[master]

[rt23833]
Clean up a number of items identified by the Coverity
static analysis tool.  Runs courtesy of Red Hat.

RELNOTES

@@ -142,6 +142,11 @@ work on other platforms. Please report any problems and suggested fixes to
   is only useful when doing load balancing within failover.
   [ISC-Bugs #26108]
 
+- Fix a set of issues that were discovered via a code inspection
+  tool.  Thanks to Jiri Popelka and Tomas Hozza Red Hat for the logs
+  and patches.
+  [ISC-Bugs #23833]
+
 			Changes since 4.2.3
 
 ! Add a check for a null pointer before calling the regexec function.

client/dhc6.c

@@ -214,8 +214,10 @@ dhcpv6_client_assignments(void)
 	memset(&DHCPv6DestAddr, 0, sizeof(DHCPv6DestAddr));
 	DHCPv6DestAddr.sin6_family = AF_INET6;
 	DHCPv6DestAddr.sin6_port = remote_port;
-	inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
-		  &DHCPv6DestAddr.sin6_addr);
+	if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
+		      &DHCPv6DestAddr.sin6_addr) <= 0) {
+		log_fatal("Bad address %s", All_DHCP_Relay_Agents_and_Servers);
+	}
 
 	code = D6O_CLIENTID;
 	if (!option_code_hash_lookup(&clientid_option,
@@ -656,7 +658,8 @@ dhc6_leaseify(struct packet *packet)
 	 * not sure based on what additional keys now).
 	 */
 	oc = lookup_option(&dhcpv6_universe, packet->options, D6O_SERVERID);
-	if (!evaluate_option_cache(&lease->server_id, packet, NULL, NULL,
+	if ((oc == NULL) ||
+	    !evaluate_option_cache(&lease->server_id, packet, NULL, NULL,
 				   lease->options, NULL, &global_scope,
 				   oc, MDL) ||
 	    lease->server_id.len == 0) {

common/alloc.c

@@ -3,7 +3,8 @@
    Memory allocation... */
 
 /*
- * Copyright (c) 2004-2007,2009 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2009,2012 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2004-2007 by Internet Systems Consortium, Inc. ("ISC")
  * Copyright (c) 1996-2003 by Internet Software Consortium
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -831,11 +832,11 @@ int dns_host_entry_dereference (ptr, file, line)
 #endif
 	}
 
-	(*ptr) -> refcnt--;
-	rc_register (file, line, ptr, *ptr, (*ptr) -> refcnt, 1, RC_MISC);
-	if (!(*ptr) -> refcnt)
+	(*ptr)->refcnt--;
+	rc_register (file, line, ptr, *ptr, (*ptr)->refcnt, 1, RC_MISC);
+	if ((*ptr)->refcnt == 0) {
 		dfree ((*ptr), file, line);
-	if ((*ptr) -> refcnt < 0) {
+	} else if ((*ptr)->refcnt < 0) {
 		log_error ("%s(%d): negative refcnt!", file, line);
 #if defined (DEBUG_RC_HISTORY)
 		dump_rc_history (*ptr);

common/comapi.c

@@ -692,7 +692,6 @@ isc_result_t dhcp_subnet_signal_handler (omapi_object_t *h,
 	/* In this function h should be a (struct subnet *) */
 
 	isc_result_t status;
-	int updatep = 0;
 
 	if (h -> type != dhcp_type_subnet)
 		return DHCP_R_INVALIDARG;
@@ -706,8 +705,7 @@ isc_result_t dhcp_subnet_signal_handler (omapi_object_t *h,
 		if (status == ISC_R_SUCCESS)
 			return status;
 	}
-	if (updatep)
-		return ISC_R_SUCCESS;
+
 	return ISC_R_NOTFOUND;
 }
 
