From 95eadb506816ed6b1bffdf8f0b7dfc7a8f16c3fb Mon Sep 17 00:00:00 2001 From: Carmine Scarpitta Date: Fri, 15 Sep 2023 12:13:45 +0200 Subject: [PATCH 1/4] isisd: Fix CID 1568129 (Null pointer dereference) Fix this coverity issue: *** CID 1568129: Null pointer dereferences (REVERSE_INULL) /isisd/isis_tlvs.c: 2813 in unpack_item_srv6_end_sid() 2807 sid->subsubtlvs = NULL; 2808 } 2809 2810 append_item(&subtlvs->srv6_end_sids, (struct isis_item *)sid); 2811 return 0; 2812 out: >>> CID 1568129: Null pointer dereferences (REVERSE_INULL) >>> Null-checking "sid" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. 2813 if (sid) 2814 free_item_srv6_end_sid((struct isis_item *)sid); 2815 return 1; 2816 } 2817 2818 /* Functions related to TLVs 1 Area Addresses */ Signed-off-by: Carmine Scarpitta
---
 isisd/isis_tlvs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
index cd7b3b8842..ecf43faa70 100644
--- a/isisd/isis_tlvs.c
+++ b/isisd/isis_tlvs.c
@@ -2751,7 +2751,7 @@ static int unpack_item_srv6_end_sid(uint16_t mtid, uint8_t len,
 void *dest, int indent)
 {
 struct isis_subtlvs *subtlvs = dest;
- struct isis_srv6_end_sid_subtlv *sid;
+ struct isis_srv6_end_sid_subtlv *sid = NULL;
 size_t consume;
 uint8_t subsubtlv_len;

@@ -2763,7 +2763,7 @@ static int unpack_item_srv6_end_sid(uint16_t mtid, uint8_t len,
 log, indent,
 "Not enough data left. (expected 19 or more bytes, got %hhu)\n",
 len);
- return 1;
+ goto out;
 }

 sid = XCALLOC(MTYPE_ISIS_SUBTLV, sizeof(*sid));
From f3b4e6664fb8476342dbc90bb6016dac20c5cace Mon Sep 17 00:00:00 2001
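Review bot: The `goto out;` added to the short-length branch in the second hunk is only safe because the `out:` label, which lies outside both hunks, keeps its `if (sid)` guard, and the `= NULL` initialiser in the first hunk is what makes that guard meaningful. That coupling is not visible at the declaration, so a later cleanup that removes the guard as redundant would pass a NULL pointer to `free_item_srv6_end_sid()` whenever a sub-TLV is too short; whether that helper tolerates NULL is not shown here. Since this looks like the parse path for received sub-TLVs, I would record the dependency where `sid` is declared: `/* NULL until XCALLOC below; out: frees only a non-NULL sid */`.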
From: Carmine Scarpitta Date: Fri, 15 Sep 2023 12:25:50 +0200 Subject: [PATCH 2/4] isisd: Fix CID 1568132 (Null pointer dereference) Null checking the `sra` pointer after dereferencing it causes a coverity issue. Let's perform the null check before dereferencing the pointer. Fixes this coverity issue: *** CID 1568132: Null pointer dereferences (REVERSE_INULL) /isisd/isis_zebra.c: 1023 in isis_zebra_srv6_adj_sid_install() 1017 struct seg6local_context ctx = {}; 1018 uint16_t prefixlen = IPV6_MAX_BITLEN; 1019 struct interface *ifp; 1020 struct isis_circuit *circuit = sra->adj->circuit; 1021 struct isis_area *area = circuit->area; 1022 >>> CID 1568132: Null pointer dereferences (REVERSE_INULL) >>> Null-checking "sra" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. 1023 if (!sra) 1024 return; 1025 1026 sr_debug("ISIS-SRv6 (%s): setting adjacency SID %pI6", area->area_tag, 1027 &sra->sid); 1028 Signed-off-by: Carmine Scarpitta
---
 isisd/isis_zebra.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/isisd/isis_zebra.c b/isisd/isis_zebra.c
index ada8f1ad29..6b9507136a 100644
--- a/isisd/isis_zebra.c
+++ b/isisd/isis_zebra.c
@@ -1017,12 +1017,15 @@ void isis_zebra_srv6_adj_sid_install(struct srv6_adjacency *sra)
 struct seg6local_context ctx = {};
 uint16_t prefixlen = IPV6_MAX_BITLEN;
 struct interface *ifp;
- struct isis_circuit *circuit = sra->adj->circuit;
- struct isis_area *area = circuit->area;
+ struct isis_circuit *circuit;
+ struct isis_area *area;

 if (!sra)
 return;

+ circuit = sra->adj->circuit;
+ area = circuit->area;
+
 sr_debug("ISIS-SRv6 (%s): setting adjacency SID %pI6", area->area_tag,
 &sra->sid);

From 9de5b3bf58988b4ec5d663aaebda8906126ad29f Mon Sep 17 00:00:00 2001
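Review bot: The reordered guard covers only `sra`; the two assignments added below it still follow `sra->adj->circuit` and then `circuit->area` unchecked, and `area->area_tag` is read in the `sr_debug()` call immediately after. Nothing in the hunk shows whether an `srv6_adjacency` can exist without an adjacency or a circuit, so either state that invariant in a comment above the assignments or widen the guard to `if (!sra || !sra->adj || !sra->adj->circuit) return;`. The hunk in patch 3/4 (`isis_zebra_srv6_adj_sid_uninstall`) has the same shape and would take the same change. Both function bodies continue outside their hunks.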
From: Carmine Scarpitta Date: Fri, 15 Sep 2023 12:30:39 +0200 Subject: [PATCH 3/4] isisd: Fix CID 1568133 (Null pointer dereference) Null checking the `sra` pointer after dereferencing it causes a coverity issue. Let's perform the null check before dereferencing the pointer. Fixes this coverity issue: *** CID 1568133: Null pointer dereferences (REVERSE_INULL) /isisd/isis_zebra.c: 1077 in isis_zebra_srv6_adj_sid_uninstall() 1071 enum seg6local_action_t action = ZEBRA_SEG6_LOCAL_ACTION_UNSPEC; 1072 struct interface *ifp; 1073 uint16_t prefixlen = IPV6_MAX_BITLEN; 1074 struct isis_circuit *circuit = sra->adj->circuit; 1075 struct isis_area *area = circuit->area; 1076 >>> CID 1568133: Null pointer dereferences (REVERSE_INULL) >>> Null-checking "sra" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. 1077 if (!sra) 1078 return; 1079 1080 switch (sra->behavior) { 1081 case SRV6_ENDPOINT_BEHAVIOR_END_X: 1082 prefixlen = IPV6_MAX_BITLEN; Signed-off-by: Carmine Scarpitta
---
 isisd/isis_zebra.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/isisd/isis_zebra.c b/isisd/isis_zebra.c
index 6b9507136a..378d78efe4 100644
--- a/isisd/isis_zebra.c
+++ b/isisd/isis_zebra.c
@@ -1074,12 +1074,15 @@ void isis_zebra_srv6_adj_sid_uninstall(struct srv6_adjacency *sra)
 enum seg6local_action_t action = ZEBRA_SEG6_LOCAL_ACTION_UNSPEC;
 struct interface *ifp;
 uint16_t prefixlen = IPV6_MAX_BITLEN;
- struct isis_circuit *circuit = sra->adj->circuit;
- struct isis_area *area = circuit->area;
+ struct isis_circuit *circuit;
+ struct isis_area *area;

 if (!sra)
 return;

+ circuit = sra->adj->circuit;
+ area = circuit->area;
+
 switch (sra->behavior) {
 case SRV6_ENDPOINT_BEHAVIOR_END_X:
 prefixlen = IPV6_MAX_BITLEN;
From 6ae2a525cf57079adf244510d18bf7647007ce47 Mon Sep 17 00:00:00 2001
From: Carmine Scarpitta Date: Fri, 15 Sep 2023 12:36:30 +0200 Subject: [PATCH 4/4] isisd: Fix CID 1568134 (Null pointer dereference) Null check `isis` pointer before dereferencing it. Fixes this coverity issue: *** CID 1568134: Null pointer dereferences (NULL_RETURNS) /isisd/isis_zebra.c: 1146 in isis_zebra_process_srv6_locator_chunk() 1140 "prefix %pFX, block_len %u, node_len %u, func_len %u, arg_len %u", 1141 chunk->locator_name, &chunk->prefix, chunk->block_bits_length, 1142 chunk->node_bits_length, chunk->function_bits_length, 1143 chunk->argument_bits_length); 1144 1145 /* Walk through all areas of the ISIS instance */ >>> CID 1568134: Null pointer dereferences (NULL_RETURNS) >>> Dereferencing "isis", which is known to be "NULL". 1146 for (ALL_LIST_ELEMENTS_RO(isis->area_list, node, area)) { 1147 if (strncmp(area->srv6db.config.srv6_locator_name, 1148 chunk->locator_name, 1149 sizeof(area->srv6db.config.srv6_locator_name)) != 0) 1150 continue; 1151 Signed-off-by: Carmine Scarpitta
---
 isisd/isis_zebra.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/isisd/isis_zebra.c b/isisd/isis_zebra.c
index 378d78efe4..788618ef8b 100644
--- a/isisd/isis_zebra.c
+++ b/isisd/isis_zebra.c
@@ -1136,6 +1136,9 @@ static int isis_zebra_process_srv6_locator_chunk(ZAPI_CALLBACK_ARGS)
 enum srv6_endpoint_behavior_codepoint behavior;
 bool allocated = false;

+ if (!isis)
+ return -1;
+
 /* Decode the received zebra message */
 s = zclient->ibuf;
 if (zapi_srv6_locator_chunk_decode(s, chunk) < 0)
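Review bot: The new `if (!isis) return -1;` discards the locator chunk without leaving any trace, so a missing instance cannot be told apart from a decode failure or from no message arriving at all. A single log line before the return would make this diagnosable, for example `zlog_warn("%s: no IS-IS instance, ignoring SRv6 locator chunk", __func__);`. Where `isis` is assigned is outside the hunk, so it is unclear whether this path can be reached in normal operation; if it can, a debug-level message may suit better than a warning. What the zclient dispatcher does with a -1 from this callback is also not visible here and is worth confirming.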