Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 8 Aug 2013 18:34:51 +0200
From:      Ulrich =?utf-8?B?U3DDtnJsZWlu?= <uqs@FreeBSD.org>
To:        Dag-Erling =?utf-8?B?U23Dg8W+cmdyYXY=?= <des@FreeBSD.org>
Cc:        svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject:   Re: svn commit: r253680 - in head: lib/libfetch usr.bin/fetch
Message-ID:  <20130808163451.GB54133@acme.spoerlein.net>
In-Reply-To: <201307261553.r6QFrhwu084667@svn.freebsd.org>
References:  <201307261553.r6QFrhwu084667@svn.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Fri, 2013-07-26 at 15:53:43 +0000, Dag-Erling SmÞrgrav wrote:
> Modified: head/lib/libfetch/common.c
> ==============================================================================
> --- head/lib/libfetch/common.c	Fri Jul 26 14:43:38 2013	(r253679)
> +++ head/lib/libfetch/common.c	Fri Jul 26 15:53:43 2013	(r253680)
> +static struct addrinfo *
> +fetch_ssl_get_numeric_addrinfo(const char *hostname, size_t len)
> +{
> +	struct addrinfo hints, *res;
> +	char *host;
> +
> +	host = (char *)malloc(len + 1);
> +	memcpy(host, hostname, len);
> +	host[len] = '\0';
> +	memset(&hints, 0, sizeof(hints));
> +	hints.ai_family = PF_UNSPEC;
> +	hints.ai_socktype = SOCK_STREAM;
> +	hints.ai_protocol = 0;
> +	hints.ai_flags = AI_NUMERICHOST;
> +	/* port is not relevant for this purpose */
> +	getaddrinfo(host, "443", &hints, &res);

We check the return value for getaddrinfo() 210 out of 217 times in our
tree, please check it here too. Thanks! CID 1061016

> +static int
> +fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
> +{
> +	X509_LOOKUP *crl_lookup;
> +	X509_STORE *crl_store;
> +	const char *ca_cert_file, *ca_cert_path, *crl_file;
> +
> +	if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
> +		ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ?
> +		    getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem";
> +		ca_cert_path = getenv("SSL_CA_CERT_PATH");
> +		if (verbose) {
> +			fetch_info("Peer verification enabled");
> +			if (ca_cert_file != NULL)
> +				fetch_info("Using CA cert file: %s",
> +				    ca_cert_file);
> +			if (ca_cert_path != NULL)
> +				fetch_info("Using CA cert path: %s",
> +				    ca_cert_path);
> +		}
> +		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER,
> +		    fetch_ssl_cb_verify_crt);

The return value is unchecked here. Coverity claims we check it 4 out of
5 times in our tree, please fix this one too. CID 1061015


Cheers,
Uli

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130808163451.GB54133>