@@ -861,7 +859,6 @@ isc_result_t dhcp_shared_network_signal_handler (omapi_object_t *h,
 	/* In this function h should be a (struct shared_network *) */
 
 	isc_result_t status;
-	int updatep = 0;
 
 	if (h -> type != dhcp_type_shared_network)
 		return DHCP_R_INVALIDARG;
@@ -875,8 +872,7 @@ isc_result_t dhcp_shared_network_signal_handler (omapi_object_t *h,
 		if (status == ISC_R_SUCCESS)
 			return status;
 	}
-	if (updatep)
-		return ISC_R_SUCCESS;
+
 	return ISC_R_NOTFOUND;
 }
 

common/lpf.c

@@ -4,7 +4,8 @@
    Support Services in Vancouver, B.C. */
 
 /*
- * Copyright (c) 2004,2007,2009 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2009,2012 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2004,2007 by Internet Systems Consortium, Inc. ("ISC")
  * Copyright (c) 1996-2003 by Internet Software Consortium
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -463,9 +464,9 @@ get_hw_addr(const char *name, struct hardware *hw) {
 			memcpy(&hw->hbuf[1], sa->sa_data, 6);
 			break;
 		case ARPHRD_FDDI:
-			hw->hlen = 17;
+			hw->hlen = 7;
 			hw->hbuf[0] = HTYPE_FDDI;
-			memcpy(&hw->hbuf[1], sa->sa_data, 16);
+			memcpy(&hw->hbuf[1], sa->sa_data, 6);
 			break;
 		default:
 			log_fatal("Unsupported device type %ld for \"%s\"",

common/options.c

@@ -258,9 +258,14 @@ int parse_option_buffer (options, buffer, length, universe)
 				option_cache_reference(&op->next, nop, MDL);
 				option_cache_dereference(&nop, MDL);
 			} else {
-				save_option_buffer(universe, options, bp,
-						   bp->data + offset, len,
-						   code, 1);
+				if (save_option_buffer(universe, options, bp,
+						       bp->data + offset, len,
+						       code, 1) == 0) {
+					log_error("parse_option_buffer: "
+						  "save_option_buffer failed");
+					buffer_dereference(&bp, MDL);
+					return 0;
+				}
 			}
 		}
 		option_dereference(&option, MDL);
@@ -517,6 +522,8 @@ int fqdn_universe_decode (struct option_state *options,
  * Load all options into a buffer, and then split them out into the three
  * separate fields in the dhcp packet (options, file, and sname) where
  * options can be stored.
+ *
+ * returns 0 on error, length of packet on success
  */
 int
 cons_options(struct packet *inpacket, struct dhcp_packet *outpacket,
@@ -553,10 +560,10 @@ cons_options(struct packet *inpacket, struct dhcp_packet *outpacket,
 
