Coverity

blacklists.c

@@ -918,6 +918,11 @@ static int parse_ip_net(char *in, int len, struct net *ipnet)
 	}
 
 	ip_tmp = (af == AF_INET) ? str2ip(&ip_s) : str2ip6(&ip_s);
+	if (!ip_tmp) {
+		LM_ERR("Invalid IP address\n");
+		return -1;
+	}
+
 	/* save the IP */
 	ip = *ip_tmp;
 

db/db_query.c

@@ -235,11 +235,14 @@ int db_do_insert(const db_con_t* _h, const db_key_t* _k, const db_val_t* _v,
 
 			for (i=0;i<no_rows;i++)
 			{
+				if (off + 1 >= SQL_BUF_LEN) goto error0;
 				sql_buf[off++]='(';
 				ret = db_print_values(_h, sql_buf + off, SQL_BUF_LEN - off,
 										CON_HAS_PS(_h)?_v:buffered_rows[i], _n, val2str);
 				if (ret < 0) goto error;
 				off += ret;
+
+				if (off + 1 >= SQL_BUF_LEN) goto error0;
 				sql_buf[off++]=')';
 
 				if (i != (no_rows -1))

dprint.c

@@ -181,6 +181,7 @@ int init_log_cee_hostname(void)
 		init_str(&cname, info->ai_canonname);
 		if (pkg_str_dup(&log_cee_hostname, &cname) < 0) {
 			LM_ERR("no more pkg memory\n");
+			freeaddrinfo(info);
 			return -1;
 		}
 	}

evi/event_interface.c

@@ -137,7 +137,7 @@ void evi_remove_expired_subs(event_id_t id) {
 	while (subs) {
 		if (!subs->reply_sock) {
 			LM_ERR("unknown destination\n");
-			continue;
+			goto next_sub;
 		}
 		/* check expire */
 		if (!(subs->reply_sock->flags & EVI_PENDING) &&
@@ -163,6 +163,8 @@ void evi_remove_expired_subs(event_id_t id) {
 			}
 			continue;
 		}
+next_sub:
+		prev = subs;
 		subs = subs->next;
 	}
 	lock_release(events[id].lock);
@@ -769,6 +771,9 @@ mi_response_t *w_mi_subscribers_list_1(const mi_params_t *params,
 		return init_mi_error(404, MI_SSTR("Event not published"));
 	/* get the event id & before printing the subs list check for any expired subscribers and remove them*/
 	evid = evi_get_id(&event_s);
+	if (evid == -1)
+		return init_mi_error(404, MI_SSTR("Can't get the id"));
+
 	evi_remove_expired_subs(evid);
 
 	return mi_subscribers_list(event, NULL);
@@ -790,6 +795,9 @@ mi_response_t *w_mi_subscribers_list_2(const mi_params_t *params,
 		return init_mi_error(404, MI_SSTR("Event not published"));
 	/* get the event id & before printing the subs list check for any expired subscribers and remove them*/
 	evid = evi_get_id(&event_s);
+	if (evid == -1)
+		return init_mi_error(404, MI_SSTR("Can't get the id"));
+
 	evi_remove_expired_subs(evid);
 
 	if (get_mi_string_param(params, "socket", &subs_s.s, &subs_s.len) < 0)

lib/reg/common.h

@@ -84,9 +84,9 @@ static inline time_t randomize_expires(unsigned int expires_ts)
 		expires_dur = max_expires;
 
 	ret = expires_dur + get_act_time();
-	LM_DBG("randomized expiry ts from %u to %lld (adj: %d/%d, "
+	LM_DBG("randomized expiry ts from %u to %lld (adj: %d/%lld, "
 	       "max_deviation: %d)\n", expires_ts, (long long)ret, expires_adj,
-	       (int)ret - (int)expires_ts, expires_max_deviation);
+	       (long long)ret - (long long)expires_ts, expires_max_deviation);
 
 	return ret;
 }

mem/rpm_mem.c

@@ -423,7 +423,9 @@ int load_rpm_file(void)
 	bytes_needed = sizeof(tmp);
 	do {
 		ret = read(fd, ((char *)&tmp) + bytes_read, bytes_needed);
-		if (ret < 0 && errno != EINTR) {
+		if (ret < 0) {
+			if (errno == EINTR)
+				continue;
 			LM_ERR("could not read from restart persistency file: %s (%d: %s)\n",
 					rpm_mem_file, errno, strerror(errno));
 			close(fd);

mem/shm_mem.c

@@ -766,6 +766,7 @@ int shm_dbg_mem_init(void)
 	default:
 		LM_ERR("current build does not include support for "
 		       "selected allocator (%s)\n", mm_str(mem_allocator_shm));
+		close(fd_dbg);
 		return -1;
 	}
 	#endif

