Coverity scan fixes

apps/dtls/Makefile

@@ -7,10 +7,10 @@
 #
 
 MATRIXSSL_ROOT:=../..
+
 SERVER_SRC:=dtlsServer.c dtlsCommon.c
 CLIENT_SRC:=dtlsClient.c dtlsCommon.c
 
-# Generated files
 SERVER_EXE:=dtlsServer$(E)
 CLIENT_EXE:=dtlsClient$(E)
 
@@ -38,7 +38,6 @@ STATIC:=\
 CIPHER_OPTION=ID_RSA # The default cipher option
 CFLAGS+=-D$(CIPHER_OPTION)
 
-
 ifdef DTLS_PACKET_LOSS_TEST
 # Enable all packet-loss related tests
 CFLAGS+=-DDTLS_PACKET_LOSS_TEST -DTEST_DTLS_CLIENT_REHANDSHAKE=1 -DDTLS_TEST_LOST_CIPHERSPEC_CHANGE_REHANDSHAKE

apps/dtls/dtlsClient.c

@@ -36,7 +36,6 @@
 
 #ifdef USE_CLIENT_SIDE_SSL
 
-
 static int packet_loss_prob = 0; /* Reciprocal of packet loss probability
 									(i.e. P(packet loss) = 1/x).
 									Default value is 0 (no packet loss). */
@@ -221,7 +220,6 @@ static int32 certCb(ssl_t *ssl, psX509Cert_t *cert, int32 alert);
 static void closeConn(sslDtls_t *dtls, SOCKET fd);
 static int32 sendHelloWorld(sslDtls_t *dtlsCtx);
 
-
 /******************************************************************************/
 /*
 	Allocate the data structure to manage the socket and ssl combo of
@@ -555,7 +553,9 @@ static int32 sendHelloWorld(sslDtls_t *dtlsCtx)
 	avail = min(avail, len);
 	strncpy((char*)buf, (char*)helloWorld, avail);
 
-	matrixSslEncodeWritebuf(dtlsCtx->ssl, avail);
+	if ((ret = matrixSslEncodeWritebuf(dtlsCtx->ssl, avail)) < 0) {
+		return ret;
+	}
 /*
 	Get the encoded buffer and write it out
 */
@@ -563,8 +563,8 @@ static int32 sendHelloWorld(sslDtls_t *dtlsCtx)
 		ret = (int32)sendto(dtlsCtx->fd, buf, len, 0,
 			(struct sockaddr*)&dtlsCtx->addr, sizeof(struct sockaddr_in));
 		if (ret == -1) {
-				perror("sendto");
-				exit(1);
+			perror("sendto");
+			exit(1);
 		}
 		matrixDtlsSentData(dtlsCtx->ssl, len);
 	}
@@ -855,6 +855,7 @@ int32 main(int32 argc, char **argv)
 	if (CAstreamLen > 0) {
 		CAstream = psMalloc(NULL, CAstreamLen);
 	} else {
+		/* coverity[dead_error_line] */
 		CAstream = NULL;
 	}
 

apps/dtls/dtlsServer.c

@@ -41,7 +41,6 @@
 #include "dtlsCommon.h"
 #include "../../crypto/cryptoApi.h"
 
-
 /* #define USE_CERT_VALIDATOR */
 
 #define DTLS_PORT 4433
@@ -980,9 +979,9 @@ static int32 handleResends(SOCKET sock)
 	ssl_t			*ssl;
 	psTime_t		now;
 	unsigned char	*sslBuf;
-	int16			i;
-	int32			sendLen, rc;
-	uint32			timeout, sslBufLen, clientCount;
+	int16_t			i;
+	int32_t			sendLen, sslBufLen, rc;
+	uint32_t			timeout, clientCount;
 
 	clientCount = 0; /* return code is number of active clients or < 0 on error */
 	psGetTime(&now, NULL);
@@ -1071,7 +1070,7 @@ static void setSocketOptions(SOCKET fd)
 
 static SOCKET newUdpSocket(char *ip, short port, int *err)
 {
-	struct sockaddr_in	addr;
+	struct sockaddr_in	addr = { 0 };
 	SOCKET				fd;
 