 	if (inpacket &&
 	    (op = lookup_option(&dhcp_universe, inpacket->options,
-				 DHO_DHCP_MAX_MESSAGE_SIZE))) {
-		evaluate_option_cache(&ds, inpacket,
-				       lease, client_state, in_options,
-				       cfg_options, scope, op, MDL);
+				DHO_DHCP_MAX_MESSAGE_SIZE)) &&
+	    (evaluate_option_cache(&ds, inpacket, lease,
+				   client_state, in_options,
+				   cfg_options, scope, op, MDL) != 0)) {
 		if (ds.len >= sizeof (u_int16_t)) {
 			i = getUShort(ds.data);
 			if(!mms || (i < mms))
@@ -679,7 +686,7 @@ cons_options(struct packet *inpacket, struct dhcp_packet *outpacket,
 		 * in the packet if there is space.  Note that the option
 		 * may only be included if the client supplied one.
 		 */
-		if ((priority_len < PRIORITY_COUNT) &&
+		if ((inpacket != NULL) && (priority_len < PRIORITY_COUNT) &&
 		    (lookup_option(&fqdn_universe, inpacket->options,
 				   FQDN_ENCODED) != NULL))
 			priority_list[priority_len++] = DHO_FQDN;
@@ -695,7 +702,7 @@ cons_options(struct packet *inpacket, struct dhcp_packet *outpacket,
 		 * DHCPINFORM or DHCPLEASEQUERY responses (if the client
 		 * didn't request it).
 		 */
-		if ((priority_len < PRIORITY_COUNT) &&
+		if ((inpacket != NULL) && (priority_len < PRIORITY_COUNT) &&
 		    ((inpacket->packet_type == DHCPDISCOVER) ||
 		     (inpacket->packet_type == DHCPREQUEST)))
 			priority_list[priority_len++] = DHO_SUBNET_MASK;
@@ -1266,11 +1273,12 @@ store_options(int *ocount,
 						 cfg_options,
 						 vendor_cfg_option -> code);
 			    if (tmp)
-				evaluate_option_cache (&name, packet, lease,
-						       client_state,
-						       in_options,
-						       cfg_options,
-						       scope, tmp, MDL);
+				/* No need to check the return as we check name.len below */
+				(void) evaluate_option_cache (&name, packet, lease,
+							      client_state,
+							      in_options,
+							      cfg_options,
+							      scope, tmp, MDL);
 			} else if (vuname) {
 			    name.data = (unsigned char *)s;
 			    name.len = strlen (s);
@@ -1308,9 +1316,10 @@ store_options(int *ocount,
 	    /* Find the value of the option... */
 	    od.len = 0;
 	    if (oc) {
-		evaluate_option_cache (&od, packet,
-				       lease, client_state, in_options,
-				       cfg_options, scope, oc, MDL);
+		/* No need to check the return as we check od.len below */
+		(void) evaluate_option_cache (&od, packet,
+					      lease, client_state, in_options,
+					      cfg_options, scope, oc, MDL);
 
 		/* If we have encapsulation for this option, and an oc
 		 * lookup succeeded, but the evaluation failed, it is
@@ -3143,9 +3152,11 @@ int fqdn_option_space_encapsulate (result, packet, lease, client_state,
 		struct option_cache *oc = (struct option_cache *)(ocp -> car);
 		if (oc -> option -> code > FQDN_SUBOPTION_COUNT)
 			continue;
-		evaluate_option_cache (&results [oc -> option -> code],
-				       packet, lease, client_state, in_options,
-				       cfg_options, scope,  oc, MDL);
+		/* No need to check the return code, we check the length later */
+		(void) evaluate_option_cache (&results[oc->option->code],
+					      packet, lease, client_state,
+					      in_options, cfg_options, scope,
+					      oc, MDL);
 	}
 	/* We add a byte for the flags field.
 	 * We add two bytes for the two RCODE fields.
@@ -3310,10 +3321,10 @@ fqdn6_option_space_encapsulate(struct data_string *result,
 		oc = (struct option_cache *)(ocp->car);
 		if (oc->option->code > FQDN_SUBOPTION_COUNT)
 			log_fatal("Impossible condition at %s:%d.", MDL);
-
-		evaluate_option_cache(&results[oc->option->code], packet,
-				      lease, client_state, in_options,
-				      cfg_options, scope, oc, MDL);
+		/* No need to check the return code, we check the length later */
+		(void) evaluate_option_cache(&results[oc->option->code], packet,
+					     lease, client_state, in_options,
+					     cfg_options, scope, oc, MDL);
 	}
 
 	/* We add a byte for the flags field at the start of the option.

common/parse.c

@@ -675,7 +675,23 @@ void parse_lease_time (cfile, timep)
    the token specified in separator.  If max is zero, any number of
    numbers will be parsed; otherwise, exactly max numbers are
    expected.  Base and size tell us how to internalize the numbers
-   once they've been tokenized. */
+   once they've been tokenized.
+
+   buf - A pointer to space to return the parsed value, if it is null
+   then the function will allocate space for the return.
+
+   max - The maximum number of items to store.  If zero there is no
+   maximum.  When buf is null and the function needs to allocate space
+   it will do an allocation of max size at the beginning if max is non
+   zero.  If max is zero then the allocation will be done later, after
+   the function has determined the size necessary for the incoming
+   string.
+
+   returns NULL on errors or a pointer to the value string on success.
+   The pointer will either be buf if it was non-NULL or newly allocated
+   space if buf was NULL
+ */
+
 