mem/shm_mem.h

@@ -851,7 +851,8 @@ inline static void shm_force_unlock(void)
 			for (i = 0; i < HP_HASH_SIZE; i++)
 				lock_release(&mem_locks[i]);
 		} else {
-			shm_unlock();
+			if (mem_lock)
+				shm_unlock();
 		}
 #elif defined HP_MALLOC
 		int i;

modules/aaa_diameter/app_opensips/avps.c

@@ -581,6 +581,10 @@ int parse_attr_def(char *line, FILE *fp)
 		goto error;
 
 	nt_name = malloc(name_len + 1);
+	if (!nt_name) {
+		LOG_ERROR("Malloc failed\n");
+		return -1;
+	}
 	memcpy(nt_name, name, name_len);
 	nt_name[name_len] = '\0';
 
@@ -637,7 +641,6 @@ int parse_attr_def(char *line, FILE *fp)
 			goto error;
 
 		len -= newp - p;
-		p = newp;
 	}
 
 	if (avp_type != AVP_TYPE_GROUPED)
@@ -659,11 +662,13 @@ int parse_attr_def(char *line, FILE *fp)
 
 		if (avp_count >= 128) {
 			LOG_ERROR("max AVP count exceeded (128)\n");
+			free(nt_name);
 			return -1;
 		}
 
 		if (parse_avp_def(avps, &avp_count, p, len) != 0) {
 			LOG_ERROR("failed to parse Grouped sub-AVP line: '%s'\n", line);
+			free(nt_name);
 			return -1;
 		}
 	}
@@ -674,6 +679,7 @@ create_avp:;
 	if (enc_type != AVP_ENC_TYPE_NONE &&
 			dm_enc_add((vendor_id != -1?vendor_id:0), avp_code, enc_type) != 0) {
 		LOG_ERROR("failed to add encoding type\n");
+		free(nt_name);
 		return -1;
 	}
 
@@ -723,6 +729,7 @@ create_avp:;
 	return 0;
 error:
 	LOG_ERROR("failed to parse line: %s\n", line);
+	free(nt_name);
 	return -1;
 }
 

modules/aaa_diameter/dm_impl.c

@@ -2253,7 +2253,8 @@ int dm_enc_add(int vendor, int code, enum dict_avp_enc_type enc)
 			for (i = 0; i < dict_avp_enc_vendors_no; i++)
 				if (v[i].vendor > vendor)
 					break;
-			memmove(&v[i+1], &v[i], (dict_avp_enc_vendors_no - i) * sizeof *v);
+			if (i < dict_avp_enc_vendors_no)
+				memmove(&v[i+1], &v[i], (dict_avp_enc_vendors_no - i) * sizeof *v);
 			v = v + i;
 			dict_avp_enc_vendors_no++;
 			v->vendor = vendor;
@@ -2272,15 +2273,16 @@ int dm_enc_add(int vendor, int code, enum dict_avp_enc_type enc)
 	} else {
 		/* resize the avps */
 		a = realloc(v->avps, (v->avps_no + 1) * sizeof *a);
-		if (!v) {
+		if (!a) {
 			LM_ERR("oom for reallocating avps encoding\n");
 			return -1;
 		}
 		v->avps = a;
 		for (i = 0; i < v->avps_no; i++)
 			if (a[i].code > code)
 				break;
-		memmove(&a[i+1], &a[i], (v->avps_no - i) * sizeof *a);
+		if (i < v->avps_no)
+			memmove(&a[i+1], &a[i], (v->avps_no - i) * sizeof *a);
 		a = a + i;
 		v->avps_no++;
 	}

modules/aaa_radius/rad.c

@@ -67,7 +67,10 @@ uint32_t rc_get_ipaddr (char *host)
 	struct in_addr** addr_list;
 
 	he=resolvehost(host, 0/*do test if is ip*/);
-
+	if (!he) {
+		LM_ERR("Can't resolve host: %s\n", host);
+		return 0;
+	}
 	/* FIXME the function is not for IPV6 */
 	addr_list = (struct in_addr **)he->h_addr_list;
 	if (addr_list[0])

modules/acc/acc.c

@@ -322,7 +322,7 @@ int acc_log_request( struct sip_msg *rq, struct sip_msg *rpl)
 
 	if (ctx) {
 		/* get created value from context */
-		_created = ctx->created;
+		_created = (unsigned int)(unsigned long)ctx->created;
 		_setup_time = time(NULL) - _created;
 	}
 
