Bug 1429776 - Various coverity issues on TLS 1.3 branch, r=ekr

author: Martin Thomson <martin.thomson@gmail.com> 2017-11-27 10:08:54 +1100
committer: Martin Thomson <martin.thomson@gmail.com> 2017-11-27 10:08:54 +1100
commit: f852983e8308bcb29139ef94a6ebd7efb3bd751f (patch)
tree: c9311e3ebd7f3912222c4e833a663f2a7a31b59c
parent: 54bcffa1be6c2408126be455e567baee7d4474c2 (diff)
download: nss-hg-f852983e8308bcb29139ef94a6ebd7efb3bd751f.tar.gz
7 files changed, 16 insertions, 8 deletions
diff --git a/gtests/ssl_gtest/ssl_custext_unittest.cc b/gtests/ssl_gtest/ssl_custext_unittest.cc
index f1ead3e9a..4a7769cea 100644
--- a/gtests/ssl_gtest/ssl_custext_unittest.cc
+++ b/gtests/ssl_gtest/ssl_custext_unittest.cc
@@ -77,7 +77,7 @@ void InstallManyWriters(std::shared_ptr<TlsAgent> agent,
                         SSLExtensionWriter writer, size_t *installed = nullptr,
                         size_t *called = nullptr) {
   for (size_t i = 0; i < PR_ARRAY_SIZE(kManyExtensions); ++i) {
-    SSLExtensionSupport support;
+    SSLExtensionSupport support = ssl_ext_none;
     SECStatus rv = SSL_GetExtensionSupport(kManyExtensions[i], &support);
     ASSERT_EQ(SECSuccess, rv) << "SSL_GetExtensionSupport cannot fail";
 
diff --git a/gtests/ssl_gtest/ssl_drop_unittest.cc b/gtests/ssl_gtest/ssl_drop_unittest.cc
index da4f6626c..c059e9938 100644
--- a/gtests/ssl_gtest/ssl_drop_unittest.cc
+++ b/gtests/ssl_gtest/ssl_drop_unittest.cc
@@ -352,6 +352,9 @@ TEST_F(TlsDropDatagram13, DropSecondHalfOfServerCertificate) {
 // overlapping message ranges are handled properly; and that extra
 // retransmissions are handled properly.
 class TlsFragmentationAndRecoveryTest : public TlsDropDatagram13 {
+ public:
+  TlsFragmentationAndRecoveryTest() : cert_len_(0) {}
+
  protected:
   void RunTest(size_t dropped_half) {
     FirstFlightDropCertificate();
diff --git a/lib/ssl/dtls13con.c b/lib/ssl/dtls13con.c
index e11a7d72a..aba0f62ab 100644
--- a/lib/ssl/dtls13con.c
+++ b/lib/ssl/dtls13con.c
@@ -78,7 +78,7 @@ dtls13_RememberFragment(sslSocket *ss,
 SECStatus
 dtls13_SendAck(sslSocket *ss)
 {
-    sslBuffer buf = { NULL, 0, 0 };
+    sslBuffer buf = SSL_BUFFER_EMPTY;
     SECStatus rv = SECSuccess;
     PRCList *cursor;
     PRInt32 sent;
diff --git a/lib/ssl/ssl3ext.c b/lib/ssl/ssl3ext.c
index d490836a5..ade280903 100644
--- a/lib/ssl/ssl3ext.c
+++ b/lib/ssl/ssl3ext.c
@@ -619,7 +619,7 @@ static SECStatus
 ssl_CallCustomExtensionSenders(sslSocket *ss, sslBuffer *buf,
                                SSLHandshakeType message)
 {
-    sslBuffer tail = { NULL, 0, 0 };
+    sslBuffer tail = SSL_BUFFER_EMPTY;
     SECStatus rv;
     PRCList *cursor;
 
diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
index 9476f4fd1..c0fbda7ab 100644
--- a/lib/ssl/ssl3exthandle.c
+++ b/lib/ssl/ssl3exthandle.c
@@ -665,7 +665,7 @@ ssl3_EncodeSessionTicket(sslSocket *ss, const NewSessionTicket *ticket,
                          PK11SymKey *secret, SECItem *ticket_data)
 {
     SECStatus rv;
-    sslBuffer plaintext = { NULL, 0, 0 };
+    sslBuffer plaintext = SSL_BUFFER_EMPTY;
     SECItem ticket_buf = { 0, NULL, 0 };
     sslSessionID sid;
     unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH];
diff --git a/lib/ssl/sslspec.c b/lib/ssl/sslspec.c
index 4a251d08a..26c3eb546 100644
--- a/lib/ssl/sslspec.c
+++ b/lib/ssl/sslspec.c
@@ -252,7 +252,8 @@ void
 ssl_DestroyCipherSpecs(PRCList *list)
 {
     while (!PR_CLIST_IS_EMPTY(list)) {
-        ssl_FreeCipherSpec((ssl3CipherSpec *)PR_LIST_TAIL(list));
+        ssl3CipherSpec *spec = (ssl3CipherSpec *)PR_LIST_TAIL(list);
+        ssl_FreeCipherSpec(spec);
     }
 }
 
diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
index e2ec28023..360beae2f 100644
--- a/lib/ssl/tls13con.c
+++ b/lib/ssl/tls13con.c
@@ -3075,7 +3075,7 @@ tls13_SetCipherSpec(sslSocket *ss, TrafficKeyType type,
     /* We use the epoch for cipher suite identification, so increment
      * it in both TLS and DTLS. */
     if ((*specp)->epoch == PR_UINT16_MAX) {
-        return SECFailure;
+        goto loser;
     }
     spec->epoch = (PRUint16)type;
     spec->seqNum = 0;
@@ -3086,12 +3086,12 @@ tls13_SetCipherSpec(sslSocket *ss, TrafficKeyType type,
     /* This depends on spec having a valid direction and epoch. */
     rv = tls13_SetupPendingCipherSpec(ss, spec);
     if (rv != SECSuccess) {
-        return SECFailure;
+        goto loser;
     }
 
     rv = tls13_DeriveTrafficKeys(ss, spec, type, deleteSecret);
     if (rv != SECSuccess) {
-        return SECFailure;
+        goto loser;
     }
 
     /* Now that we've set almost everything up, finally cut over. */
@@ -3109,6 +3109,10 @@ tls13_SetCipherSpec(sslSocket *ss, TrafficKeyType type,
                                        direction == CipherSpecWrite, spec);
     }
     return SECSuccess;
+
+loser:
+    ssl_CipherSpecRelease(spec);
+    return SECFailure;
 }
 
 SECStatus
author	Martin Thomson <martin.thomson@gmail.com>	2017-11-27 10:08:54 +1100
committer	Martin Thomson <martin.thomson@gmail.com>	2017-11-27 10:08:54 +1100
commit	f852983e8308bcb29139ef94a6ebd7efb3bd751f (patch)
tree	c9311e3ebd7f3912222c4e833a663f2a7a31b59c
parent	54bcffa1be6c2408126be455e567baee7d4474c2 (diff)
download	nss-hg-f852983e8308bcb29139ef94a6ebd7efb3bd751f.tar.gz