 unsigned char *parse_numeric_aggregate (cfile, buf,
 					max, separator, base, size)
@@ -696,9 +712,8 @@ unsigned char *parse_numeric_aggregate (cfile, buf,
 		bufp = (unsigned char *)dmalloc (*max * size / 8, MDL);
 		if (!bufp)
 			log_fatal ("no space for numeric aggregate");
-		s = 0;
-	} else
-		s = bufp;
+	}
+	s = bufp;
 
 	do {
 		if (count) {
@@ -713,6 +728,9 @@ unsigned char *parse_numeric_aggregate (cfile, buf,
 				parse_warn (cfile, "too few numbers.");
 				if (token != SEMI)
 					skip_to_semi (cfile);
+				/* free bufp if it was allocated */
+				if ((bufp != NULL) && (bufp != buf))
+					dfree(bufp, MDL);
 				return (unsigned char *)0;
 			}
 			token = next_token (&val, (unsigned *)0, cfile);
@@ -729,7 +747,17 @@ unsigned char *parse_numeric_aggregate (cfile, buf,
 		    (base != 16 || token != NUMBER_OR_NAME)) {
 			parse_warn (cfile, "expecting numeric value.");
 			skip_to_semi (cfile);
-			return (unsigned char *)0;
+			/* free bufp if it was allocated */
+			if ((bufp != NULL) && (bufp != buf))
+				dfree(bufp, MDL);
+			/* free any linked numbers we may have allocated */
+			while (c) {
+				pair cdr = c->cdr;
+				dfree(c->car, MDL);
+				dfree(c, MDL);
+				c = cdr;
+			}
+			return (NULL);
 		}
 		/* If we can, convert the number now; otherwise, build
 		   a linked list of all the numbers. */
@@ -747,6 +775,10 @@ unsigned char *parse_numeric_aggregate (cfile, buf,
 
 	/* If we had to cons up a list, convert it now. */
 	if (c) {
+		/*
+		 * No need to cleanup bufp, to get here we didn't allocate
+		 * bufp above
+		 */
 		bufp = (unsigned char *)dmalloc (count * size / 8, MDL);
 		if (!bufp)
 			log_fatal ("no space for numeric aggregate.");
@@ -1870,7 +1902,7 @@ int parse_base64 (data, cfile)
 		parse_warn (cfile, "can't allocate buffer for base64 data.");
 		data -> len = 0;
 		data -> data = (unsigned char *)0;
-		return 0;
+		goto out;
 	}
 		
 	j = k = 0;
@@ -5258,6 +5290,8 @@ int parse_option_token (rv, cfile, fmt, expr, uniform, lookups)
 			return 0;
 		}
 		*fmt = g;
+		/* FALL THROUGH */
+		/* to get string value for the option */
 	      case 'X':
 		token = peek_token (&val, (unsigned *)0, cfile);
 		if (token == NUMBER_OR_NAME || token == NUMBER) {
@@ -5549,6 +5583,8 @@ int parse_option_decl (oc, cfile)
 						    "encapsulation format");
 					goto parse_exit;
 				}
+				/* FALL THROUGH */
+				/* to get string value for the option */
 			      case 'X':
 				len = parse_X (cfile, &hunkbuf [hunkix],
 					       sizeof hunkbuf - hunkix);
@@ -5760,8 +5796,6 @@ int parse_option_decl (oc, cfile)
 	bp = (struct buffer *)0;
 	if (!buffer_allocate (&bp, hunkix + nul_term, MDL))
 		log_fatal ("no memory to store option declaration.");
-	if (!bp -> data)
-		log_fatal ("out of memory allocating option data.");
 	memcpy (bp -> data, hunkbuf, hunkix + nul_term);
 	
 	if (!option_cache_allocate (oc, MDL))

