Changeset 3e61371 in mod_gnutls

Timestamp:

Oct 11, 2020, 1:32:17 PM (10 months ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

asyncio, master

Children:

305ea31

Parents:

90d750d (diff), d54572e (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

Merge CppCheck? code scanning

Files:

• .github/workflows/analysis.yaml (modified) (3 diffs)
• src/gnutls_hooks.c (modified) (6 diffs)
• src/gnutls_io.c (modified) (7 diffs)
• src/gnutls_ocsp.c (modified) (1 diff)
• src/gnutls_proxy.c (modified) (3 diffs)
• src/gnutls_util.c (modified) (1 diff)

.github/workflows/analysis.yaml

@@ -14 +14 @@
 
 jobs:
+
   clang:
     runs-on: ubuntu-20.04
@@ -24 +25 @@
           export DEBIAN_FRONTEND=noninteractive
           apt-get update
-          apt-get -y install python3-yaml apache2-bin apache2-dev curl gnutls-bin libapr1-dev libgnutls28-dev openssl pkg-config procps clang-10 clang-tools-10 libmsv-dev
+          apt-get -y install python3-yaml apache2-bin apache2-dev gnutls-bin libapr1-dev libgnutls28-dev pkg-config procps clang-10 clang-tools-10 libmsv-dev
       - name: find usable IPs for tests
         run: |
@@ -51 +52 @@
           sarif_file: ${{ env.SARIF_DIR }}
           checkout_path: ${{ env.CONTAINER_WORKSPACE }}
+
+  cppcheck:
+    runs-on: ubuntu-20.04
+    container: debian:sid
+    name: cppcheck
+    steps:
+      - uses: actions/checkout@v2
+      - name: install dependencies
+        run: |
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update
+          apt-get -y install python3-yaml apache2-bin apache2-dev gnutls-bin libapr1-dev libgnutls28-dev libmsv-dev pkg-config procps bear cppcheck
+      - name: autoreconf
+        run: autoreconf -fiv
+      - name: configure
+        run: ./configure APACHE_MUTEX=pthread
+      - name: make and create compile_commands.json
+        run: bear make -j4
+      - name: cppcheck
+        run: |
+          cppcheck --project=compile_commands.json -DAF_UNIX=1 --enable=warning,style,unusedFunction --xml 2>cppcheck.xml
+      - uses: airtower-luna/convert-to-sarif@main
+        with:
+          tool: 'CppCheck'
+          input_file: 'cppcheck.xml'
+          sarif_file: 'cppcheck.sarif'
+      - name: define CONTAINER_WORKSPACE
+        run: |
+          echo "CONTAINER_WORKSPACE=${PWD}" >> ${GITHUB_ENV}
+      - name: upload SARIF results
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'cppcheck.sarif'
+          checkout_path: ${{ env.CONTAINER_WORKSPACE }}

src/gnutls_hooks.c

@@ -577 +577 @@
     int rv;
     server_rec *s;
-    mgs_srvconf_rec *sc;
     mgs_srvconf_rec *sc_base;
 
@@ -646 +645 @@
     for (s = base_server; s; s = s->next)
     {
-        sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
+        mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+            ap_get_module_config(s->module_config, &gnutls_module);
         sc->s = s;
         sc->cache_enable = sc_base->cache_enable;
@@ -942 +942 @@
 static int vhost_cb(void *baton, conn_rec *conn, server_rec * s)
 {
-    mgs_srvconf_rec *tsc;
     vhost_cb_rec *x = baton;
-    int ret;
-
+    mgs_srvconf_rec *tsc = (mgs_srvconf_rec *)
+        ap_get_module_config(s->module_config, &gnutls_module);
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
-            &gnutls_module);
 
     if (tsc->enabled != GNUTLS_ENABLED_TRUE) {
@@ -957 +954 @@
         /* this check is there to warn administrator of any missing hostname
          * in the certificate. */
-        ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_crt_chain[0], s->server_hostname);
+        int ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_crt_chain[0],
+                                                 s->server_hostname);
         if (0 == ret)
             ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
@@ -1608 +1606 @@
     for (int i = 0; !(ret < 0); i++)
     {
-        const char *san, *sanlabel;
         len = 0;
         ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
@@ -1624 +1621 @@
             tmp2[len] = 0;
 
+            const char *san, *sanlabel;
             sanlabel = apr_psprintf(r->pool, "%s%u", MGS_SIDE("_S_AN"), i);
             if (ret == GNUTLS_SAN_DNSNAME) {

src/gnutls_io.c

@@ -103 +103 @@
         const char *str;
         apr_size_t str_len;
-        apr_size_t consume;
 
