Merge branch 'tmp-add-scan-build' into 'master'

Add clang's static analyzer to CI

See merge request openconnect/openconnect!139

.gitlab-ci.yml

@@ -441,3 +441,39 @@ MinGW64/OpenSSL:
     when: on_failure
     paths:
       - tests/*.log
+
+static-analyzer/GnuTLS/Fedora:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:buildenv-fedora
+  script:
+  - ./autogen.sh
+  - scan-build ./configure
+  - scan-build --status-bugs -o scan-build-src make -j4
+  tags:
+  - shared
+  - linux
+  except:
+  - tags
+  - schedules
+  artifacts:
+    expire_in: 1 week
+    when: on_failure
+    paths:
+      - scan-build-src/*
+
+static-analyzer/OpenSSL/Fedora:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:buildenv-fedora
+  script:
+  - ./autogen.sh
+  - scan-build ./configure --without-gnutls --with-openssl --without-openssl-version-check
+  - scan-build --status-bugs -o scan-build-src make -j4
+  tags:
+  - shared
+  - linux
+  except:
+  - tags
+  - schedules
+  artifacts:
+    expire_in: 1 week
+    when: on_failure
+    paths:
+      - scan-build-src/*

auth-globalprotect.c

@@ -74,7 +74,7 @@ const char *gpst_os_name(struct openconnect_info *vpninfo)
 static int parse_prelogin_xml(struct openconnect_info *vpninfo, xmlNode *xml_node, void *cb_data)
 {
 	struct login_context *ctx = cb_data;
-	struct oc_auth_form *form = ctx->form;
+	struct oc_auth_form *form = NULL;
 	struct oc_form_opt *opt, *opt2;
 	char *prompt = NULL, *username_label = NULL, *password_label = NULL;
 	char *saml_method = NULL, *saml_path = NULL;
@@ -133,7 +133,6 @@ static int parse_prelogin_xml(struct openconnect_info *vpninfo, xmlNode *xml_nod
 	}
 
 	/* Replace old form */
-	free_auth_form(ctx->form);
 	form = ctx->form = calloc(1, sizeof(*form));
 	if (!form) {
 	nomem:

cstp.c

@@ -157,19 +157,16 @@ static void calculate_mtu(struct openconnect_info *vpninfo, int *base_mtu, int *
 static void append_compr_types(struct oc_text_buf *buf, const char *proto, int avail)
 {
 	if (avail) {
-		char sep = ' ';
+		const char sep = ',';
 		buf_append(buf, "X-%s-Accept-Encoding:", proto);
 		if (avail & COMPR_LZ4) {
 			buf_append(buf, "%coc-lz4", sep);
-			sep = ',';
 		}
 		if (avail & COMPR_LZS) {
 			buf_append(buf, "%clzs", sep);
-			sep = ',';
 		}
 		if (avail & COMPR_DEFLATE) {
 			buf_append(buf, "%cdeflate", sep);
-			sep = ',';
 		}
 		buf_append(buf, "\r\n");
 	}
@@ -393,7 +390,7 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
 		if (!strncmp(buf, "HTTP/1.1 503 ", 13)) {
 			/* "Service Unavailable. Why? */
 			const char *reason = "<unknown>";
-			while ((i = vpninfo->ssl_gets(vpninfo, buf, sizeof(buf)))) {
+			while ((vpninfo->ssl_gets(vpninfo, buf, sizeof(buf)))) {
 				if (!strncmp(buf, "X-Reason: ", 10)) {
 					reason = buf + 10;
 					break;

dtls.c

@@ -682,7 +682,7 @@ static int probe_mtu(struct openconnect_info *vpninfo, unsigned char *buf)
 
 void dtls_detect_mtu(struct openconnect_info *vpninfo)
 {
-	int mtu = vpninfo->ip_info.mtu;
+	int mtu;
 	int prev_mtu = vpninfo->ip_info.mtu;
 	unsigned char *buf;
 

