Static analyzer appeasement

This commit is contained in:
Robbie Harwood 2019-09-12 10:15:52 -04:00
parent 6ea5e5fa9a
commit bff738a25d
3 changed files with 68 additions and 1 deletions

View File

@ -0,0 +1,28 @@
From 7016aa77499732446d7bc838b95810c8cdf5b15b Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 30 Aug 2019 11:19:52 -0400
Subject: [PATCH] Remove null check in krb5_gss_duplicate_name()
Within the krb5 mechanism, we require minor_status to be writable
without checking. Remove the null check in krb5_gss_duplicate_name()
to squash a forward-null defect.
(cherry picked from commit 9fd7bc179f0bd74fc83c1edf0247dcfd87fc73e6)
---
src/lib/gssapi/krb5/duplicate_name.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/lib/gssapi/krb5/duplicate_name.c b/src/lib/gssapi/krb5/duplicate_name.c
index b88d97d9d..ea53e9c0d 100644
--- a/src/lib/gssapi/krb5/duplicate_name.c
+++ b/src/lib/gssapi/krb5/duplicate_name.c
@@ -34,8 +34,7 @@ krb5_gss_duplicate_name(OM_uint32 *minor_status, const gss_name_t input_name,
krb5_error_code code;
krb5_gss_name_t princ, outprinc;
- if (minor_status)
- *minor_status = 0;
+ *minor_status = 0;
code = krb5_gss_init_context(&context);
if (code) {

View File

@ -0,0 +1,34 @@
From e2087bcf8a10fa0ecc4f0663e8df9b7ef5752805 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 30 Aug 2019 11:16:58 -0400
Subject: [PATCH] Squash apparent forward-null in clnttcp_create()
clnttcp_create() only allows raddr to be NULL if *sockp is set.
Static analyzers cannot know this, so can report a forward null
defect. Add an raddr check before calling connect() to squash the
defect.
[ghudson@mit.edu: rewrote commit message]
(cherry picked from commit b2f688eedd4bcca525201ef9485749a8c20b808a)
---
src/lib/rpc/clnt_tcp.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/lib/rpc/clnt_tcp.c b/src/lib/rpc/clnt_tcp.c
index 87761906c..dbd62d0a7 100644
--- a/src/lib/rpc/clnt_tcp.c
+++ b/src/lib/rpc/clnt_tcp.c
@@ -168,9 +168,9 @@ clnttcp_create(
if (*sockp < 0) {
*sockp = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
(void)bindresvport_sa(*sockp, NULL);
- if ((*sockp < 0)
- || (connect(*sockp, (struct sockaddr *)raddr,
- sizeof(*raddr)) < 0)) {
+ if (*sockp < 0 || raddr == NULL ||
+ connect(*sockp, (struct sockaddr *)raddr,
+ sizeof(*raddr)) < 0) {
rpc_createerr.cf_stat = RPC_SYSTEMERROR;
rpc_createerr.cf_error.re_errno = errno;
(void)closesocket(*sockp);

View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.17
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 43%{?dist}
Release: 44%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -121,6 +121,8 @@ Patch159: Initialize-life-rlife-in-kdcpolicy-interface.patch
Patch160: Fix-KCM-client-time-offset-propagation.patch
Patch161: krb5-1.17post5-FIPS-with-PRNG-and-RADIUS-without-SPA.patch
Patch162: Simplify-krb5_dbe_def_search_enctype.patch
Patch163: Squash-apparent-forward-null-in-clnttcp_create.patch
Patch164: Remove-null-check-in-krb5_gss_duplicate_name.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -727,6 +729,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Thu Sep 12 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-44
- Static analyzer appeasement
* Tue Aug 27 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-43
- Simplify krb5_dbe_def_search_enctype()