krb5: Fix warnings

This commit is contained in:
Nicolas Williams
2021-03-28 17:51:12 -05:00
parent 82a8744787
commit fb553dde1d
28 changed files with 166 additions and 106 deletions

View File

@@ -246,7 +246,7 @@ krb5_acl_match_file(krb5_context context,
...)
{
krb5_error_code ret;
struct acl_field *acl;
struct acl_field *acl = NULL;
char buf[256];
va_list ap;
FILE *f;

View File

@@ -525,7 +525,7 @@ arange_parse_addr (krb5_context context,
return ret;
}
if(high.len != 1 && high.val[0].addr_type != low.val[0].addr_type) {
if(high.len != 1 || high.val[0].addr_type != low.val[0].addr_type) {
krb5_free_addresses(context, &low);
krb5_free_addresses(context, &high);
return -1;

View File

@@ -754,6 +754,9 @@ krb_enc_test(krb5_context context)
kb.keyvalue.data = krbencs[i].key;
ret = krb5_crypto_init(context, &kb, krbencs[i].enctype, &crypto);
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_init failed with %d for test %d",
ret, i);
cipher.length = krbencs[i].elen;
cipher.data = krbencs[i].edata;
@@ -763,20 +766,24 @@ krb_enc_test(krb5_context context)
ret = krb_enc(context, crypto, krbencs[i].usage, &cipher, &plain);
if (ret)
errx(1, "krb_enc failed with %d for test %d", ret, i);
krb5_err(context, 1, ret, "krb_enc failed with %d for test %d",
ret, i);
ret = krb_enc_iov(context, crypto, krbencs[i].usage, &cipher, &plain);
if (ret)
errx(1, "krb_enc_iov failed with %d for test %d", ret, i);
krb5_err(context, 1, ret, "krb_enc_iov failed with %d for test %d",
ret, i);
ret = krb_enc_iov2(context, crypto, krbencs[i].usage,
cipher.length, &plain);
if (ret)
errx(1, "krb_enc_iov2 failed with %d for test %d", ret, i);
krb5_err(context, 1, ret, "krb_enc_iov2 failed with %d for test %d",
ret, i);
ret = krb_checksum_iov(context, crypto, krbencs[i].usage, &plain, NULL);
if (ret)
errx(1, "krb_checksum_iov failed with %d for test %d", ret, i);
krb5_err(context, 1, ret,
"krb_checksum_iov failed with %d for test %d", ret, i);
if (krbencs[i].cdata) {
krb5_data checksum;
@@ -787,7 +794,9 @@ krb_enc_test(krb5_context context)
ret = krb_checksum_iov(context, crypto, krbencs[i].usage,
&plain, &checksum);
if (ret)
errx(1, "krb_checksum_iov(2) failed with %d for test %d", ret, i);
krb5_err(context, 1, ret,
"krb_checksum_iov(2) failed with %d for test %d",
ret, i);
}
krb5_crypto_destroy(context, crypto);
@@ -795,7 +804,8 @@ krb_enc_test(krb5_context context)
ret = krb_enc_mit(context, krbencs[i].enctype, &kb,
krbencs[i].usage, &cipher, &plain);
if (ret)
errx(1, "krb_enc_mit failed with %d for test %d", ret, i);
krb5_err(context, 1, ret, "krb_enc_mit failed with %d for test %d",
ret, i);
}
return 0;

View File

@@ -78,7 +78,7 @@ _krb5_ticket2krb5_principal(krb5_context context,
const AuthorizationData *authenticator_ad)
{
krb5_error_code ret;
krb5_principal p;
krb5_principal p = NULL;
*principal = NULL;
@@ -127,7 +127,7 @@ _krb5_kdcrep2krb5_principal(krb5_context context,
const EncKDCRepPart *kdcrep)
{
krb5_error_code ret;
krb5_principal p;
krb5_principal p = NULL;
*principal = NULL;