         /* Justin points out this is an http-ism that might
@@ -140 +139 @@
 
             /* Assure we don't overflow. */
-            consume =
-                    (str_len + actual >
-                    *len) ? *len - actual : str_len;
+            apr_size_t consume =
+                (str_len + actual > *len) ? *len - actual : str_len;
 
             memcpy(c, str, consume);
@@ -177 +175 @@
     apr_size_t wanted = *len;
     apr_size_t bytes = 0;
-    int rc;
 
     *len = 0;
@@ -221 +218 @@
     {
         /* Note: The pull function sets ctxt->input_rc */
-        rc = gnutls_record_recv(ctxt->session, buf + bytes, wanted - bytes);
+        int rc = gnutls_record_recv(ctxt->session,
+                                    buf + bytes, wanted - bytes);
 
         if (rc > 0) {
@@ -311 +309 @@
         char *buf, apr_size_t * len) {
     const char *pos = NULL;
-    apr_status_t status;
     apr_size_t tmplen = *len, buflen = *len, offset = 0;
 
     *len = 0;
 
-    while (tmplen > 0) {
-        status = gnutls_io_input_read(ctxt, buf + offset, &tmplen);
+    while (tmplen > 0)
+    {
+        apr_status_t status =
+            gnutls_io_input_read(ctxt, buf + offset, &tmplen);
 
         if (status != APR_SUCCESS) {
@@ -959 +958 @@
 {
     mgs_handle_t *ctxt = ptr;
-    apr_status_t rc;
     apr_size_t in = len;
     apr_read_type_e block = ctxt->input_block;
@@ -980 +978 @@
     if (APR_BRIGADE_EMPTY(ctxt->input_bb))
     {
-        rc = ap_get_brigade(ctxt->input_filter->next,
-                            ctxt->input_bb, AP_MODE_READBYTES,
-                            ctxt->input_block, in);
+        apr_status_t rc = ap_get_brigade(ctxt->input_filter->next,
+                                         ctxt->input_bb, AP_MODE_READBYTES,
+                                         ctxt->input_block, in);
 
         /* Not a problem, there was simply no data ready yet.

src/gnutls_ocsp.c

@@ -1125 +1125 @@
         ocsp_response.size = OCSP_RESP_SIZE_MAX;
 
-        apr_status_t rv = mgs_cache_fetch(sc->ocsp_cache, server,
-                                          ocsp_data->fingerprint,
-                                          &ocsp_response,
-                                          pool);
+        rv = mgs_cache_fetch(sc->ocsp_cache, server, ocsp_data->fingerprint,
+                             &ocsp_response, pool);
 
         if (rv != APR_SUCCESS || (IS_FAILURE_RESPONSE(&ocsp_response)))

src/gnutls_proxy.c

@@ -133 +133 @@
         return APR_EGENERAL;
 
-    apr_status_t ret = APR_EINIT;
-    int err = GNUTLS_E_SUCCESS;
-
     /* Cleanup function for the GnuTLS structures allocated below */
     apr_pool_cleanup_register(pconf, sc, cleanup_proxy_x509_credentials,
@@ -142 +139 @@
     /* Function pool, gets destroyed before exit. */
     apr_pool_t *pool;
-    ret = apr_pool_create(&pool, ptemp);
+    apr_status_t ret = apr_pool_create(&pool, ptemp);
     if (ret != APR_SUCCESS)
     {
@@ -151 +148 @@
 
     /* allocate credentials structures */
-    err = gnutls_certificate_allocate_credentials(&sc->proxy_x509_creds);
+    int err = gnutls_certificate_allocate_credentials(&sc->proxy_x509_creds);
     if (err != GNUTLS_E_SUCCESS)
     {

src/gnutls_util.c

@@ -100 +100 @@
                              gnutls_datum_t *datum)
 {
-    apr_status_t rv = APR_EINIT;
     apr_file_t *file;
     apr_finfo_t finfo;
     apr_size_t br = 0;
-    rv = apr_file_open(&file, filename,
-                       APR_READ | APR_BINARY, APR_OS_DEFAULT, p);
+
+    apr_status_t rv = apr_file_open(&file, filename,
+                                    APR_READ | APR_BINARY, APR_OS_DEFAULT, p);
     if (rv != APR_SUCCESS)
         return rv;