gnutls.c

@@ -583,7 +583,7 @@ static int assign_privkey(struct openconnect_info *vpninfo,
 			  unsigned int nr_certs,
 			  uint8_t *free_certs)
 {
-	gnutls_pcert_st *pcerts = calloc(nr_certs, sizeof(*pcerts));
+	gnutls_pcert_st *pcerts = gnutls_calloc(nr_certs, sizeof(*pcerts));
 	int i, err;
 
 	if (!pcerts)
@@ -1092,7 +1092,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
 	if (!nr_extra_certs)
 		nr_extra_certs = 1; /* wtf? Oh well, we'll fail later... */
 
-	extra_certs = calloc(nr_extra_certs, sizeof(cert));
+	extra_certs = gnutls_calloc(nr_extra_certs, sizeof(cert));
 	if (!extra_certs) {
 		nr_extra_certs = 0;
 		ret = -ENOMEM;
@@ -1115,7 +1115,6 @@ static int load_certificate(struct openconnect_info *vpninfo)
 		goto out;
 	}
 	nr_extra_certs = err;
-	err = 0;
 
 	goto got_certs;
  got_certs:
@@ -2667,13 +2666,20 @@ void *establish_eap_ttls(struct openconnect_info *vpninfo)
 
 	err = gnutls_priority_set_direct(ttls_sess,
 				   vpninfo->ciphersuite_config, NULL);
+	if (err < 0) {
+		vpn_progress(vpninfo, PRG_TRACE,
+			     _("Could not set ciphersuites: %s\n"), vpninfo->ciphersuite_config);
+		goto fail;
+	}
 
 	err = gnutls_handshake(ttls_sess);
 	if (!err) {
 		vpn_progress(vpninfo, PRG_TRACE,
 			     _("Established EAP-TTLS session\n"));
 		return ttls_sess;
 	}
+
+fail:
 	gnutls_deinit(ttls_sess);
 	return NULL;
 }

gpst.c

@@ -909,14 +909,17 @@ static int run_hip_script(struct openconnect_info *vpninfo)
 	if (pipe2(pipefd, O_CLOEXEC))
 #endif
 	{
-		if (pipe(pipefd))
-			goto out;
+		if (pipe(pipefd)) {
+			vpn_progress(vpninfo, PRG_ERR, _("Failed to create pipe for HIP script\n"));
+			return -EPERM;
+		}
 		set_fd_cloexec(pipefd[0]);
 		set_fd_cloexec(pipefd[1]);
 	}
 	child = fork();
 	if (child == -1) {
-		goto out;
+		vpn_progress(vpninfo, PRG_ERR, _("Failed to fork for HIP script\n"));
+		return -EPERM;
 	} else if (child > 0) {
 		/* in parent: read report from child */
 		struct oc_text_buf *report_buf = buf_alloc();
@@ -979,7 +982,6 @@ static int run_hip_script(struct openconnect_info *vpninfo)
 		hip_argv[i++] = NULL;
 		execv(hip_argv[0], (char **)hip_argv);
 
-	out:
 		vpn_progress(vpninfo, PRG_ERR,
 				 _("Failed to exec HIP script %s\n"), hip_argv[0]);
 		exit(1);

gssapi.c

@@ -158,6 +158,9 @@ void cleanup_gssapi_auth(struct openconnect_info *vpninfo,
 {
 	OM_uint32 minor;
 
+	if (!auth_state)
+		return;
+
 	if (auth_state->gss_target_name != GSS_C_NO_NAME)
 		gss_release_name(&minor, &auth_state->gss_target_name);
 

http.c

@@ -478,8 +478,6 @@ int process_http_response(struct openconnect_info *vpninfo, int connect,
 				     strerror(-ret));
 			goto err;
 		}
-		/* Default error case */
-		ret = -EINVAL;
 