View File

@@ -514,7 +514,7 @@ krb5_cc_get_subsidiary(krb5_context context, krb5_ccache id)
const char *name = NULL;
if (id->ops->version >= KRB5_CC_OPS_VERSION_5
&& id->ops->get_name_2 == NULL)
&& id->ops->get_name_2 != NULL)
(void) id->ops->get_name_2(context, id, NULL, NULL, &name);
return name;
}
@@ -923,7 +923,7 @@ krb5_cc_destroy(krb5_context context,
/*
* Destroy associated hx509 PKIX credential store created by krb5_kx509*().
*/
if ((ret = krb5_cc_get_config(context, id, NULL, "kx509store", &d)) == 0) {
if (krb5_cc_get_config(context, id, NULL, "kx509store", &d) == 0) {
char *name;
if ((name = strndup(d.data, d.length)) == NULL) {
@@ -1001,7 +1001,6 @@ krb5_cc_close(krb5_context context,
_krb5_debug(context, 2, "failed to fetch a certificate");
else
_krb5_debug(context, 2, "fetched a certificate");
ret = 0;
}
}

View File

@@ -106,7 +106,7 @@ init_context_from_config_file(krb5_context context)
krb5_error_code ret;
const char * tmp;
char **s;
krb5_enctype *tmptypes;
krb5_enctype *tmptypes = NULL;
INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
INIT_FIELD(context, time, kdc_timeout, 30, "kdc_timeout");

View File

@@ -2152,7 +2152,10 @@ krb5_crypto_length(krb5_context context,
*len = 0;
return 0;
case KRB5_CRYPTO_TYPE_TRAILER:
*len = CHECKSUMSIZE(crypto->et->keyed_checksum);
if (crypto->et->keyed_checksum)
*len = CHECKSUMSIZE(crypto->et->keyed_checksum);
else
*len = 0;
return 0;
case KRB5_CRYPTO_TYPE_CHECKSUM:
if (crypto->et->keyed_checksum)

View File

@@ -681,12 +681,12 @@ dcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
}
if ((iter->d = opendir(iter->dc->dir)) == NULL) {
free(iter->dc->dir);
free(iter->dc);
free(iter);
krb5_set_error_message(context, KRB5_CC_FORMAT,
N_("Can't open DIR %s: %s", ""),
iter->dc->dir, strerror(errno));
free(iter->dc->dir);
free(iter->dc);
free(iter);
return KRB5_CC_FORMAT;
}
@@ -709,8 +709,8 @@ dcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
/* Emit primary subsidiary first */
if (iter->first &&
(ret = get_default_cache(context, iter->dc, NULL, &iter->primary)) == 0 &&
is_filename_cacheish(iter->primary)) {
get_default_cache(context, iter->dc, NULL, &iter->primary) == 0 &&
iter->primary && is_filename_cacheish(iter->primary)) {
iter->first = 0;
ret = KRB5_CC_END;
if (asprintf(&p, "FILE:%s/%s", iter->dc->dir, iter->primary) > -1 && p != NULL &&

View File

@@ -324,15 +324,13 @@ krb5_keytab_key_proc (krb5_context context,
ret = krb5_kt_get_entry (context, real_keytab, principal,
0, enctype, &entry);
if (ret == 0) {
ret = krb5_copy_keyblock (context, &entry.keyblock, key);
krb5_kt_free_entry(context, &entry);
}
if (keytab == NULL)
krb5_kt_close (context, real_keytab);
if (ret)
return ret;
ret = krb5_copy_keyblock (context, &entry.keyblock, key);
krb5_kt_free_entry(context, &entry);
return ret;
}

View File

@@ -33,10 +33,10 @@
#include "krb5_locl.h"
#undef krb5_enomem
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enomem(krb5_context context)
{
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}

View File

@@ -477,7 +477,6 @@ fcc_open(krb5_context context,
return krb5_einval(context, 2);
if ((flags & O_EXCL)) {
flags &= ~O_EXCL;
/*
* FIXME Instead of mkostemp()... we could instead try to use a .new
* file... with care. Or the O_TMPFILE / linkat() extensions. We need