common/print.c

@@ -1134,6 +1134,7 @@ static unsigned print_subexpression (expr, buf, len)
 			buf [rv] = 0;
 			return rv;
 		}
+		break;
 
 	      case expr_gethostname:
 		if (len > 13) {
@@ -1245,7 +1246,12 @@ int token_print_indent (FILE *file, int col, int indent,
 			const char *prefix,
 			const char *suffix, const char *buf)
 {
-	int len = strlen (buf) + strlen (prefix);
+	int len = 0;
+	if (prefix != NULL)
+		len = strlen (prefix);
+	if (buf != NULL)
+		len += strlen (buf);
+
 	if (col + len > 79) {
 		if (indent + len < 79) {
 			indent_spaces (file, indent);
@@ -1258,8 +1264,10 @@ int token_print_indent (FILE *file, int col, int indent,
 		fputs (prefix, file);
 		col += strlen (prefix);
 	}
-	fputs (buf, file);
-	col += len;
+	if ((buf != NULL) && (*buf != 0)) {
+		fputs (buf, file);
+		col += strlen(buf);
+	}
 	if (suffix && *suffix) {
 		if (col + strlen (suffix) > 79) {
 			indent_spaces (file, indent);

common/tree.c

@@ -2902,10 +2902,17 @@ int evaluate_numeric_expression (result, packet, lease, client_state,
 	return 0;
 }
 
-/* Return data hanging off of an option cache structure, or if there
-   isn't any, evaluate the expression hanging off of it and return the
-   result of that evaluation.   There should never be both an expression
-   and a valid data_string. */
+/*
+ * Return data hanging off of an option cache structure, or if there
+ * isn't any, evaluate the expression hanging off of it and return the
+ * result of that evaluation.   There should never be both an expression
+ * and a valid data_string.
+ *
+ * returns 0 if there wasn't an expression or it couldn't be evaluated
+ * returns non-zero if there was an expression or string that was evaluated
+ * When it returns zero the arguements, in particualr resutl,  should not
+ * be modified
+ */
 
 int evaluate_option_cache (result, packet, lease, client_state,
 			   in_options, cfg_options, scope, oc, file, line)
@@ -3613,6 +3620,7 @@ int write_expression (file, expr, col, indent, firstp)
 		col = write_expression (file, expr -> data.suffix.len,
 					col, scol, 0);
 		col = token_print_indent (file, col, indent, "", "", ")");
+		break;
 
 	      case expr_lcase:
 		col = token_print_indent(file, col, indent, "", "", "lcase");
@@ -4148,19 +4156,10 @@ int fundef_dereference (ptr, file, line)
 	const char *file;
 	int line;
 {
-	struct fundef *bp = *ptr;
+	struct fundef *bp;
 	struct string_list *sp, *next;
 
-	if (!ptr) {
-		log_error ("%s(%d): null pointer", file, line);
-#if defined (POINTER_DEBUG)
-		abort ();
-#else
-		return 0;
-#endif
-	}
-
-	if (!bp) {
+	if ((ptr == NULL) || (*ptr == NULL)) {
 		log_error ("%s(%d): null pointer", file, line);
 #if defined (POINTER_DEBUG)
 		abort ();
@@ -4169,6 +4168,7 @@ int fundef_dereference (ptr, file, line)
 #endif
 	}
 
+	bp = *ptr;
 	bp -> refcnt--;
 	rc_register (file, line, ptr, bp, bp -> refcnt, 1, RC_MISC);
 	if (bp -> refcnt < 0) {
@@ -4440,11 +4440,11 @@ int find_bound_string (struct data_string *value,
 	if (binding -> value -> value.data.terminated) {
 		data_string_copy (value, &binding -> value -> value.data, MDL);
 	} else {
-		buffer_allocate (&value -> buffer,
-				 binding -> value -> value.data.len,
-				 MDL);
-		if (!value -> buffer)
+		if (buffer_allocate (&value->buffer,
+				     binding->value->value.data.len,
+				     MDL) == 0) {
 			return 0;
+		}
 
 		memcpy (value -> buffer -> data,
 			binding -> value -> value.data.data,

dst/dst_api.c

@@ -349,7 +349,7 @@ dst_read_key(const char *in_keyname, const unsigned in_id,
 		EREPORT(("dst_read_private_key(): Null key name passed in\n"));
 		return (NULL);
 	} else
-		strcpy(keyname, in_keyname);
+		strncpy(keyname, in_keyname, PATH_MAX);
 
