[multiple] fix coverity warnings

2021-01-17 14:32:46 -05:00 · 2021-01-17 14:32:46 -05:00 · 0e2a14921e
parent 5b0aed8c32
commit 0e2a14921e
4 changed files with 41 additions and 8 deletions
--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@ -350,7 +350,16 @@ mod_gnutls_session_ticket_key_file (const char *fn)
    if (buf[0] == 0) { /*(format version 0)*/
        session_ticket_keys[0].active_ts = buf[1];
        session_ticket_keys[0].expire_ts = buf[2];
+      #ifndef __COVERITY__
        memcpy(&session_ticket_keys[0].tick_key_name, buf+3, 80);
+      #else
+        memcpy(&session_ticket_keys[0].tick_key_name,
+               buf+3, TLSEXT_KEYNAME_LENGTH);
+        memcpy(&session_ticket_keys[0].tick_hmac_key,
+               buf+7, TLSEXT_TICK_KEY_LENGTH);
+        memcpy(&session_ticket_keys[0].tick_aes_key,
+               buf+15, TLSEXT_TICK_KEY_LENGTH);
+      #endif
        rc = 1;
    }

@ -378,7 +387,13 @@ mod_gnutls_session_ticket_key_check (server *srv, const plugin_data *p, const ti
            }
            memcpy(session_ticket_key.data,
                   stek->tick_key_name, TICKET_MASTER_KEY_SIZE);
+          #ifndef __COVERITY__
            gnutls_memset(stek->tick_key_name, 0, TICKET_MASTER_KEY_SIZE);
+          #else
+            gnutls_memset(stek->tick_key_name, 0, TLSEXT_KEYNAME_LENGTH);
+            gnutls_memset(stek->tick_hmac_key, 0, TLSEXT_TICK_KEY_LENGTH);
+            gnutls_memset(stek->tick_aes_key, 0, TLSEXT_TICK_KEY_LENGTH);
+          #endif
        }
        if (stek->expire_ts < cur_ts)
            mod_gnutls_session_ticket_key_free();
--- a/src/mod_mbedtls.c
+++ b/src/mod_mbedtls.c
@ -313,7 +313,16 @@ mod_mbedtls_session_ticket_key_file (const char *fn)
    if (buf[0] == 0) { /*(format version 0)*/
        session_ticket_keys[0].active_ts = buf[1];
        session_ticket_keys[0].expire_ts = buf[2];
+      #ifndef __COVERITY__
        memcpy(&session_ticket_keys[0].tick_key_name, buf+3, 80);
+      #else
+        memcpy(&session_ticket_keys[0].tick_key_name,
+               buf+3, TLSEXT_KEYNAME_LENGTH);
+        memcpy(&session_ticket_keys[0].tick_hmac_key,
+               buf+7, TLSEXT_TICK_KEY_LENGTH);
+        memcpy(&session_ticket_keys[0].tick_aes_key,
+               buf+15, TLSEXT_TICK_KEY_LENGTH);
+      #endif
        rc = 1;
    }

@ -2292,7 +2301,10 @@ http_cgi_ssl_env (request_st * const r, handler_ctx * const hctx)
    s = cipher_info->name;
    http_header_env_set(r, CONST_STR_LEN("SSL_CIPHER"), s, strlen(s));

