File _service:tar_scm:openssh-6.7p1-coverity.patch of Package openssh

Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.7p1-coverity.patch

diff --git a/auth-krb5.c b/auth-krb5.c
index d80c3ab..71ea1e3 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environm
 		umask(old_umask);
 		if (tmpfd == -1) {
 			logit("mkstemp(): %.100s", strerror(oerrno));
+			free(ccname);
 			return oerrno;
 		}
 
@@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environm
 			oerrno = errno;
 			logit("fchmod(): %.100s", strerror(oerrno));
 			close(tmpfd);
+			free(ccname);
 			return oerrno;
 		}
 		/* make sure the KRB5CCNAME is set for non-standard location */
diff --git a/auth-options.c b/auth-options.c
index 7cb2a64..a4b1db4 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -723,6 +723,7 @@ serialise_array(struct sshbuf *m, char **a, size_t n)
 		return r;
 	}
 	/* success */
+	sshbuf_free(b);
 	return 0;
 }
 
diff --git a/channels.c b/channels.c
index 300c753..ea4d8da 100644
--- a/channels.c
+++ b/channels.c
@@ -4081,7 +4081,7 @@ int
 channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
 {
 	int r, success = 0, idx = -1;
-	char *host_to_connect, *listen_host, *listen_path;
+	char *host_to_connect = NULL, *listen_host = NULL, *listen_path = NULL;
 	int port_to_connect, listen_port;
 
 	/* Send the forward request to the remote side. */
@@ -4109,7 +4109,6 @@ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
 	success = 1;
 	if (success) {
 		/* Record that connection to this host/port is permitted. */
-		host_to_connect = listen_host = listen_path = NULL;
 		port_to_connect = listen_port = 0;
 		if (fwd->connect_path != NULL) {
 			host_to_connect = xstrdup(fwd->connect_path);
@@ -4130,6 +4129,9 @@ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
 		    host_to_connect, port_to_connect,
 		    listen_host, listen_path, listen_port, NULL);
 	}
+	free(host_to_connect);
+	free(listen_host);
+	free(listen_path);
 	return idx;
 }
 
diff --git a/dns.c b/dns.c
index f2310be..15218f1 100644
--- a/dns.c
+++ b/dns.c
@@ -259,6 +259,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 		    &hostkey_digest, &hostkey_digest_len, hostkey)) {
 			error("Error calculating key fingerprint.");
 			freerrset(fingerprints);
+				free(dnskey_digest);
 			return -1;
 		}
 
diff --git a/gss-genr.c b/gss-genr.c
index 9f9745b..810b382 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -168,8 +168,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
 			enclen = __b64_ntop(digest,
 			    ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
 			    ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
-
+#pragma GCC diagnostic ignored "-Wstringop-overflow"
 			cp = strncpy(s, kex, strlen(kex));
+#pragma pop
 			for ((p = strsep(&cp, ",")); p && *p != '\0';
 				(p = strsep(&cp, ","))) {
 				if (sshbuf_len(buf) != 0 &&
diff --git a/kexgssc.c b/kexgssc.c
index 1c62740..080cf04 100644
--- a/kexgssc.c
+++ b/kexgssc.c
@@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh)
 	default:
 		fatal_f("Unexpected KEX type %d", kex->kex_type);
 	}
-	if (r != 0)
+	if (r != 0) {
+		ssh_gssapi_delete_ctx(&ctxt);
 		return r;
+	}
 
 	token_ptr = GSS_C_NO_BUFFER;
 
diff --git a/krl.c b/krl.c
index 473a9d7..ae19762 100644
--- a/krl.c
+++ b/krl.c
@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
 	sshkey_free(key);
 	sshbuf_free(copy);
 	sshbuf_free(sect);
+	/* coverity[leaked_storage : FALSE] */
 	return r;
 }
 
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
 		return r;
 	erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
 	free(rb.blob);
+	rb.blob = NULL; /* make coverity happy */
 	if (erb != NULL) {
 		KRL_DBG(("revoked by key SHA1"));
 		return SSH_ERR_KEY_REVOKED;
@@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
 		return r;
 	erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb);
 	free(rb.blob);
+	rb.blob = NULL; /* make coverity happy */
 	if (erb != NULL) {
 		KRL_DBG(("revoked by key SHA256"));
 		return SSH_ERR_KEY_REVOKED;
@@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
 		return r;
 	erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
 	free(rb.blob);
+	rb.blob = NULL; /* make coverity happy */
 	if (erb != NULL) {
 		KRL_DBG(("revoked by explicit key"));
 		return SSH_ERR_KEY_REVOKED;
diff --git a/loginrec.c b/loginrec.c
index 4f21499..e0606be 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -691,9 +691,11 @@ construct_utmp(struct logininfo *li,
 	 */
 