 	/* before I read in the public key, check if it is allowed to sign */
 	if ((pubkey = dst_s_read_public_key(keyname, in_id, in_alg)) == NULL)
@@ -443,6 +443,7 @@ dst_s_write_private_key(const DST_KEY *key)
 		if ((nn = fwrite(encoded_block, 1, len, fp)) != len) {
 			EREPORT(("dst_write_private_key(): Write failure on %s %d != %d errno=%d\n",
 				 file, out_len, nn, errno));
+			fclose(fp);
 			return (-5);
 		}
 		fclose(fp);
@@ -663,7 +664,7 @@ dst_dnskey_to_key(const char *in_name,
 	int alg ;
 	int start = DST_KEY_START;
 
-	if (rdata == NULL || len <= DST_KEY_ALG) /* no data */
+	if (in_name == NULL || rdata == NULL || len <= DST_KEY_ALG) /* no data */
 		return (NULL);
 	alg = (u_int8_t) rdata[DST_KEY_ALG];
 	if (!dst_check_algorithm(alg)) { /* make sure alg is available */
@@ -674,8 +675,6 @@ dst_dnskey_to_key(const char *in_name,
 	if ((key_st = dst_s_get_key_struct(in_name, alg, 0, 0, 0)) == NULL)
 		return (NULL);
 
-	if (in_name == NULL)
-		return (NULL);
 	key_st->dk_flags = dst_s_get_int16(rdata);
 	key_st->dk_proto = (u_int16_t) rdata[DST_KEY_PROT];
 	if (key_st->dk_flags & DST_EXTEND_FLAG) {
@@ -795,10 +794,12 @@ dst_buffer_to_key(const char *key_name,		/* name of the key */
 	    dkey->dk_func->from_dns_key != NULL) {
 		if (dkey->dk_func->from_dns_key(dkey, key_buf, key_len) < 0) {
 			EREPORT(("dst_buffer_to_key(): dst_buffer_to_hmac failed\n"));
-			return (dst_free_key(dkey));
+			(void) (dst_free_key(dkey));
+			return (NULL);
 		}
 		return (dkey);
 	}
+	(void) (dst_free_key(dkey));
 	return (NULL);
 }
 
@@ -1012,11 +1013,9 @@ dst_free_key(DST_KEY *f_key)
 	else {
 		EREPORT(("dst_free_key(): Unknown key alg %d\n",
 			 f_key->dk_alg));
-		free(f_key->dk_KEY_struct);	/* SHOULD NOT happen */
 	}
 	if (f_key->dk_KEY_struct) {
-		free(f_key->dk_KEY_struct);
-		f_key->dk_KEY_struct = NULL;
+		SAFE_FREE(f_key->dk_KEY_struct);
 	}
 	if (f_key->dk_key_name)
 		SAFE_FREE(f_key->dk_key_name);