 		/* Empty line ends headers */
 		if (!hdrbuf->pos)
@@ -684,6 +682,7 @@ int process_http_response(struct openconnect_info *vpninfo, int connect,
 			vpn_progress(vpninfo, PRG_ERR,
 				     _("Cannot receive HTTP 1.0 body without closing connection\n"));
 			openconnect_close_https(vpninfo, 0);
+			buf_free(hdrbuf);
 			return -EINVAL;
 		}
 
@@ -764,8 +763,10 @@ int internal_parse_url(const char *url, char **res_proto, char **res_host,
 		if (!*end) {
 			*port_str = 0;
 			port = new_port;
-			if (port <= 0 || port > 0xffff)
+			if (port <= 0 || port > 0xffff) {
+				free(host);
 				return -EINVAL;
+			}
 		}
 	}
 
@@ -1055,7 +1056,7 @@ int do_https_request(struct openconnect_info *vpninfo, const char *method,
 		rq_retry = 1;
 	} else {
 		rq_retry = 0;
-		if ((result = openconnect_open_https(vpninfo))) {
+		if ((openconnect_open_https(vpninfo))) {
 			vpn_progress(vpninfo, PRG_ERR,
 				     _("Failed to open HTTPS connection to %s\n"),
 				     vpninfo->hostname);

main.c

@@ -2445,7 +2445,7 @@ static int lock_token(void *tokdata)
 	err = openconnect_set_token_mode(vpninfo, vpninfo->token_mode, file_token);
 	free(file_token);
 
-	return 0;
+	return err;
 }
 
 static int unlock_token(void *tokdata, const char *new_tok)

ntlm.c

@@ -873,6 +873,8 @@ static int ntlm_manual_challenge(struct openconnect_info *vpninfo, int proxy,
 	int token_len = -EINVAL;
 	int ntlmver;
 
+	memset(hash, 0, sizeof(hash));
+
 	if (!auth_state->challenge)
 		return -EINVAL;
 

oath.c

@@ -132,6 +132,9 @@ static char *parse_hex(const char *tok, int len)
 {
 	unsigned char *data, *p;
 
+	if (len <= 1)
+		return NULL;
+
 	data = malloc((len + 1) / 2);
 	if (!data)
 		return NULL;

oncp.c

@@ -780,12 +780,13 @@ int oncp_connect(struct openconnect_info *vpninfo)
 	vpn_progress(vpninfo, PRG_DEBUG, _("oNCP negotiation request outgoing:\n"));
 	dump_buf_hex(vpninfo, PRG_DEBUG, '>', (void *)reqbuf->data, reqbuf->pos);
 	ret = vpninfo->ssl_write(vpninfo, reqbuf->data, reqbuf->pos);
-	if (ret == reqbuf->pos)
-		ret = 0;
-	else if (ret >= 0) {
-		vpn_progress(vpninfo, PRG_ERR,
-			     _("Short write in oNCP negotiation\n"));
-		ret = -EIO;
+	if (ret != reqbuf->pos) {
+		if (ret >= 0) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Short write in oNCP negotiation\n"));
+			ret = -EIO;
+		}
+		goto out;
 	}
 
 	ret = check_address_sanity(vpninfo, old_addr, old_netmask, NULL, NULL);

stoken.c

@@ -121,10 +121,8 @@ static int decrypt_stoken(struct openconnect_info *vpninfo)
 	while (1) {
 		nuke_opt_values(opts);
 
-		if (!opts[0].type) {
-			/* don't bug the user if there's nothing to enter */
-			ret = 0;
-		} else {
+		/* don't bug the user if there's nothing to enter */
+		if (opts[0].type) {
 			int some_empty = 0, all_empty = 1;
 
 			/* < 0 for error; 1 if cancelled */

yubikey.c

@@ -151,7 +151,7 @@ static int buf_tlv(struct oc_text_buf *buf, int *loc, unsigned char *type)
 			return -EINVAL;
 		len = (unsigned char)buf->data[(*loc)++];
 		len <<= 8;
-		len = (unsigned char)buf->data[(*loc)++];
+		len |= (unsigned char)buf->data[(*loc)++];
 		left -= 2;
 	}