[Bug 2687] Coverity scan fixes

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Mar 3 21:08:17 AEDT 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=2687

--- Comment #29 from Darren Tucker <dtucker at dtucker.net> ---
Comment on attachment 2954
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2954
2nd part with lower priority

>diff --git a/krl.c b/krl.c
> 			/* Handled above, but still need to stay in synch */
>-			sshbuf_reset(sect);
>+			sshbuf_free(sect);
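
Review bot: sect is left pointing at freed memory after the new sshbuf_free(sect) call. If sect is read again or freed on an exit path of the enclosing code (neither is visible in this hunk), that becomes a use-after-free or a double free, so follow the call with `sect = NULL;`. The retained comment about staying in synch should also be checked against the new behaviour, since freeing the buffer is not the same as resetting it.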

This one is done.

>@@ -1288,7 +1288,8 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key)
> 	debug2("%s: checking KRL %s", __func__, path);
> 	r = ssh_krl_check_key(krl, key);
>  out:
>-	close(fd);
>+	if (fd != -1)
>+		close(fd);
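
Review bot: the `if (fd != -1)` guard at the out: label is only correct if fd is initialised to -1 before the first jump to out, and the declaration is not part of this hunk. Confirm it reads `int fd = -1;`, otherwise the guard tests an indeterminate value on the early-error paths.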

This function doesn't do any descriptor handling any more.

>diff --git a/readconf.c b/readconf.c
>index acc1391..c4dff15 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -1185,7 +1185,7 @@ parse_int:
> 		value = cipher_number(arg);
> 		if (value == -1)
> 			fatal("%.200s line %d: Bad cipher '%s'.",
>-			    filename, linenum, arg ? arg : "<NONE>");
>+			    filename, linenum, arg);

This code is gone (I think it was part of SSH1 handling).

> 		if (*activep && *intptr == -1)
> 			*intptr = value;
> 		break;
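
Review bot: in the Bad cipher fatal() call, dropping `arg ? arg : "<NONE>"` passes arg straight to a %s conversion, and nothing in the visible lines checks arg for NULL before cipher_number(arg) or before fatal(). Passing NULL to %s is undefined behaviour in C, so keep the fallback unless an explicit NULL check on arg precedes this point. If one does, say so in the commit message.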
>@@ -1196,7 +1196,7 @@ parse_int:
> 			fatal("%.200s line %d: Missing argument.", filename, linenum);
> 		if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
> 			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
>-			    filename, linenum, arg ? arg : "<NONE>");
>+			    filename, linenum, arg);
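
Review bot: in the Bad SSH2 cipher spec branch, the condition already dereferences arg (`*arg != '-'`) before fatal() is reached, so whether the removed fallback was dead code depends entirely on the Missing argument check above, whose condition is not shown in this hunk. Confirm that check rejects a NULL arg as well as an empty one before removing `arg ? arg : "<NONE>"`.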

I think this one is wrong: it'll potentially cause a NULL pointer deref
on platforms whose string libs don't guard against it (e.g. Solaris).  Same
for the following instances of the same thing.

>diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
>index aaf712d..62a76b3 100644
>--- a/ssh-pkcs11.c
>+++ b/ssh-pkcs11.c
>@@ -536,8 +536,8 @@ pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,

This function has been removed.

>diff --git a/sshconnect1.c b/sshconnect1.c

SSH1 support has been removed.

>diff --git a/sshkey.c b/sshkey.c
>index 58c1051..6afacb5 100644
>--- a/sshkey.c
>+++ b/sshkey.c
>@@ -1239,6 +1239,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
> 	u_long bits;
> #endif /* WITH_SSH1 */
> 
>+	if (ret == NULL)
>+		return SSH_ERR_INVALID_ARGUMENT;
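
Review bot: the new NULL check in sshkey_read() covers ret but not the second parameter, `char **cpp`, shown in the hunk header. If the function dereferences cpp or *cpp, extend the check, for example `if (ret == NULL || cpp == NULL || *cpp == NULL)`, so both arguments are validated in one place.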

This has already been fixed.
