Merge pull request #18042 from FRRouting/mergify/bp/dev/10.3/pr-17865

Coverity 2024 new hotness (backport #17865)

5 files changed, 32 insertions, 3 deletions

diff --git a/bgpd/bgp_fsm.c b/bgpd/bgp_fsm.c
index c7b7f9e284..c7a4c6928a 100644
--- a/bgpd/bgp_fsm.c
+++ b/bgpd/bgp_fsm.c
@@ -525,8 +525,9 @@ static void bgp_holdtime_timer(struct event *thread)
 	 * for systems where we are heavily loaded for one
 	 * reason or another.
 	 */
-	inq_count = atomic_load_explicit(&connection->ibuf->count,
-					 memory_order_relaxed);
+	frr_with_mutex (&connection->io_mtx) {
+		inq_count = atomic_load_explicit(&connection->ibuf->count, memory_order_relaxed);
+	}
 	if (inq_count)
 		BGP_TIMER_ON(connection->t_holdtime, bgp_holdtime_timer,
 			     peer->v_holdtime);
diff --git a/ospfd/ospf_api.c b/ospfd/ospf_api.c
index 213ee8c1fd..cfc13fcc53 100644
--- a/ospfd/ospf_api.c
+++ b/ospfd/ospf_api.c
@@ -514,6 +514,12 @@ struct msg *new_msg_originate_request(uint32_t seqnum, struct in_addr ifaddr,
 	omsglen += sizeof(struct msg_originate_request)
 		   - sizeof(struct lsa_header);
 
+	if (omsglen > UINT16_MAX) {
+		zlog_warn("%s: LSA specified is bigger than maximum LSA size, something is wrong",
+			  __func__);
+		omsglen = UINT16_MAX;
+	}
+
 	return msg_new(MSG_ORIGINATE_REQUEST, omsg, seqnum, omsglen);
 }
 
@@ -639,6 +645,12 @@ struct msg *new_msg_lsa_change_notify(uint8_t msgtype, uint32_t seqnum,
 	memcpy(nmsg_data, data, len);
 	len += sizeof(struct msg_lsa_change_notify) - sizeof(struct lsa_header);
 
+	if (len > UINT16_MAX) {
+		zlog_warn("%s: LSA specified is bigger than maximum LSA size, something is wrong",
+			  __func__);
+		len = UINT16_MAX;
+	}
+
 	return msg_new(msgtype, nmsg, seqnum, len);
 }
 
@@ -666,6 +678,12 @@ struct msg *new_msg_reachable_change(uint32_t seqnum, uint16_t nadd,
 	nmsg->nremove = htons(nremove);
 	len = sizeof(*nmsg) + insz * (nadd + nremove);
 
+	if (len > UINT16_MAX) {
+		zlog_warn("%s: LSA specified is bigger than maximum LSA size, something is wrong",
+			  __func__);
+		len = UINT16_MAX;
+	}
+
 	return msg_new(MSG_REACHABLE_CHANGE, nmsg, seqnum, len);
 }
 
diff --git a/zebra/zebra_dplane.c b/zebra/zebra_dplane.c
index 9acdb4b2f8..9c252cc63c 100644
--- a/zebra/zebra_dplane.c
+++ b/zebra/zebra_dplane.c
@@ -7703,7 +7703,10 @@ static void zebra_dplane_init_internal(void)
 
 	dplane_prov_list_init(&zdplane_info.dg_providers);
 
-	dplane_ctx_list_init(&zdplane_info.dg_update_list);
+	frr_with_mutex (&zdplane_info.dg_mutex) {
+		dplane_ctx_list_init(&zdplane_info.dg_update_list);
+	}
+
 	zns_info_list_init(&zdplane_info.dg_zns_list);
 
 	zdplane_info.dg_updates_per_cycle = DPLANE_DEFAULT_NEW_WORK;
diff --git a/zebra/zserv.c b/zebra/zserv.c
index 7ef3582329..6965c285cd 100644
--- a/zebra/zserv.c
+++ b/zebra/zserv.c
@@ -937,6 +937,10 @@ void zserv_close(void)
 /*
  * Open zebra's ZAPI listener socket. This is done early during startup,
  * before zebra is ready to listen and accept client connections.
+ *
+ * This function should only ever be called from the startup pthread
+ * from main.c.  If it is called multiple times it will cause problems
+ * because it causes the zsock global variable to be setup.
  */
 void zserv_open(const char *path)
 {
diff --git a/zebra/zserv.h b/zebra/zserv.h
index ce47ef19fa..1ff7ccd981 100644
--- a/zebra/zserv.h
+++ b/zebra/zserv.h
@@ -262,6 +262,9 @@ extern void zserv_close(void);
  *
  * path
  *    where to place the Unix domain socket
+ *
+ * This function *should* only ever be called from
+ * main() and only every from 1 pthread.
  */
 extern void zserv_open(const char *path);