From owner-svn-src-head@FreeBSD.ORG Thu Aug 8 16:34:54 2013 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 23B5F5BF; Thu, 8 Aug 2013 16:34:54 +0000 (UTC) (envelope-from uqs@FreeBSD.org) Received: from acme.spoerlein.net (acme.spoerlein.net [IPv6:2a01:4f8:131:23c2::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 9959922BF; Thu, 8 Aug 2013 16:34:53 +0000 (UTC) Received: from localhost (acme.spoerlein.net [IPv6:2a01:4f8:131:23c2::1]) by acme.spoerlein.net (8.14.7/8.14.7) with ESMTP id r78GYpEp068869 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 8 Aug 2013 18:34:51 +0200 (CEST) (envelope-from uqs@FreeBSD.org) Date: Thu, 8 Aug 2013 18:34:51 +0200 From: Ulrich =?utf-8?B?U3DDtnJsZWlu?= To: Dag-Erling =?utf-8?B?U23Dg8W+cmdyYXY=?= Subject: Re: svn commit: r253680 - in head: lib/libfetch usr.bin/fetch Message-ID: <20130808163451.GB54133@acme.spoerlein.net> Mail-Followup-To: Ulrich =?utf-8?B?U3DDtnJsZWlu?= , Dag-Erling =?utf-8?B?U23Dg8W+cmdyYXY=?= , src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org References: <201307261553.r6QFrhwu084667@svn.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <201307261553.r6QFrhwu084667@svn.freebsd.org> User-Agent: Mutt/1.5.21 (2010-09-15) Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Aug 2013 16:34:54 -0000 On Fri, 2013-07-26 at 15:53:43 +0000, Dag-Erling SmÞrgrav wrote: > Modified: head/lib/libfetch/common.c > ============================================================================== > --- head/lib/libfetch/common.c Fri Jul 26 14:43:38 2013 (r253679) > +++ head/lib/libfetch/common.c Fri Jul 26 15:53:43 2013 (r253680) > +static struct addrinfo * > +fetch_ssl_get_numeric_addrinfo(const char *hostname, size_t len) > +{ > + struct addrinfo hints, *res; > + char *host; > + > + host = (char *)malloc(len + 1); > + memcpy(host, hostname, len); > + host[len] = '\0'; > + memset(&hints, 0, sizeof(hints)); > + hints.ai_family = PF_UNSPEC; > + hints.ai_socktype = SOCK_STREAM; > + hints.ai_protocol = 0; > + hints.ai_flags = AI_NUMERICHOST; > + /* port is not relevant for this purpose */ > + getaddrinfo(host, "443", &hints, &res); We check the return value for getaddrinfo() 210 out of 217 times in our tree, please check it here too. Thanks! CID 1061016 > +static int > +fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) > +{ > + X509_LOOKUP *crl_lookup; > + X509_STORE *crl_store; > + const char *ca_cert_file, *ca_cert_path, *crl_file; > + > + if (getenv("SSL_NO_VERIFY_PEER") == NULL) { > + ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ? > + getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem"; > + ca_cert_path = getenv("SSL_CA_CERT_PATH"); > + if (verbose) { > + fetch_info("Peer verification enabled"); > + if (ca_cert_file != NULL) > + fetch_info("Using CA cert file: %s", > + ca_cert_file); > + if (ca_cert_path != NULL) > + fetch_info("Using CA cert path: %s", > + ca_cert_path); > + } > + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, > + fetch_ssl_cb_verify_crt); The return value is unchecked here. Coverity claims we check it 4 out of 5 times in our tree, please fix this one too. CID 1061015 Cheers, Uli