View File

@@ -1375,6 +1375,8 @@ _krb5_get_cred_kdc_any(krb5_context context,
krb5_deltat offset;
krb5_data data;
krb5_data_zero(&data);
/*
* If we are using LKDC, lets pull out the addreses from the
* ticket and use that.
@@ -1382,23 +1384,19 @@ _krb5_get_cred_kdc_any(krb5_context context,
ret = krb5_cc_get_config(context, ccache, NULL, "lkdc-hostname", &data);
if (ret == 0) {
kdc_hostname = malloc(data.length + 1);
if (kdc_hostname == NULL)
return krb5_enomem(context);
memcpy(kdc_hostname, data.data, data.length);
kdc_hostname[data.length] = '\0';
if ((kdc_hostname = strndup(data.data, data.length)) == NULL) {
ret = krb5_enomem(context);
goto out;
}
krb5_data_free(&data);
}
ret = krb5_cc_get_config(context, ccache, NULL, "sitename", &data);
if (ret == 0) {
sitename = malloc(data.length + 1);
if (sitename == NULL)
return krb5_enomem(context);
memcpy(sitename, data.data, data.length);
sitename[data.length] = '\0';
if ((sitename = strndup(data.data, data.length)) == NULL) {
ret = krb5_enomem(context);
goto out;
}
krb5_data_free(&data);
}
@@ -1441,9 +1439,9 @@ _krb5_get_cred_kdc_any(krb5_context context,
out_creds);
out:
krb5_data_free(&data);
free(kdc_hostname);
free(sitename);
return ret;
}

View File

@@ -2701,27 +2701,23 @@ keytab_key_proc(krb5_context context, krb5_enctype enctype,
krb5_keytab keytab = args->keytab;
krb5_principal principal = args->principal;
krb5_error_code ret;
krb5_keytab real_keytab;
krb5_keytab real_keytab = NULL;
krb5_keytab_entry entry;
if (keytab == NULL) {
ret = krb5_kt_default(context, &real_keytab);
if (ret)
return ret;
} else
real_keytab = keytab;
keytab = real_keytab;
}
ret = krb5_kt_get_entry (context, real_keytab, principal,
0, enctype, &entry);
ret = krb5_kt_get_entry (context, keytab, principal, 0, enctype, &entry);
if (ret == 0) {
ret = krb5_copy_keyblock(context, &entry.keyblock, key);
krb5_kt_free_entry(context, &entry);
}
if (keytab == NULL)
krb5_kt_close (context, real_keytab);
if (ret)
return ret;
ret = krb5_copy_keyblock (context, &entry.keyblock, key);
krb5_kt_free_entry(context, &entry);
krb5_kt_close(context, real_keytab);
return ret;
}
@@ -4009,7 +4005,7 @@ _krb5_init_creds_init_gss(krb5_context context,
const struct gss_OID_desc_struct *gss_mech,
unsigned int flags)
{
krb5_gss_init_ctx gssic = ctx->gss_init_ctx;
krb5_gss_init_ctx gssic;
gssic = calloc(1, sizeof(*gssic));
if (gssic == NULL)