@@ -862,7 +862,7 @@ int acc_aaa_request( struct sip_msg *req, struct sip_msg *rpl)
 	}
 
 	if (ctx) {
-		_created = ctx->created;
+		_created = (unsigned int)(unsigned long)ctx->created;
 		_setup_time = time(NULL) - _created;
 	}
 
@@ -1012,7 +1012,7 @@ int acc_aaa_cdrs(struct dlg_cell *dlg, struct sip_msg *msg, acc_ctx_t* ctx)
 	ADD_AAA_AVPAIR( offset + nr_leg_vals + 2, &av_type, -1);
 
 	/* Sip-Call-Created (229) */
-	av_type = ctx->created;
+	av_type = (uint32_t)(unsigned long)ctx->created;
 	ADD_AAA_AVPAIR( offset + nr_leg_vals + 3, &av_type, -1);
 
 	/* Sip-Call-MSDuration (230) */
@@ -1234,7 +1234,7 @@ int acc_evi_request( struct sip_msg *rq, struct sip_msg *rpl, int missed_flag)
 		return 1;
 
 	if (ctx) {
-		_created = ctx->created;
+		_created = (unsigned int)(unsigned long)ctx->created;
 		_setup_time = time(NULL) - _created;
 	}
 
@@ -1255,12 +1255,14 @@ int acc_evi_request( struct sip_msg *rq, struct sip_msg *rpl, int missed_flag)
 
 	for (extra=evi_leg_tags, nr_leg_vals=0; extra; extra=extra->next, nr_leg_vals++);
 
+	/* coverity[overrun-buffer-val: FALSE] */
 	if (missed_flag && evi_param_set_int(acc_env.ev_params[m+nr_leg_vals],
 		&_setup_time) < 0) {
 		LM_ERR("cannot set setuptime parameter\n");
 		goto end;
 	}
 
+	/* coverity[overrun-buffer-val: FALSE] */
 	if (missed_flag && evi_param_set_int(acc_env.ev_params[m+nr_leg_vals+1],
 		&_created) < 0) {
 		LM_ERR("cannot set created parameter\n");
@@ -1369,20 +1371,26 @@ int acc_evi_cdrs(struct dlg_cell *dlg, struct sip_msg *msg, acc_ctx_t* ctx)
 
 	ms_duration = TIMEVAL_MS_DIFF(start_time, ctx->bye_time);
 	duration = ceil((double)ms_duration/1000);
+
+	/* coverity[overrun-buffer-val: FALSE] */
 	if (evi_param_set_int(evi_cdr_params[ret+nr_leg_vals+1], &duration) < 0) {
 		LM_ERR("cannot set duration parameter\n");
 		goto end;
 	}
 
+	/* coverity[overrun-buffer-val: FALSE] */
 	if (evi_param_set_int(evi_cdr_params[ret+nr_leg_vals+2], &ms_duration) < 0) {
 		LM_ERR("cannot set duration parameter\n");
 		goto end;
 	}
 	setup_duration = start_time.tv_sec - ctx->created;
+
+	/* coverity[overrun-buffer-val: FALSE] */
 	if (evi_param_set_int(evi_cdr_params[ret+nr_leg_vals+3], &setup_duration) < 0) {
 		LM_ERR("cannot set setuptime parameter\n");
 		goto end;
 	}
+
 	if (evi_param_set_int(evi_cdr_params[ret+nr_leg_vals+4], &ctx->created) < 0) {
 		LM_ERR("cannot set created parameter\n");
 		goto end;

modules/acc/acc_logic.c

@@ -457,6 +457,7 @@ static inline void acc_onreply_in(struct cell *t, struct sip_msg *req,
 				|| (is_invite(t)
 					&& code >= 300
 					&& is_mc_acc_on(ctx->flags)))) {
+		/* coverity[check_return: FALSE] */
 		parse_headers(reply, HDR_TO_F, 0 );
 	}
 }

modules/auth_aka/aka_av_mgm.c

@@ -351,7 +351,7 @@ int aka_av_get_new_wait(struct aka_user *user, int algmask,
 					*av = aka_av_get_state(user, algmask, AKA_AV_NEW); /* one last time */
 					if (cond_has_timedout(&user->cond))
 						break;
-					if (!av) {
+					if (*av == NULL) {
 						/* compute the drift/reminder */
 						clock_gettime(CLOCK_REALTIME, &end);
 						milliseconds -= (end.tv_sec - begin.tv_sec) * 1000 +

modules/auth_aka/auth_aka.c

@@ -737,7 +737,7 @@ static int aka_challenge(struct sip_msg *_msg, struct aka_av_mgm *mgm, str *_rea
 
 	realm = (_realm?*_realm:str_init(""));
 	if (count > 1) {
-		avs = pkg_malloc(count * sizeof *av);
+		avs = pkg_malloc(count * sizeof *avs);
 		if (!avs) {
 			LM_ERR("could not allocate %d AVs\n", count);
 			return -1;

modules/auth_jwt/auth_jwt_certops.c

@@ -44,17 +44,18 @@ int extract_pub_key_from_cert(struct sip_msg* _msg, str* cert,
 