 	if ((fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
@@ -1087,6 +1086,7 @@ static SOCKET newUdpSocket(char *ip, short port, int *err)
 	if (ip == NULL) {
 		addr.sin_addr.s_addr = INADDR_ANY;
 		if (bind(fd, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
+			close(fd);
 			_psTrace("Can't bind socket. Port in use or permission problem\n");
 			*err = SOCKET_ERRNO;
 			return INVALID_SOCKET;
@@ -1234,9 +1234,10 @@ static void clearClient(serverDtls_t *dtls)
 	/* Quick attempt to send a closure alert, don't worry about failure */
 	if (matrixSslEncodeClosureAlert(ssl) >= 0) {
 		if ((len = matrixDtlsGetOutdata(ssl, &buf)) > 0) {
-			sendto(dtls->fd, buf, len, 0, (struct sockaddr*)&dtls->addr,
-					sizeof(struct sockaddr_in));
-			matrixDtlsSentData(ssl, len);
+			if (sendto(dtls->fd, buf, len, 0, (struct sockaddr*)&dtls->addr,
+					sizeof(struct sockaddr_in)) >= 0) {
+				matrixDtlsSentData(ssl, len);
+			}
 		}
 	}
 	matrixSslDeleteSession(ssl);

apps/ssl/Makefile

@@ -9,10 +9,11 @@
 MATRIXSSL_ROOT:=../..
 SERVER_SRC:=server.c http.c
 CLIENT_SRC:=client.c http.c
+SRC=$(SERVER_SRC) $(CLIENT_SRC)
 
-# Generated files
 SERVER_EXE:=server$(E)
 CLIENT_EXE:=client$(E)
+EXE=$(SERVER_EXE) $(CLIENT_EXE)
 
 #The Mac OS X Xcode project has a target name of 'server' or 'client'
 ifneq (,$(TARGET_NAME))
@@ -25,8 +26,6 @@ ifneq (,$(TARGET_NAME))
  endif
 endif
 
-SRC:=$(SERVER_SRC) $(CLIENT_SRC)
-
 include $(MATRIXSSL_ROOT)/common.mk
 
 # Linked files
@@ -35,13 +34,12 @@ STATIC:=\
 	$(MATRIXSSL_ROOT)/crypto/libcrypt_s.a \
 	$(MATRIXSSL_ROOT)/core/libcore_s.a
 
-
 CIPHER_OPTION=ID_RSA # The default cipher option
 CFLAGS+=-D$(CIPHER_OPTION)
 
 all: compile
 
-compile: $(OBJS) $(SERVER_EXE) $(CLIENT_EXE)
+compile: $(OBJS) $(EXE)
 
 # Additional Dependencies
 $(OBJS): $(MATRIXSSL_ROOT)/common.mk Makefile $(wildcard *.h)
@@ -53,5 +51,5 @@ $(CLIENT_EXE): $(CLIENT_SRC:.c=.o) $(STATIC)
 	$(CC) -o $@ $^ $(LDFLAGS) $(CFLAGS)
 
 clean:
-	rm -f $(SERVER_EXE) $(CLIENT_EXE) $(OBJS) TLS_*.tmp SSL_*.tmp
+	rm -f $(EXE) $(OBJS) TLS_*.tmp SSL_*.tmp
 

apps/ssl/app.h

@@ -67,7 +67,6 @@ extern "C" {
 #endif
 #endif /* WIN32 */
 
-
 /******************************************************************************/
 /*
 	 Platform independent socket defines for convenience

apps/ssl/client.c

@@ -876,7 +876,6 @@ int32 main(int32 argc, char **argv)
 		return rc;
 	}
 
-
 	if (matrixSslNewKeys(&keys, NULL) < 0) {
 		_psTrace("MatrixSSL library key init failure.  Exiting\n");
 		return -1;
@@ -924,6 +923,7 @@ int32 main(int32 argc, char **argv)
 	if (CAstreamLen > 0) {
 		CAstream = psMalloc(NULL, CAstreamLen);
 	} else {
+		/* coverity[dead_error_line] */
 		CAstream = NULL;
 	}
 