View File

@@ -358,10 +358,11 @@ krb5_kt_read_service_key(krb5_context context,
krb5_enctype enctype,
krb5_keyblock **key)
{
krb5_keytab keytab;
krb5_keytab keytab = NULL; /* Quiet lint */
krb5_keytab_entry entry;
krb5_error_code ret;
memset(&entry, 0, sizeof(entry));
if (keyprocarg)
ret = krb5_kt_resolve (context, keyprocarg, &keytab);
else
@@ -371,11 +372,11 @@ krb5_kt_read_service_key(krb5_context context,
return ret;
ret = krb5_kt_get_entry (context, keytab, principal, vno, enctype, &entry);
if (ret == 0) {
ret = krb5_copy_keyblock (context, &entry.keyblock, key);
krb5_kt_free_entry(context, &entry);
}
krb5_kt_close (context, keytab);
if (ret)
return ret;
ret = krb5_copy_keyblock (context, &entry.keyblock, key);
krb5_kt_free_entry(context, &entry);
return ret;
}
@@ -482,11 +483,13 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_close(krb5_context context,
krb5_keytab id)
{
krb5_error_code ret;
krb5_error_code ret = 0;
ret = (*id->close)(context, id);
memset(id, 0, sizeof(*id));
free(id);
if (id) {
ret = (id->close)(context, id);
memset(id, 0, sizeof(*id));
free(id);
}
return ret;
}
@@ -620,6 +623,7 @@ krb5_kt_get_entry_wrapped(krb5_context context,
if(id->get)
return (*id->get)(context, id, principal, kvno, enctype, entry);
memset(&tmp, 0, sizeof(tmp));
ret = krb5_kt_start_seq_get (context, id, &cursor);
if (ret) {
/* This is needed for krb5_verify_init_creds, but keep error
@@ -731,21 +735,21 @@ krb5_kt_copy_entry_contents(krb5_context context,
krb5_error_code ret;
memset(out, 0, sizeof(*out));
out->vno = in->vno;
ret = krb5_copy_principal (context, in->principal, &out->principal);
if (ret)
goto fail;
return ret;
ret = krb5_copy_keyblock_contents (context,
&in->keyblock,
&out->keyblock);
if (ret)
goto fail;
if (ret) {
krb5_free_principal(context, out->principal);
memset(out, 0, sizeof(*out));
return ret;
}
out->vno = in->vno;
out->timestamp = in->timestamp;
return 0;
fail:
krb5_kt_free_entry (context, out);
return ret;
}
/**
@@ -927,6 +931,7 @@ krb5_kt_have_content(krb5_context context,
krb5_error_code ret;
char *name;
memset(&entry, 0, sizeof(entry));
ret = krb5_kt_start_seq_get(context, id, &cursor);
if (ret)
goto notfound;

View File

@@ -371,6 +371,7 @@ fkt_start_seq_get_int(krb5_context context,
struct fkt_data *d = id->data;
const char *stdio_mode = "rb";
memset(c, 0, sizeof(*c));
c->fd = open (d->filename, flags);
if (c->fd < 0) {
ret = errno;

View File

@@ -1044,5 +1044,24 @@ extern KRB5_LIB_VARIABLE const char *krb5_cc_type_scc;
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc;
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_keyring;
/* clang analyzer workarounds */
#ifdef __clang_analyzer__
/*
* The clang analyzer (lint) can't know that krb5_enomem() always returns
* non-zero, so code like:
*
* if ((x = malloc(...)) == NULL)
* ret = krb5_enomem(context)
* if (ret == 0)
* *x = ...;
*
* causes false positives.
*
* The fix is to make krb5_enomem() a macro that always evaluates to ENOMEM.
*/
#define krb5_enomem(c) (krb5_enomem(c), ENOMEM)
#endif
#endif /* __KRB5_H__ */

View File

@@ -110,6 +110,12 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
if(rr->type == rk_ns_t_srv)
num_srv++;
if (num_srv == 0) {
_krb5_debug(context, 0,
"DNS SRV RR lookup domain nodata: %s", domain);
return KRB5_KDC_UNREACH;
}
*res = malloc(num_srv * sizeof(**res));
if(*res == NULL) {
rk_dns_free_data(r);

View File

@@ -473,7 +473,7 @@ make_subsidiary_residual(krb5_context context,
char **presidual)
{
if (asprintf(presidual, "%s:%s:%s", anchor_name, collection_name,
subsidiary_name) < 0) {
subsidiary_name ? subsidiary_name : "tkt") < 0) {
*presidual = NULL;
return krb5_enomem(context);
}
@@ -498,6 +498,9 @@ get_collection(krb5_context context,
heim_base_atomic_init(pcollection_id, 0);
if (!anchor_name || !collection_name)
return KRB5_KCC_INVALID_ANCHOR;
if (strcmp(anchor_name, KRCC_PERSISTENT_ANCHOR) == 0) {
/*
* The collection name is a uid (or empty for the current effective
@@ -1262,7 +1265,7 @@ alloc_cache(krb5_context context,
subsidiary_name, &data->krc_name);
if (ret ||
(data->krc_collection = strdup(collection_name)) == NULL ||
(data->krc_subsidiary = strdup(subsidiary_name)) == NULL) {
(data->krc_subsidiary = strdup(subsidiary_name ? subsidiary_name : "tkt")) == NULL) {
if (data) {
free(data->krc_collection);
free(data->krc_name);
@@ -1887,7 +1890,8 @@ krcc_get_cache_next(krb5_context context,
continue;
/* Don't repeat the primary cache. */
if (strcmp(subsidiary_name, iter->primary_name) == 0)
if (iter->primary_name &&
strcmp(subsidiary_name ? subsidiary_name : "tkt", iter->primary_name) == 0)
continue;
/* We found a valid key */