 	/* Use strncpy because we don't necessarily want null termination */
+	/* coverity[buffer_size_warning : FALSE] */
 	strncpy(ut->ut_name, li->username,
 	    MIN_SIZEOF(ut->ut_name, li->username));
 # ifdef HAVE_HOST_IN_UTMP
+	/* coverity[buffer_size_warning : FALSE] */
 	strncpy(ut->ut_host, li->hostname,
 	    MIN_SIZEOF(ut->ut_host, li->hostname));
 # endif
@@ -1691,6 +1693,7 @@ record_failed_login(struct ssh *ssh, const char *username, const char *hostname,
 
 	memset(&ut, 0, sizeof(ut));
 	/* strncpy because we don't necessarily want nul termination */
+	/* coverity[buffer_size_warning : FALSE] */
 	strncpy(ut.ut_user, username, sizeof(ut.ut_user));
 	strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line));
 
@@ -1700,6 +1703,7 @@ record_failed_login(struct ssh *ssh, const char *username, const char *hostname,
 	ut.ut_pid = getpid();
 
 	/* strncpy because we don't necessarily want nul termination */
+	/* coverity[buffer_size_warning : FALSE] */
 	strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
 
 	if (ssh_packet_connection_is_on_socket(ssh) &&
diff --git a/misc.c b/misc.c
index e4d3120..5420e24 100644
--- a/misc.c
+++ b/misc.c
@@ -1492,6 +1492,8 @@ sanitise_stdfd(void)
 	}
 	if (nullfd > STDERR_FILENO)
 		close(nullfd);
+	/* coverity[leaked_handle : FALSE]*/
+	/* coverity[leaked_handle : FALSE]*/
 }
 
 char *
@@ -2625,6 +2627,7 @@ stdfd_devnull(int do_stdin, int do_stdout, int do_stderr)
 	}
 	if (devnull > STDERR_FILENO)
 		close(devnull);
+	/* coverity[leaked_handle : FALSE]*/
 	return ret;
 }
 
diff --git a/moduli.c b/moduli.c
index 9f660ef..2669edd 100644
--- a/moduli.c
+++ b/moduli.c
@@ -476,6 +476,7 @@ write_checkpoint(char *cpfile, u_int32_t lineno)
 	else
 		logit("failed to write to checkpoint file '%s': %s", cpfile,
 		    strerror(errno));
+	/* coverity[leaked_storage : FALSE] */
 }
 
 static unsigned long
diff --git a/monitor.c b/monitor.c
index fc05db6..dca2fe7 100644
--- a/monitor.c
+++ b/monitor.c
@@ -397,7 +397,7 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
 	mm_get_keystate(ssh, pmonitor);
 
 	/* Drain any buffered messages from the child */
-	while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
+	while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
 		;
 
 	if (pmonitor->m_recvfd >= 0)
@@ -1684,7 +1684,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
 	s->ptymaster = s->ptyfd;
 
 	debug3_f("tty %s ptyfd %d", s->tty, s->ttyfd);
-
+	/* coverity[leaked_handle : FALSE] */
 	return (0);
 
  error:
diff --git a/monitor_wrap.c b/monitor_wrap.c
index e125eca..c394d68 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -612,10 +612,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
 	if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
 	    (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
 		error_f("cannot allocate fds for pty");
-		if (tmp1 > 0)
+		if (tmp1 >= 0)
 			close(tmp1);
-		if (tmp2 > 0)
-			close(tmp2);
+		/*DEAD CODE if (tmp2 >= 0)
+			close(tmp2);*/
 		return 0;
 	}
 	close(tmp1);
diff --git a/openbsd-compat/bindresvport.c b/openbsd-compat/bindresvport.c
index 346c7fe..f42792f 100644
--- a/openbsd-compat/bindresvport.c
+++ b/openbsd-compat/bindresvport.c
@@ -59,7 +59,7 @@ bindresvport_sa(int sd, struct sockaddr *sa)
 	struct sockaddr_in6 *in6;
 	u_int16_t *portp;
 	u_int16_t port;
-	socklen_t salen;
+	socklen_t salen = sizeof(struct sockaddr_storage);
 	int i;
 
