Static analyzer appeasement

Remove-null-check-in-krb5_gss_duplicate_name.patch

@@ -0,0 +1,28 @@
+From 7016aa77499732446d7bc838b95810c8cdf5b15b Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Fri, 30 Aug 2019 11:19:52 -0400
+Subject: [PATCH] Remove null check in krb5_gss_duplicate_name()
+
+Within the krb5 mechanism, we require minor_status to be writable
+without checking.  Remove the null check in krb5_gss_duplicate_name()
+to squash a forward-null defect.
+
+(cherry picked from commit 9fd7bc179f0bd74fc83c1edf0247dcfd87fc73e6)
+---
+ src/lib/gssapi/krb5/duplicate_name.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/duplicate_name.c b/src/lib/gssapi/krb5/duplicate_name.c
+index b88d97d9d..ea53e9c0d 100644
+--- a/src/lib/gssapi/krb5/duplicate_name.c
++++ b/src/lib/gssapi/krb5/duplicate_name.c
+@@ -34,8 +34,7 @@ krb5_gss_duplicate_name(OM_uint32 *minor_status, const gss_name_t input_name,
+     krb5_error_code code;
+     krb5_gss_name_t princ, outprinc;
+ 
+-    if (minor_status)
+-        *minor_status = 0;
++    *minor_status = 0;
+ 
+     code = krb5_gss_init_context(&context);
+     if (code) {

Squash-apparent-forward-null-in-clnttcp_create.patch

@@ -0,0 +1,34 @@
+From e2087bcf8a10fa0ecc4f0663e8df9b7ef5752805 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Fri, 30 Aug 2019 11:16:58 -0400
+Subject: [PATCH] Squash apparent forward-null in clnttcp_create()
+
+clnttcp_create() only allows raddr to be NULL if *sockp is set.
+Static analyzers cannot know this, so can report a forward null
+defect.  Add an raddr check before calling connect() to squash the
+defect.
+
+[ghudson@mit.edu: rewrote commit message]
+
+(cherry picked from commit b2f688eedd4bcca525201ef9485749a8c20b808a)
+---
+ src/lib/rpc/clnt_tcp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/rpc/clnt_tcp.c b/src/lib/rpc/clnt_tcp.c
+index 87761906c..dbd62d0a7 100644
+--- a/src/lib/rpc/clnt_tcp.c
++++ b/src/lib/rpc/clnt_tcp.c
+@@ -168,9 +168,9 @@ clnttcp_create(
+ 	if (*sockp < 0) {
+ 		*sockp = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+ 		(void)bindresvport_sa(*sockp, NULL);
+-		if ((*sockp < 0)
+-		    || (connect(*sockp, (struct sockaddr *)raddr,
+-		    sizeof(*raddr)) < 0)) {
++		if (*sockp < 0 || raddr == NULL ||
++		    connect(*sockp, (struct sockaddr *)raddr,
++			    sizeof(*raddr)) < 0) {
+ 			rpc_createerr.cf_stat = RPC_SYSTEMERROR;
+ 			rpc_createerr.cf_error.re_errno = errno;
+                         (void)closesocket(*sockp);

krb5.spec

@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.17
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 43%{?dist}
+Release: 44%{?dist}
 
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@@ -121,6 +121,8 @@ Patch159: Initialize-life-rlife-in-kdcpolicy-interface.patch
 Patch160: Fix-KCM-client-time-offset-propagation.patch
 Patch161: krb5-1.17post5-FIPS-with-PRNG-and-RADIUS-without-SPA.patch
 Patch162: Simplify-krb5_dbe_def_search_enctype.patch
+Patch163: Squash-apparent-forward-null-in-clnttcp_create.patch
+Patch164: Remove-null-check-in-krb5_gss_duplicate_name.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -727,6 +729,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Thu Sep 12 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-44
+- Static analyzer appeasement
+
 * Tue Aug 27 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-43
 - Simplify krb5_dbe_def_search_enctype()