@@ -993,6 +993,7 @@ int32 main(int32 argc, char **argv)
 		CAstream = psMalloc(NULL, CAstreamLen);
 		memset(CAstream, 0x0, CAstreamLen);
 	} else {
+		/* coverity[dead_error_line] */
 		CAstream = NULL;
 	}
 
@@ -1160,17 +1161,19 @@ int32 main(int32 argc, char **argv)
 static void closeConn(ssl_t *ssl, SOCKET fd)
 {
 	unsigned char	*buf;
-	int32			len;
+	int32			len, rc;
 
 	if (g_send_closure_alert) {
 #if 1
 	/* Set the socket to non-blocking to flush remaining data */
 #ifdef POSIX
-	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
+	rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
+	psAssert(rc >= 0);
 #endif
 #ifdef WIN32
 	len = 1;		/* 1 for non-block, 0 for block */
-	ioctlsocket(fd, FIONBIO, &len);
+	rc = ioctlsocket(fd, FIONBIO, &len);
+	psAssert(rc);
 #endif
 	/* Quick attempt to send a closure alert, don't worry about failure */
 	if (matrixSslEncodeClosureAlert(ssl) >= 0) {
@@ -1505,7 +1508,8 @@ static SOCKET lsocketConnect(char *ip, int32 port, int32 *err)
 		return INVALID_SOCKET;
 	}
 #ifdef POSIX
-	fcntl(fd, F_SETFD, FD_CLOEXEC);
+	rc = fcntl(fd, F_SETFD, FD_CLOEXEC);
+	psAssert(rc >= 0);
 #endif
 #if 0
 	{
@@ -1525,24 +1529,24 @@ static SOCKET lsocketConnect(char *ip, int32 port, int32 *err)
 	}
 #endif
 #ifdef POSIX
-	rc = 1;
+//	rc = 1;
 //	setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, (char *)&rc, sizeof(rc));
 //	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
 #elif defined(WIN32)
-	rc = 1;     /* 1 for non-block, 0 for block */
+//	rc = 1;     /* 1 for non-block, 0 for block */
 //	ioctlsocket(fd, FIONBIO, &rc);
 #endif
 #ifdef __APPLE__  /* MAC OS X */
 	rc = 1;
 	setsockopt(fd, SOL_SOCKET, SO_NOSIGPIPE, (void *)&rc, sizeof(rc));
 #endif
-
 	memset((char *) &addr, 0x0, sizeof(addr));
 	addr.sin_family = AF_INET;
 	addr.sin_port = htons((short)port);
 	addr.sin_addr.s_addr = inet_addr(ip);
 	rc = connect(fd, (struct sockaddr *)&addr, sizeof(addr));
 	if (rc < 0) {
+		close(fd);
 		perror("connect()");
 		*err = SOCKET_ERRNO;
 	} else {

apps/ssl/server.c

@@ -92,7 +92,7 @@ static unsigned char	g_httpResponseHdr[] = "HTTP/1.0 200 OK\r\n"
 
 static int32 selectLoop(sslKeys_t *keys, SOCKET lfd);
 static int32 httpWriteResponse(httpConn_t *conn);
-static void setSocketOptions(SOCKET fd);
+static int setSocketOptions(SOCKET fd);
 static SOCKET lsocketListen(short port, int32 *err);
 static void closeConn(httpConn_t *cp, int32 reason);
 