 	if (sa == NULL) {
diff --git a/openbsd-compat/bsd-pselect.c b/openbsd-compat/bsd-pselect.c
index b363208..cf7157c 100644
--- a/openbsd-compat/bsd-pselect.c
+++ b/openbsd-compat/bsd-pselect.c
@@ -113,13 +113,13 @@ pselect_notify_setup(void)
 static void
 pselect_notify_parent(void)
 {
-	if (notify_pipe[1] != -1)
+	if (notify_pipe[1] >= 0)
 		(void)write(notify_pipe[1], "", 1);
 }
 static void
 pselect_notify_prepare(fd_set *readset)
 {
-	if (notify_pipe[0] != -1)
+	if (notify_pipe[0] >= 0)
 		FD_SET(notify_pipe[0], readset);
 }
 static void
@@ -127,8 +127,8 @@ pselect_notify_done(fd_set *readset)
 {
 	char c;
 
-	if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) {
-		while (read(notify_pipe[0], &c, 1) != -1)
+	if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) {
+		while (read(notify_pipe[0], &c, 1) >= 0)
 			debug2_f("reading");
 		FD_CLR(notify_pipe[0], readset);
 	}
diff --git a/readconf.c b/readconf.c
index 1e1b78d..b6c998e 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1933,6 +1933,7 @@ parse_pubkey_algos:
 			} else if (r != 0) {
 				error("%.200s line %d: glob failed for %s.",
 				    filename, linenum, arg2);
+				free(arg2);
 				goto out;
 			}
 			free(arg2);
diff --git a/scp.c b/scp.c
index 6146260..74f5b10 100644
--- a/scp.c
+++ b/scp.c
@@ -187,11 +187,11 @@ killchild(int signo)
 {
 	if (do_cmd_pid > 1) {
 		kill(do_cmd_pid, signo ? signo : SIGTERM);
-		waitpid(do_cmd_pid, NULL, 0);
+		(void) waitpid(do_cmd_pid, NULL, 0);
 	}
 	if (do_cmd_pid2 > 1) {
 		kill(do_cmd_pid2, signo ? signo : SIGTERM);
-		waitpid(do_cmd_pid2, NULL, 0);
+		(void) waitpid(do_cmd_pid2, NULL, 0);
 	}
 
 	if (signo)
diff --git a/servconf.c b/servconf.c
index 8b9540d..d72fb62 100644
--- a/servconf.c
+++ b/servconf.c
@@ -2081,8 +2081,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 		if (*activep && *charptr == NULL) {
 			*charptr = tilde_expand_filename(arg, getuid());
 			/* increase optional counter */
-			if (intptr != NULL)
-				*intptr = *intptr + 1;
+			/* DEAD CODE intptr is still NULL ;)
+  			 if (intptr != NULL)
+				*intptr = *intptr + 1; */
 		}
 		break;
 
diff --git a/serverloop.c b/serverloop.c
index b4c0d82..62c7e90 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -546,7 +546,7 @@ server_request_tun(struct ssh *ssh)
 		debug_f("invalid tun");
 		goto done;
 	}
-	if (auth_opts->force_tun_device != -1) {
+	if (auth_opts->force_tun_device >= 0) {
 		if (tun != SSH_TUNID_ANY &&
 		    auth_opts->force_tun_device != (int)tun)
 			goto done;
diff --git a/session.c b/session.c
index 58cf557..cdb301b 100644
--- a/session.c
+++ b/session.c
@@ -1222,12 +1222,14 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 	/* Environment specified by admin */
 	for (i = 0; i < options.num_setenv; i++) {
 		cp = xstrdup(options.setenv[i]);
+		/* coverity[overwrite_var : FALSE] */
 		if ((value = strchr(cp, '=')) == NULL) {
 			/* shouldn't happen; vars are checked in servconf.c */
 			fatal("Invalid config SetEnv: %s", options.setenv[i]);
 		}
 		*value++ = '\0';
 		child_set_env(&env, &envsize, cp, value);
+		free(cp);
 	}
 
 	/* SSH_CLIENT deprecated */
diff --git a/sftp.c b/sftp.c
index c3c347e..c18a354 100644
--- a/sftp.c
+++ b/sftp.c
@@ -226,7 +226,7 @@ killchild(int signo)
 	pid = sshpid;
 	if (pid > 1) {
 		kill(pid, SIGTERM);
-		waitpid(pid, NULL, 0);
+		(void) waitpid(pid, NULL, 0);
 	}
 