View File

@@ -1262,7 +1262,9 @@ krb5_kx509(krb5_context context, krb5_ccache cc, const char *realm)
char *store_exp = NULL;
ret = krb5_kx509_ctx_init(context, &kx509_ctx);
if (ret == 0 && realm)
if (ret)
return ret;
if (realm)
ret = krb5_kx509_ctx_set_realm(context, kx509_ctx, realm);
/*

View File

@@ -120,10 +120,10 @@ again:
if (strcmp(m->name, m_c->name) == 0)
break;
if (m_c) {
free(m->name);
free(m);
if (name) {
/* We raced with another thread to create this cache */
free(m->name);
free(m);
m = m_c;
HEIMDAL_MUTEX_lock(&(m->mutex));
m->refcnt++;

View File

@@ -258,15 +258,16 @@ _krb5_mk_ncred(krb5_context context,
*/
ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
if (ret == 0)
ret = krb5_encrypt_EncryptedData(context,
crypto,
KRB5_KU_KRB_CRED,
buf,
len,
0,
&cred.enc_part);
if (ret)
goto out;
ret = krb5_encrypt_EncryptedData(context,
crypto,
KRB5_KU_KRB_CRED,
buf,
len,
0,
&cred.enc_part);
DISOWN_BUF(buf);
krb5_crypto_destroy(context, crypto);
}

View File

@@ -114,6 +114,14 @@ select_dh_group(krb5_context context, DH *dh, unsigned long bits,
{
const struct krb5_dh_moduli *m;
if (moduli[0] == NULL) {
krb5_set_error_message(context, EINVAL,
N_("Did not find a DH group parameter "
"matching requirement of %lu bits", ""),
bits);
return EINVAL;
}
if (bits == 0) {
m = moduli[1]; /* XXX */
if (m == NULL)
@@ -1198,11 +1206,13 @@ pk_rd_pa_reply_enckey(krb5_context context,
&contentType,
&unwrapped,
&host);
if (ret == 0) {
krb5_data_free(&content);
ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length);
der_free_octet_string(&unwrapped);
}
if (ret)
goto out;
krb5_data_free(&content);
ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length);
der_free_octet_string(&unwrapped);
heim_assert(host || (ctx->id->flags & PKINIT_NO_KDC_ANCHOR),
"KDC signature must be verified unless PKINIT_NO_KDC_ANCHOR set");
@@ -1857,7 +1867,7 @@ _krb5_pk_load_id(krb5_context context,
{
struct krb5_pk_identity *id = NULL;
struct prompter p;
int ret;
krb5_error_code ret;
*ret_id = NULL;
@@ -2100,7 +2110,6 @@ _krb5_parse_moduli_line(krb5_context context,
m1->q.length = 0;
m1->q.data = 0;
krb5_clear_error_message(context);
ret = 0;
}
*m = m1;

View File

@@ -1762,7 +1762,7 @@ _krb5_get_name_canon_rules(krb5_context context, krb5_name_canon_rule *rules)
"libdefaults", "safe_name_canon", NULL))
make_rules_safe(context, *rules);
heim_assert(rules != NULL && (*rules)[0].type != KRB5_NCRT_BOGUS,
heim_assert((*rules)[0].type != KRB5_NCRT_BOGUS,
"internal error in parsing principal name "
"canonicalization rules");

