:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 208| uint32_t *p_id = data; # 209| struct nlattr *tb[CTRL_ATTR_MAX + 1] = {}; # 210|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 211| # 212| mnl_attr_parse(nlh, sizeof(*genl), get_family_id_attr_cb, tb); Error: CHECKED_RETURN (CWE-252): iproute-4.11.0-0.el7/genl/ctrl.c:359: check_return: Calling "rtnl_dump_filter_nc" without checking return value (as is done elsewhere 44 out of 46 times). iproute-4.11.0-0.el7/bridge/fdb.c:383: example_checked: Example 1: "rtnl_dump_filter_nc(&rth, print_fdb, stdout, 0)" has its value checked in "rtnl_dump_filter_nc(&rth, print_fdb, stdout, 0) < 0". iproute-4.11.0-0.el7/bridge/link.c:462: example_checked: Example 2: "rtnl_dump_filter_nc(&rth, print_linkinfo, stdout, 0)" has its value checked in "rtnl_dump_filter_nc(&rth, print_linkinfo, stdout, 0) < 0". iproute-4.11.0-0.el7/bridge/mdb.c:223: example_checked: Example 3: "rtnl_dump_filter_nc(&rth, print_mdb, stdout, 0)" has its value checked in "rtnl_dump_filter_nc(&rth, print_mdb, stdout, 0) < 0". iproute-4.11.0-0.el7/bridge/vlan.c:459: example_checked: Example 4: "rtnl_dump_filter_nc(&rth, print_vlan_stats, stdout, 0)" has its value checked in "rtnl_dump_filter_nc(&rth, print_vlan_stats, stdout, 0) < 0". iproute-4.11.0-0.el7/ip/ipaddress.c:1737: example_checked: Example 5: "rtnl_dump_filter_nc(&rth, store_nlmsg, &ainfo, 0)" has its value checked in "rtnl_dump_filter_nc(&rth, store_nlmsg, &ainfo, 0) < 0". # 357| } # 358| # 359|-> rtnl_dump_filter(&rth, print_ctrl2, stdout); # 360| # 361| } Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/genl/genl.c:68: alloc_fn: Storage is returned from allocation function "dlopen". iproute-4.11.0-0.el7/genl/genl.c:68: var_assign: Assigning: "dlh" = storage returned from "dlopen(buf, 1)". iproute-4.11.0-0.el7/genl/genl.c:80: noescape: Resource "dlh" is not freed or pointed-to in "dlsym". iproute-4.11.0-0.el7/genl/genl.c:86: leaked_storage: Variable "dlh" going out of scope leaks the storage it points to. # 84| f->next = genl_list; # 85| genl_list = f; # 86|-> return f; # 87| # 88| noexist: Error: TAINTED_STRING (CWE-20): iproute-4.11.0-0.el7/genl/genl.c:137: tainted_string: Passing tainted string "argv[1]" to "get_genl_kind", which cannot accept tainted data. iproute-4.11.0-0.el7/genl/genl.c:67:2: vararg_transitive: Call to "snprintf" with tainted argument "str" taints "buf". iproute-4.11.0-0.el7/genl/genl.c:68:2: tainted_string_sink_content_lv_call: Passing tainted string "buf" to "dlopen", which depends on its content. # 135| int ret; # 136| struct genl_util *a = NULL; # 137|-> a = get_genl_kind(argv[1]); # 138| if (!a) { # 139| fprintf(stderr,"bad genl %s\n", argv[1]); Error: STRING_OVERFLOW (CWE-120): iproute-4.11.0-0.el7/ip/ipaddress.c:183: fixed_size_dest: You might overrun the 16-character fixed-size string "ifr.ifr_ifrn.ifrn_name" by copying the return value of "rta_getattr_str" without checking the length. # 181| return; # 182| # 183|-> strcpy(ifr.ifr_name, rta_getattr_str(tb[IFLA_IFNAME])); # 184| if (ioctl(s, SIOCGIFTXQLEN, &ifr) < 0) { # 185| fprintf(f, "ioctl(SIOCGIFTXQLEN) failed: %s\n", strerror(errno)); Error: OVERRUN (CWE-119): iproute-4.11.0-0.el7/ip/ipaddress.c:1228: alias: Assigning: "n" = "&ainfo->h". "n" now points to element 0 of "ainfo->h" (which consists of 1 16-byte elements). iproute-4.11.0-0.el7/ip/ipaddress.c:1229: alias: Assigning: "ifa" = "(char *)n + 16". "ifa" now points to element 2 of "ainfo->h" (which consists of 2 8-byte elements). iproute-4.11.0-0.el7/ip/ipaddress.c:1237: overrun-local: Overrunning array of 2 8-byte elements at element index 2 (byte offset 16) by dereferencing pointer "ifa". # 1235| return -1; # 1236| # 1237|-> if (ifa->ifa_index != ifi->ifi_index || # 1238| (filter.family && filter.family != ifa->ifa_family)) # 1239| continue; Error: OVERRUN (CWE-119): iproute-4.11.0-0.el7/ip/ipaddress.c:1392: alias: Assigning: "ifi" = "(char *)&l->h + 16". "ifi" now points to element 1 of "l->h" (which consists of 1 16-byte elements). iproute-4.11.0-0.el7/ip/ipaddress.c:1401: overrun-local: Overrunning array of 1 16-byte elements at element index 1 (byte offset 16) by dereferencing pointer "ifi". # 1399| unsigned int ifa_flags; # 1400| # 1401|-> if (ifa->ifa_index != ifi->ifi_index) # 1402| continue; # 1403| missing_net_address = 0; Error: OVERRUN (CWE-119): iproute-4.11.0-0.el7/ip/ipaddress.c:1396: alias: Assigning: "n" = "&a->h". "n" now points to element 0 of "a->h" (which consists of 1 16-byte elements). iproute-4.11.0-0.el7/ip/ipaddress.c:1397: alias: Assigning: "ifa" = "(char *)n + 16". "ifa" now points to element 2 of "a->h" (which consists of 2 8-byte elements). iproute-4.11.0-0.el7/ip/ipaddress.c:1401: overrun-local: Overrunning array of 2 8-byte elements at element index 2 (byte offset 16) by dereferencing pointer "ifa". # 1399| unsigned int ifa_flags; # 1400| # 1401|-> if (ifa->ifa_index != ifi->ifi_index) # 1402| continue; # 1403| missing_net_address = 0; Error: CLANG_WARNING: iproute-4.11.0-0.el7/ip/ipaddress.c:1505:1: warning: Address of stack memory associated with local variable 'flushb' is still referred to by the global variable 'filter' upon returning to the caller. This will be a dangling reference #} #^ iproute-4.11.0-0.el7/ip/ipaddress.c:1463:10: note: Assuming 'max_flush_loops' is not equal to 0 # while ((max_flush_loops == 0) || (round < max_flush_loops)) { # ^~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/ip/ipaddress.c:1463:9: note: Left side of '||' is false # while ((max_flush_loops == 0) || (round < max_flush_loops)) { # ^ iproute-4.11.0-0.el7/ip/ipaddress.c:1463:36: note: Assuming 'round' is >= 'max_flush_loops' # while ((max_flush_loops == 0) || (round < max_flush_loops)) { # ^~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/ip/ipaddress.c:1463:2: note: Loop condition is false. Execution continues on line 1502 # while ((max_flush_loops == 0) || (round < max_flush_loops)) { # ^ iproute-4.11.0-0.el7/ip/ipaddress.c:1505:1: note: Address of stack memory associated with local variable 'flushb' is still referred to by the global variable 'filter' upon returning to the caller. This will be a dangling reference #} #^ # 1503| fflush(stderr); # 1504| return 1; # 1505|-> } # 1506| # 1507| static int iplink_filter_req(struct nlmsghdr *nlh, int reqlen) Error: UNINIT (CWE-457): iproute-4.11.0-0.el7/ip/ipaddress.c:1879: var_decl: Declaring variable "lcl" without initializer. iproute-4.11.0-0.el7/ip/ipaddress.c:2014: uninit_use: Using uninitialized value "lcl.bitlen". # 2012| } # 2013| if (req.ifa.ifa_prefixlen == 0) # 2014|-> req.ifa.ifa_prefixlen = lcl.bitlen; # 2015| # 2016| if (brd_len < 0 && cmd != RTM_DELADDR) { Error: UNINIT (CWE-457): iproute-4.11.0-0.el7/ip/ipaddress.c:1879: var_decl: Declaring variable "lcl" without initializer. iproute-4.11.0-0.el7/ip/ipaddress.c:2062: uninit_use_in_call: Using uninitialized value "lcl.family" when calling "ipaddr_is_multicast". iproute-4.11.0-0.el7/ip/ipaddress.c:1854:2: read_parm_fld: Reading a parameter field. # 2060| } # 2061| # 2062|-> if ((ifa_flags & IFA_F_MCAUTOJOIN) && !ipaddr_is_multicast(&lcl)) { # 2063| fprintf(stderr, "autojoin needs multicast address\n"); # 2064| return -1; Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/ip/iplink.c:149: alloc_fn: Storage is returned from allocation function "dlopen". iproute-4.11.0-0.el7/ip/iplink.c:149: var_assign: Assigning: "dlh" = storage returned from "dlopen(buf, 1)". iproute-4.11.0-0.el7/ip/iplink.c:161: noescape: Resource "dlh" is not freed or pointed-to in "dlsym". iproute-4.11.0-0.el7/ip/iplink.c:163: leaked_storage: Variable "dlh" going out of scope leaks the storage it points to. # 161| l = dlsym(dlh, buf); # 162| if (l == NULL) # 163|-> return NULL; # 164| # 165| l->next = linkutil_list; Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/ip/iplink.c:149: alloc_fn: Storage is returned from allocation function "dlopen". iproute-4.11.0-0.el7/ip/iplink.c:149: var_assign: Assigning: "dlh" = storage returned from "dlopen(buf, 1)". iproute-4.11.0-0.el7/ip/iplink.c:161: noescape: Resource "dlh" is not freed or pointed-to in "dlsym". iproute-4.11.0-0.el7/ip/iplink.c:167: leaked_storage: Variable "dlh" going out of scope leaks the storage it points to. # 165| l->next = linkutil_list; # 166| linkutil_list = l; # 167|-> return l; # 168| } # 169| Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/iplink.c:1077: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 1075| int err; # 1076| # 1077|-> strncpy(ifr.ifr_name, dev, IFNAMSIZ); # 1078| fd = get_ctl_fd(); # 1079| if (fd < 0) Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/iplink.c:1104: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 1102| int err; # 1103| # 1104|-> strncpy(ifr.ifr_name, dev, IFNAMSIZ); # 1105| strncpy(ifr.ifr_newname, newdev, IFNAMSIZ); # 1106| fd = get_ctl_fd(); Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/iplink.c:1105: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifru.ifru_newname" of size 16 bytes might leave the destination string unterminated. # 1103| # 1104| strncpy(ifr.ifr_name, dev, IFNAMSIZ); # 1105|-> strncpy(ifr.ifr_newname, newdev, IFNAMSIZ); # 1106| fd = get_ctl_fd(); # 1107| if (fd < 0) Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/iplink.c:1128: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 1126| return -1; # 1127| # 1128|-> strncpy(ifr.ifr_name, dev, IFNAMSIZ); # 1129| if (ioctl(s, SIOCSIFTXQLEN, &ifr) < 0) { # 1130| perror("SIOCSIFXQLEN"); Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/iplink.c:1148: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 1146| return -1; # 1147| # 1148|-> strncpy(ifr.ifr_name, dev, IFNAMSIZ); # 1149| if (ioctl(s, SIOCSIFMTU, &ifr) < 0) { # 1150| perror("SIOCSIFMTU"); Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/iplink.c:1175: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 1173| } # 1174| # 1175|-> strncpy(ifr.ifr_name, dev, IFNAMSIZ); # 1176| if (ioctl(s, SIOCGIFINDEX, &ifr) < 0) { # 1177| perror("SIOCGIFINDEX"); Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/iplink.c:1206: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr->ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 1204| # 1205| memset(ifr, 0, sizeof(*ifr)); # 1206|-> strncpy(ifr->ifr_name, dev, IFNAMSIZ); # 1207| ifr->ifr_hwaddr.sa_family = hatype; # 1208| alen = ll_addr_a2n(ifr->ifr_hwaddr.sa_data, 14, lla); Error: OVERRUN (CWE-119): iproute-4.11.0-0.el7/ip/iplink_can.c:268: cond_at_most: Checking "state <= CAN_STATE_MAX" implies that "state" may be up to 6 on the true branch. iproute-4.11.0-0.el7/ip/iplink_can.c:268: overrun-local: Overrunning array "can_state_names" of 6 8-byte elements at element index 6 (byte offset 48) using index "state" (which evaluates to 6). # 266| uint32_t state = rta_getattr_u32(tb[IFLA_CAN_STATE]); # 267| # 268|-> fprintf(f, "state %s ", state <= CAN_STATE_MAX ? # 269| can_state_names[state] : "UNKNOWN"); # 270| } Error: CLANG_WARNING: iproute-4.11.0-0.el7/ip/iplink_vrf.c:216:9: warning: Use of memory after it is freed # return ifi->ifi_index; # ^~~~~~~~~~~~~~ iproute-4.11.0-0.el7/ip/iplink_vrf.c:191:2: note: Taking false branch # if (rtnl_talk_suppress_rtnl_errmsg(&rth, &req.n, &answer) < 0) # ^ iproute-4.11.0-0.el7/ip/iplink_vrf.c:196:2: note: Taking false branch # if (len < 0) { # ^ iproute-4.11.0-0.el7/ip/iplink_vrf.c:203:2: note: Taking true branch # if (!tb[IFLA_LINKINFO]) # ^ iproute-4.11.0-0.el7/ip/iplink_vrf.c:204:3: note: Control jumps to line 215 # goto out; # ^ iproute-4.11.0-0.el7/ip/iplink_vrf.c:215:2: note: Memory is released # free(answer); # ^~~~~~~~~~~~ iproute-4.11.0-0.el7/ip/iplink_vrf.c:216:9: note: Use of memory after it is freed # return ifi->ifi_index; # ^~~~~~~~~~~~~~ # 214| out: # 215| free(answer); # 216|-> return ifi->ifi_index; # 217| } Error: UNINIT (CWE-457): iproute-4.11.0-0.el7/ip/ipmaddr.c:139: var_decl: Declaring variable "len" without initializer. iproute-4.11.0-0.el7/ip/ipmaddr.c:149: uninit_use_in_call: Using uninitialized value "len" when calling "strncmp". # 147| } # 148| # 149|-> if (filter.dev && strncmp(filter.dev, m.name, len)) # 150| continue; # 151| Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/ipmaddr.c:287: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 285| if (ifr.ifr_name[0]) # 286| duparg("dev", *argv); # 287|-> strncpy(ifr.ifr_name, *argv, IFNAMSIZ); # 288| } else { # 289| if (matches(*argv, "address") == 0) { Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/ip/ipnetns.c:439: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] iproute-4.11.0-0.el7/ip/ipnetns.c:439: var_assign: Assigning: "netns" = handle returned from "open(net_path, 0)". iproute-4.11.0-0.el7/ip/ipnetns.c:445: noescape: Resource "netns" is not freed or pointed-to in "fstat". [Note: The source code implementation of the function has been overridden by a builtin model.] iproute-4.11.0-0.el7/ip/ipnetns.c:448: leaked_handle: Handle variable "netns" going out of scope leaks the handle. # 446| fprintf(stderr, "Stat of netns failed: %s\n", # 447| strerror(errno)); # 448|-> return -1; # 449| } # 450| dir = opendir("/proc/"); Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/ip/ipnetns.c:439: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] iproute-4.11.0-0.el7/ip/ipnetns.c:439: var_assign: Assigning: "netns" = handle returned from "open(net_path, 0)". iproute-4.11.0-0.el7/ip/ipnetns.c:445: noescape: Resource "netns" is not freed or pointed-to in "fstat". [Note: The source code implementation of the function has been overridden by a builtin model.] iproute-4.11.0-0.el7/ip/ipnetns.c:454: leaked_handle: Handle variable "netns" going out of scope leaks the handle. # 452| fprintf(stderr, "Open of /proc failed: %s\n", # 453| strerror(errno)); # 454|-> return -1; # 455| } # 456| while ((entry = readdir(dir))) { Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/ip/ipnetns.c:439: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] iproute-4.11.0-0.el7/ip/ipnetns.c:439: var_assign: Assigning: "netns" = handle returned from "open(net_path, 0)". iproute-4.11.0-0.el7/ip/ipnetns.c:445: noescape: Resource "netns" is not freed or pointed-to in "fstat". [Note: The source code implementation of the function has been overridden by a builtin model.] iproute-4.11.0-0.el7/ip/ipnetns.c:472: leaked_handle: Handle variable "netns" going out of scope leaks the handle. # 470| } # 471| closedir(dir); # 472|-> return 0; # 473| # 474| } Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/ip/ipnetns.c:487: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] iproute-4.11.0-0.el7/ip/ipnetns.c:487: var_assign: Assigning: "netns" = handle returned from "open(net_path, 0)". iproute-4.11.0-0.el7/ip/ipnetns.c:493: noescape: Resource "netns" is not freed or pointed-to in "fstat". [Note: The source code implementation of the function has been overridden by a builtin model.] iproute-4.11.0-0.el7/ip/ipnetns.c:496: leaked_handle: Handle variable "netns" going out of scope leaks the handle. # 494| fprintf(stderr, "Stat of netns failed: %s\n", # 495| strerror(errno)); # 496|-> return -1; # 497| } # 498| dir = opendir(NETNS_RUN_DIR); Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/ip/ipnetns.c:487: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] iproute-4.11.0-0.el7/ip/ipnetns.c:487: var_assign: Assigning: "netns" = handle returned from "open(net_path, 0)". iproute-4.11.0-0.el7/ip/ipnetns.c:493: noescape: Resource "netns" is not freed or pointed-to in "fstat". [Note: The source code implementation of the function has been overridden by a builtin model.] iproute-4.11.0-0.el7/ip/ipnetns.c:502: leaked_handle: Handle variable "netns" going out of scope leaks the handle. # 500| /* Succeed treat a missing directory as an empty directory */ # 501| if (errno == ENOENT) # 502|-> return 0; # 503| # 504| fprintf(stderr, "Failed to open directory %s:%s\n", Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/ip/ipnetns.c:487: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] iproute-4.11.0-0.el7/ip/ipnetns.c:487: var_assign: Assigning: "netns" = handle returned from "open(net_path, 0)". iproute-4.11.0-0.el7/ip/ipnetns.c:493: noescape: Resource "netns" is not freed or pointed-to in "fstat". [Note: The source code implementation of the function has been overridden by a builtin model.] iproute-4.11.0-0.el7/ip/ipnetns.c:506: leaked_handle: Handle variable "netns" going out of scope leaks the handle. # 504| fprintf(stderr, "Failed to open directory %s:%s\n", # 505| NETNS_RUN_DIR, strerror(errno)); # 506|-> return -1; # 507| } # 508| Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/ip/ipnetns.c:487: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] iproute-4.11.0-0.el7/ip/ipnetns.c:487: var_assign: Assigning: "netns" = handle returned from "open(net_path, 0)". iproute-4.11.0-0.el7/ip/ipnetns.c:493: noescape: Resource "netns" is not freed or pointed-to in "fstat". [Note: The source code implementation of the function has been overridden by a builtin model.] iproute-4.11.0-0.el7/ip/ipnetns.c:531: leaked_handle: Handle variable "netns" going out of scope leaks the handle. # 529| } # 530| closedir(dir); # 531|-> return 0; # 532| # 533| } Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/ip/ipnetns.c:723: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] iproute-4.11.0-0.el7/ip/ipnetns.c:723: var_assign: Assigning: "netns" = handle returned from "open(netns_path, 524288)". iproute-4.11.0-0.el7/ip/ipnetns.c:730: leaked_handle: Handle variable "netns" going out of scope leaks the handle. # 728| } # 729| # 730|-> return set_netnsid_from_name(name, nsid); # 731| } # 732| Error: STRING_NULL (CWE-170): iproute-4.11.0-0.el7/ip/ipnetns.c:755: string_null_argument: Function "read" does not terminate string "*buf". [Note: The source code implementation of the function has been overridden by a builtin model.] iproute-4.11.0-0.el7/ip/ipnetns.c:762: var_assign_var: Assigning: "event" = "(struct inotify_event *)buf". Both now point to the same unterminated string. iproute-4.11.0-0.el7/ip/ipnetns.c:762: var_assign_var: Assigning: "event" = "(struct inotify_event *)buf". Both now point to the same unterminated string. iproute-4.11.0-0.el7/ip/ipnetns.c:764: var_assign_var: Assigning: "event" = "(struct inotify_event *)((char *)event + 16UL + event->len)". Both now point to the same unterminated string. iproute-4.11.0-0.el7/ip/ipnetns.c:766: string_null: Passing unterminated string "event->name" to "printf". # 764| event = (struct inotify_event *)((char *)event + sizeof(*event) + event->len)) { # 765| if (event->mask & IN_CREATE) # 766|-> printf("add %s\n", event->name); # 767| if (event->mask & IN_DELETE) # 768| printf("delete %s\n", event->name); Error: STRING_NULL (CWE-170): iproute-4.11.0-0.el7/ip/ipnetns.c:755: string_null_argument: Function "read" does not terminate string "*buf". [Note: The source code implementation of the function has been overridden by a builtin model.] iproute-4.11.0-0.el7/ip/ipnetns.c:762: var_assign_var: Assigning: "event" = "(struct inotify_event *)buf". Both now point to the same unterminated string. iproute-4.11.0-0.el7/ip/ipnetns.c:762: var_assign_var: Assigning: "event" = "(struct inotify_event *)buf". Both now point to the same unterminated string. iproute-4.11.0-0.el7/ip/ipnetns.c:764: var_assign_var: Assigning: "event" = "(struct inotify_event *)((char *)event + 16UL + event->len)". Both now point to the same unterminated string. iproute-4.11.0-0.el7/ip/ipnetns.c:768: string_null: Passing unterminated string "event->name" to "printf". # 766| printf("add %s\n", event->name); # 767| if (event->mask & IN_DELETE) # 768|-> printf("delete %s\n", event->name); # 769| } # 770| } Error: REVERSE_INULL (CWE-476): iproute-4.11.0-0.el7/ip/ipntable.c:82: deref_ptr: Directly dereferencing pointer "parms_rta". iproute-4.11.0-0.el7/ip/ipntable.c:205: check_after_deref: Null-checking "parms_rta" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. # 203| invarg("\"queue\" value is invalid", *argv); # 204| # 205|-> if (!parms_rta) # 206| parms_rta = (struct rtattr *)&parms_buf; # 207| rta_addattr32(parms_rta, sizeof(parms_buf), Error: DEADCODE (CWE-561): iproute-4.11.0-0.el7/ip/ipntable.c:79: addr_non_null: The address of an object "parms_buf" is never null. iproute-4.11.0-0.el7/ip/ipntable.c:79: assignment: Assigning: "parms_rta" = "(struct rtattr *)parms_buf". iproute-4.11.0-0.el7/ip/ipntable.c:205: notnull: At condition "parms_rta", the value of "parms_rta" cannot be "NULL". iproute-4.11.0-0.el7/ip/ipntable.c:205: dead_error_condition: The condition "!parms_rta" cannot be true. iproute-4.11.0-0.el7/ip/ipntable.c:206: dead_error_line: Execution cannot reach this statement: "parms_rta = (struct rtattr ...". # 204| # 205| if (!parms_rta) # 206|-> parms_rta = (struct rtattr *)&parms_buf; # 207| rta_addattr32(parms_rta, sizeof(parms_buf), # 208| NDTPA_QUEUE_LEN, queue); Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/ipntable.c:636: buffer_size_warning: Calling strncpy with a maximum size argument of 1024 bytes on destination array "filter.name" of size 1024 bytes might leave the destination string unterminated. # 634| NEXT_ARG(); # 635| # 636|-> strncpy(filter.name, *argv, sizeof(filter.name)); # 637| } else # 638| invarg("unknown", *argv); Error: DEADCODE (CWE-561): iproute-4.11.0-0.el7/ip/iproute.c:621: assignment: Assigning: "first" = "0". iproute-4.11.0-0.el7/ip/iproute.c:631: const: At condition "first", the value of "first" must be equal to 0. iproute-4.11.0-0.el7/ip/iproute.c:631: dead_error_condition: The condition "first" cannot be true. iproute-4.11.0-0.el7/ip/iproute.c:632: dead_error_line: Execution cannot reach this statement: "fprintf(fp, "Oifs: ");". iproute-4.11.0-0.el7/ip/iproute.c:632: effectively_constant: Local variable "first" is assigned only once, to a constant value, making it effectively constant throughout its scope. If this is not the intent, examine the logic to see if there is a missing assignment that would make "first" not remain constant. # 630| if (r->rtm_flags&RTM_F_CLONED && r->rtm_type == RTN_MULTICAST) { # 631| if (first) # 632|-> fprintf(fp, "Oifs: "); # 633| else # 634| fprintf(fp, " "); Error: CHECKED_RETURN (CWE-252): iproute-4.11.0-0.el7/ip/iproute.c:1470: check_return: Calling "get_unsigned" without checking return value (as is done elsewhere 81 out of 84 times). iproute-4.11.0-0.el7/bridge/fdb.c:78: example_checked: Example 1: "get_unsigned(s, arg, 0)" has its value checked in "get_unsigned(s, arg, 0)". iproute-4.11.0-0.el7/ip/ip.c:267: example_checked: Example 2: "get_unsigned(&size, argv[1], 0)" has its value checked in "get_unsigned(&size, argv[1], 0)". iproute-4.11.0-0.el7/ip/iplink.c:282: example_checked: Example 3: "get_unsigned(&ivvip->vlan, *argv, 0)" has its value checked in "get_unsigned(&ivvip->vlan, *argv, 0)". iproute-4.11.0-0.el7/ip/iplink_geneve.c:86: example_checked: Example 4: "get_unsigned(&uval, *argv, 0)" has its value checked in "get_unsigned(&uval, *argv, 0)". iproute-4.11.0-0.el7/ip/iplink_vxlan.c:149: example_checked: Example 5: "get_unsigned(&uval, *argv, 0)" has its value checked in "get_unsigned(&uval, *argv, 0)". # 1468| } else if (strcmp(*argv, "mark") == 0) { # 1469| NEXT_ARG(); # 1470|-> get_unsigned(&mark, *argv, 0); # 1471| filter.markmask = -1; # 1472| } else if (strcmp(*argv, "via") == 0) { Error: CHECKED_RETURN (CWE-252): iproute-4.11.0-0.el7/ip/iproute.c:1687: check_return: Calling "get_unsigned" without checking return value (as is done elsewhere 81 out of 84 times). iproute-4.11.0-0.el7/bridge/fdb.c:78: example_checked: Example 1: "get_unsigned(s, arg, 0)" has its value checked in "get_unsigned(s, arg, 0)". iproute-4.11.0-0.el7/ip/ip.c:267: example_checked: Example 2: "get_unsigned(&size, argv[1], 0)" has its value checked in "get_unsigned(&size, argv[1], 0)". iproute-4.11.0-0.el7/ip/iplink.c:282: example_checked: Example 3: "get_unsigned(&ivvip->vlan, *argv, 0)" has its value checked in "get_unsigned(&ivvip->vlan, *argv, 0)". iproute-4.11.0-0.el7/ip/iplink_geneve.c:86: example_checked: Example 4: "get_unsigned(&uval, *argv, 0)" has its value checked in "get_unsigned(&uval, *argv, 0)". iproute-4.11.0-0.el7/ip/iplink_vxlan.c:149: example_checked: Example 5: "get_unsigned(&uval, *argv, 0)" has its value checked in "get_unsigned(&uval, *argv, 0)". # 1685| } else if (matches(*argv, "mark") == 0) { # 1686| NEXT_ARG(); # 1687|-> get_unsigned(&mark, *argv, 0); # 1688| } else if (matches(*argv, "oif") == 0 || # 1689| strcmp(*argv, "dev") == 0) { Error: NO_EFFECT (CWE-398): iproute-4.11.0-0.el7/ip/iproute_lwtunnel.c:350: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "csum_mode < 0". # 348| # 349| csum_mode = ila_csum_name2mode(*argv); # 350|-> if (csum_mode < 0) # 351| invarg("\"csum-mode\" value is invalid\n", # 352| *argv); Error: NEGATIVE_RETURNS (CWE-394): iproute-4.11.0-0.el7/ip/iproute_lwtunnel.c:467: negative_return_fn: Function "bpf_parse_common(bpf_type, &cfg, &bpf_cb_ops, &x)" returns a negative number. iproute-4.11.0-0.el7/lib/bpf.c:827:2: negative_return: Calling "bpf_parse_opt_tbl", which might return a negative value. iproute-4.11.0-0.el7/lib/bpf.c:797:2: var_tested_neg: Variable "ret" is negative. iproute-4.11.0-0.el7/lib/bpf.c:798:3: return_negative_variable: Explicitly returning negative variable "ret". iproute-4.11.0-0.el7/lib/bpf.c:827:2: return_negative_fn: Returning the return value of "bpf_parse_opt_tbl", which might be negative. iproute-4.11.0-0.el7/ip/iproute_lwtunnel.c:467: var_assign: Assigning: signed variable "err" = "bpf_parse_common". iproute-4.11.0-0.el7/ip/iproute_lwtunnel.c:469: negative_returns: "err" is passed to a parameter that cannot be negative. # 467| err = bpf_parse_common(bpf_type, &cfg, &bpf_cb_ops, &x); # 468| if (err < 0) { # 469|-> fprintf(stderr, "Failed to parse eBPF program: %s\n", # 470| strerror(err)); # 471| return -1; Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/iprule.c:475: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "filter.iif" of size 16 bytes might leave the destination string unterminated. # 473| strcmp(*argv, "iif") == 0) { # 474| NEXT_ARG(); # 475|-> strncpy(filter.iif, *argv, IFNAMSIZ); # 476| filter.iifmask = 1; # 477| } else if (strcmp(*argv, "oif") == 0) { Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/iprule.c:479: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "filter.oif" of size 16 bytes might leave the destination string unterminated. # 477| } else if (strcmp(*argv, "oif") == 0) { # 478| NEXT_ARG(); # 479|-> strncpy(filter.oif, *argv, IFNAMSIZ); # 480| filter.oifmask = 1; # 481| } else if (strcmp(*argv, "l3mdev") == 0) { Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/iptuntap.c:187: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr->ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 185| if (ifr->ifr_name[0]) # 186| duparg2("name", *argv); # 187|-> strncpy(ifr->ifr_name, *argv, IFNAMSIZ); # 188| } # 189| count++; Error: CPPCHECK_WARNING (CWE-843): iproute-4.11.0-0.el7/ip/iptuntap.c:304: error[deallocret]: Returning/dereferencing 'comm' after it is deallocated / released # 302| perror("fclose"); # 303| # 304|-> return comm; # 305| } # 306| Error: NEGATIVE_RETURNS (CWE-394): iproute-4.11.0-0.el7/ip/ipvrf.c:263: negative_return_fn: Function "open(path, 65536)" returns a negative number. [Note: The source code implementation of the function has been overridden by a user model.] iproute-4.11.0-0.el7/ip/ipvrf.c:263: var_assign: Assigning: signed variable "cg_fd" = "open". iproute-4.11.0-0.el7/ip/ipvrf.c:295: negative_returns: "cg_fd" is passed to a parameter that cannot be negative. # 293| rc = 0; # 294| out: # 295|-> close(cg_fd); # 296| close(prog_fd); # 297| Error: NEGATIVE_RETURNS (CWE-394): iproute-4.11.0-0.el7/ip/ipvrf.c:261: var_tested_neg: Assigning: "prog_fd" = a negative value. iproute-4.11.0-0.el7/ip/ipvrf.c:296: negative_returns: "prog_fd" is passed to a parameter that cannot be negative. # 294| out: # 295| close(cg_fd); # 296|-> close(prog_fd); # 297| # 298| return rc; Error: NEGATIVE_RETURNS (CWE-394): iproute-4.11.0-0.el7/ip/ipvrf.c:356: var_tested_neg: Assigning: "fd" = a negative value. iproute-4.11.0-0.el7/ip/ipvrf.c:434: negative_returns: "fd" is passed to a parameter that cannot be negative. # 432| out: # 433| free(mnt); # 434|-> close(fd); # 435| # 436| return rc; Error: OVERRUN (CWE-119): iproute-4.11.0-0.el7/ip/tcp_metrics.c:168: assignment: Assigning: "req2.n.nlmsg_len" = "20U". iproute-4.11.0-0.el7/ip/tcp_metrics.c:181: overrun-buffer-arg: Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 19 using argument "req2.n.nlmsg_len" (which evaluates to 20). [Note: The source code implementation of the function has been overridden by a builtin model.] # 179| } # 180| fn = (struct nlmsghdr *) (f.flushb + NLMSG_ALIGN(f.flushp)); # 181|-> memcpy(fn, &req2.n, req2.n.nlmsg_len); # 182| fn->nlmsg_seq = ++grth.seq; # 183| f.flushp = (((char *) fn) + req2.n.nlmsg_len) - f.flushb; Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/tunnel.c:74: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 72| int err; # 73| # 74|-> strncpy(ifr.ifr_name, basedev, IFNAMSIZ); # 75| ifr.ifr_ifru.ifru_data = (void *)p; # 76| Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/tunnel.c:99: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 97| # 98| if (cmd == SIOCCHGTUNNEL && name[0]) # 99|-> strncpy(ifr.ifr_name, name, IFNAMSIZ); # 100| else # 101| strncpy(ifr.ifr_name, basedev, IFNAMSIZ); Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/tunnel.c:101: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 99| strncpy(ifr.ifr_name, name, IFNAMSIZ); # 100| else # 101|-> strncpy(ifr.ifr_name, basedev, IFNAMSIZ); # 102| ifr.ifr_ifru.ifru_data = p; # 103| Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/tunnel.c:125: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 123| # 124| if (name[0]) # 125|-> strncpy(ifr.ifr_name, name, IFNAMSIZ); # 126| else # 127| strncpy(ifr.ifr_name, basedev, IFNAMSIZ); Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/tunnel.c:127: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 125| strncpy(ifr.ifr_name, name, IFNAMSIZ); # 126| else # 127|-> strncpy(ifr.ifr_name, basedev, IFNAMSIZ); # 128| # 129| ifr.ifr_ifru.ifru_data = p; Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/tunnel.c:152: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 150| int err; # 151| # 152|-> strncpy(ifr.ifr_name, name, IFNAMSIZ); # 153| ifr.ifr_ifru.ifru_data = p; # 154| Error: CLANG_WARNING: iproute-4.11.0-0.el7/ip/xfrm_policy.c:539:26: warning: Access to field 'hard' results in a dereference of a null pointer (loaded from variable 'xpexp') # fprintf(fp, "hard %u", xpexp->hard); # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:1137:6: note: Assuming 'argc' is >= 1 # if (argc < 1) # ^~~~~~~~ iproute-4.11.0-0.el7/ip/xfrm_policy.c:1137:2: note: Taking false branch # if (argc < 1) # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:1140:2: note: Taking false branch # if (matches(*argv, "add") == 0) # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:1143:2: note: Taking false branch # if (matches(*argv, "update") == 0) # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:1146:2: note: Taking false branch # if (matches(*argv, "delete") == 0) # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:1148:6: note: Left side of '||' is false # if (matches(*argv, "deleteall") == 0 || matches(*argv, "delall") == 0) # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:1148:2: note: Taking false branch # if (matches(*argv, "deleteall") == 0 || matches(*argv, "delall") == 0) # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:1150:6: note: Left side of '||' is false # if (matches(*argv, "list") == 0 || matches(*argv, "show") == 0 # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:1150:6: note: Left side of '||' is false iproute-4.11.0-0.el7/ip/xfrm_policy.c:1150:2: note: Taking false branch # if (matches(*argv, "list") == 0 || matches(*argv, "show") == 0 # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:1153:2: note: Taking true branch # if (matches(*argv, "get") == 0) # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:1154:10: note: Calling 'xfrm_policy_get' # return xfrm_policy_get(argc-1, argv+1); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/ip/xfrm_policy.c:681:6: note: Calling 'xfrm_policy_print' # if (xfrm_policy_print(NULL, n, (void *)stdout) < 0) { # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/ip/xfrm_policy.c:459:2: note: 'xpexp' initialized to a null pointer value # struct xfrm_user_polexpire *xpexp = NULL; # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/ip/xfrm_policy.c:465:6: note: Left side of '&&' is true # if (n->nlmsg_type != XFRM_MSG_NEWPOLICY && # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:466:42: note: Left side of '&&' is false # n->nlmsg_type != XFRM_MSG_DELPOLICY && # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:474:2: note: Taking true branch # if (n->nlmsg_type == XFRM_MSG_DELPOLICY) { # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:487:2: note: Taking false branch # if (len < 0) { # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:492:2: note: Taking true branch # if (n->nlmsg_type == XFRM_MSG_DELPOLICY) # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:501:2: note: Taking false branch # if (tb[XFRMA_POLICY_TYPE]) { # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:512:13: note: Left side of '&&' is false # if (xpinfo && !xfrm_policy_filter_match(xpinfo, ptype)) # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:515:2: note: Taking false branch # if (n->nlmsg_type == XFRM_MSG_DELPOLICY) # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:517:7: note: Taking false branch # else if (n->nlmsg_type == XFRM_MSG_UPDPOLICY) # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:519:7: note: Taking true branch # else if (n->nlmsg_type == XFRM_MSG_POLEXPIRE) # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:522:2: note: Taking false branch # if (n->nlmsg_type == XFRM_MSG_DELPOLICY) { # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:537:2: note: Taking true branch # if (n->nlmsg_type == XFRM_MSG_POLEXPIRE) { # ^ iproute-4.11.0-0.el7/ip/xfrm_policy.c:539:26: note: Access to field 'hard' results in a dereference of a null pointer (loaded from variable 'xpexp') # fprintf(fp, "hard %u", xpexp->hard); # ^~~~~ # 537| if (n->nlmsg_type == XFRM_MSG_POLEXPIRE) { # 538| fprintf(fp, "\t"); # 539|-> fprintf(fp, "hard %u", xpexp->hard); # 540| fprintf(fp, "%s", _SL_); # 541| } Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/ip/xfrm_state.c:126: buffer_size_warning: Calling strncpy with a maximum size argument of 64 bytes on destination array "alg->alg_name" of size 64 bytes might leave the destination string unterminated. # 124| #endif # 125| # 126|-> strncpy(alg->alg_name, name, sizeof(alg->alg_name)); # 127| # 128| if (slen > 2 && strncmp(key, "0x", 2) == 0) { Error: CLANG_WARNING: iproute-4.11.0-0.el7/ip/xfrm_state.c:929:26: warning: Access to field 'hard' results in a dereference of a null pointer (loaded from variable 'xexp') # fprintf(fp, "hard %u", xexp->hard); # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:950:19: note: Assuming 'delete' is 0 # .n.nlmsg_type = delete ? XFRM_MSG_DELSA : XFRM_MSG_GETSA, # ^~~~~~ iproute-4.11.0-0.el7/ip/xfrm_state.c:950:19: note: '?' condition is false iproute-4.11.0-0.el7/ip/xfrm_state.c:957:9: note: Assuming 'argc' is <= 0 # while (argc > 0) { # ^~~~~~~~ iproute-4.11.0-0.el7/ip/xfrm_state.c:957:2: note: Loop condition is false. Execution continues on line 984 # while (argc > 0) { # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:984:2: note: Taking false branch # if (mark.m & mark.v) { # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:993:2: note: Taking false branch # if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0) # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:996:2: note: Taking false branch # if (req.xsid.family == AF_UNSPEC) # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:999:2: note: Taking false branch # if (delete) { # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:1005:3: note: Taking false branch # if (rtnl_talk(&rth, &req.n, &answer) < 0) # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:1008:7: note: Calling 'xfrm_state_print' # if (xfrm_state_print(NULL, answer, (void *)stdout) < 0) { # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/ip/xfrm_state.c:860:2: note: 'xexp' initialized to a null pointer value # struct xfrm_user_expire *xexp = NULL; # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/ip/xfrm_state.c:864:6: note: Left side of '&&' is true # if (n->nlmsg_type != XFRM_MSG_NEWSA && # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:865:38: note: Left side of '&&' is false # n->nlmsg_type != XFRM_MSG_DELSA && # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:873:2: note: Taking true branch # if (n->nlmsg_type == XFRM_MSG_DELSA) { # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:887:2: note: Taking false branch # if (len < 0) { # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:892:13: note: Left side of '&&' is false # if (xsinfo && !xfrm_state_filter_match(xsinfo)) # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:895:2: note: Taking true branch # if (n->nlmsg_type == XFRM_MSG_DELSA) # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:902:2: note: Taking true branch # if (n->nlmsg_type == XFRM_MSG_DELSA) # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:911:2: note: Taking false branch # if (n->nlmsg_type == XFRM_MSG_DELSA) { # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:927:2: note: Taking true branch # if (n->nlmsg_type == XFRM_MSG_EXPIRE) { # ^ iproute-4.11.0-0.el7/ip/xfrm_state.c:929:26: note: Access to field 'hard' results in a dereference of a null pointer (loaded from variable 'xexp') # fprintf(fp, "hard %u", xexp->hard); # ^~~~ # 927| if (n->nlmsg_type == XFRM_MSG_EXPIRE) { # 928| fprintf(fp, "\t"); # 929|-> fprintf(fp, "hard %u", xexp->hard); # 930| fprintf(fp, "%s", _SL_); # 931| } Error: CPPCHECK_WARNING (CWE-404): iproute-4.11.0-0.el7/lib/bpf.c:437: error[resourceLeak]: Resource leak: fp # 435| fp = fopen("/proc/mounts", "r"); # 436| if (fp == NULL || len != PATH_MAX) # 437|-> return NULL; # 438| # 439| while (fscanf(fp, "%*s %" textify(PATH_MAX) "s %99s %*s %*d %*d\n", Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/lib/bpf.c:435: alloc_fn: Storage is returned from allocation function "fopen". iproute-4.11.0-0.el7/lib/bpf.c:435: var_assign: Assigning: "fp" = storage returned from "fopen("/proc/mounts", "r")". iproute-4.11.0-0.el7/lib/bpf.c:437: leaked_storage: Variable "fp" going out of scope leaks the storage it points to. # 435| fp = fopen("/proc/mounts", "r"); # 436| if (fp == NULL || len != PATH_MAX) # 437|-> return NULL; # 438| # 439| while (fscanf(fp, "%*s %" textify(PATH_MAX) "s %99s %*s %*d %*d\n", Error: CHECKED_RETURN (CWE-252): iproute-4.11.0-0.el7/lib/bpf.c:486: check_return: Calling "write" without checking return value (as is done elsewhere 9 out of 11 times). iproute-4.11.0-0.el7/ip/ipaddress.c:1288: example_assign: Example 1: Assigning: "ret" = return value from "write(1, &ipadd_dump_magic, 4UL)". iproute-4.11.0-0.el7/ip/ipaddress.c:1289: example_checked: Example 1 (cont.): "ret" has its value checked in "ret != 4UL". iproute-4.11.0-0.el7/ip/iproute.c:1359: example_assign: Example 2: Assigning: "ret" = return value from "write(1, &route_dump_magic, 4UL)". iproute-4.11.0-0.el7/ip/iproute.c:1360: example_checked: Example 2 (cont.): "ret" has its value checked in "ret != 4UL". iproute-4.11.0-0.el7/ip/iprule.c:352: example_assign: Example 3: Assigning: "ret" = return value from "write(1, &rule_dump_magic, 4UL)". iproute-4.11.0-0.el7/ip/iprule.c:353: example_checked: Example 3 (cont.): "ret" has its value checked in "ret != 4UL". iproute-4.11.0-0.el7/ip/ipvrf.c:426: example_checked: Example 4: "write(fd, pid, strlen(pid))" has its value checked in "write(fd, pid, strlen(pid)) < 0L". iproute-4.11.0-0.el7/misc/rtacct.c:328: example_assign: Example 5: Assigning: "n" = return value from "write(fd, (char *)kern_db + tot, 20608UL - tot)". iproute-4.11.0-0.el7/misc/rtacct.c:330: example_checked: Example 5 (cont.): "n" has its value checked in "n < 0". # 484| ret = read(fd, buff, sizeof(buff) - 1); # 485| if (ret > 0) { # 486|-> write(2, buff, ret); # 487| fflush(stderr); # 488| } Error: COMPILER_WARNING: iproute-4.11.0-0.el7/lib/bpf.c: scope_hint: In function 'bpf_trace_pipe' iproute-4.11.0-0.el7/lib/bpf.c:486:9: warning: ignoring return value of 'write', declared with attribute warn_unused_result [-Wunused-result] # write(2, buff, ret); # ^ # 484| ret = read(fd, buff, sizeof(buff) - 1); # 485| if (ret > 0) { # 486|-> write(2, buff, ret); # 487| fflush(stderr); # 488| } Error: TAINTED_STRING (CWE-20): iproute-4.11.0-0.el7/lib/bpf.c:629: tainted_string_return_content: "getenv" returns tainted string content. iproute-4.11.0-0.el7/lib/bpf.c:629: var_assign: Assigning: "mnt" = "getenv("TC_BPF_MNT")", which taints "mnt". iproute-4.11.0-0.el7/lib/bpf.c:639: vararg_transitive: Call to "snprintf" with tainted argument "mnt" taints "bpf_wrk_dir". iproute-4.11.0-0.el7/lib/bpf.c:641: tainted_string: Passing tainted string "bpf_wrk_dir" to "bpf_gen_hierarchy", which cannot accept tainted data. iproute-4.11.0-0.el7/lib/bpf.c:596:3: tainted_string_sink_content_lv_call: Passing tainted string "base" to "bpf_gen_slave", which depends on its content. iproute-4.11.0-0.el7/lib/bpf.c:561:2: vararg_transitive: Call to "snprintf" with tainted argument "base" taints "bpf_sub_dir". iproute-4.11.0-0.el7/lib/bpf.c:572:4: tainted_string_sink_content_lv_call: Passing tainted string "bpf_sub_dir" to "bpf_slave_via_bind_mnt", which depends on its content. iproute-4.11.0-0.el7/lib/bpf.c:544:3: tainted_string_sink_content_lv_call: Passing tainted string "full_name" to "rmdir", which depends on its content. # 639| snprintf(bpf_wrk_dir, sizeof(bpf_wrk_dir), "%s/", mnt); # 640| # 641|-> ret = bpf_gen_hierarchy(bpf_wrk_dir); # 642| if (ret) { # 643| mnt = NULL; Error: CLANG_WARNING: iproute-4.11.0-0.el7/lib/bpf.c:801:3: warning: Called function pointer is null (null dereference) # ops->cbpf_cb(nl, opcodes, ret); # ^ iproute-4.11.0-0.el7/lib/bpf.c:817:6: note: Assuming pointer value is null # if (ops->cbpf_cb) { # ^~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/bpf.c:817:2: note: Taking false branch # if (ops->cbpf_cb) { # ^ iproute-4.11.0-0.el7/lib/bpf.c:822:2: note: Taking false branch # if (ops->ebpf_cb) { # ^ iproute-4.11.0-0.el7/lib/bpf.c:827:9: note: Calling 'bpf_parse_opt_tbl' # return bpf_parse_opt_tbl(type, cfg, ops, nl, opt_tbl); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/bpf.c:797:6: note: Assuming 'ret' is >= 0 # if (ret < 0) # ^~~~~~~ iproute-4.11.0-0.el7/lib/bpf.c:797:2: note: Taking false branch # if (ret < 0) # ^ iproute-4.11.0-0.el7/lib/bpf.c:800:6: note: Assuming 'mode' is equal to CBPF_BYTECODE # if (mode == CBPF_BYTECODE || mode == CBPF_FILE) # ^~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/bpf.c:800:28: note: Left side of '||' is true # if (mode == CBPF_BYTECODE || mode == CBPF_FILE) # ^ iproute-4.11.0-0.el7/lib/bpf.c:801:3: note: Called function pointer is null (null dereference) # ops->cbpf_cb(nl, opcodes, ret); # ^~~~~~~~~~~~ # 799| # 800| if (mode == CBPF_BYTECODE || mode == CBPF_FILE) # 801|-> ops->cbpf_cb(nl, opcodes, ret); # 802| if (mode == EBPF_OBJECT || mode == EBPF_PINNED) { # 803| snprintf(annotation, sizeof(annotation), "%s:[%s]", Error: CLANG_WARNING: iproute-4.11.0-0.el7/lib/bpf.c:806:3: warning: Called function pointer is null (null dereference) # ops->ebpf_cb(nl, ret, annotation); # ^ iproute-4.11.0-0.el7/lib/bpf.c:817:2: note: Taking false branch # if (ops->cbpf_cb) { # ^ iproute-4.11.0-0.el7/lib/bpf.c:822:6: note: Assuming pointer value is null # if (ops->ebpf_cb) { # ^~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/bpf.c:822:2: note: Taking false branch # if (ops->ebpf_cb) { # ^ iproute-4.11.0-0.el7/lib/bpf.c:827:9: note: Calling 'bpf_parse_opt_tbl' # return bpf_parse_opt_tbl(type, cfg, ops, nl, opt_tbl); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/bpf.c:797:6: note: Assuming 'ret' is >= 0 # if (ret < 0) # ^~~~~~~ iproute-4.11.0-0.el7/lib/bpf.c:797:2: note: Taking false branch # if (ret < 0) # ^ iproute-4.11.0-0.el7/lib/bpf.c:800:6: note: Assuming 'mode' is not equal to CBPF_BYTECODE # if (mode == CBPF_BYTECODE || mode == CBPF_FILE) # ^~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/bpf.c:800:6: note: Left side of '||' is false iproute-4.11.0-0.el7/lib/bpf.c:800:31: note: Assuming 'mode' is not equal to CBPF_FILE # if (mode == CBPF_BYTECODE || mode == CBPF_FILE) # ^~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/bpf.c:800:2: note: Taking false branch # if (mode == CBPF_BYTECODE || mode == CBPF_FILE) # ^ iproute-4.11.0-0.el7/lib/bpf.c:802:6: note: Assuming 'mode' is equal to EBPF_OBJECT # if (mode == EBPF_OBJECT || mode == EBPF_PINNED) { # ^~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/bpf.c:802:26: note: Left side of '||' is true # if (mode == EBPF_OBJECT || mode == EBPF_PINNED) { # ^ iproute-4.11.0-0.el7/lib/bpf.c:804:28: note: '?' condition is false # basename(cfg->object), mode == EBPF_PINNED ? # ^ iproute-4.11.0-0.el7/lib/bpf.c:806:3: note: Called function pointer is null (null dereference) # ops->ebpf_cb(nl, ret, annotation); # ^~~~~~~~~~~~ # 804| basename(cfg->object), mode == EBPF_PINNED ? # 805| "*fsobj" : cfg->section); # 806|-> ops->ebpf_cb(nl, ret, annotation); # 807| } # 808| Error: DEADCODE (CWE-561): iproute-4.11.0-0.el7/lib/bpf.c:833: incr: Incrementing "opt_tbl@dim0". The value of "opt_tbl@dim0" is now 1. iproute-4.11.0-0.el7/lib/bpf.c:833: incr: Incrementing "opt_tbl@dim0". The value of "opt_tbl@dim0" is now 2. iproute-4.11.0-0.el7/lib/bpf.c:833: incr: Incrementing "opt_tbl@dim0". The value of "opt_tbl@dim0" is now 3. iproute-4.11.0-0.el7/lib/bpf.c:833: incr: Incrementing "opt_tbl@dim0". The value of "opt_tbl@dim0" is now 4. iproute-4.11.0-0.el7/lib/bpf.c:833: const: At condition "opt_tbl@dim0 < 4UL", the value of "opt_tbl@dim0" must be equal to 4. iproute-4.11.0-0.el7/lib/bpf.c:833: dead_error_condition: The condition "opt_tbl@dim0 < 4UL" cannot be true. iproute-4.11.0-0.el7/lib/bpf.c:833: dead_error_line: Execution cannot reach this statement: "opt_tbl[opt_tbl@dim0] = false;". # 831| { # 832| enum bpf_prog_type type = BPF_PROG_TYPE_UNSPEC; # 833|-> const bool opt_tbl[BPF_MODE_MAX] = { # 834| [EBPF_OBJECT] = true, # 835| [EBPF_PINNED] = true, Error: CPPCHECK_WARNING (CWE-120): iproute-4.11.0-0.el7/lib/fs.c:48: error[invalidScanfFormatWidth]: Width 4096 given in format string (no. 1) is larger than destination buffer 'path[4096]', use %4095s to prevent overflowing it. # 46| } # 47| # 48|-> while (fscanf(fp, "%*s %4096s %127s %*s %*d %*d\n", # 49| path, fstype) == 2) { # 50| if (strcmp(fstype, fs_to_find) == 0) { Error: TOCTOU (CWE-367): iproute-4.11.0-0.el7/lib/fs.c:123: fs_check_call: Calling function "stat" to perform check on "dir". iproute-4.11.0-0.el7/lib/fs.c:131: toctou: Calling function "mkdir" that uses "dir" after a check function. This can cause a time-of-check, time-of-use race condition. # 129| } # 130| # 131|-> if (mkdir(dir, mode) != 0) { # 132| fprintf(stderr, # 133| "mkdir failed for %s: %s\n", Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/lib/inet_proto.c:38: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ncache" of size 16 bytes might leave the destination string unterminated. # 36| if (pe) { # 37| icache = proto; # 38|-> strncpy(ncache, pe->p_name, 16); # 39| strncpy(buf, pe->p_name, len); # 40| return buf; Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/lib/inet_proto.c:65: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ncache" of size 16 bytes might leave the destination string unterminated. # 63| if (pe) { # 64| icache = pe->p_proto; # 65|-> strncpy(ncache, pe->p_name, 16); # 66| return pe->p_proto; # 67| } Error: CHECKED_RETURN (CWE-252): iproute-4.11.0-0.el7/lib/libnetlink.c:149: check_return: Calling "setsockopt(rth->fd, 270, 11, &one, 4U)" without checking return value. This library function may fail and return an error code. # 147| # 148| /* Older kernels may no support extended ACK reporting */ # 149|-> setsockopt(rth->fd, SOL_NETLINK, NETLINK_EXT_ACK, # 150| &one, sizeof(one)); # 151| Error: OVERRUN (CWE-119): iproute-4.11.0-0.el7/ip/ipnetns.c:64: assignment: Assigning: "req.n.nlmsg_len" = "17U". iproute-4.11.0-0.el7/ip/ipnetns.c:81: overrun-buffer-arg: Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 16 using argument "req.n.nlmsg_len" (which evaluates to 17). iproute-4.11.0-0.el7/lib/libnetlink.c:261:2: access_dbuff_in_call: Calling "send" indexes array "buf" with index "len". # 259| int rtnl_send(struct rtnl_handle *rth, const void *buf, int len) # 260| { # 261|-> return send(rth->fd, buf, len, 0); # 262| } # 263| Error: CLANG_WARNING: iproute-4.11.0-0.el7/lib/libnetlink.c:479:11: warning: The left operand of '>=' is a garbage value # while (NLMSG_OK(h, msglen)) { # ^ iproute-4.11.0-0.el7/include/uapi/linux/netlink.h:97:24: note: expanded from macro 'NLMSG_OK' # (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && \ # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:550:9: note: Calling 'rtnl_dump_filter_l' # return rtnl_dump_filter_l(rth, a); # ^~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:461:2: note: Loop condition is true. Entering loop body # while (1) { # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:467:12: note: Calling 'rtnl_recvmsg' # status = rtnl_recvmsg(rth->fd, &msg, &buf); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:421:6: note: Assuming 'len' is >= 0 # if (len < 0) # ^~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:421:2: note: Taking false branch # if (len < 0) # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:424:8: note: Uninitialized value stored to field 'nlmsg_len' # buf = malloc(len); # ^~~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:425:6: note: Assuming 'buf' is non-null # if (!buf) { # ^~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:425:2: note: Taking false branch # if (!buf) { # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:434:6: note: Assuming 'len' is >= 0 # if (len < 0) { # ^~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:434:2: note: Taking false branch # if (len < 0) { # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:439:2: note: Taking true branch # if (answer) # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:467:12: note: Returning from 'rtnl_recvmsg' # status = rtnl_recvmsg(rth->fd, &msg, &buf); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:468:3: note: Taking false branch # if (status < 0) # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:471:3: note: Taking false branch # if (rth->dump_fp) # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:474:3: note: Loop condition is true. Entering loop body # for (a = arg; a->filter; a++) { # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:479:11: note: Left side of '&&' is true # while (NLMSG_OK(h, msglen)) { # ^ iproute-4.11.0-0.el7/include/uapi/linux/netlink.h:96:28: note: expanded from macro 'NLMSG_OK' ##define NLMSG_OK(nlh,len) ((len) >= (int)sizeof(struct nlmsghdr) && \ # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:479:11: note: The left operand of '>=' is a garbage value # while (NLMSG_OK(h, msglen)) { # ^~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/include/uapi/linux/netlink.h:97:24: note: expanded from macro 'NLMSG_OK' # (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && \ # ~~~~~~~~~~~~~~~~ ^ # 477| msglen = status; # 478| # 479|-> while (NLMSG_OK(h, msglen)) { # 480| int err = 0; # 481| Error: CLANG_WARNING: iproute-4.11.0-0.el7/lib/libnetlink.c:607:4: warning: Assigned value is garbage or undefined # int len = h->nlmsg_len; # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:693:9: note: Calling '__rtnl_talk' # return __rtnl_talk(rtnl, n, answer, false, NULL); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:585:6: note: Assuming 'answer' is not equal to null # if (answer == NULL) # ^~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:585:2: note: Taking false branch # if (answer == NULL) # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:589:6: note: Assuming 'status' is >= 0 # if (status < 0) { # ^~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:589:2: note: Taking false branch # if (status < 0) { # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:594:2: note: Loop condition is true. Entering loop body # while (1) { # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:595:12: note: Calling 'rtnl_recvmsg' # status = rtnl_recvmsg(rtnl->fd, &msg, &buf); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:421:6: note: Assuming 'len' is >= 0 # if (len < 0) # ^~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:421:2: note: Taking false branch # if (len < 0) # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:424:8: note: Uninitialized value stored to field 'nlmsg_len' # buf = malloc(len); # ^~~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:425:6: note: Assuming 'buf' is non-null # if (!buf) { # ^~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:425:2: note: Taking false branch # if (!buf) { # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:434:6: note: Assuming 'len' is >= 0 # if (len < 0) { # ^~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:434:2: note: Taking false branch # if (len < 0) { # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:439:2: note: Taking true branch # if (answer) # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:595:12: note: Returning from 'rtnl_recvmsg' # status = rtnl_recvmsg(rtnl->fd, &msg, &buf); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:597:3: note: Taking false branch # if (status < 0) # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:600:3: note: Taking false branch # if (msg.msg_namelen != sizeof(nladdr)) { # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:606:3: note: Loop condition is true. Entering loop body # for (h = (struct nlmsghdr *)buf; status >= sizeof(*h); ) { # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:607:4: note: Assigned value is garbage or undefined # int len = h->nlmsg_len; # ^ ~~~~~~~~~~~~ # 605| } # 606| for (h = (struct nlmsghdr *)buf; status >= sizeof(*h); ) { # 607|-> int len = h->nlmsg_len; # 608| int l = len - sizeof(*h); # 609| Error: CPPCHECK_WARNING (CWE-843): iproute-4.11.0-0.el7/lib/libnetlink.c:901: warning[nullPointer]: Possible null pointer dereference: data # 899| rta->rta_type = type; # 900| rta->rta_len = len; # 901|-> memcpy(RTA_DATA(rta), data, alen); # 902| n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len); # 903| return 0; Error: OVERRUN (CWE-119): iproute-4.11.0-0.el7/tc/m_action.c:232: cond_at_most: Checking "slen > 32UL" implies that "slen" may be up to 32 on the false branch. iproute-4.11.0-0.el7/tc/m_action.c:245: assignment: Assigning: "act_ck_len" = "slen". The value of "act_ck_len" may now be up to 32. iproute-4.11.0-0.el7/tc/m_action.c:251: overrun-buffer-arg: Overrunning array "act_ck" of 16 bytes by passing it to a function which accesses it at byte offset 31 using argument "act_ck_len" (which evaluates to 32). iproute-4.11.0-0.el7/lib/libnetlink.c:901:2: access_dbuff_in_call: Calling "memcpy" indexes array "data" with index "alen". [Note: The source code implementation of the function has been overridden by a builtin model.] # 899| rta->rta_type = type; # 900| rta->rta_len = len; # 901|-> memcpy(RTA_DATA(rta), data, alen); # 902| n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len); # 903| return 0; Error: CLANG_WARNING: iproute-4.11.0-0.el7/lib/libnetlink.c:901:2: warning: Null pointer passed as an argument to a 'nonnull' parameter # memcpy(RTA_DATA(rta), data, alen); # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:941:2: note: Calling 'addattr_nest' # addattr_nest(n, maxlen, type); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:925:29: note: Passing null pointer value via 4th parameter 'data' # addattr_l(n, maxlen, type, NULL, 0); # ^~~~ /usr/lib/clang/3.4.2/include/stddef.h:77:16: note: expanded from macro 'NULL' ## define NULL ((void*)0) # ^~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:925:2: note: Calling 'addattr_l' # addattr_l(n, maxlen, type, NULL, 0); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:892:2: note: Taking false branch # if (NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len) > maxlen) { # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:901:2: note: Null pointer passed as an argument to a 'nonnull' parameter # memcpy(RTA_DATA(rta), data, alen); # ^ ~~~~ # 899| rta->rta_type = type; # 900| rta->rta_len = len; # 901|-> memcpy(RTA_DATA(rta), data, alen); # 902| n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len); # 903| return 0; Error: CPPCHECK_WARNING (CWE-843): iproute-4.11.0-0.el7/lib/libnetlink.c:988: warning[nullPointer]: Possible null pointer dereference: data # 986| subrta->rta_type = type; # 987| subrta->rta_len = len; # 988|-> memcpy(RTA_DATA(subrta), data, alen); # 989| rta->rta_len = NLMSG_ALIGN(rta->rta_len) + RTA_ALIGN(len); # 990| return 0; Error: CLANG_WARNING: iproute-4.11.0-0.el7/lib/libnetlink.c:988:2: warning: Null pointer passed as an argument to a 'nonnull' parameter # memcpy(RTA_DATA(subrta), data, alen); # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:1012:35: note: Passing null pointer value via 4th parameter 'data' # rta_addattr_l(rta, maxlen, type, NULL, 0); # ^~~~ /usr/lib/clang/3.4.2/include/stddef.h:77:16: note: expanded from macro 'NULL' ## define NULL ((void*)0) # ^~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:1012:2: note: Calling 'rta_addattr_l' # rta_addattr_l(rta, maxlen, type, NULL, 0); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/lib/libnetlink.c:979:2: note: Taking false branch # if (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len) > maxlen) { # ^ iproute-4.11.0-0.el7/lib/libnetlink.c:988:2: note: Null pointer passed as an argument to a 'nonnull' parameter # memcpy(RTA_DATA(subrta), data, alen); # ^ ~~~~ # 986| subrta->rta_type = type; # 987| subrta->rta_len = len; # 988|-> memcpy(RTA_DATA(subrta), data, alen); # 989| rta->rta_len = NLMSG_ALIGN(rta->rta_len) + RTA_ALIGN(len); # 990| return 0; Error: STRING_OVERFLOW (CWE-120): iproute-4.11.0-0.el7/lib/ll_map.c:127: fixed_size_dest: You might overrun the 16-character fixed-size string "im->name" by copying "ifname" without checking the length. # 125| return 0; # 126| im->index = ifi->ifi_index; # 127|-> strcpy(im->name, ifname); # 128| im->type = ifi->ifi_type; # 129| im->flags = ifi->ifi_flags; Error: CONSTANT_EXPRESSION_RESULT (CWE-398): iproute-4.11.0-0.el7/lib/rt_names.c:413: result_independent_of_operands: "id > RT_TABLE_MAX" is always false regardless of the values of its operands. This occurs as the logical operand of "if". # 411| struct rtnl_hash_entry *entry; # 412| # 413|-> if (id > RT_TABLE_MAX) { # 414| snprintf(buf, len, "%u", id); # 415| return buf; Error: CLANG_WARNING: iproute-4.11.0-0.el7/misc/arpd.c:498:16: warning: Function call argument is an uninitialized value # if (ifnum && !handle_if(sll.sll_ifindex)) # ^ iproute-4.11.0-0.el7/misc/arpd.c:594:2: note: Loop condition is false. Execution continues on line 644 # while ((opt = getopt(argc, argv, "h?b:lf:a:n:p:kR:B:")) != EOF) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:647:6: note: Assuming 'argc' is <= 0 # if (argc > 0) { # ^~~~~~~~ iproute-4.11.0-0.el7/misc/arpd.c:647:2: note: Taking false branch # if (argc > 0) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:657:2: note: Taking false branch # if ((udp_sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:662:6: note: Assuming 'ifnum' is 0 # if (ifnum) { # ^~~~~ iproute-4.11.0-0.el7/misc/arpd.c:662:2: note: Taking false branch # if (ifnum) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:677:6: note: Assuming 'dbase' is not equal to null # if (dbase == NULL) { # ^~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/arpd.c:677:2: note: Taking false branch # if (dbase == NULL) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:682:2: note: Taking false branch # if (do_load) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:732:2: note: Taking false branch # if (do_list) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:757:6: note: Left side of '||' is false # if (do_load || do_list) # ^ iproute-4.11.0-0.el7/misc/arpd.c:757:2: note: Taking false branch # if (do_load || do_list) # ^ iproute-4.11.0-0.el7/misc/arpd.c:761:2: note: Taking false branch # if (pset[0].fd < 0) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:766:2: note: Taking true branch # if (1) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:770:20: note: '?' condition is false # .sll_ifindex = (ifnum == 1 ? ifvec[0] : 0), # ^ iproute-4.11.0-0.el7/misc/arpd.c:773:3: note: Taking false branch # if (bind(pset[0].fd, (struct sockaddr *)&sll, sizeof(sll)) < 0) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:779:2: note: Taking false branch # if (rtnl_open(&rth, RTMGRP_NEIGH) < 0) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:787:2: note: Taking false branch # if (daemon(0, 0)) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:806:2: note: Loop condition is true. Entering loop body # for (;;) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:809:7: note: Assuming 'do_exit' is 0 # if (do_exit) # ^~~~~~~ iproute-4.11.0-0.el7/misc/arpd.c:809:3: note: Taking false branch # if (do_exit) # ^ iproute-4.11.0-0.el7/misc/arpd.c:811:7: note: Assuming 'do_sync' is 0 # if (do_sync) { # ^~~~~~~ iproute-4.11.0-0.el7/misc/arpd.c:811:3: note: Taking false branch # if (do_sync) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:817:7: note: Assuming 'do_stats' is 0 # if (do_stats) # ^~~~~~~~ iproute-4.11.0-0.el7/misc/arpd.c:817:3: note: Taking false branch # if (do_stats) # ^ iproute-4.11.0-0.el7/misc/arpd.c:819:3: note: Taking true branch # if (poll(pset, 2, poll_timeout) > 0) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:821:4: note: Taking true branch # if (pset[0].revents&EVENTS) # ^ iproute-4.11.0-0.el7/misc/arpd.c:822:5: note: Calling 'get_arp_pkt' # get_arp_pkt(); # ^~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/arpd.c:492:6: note: Assuming 'n' is >= 0 # if (n < 0) { # ^~~~~ iproute-4.11.0-0.el7/misc/arpd.c:492:2: note: Taking false branch # if (n < 0) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:498:6: note: Left side of '&&' is true # if (ifnum && !handle_if(sll.sll_ifindex)) # ^ iproute-4.11.0-0.el7/misc/arpd.c:498:16: note: Function call argument is an uninitialized value # if (ifnum && !handle_if(sll.sll_ifindex)) # ^ ~~~~~~~~~~~~~~~ # 496| } # 497| # 498|-> if (ifnum && !handle_if(sll.sll_ifindex)) # 499| return; # 500| Error: CLANG_WARNING: iproute-4.11.0-0.el7/misc/arpd.c:508:16: warning: The right operand of '!=' is a garbage value # a->ar_hln != sll.sll_halen || # ^ iproute-4.11.0-0.el7/misc/arpd.c:594:2: note: Loop condition is false. Execution continues on line 644 # while ((opt = getopt(argc, argv, "h?b:lf:a:n:p:kR:B:")) != EOF) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:647:6: note: Assuming 'argc' is <= 0 # if (argc > 0) { # ^~~~~~~~ iproute-4.11.0-0.el7/misc/arpd.c:647:2: note: Taking false branch # if (argc > 0) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:657:2: note: Taking false branch # if ((udp_sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:662:6: note: Assuming 'ifnum' is 0 # if (ifnum) { # ^~~~~ iproute-4.11.0-0.el7/misc/arpd.c:662:2: note: Taking false branch # if (ifnum) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:677:6: note: Assuming 'dbase' is not equal to null # if (dbase == NULL) { # ^~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/arpd.c:677:2: note: Taking false branch # if (dbase == NULL) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:682:2: note: Taking false branch # if (do_load) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:732:2: note: Taking false branch # if (do_list) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:757:6: note: Left side of '||' is false # if (do_load || do_list) # ^ iproute-4.11.0-0.el7/misc/arpd.c:757:2: note: Taking false branch # if (do_load || do_list) # ^ iproute-4.11.0-0.el7/misc/arpd.c:761:2: note: Taking false branch # if (pset[0].fd < 0) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:766:2: note: Taking true branch # if (1) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:770:20: note: '?' condition is false # .sll_ifindex = (ifnum == 1 ? ifvec[0] : 0), # ^ iproute-4.11.0-0.el7/misc/arpd.c:773:3: note: Taking false branch # if (bind(pset[0].fd, (struct sockaddr *)&sll, sizeof(sll)) < 0) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:779:2: note: Taking false branch # if (rtnl_open(&rth, RTMGRP_NEIGH) < 0) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:787:2: note: Taking false branch # if (daemon(0, 0)) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:806:2: note: Loop condition is true. Entering loop body # for (;;) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:809:7: note: Assuming 'do_exit' is 0 # if (do_exit) # ^~~~~~~ iproute-4.11.0-0.el7/misc/arpd.c:809:3: note: Taking false branch # if (do_exit) # ^ iproute-4.11.0-0.el7/misc/arpd.c:811:7: note: Assuming 'do_sync' is 0 # if (do_sync) { # ^~~~~~~ iproute-4.11.0-0.el7/misc/arpd.c:811:3: note: Taking false branch # if (do_sync) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:817:7: note: Assuming 'do_stats' is 0 # if (do_stats) # ^~~~~~~~ iproute-4.11.0-0.el7/misc/arpd.c:817:3: note: Taking false branch # if (do_stats) # ^ iproute-4.11.0-0.el7/misc/arpd.c:819:3: note: Taking true branch # if (poll(pset, 2, poll_timeout) > 0) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:821:4: note: Taking true branch # if (pset[0].revents&EVENTS) # ^ iproute-4.11.0-0.el7/misc/arpd.c:822:5: note: Calling 'get_arp_pkt' # get_arp_pkt(); # ^~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/arpd.c:492:6: note: Assuming 'n' is >= 0 # if (n < 0) { # ^~~~~ iproute-4.11.0-0.el7/misc/arpd.c:492:2: note: Taking false branch # if (n < 0) { # ^ iproute-4.11.0-0.el7/misc/arpd.c:498:12: note: Left side of '&&' is false # if (ifnum && !handle_if(sll.sll_ifindex)) # ^ iproute-4.11.0-0.el7/misc/arpd.c:503:6: note: Left side of '||' is false # if (n < sizeof(*a) || # ^ iproute-4.11.0-0.el7/misc/arpd.c:504:40: note: Left side of '&&' is false # (a->ar_op != htons(ARPOP_REQUEST) && # ^ iproute-4.11.0-0.el7/misc/arpd.c:503:6: note: Left side of '||' is false # if (n < sizeof(*a) || # ^ iproute-4.11.0-0.el7/misc/arpd.c:503:6: note: Left side of '||' is false iproute-4.11.0-0.el7/misc/arpd.c:508:16: note: The right operand of '!=' is a garbage value # a->ar_hln != sll.sll_halen || # ^ ~~~~~~~~~~~~~ # 506| a->ar_pln != 4 || # 507| a->ar_pro != htons(ETH_P_IP) || # 508|-> a->ar_hln != sll.sll_halen || # 509| sizeof(*a) + 2*4 + 2*a->ar_hln > n) # 510| return; Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/misc/arpd.c:667: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "ifr.ifr_ifrn.ifrn_name" of size 16 bytes might leave the destination string unterminated. # 665| # 666| for (i = 0; i < ifnum; i++) { # 667|-> strncpy(ifr.ifr_name, ifnames[i], IFNAMSIZ); # 668| if (ioctl(udp_sock, SIOCGIFINDEX, &ifr)) { # 669| perror("ioctl(SIOCGIFINDEX)"); Error: CPPCHECK_WARNING (CWE-401): iproute-4.11.0-0.el7/misc/ifstat.c:147: error[memleak]: Memory leak: n # 145| attr = parse_rtattr_one_nested(sub_type, tb[filter_type]); # 146| if (attr == NULL) # 147|-> return 0; # 148| memcpy(&n->val, RTA_DATA(attr), sizeof(n->val)); # 149| } Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/misc/ifstat.c:133: alloc_fn: Storage is returned from allocation function "malloc". iproute-4.11.0-0.el7/misc/ifstat.c:133: var_assign: Assigning: "n" = storage returned from "malloc(504UL)". iproute-4.11.0-0.el7/misc/ifstat.c:147: leaked_storage: Variable "n" going out of scope leaks the storage it points to. # 145| attr = parse_rtattr_one_nested(sub_type, tb[filter_type]); # 146| if (attr == NULL) # 147|-> return 0; # 148| memcpy(&n->val, RTA_DATA(attr), sizeof(n->val)); # 149| } Error: CLANG_WARNING: iproute-4.11.0-0.el7/misc/ifstat.c:147:11: warning: Potential leak of memory pointed to by 'n' # return 0; # ^ iproute-4.11.0-0.el7/misc/ifstat.c:122:2: note: Taking false branch # if (m->nlmsg_type != RTM_NEWSTATS) # ^ iproute-4.11.0-0.el7/misc/ifstat.c:126:2: note: Taking false branch # if (len < 0) # ^ iproute-4.11.0-0.el7/misc/ifstat.c:130:2: note: Taking false branch # if (tb[filter_type] == NULL) # ^ iproute-4.11.0-0.el7/misc/ifstat.c:133:6: note: Memory is allocated # n = malloc(sizeof(*n)); # ^~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ifstat.c:134:6: note: Assuming 'n' is non-null # if (!n) # ^~ iproute-4.11.0-0.el7/misc/ifstat.c:134:2: note: Taking false branch # if (!n) # ^ iproute-4.11.0-0.el7/misc/ifstat.c:140:6: note: Assuming 'sub_type' is not equal to 65535 # if (sub_type == NO_SUB_TYPE) { # ^~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ifstat.c:140:2: note: Taking false branch # if (sub_type == NO_SUB_TYPE) { # ^ iproute-4.11.0-0.el7/misc/ifstat.c:146:7: note: Assuming 'attr' is equal to null # if (attr == NULL) # ^~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ifstat.c:146:3: note: Taking true branch # if (attr == NULL) # ^ iproute-4.11.0-0.el7/misc/ifstat.c:147:11: note: Potential leak of memory pointed to by 'n' # return 0; # ^ # 145| attr = parse_rtattr_one_nested(sub_type, tb[filter_type]); # 146| if (attr == NULL) # 147|-> return 0; # 148| memcpy(&n->val, RTA_DATA(attr), sizeof(n->val)); # 149| } Error: NULL_RETURNS (CWE-476): iproute-4.11.0-0.el7/misc/ifstat.c:987: returned_null: "fdopen" returns null (checked 8 out of 10 times). iproute-4.11.0-0.el7/misc/ifstat.c:703: example_assign: Example 1: Assigning: "fp" = return value from "fdopen(clnt, "w")". iproute-4.11.0-0.el7/misc/ifstat.c:705: example_checked: Example 1 (cont.): "fp" has its value checked in "fp". iproute-4.11.0-0.el7/misc/ifstat.c:944: example_checked: Example 2: "fdopen(fd, "r+")" has its value checked in "(hist_fp = fdopen(fd, "r+")) == NULL". iproute-4.11.0-0.el7/misc/nstat.c:287: example_assign: Example 3: Assigning: "fp" = return value from "fdopen(net_netstat_open(), "r")". iproute-4.11.0-0.el7/misc/nstat.c:289: example_checked: Example 3 (cont.): "fp" has its value checked in "fp". iproute-4.11.0-0.el7/misc/nstat.c:257: example_assign: Example 4: Assigning: "fp" = return value from "fdopen(net_sctp_snmp_open(), "r")". iproute-4.11.0-0.el7/misc/nstat.c:259: example_checked: Example 4 (cont.): "fp" has its value checked in "fp". iproute-4.11.0-0.el7/misc/nstat.c:267: example_assign: Example 5: Assigning: "fp" = return value from "fdopen(net_snmp_open(), "r")". iproute-4.11.0-0.el7/misc/nstat.c:269: example_checked: Example 5 (cont.): "fp" has its value checked in "fp". iproute-4.11.0-0.el7/misc/ifstat.c:987: var_assigned: Assigning: "sfp" = null return value from "fdopen". iproute-4.11.0-0.el7/misc/ifstat.c:989: dereference: Dereferencing a pointer that might be null "sfp" when calling "load_raw_table". iproute-4.11.0-0.el7/misc/ifstat.c:246:2: deref_parm_in_call: Function "fgets" dereferences "fp". [Note: The source code implementation of the function has been overridden by a builtin model.] # 244| struct ifstat_ent *n; # 245| # 246|-> while (fgets(buf, sizeof(buf), fp) != NULL) { # 247| char *p; # 248| char *next; Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/misc/ifstat.c:516: alloc_fn: Storage is returned from allocation function "jsonw_new". iproute-4.11.0-0.el7/lib/json_writer.c:99:22: alloc_fn: Storage is returned from allocation function "malloc". iproute-4.11.0-0.el7/lib/json_writer.c:99:22: var_assign: Assigning: "self" = "malloc(16UL)". iproute-4.11.0-0.el7/lib/json_writer.c:106:2: return_alloc: Returning allocated memory "self". iproute-4.11.0-0.el7/misc/ifstat.c:516: var_assign: Assigning: "jw" = storage returned from "jsonw_new(fp)". iproute-4.11.0-0.el7/misc/ifstat.c:520: noescape: Resource "jw" is not freed or pointed-to in "jsonw_start_object". iproute-4.11.0-0.el7/lib/json_writer.c:170:40: noescape: "jsonw_start_object(json_writer_t *)" does not free or save its parameter "self". iproute-4.11.0-0.el7/misc/ifstat.c:521: noescape: Resource "jw" is not freed or pointed-to in "jsonw_pretty". iproute-4.11.0-0.el7/lib/json_writer.c:121:34: noescape: "jsonw_pretty(json_writer_t *, _Bool)" does not free or save its parameter "self". iproute-4.11.0-0.el7/misc/ifstat.c:522: noescape: Resource "jw" is not freed or pointed-to in "jsonw_name". iproute-4.11.0-0.el7/lib/json_writer.c:148:32: noescape: "jsonw_name(json_writer_t *, char const *)" does not free or save its parameter "self". iproute-4.11.0-0.el7/misc/ifstat.c:523: noescape: Resource "jw" is not freed or pointed-to in "jsonw_start_object". iproute-4.11.0-0.el7/lib/json_writer.c:170:40: noescape: "jsonw_start_object(json_writer_t *)" does not free or save its parameter "self". iproute-4.11.0-0.el7/misc/ifstat.c:538: leaked_storage: Variable "jw" going out of scope leaks the storage it points to. # 536| if (json_output) # 537| fprintf(fp, "\n} }\n"); # 538|-> } # 539| # 540| static void dump_incr_db(FILE *fp) Error: DC.WEAK_CRYPTO: iproute-4.11.0-0.el7/misc/ifstat.c:672: dont_call: "random" should not be used for security related applications, as linear congruential algorithms are too easy to break. iproute-4.11.0-0.el7/misc/ifstat.c:672: remediation: Use a compliant random number generator, such as "/dev/random" or "/dev/urandom" on Unix-like systems, and "CryptGenRandom" on Windows. # 670| # 671| sprintf(info_source, "%d.%lu sampling_interval=%d time_const=%d", # 672|-> getpid(), (unsigned long)random(), scan_interval/1000, time_constant/1000); # 673| # 674| load_info(); Error: INFINITE_LOOP (CWE-835): iproute-4.11.0-0.el7/misc/lnstat.c:356: loop_top: Top of the loop. iproute-4.11.0-0.el7/misc/lnstat.c:369: loop_bottom: Bottom of the loop. iproute-4.11.0-0.el7/misc/lnstat.c:356: loop_condition: If "count" is initially true then it will remain true. # 354| interval = 1; # 355| # 356|-> for (i = 0; i < count || !count; i++) { # 357| lnstat_update(lnstat_files); # 358| if (mode == MODE_JSON) Error: STRING_OVERFLOW (CWE-120): iproute-4.11.0-0.el7/misc/lnstat_util.c:184: fixed_size_dest: You might overrun the 256-character fixed-size string "lf->basename" by copying "file" without checking the length. iproute-4.11.0-0.el7/misc/lnstat_util.c:184: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. # 182| /* initialize */ # 183| /* de->d_name is guaranteed to be <= NAME_MAX */ # 184|-> strcpy(lf->basename, file); # 185| strcpy(lf->path, path); # 186| strcat(lf->path, "/"); Error: STRING_OVERFLOW (CWE-120): iproute-4.11.0-0.el7/misc/lnstat_util.c:185: fixed_size_dest: You might overrun the 4097-character fixed-size string "lf->path" by copying "path" without checking the length. iproute-4.11.0-0.el7/misc/lnstat_util.c:185: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. # 183| /* de->d_name is guaranteed to be <= NAME_MAX */ # 184| strcpy(lf->basename, file); # 185|-> strcpy(lf->path, path); # 186| strcat(lf->path, "/"); # 187| strcat(lf->path, lf->basename); Error: NULL_RETURNS (CWE-476): iproute-4.11.0-0.el7/misc/nstat.c:707: returned_null: "fdopen" returns null (checked 8 out of 10 times). iproute-4.11.0-0.el7/misc/ifstat.c:703: example_assign: Example 1: Assigning: "fp" = return value from "fdopen(clnt, "w")". iproute-4.11.0-0.el7/misc/ifstat.c:705: example_checked: Example 1 (cont.): "fp" has its value checked in "fp". iproute-4.11.0-0.el7/misc/ifstat.c:944: example_checked: Example 2: "fdopen(fd, "r+")" has its value checked in "(hist_fp = fdopen(fd, "r+")) == NULL". iproute-4.11.0-0.el7/misc/nstat.c:287: example_assign: Example 3: Assigning: "fp" = return value from "fdopen(net_netstat_open(), "r")". iproute-4.11.0-0.el7/misc/nstat.c:289: example_checked: Example 3 (cont.): "fp" has its value checked in "fp". iproute-4.11.0-0.el7/misc/nstat.c:257: example_assign: Example 4: Assigning: "fp" = return value from "fdopen(net_sctp_snmp_open(), "r")". iproute-4.11.0-0.el7/misc/nstat.c:259: example_checked: Example 4 (cont.): "fp" has its value checked in "fp". iproute-4.11.0-0.el7/misc/nstat.c:267: example_assign: Example 5: Assigning: "fp" = return value from "fdopen(net_snmp_open(), "r")". iproute-4.11.0-0.el7/misc/nstat.c:269: example_checked: Example 5 (cont.): "fp" has its value checked in "fp". iproute-4.11.0-0.el7/misc/nstat.c:707: var_assigned: Assigning: "sfp" = null return value from "fdopen". iproute-4.11.0-0.el7/misc/nstat.c:709: dereference: Dereferencing a pointer that might be null "sfp" when calling "load_good_table". iproute-4.11.0-0.el7/misc/nstat.c:130:2: deref_parm_in_call: Function "fgets" dereferences "fp". [Note: The source code implementation of the function has been overridden by a builtin model.] # 128| struct nstat_ent *n; # 129| # 130|-> while (fgets(buf, sizeof(buf), fp) != NULL) { # 131| int nr; # 132| unsigned long long val; Error: CLANG_WARNING: iproute-4.11.0-0.el7/misc/nstat.c:141:32: warning: Potential buffer overflow. Replace with 'sizeof(info_source) - strlen(info_source) - 1' or use a safer 'strlcat' API # strncat(info_source, buf+1, sizeof(info_source)-1); # ^~~~~~~~~~~~~~~~~~~~~ /usr/include/bits/string2.h:784:63: note: expanded from macro 'strncat' ## define strncat(dest, src, n) __builtin_strncat (dest, src, n) # ^ iproute-4.11.0-0.el7/misc/nstat.c:141:32: note: Potential buffer overflow. Replace with 'sizeof(info_source) - strlen(info_source) - 1' or use a safer 'strlcat' API # strncat(info_source, buf+1, sizeof(info_source)-1); # ^~~~~~~~~~~~~~~~~~~~~ /usr/include/bits/string2.h:784:63: note: expanded from macro 'strncat' ## define strncat(dest, src, n) __builtin_strncat (dest, src, n) # ^ # 139| source_mismatch = 1; # 140| info_source[0] = 0; # 141|-> strncat(info_source, buf+1, sizeof(info_source)-1); # 142| continue; # 143| } Error: CLANG_WARNING: iproute-4.11.0-0.el7/misc/nstat.c:197:23: warning: Potential buffer overflow. Replace with 'sizeof(idbuf) - strlen(idbuf) - 1' or use a safer 'strlcat' API # strncat(idbuf, buf, sizeof(idbuf) - 1); # ^~~~~~~~~~~~~~~~~ /usr/include/bits/string2.h:784:63: note: expanded from macro 'strncat' ## define strncat(dest, src, n) __builtin_strncat (dest, src, n) # ^ iproute-4.11.0-0.el7/misc/nstat.c:197:23: note: Potential buffer overflow. Replace with 'sizeof(idbuf) - strlen(idbuf) - 1' or use a safer 'strlcat' API # strncat(idbuf, buf, sizeof(idbuf) - 1); # ^~~~~~~~~~~~~~~~~ /usr/include/bits/string2.h:784:63: note: expanded from macro 'strncat' ## define strncat(dest, src, n) __builtin_strncat (dest, src, n) # ^ # 195| *p = 0; # 196| idbuf[0] = 0; # 197|-> strncat(idbuf, buf, sizeof(idbuf) - 1); # 198| off = p - buf; # 199| p += 2; Error: FORWARD_NULL (CWE-476): iproute-4.11.0-0.el7/misc/nstat.c:206: var_compare_op: Comparing "next" to null implies that "next" might be null. iproute-4.11.0-0.el7/misc/nstat.c:219: alias_transfer: Assigning: "p" = "next". iproute-4.11.0-0.el7/misc/nstat.c:201: var_deref_op: Dereferencing null pointer "p". # 199| p += 2; # 200| # 201|-> while (*p) { # 202| char *next; # 203| Error: CLANG_WARNING: iproute-4.11.0-0.el7/misc/nstat.c:201:10: warning: Dereference of null pointer (loaded from variable 'p') # while (*p) { # ^~ iproute-4.11.0-0.el7/misc/nstat.c:185:2: note: Loop condition is true. Entering loop body # while (fgets(buf, sizeof(buf), fp) != NULL) { # ^ iproute-4.11.0-0.el7/misc/nstat.c:192:7: note: Assuming 'p' is non-null # if (!p) # ^~ iproute-4.11.0-0.el7/misc/nstat.c:192:3: note: Taking false branch # if (!p) # ^ iproute-4.11.0-0.el7/misc/nstat.c:201:3: note: Loop condition is false. Execution continues on line 221 # while (*p) { # ^ iproute-4.11.0-0.el7/misc/nstat.c:222:3: note: Taking false branch # if (fgets(buf, sizeof(buf), fp) == NULL) # ^ iproute-4.11.0-0.el7/misc/nstat.c:225:7: note: Assuming 'count2' is > 'count1' # if (count2 > count1) # ^~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/nstat.c:225:3: note: Taking true branch # if (count2 > count1) # ^ iproute-4.11.0-0.el7/misc/nstat.c:229:8: note: Assuming 'p' is non-null # if (!p) # ^~ iproute-4.11.0-0.el7/misc/nstat.c:229:4: note: Taking false branch # if (!p) # ^ iproute-4.11.0-0.el7/misc/nstat.c:232:4: note: Taking false branch # if (sscanf(p+1, "%llu", &n->val) != 1) # ^ iproute-4.11.0-0.el7/misc/nstat.c:235:4: note: Taking true branch # if (skip) # ^ iproute-4.11.0-0.el7/misc/nstat.c:227:3: note: Loop condition is false. Exiting loop # do { # ^ iproute-4.11.0-0.el7/misc/nstat.c:185:2: note: Loop condition is true. Entering loop body # while (fgets(buf, sizeof(buf), fp) != NULL) { # ^ iproute-4.11.0-0.el7/misc/nstat.c:192:7: note: Assuming 'p' is non-null # if (!p) # ^~ iproute-4.11.0-0.el7/misc/nstat.c:192:3: note: Taking false branch # if (!p) # ^ iproute-4.11.0-0.el7/misc/nstat.c:201:3: note: Loop condition is true. Entering loop body # while (*p) { # ^ iproute-4.11.0-0.el7/misc/nstat.c:204:4: note: Taking false branch # if ((next = strchr(p, ' ')) != NULL) # ^ iproute-4.11.0-0.el7/misc/nstat.c:206:14: note: Value assigned to 'next' # else if ((next = strchr(p, '\n')) != NULL) # ^~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/nstat.c:206:13: note: Assuming pointer value is null # else if ((next = strchr(p, '\n')) != NULL) # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/nstat.c:206:9: note: Taking false branch # else if ((next = strchr(p, '\n')) != NULL) # ^ iproute-4.11.0-0.el7/misc/nstat.c:208:4: note: Taking false branch # if (off < sizeof(idbuf)) { # ^ iproute-4.11.0-0.el7/misc/nstat.c:213:8: note: Assuming 'n' is non-null # if (!n) # ^~ iproute-4.11.0-0.el7/misc/nstat.c:213:4: note: Taking false branch # if (!n) # ^ iproute-4.11.0-0.el7/misc/nstat.c:219:4: note: Null pointer value stored to 'p' # p = next; # ^~~~~~~~ iproute-4.11.0-0.el7/misc/nstat.c:201:10: note: Dereference of null pointer (loaded from variable 'p') # while (*p) { # ^~ # 199| p += 2; # 200| # 201|-> while (*p) { # 202| char *next; # 203| Error: CLANG_WARNING: iproute-4.11.0-0.el7/misc/nstat.c:238:9: warning: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'n') # n = n->next; # ^ iproute-4.11.0-0.el7/misc/nstat.c:182:2: note: 'db' initialized to a null pointer value # struct nstat_ent *db = NULL; # ^~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/nstat.c:185:2: note: Loop condition is true. Entering loop body # while (fgets(buf, sizeof(buf), fp) != NULL) { # ^ iproute-4.11.0-0.el7/misc/nstat.c:192:7: note: Assuming 'p' is non-null # if (!p) # ^~ iproute-4.11.0-0.el7/misc/nstat.c:192:3: note: Taking false branch # if (!p) # ^ iproute-4.11.0-0.el7/misc/nstat.c:201:3: note: Loop condition is false. Execution continues on line 221 # while (*p) { # ^ iproute-4.11.0-0.el7/misc/nstat.c:221:3: note: Null pointer value stored to 'n' # n = db; # ^~~~~~ iproute-4.11.0-0.el7/misc/nstat.c:222:3: note: Taking false branch # if (fgets(buf, sizeof(buf), fp) == NULL) # ^ iproute-4.11.0-0.el7/misc/nstat.c:225:7: note: Assuming 'count2' is <= 'count1' # if (count2 > count1) # ^~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/nstat.c:225:3: note: Taking false branch # if (count2 > count1) # ^ iproute-4.11.0-0.el7/misc/nstat.c:229:8: note: Assuming 'p' is non-null # if (!p) # ^~ iproute-4.11.0-0.el7/misc/nstat.c:229:4: note: Taking false branch # if (!p) # ^ iproute-4.11.0-0.el7/misc/nstat.c:232:4: note: Taking false branch # if (sscanf(p+1, "%llu", &n->val) != 1) # ^ iproute-4.11.0-0.el7/misc/nstat.c:235:4: note: Taking false branch # if (skip) # ^ iproute-4.11.0-0.el7/misc/nstat.c:238:9: note: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'n') # n = n->next; # ^ # 236| skip--; # 237| else # 238|-> n = n->next; # 239| } while (p > buf + off + 2); # 240| } Error: NEGATIVE_RETURNS (CWE-394): iproute-4.11.0-0.el7/misc/nstat.c:257: negative_return_fn: Function "net_sctp_snmp_open()" returns a negative number. iproute-4.11.0-0.el7/misc/nstat.c:81:2: negative_return: Calling "generic_proc_open", which might return a negative value. iproute-4.11.0-0.el7/misc/nstat.c:61:2: negative_return: Calling "open", which might return a negative value. [Note: The source code implementation of the function has been overridden by a user model.] iproute-4.11.0-0.el7/misc/nstat.c:61:2: return_negative_fn: Returning the return value of "open", which might be negative. iproute-4.11.0-0.el7/misc/nstat.c:81:2: return_negative_fn: Returning the return value of "generic_proc_open", which might be negative. iproute-4.11.0-0.el7/misc/nstat.c:257: negative_returns: "net_sctp_snmp_open()" is passed to a parameter that cannot be negative. # 255| static void load_sctp_snmp(void) # 256| { # 257|-> FILE *fp = fdopen(net_sctp_snmp_open(), "r"); # 258| # 259| if (fp) { Error: NEGATIVE_RETURNS (CWE-394): iproute-4.11.0-0.el7/misc/nstat.c:267: negative_return_fn: Function "net_snmp_open()" returns a negative number. iproute-4.11.0-0.el7/misc/nstat.c:71:2: negative_return: Calling "generic_proc_open", which might return a negative value. iproute-4.11.0-0.el7/misc/nstat.c:61:2: negative_return: Calling "open", which might return a negative value. [Note: The source code implementation of the function has been overridden by a user model.] iproute-4.11.0-0.el7/misc/nstat.c:61:2: return_negative_fn: Returning the return value of "open", which might be negative. iproute-4.11.0-0.el7/misc/nstat.c:71:2: return_negative_fn: Returning the return value of "generic_proc_open", which might be negative. iproute-4.11.0-0.el7/misc/nstat.c:267: negative_returns: "net_snmp_open()" is passed to a parameter that cannot be negative. # 265| static void load_snmp(void) # 266| { # 267|-> FILE *fp = fdopen(net_snmp_open(), "r"); # 268| # 269| if (fp) { Error: NEGATIVE_RETURNS (CWE-394): iproute-4.11.0-0.el7/misc/nstat.c:277: negative_return_fn: Function "net_snmp6_open()" returns a negative number. iproute-4.11.0-0.el7/misc/nstat.c:76:2: negative_return: Calling "generic_proc_open", which might return a negative value. iproute-4.11.0-0.el7/misc/nstat.c:61:2: negative_return: Calling "open", which might return a negative value. [Note: The source code implementation of the function has been overridden by a user model.] iproute-4.11.0-0.el7/misc/nstat.c:61:2: return_negative_fn: Returning the return value of "open", which might be negative. iproute-4.11.0-0.el7/misc/nstat.c:76:2: return_negative_fn: Returning the return value of "generic_proc_open", which might be negative. iproute-4.11.0-0.el7/misc/nstat.c:277: negative_returns: "net_snmp6_open()" is passed to a parameter that cannot be negative. # 275| static void load_snmp6(void) # 276| { # 277|-> FILE *fp = fdopen(net_snmp6_open(), "r"); # 278| # 279| if (fp) { Error: NEGATIVE_RETURNS (CWE-394): iproute-4.11.0-0.el7/misc/nstat.c:287: negative_return_fn: Function "net_netstat_open()" returns a negative number. iproute-4.11.0-0.el7/misc/nstat.c:66:2: negative_return: Calling "generic_proc_open", which might return a negative value. iproute-4.11.0-0.el7/misc/nstat.c:61:2: negative_return: Calling "open", which might return a negative value. [Note: The source code implementation of the function has been overridden by a user model.] iproute-4.11.0-0.el7/misc/nstat.c:61:2: return_negative_fn: Returning the return value of "open", which might be negative. iproute-4.11.0-0.el7/misc/nstat.c:66:2: return_negative_fn: Returning the return value of "generic_proc_open", which might be negative. iproute-4.11.0-0.el7/misc/nstat.c:287: negative_returns: "net_netstat_open()" is passed to a parameter that cannot be negative. # 285| static void load_netstat(void) # 286| { # 287|-> FILE *fp = fdopen(net_netstat_open(), "r"); # 288| # 289| if (fp) { Error: DC.WEAK_CRYPTO: iproute-4.11.0-0.el7/misc/nstat.c:464: dont_call: "random" should not be used for security related applications, as linear congruential algorithms are too easy to break. iproute-4.11.0-0.el7/misc/nstat.c:464: remediation: Use a compliant random number generator, such as "/dev/random" or "/dev/urandom" on Unix-like systems, and "CryptGenRandom" on Windows. # 462| # 463| sprintf(info_source, "%d.%lu sampling_interval=%d time_const=%d", # 464|-> getpid(), (unsigned long)random(), scan_interval/1000, time_constant/1000); # 465| # 466| load_netstat(); Error: DC.WEAK_CRYPTO: iproute-4.11.0-0.el7/misc/rtacct.c:365: dont_call: "random" should not be used for security related applications, as linear congruential algorithms are too easy to break. iproute-4.11.0-0.el7/misc/rtacct.c:365: remediation: Use a compliant random number generator, such as "/dev/random" or "/dev/urandom" on Unix-like systems, and "CryptGenRandom" on Windows. # 363| sprintf(kern_db->signature, # 364| "%u.%lu sampling_interval=%d time_const=%d", # 365|-> (unsigned int) getpid(), (unsigned long)random(), # 366| scan_interval/1000, time_constant/1000); # 367| Error: TOCTOU (CWE-367): iproute-4.11.0-0.el7/misc/ss.c:497: fs_check_call: Calling function "readlink" to perform check on "name". iproute-4.11.0-0.el7/misc/ss.c:476: toctou: Calling function "opendir" that uses "name" after a check function. This can cause a time-of-check, time-of-use race condition. # 474| snprintf(name + nameoff, sizeof(name) - nameoff, "%d/fd/", pid); # 475| pos = strlen(name); # 476|-> if ((dir1 = opendir(name)) == NULL) { # 477| free(pid_context); # 478| continue; Error: CLANG_WARNING: iproute-4.11.0-0.el7/misc/ss.c:1304:15: warning: Call to 'malloc' has an allocation size of 0 bytes # if (!(ptr = malloc(len))) abort(); # ^ ~~~ iproute-4.11.0-0.el7/misc/ss.c:1279:2: note: Control jumps to 'case 1:' at line 1287 # switch (f->type) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1292:16: note: '?' condition is false # int code = (f->type == SSF_DCOND ? INET_DIAG_BC_D_COND : INET_DIAG_BC_S_COND); # ^ iproute-4.11.0-0.el7/misc/ss.c:1293:3: note: 'len' initialized to 0 # int len = 0; # ^~~~~~~ iproute-4.11.0-0.el7/misc/ss.c:1295:3: note: Loop condition is false. Execution continues on line 1304 # for (b = a; b; b = b->next) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1304:15: note: Call to 'malloc' has an allocation size of 0 bytes # if (!(ptr = malloc(len))) abort(); # ^ ~~~ # 1302| len += 4; # 1303| } # 1304|-> if (!(ptr = malloc(len))) abort(); # 1305| *bytecode = ptr; # 1306| for (b = a; b; b = b->next) { Error: REVERSE_INULL (CWE-476): iproute-4.11.0-0.el7/misc/ss.c:1570: deref_ptr_in_call: Dereferencing pointer "addr". iproute-4.11.0-0.el7/misc/ss.c:1680: deref_ptr_in_call: Dereferencing pointer "addr". iproute-4.11.0-0.el7/misc/ss.c:1738: check_after_deref: Null-checking "addr" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. # 1736| } # 1737| } # 1738|-> if (!is_port && addr && *addr && *addr != '*') { # 1739| if (get_prefix_1(&a.addr, addr, fam)) { # 1740| if (get_dns_host(&a, addr, fam)) { Error: CLANG_WARNING: iproute-4.11.0-0.el7/misc/ss.c:1758:9: warning: Potential leak of memory pointed to by 'a.next' # return res; # ^ iproute-4.11.0-0.el7/misc/ss.c:1570:6: note: Assuming 'fam' is not equal to 1 # if (fam == AF_UNIX || strncmp(addr, "unix:", 5) == 0) { # ^~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ss.c:1570:6: note: Left side of '||' is false iproute-4.11.0-0.el7/misc/ss.c:1570:2: note: Taking false branch # if (fam == AF_UNIX || strncmp(addr, "unix:", 5) == 0) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1583:6: note: Assuming 'fam' is not equal to 17 # if (fam == AF_PACKET || strncmp(addr, "link:", 5) == 0) { # ^~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ss.c:1583:6: note: Left side of '||' is false iproute-4.11.0-0.el7/misc/ss.c:1583:2: note: Taking false branch # if (fam == AF_PACKET || strncmp(addr, "link:", 5) == 0) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1610:6: note: Assuming 'fam' is not equal to 16 # if (fam == AF_NETLINK || strncmp(addr, "netlink:", 8) == 0) { # ^~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ss.c:1610:6: note: Left side of '||' is false iproute-4.11.0-0.el7/misc/ss.c:1610:2: note: Taking false branch # if (fam == AF_NETLINK || strncmp(addr, "netlink:", 8) == 0) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1636:6: note: Assuming 'fam' is not equal to 40 # if (fam == AF_VSOCK || strncmp(addr, "vsock:", 6) == 0) { # ^~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ss.c:1636:6: note: Left side of '||' is false iproute-4.11.0-0.el7/misc/ss.c:1636:2: note: Taking false branch # if (fam == AF_VSOCK || strncmp(addr, "vsock:", 6) == 0) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1667:6: note: Assuming 'fam' is not equal to 2 # if (fam == AF_INET || !strncmp(addr, "inet:", 5)) { # ^~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ss.c:1667:6: note: Left side of '||' is false iproute-4.11.0-0.el7/misc/ss.c:1667:2: note: Taking false branch # if (fam == AF_INET || !strncmp(addr, "inet:", 5)) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1671:13: note: Assuming 'fam' is not equal to 10 # } else if (fam == AF_INET6 || !strncmp(addr, "inet6:", 6)) { # ^~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ss.c:1671:13: note: Left side of '||' is false iproute-4.11.0-0.el7/misc/ss.c:1671:9: note: Taking false branch # } else if (fam == AF_INET6 || !strncmp(addr, "inet6:", 6)) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1678:2: note: Taking false branch # if (addr[0] == '[') { # ^ iproute-4.11.0-0.el7/misc/ss.c:1683:9: note: Taking false branch # } else if (addr[0] == '*') { # ^ iproute-4.11.0-0.el7/misc/ss.c:1689:6: note: Assuming 'is_port' is 0 # if (is_port) # ^~~~~~~ iproute-4.11.0-0.el7/misc/ss.c:1689:2: note: Taking false branch # if (is_port) # ^ iproute-4.11.0-0.el7/misc/ss.c:1692:11: note: Left side of '&&' is false # if (port && *port) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1738:6: note: Left side of '&&' is true # if (!is_port && addr && *addr && *addr != '*') { # ^ iproute-4.11.0-0.el7/misc/ss.c:1738:6: note: Left side of '&&' is true iproute-4.11.0-0.el7/misc/ss.c:1738:6: note: Left side of '&&' is true iproute-4.11.0-0.el7/misc/ss.c:1738:2: note: Taking true branch # if (!is_port && addr && *addr && *addr != '*') { # ^ iproute-4.11.0-0.el7/misc/ss.c:1739:3: note: Taking true branch # if (get_prefix_1(&a.addr, addr, fam)) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1740:8: note: Calling 'get_dns_host' # if (get_dns_host(&a, addr, fam)) { # ^~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ss.c:1487:2: note: Taking true branch # if (!notfirst) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1491:28: note: Assuming 'fam' is not equal to 0 # he = gethostbyname2(addr, fam == AF_UNSPEC ? AF_INET : fam); # ^~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ss.c:1491:28: note: '?' condition is false iproute-4.11.0-0.el7/misc/ss.c:1492:6: note: Assuming 'he' is non-null # if (he) # ^~ iproute-4.11.0-0.el7/misc/ss.c:1492:2: note: Taking true branch # if (he) # ^ iproute-4.11.0-0.el7/misc/ss.c:1493:9: note: Calling 'remember_he' # cnt = remember_he(a, he); # ^~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ss.c:1453:2: note: Taking true branch # if (he->h_addrtype == AF_INET) # ^ iproute-4.11.0-0.el7/misc/ss.c:1460:2: note: Loop condition is true. Entering loop body # while (*ptr) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1463:3: note: Taking false branch # if (a->addr.bitlen) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1460:2: note: Loop condition is true. Entering loop body # while (*ptr) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1463:3: note: Taking true branch # if (a->addr.bitlen) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1464:13: note: Memory is allocated # if ((b = malloc(sizeof(*b))) == NULL) # ^~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ss.c:1464:4: note: Taking false branch # if ((b = malloc(sizeof(*b))) == NULL) # ^ iproute-4.11.0-0.el7/misc/ss.c:1460:2: note: Loop condition is false. Execution continues on line 1477 # while (*ptr) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1493:9: note: Returned allocated memory # cnt = remember_he(a, he); # ^~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ss.c:1494:2: note: Taking false branch # if (fam == AF_UNSPEC) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1740:8: note: Returned allocated memory # if (get_dns_host(&a, addr, fam)) { # ^~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/misc/ss.c:1740:4: note: Taking false branch # if (get_dns_host(&a, addr, fam)) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1748:2: note: Taking true branch # if (fam != AF_UNSPEC) { # ^ iproute-4.11.0-0.el7/misc/ss.c:1756:6: note: Assuming 'res' is null # if (res) # ^~~ iproute-4.11.0-0.el7/misc/ss.c:1756:2: note: Taking false branch # if (res) # ^ iproute-4.11.0-0.el7/misc/ss.c:1758:9: note: Potential leak of memory pointed to by 'a.next' # return res; # ^ # 1756| if (res) # 1757| memcpy(res, &a, sizeof(a)); # 1758|-> return res; # 1759| } # 1760| Error: UNINIT (CWE-457): iproute-4.11.0-0.el7/misc/ss.c:1763: var_decl: Declaring variable "a" without initializer. iproute-4.11.0-0.el7/misc/ss.c:1776: uninit_use_in_call: Using uninitialized value "a". Field "a.port" is uninitialized when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.] # 1774| res = malloc(sizeof(*res)); # 1775| if (res) # 1776|-> memcpy(res, &a, sizeof(a)); # 1777| return res; # 1778| } Error: TAINTED_SCALAR (CWE-20): iproute-4.11.0-0.el7/misc/ss.c:2776: tainted_data_argument: Calling function "fread" taints argument "h". [Note: The source code implementation of the function has been overridden by a builtin model.] iproute-4.11.0-0.el7/misc/ss.c:2809: tainted_data: Passing tainted variable "h" to a tainted sink. iproute-4.11.0-0.el7/misc/ss.c:2460:26: var_assign_alias: Assigning: "r" = "(void *)((char *)nlh + 16)". Both are now tainted. iproute-4.11.0-0.el7/misc/ss.c:2473:3: var_assign_alias: Assigning: "t.timer" = "r->idiag_timer". Both are now tainted. iproute-4.11.0-0.el7/misc/ss.c:2479:4: data_index: Passing tainted variable "t.timer" to a tainted data index sink. iproute-4.11.0-0.el7/misc/ss.c:2072:3: upper_bounds: Checking upper bounds of signed scalar "s->timer" by "s->timer > 4". iproute-4.11.0-0.el7/misc/ss.c:2074:3: data_index: Using tainted variable "s->timer" as an index to array "tmr_name". # 2072| if (s->timer > 4) # 2073| s->timer = 5; # 2074|-> printf(" timer:(%s,%s,%d)", # 2075| tmr_name[s->timer], # 2076| print_ms_timer(s->timeout), Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/misc/ss.c:2756: alloc_fn: Storage is returned from allocation function "fopen". iproute-4.11.0-0.el7/misc/ss.c:2756: var_assign: Assigning: "fp" = storage returned from "fopen(getenv("TCPDIAG_FILE"), "r")". iproute-4.11.0-0.el7/misc/ss.c:2766: noescape: Resource "fp" is not freed or pointed-to in "fread". [Note: The source code implementation of the function has been overridden by a builtin model.] iproute-4.11.0-0.el7/misc/ss.c:2773: leaked_storage: Variable "fp" going out of scope leaks the storage it points to. # 2771| if (status != sizeof(*h)) { # 2772| perror("Unexpected EOF reading $TCPDIAG_FILE"); # 2773|-> return -1; # 2774| } # 2775| Error: TAINTED_SCALAR (CWE-20): iproute-4.11.0-0.el7/misc/ss.c:3205: tainted_data_argument: Calling function "fgets" taints argument "buf". [Note: The source code implementation of the function has been overridden by a builtin model.] iproute-4.11.0-0.el7/misc/ss.c:3212: vararg_transitive: Call to "sscanf" with tainted argument "buf" taints "u->rport". iproute-4.11.0-0.el7/misc/ss.c:3212: vararg_transitive: Call to "sscanf" with tainted argument "buf" taints "u->rq". iproute-4.11.0-0.el7/misc/ss.c:3212: vararg_transitive: Call to "sscanf" with tainted argument "buf" taints "u->wq". iproute-4.11.0-0.el7/misc/ss.c:3212: vararg_transitive: Call to "sscanf" with tainted argument "buf" taints "flags". iproute-4.11.0-0.el7/misc/ss.c:3212: vararg_transitive: Call to "sscanf" with tainted argument "buf" taints "u->type". iproute-4.11.0-0.el7/misc/ss.c:3212: vararg_transitive: Call to "sscanf" with tainted argument "buf" taints "u->state". iproute-4.11.0-0.el7/misc/ss.c:3223: tainted_data: Using tainted variable "u->state - 1" as an index into an array "unix_state_map". # 3221| u->state = SS_LISTEN; # 3222| } else { # 3223|-> u->state = unix_state_map[u->state-1]; # 3224| if (u->type == SOCK_DGRAM && u->state == SS_CLOSE && u->rport) # 3225| u->state = SS_ESTABLISHED; Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/misc/ss.c:3209: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/misc/ss.c:3209: var_assign: Assigning: "u" = storage returned from "calloc(1UL, 168UL)". iproute-4.11.0-0.el7/misc/ss.c:3227: noescape: Resource "u" is not freed or pointed-to in "unix_type_skip". iproute-4.11.0-0.el7/misc/ss.c:3052:45: noescape: "unix_type_skip(struct sockstat *, struct filter *)" does not free or save its parameter "s". iproute-4.11.0-0.el7/misc/ss.c:3242: leaked_storage: Variable "u" going out of scope leaks the storage it points to. # 3240| u->name = strdup(name); # 3241| if (!u->name) # 3242|-> break; # 3243| } # 3244| Error: UNINIT (CWE-457): iproute-4.11.0-0.el7/misc/ss.c:3549: var_decl: Declaring variable "st" without initializer. iproute-4.11.0-0.el7/misc/ss.c:3564: uninit_use_in_call: Using uninitialized value "st.iface" when calling "run_ssfilter". iproute-4.11.0-0.el7/misc/ss.c:1242:3: read_parm_fld: Reading a parameter field. # 3562| st.lport = pid; # 3563| st.local.data[0] = prot; # 3564|-> if (run_ssfilter(f->f, &st) == 0) # 3565| return 1; # 3566| } Error: UNINIT (CWE-457): iproute-4.11.0-0.el7/misc/ss.c:3549: var_decl: Declaring variable "st" without initializer. iproute-4.11.0-0.el7/misc/ss.c:3564: uninit_use_in_call: Using uninitialized value "st.mark" when calling "run_ssfilter". iproute-4.11.0-0.el7/misc/ss.c:1248:3: read_parm_fld: Reading a parameter field. # 3562| st.lport = pid; # 3563| st.local.data[0] = prot; # 3564|-> if (run_ssfilter(f->f, &st) == 0) # 3565| return 1; # 3566| } Error: UNINIT (CWE-457): iproute-4.11.0-0.el7/misc/ss.c:3549: var_decl: Declaring variable "st" without initializer. iproute-4.11.0-0.el7/misc/ss.c:3568: uninit_use_in_call: Using uninitialized value "st.type" when calling "sock_state_print". iproute-4.11.0-0.el7/misc/ss.c:845:3: read_parm_fld: Reading a parameter field. # 3566| } # 3567| # 3568|-> sock_state_print(&st); # 3569| # 3570| if (resolve_services) Error: FORWARD_NULL (CWE-476): iproute-4.11.0-0.el7/misc/ss.c:3821: assign_zero: Assigning: "inet_arg.rth" = "NULL". iproute-4.11.0-0.el7/misc/ss.c:3826: var_deref_model: Passing "&inet_arg" to "show_one_inet_sock", which dereferences null "inet_arg.rth". iproute-4.11.0-0.el7/misc/ss.c:2688:2: deref_parm_in_call: Function "kill_inet_sock" dereferences "arg->rth". iproute-4.11.0-0.el7/misc/ss.c:2649:33: var_assign_parm: Assigning: "diag_arg" = "arg". iproute-4.11.0-0.el7/misc/ss.c:2650:26: var_assign_parm: Assigning: "rth" = "diag_arg->rth". iproute-4.11.0-0.el7/misc/ss.c:2656:2: deref_var: Dereferencing "rth" (which is a copy of "arg->rth"). # 3824| case AF_INET: # 3825| case AF_INET6: # 3826|-> return show_one_inet_sock(addr, nlh, &inet_arg); # 3827| case AF_UNIX: # 3828| return unix_show_sock(addr, nlh, arg); Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/misc/ssfilter.c:1151: alloc_fn: Storage is returned from allocation function "malloc". iproute-4.11.0-0.el7/misc/ssfilter.c:1151: var_assign: Assigning: "yyptr" = storage returned from "malloc(yystacksize * 10UL + 7UL)". iproute-4.11.0-0.el7/misc/ssfilter.c:1160: leaked_storage: Variable "yyptr" going out of scope leaks the storage it points to. # 1158| if (yyss1 != yyssa) # 1159| YYSTACK_FREE (yyss1); # 1160|-> } # 1161| # endif # 1162| #endif /* no yyoverflow */ Error: ARRAY_VS_SINGLETON (CWE-119): iproute-4.11.0-0.el7/misc/ssfilter.c:1155: address_of: Taking address with "&yyptr->yyss_alloc" yields a singleton pointer. iproute-4.11.0-0.el7/misc/ssfilter.c:1155: assign: Assigning: "yyss" = "&yyptr->yyss_alloc". iproute-4.11.0-0.el7/misc/ssfilter.c:1164: ptr_arith: Using "yyss" as an array. This might corrupt or misinterpret adjacent memory locations. # 1162| #endif /* no yyoverflow */ # 1163| # 1164|-> yyssp = yyss + yysize - 1; # 1165| yyvsp = yyvs + yysize - 1; # 1166| Error: CHECKED_RETURN (CWE-252): iproute-4.11.0-0.el7/netem/maketable.c:27: check_return: Calling "fstat(fileno(fp), &info)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.] # 25| int n=0, i; # 26| # 27|-> fstat(fileno(fp), &info); # 28| if (info.st_size > 0) { # 29| limit = 2*info.st_size/sizeof(double); /* @@ approximate */ Error: CHECKED_RETURN (CWE-252): iproute-4.11.0-0.el7/netem/maketable.c:41: check_return: Calling "fscanf(fp, "%lf", &x[i])" without checking return value. This library function may fail and return an error code. # 39| # 40| for (i=0; i fscanf(fp, "%lf", &x[i]); # 42| if (feof(fp)) # 43| break; Error: CPPCHECK_WARNING (CWE-401): iproute-4.11.0-0.el7/netem/maketable.c:233: error[memleak]: Memory leak: table # 231| interpolatetable(inverse, TABLESIZE); # 232| printtable(inverse, TABLESIZE); # 233|-> return 0; # 234| } Error: CLANG_WARNING: iproute-4.11.0-0.el7/netem/normal.c:39:34: warning: The left operand of '*' is a garbage value # int value = (int) rint(table[i]*TABLEFACTOR); # ~~~~~~~~^ iproute-4.11.0-0.el7/netem/normal.c:31:2: note: Loop condition is false. Execution continues on line 37 # for (x = -10.0; x < 10.05; x += .00005) { # ^ iproute-4.11.0-0.el7/netem/normal.c:38:2: note: Loop condition is true. Entering loop body # for (i = n = 0; i < TABLESIZE; i += 4) { # ^ iproute-4.11.0-0.el7/netem/normal.c:39:34: note: The left operand of '*' is a garbage value # int value = (int) rint(table[i]*TABLEFACTOR); # ~~~~~~~~^ # 37| printf("# This is the distribution table for the normal distribution.\n"); # 38| for (i = n = 0; i < TABLESIZE; i += 4) { # 39|-> int value = (int) rint(table[i]*TABLEFACTOR); # 40| if (value < SHRT_MIN) value = SHRT_MIN; # 41| if (value > SHRT_MAX) value = SHRT_MAX; Error: CLANG_WARNING: iproute-4.11.0-0.el7/netem/paretonormal.c:67:34: warning: The left operand of '*' is a garbage value # normvalue = (int) rint(table[i]*TABLEFACTOR); # ~~~~~~~~^ iproute-4.11.0-0.el7/netem/paretonormal.c:56:2: note: Loop condition is false. Execution continues on line 60 # for (x = -10.0; x < 10.05; x += .00005) { # ^ iproute-4.11.0-0.el7/netem/paretonormal.c:64:2: note: Loop condition is true. Entering loop body # for (i = n = 0; i < TABLESIZE; i += 4) { # ^ iproute-4.11.0-0.el7/netem/paretonormal.c:67:34: note: The left operand of '*' is a garbage value # normvalue = (int) rint(table[i]*TABLEFACTOR); # ~~~~~~~~^ # 65| int normvalue, parvalue, value; # 66| # 67|-> normvalue = (int) rint(table[i]*TABLEFACTOR); # 68| parvalue = paretovalue(i); # 69| Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/e_bpf.c:124: start: Starting defect path here. iproute-4.11.0-0.el7/tc/e_bpf.c:133: alloc_fn: Storage is returned from allocation function "malloc". iproute-4.11.0-0.el7/tc/e_bpf.c:133: var_assign: Assigning: "envp_run" = storage returned from "malloc(8UL * env_num)". iproute-4.11.0-0.el7/tc/e_bpf.c:160: noescape: Resource "envp_run" is not freed or pointed-to in "execvpe". iproute-4.11.0-0.el7/tc/e_bpf.c:160: leaked_storage: Variable "envp_run" going out of scope leaks the storage it points to. # 158| envp_run[env_num - 1] = NULL; # 159| out: # 160|-> return execvpe(argv_run[0], argv_run, envp_run); # 161| # 162| err_free_env: Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/em_ipset.c:74: open_fn: Returning handle opened by "socket". iproute-4.11.0-0.el7/tc/em_ipset.c:74: var_assign: Assigning: "sockfd" = handle returned from "socket(2, SOCK_RAW, IPPROTO_RAW)". iproute-4.11.0-0.el7/tc/em_ipset.c:84: noescape: Resource "sockfd" is not freed or pointed-to in "getsockopt". iproute-4.11.0-0.el7/tc/em_ipset.c:87: leaked_handle: Handle variable "sockfd" going out of scope leaks the handle. # 85| if (res != 0) { # 86| perror("xt_set getsockopt"); # 87|-> return -1; # 88| } # 89| Error: CLANG_WARNING: iproute-4.11.0-0.el7/tc/em_meta.c:163:32: warning: Access to field 'data' results in a dereference of a null pointer (loaded from variable 'a') # addattr_l(n, MAX_MSG, tlv, a->data, a->len); # ^ iproute-4.11.0-0.el7/tc/em_meta.c:365:16: note: 'lvalue' initialized to 0 # unsigned long lvalue = 0, rvalue = 0; # ^~~~~~ iproute-4.11.0-0.el7/tc/em_meta.c:367:6: note: Assuming 'args' is not equal to null # if (args == NULL) # ^~~~~~~~~~~~ iproute-4.11.0-0.el7/tc/em_meta.c:367:2: note: Taking false branch # if (args == NULL) # ^ iproute-4.11.0-0.el7/tc/em_meta.c:370:2: note: Taking false branch # if (!bstrcmp(args, "list")) { # ^ iproute-4.11.0-0.el7/tc/em_meta.c:375:6: note: Calling 'parse_object' # a = parse_object(args, args, &meta_hdr.left, &lvalue, NULL); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tc/em_meta.c:257:2: note: Taking false branch # if (arg->quoted) { # ^ iproute-4.11.0-0.el7/tc/em_meta.c:265:2: note: Taking false branch # if (num != ULONG_MAX) { # ^ iproute-4.11.0-0.el7/tc/em_meta.c:274:6: note: Assuming 'entry' is not equal to null # if (entry == NULL) { # ^~~~~~~~~~~~~ iproute-4.11.0-0.el7/tc/em_meta.c:274:2: note: Taking false branch # if (entry == NULL) { # ^ iproute-4.11.0-0.el7/tc/em_meta.c:279:27: note: Calling 'map_type' # obj->kind = entry->id | (map_type(entry->mask[0]) << 12); # ^~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tc/em_meta.c:116:2: note: 'Default' branch taken. Execution continues on line 121 # switch (k) { # ^ iproute-4.11.0-0.el7/tc/em_meta.c:279:27: note: Returning from 'map_type' # obj->kind = entry->id | (map_type(entry->mask[0]) << 12); # ^~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tc/em_meta.c:281:2: note: Taking false branch # if (left) { # ^ iproute-4.11.0-0.el7/tc/em_meta.c:310:6: note: Calling 'bstr_next' # a = bstr_next(arg); # ^~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tc/em_meta.c:310:6: note: Returning from 'bstr_next' # a = bstr_next(arg); # ^~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tc/em_meta.c:312:2: note: Loop condition is true. Entering loop body # while (a) { # ^ iproute-4.11.0-0.el7/tc/em_meta.c:313:3: note: Taking false branch # if (!bstrcmp(a, "shift")) { # ^ iproute-4.11.0-0.el7/tc/em_meta.c:331:10: note: Taking false branch # } else if (!bstrcmp(a, "mask")) { # ^ iproute-4.11.0-0.el7/tc/em_meta.c:349:4: note: Execution continues on line 352 # break; # ^ iproute-4.11.0-0.el7/tc/em_meta.c:375:6: note: Returning from 'parse_object' # a = parse_object(args, args, &meta_hdr.left, &lvalue, NULL); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tc/em_meta.c:376:2: note: Taking false branch # if (a == PARSE_FAILURE) # ^ iproute-4.11.0-0.el7/tc/em_meta.c:378:7: note: Taking false branch # else if (a == NULL) # ^ iproute-4.11.0-0.el7/tc/em_meta.c:381:2: note: Taking false branch # if (!bstrcmp(a, "eq")) # ^ iproute-4.11.0-0.el7/tc/em_meta.c:383:7: note: Taking false branch # else if (!bstrcmp(a, "gt")) # ^ iproute-4.11.0-0.el7/tc/em_meta.c:385:7: note: Taking true branch # else if (!bstrcmp(a, "lt")) # ^ iproute-4.11.0-0.el7/tc/em_meta.c:392:2: note: Taking false branch # if (a->next == NULL) # ^ iproute-4.11.0-0.el7/tc/em_meta.c:397:2: note: Taking false branch # if (a == PARSE_FAILURE) # ^ iproute-4.11.0-0.el7/tc/em_meta.c:399:11: note: Assuming 'a' is equal to null # else if (a != NULL) # ^~~~~~~~~ iproute-4.11.0-0.el7/tc/em_meta.c:399:7: note: Taking false branch # else if (a != NULL) # ^ iproute-4.11.0-0.el7/tc/em_meta.c:407:36: note: Passing the value 0 via 3rd parameter 'val' # dump_value(n, TCA_EM_META_LVALUE, lvalue, &meta_hdr.left); # ^~~~~~ iproute-4.11.0-0.el7/tc/em_meta.c:407:2: note: Calling 'dump_value' # dump_value(n, TCA_EM_META_LVALUE, lvalue, &meta_hdr.left); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tc/em_meta.c:153:2: note: Control jumps to 'case TCF_META_TYPE_VAR:' at line 159 # switch (TCF_META_TYPE(hdr->kind)) { # ^ iproute-4.11.0-0.el7/tc/em_meta.c:160:4: note: Taking true branch # if (TCF_META_ID(hdr->kind) == TCF_META_ID_VALUE) { # ^ iproute-4.11.0-0.el7/tc/em_meta.c:161:5: note: 'a' initialized to a null pointer value # struct bstr *a = (struct bstr *) val; # ^~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tc/em_meta.c:163:32: note: Access to field 'data' results in a dereference of a null pointer (loaded from variable 'a') # addattr_l(n, MAX_MSG, tlv, a->data, a->len); # ^ # 161| struct bstr *a = (struct bstr *) val; # 162| # 163|-> addattr_l(n, MAX_MSG, tlv, a->data, a->len); # 164| } # 165| break; Error: CPPCHECK_WARNING (CWE-401): iproute-4.11.0-0.el7/tc/emp_ematch.l:46: error[memleakOnRealloc]: Common realloc mistake: 'strbuf' nulled but not freed upon failure # 44| { # 45| strbuf_size += 512; # 46|-> strbuf = realloc(strbuf, strbuf_size); # 47| } # 48| Error: FORWARD_NULL (CWE-476): iproute-4.11.0-0.el7/tc/emp_ematch.lex.c:788: var_compare_op: Comparing "yy_buffer_stack" to null implies that "yy_buffer_stack" might be null. iproute-4.11.0-0.el7/tc/emp_ematch.lex.c:790: var_deref_op: Dereferencing null pointer "yy_buffer_stack". Error: FORWARD_NULL (CWE-476): iproute-4.11.0-0.el7/tc/emp_ematch.lex.c:1456: var_compare_op: Comparing "yy_buffer_stack" to null implies that "yy_buffer_stack" might be null. iproute-4.11.0-0.el7/tc/emp_ematch.lex.c:1458: var_deref_op: Dereferencing null pointer "yy_buffer_stack". Error: FORWARD_NULL (CWE-476): iproute-4.11.0-0.el7/tc/emp_ematch.lex.c:1482: var_compare_op: Comparing "yy_buffer_stack" to null implies that "yy_buffer_stack" might be null. iproute-4.11.0-0.el7/tc/emp_ematch.lex.c:1490: var_deref_op: Dereferencing null pointer "yy_buffer_stack". Error: CPPCHECK_WARNING (CWE-843): iproute-4.11.0-0.el7/tc/emp_ematch.lex.c:1569: warning[nullPointer]: Possible null pointer dereference: b Error: CPPCHECK_WARNING (CWE-843): iproute-4.11.0-0.el7/tc/emp_ematch.lex.c:1570: warning[nullPointer]: Possible null pointer dereference: b Error: CPPCHECK_WARNING (CWE-843): iproute-4.11.0-0.el7/tc/emp_ematch.lex.c:1581: warning[nullPointer]: Possible null pointer dereference: b Error: FORWARD_NULL (CWE-476): iproute-4.11.0-0.el7/tc/emp_ematch.lex.c:1636: var_compare_op: Comparing "yy_buffer_stack" to null implies that "yy_buffer_stack" might be null. iproute-4.11.0-0.el7/tc/emp_ematch.lex.c:1638: var_deref_op: Dereferencing null pointer "yy_buffer_stack". Error: FORWARD_NULL (CWE-476): iproute-4.11.0-0.el7/tc/f_u32.c:1108: var_compare_op: Comparing "*argv" to null implies that "*argv" might be null. iproute-4.11.0-0.el7/tc/f_u32.c:1012: var_deref_model: Passing null pointer "*argv" to "matches", which dereferences it. iproute-4.11.0-0.el7/lib/utils.c:701:10: deref_parm_in_call: Function "strlen" dereferences "cmd". # 1010| # 1011| while (argc > 0) { # 1012|-> if (matches(*argv, "match") == 0) { # 1013| NEXT_ARG(); # 1014| if (parse_selector(&argc, &argv, &sel.sel, n)) { Error: TAINTED_STRING (CWE-20): iproute-4.11.0-0.el7/tc/m_action.c:100: tainted_string_return_content: "get_tc_lib" returns tainted string content. iproute-4.11.0-0.el7/tc/tc_util.c:69:2: tainted_string_return_content: Function "getenv" returning tainted string content. iproute-4.11.0-0.el7/tc/tc_util.c:69:2: var_assign: Assigning: "lib_dir" = "getenv("TC_LIB_DIR")", which taints "lib_dir". iproute-4.11.0-0.el7/tc/tc_util.c:73:2: return_tainted_string: Returning tainted string "lib_dir". iproute-4.11.0-0.el7/tc/m_action.c:100: vararg_transitive: Call to "snprintf" with tainted argument "get_tc_lib()" taints "buf". iproute-4.11.0-0.el7/tc/m_action.c:101: tainted_string: Passing tainted string "buf" to "dlopen", which cannot accept tainted data. # 99| # 100| snprintf(buf, sizeof(buf), "%s/m_%s.so", get_tc_lib(), str); # 101|-> dlh = dlopen(buf, RTLD_LAZY | RTLD_GLOBAL); # 102| if (dlh == NULL) { # 103| dlh = aBODY; Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/m_action.c:101: alloc_fn: Storage is returned from allocation function "dlopen". iproute-4.11.0-0.el7/tc/m_action.c:101: var_assign: Assigning: "dlh" = storage returned from "dlopen(buf, 257)". iproute-4.11.0-0.el7/tc/m_action.c:112: noescape: Resource "dlh" is not freed or pointed-to in "dlsym". iproute-4.11.0-0.el7/tc/m_action.c:119: leaked_storage: Variable "dlh" going out of scope leaks the storage it points to. # 117| a->next = action_list; # 118| action_list = a; # 119|-> return a; # 120| # 121| noexist: Error: FORWARD_NULL (CWE-476): iproute-4.11.0-0.el7/tc/m_action.c:227: var_compare_op: Comparing "*argv" to null implies that "*argv" might be null. iproute-4.11.0-0.el7/tc/m_action.c:178: var_deref_model: Passing null pointer "*argv" to "strcmp", which dereferences it. # 176| memset(k, 0, sizeof(k)); # 177| # 178|-> if (strcmp(*argv, "action") == 0) { # 179| argc--; # 180| argv++; Error: OVERRUN (CWE-119): iproute-4.11.0-0.el7/tc/m_action.c:439: assignment: Assigning: "req.n.nlmsg_len" = "20U". iproute-4.11.0-0.el7/tc/m_action.c:450: illegal_address: "(void *)&req.n + (req.n.nlmsg_len + 4U - 1U & 0xfffffffcU)" evaluates to an address that is at byte offset 20 of an array of 16 bytes. # 448| # 449| # 450|-> tail = NLMSG_TAIL(&req.n); # 451| addattr_l(&req.n, MAX_MSG, TCA_ACT_TAB, NULL, 0); # 452| Error: OVERRUN (CWE-119): iproute-4.11.0-0.el7/tc/m_action.c:537: assignment: Assigning: "req.n.nlmsg_len" = "20U". iproute-4.11.0-0.el7/tc/m_action.c:543: illegal_address: "(void *)&req.n + (req.n.nlmsg_len + 4U - 1U & 0xfffffffcU)" evaluates to an address that is at byte offset 20 of an array of 16 bytes. # 541| .t.tca_family = AF_UNSPEC, # 542| }; # 543|-> struct rtattr *tail = NLMSG_TAIL(&req.n); # 544| # 545| argc -= 1; Error: OVERRUN (CWE-119): iproute-4.11.0-0.el7/tc/m_action.c:574: assignment: Assigning: "req.n.nlmsg_len" = "20U". iproute-4.11.0-0.el7/tc/m_action.c:579: illegal_address: "(void *)&req.n + (req.n.nlmsg_len + 4U - 1U & 0xfffffffcU)" evaluates to an address that is at byte offset 20 of an array of 16 bytes. # 577| }; # 578| # 579|-> tail = NLMSG_TAIL(&req.n); # 580| addattr_l(&req.n, MAX_MSG, TCA_ACT_TAB, NULL, 0); # 581| tail2 = NLMSG_TAIL(&req.n); Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/m_ematch.c:142: alloc_fn: Storage is returned from allocation function "dlopen". iproute-4.11.0-0.el7/tc/m_ematch.c:142: var_assign: Assigning: "dlh" = storage returned from "dlopen(buf, 1)". iproute-4.11.0-0.el7/tc/m_ematch.c:153: noescape: Resource "dlh" is not freed or pointed-to in "dlsym". iproute-4.11.0-0.el7/tc/m_ematch.c:155: leaked_storage: Variable "dlh" going out of scope leaks the storage it points to. # 153| e = dlsym(dlh, buf); # 154| if (e == NULL) # 155|-> return NULL; # 156| # 157| e->next = ematch_list; Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/m_ematch.c:142: alloc_fn: Storage is returned from allocation function "dlopen". iproute-4.11.0-0.el7/tc/m_ematch.c:142: var_assign: Assigning: "dlh" = storage returned from "dlopen(buf, 1)". iproute-4.11.0-0.el7/tc/m_ematch.c:153: noescape: Resource "dlh" is not freed or pointed-to in "dlsym". iproute-4.11.0-0.el7/tc/m_ematch.c:160: leaked_storage: Variable "dlh" going out of scope leaks the storage it points to. # 158| ematch_list = e; # 159| # 160|-> return e; # 161| } # 162| Error: DEADCODE (CWE-561): iproute-4.11.0-0.el7/tc/m_gact.c:89: assignment: Assigning: "ok" = "0". iproute-4.11.0-0.el7/tc/m_gact.c:103: incr: Incrementing "ok". The value of "ok" is now 1. iproute-4.11.0-0.el7/tc/m_gact.c:170: incr: Incrementing "ok". The value of "ok" is now 2. iproute-4.11.0-0.el7/tc/m_gact.c:176: between: At condition "ok", the value of "ok" must be between 1 and 2. iproute-4.11.0-0.el7/tc/m_gact.c:176: dead_error_condition: The condition "!ok" cannot be true. iproute-4.11.0-0.el7/tc/m_gact.c:177: dead_error_line: Execution cannot reach this statement: "return -1;". # 175| # 176| if (!ok) # 177|-> return -1; # 178| # 179| tail = NLMSG_TAIL(n); Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/m_pedit.c:91: alloc_fn: Storage is returned from allocation function "dlopen". iproute-4.11.0-0.el7/tc/m_pedit.c:91: var_assign: Assigning: "dlh" = storage returned from "dlopen(buf, 1)". iproute-4.11.0-0.el7/tc/m_pedit.c:102: noescape: Resource "dlh" is not freed or pointed-to in "dlsym". iproute-4.11.0-0.el7/tc/m_pedit.c:109: leaked_storage: Variable "dlh" going out of scope leaks the storage it points to. # 107| p->next = pedit_list; # 108| pedit_list = p; # 109|-> return p; # 110| # 111| noexist: Error: STRING_OVERFLOW (CWE-120): iproute-4.11.0-0.el7/tc/m_xt.c:98: fixed_size_dest: You might overrun the 29-character fixed-size string "target->t->u.user.name" by copying "target->name" without checking the length. iproute-4.11.0-0.el7/tc/m_xt.c:98: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. # 96| target->t = xtables_calloc(1, size); # 97| target->t->u.target_size = size; # 98|-> strcpy(target->t->u.user.name, target->name); # 99| target->t->u.user.revision = target->revision; # 100| Error: BUFFER_SIZE_WARNING (CWE-120): iproute-4.11.0-0.el7/tc/m_xt.c:286: buffer_size_warning: Calling strncpy with a maximum size argument of 16 bytes on destination array "k" of size 16 bytes might leave the destination string unterminated. # 284| size = 1 + strlen(tname); # 285| } # 286|-> strncpy(k, tname, size); # 287| # 288| addattr_l(n, MAX_MSG, TCA_IPT_TABLE, k, size); Error: CHECKED_RETURN (CWE-252): iproute-4.11.0-0.el7/tc/q_gred.c:233: check_return: Calling "get_rate" without checking return value (as is done elsewhere 14 out of 16 times). iproute-4.11.0-0.el7/tc/m_police.c:145: example_checked: Example 1: "get_rate(&p.rate.rate, *argv)" has its value checked in "get_rate(&p.rate.rate, *argv)". iproute-4.11.0-0.el7/tc/q_cbq.c:200: example_checked: Example 2: "get_rate(&r.rate, *argv)" has its value checked in "get_rate(&r.rate, *argv)". iproute-4.11.0-0.el7/tc/q_choke.c:57: example_checked: Example 3: "get_rate(&rate, *argv)" has its value checked in "get_rate(&rate, *argv)". iproute-4.11.0-0.el7/tc/q_fq.c:119: example_checked: Example 4: "get_rate(&maxrate, *argv)" has its value checked in "get_rate(&maxrate, *argv)". iproute-4.11.0-0.el7/tc/q_gred.c:203: example_checked: Example 5: "get_rate(&rate, *argv)" has its value checked in "get_rate(&rate, *argv)". # 231| } # 232| if (!rate) { # 233|-> get_rate(&rate, "10Mbit"); # 234| fprintf(stderr, "GRED: set bandwidth to 10Mbit\n"); # 235| } Error: CPPCHECK_WARNING (CWE-456): iproute-4.11.0-0.el7/tc/q_multiq.c:59: error[uninitvar]: Uninitialized variable: opt # 57| } # 58| # 59|-> addattr_l(n, 1024, TCA_OPTIONS, &opt, sizeof(opt)); # 60| return 0; # 61| } Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:194: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 192| if (get_size(&opt.limit, *argv)) { # 193| explain1("limit"); # 194|-> return -1; # 195| } # 196| } else if (matches(*argv, "latency") == 0 || Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:201: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 199| if (get_ticks(&opt.latency, *argv)) { # 200| explain1("latency"); # 201|-> return -1; # 202| } # 203| Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:208: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 206| if (get_ticks(&opt.jitter, *argv)) { # 207| explain1("latency"); # 208|-> return -1; # 209| } # 210| Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:216: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 214| if (get_percent(&cor.delay_corr, *argv)) { # 215| explain1("latency"); # 216|-> return -1; # 217| } # 218| } Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:224: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 222| if (opt.loss > 0 || loss_type != NETEM_LOSS_UNSPEC) { # 223| explain1("duplicate loss argument\n"); # 224|-> return -1; # 225| } # 226| Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:237: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 235| if (get_percent(&opt.loss, *argv)) { # 236| explain1("loss percent"); # 237|-> return -1; # 238| } # 239| if (NEXT_IS_NUMBER()) { Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:244: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 242| if (get_percent(&cor.loss_corr, *argv)) { # 243| explain1("loss correllation"); # 244|-> return -1; # 245| } # 246| } Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:253: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 251| if (parse_percent(&p13, *argv)) { # 252| explain1("loss p13"); # 253|-> return -1; # 254| } # 255| Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:299: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 297| if (get_percent(&gemodel.p, *argv)) { # 298| explain1("loss gemodel p"); # 299|-> return -1; # 300| } # 301| Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:313: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 311| if (get_percent(&gemodel.r, *argv)) { # 312| explain1("loss gemodel r"); # 313|-> return -1; # 314| } # 315| Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:321: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 319| if (get_percent(&gemodel.h, *argv)) { # 320| explain1("loss gemodel h"); # 321|-> return -1; # 322| } # 323| /* netem option is "1-h" but kernel Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:333: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 331| if (get_percent(&gemodel.k1, *argv)) { # 332| explain1("loss gemodel k"); # 333|-> return -1; # 334| } # 335| } else { Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:338: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 336| fprintf(stderr, "Unknown loss parameter: %s\n", # 337| *argv); # 338|-> return -1; # 339| } # 340| } else if (matches(*argv, "ecn") == 0) { Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:347: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 345| if (get_percent(&reorder.probability, *argv)) { # 346| explain1("reorder"); # 347|-> return -1; # 348| } # 349| if (NEXT_IS_NUMBER()) { Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:354: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 352| if (get_percent(&reorder.correlation, *argv)) { # 353| explain1("reorder"); # 354|-> return -1; # 355| } # 356| } Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:362: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 360| if (get_percent(&corrupt.probability, *argv)) { # 361| explain1("corrupt"); # 362|-> return -1; # 363| } # 364| if (NEXT_IS_NUMBER()) { Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:369: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 367| if (get_percent(&corrupt.correlation, *argv)) { # 368| explain1("corrupt"); # 369|-> return -1; # 370| } # 371| } Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:376: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 374| if (get_u32(&opt.gap, *argv, 0)) { # 375| explain1("gap"); # 376|-> return -1; # 377| } # 378| } else if (matches(*argv, "duplicate") == 0) { Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:382: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 380| if (get_percent(&opt.duplicate, *argv)) { # 381| explain1("duplicate"); # 382|-> return -1; # 383| } # 384| if (NEXT_IS_NUMBER()) { Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:388: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 386| if (get_percent(&cor.dup_corr, *argv)) { # 387| explain1("duplicate"); # 388|-> return -1; # 389| } # 390| } Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:393: overwrite_var: Overwriting "dist_data" in "dist_data = calloc(2UL, 16384UL)" leaks the storage that "dist_data" points to. # 391| } else if (matches(*argv, "distribution") == 0) { # 392| NEXT_ARG(); # 393|-> dist_data = calloc(sizeof(dist_data[0]), MAX_DIST); # 394| dist_size = get_distribution(*argv, dist_data, MAX_DIST); # 395| if (dist_size <= 0) { Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:429: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 427| } else if (strcmp(*argv, "help") == 0) { # 428| explain(); # 429|-> return -1; # 430| } else { # 431| fprintf(stderr, "What is \"%s\"?\n", *argv); Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:433: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 431| fprintf(stderr, "What is \"%s\"?\n", *argv); # 432| explain(); # 433|-> return -1; # 434| } # 435| } Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:443: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 441| fprintf(stderr, "reordering not possible without specifying some delay\n"); # 442| explain(); # 443|-> return -1; # 444| } # 445| if (opt.gap == 0) Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:450: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 448| fprintf(stderr, "gap specified without reorder probability\n"); # 449| explain(); # 450|-> return -1; # 451| } # 452| Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:457: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 455| fprintf(stderr, "ecn requested without loss model\n"); # 456| explain(); # 457|-> return -1; # 458| } # 459| } Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:464: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 462| fprintf(stderr, "distribution specified but no latency and jitter values\n"); # 463| explain(); # 464|-> return -1; # 465| } # 466| Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/q_netem.c:393: alloc_fn: Storage is returned from allocation function "calloc". iproute-4.11.0-0.el7/tc/q_netem.c:393: var_assign: Assigning: "dist_data" = storage returned from "calloc(2UL, 16384UL)". iproute-4.11.0-0.el7/tc/q_netem.c:394: noescape: Resource "dist_data" is not freed or pointed-to in "get_distribution". iproute-4.11.0-0.el7/tc/q_netem.c:107:54: noescape: "get_distribution(char const *, __s16 *, int)" does not free or save its parameter "data". iproute-4.11.0-0.el7/tc/q_netem.c:468: leaked_storage: Variable "dist_data" going out of scope leaks the storage it points to. # 466| # 467| if (addattr_l(n, 1024, TCA_OPTIONS, &opt, sizeof(opt)) < 0) # 468|-> return -1; # 469| # 470| if (present[TCA_NETEM_CORR] && Error: REVERSE_INULL (CWE-476): iproute-4.11.0-0.el7/tc/q_netem.c:541: deref_ptr: Directly dereferencing pointer "opt". iproute-4.11.0-0.el7/tc/q_netem.c:546: check_after_deref: Null-checking "opt" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. # 544| SPRINT_BUF(b1); # 545| # 546|-> if (opt == NULL) # 547| return 0; # 548| Error: CLANG_WARNING: iproute-4.11.0-0.el7/tc/q_prio.c:110:34: warning: Access to field 'bands' results in a dereference of a null pointer (loaded from variable 'qopt') # fprintf(f, "bands %u priomap ", qopt->bands); # ^~~~ iproute-4.11.0-0.el7/tc/q_prio.c:103:6: note: Assuming 'opt' is not equal to null # if (opt == NULL) # ^~~~~~~~~~~ iproute-4.11.0-0.el7/tc/q_prio.c:103:2: note: Taking false branch # if (opt == NULL) # ^ iproute-4.11.0-0.el7/tc/q_prio.c:106:6: note: '?' condition is false # if (parse_rtattr_nested_compat(tb, TCA_PRIO_MAX, opt, qopt, # ^ iproute-4.11.0-0.el7/include/libnetlink.h:142:12: note: expanded from macro 'parse_rtattr_nested_compat' # ({ data = RTA_PAYLOAD(rta) >= len ? RTA_DATA(rta) : NULL; \ # ^ iproute-4.11.0-0.el7/include/uapi/linux/rtnetlink.h:183:26: note: expanded from macro 'RTA_PAYLOAD' ##define RTA_PAYLOAD(rta) ((int)((rta)->rta_len) - RTA_LENGTH(0)) # ^ iproute-4.11.0-0.el7/tc/q_prio.c:106:56: note: Null pointer value stored to 'qopt' # if (parse_rtattr_nested_compat(tb, TCA_PRIO_MAX, opt, qopt, # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~ iproute-4.11.0-0.el7/include/libnetlink.h:142:5: note: expanded from macro 'parse_rtattr_nested_compat' # ({ data = RTA_PAYLOAD(rta) >= len ? RTA_DATA(rta) : NULL; \ # ^ iproute-4.11.0-0.el7/tc/q_prio.c:106:2: note: Taking false branch # if (parse_rtattr_nested_compat(tb, TCA_PRIO_MAX, opt, qopt, # ^ iproute-4.11.0-0.el7/tc/q_prio.c:110:34: note: Access to field 'bands' results in a dereference of a null pointer (loaded from variable 'qopt') # fprintf(f, "bands %u priomap ", qopt->bands); # ^~~~ # 108| return -1; # 109| # 110|-> fprintf(f, "bands %u priomap ", qopt->bands); # 111| for (i = 0; i <= TC_PRIO_MAX; i++) # 112| fprintf(f, " %d", qopt->priomap[i]); Error: CHECKED_RETURN (CWE-252): iproute-4.11.0-0.el7/tc/q_red.c:125: check_return: Calling "get_rate" without checking return value (as is done elsewhere 14 out of 16 times). iproute-4.11.0-0.el7/tc/m_police.c:145: example_checked: Example 1: "get_rate(&p.rate.rate, *argv)" has its value checked in "get_rate(&p.rate.rate, *argv)". iproute-4.11.0-0.el7/tc/q_cbq.c:200: example_checked: Example 2: "get_rate(&r.rate, *argv)" has its value checked in "get_rate(&r.rate, *argv)". iproute-4.11.0-0.el7/tc/q_choke.c:57: example_checked: Example 3: "get_rate(&rate, *argv)" has its value checked in "get_rate(&rate, *argv)". iproute-4.11.0-0.el7/tc/q_fq.c:119: example_checked: Example 4: "get_rate(&maxrate, *argv)" has its value checked in "get_rate(&maxrate, *argv)". iproute-4.11.0-0.el7/tc/q_gred.c:203: example_checked: Example 5: "get_rate(&rate, *argv)" has its value checked in "get_rate(&rate, *argv)". # 123| burst = (2 * opt.qth_min + opt.qth_max) / (3 * avpkt); # 124| if (!rate) { # 125|-> get_rate(&rate, "10Mbit"); # 126| fprintf(stderr, "RED: set bandwidth to 10Mbit\n"); # 127| } Error: CLANG_WARNING: iproute-4.11.0-0.el7/tc/q_rr.c:105:34: warning: Access to field 'bands' results in a dereference of a null pointer (loaded from variable 'qopt') # fprintf(f, "bands %u priomap ", qopt->bands); # ^~~~ iproute-4.11.0-0.el7/tc/q_rr.c:98:6: note: Assuming 'opt' is not equal to null # if (opt == NULL) # ^~~~~~~~~~~ iproute-4.11.0-0.el7/tc/q_rr.c:98:2: note: Taking false branch # if (opt == NULL) # ^ iproute-4.11.0-0.el7/tc/q_rr.c:101:6: note: '?' condition is false # if (parse_rtattr_nested_compat(tb, TCA_PRIO_MAX, opt, qopt, # ^ iproute-4.11.0-0.el7/include/libnetlink.h:142:12: note: expanded from macro 'parse_rtattr_nested_compat' # ({ data = RTA_PAYLOAD(rta) >= len ? RTA_DATA(rta) : NULL; \ # ^ iproute-4.11.0-0.el7/include/uapi/linux/rtnetlink.h:183:26: note: expanded from macro 'RTA_PAYLOAD' ##define RTA_PAYLOAD(rta) ((int)((rta)->rta_len) - RTA_LENGTH(0)) # ^ iproute-4.11.0-0.el7/tc/q_rr.c:101:56: note: Null pointer value stored to 'qopt' # if (parse_rtattr_nested_compat(tb, TCA_PRIO_MAX, opt, qopt, # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~ iproute-4.11.0-0.el7/include/libnetlink.h:142:5: note: expanded from macro 'parse_rtattr_nested_compat' # ({ data = RTA_PAYLOAD(rta) >= len ? RTA_DATA(rta) : NULL; \ # ^ iproute-4.11.0-0.el7/tc/q_rr.c:101:2: note: Taking false branch # if (parse_rtattr_nested_compat(tb, TCA_PRIO_MAX, opt, qopt, # ^ iproute-4.11.0-0.el7/tc/q_rr.c:105:34: note: Access to field 'bands' results in a dereference of a null pointer (loaded from variable 'qopt') # fprintf(f, "bands %u priomap ", qopt->bands); # ^~~~ # 103| return -1; # 104| # 105|-> fprintf(f, "bands %u priomap ", qopt->bands); # 106| for (i = 0; i <= TC_PRIO_MAX; i++) # 107| fprintf(f, " %d", qopt->priomap[i]); Error: TAINTED_STRING (CWE-20): iproute-4.11.0-0.el7/tc/tc.c:114: tainted_string_return_content: "get_tc_lib" returns tainted string content. iproute-4.11.0-0.el7/tc/tc_util.c:69:2: tainted_string_return_content: Function "getenv" returning tainted string content. iproute-4.11.0-0.el7/tc/tc_util.c:69:2: var_assign: Assigning: "lib_dir" = "getenv("TC_LIB_DIR")", which taints "lib_dir". iproute-4.11.0-0.el7/tc/tc_util.c:73:2: return_tainted_string: Returning tainted string "lib_dir". iproute-4.11.0-0.el7/tc/tc.c:114: vararg_transitive: Call to "snprintf" with tainted argument "get_tc_lib()" taints "buf". iproute-4.11.0-0.el7/tc/tc.c:115: tainted_string: Passing tainted string "buf" to "dlopen", which cannot accept tainted data. # 113| # 114| snprintf(buf, sizeof(buf), "%s/q_%s.so", get_tc_lib(), str); # 115|-> dlh = dlopen(buf, RTLD_LAZY); # 116| if (!dlh) { # 117| /* look in current binary, only open once */ Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/tc.c:115: alloc_fn: Storage is returned from allocation function "dlopen". iproute-4.11.0-0.el7/tc/tc.c:115: var_assign: Assigning: "dlh" = storage returned from "dlopen(buf, 1)". iproute-4.11.0-0.el7/tc/tc.c:127: noescape: Resource "dlh" is not freed or pointed-to in "dlsym". iproute-4.11.0-0.el7/tc/tc.c:134: leaked_storage: Variable "dlh" going out of scope leaks the storage it points to. # 132| q->next = qdisc_list; # 133| qdisc_list = q; # 134|-> return q; # 135| # 136| noexist: Error: TAINTED_STRING (CWE-20): iproute-4.11.0-0.el7/tc/tc.c:158: tainted_string_return_content: "get_tc_lib" returns tainted string content. iproute-4.11.0-0.el7/tc/tc_util.c:69:2: tainted_string_return_content: Function "getenv" returning tainted string content. iproute-4.11.0-0.el7/tc/tc_util.c:69:2: var_assign: Assigning: "lib_dir" = "getenv("TC_LIB_DIR")", which taints "lib_dir". iproute-4.11.0-0.el7/tc/tc_util.c:73:2: return_tainted_string: Returning tainted string "lib_dir". iproute-4.11.0-0.el7/tc/tc.c:158: vararg_transitive: Call to "snprintf" with tainted argument "get_tc_lib()" taints "buf". iproute-4.11.0-0.el7/tc/tc.c:159: tainted_string: Passing tainted string "buf" to "dlopen", which cannot accept tainted data. # 157| # 158| snprintf(buf, sizeof(buf), "%s/f_%s.so", get_tc_lib(), str); # 159|-> dlh = dlopen(buf, RTLD_LAZY); # 160| if (dlh == NULL) { # 161| dlh = BODY; Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/tc.c:159: alloc_fn: Storage is returned from allocation function "dlopen". iproute-4.11.0-0.el7/tc/tc.c:159: var_assign: Assigning: "dlh" = storage returned from "dlopen(buf, 1)". iproute-4.11.0-0.el7/tc/tc.c:170: noescape: Resource "dlh" is not freed or pointed-to in "dlsym". iproute-4.11.0-0.el7/tc/tc.c:177: leaked_storage: Variable "dlh" going out of scope leaks the storage it points to. # 175| q->next = filter_list; # 176| filter_list = q; # 177|-> return q; # 178| noexist: # 179| q = calloc(1, sizeof(*q)); Error: TAINTED_STRING (CWE-20): iproute-4.11.0-0.el7/tc/tc.c:349: tainted_string: Passing tainted string "argv + 1" to "do_cmd", which cannot accept tainted data. iproute-4.11.0-0.el7/tc/tc.c:201:3: tainted_string_sink_content_lv_call: Passing tainted string "argv + 1" to "do_qdisc", which depends on its content. iproute-4.11.0-0.el7/tc/tc_qdisc.c:346:3: tainted_string_sink_content_lv_call: Passing tainted string "argv[1]" to "tc_qdisc_modify", which depends on its content. iproute-4.11.0-0.el7/tc/tc_qdisc.c:128:4: tainted_data_transitive: Call to function "strncpy" with tainted argument "*argv" transitively taints "k". [Note: The source code implementation of the function has been overridden by a builtin model.] iproute-4.11.0-0.el7/tc/tc_qdisc.c:130:4: tainted_string_sink_content_lv_call: Passing tainted string "k" to "get_qdisc_kind", which depends on its content. iproute-4.11.0-0.el7/tc/tc.c:114:2: vararg_transitive: Call to "snprintf" with tainted argument "str" taints "buf". iproute-4.11.0-0.el7/tc/tc.c:115:2: tainted_string_sink_content_lv_call: Passing tainted string "buf" to "dlopen", which depends on its content. # 347| } # 348| # 349|-> ret = do_cmd(argc-1, argv+1); # 350| Exit: # 351| rtnl_close(&rth); Error: TAINTED_STRING (CWE-20): iproute-4.11.0-0.el7/tc/tc_exec.c:53: tainted_string_return_content: "get_tc_lib" returns tainted string content. iproute-4.11.0-0.el7/tc/tc_util.c:69:2: tainted_string_return_content: Function "getenv" returning tainted string content. iproute-4.11.0-0.el7/tc/tc_util.c:69:2: var_assign: Assigning: "lib_dir" = "getenv("TC_LIB_DIR")", which taints "lib_dir". iproute-4.11.0-0.el7/tc/tc_util.c:73:2: return_tainted_string: Returning tainted string "lib_dir". iproute-4.11.0-0.el7/tc/tc_exec.c:53: vararg_transitive: Call to "snprintf" with tainted argument "get_tc_lib()" taints "buf". iproute-4.11.0-0.el7/tc/tc_exec.c:54: tainted_string: Passing tainted string "buf" to "dlopen", which cannot accept tainted data. # 52| # 53| snprintf(buf, sizeof(buf), "%s/e_%s.so", get_tc_lib(), name); # 54|-> dlh = dlopen(buf, RTLD_LAZY); # 55| if (dlh == NULL) { # 56| dlh = BODY; Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tc/tc_exec.c:54: alloc_fn: Storage is returned from allocation function "dlopen". iproute-4.11.0-0.el7/tc/tc_exec.c:54: var_assign: Assigning: "dlh" = storage returned from "dlopen(buf, 1)". iproute-4.11.0-0.el7/tc/tc_exec.c:65: noescape: Resource "dlh" is not freed or pointed-to in "dlsym". iproute-4.11.0-0.el7/tc/tc_exec.c:72: leaked_storage: Variable "dlh" going out of scope leaks the storage it points to. # 70| exec_list = eu; # 71| # 72|-> return eu; # 73| noexist: # 74| eu = calloc(1, sizeof(*eu)); Error: FORWARD_NULL (CWE-476): iproute-4.11.0-0.el7/tc/tc_filter.c:311: assign_zero: Assigning: "q" = "NULL". iproute-4.11.0-0.el7/tc/tc_filter.c:417: var_deref_op: Dereferencing null pointer "q". # 415| } # 416| # 417|-> if (q->parse_fopt(q, fhandle, argc, argv, &req.n)) # 418| return 1; # 419| Error: OVERRUN (CWE-119): iproute-4.11.0-0.el7/tc/tc_qdisc.c:59: assignment: Assigning: "req.n.nlmsg_len" = "36U". iproute-4.11.0-0.el7/tc/tc_qdisc.c:168: alias: Assigning: "tail" = "(void *)&req.n + (req.n.nlmsg_len + 4U - 1U & 0xfffffffcU)". "tail" now points to element 9 of "req.n" (which consists of 4 4-byte elements). iproute-4.11.0-0.el7/tc/tc_qdisc.c:175: overrun-local: Overrunning array of 4 4-byte elements at element index 9 (byte offset 36) by dereferencing pointer "tail". # 173| addattr_l(&req.n, sizeof(req), TCA_STAB_DATA, stab.data, # 174| stab.szopts.tsize * sizeof(__u16)); # 175|-> tail->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)tail; # 176| if (stab.data) # 177| free(stab.data); Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/bearer.c:85:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/bearer.c:85:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 83| static int get_netid_cb(const struct nlmsghdr *nlh, void *data) # 84| { # 85|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 86| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 87| struct nlattr *attrs[TIPC_NLA_NET_MAX + 1] = {}; Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tipc/bearer.c:157: alloc_arg: "getaddrinfo" allocates memory that is stored into "loc". iproute-4.11.0-0.el7/tipc/bearer.c:166: leaked_storage: Variable "loc" going out of scope leaks the storage it points to. # 164| if (generate_multicast(loc->ai_family, buf, sizeof(buf))) { # 165| fprintf(stderr, "Failed to generate multicast address\n"); # 166|-> return -EINVAL; # 167| } # 168| remip = buf; Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tipc/bearer.c:157: alloc_arg: "getaddrinfo" allocates memory that is stored into "loc". iproute-4.11.0-0.el7/tipc/bearer.c:180: leaked_storage: Variable "loc" going out of scope leaks the storage it points to. # 178| if (rem->ai_family != loc->ai_family) { # 179| fprintf(stderr, "UDP local and remote AF mismatch\n"); # 180|-> return -EINVAL; # 181| } # 182| Error: RESOURCE_LEAK (CWE-772): iproute-4.11.0-0.el7/tipc/bearer.c:171: alloc_arg: "getaddrinfo" allocates memory that is stored into "rem". iproute-4.11.0-0.el7/tipc/bearer.c:180: leaked_storage: Variable "rem" going out of scope leaks the storage it points to. # 178| if (rem->ai_family != loc->ai_family) { # 179| fprintf(stderr, "UDP local and remote AF mismatch\n"); # 180|-> return -EINVAL; # 181| } # 182| Error: NULL_RETURNS (CWE-476): iproute-4.11.0-0.el7/tipc/bearer.c:438: returned_null: "get_opt" returns null (checked 22 out of 23 times). iproute-4.11.0-0.el7/tipc/cmdl.c:62:2: return_null: Explicitly returning null. iproute-4.11.0-0.el7/tipc/bearer.c:218: example_checked: Example 1: "get_opt(opts, "media")" has its value checked in "opt = get_opt(opts, "media")". iproute-4.11.0-0.el7/tipc/bearer.c:273: example_checked: Example 2: "get_opt(opts, "remoteport")" has its value checked in "opt = get_opt(opts, "remoteport")". iproute-4.11.0-0.el7/tipc/bearer.c:276: example_checked: Example 3: "get_opt(opts, "remoteip")" has its value checked in "opt = get_opt(opts, "remoteip")". iproute-4.11.0-0.el7/tipc/bearer.c:141: example_checked: Example 4: "get_opt(opts, "localip")" has its value checked in "opt = get_opt(opts, "localip")". iproute-4.11.0-0.el7/tipc/bearer.c:148: example_checked: Example 5: "get_opt(opts, "remoteip")" has its value checked in "opt = get_opt(opts, "remoteip")". iproute-4.11.0-0.el7/tipc/bearer.c:438: var_assigned: Assigning: "opt" = null return value from "get_opt". iproute-4.11.0-0.el7/tipc/bearer.c:439: dereference: Dereferencing a null pointer "opt". # 437| # 438| opt = get_opt(opts, "media"); # 439|-> if (strcmp(opt->val, "udp") == 0) { # 440| err = nl_add_udp_enable_opts(nlh, opts, cmdl); # 441| if (err) Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/bearer.c:636:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/bearer.c:636:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 634| { # 635| struct sockaddr_storage *addr; # 636|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 637| struct nlattr *info[TIPC_NLA_UDP_MAX + 1] = {}; # 638| Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/bearer.c:672:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/bearer.c:672:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 670| struct cb_data *cb_data = (struct cb_data *) data; # 671| struct sockaddr_storage *addr; # 672|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 673| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 674| struct nlattr *attrs[TIPC_NLA_BEARER_MAX + 1] = {}; Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/bearer.c:744:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/bearer.c:744:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 742| { # 743| int *prop = data; # 744|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 745| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 746| struct nlattr *attrs[TIPC_NLA_BEARER_MAX + 1] = {}; Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/bearer.c:913:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/bearer.c:913:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 911| static int bearer_list_cb(const struct nlmsghdr *nlh, void *data) # 912| { # 913|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 914| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 915| struct nlattr *attrs[TIPC_NLA_BEARER_MAX + 1] = {}; Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/link.c:29:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/link.c:29:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 27| static int link_list_cb(const struct nlmsghdr *nlh, void *data) # 28| { # 29|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 30| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 31| struct nlattr *attrs[TIPC_NLA_LINK_MAX + 1] = {}; Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/link.c:73:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/link.c:73:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 71| { # 72| int *prop = data; # 73|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 74| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 75| struct nlattr *attrs[TIPC_NLA_LINK_MAX + 1] = {}; Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/link.c:325:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/link.c:325:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 323| const char *name; # 324| const char *link = data; # 325|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 326| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 327| struct nlattr *attrs[TIPC_NLA_LINK_MAX + 1] = {}; Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/link.c:530:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/link.c:530:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 528| static int link_mon_summary_cb(const struct nlmsghdr *nlh, void *data) # 529| { # 530|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 531| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 532| struct nlattr *attrs[TIPC_NLA_MON_MAX + 1] = {}; Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/link.c:644:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/link.c:644:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 642| static int link_mon_peer_list_cb(const struct nlmsghdr *nlh, void *data) # 643| { # 644|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 645| struct nlattr *attrs[TIPC_NLA_MON_PEER_MAX + 1] = {}; # 646| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/link.c:718:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/link.c:718:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 716| static int link_mon_list_cb(const struct nlmsghdr *nlh, void *data) # 717| { # 718|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 719| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 720| struct nlattr *attrs[TIPC_NLA_MON_MAX + 1] = {}; Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/link.c:840:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/link.c:840:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 838| static int link_mon_get_cb(const struct nlmsghdr *nlh, void *data) # 839| { # 840|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 841| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 842| struct nlattr *attrs[TIPC_NLA_MON_MAX + 1] = {}; Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/media.c:28:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/media.c:28:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 26| static int media_list_cb(const struct nlmsghdr *nlh, void *data) # 27| { # 28|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 29| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 30| struct nlattr *attrs[TIPC_NLA_MEDIA_MAX + 1] = {}; Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/media.c:66:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/media.c:66:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 64| { # 65| int *prop = data; # 66|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 67| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 68| struct nlattr *attrs[TIPC_NLA_MEDIA_MAX + 1] = {}; Error: NO_EFFECT (CWE-398): iproute-4.11.0-0.el7/tipc/misc.c:30: unsigned_compare: This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "z >= 0U". iproute-4.11.0-0.el7/tipc/misc.c:30: unsigned_compare: This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "c >= 0U". iproute-4.11.0-0.el7/tipc/misc.c:30: unsigned_compare: This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "n >= 0U". # 28| } # 29| # 30|-> if (IN_RANGE(z, 0, 255) && IN_RANGE(c, 0, 4095) && IN_RANGE(n, 0, 4095)) # 31| return tipc_addr(z, c, n); # 32| Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/msg.c:36:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/msg.c:36:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 34| { # 35| struct nlattr *tb[CTRL_ATTR_MAX + 1] = {}; # 36|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 37| int *id = data; # 38| Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/msg.c:134:2: warning: Undefined or garbage value returned to caller # return nl_family; # ^ iproute-4.11.0-0.el7/tipc/msg.c:155:11: note: Calling 'get_family' # family = get_family(); # ^~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/msg.c:115:2: note: 'nl_family' declared without an initial value # int nl_family; # ^~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/msg.c:131:13: note: Calling 'msg_query' # if ((err = msg_query(nlh, family_id_cb, &nl_family))) # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/msg.c:105:7: note: Calling 'msg_send' # nl = msg_send(nlh); # ^~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/msg.c:54:6: note: Assuming 'nl' is not equal to null # if (nl == NULL) { # ^~~~~~~~~~ iproute-4.11.0-0.el7/tipc/msg.c:54:2: note: Taking false branch # if (nl == NULL) { # ^ iproute-4.11.0-0.el7/tipc/msg.c:60:6: note: Assuming 'ret' is >= 0 # if (ret < 0) { # ^~~~~~~ iproute-4.11.0-0.el7/tipc/msg.c:60:2: note: Taking false branch # if (ret < 0) { # ^ iproute-4.11.0-0.el7/tipc/msg.c:66:6: note: Assuming 'ret' is >= 0 # if (ret < 0) { # ^~~~~~~ iproute-4.11.0-0.el7/tipc/msg.c:66:2: note: Taking false branch # if (ret < 0) { # ^ iproute-4.11.0-0.el7/tipc/msg.c:105:7: note: Returning from 'msg_send' # nl = msg_send(nlh); # ^~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/msg.c:106:2: note: Taking false branch # if (!nl) # ^ iproute-4.11.0-0.el7/tipc/msg.c:109:9: note: Calling 'msg_recv' # return msg_recv(nl, callback, data, seq); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/msg.c:78:11: note: '?' condition is false # char buf[MNL_SOCKET_BUFFER_SIZE]; # ^ /usr/include/libmnl/libmnl.h:25:33: note: expanded from macro 'MNL_SOCKET_BUFFER_SIZE' ##define MNL_SOCKET_BUFFER_SIZE (getpagesize() < 8192L ? getpagesize() : 8192L) # ^ iproute-4.11.0-0.el7/tipc/msg.c:83:9: note: Assuming 'ret' is <= 0 # while (ret > 0) { # ^~~~~~~ iproute-4.11.0-0.el7/tipc/msg.c:83:2: note: Loop condition is false. Execution continues on line 89 # while (ret > 0) { # ^ iproute-4.11.0-0.el7/tipc/msg.c:89:2: note: Taking false branch # if (ret == -1) # ^ iproute-4.11.0-0.el7/tipc/msg.c:109:9: note: Returning from 'msg_recv' # return msg_recv(nl, callback, data, seq); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/msg.c:131:13: note: Returning from 'msg_query' # if ((err = msg_query(nlh, family_id_cb, &nl_family))) # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/msg.c:131:7: note: Assuming 'err' is zero # if ((err = msg_query(nlh, family_id_cb, &nl_family))) # ^~~ iproute-4.11.0-0.el7/tipc/msg.c:131:2: note: Taking false branch # if ((err = msg_query(nlh, family_id_cb, &nl_family))) # ^ iproute-4.11.0-0.el7/tipc/msg.c:134:2: note: Undefined or garbage value returned to caller # return nl_family; # ^ ~~~~~~~~~ # 132| return err; # 133| # 134|-> return nl_family; # 135| } # 136| Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/nametable.c:30:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/nametable.c:30:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 28| int *iteration = data; # 29| char port_id[PORTID_STR_LEN]; # 30|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 31| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 32| struct nlattr *attrs[TIPC_NLA_NAME_TABLE_MAX + 1] = {}; Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/node.c:30:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/node.c:30:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 28| { # 29| uint32_t addr; # 30|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 31| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 32| struct nlattr *attrs[TIPC_NLA_NODE_MAX + 1] = {}; Error: NEGATIVE_RETURNS (CWE-394): iproute-4.11.0-0.el7/tipc/node.c:112: negative_return_fn: Function "socket(30, SOCK_RDM, 0)" returns a negative number. iproute-4.11.0-0.el7/tipc/node.c:112: var_assign: Assigning: signed variable "sk" = "socket". iproute-4.11.0-0.el7/tipc/node.c:117: negative_returns: "sk" is passed to a parameter that cannot be negative. # 115| } # 116| # 117|-> if (getsockname(sk, (struct sockaddr *)&addr, &sz) < 0) { # 118| fprintf(stderr, "getting TIPC socket address: %s\n", # 119| strerror(errno)); Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/node.c:135:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/node.c:135:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 133| static int netid_get_cb(const struct nlmsghdr *nlh, void *data) # 134| { # 135|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 136| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 137| struct nlattr *attrs[TIPC_NLA_NET_MAX + 1] = {}; Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/socket.c:28:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/socket.c:28:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 26| static int publ_list_cb(const struct nlmsghdr *nlh, void *data) # 27| { # 28|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 29| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 30| struct nlattr *attrs[TIPC_NLA_SOCK_MAX + 1] = {}; Error: CLANG_WARNING: iproute-4.11.0-0.el7/tipc/socket.c:66:21: warning: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ iproute-4.11.0-0.el7/tipc/socket.c:66:21: note: Value stored to 'genl' during its initialization is never read # struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~ # 64| static int sock_list_cb(const struct nlmsghdr *nlh, void *data) # 65| { # 66|-> struct genlmsghdr *genl = mnl_nlmsg_get_payload(nlh); # 67| struct nlattr *info[TIPC_NLA_MAX + 1] = {}; # 68| struct nlattr *attrs[TIPC_NLA_SOCK_MAX + 1] = {};