@@ -116,7 +116,8 @@ static void displayStats(void)
 	if (g_handshakes > s_handshakes) {
 		t = time(NULL);
 		if (t > s_t) {
-			printf("%llu CPS\n", (g_handshakes - s_handshakes) / (t - s_t));
+			printf("%u CPS\n",
+				(uint32_t)(g_handshakes - s_handshakes) / (uint32_t)(t - s_t));
 			s_handshakes = g_handshakes;
 			s_t = t;
 		}
@@ -215,8 +216,15 @@ static int32 selectLoop(sslKeys_t *keys, SOCKET lfd)
 			if (fd == INVALID_SOCKET) {
 				break;	/* Nothing more to accept; next listener */
 			}
-			setSocketOptions(fd);
+			if (setSocketOptions(fd) < 0) {
+				close(fd);
+				return PS_PLATFORM_FAIL;
+			}
 			cp = malloc(sizeof(httpConn_t));
+			if (cp == NULL) {
+				close(fd);
+				return PS_MEM_FAIL;
+			}
 			memset(cp, 0x0, sizeof(httpConn_t));
 
 			memset(&options, 0x0, sizeof(sslSessOpts_t));
@@ -224,12 +232,11 @@ static int32 selectLoop(sslKeys_t *keys, SOCKET lfd)
 
 			if ((rc = matrixSslNewServerSession(&cp->ssl, keys,	NULL,
 					&options)) < 0) {
-				close(fd); fd = INVALID_SOCKET;
+				close(fd);
 				continue;
 			}
 
 			cp->fd = fd;
-			fd = INVALID_SOCKET;
 			cp->timeout = SSL_TIMEOUT;
 			psGetTime(&cp->time, NULL);
 			cp->parsebuf = NULL;
@@ -406,7 +413,8 @@ PROCESS_MORE:
 					if (len >= 15 &&
 							strncmp((char*)buf, "MATRIX_SHUTDOWN", 15) == 0) {
 						g_exitFlag = 1;
-						matrixSslEncodeClosureAlert(cp->ssl);
+						rc = matrixSslEncodeClosureAlert(cp->ssl);
+						psAssert(rc >= 0);
 						_psTrace("Got MATRIX_SHUTDOWN.  Exiting\n");
 						goto WRITE_MORE;
 					}
@@ -428,7 +436,8 @@ PROCESS_MORE:
 						 close after parsing a single HTTP request */
 						/* Ignore return of closure alert, it's optional */
 #ifdef SEND_CLOSURE_ALERT
-//						matrixSslEncodeClosureAlert(cp->ssl);
+//						rc = matrixSslEncodeClosureAlert(cp->ssl);
+//						psAssert(rc >= 0);
 #endif
 						rc = matrixSslProcessedData(cp->ssl, &buf, (uint32*)&len);
 						if (rc > 0) {
@@ -513,11 +522,15 @@ static int32 httpWriteResponse(httpConn_t *cp)
 		*/
 		while (cp->bytes_sent < cp->bytes_requested) {
 			len = cp->bytes_requested - cp->bytes_sent;
+			if (len < 0) {
+				return PS_MEM_FAIL;
+			}
 			if (len > RESPONSE_REC_LEN) {
 				len = RESPONSE_REC_LEN;
 			}
-			psAssert(len > 0);
-			rc = matrixSslGetWritebuf(ssl, &buf, len);
+			if ((rc = matrixSslGetWritebuf(ssl, &buf, len)) < 1) {
+				return PS_MEM_FAIL;
+			}
 			if (rc < len) {
 				len = rc; /* could have been shortened due to max_frag */
 			}
@@ -536,12 +549,11 @@ static int32 httpWriteResponse(httpConn_t *cp)
 				generated records. We could flush after each record encode,
 				or only on a multiple of record encodes.
 			*/
-			if ((len = matrixSslGetOutdata(ssl, &buf)) > (RESPONSE_REC_LEN * 4)) {
+			if (matrixSslGetOutdata(ssl, &buf) > (RESPONSE_REC_LEN * 4)) {
 				if ((len = (int32)send(cp->fd, buf, len, MSG_DONTWAIT)) > 0) {
 					rc = matrixSslSentData(ssl, len);
 //					psAssert(rc != MATRIXSSL_REQUEST_SEND); /* Some data remains */
 				}
-//				psAssert(len > 0); /* Probably an EWOULDBLOCK */
 			}
 		}
 		return MATRIXSSL_REQUEST_SEND;
@@ -591,7 +603,6 @@ int32 main(int32 argc, char **argv)
 	WSAStartup(MAKEWORD(1, 1), &wsaData);
 #endif
 