View File

@@ -807,11 +807,10 @@ get_key_from_keytab(krb5_context context,
kvno,
ap_req->ticket.enc_part.etype,
&entry);
if(ret)
goto out;
ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
krb5_kt_free_entry (context, &entry);
out:
if(ret == 0) {
ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
krb5_kt_free_entry(context, &entry);
}
if(keytab == NULL)
krb5_kt_close(context, real_keytab);

View File

@@ -1370,16 +1370,18 @@ krb5_ret_times(krb5_storage *sp, krb5_times *times)
{
int ret;
int32_t tmp;
ret = krb5_ret_int32(sp, &tmp);
if (ret) return ret;
times->authtime = tmp;
if(ret) return ret;
ret = krb5_ret_int32(sp, &tmp);
if (ret) return ret;
times->starttime = tmp;
if(ret) return ret;
ret = krb5_ret_int32(sp, &tmp);
if (ret) return ret;
times->endtime = tmp;
if(ret) return ret;
ret = krb5_ret_int32(sp, &tmp);
if (ret) return ret;
times->renew_till = tmp;
return ret;
}

View File

@@ -670,6 +670,8 @@ test_move(krb5_context context, const char *type)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_cc_move(context, fromid, toid);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_move");
ret = krb5_cc_get_principal(context, toid, &p2);
if (ret)

View File

@@ -48,11 +48,11 @@ expand_hostname(krb5_context context, const char *host)
if (ret)
krb5_err(context, 1, ret, "krb5_expand_hostname(%s)", host);
free(h);
if (debug_flag)
printf("hostname: %s -> %s\n", host, h);
free(h);
ret = krb5_expand_hostname_realms(context, host, &h, &r);
if (ret)
krb5_err(context, 1, ret, "krb5_expand_hostname_realms(%s)", host);

View File

@@ -274,13 +274,17 @@ decode_realms(krb5_context context,
}
if(tr[i] == ','){
tmp = malloc(tr + i - start + 1);
if(tmp == NULL)
if(tmp == NULL) {
free_realms(*realms);
*realms = NULL;
return krb5_enomem(context);
}
memcpy(tmp, start, tr + i - start);
tmp[tr + i - start] = '\0';
r = make_realm(tmp);
if(r == NULL){
free_realms(*realms);
*realms = NULL;
return krb5_enomem(context);
}
*realms = append_realm(*realms, r);
@@ -289,7 +293,8 @@ decode_realms(krb5_context context,
}
tmp = malloc(tr + i - start + 1);
if(tmp == NULL){
free(*realms);
free_realms(*realms);
*realms = NULL;
return krb5_enomem(context);
}
memcpy(tmp, start, tr + i - start);
@@ -297,6 +302,7 @@ decode_realms(krb5_context context,
r = make_realm(tmp);
if(r == NULL){
free_realms(*realms);
*realms = NULL;
return krb5_enomem(context);
}
*realms = append_realm(*realms, r);
@@ -353,8 +359,6 @@ krb5_domain_x500_decode(krb5_context context,
{
char **R;
R = malloc((*num_realms + 1) * sizeof(*R));
if (R == NULL)
return krb5_enomem(context);
*realms = R;
while(r){
*R++ = r->realm;
@@ -362,6 +366,8 @@ krb5_domain_x500_decode(krb5_context context,
free(r);
r = p;
}
if (*realms == NULL)
return krb5_enomem(context);
}
return 0;
}
@@ -621,11 +627,12 @@ krb5_check_transited(krb5_context context,
return ret;
for (i = 0; i < num_realms; i++) {
for (j = 0; j < num_capath; ++j) {
for (j = 0; j < num_capath && capath[j]; ++j) {
/* `capath[j]' can't be NULL, but compilers be dumb */
if (strcmp(realms[i], capath[j]) == 0)
break;
}
if (j == num_capath) {
if (j == num_capath || !capath[j]) {
_krb5_free_capath(context, capath);
krb5_set_error_message (context, KRB5KRB_AP_ERR_ILL_CR_TKT,
N_("no transit allowed "