Fix various issues highlighted by coverity scanner

Among others fix possible usage of large stack allocation.

diff --git a/common/hash.c b/common/hash.c
index 68a6d40f7f44bc9dc1c171b0f6c3c1d9c77cc4ea..5572085418d9fdf8d555ba53298e06cdb06199ed 100644 (file)
--- a/common/hash.c
+++ b/common/hash.c
@@ -143,6 +143,7 @@ p11_hash_murmur3 (void *hash,
                h1 = rotl (h1, 13);
                h1 = h1 * 5 + 0xe6546b64;
        }
+       va_end (va);
 
        /* tail */
 

diff --git a/common/lexer.c b/common/lexer.c
index 329881f045178563ee11a672385ddce09aeebbae..62534927f6e5493bc652a8c7c594de5c55227675 100644 (file)
--- a/common/lexer.c
+++ b/common/lexer.c
@@ -102,7 +102,8 @@ p11_lexer_next (p11_lexer *lexer,
        return_val_if_fail (lexer != NULL, false);
 
        clear_state (lexer);
-       *failed = false;
+       if (failed)
+               *failed = false;
 
        /* Go through lines and process them */
        while (lexer->remaining != 0) {

diff --git a/p11-kit/iter.c b/p11-kit/iter.c
index a59944a204a1a915c770cd436cbb36bb80824ceb..124d990131571988a7e16f051fdc1ca7ee37c5ba 100644 (file)
--- a/p11-kit/iter.c
+++ b/p11-kit/iter.c
@@ -87,12 +87,12 @@ struct p11_kit_iter {
        CK_OBJECT_HANDLE object;
 
        /* And various flags */
-       int searching : 1;
-       int searched : 1;
-       int iterating : 1;
-       int match_nothing : 1;
-       int keep_session : 1;
-       int preload_results : 1;
+       unsigned int searching : 1;
+       unsigned int searched : 1;
+       unsigned int iterating : 1;
+       unsigned int match_nothing : 1;
+       unsigned int keep_session : 1;
+       unsigned int preload_results : 1;
 };
 
 /**

diff --git a/p11-kit/p11-kit.c b/p11-kit/p11-kit.c
index 28c6f4a8104f7c949a48fa7810461680f861bae3..34b9476ece25b96559556949fd731345af4a9f5e 100644 (file)
--- a/p11-kit/p11-kit.c
+++ b/p11-kit/p11-kit.c
@@ -84,6 +84,9 @@ p11_kit_external (int argc,
 
        /* At this point we have no command */
        p11_message ("'%s' is not a valid command. See 'p11-kit --help'", argv[0]);
+
+       free (filename);
+       free (path);
        return 2;
 }
 
@@ -109,6 +112,9 @@ p11_kit_extract (int argc,
 
        /* At this point we have no command */
        p11_message ("'%s' is not a valid command. See 'p11-kit --help'", argv[0]);
+
+       free (path);
+       free (args);
        return 2;
 }
 

diff --git a/p11-kit/tests/test-init.c b/p11-kit/tests/test-init.c
index 76805eec95550e581c612b41680e98420d8043d1..ebc0666bb0dc5234efc88f53eb2115a62ef0d1f2 100644 (file)
--- a/p11-kit/tests/test-init.c
+++ b/p11-kit/tests/test-init.c
@@ -233,8 +233,11 @@ test_threaded_initialization (void)
        module.C_Finalize = mock_C_Finalize__threaded_race;
 
        memset (&data, 0, sizeof (data));
+
+       p11_mutex_lock (&race_mutex);
        initialization_count = 0;
        finalization_count = 0;
+       p11_mutex_unlock (&race_mutex);
 
        p11_lock ();
 

diff --git a/trust/extract.c b/trust/extract.c
index b80fd8098b98ef5ee1c23a53b1e4f05aca45c4f6..1aec3e6b8f69e6882eff125d97496ace580561c4 100644 (file)
--- a/trust/extract.c
+++ b/trust/extract.c
@@ -353,39 +353,39 @@ p11_trust_extract (int argc,
                        break;
                case opt_filter:
                        if (!filter_argument (optarg, &uri, &match, &ex.flags))
-                               return 2;
+                               exit (2);
                        break;
                case opt_purpose:
                        if (!purpose_argument (optarg, &ex))
-                               return 2;
+                               exit (2);
                        break;
                case opt_format:
                        if (!format_argument (optarg, &format))
-                               return 2;
+                               exit (2);
                        break;
                case 'h':
                        p11_tool_usage (usages, options);
-                       return 0;
+                       exit (0);
                case '?':
-                       return 2;
+                       exit (2);
                default:
                        assert_not_reached ();
                        break;
                }
-       } while (opt != -1);
+       }
 
        argc -= optind;
        argv += optind;
 
        if (argc != 1) {
                p11_message ("specify one destination file or directory");
-               return 2;
+               exit (2);
        }
        ex.destination = argv[0];
 
        if (!format) {
                p11_message ("no output format specified");
-               return 2;
+               exit (2);
        }
 