-
 	DLListInit(&g_conns);
 	g_exitFlag = 0;
 	lfd = INVALID_SOCKET;
@@ -607,7 +618,6 @@ int32 main(int32 argc, char **argv)
 		return rc;
 	}
 	
-
 	if (matrixSslNewKeys(&keys, NULL) < 0) {
 		return -1;
 	}
@@ -638,6 +648,15 @@ int32 main(int32 argc, char **argv)
 		displayStats();
 	}
 
+	/* Close any active connections */
+	while (!DLListIsEmpty(&g_conns)) {
+		httpConn_t		*cp;
+		DLListEntry		*pList;
+		pList = DLListGetHead(&g_conns);
+		cp = DLListGetContainer(pList, httpConn_t, List);
+		closeConn(cp, PS_SUCCESS);
+	}
+
 L_EXIT:
 	if (lfd != INVALID_SOCKET) close(lfd);
 	matrixSslClose();
@@ -693,7 +712,7 @@ static void closeConn(httpConn_t *cp, int32 reason)
  */
 static SOCKET lsocketListen(short port, int32 *err)
 {
-	struct sockaddr_in	addr;
+	struct sockaddr_in	addr = { 0 };
 	SOCKET				fd;
 
 	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) {
@@ -702,17 +721,21 @@ static SOCKET lsocketListen(short port, int32 *err)
 		return INVALID_SOCKET;
 	}
 
-	setSocketOptions(fd);
-
+	if (setSocketOptions(fd) < 0) {
+		close(fd);
+		return INVALID_SOCKET;
+	}
 	addr.sin_family = AF_INET;
 	addr.sin_port = htons(port);
 	addr.sin_addr.s_addr = INADDR_ANY;
 	if (bind(fd, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
+		close(fd);
 		_psTrace("Can't bind socket. Port in use or insufficient privilege\n");
 		*err = SOCKET_ERRNO;
 		return INVALID_SOCKET;
 	}
 	if (listen(fd, SOMAXCONN) < 0) {
+		close(fd);
 		_psTrace("Error listening on socket\n");
 		*err = SOCKET_ERRNO;
 		return INVALID_SOCKET;
@@ -727,27 +750,40 @@ static SOCKET lsocketListen(short port, int32 *err)
 	Set the REUSE flag to minimize the number of sockets in TIME_WAIT
 	Then we set REUSEADDR, NODELAY and NONBLOCK on the socket
 */
-static void setSocketOptions(SOCKET fd)
+static int setSocketOptions(SOCKET fd)
 {
-	int32 rc;
+	int rc;
 
 #ifdef POSIX
-	fcntl(fd, F_SETFD, FD_CLOEXEC);
+	if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
+		return PS_PLATFORM_FAIL;
+	}
 #endif
 	rc = 1;
-	setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&rc, sizeof(rc));
+	if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&rc, sizeof(rc)) < 0) {
+		return PS_PLATFORM_FAIL;
+	}
 #ifdef POSIX
 	rc = 1;
-	setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, (char *)&rc, sizeof(rc));
-	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
+	if (setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, (char *)&rc, sizeof(rc)) < 0) {
+		return PS_PLATFORM_FAIL;
+	}
+	if (fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK) < 0) {
+		return PS_PLATFORM_FAIL;
+	}
 #elif defined(WIN32)
 	rc = 1;		/* 1 for non-block, 0 for block */
-	ioctlsocket(fd, FIONBIO, &rc);
+	if (ioctlsocket(fd, FIONBIO, &rc) < 0) {
+		return PS_PLATFORM_FAIL;
+	}
 #endif
 #ifdef __APPLE__  /* MAC OS X */
 	rc = 1;
-	setsockopt(fd, SOL_SOCKET, SO_NOSIGPIPE, (void *)&rc, sizeof(rc));
+	if (setsockopt(fd, SOL_SOCKET, SO_NOSIGPIPE, (void *)&rc, sizeof(rc)) < 0) {
+		return PS_PLATFORM_FAIL;
+	}
 #endif
+	return PS_SUCCESS;
 }
 
 #ifdef POSIX