dst/dst_support.c

@@ -4,6 +4,7 @@ static const char rcsid[] = "$Header: /tmp/cvstest/DHCP/dst/dst_support.c,v 1.7
 /*
  * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
  * Portions Copyright (c) 2007,2009 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 2012 by Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -58,6 +59,7 @@ dst_s_conv_bignum_u8_to_b64(char *out_buf, const unsigned out_len,
 {
 	const u_char *bp = bin_data;
 	char *op = out_buf;
+	int res = 0;
 	unsigned lenh = 0, len64 = 0;
 	unsigned local_in_len = bin_len;
 	unsigned local_out_len = out_len;
@@ -81,9 +83,10 @@ dst_s_conv_bignum_u8_to_b64(char *out_buf, const unsigned out_len,
 		local_out_len -= lenh;
 		op += lenh;
 	}
-	len64 = b64_ntop(bp, local_in_len, op, local_out_len - 2);
-	if (len64 < 0)
+	res = b64_ntop(bp, local_in_len, op, local_out_len - 2);
+	if (res < 0)
 		return (-1);
+	len64 = (unsigned) res;
 	op += len64++;
 	*(op++) = '\n';		/* put CR in the output */
 	*op = '\0';		/* make sure output is 0 terminated */
@@ -150,6 +153,7 @@ dst_s_conv_bignum_b64_to_u8(const char **buf,
 	unsigned blen;
 	char *bp;
 	u_char bstr[RAW_KEY_SIZE];
+	int res = 0;
 
 	if (buf == NULL || *buf == NULL) {	/* error checks */
 		EREPORT(("dst_s_conv_bignum_b64_to_u8: null input buffer.\n"));
@@ -159,12 +163,13 @@ dst_s_conv_bignum_b64_to_u8(const char **buf,
 	if (bp != NULL)
 		*bp = '\0';
 
-	blen = b64_pton(*buf, bstr, sizeof(bstr));
-	if (blen <= 0) {
+	res = b64_pton(*buf, bstr, sizeof(bstr));
+	if (res <= 0) {
 		EREPORT(("dst_s_conv_bignum_b64_to_u8: decoded value is null.\n"));
 		return (0);
 	}
-	else if (loclen < blen) {
+	blen = (unsigned) res;
+	if (loclen < blen) {
 		EREPORT(("dst_s_conv_bignum_b64_to_u8: decoded value is longer than output buffer.\n"));
 		return (0);
 	}
@@ -429,7 +434,7 @@ dst_s_fopen(const char *filename, const char *mode, unsigned perm)
 	unsigned plen = sizeof(pathname);
 
 	if (*dst_path != '\0') {
-		strcpy(pathname, dst_path);
+		strncpy(pathname, dst_path, PATH_MAX);
 		plen -= strlen(pathname);
 	}
 	else 

dst/hmac_link.c

@@ -5,6 +5,7 @@ static const char rcsid[] = "$Header: /tmp/cvstest/DHCP/dst/hmac_link.c,v 1.6 20
 /*
  * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
  * Portions Copyright (c) 2007,2009 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 2012 by Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -87,6 +88,10 @@ dst_hmac_md5_sign(const int mode, DST_KEY *d_key, void **context,
 	int sign_len = 0;
 	MD5_CTX *ctx = NULL;
 
+	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
+		return (-1);
+	key = (HMAC_Key *) d_key->dk_KEY_struct;
+
 	if (mode & SIG_MODE_INIT) 
 		ctx = (MD5_CTX *) malloc(sizeof(*ctx));
 	else if (context)
@@ -94,10 +99,6 @@ dst_hmac_md5_sign(const int mode, DST_KEY *d_key, void **context,
 	if (ctx == NULL) 
 		return (-1);
 
-	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
-		return (-1);
-	key = (HMAC_Key *) d_key->dk_KEY_struct;
-
 	if (mode & SIG_MODE_INIT) {
 		MD5Init(ctx);
 		MD5Update(ctx, key->hk_ipad, HMAC_LEN);
@@ -154,6 +155,10 @@ dst_hmac_md5_verify(const int mode, DST_KEY *d_key, void **context,
 	HMAC_Key *key;
 	MD5_CTX *ctx = NULL;
 
+	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
+		return (-1);
+	key = (HMAC_Key *) d_key->dk_KEY_struct;
+
 	if (mode & SIG_MODE_INIT) 
 		ctx = (MD5_CTX *) malloc(sizeof(*ctx));
 	else if (context)
@@ -161,10 +166,6 @@ dst_hmac_md5_verify(const int mode, DST_KEY *d_key, void **context,
 	if (ctx == NULL) 
 		return (-1);
 
-