 	_exit(1);
@@ -1029,6 +1029,7 @@ do_globbed_ls(struct sftp_conn *conn, const char *path,
 		if (lflag & LS_LONG_VIEW) {
 			if (g.gl_statv[i] == NULL) {
 				error("no stat information for %s", fname);
+				free(fname);
 				continue;
 			}
 			lname = ls_file(fname, g.gl_statv[i], 1,
diff --git a/ssh-agent.c b/ssh-agent.c
index 50d0638..a292a9e 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1391,6 +1391,7 @@ sanitize_pkcs11_provider(const char *provider)
 
 		if (pkcs11_uri_parse(provider, uri) != 0) {
 			error("Failed to parse PKCS#11 URI");
+			pkcs11_uri_cleanup(uri);
 			return NULL;
 		}
 		/* validate also provider from URI */
@@ -2080,8 +2081,8 @@ main(int ac, char **av)
 	sanitise_stdfd();
 
 	/* drop */
-	setegid(getgid());
-	setgid(getgid());
+	(void) setegid(getgid());
+	(void) setgid(getgid());
 
 	platform_disable_tracing(0);	/* strict=no */
 
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 6ae72ab..076dd33 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -2365,6 +2365,9 @@ update_krl_from_file(struct passwd *pw, const char *file, int wild_ca,
 			r = ssh_krl_revoke_key_sha256(krl, blob, blen);
 			if (r != 0)
 				fatal_fr(r, "revoke key failed");
+			freezero(blob, blen);
+			blob = NULL;
+			blen = 0;
 		} else {
 			if (strncasecmp(cp, "key:", 4) == 0) {
 				cp += 4;
@@ -3023,6 +3026,7 @@ do_moduli_screen(const char *out_file, char **opts, size_t nopts)
 		} else if (strncmp(opts[i], "start-line=", 11) == 0) {
 			start_lineno = strtoul(opts[i]+11, NULL, 10);
 		} else if (strncmp(opts[i], "checkpoint=", 11) == 0) {
+			free(checkpoint);
 			checkpoint = xstrdup(opts[i]+11);
 		} else if (strncmp(opts[i], "generator=", 10) == 0) {
 			generator_wanted = (u_int32_t)strtonum(
@@ -3064,6 +3068,9 @@ do_moduli_screen(const char *out_file, char **opts, size_t nopts)
 #else /* WITH_OPENSSL */
 	fatal("Moduli screening is not supported");
 #endif /* WITH_OPENSSL */
+	free(checkpoint);
+	if (in != stdin)
+		fclose(in);
 }
 
 /* Read and confirm a passphrase */
diff --git a/ssh.c b/ssh.c
index a5155f4..68558d4 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1755,6 +1755,7 @@ control_persist_detach(void)
 		close(muxserver_sock);
 		muxserver_sock = -1;
 		options.control_master = SSHCTL_MASTER_NO;
+		/* coverity[leaked_handle: FALSE]*/
 		muxclient(options.control_path);
 		/* muxclient() doesn't return on success. */
 		fatal("Failed to connect to new control master");
diff --git a/sshd.c b/sshd.c
index e05dd82..a4a1b79 100644
--- a/sshd.c
+++ b/sshd.c
@@ -595,8 +595,10 @@ privsep_preauth(struct ssh *ssh)
 
 		privsep_preauth_child(ssh);
 		setproctitle("%s", "[net]");
-		if (box != NULL)
+		if (box != NULL) {
 			ssh_sandbox_child(box);
+			free(box);
+		}
 
 		return 0;
 	}
@@ -2560,8 +2562,11 @@ do_ssh2_kex(struct ssh *ssh)
 
 	if (newstr)
 		myproposal[PROPOSAL_KEX_ALGS] = newstr;
-	else
+	else {
 		fatal("No supported key exchange algorithms");
+		free(gss);
+	     }
+	     /* coverity[leaked_storage: FALSE]*/
 	}
 #endif
 
diff --git a/sshsig.c b/sshsig.c
index eb2a931..3e91c14 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -551,6 +551,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
 	oerrno = errno;
 	sshbuf_free(b);
 	ssh_digest_free(ctx);
+	ctx = NULL;
 	explicit_bzero(hash, sizeof(hash));
 	errno = oerrno;
 	return r;
-- 
2.27.0