-    if (cipher_info != NULL) {
+  #if 0 /*(for use with mbedtls_cipher_info_from_type() above)*/
+    if (cipher_info != NULL)
+  #endif
+    {
        /* SSL_CIPHER_ALGKEYSIZE - Number of cipher bits (possible) */
        /* SSL_CIPHER_USEKEYSIZE - Number of cipher bits (actually used) */
        /* XXX: is usekeysize correct? XXX: reaching into ssl_internal.h here */
@ -3598,7 +3610,7 @@ mod_mbedtls_ssl_conf_proto (server *srv, plugin_config_socket *s, const buffer *
      #ifdef MBEDTLS_SSL_MINOR_VERSION_4
        v = max ? MBEDTLS_SSL_MINOR_VERSION_4 : MBEDTLS_SSL_MINOR_VERSION_3;
      #else
-        v = max ? MBEDTLS_SSL_MINOR_VERSION_3 : MBEDTLS_SSL_MINOR_VERSION_3;
+        v = MBEDTLS_SSL_MINOR_VERSION_3;
      #endif
    else if (buffer_eq_icase_slen(b, CONST_STR_LEN("None"))) /*"disable" limit*/
        v = max
--- a/src/mod_nss.c
+++ b/src/mod_nss.c
@ -2228,8 +2228,10 @@ connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
        /* the other end closed the connection -> KEEP-ALIVE */

        return -2;
+  #ifndef __COVERITY__
    } else {
        return 0;
+  #endif
    }
 }

@ -3490,10 +3492,9 @@ mod_nss_ssl_conf_ciphersuites (server *srv, plugin_config_socket *s, buffer *cip
    char *ciphers = strdup(cipherstring->ptr);/*(string modified during parse)*/
    if (NULL == ciphers) return 0;

-    if (nss_parse_ciphers(srv->errh, ciphers, cipher_state) == -1)
-        return 0;
-
+    int rc = nss_parse_ciphers(srv->errh, ciphers, cipher_state);
    free(ciphers);
+    if (-1 == rc) return 0;

    if (((s->protos.min && s->protos.min <= SSL_LIBRARY_VERSION_3_0)
         || s->ssl_use_sslv3)
--- a/src/mod_wolfssl.c
+++ b/src/mod_wolfssl.c
@ -744,6 +744,7 @@ mod_wolfssl_evp_pkey_load_pem_file (const char *fn, log_error_st *errh)

    if (rc < 0) {
        log_error(errh, __FILE__, __LINE__, "%s() %s", __func__, fn);
+        buffer_free(pkey);
        return NULL;
    }

@ -783,7 +784,7 @@ mod_wolfssl_load_client_CA_file (const buffer *ssl_ca_file, log_error_st *errh)
    /* similar to wolfSSL_load_client_CA_file(), plus some processing */
    buffer **certs = NULL;
    if (NULL == mod_wolfssl_load_pem_file(ssl_ca_file->ptr, errh, &certs)) {
-      #ifdef __clang_analyzer__
+      #if defined(__clang_analyzer__) || defined(__COVERITY__)
        mod_wolfssl_free_der_certs(certs); /*unnecessary; quiet clang analyzer*/
      #endif
        return NULL;
@ -831,7 +832,7 @@ mod_wolfssl_load_cacerts (const buffer *ssl_ca_file, log_error_st *errh)
    /* similar to wolfSSL_load_client_CA_file(), plus some processing */
    buffer **certs = NULL;
    if (NULL == mod_wolfssl_load_pem_file(ssl_ca_file->ptr, errh, &certs)) {
-      #ifdef __clang_analyzer__
+      #if defined(__clang_analyzer__) || defined(__COVERITY__)
        mod_wolfssl_free_der_certs(certs); /*unnecessary; quiet clang analyzer*/
      #endif
        return NULL;
@ -1527,8 +1528,12 @@ network_openssl_load_pemfile (server *srv, const buffer *pemfile, const buffer *
    buffer **ssl_pemfile_chain = NULL;
    buffer *ssl_pemfile_x509 =
      mod_wolfssl_load_pem_file(pemfile->ptr, srv->errh, &ssl_pemfile_chain);
-    if (NULL == ssl_pemfile_x509)
+    if (NULL == ssl_pemfile_x509) {
+      #if defined(__clang_analyzer__) || defined(__COVERITY__)
+        mod_wolfssl_free_der_certs(ssl_pemfile_chain); /*unnecessary*/
+      #endif
        return NULL;
+    }

    buffer *ssl_pemfile_pkey =
      mod_wolfssl_evp_pkey_load_pem_file(privkey->ptr, srv->errh);