 	/* TODO - if x5c just add beggining & end */
 
+	if (cert == NULL) {
+		LM_ERR("Failed to parse certificate\n");
+		return -1;
+	}
+
 	bio = BIO_new_mem_buf((void*)cert->s,cert->len);
 	if (!bio) {
 		LM_ERR("Unable to create BIO buf\n");
 		return -1;
 	}
 
 	x509cert = PEM_read_bio_X509(bio, NULL, 0, NULL);
-	if (cert == NULL) {
-		LM_ERR("Failed to parse certificate\n");
-		goto err_free;
-	}
 
 	if ((pubkey = X509_get_pubkey(x509cert)) == NULL) {
 		LM_ERR("Failed to get pub key from certificate\n");

modules/b2b_entities/b2be_load.h

@@ -217,12 +217,12 @@ static inline b2b_dlginfo_t *b2b_new_dlginfo(str *callid, str *fromtag, str *tot
 	dlg->callid.s = (char *)(dlg + 1);
 	dlg->callid.len = callid->len;
 	memcpy(dlg->callid.s, callid->s, callid->len);
-	if (totag->s) {
+	if (totag && totag->s) {
 		dlg->totag.len = totag->len;
 		dlg->totag.s = dlg->callid.s + dlg->callid.len;
 		memcpy(dlg->totag.s, totag->s, totag->len);
 	}
-	if (fromtag->s) {
+	if (fromtag && fromtag->s) {
 		dlg->fromtag.len = fromtag->len;
 		dlg->fromtag.s = dlg->callid.s + dlg->callid.len + dlg->totag.len;
 		memcpy(dlg->fromtag.s, fromtag->s, fromtag->len);

modules/b2b_entities/dlg.c

@@ -3046,6 +3046,7 @@ void b2b_tm_cback(struct cell *t, b2b_table htable, struct tmcb_params *ps)
 	}
 	else
 	{
+		/* coverity[var_deref_model] */
 		dlg = b2b_search_htable_dlg(htable, hash_index, local_index,
 			&from_tag, (method_id==METHOD_CANCEL)?NULL:&to_tag, &callid);
 	}
@@ -3100,6 +3101,7 @@ void b2b_tm_cback(struct cell *t, b2b_table htable, struct tmcb_params *ps)
 			"transaction [%p]\n", dlg, dlg->uac_tran, t);
 		if(dlg_based_search)
 			/* coverity[swapped_arguments] */
+			/* coverity[var_deref_model] */
 			dlg = b2b_search_htable_next_dlg( previous_dlg, htable, hash_index,
 				local_index, &from_tag, &to_tag, &callid);
 		else

modules/b2b_entities/ua_api.c

@@ -319,8 +319,10 @@ struct ua_sess_t_list *insert_ua_sess_tl(str *b2b_key, unsigned int timeout)
 				tl->next = tmp;
 				ua_dlg_timer->first = tl;
 			} else {
-				tmp->prev->next = tl;
-				tl->prev = tmp->prev;
+				if (tmp->prev) {
+					tmp->prev->next = tl;
+					tl->prev = tmp->prev;
+				}
 				tl->next = tmp;
 				tmp->prev = tl;
 			}

modules/b2b_logic/b2b_logic.c

@@ -1728,7 +1728,7 @@ int pv_get_entity(struct sip_msg *msg, pv_param_t *param, pv_value_t *res)
 	b2bl_entity_id_t *curr_entities[MAX_BRIDGE_ENT];
 	b2bl_entity_id_t dummy_entity;
 	b2b_dlginfo_t dummy_dlginfo;
-	str callid;
+	str callid = {NULL, 0};
 	int i;
 	int locked = 0;
 
@@ -2168,11 +2168,8 @@ static str *b2bl_get_key(void)
 	int locked = 0;
 	b2bl_tuple_t *tuple = get_ctx_tuple(&locked);
 
-	if (!tuple) {
-		if (locked)
-			B2BL_LOCK_RELEASE_AUX(tuple->hash_index);
+	if (!tuple)
 		return NULL;
-	}
 
 	ret.s = buf;
 	ret.len = 0;