        /* If nothing that was useful to enumerate was specified, then bail */
@@ -395,7 +395,7 @@ p11_trust_extract (int argc,
        }
 
        if (!validate_filter_and_format (&ex, format, match))
-               return 1;
+               exit (1);
 
        if (uri && p11_kit_uri_any_unrecognized (uri))
                p11_message ("uri contained unrecognized components, nothing will be extracted");
@@ -410,7 +410,7 @@ p11_trust_extract (int argc,
 
        modules = p11_kit_modules_load_and_initialize (flags);
        if (!modules)
-               return 1;
+               exit (1);
 
        if (modules[0] == NULL)
                p11_message ("no modules containing trust policy are registered");

diff --git a/trust/index.c b/trust/index.c
index 5707714d3778fbbd8dd7aaa415d0991210f71823..83f0dc03eabd163df222d9b51a93c7171a861e26 100644 (file)
--- a/trust/index.c
+++ b/trust/index.c
@@ -728,7 +728,7 @@ index_select (p11_index *index,
               index_sink sink,
               void *data)
 {
-       index_bucket *buckets[NUM_BUCKETS];
+       index_bucket *selected[MAX_SELECT];
        CK_OBJECT_HANDLE handle;
        index_object *obj;
        unsigned int hash;
@@ -741,10 +741,10 @@ index_select (p11_index *index,
        for (n = 0, num = 0; n < count && num < MAX_SELECT; n++) {
                if (is_indexable (index, match[n].type)) {
                        hash = p11_attr_hash (match + n);
-                       buckets[num] = index->buckets + (hash % NUM_BUCKETS);
+                       selected[num] = index->buckets + (hash % NUM_BUCKETS);
 
                        /* If any index is empty, then obviously no match */
-                       if (!buckets[num]->num)
+                       if (!selected[num]->num)
                                return;
 
                        num++;
@@ -761,15 +761,15 @@ index_select (p11_index *index,
                return;
        }
 
-       for (i = 0; i < buckets[0]->num; i++) {
+       for (i = 0; i < selected[0]->num; i++) {
                /* A candidate match from first bucket */
-               handle = buckets[0]->elem[i];
+               handle = selected[0]->elem[i];
 
                /* Check if the candidate is in other buckets */
                for (j = 1; j < num; j++) {
-                       assert (buckets[j]->elem); /* checked above */
-                       at = binary_search (buckets[j]->elem, 0, buckets[j]->num, handle);
-                       if (at >= buckets[j]->num || buckets[j]->elem[at] != handle) {
+                       assert (selected[j]->elem); /* checked above */
+                       at = binary_search (selected[j]->elem, 0, selected[j]->num, handle);
+                       if (at >= selected[j]->num || selected[j]->elem[at] != handle) {
                                handle = 0;
                                break;
                        }
@@ -874,7 +874,7 @@ p11_index_snapshot (p11_index *index,
 
        return_val_if_fail (index != NULL, NULL);
 
-       if (count < 0)
+       if (count < (CK_ULONG)0UL)
                count = p11_attrs_count (attrs);
 
        index_select (index, attrs, count, sink_any, &handles);

diff --git a/trust/parser.c b/trust/parser.c
index 97f549d173e9e33f72a8f5be5e36365e6e8d9f27..b4335085ceb43bea7c41f0bbf7104275c7adaddc 100644 (file)
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -454,7 +454,7 @@ build_openssl_extensions (p11_parser *parser,
         * Otherwise a 'TRUSTED CERTIFICATE' in an input directory is enough to
         * mark this as a trusted certificate.
         */
-       } else if (p11_dict_size (trust) > 0) {
+       } else if (trust && p11_dict_size (trust) > 0) {
                trusted = CK_TRUE;
                distrust = CK_FALSE;
        }

diff --git a/trust/tests/frob-nss-trust.c b/trust/tests/frob-nss-trust.c
index fd74db760dfb263b10e59ed4c0ac885795bee597..fd6957369e8b2bf6d6d6ca3abf4adb874a36eae0 100644 (file)
--- a/trust/tests/frob-nss-trust.c
+++ b/trust/tests/frob-nss-trust.c
@@ -73,6 +73,7 @@ dump_object (P11KitIter *iter,
        free (string);
 
        free (label.pValue);
+       free (name);
 }
 
 static int

diff --git a/trust/tests/test-index.c b/trust/tests/test-index.c
index cf856eeae1b58aef62059c9a13c7c9341eb22fe6..074ab2dcf43ca382fdc69ac35c7e71ae84a564b7 100644 (file)
--- a/trust/tests/test-index.c
+++ b/trust/tests/test-index.c
@@ -397,6 +397,7 @@ handles_are (CK_OBJECT_HANDLE *handles,
              ...)
 {
        CK_OBJECT_HANDLE handle;
+       bool matched = true;
        int count;
        int num;
        va_list va;
@@ -410,7 +411,7 @@ handles_are (CK_OBJECT_HANDLE *handles,
 
        va_start (va, handles);
 
-       for (count = 0; true; count++) {
+       for (count = 0; matched; count++) {
                handle = va_arg (va, CK_OBJECT_HANDLE);
                if (handle == 0)
                        break;
@@ -421,12 +422,12 @@ handles_are (CK_OBJECT_HANDLE *handles,
                }
 
                if (handles[i] != handle)
-                       return false;
+                       matched = false;
        }
 
        va_end (va);
 
-       return (count == num);
+       return matched && (count == num);
 }
 
 static void