PVS-Studio + openssl 1.0.2m #4729

Closed
pavel-pimenov opened this issue Nov 13, 2017 · 3 comments

pavel-pimenov commented Nov 13, 2017

V590 Consider inspecting the 'atype != - 1 && atype == 5' expression. The expression is excessive or contains a misprint. dh_ameth.c 670

Warning:

V501 There are identical sub-expressions '(c == ' ')' to the left and to the right of the '||' operator. a_print.c 77
V501 There are identical sub-expressions 'type' to the left and to the right of the '&&' operator. d1_pkt.c 856
V512 A call of the 'memcpy' function will lead to underflow of the buffer '& data->peer'. bss_dgram.c 566
V512 A call of the 'memcpy' function will lead to the 'to' buffer becoming out of range. bss_dgram.c 570
V512 A call of the 'memcpy' function will lead to underflow of the buffer '& data->peer'. bss_dgram.c 697
V512 A call of the 'memcpy' function will lead to the 'to' buffer becoming out of range. bss_dgram.c 701
V512 A call of the 'memcpy' function will lead to underflow of the buffer '& data->peer'. bss_dgram.c 735
V512 A call of the 'memcpy' function will lead to the 'to' buffer becoming out of range. bss_dgram.c 739
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'c->buf'. e_aes.c 1235
V523 The 'then' statement is equivalent to the 'else' statement. bss_file.c 234
V547 Expression 'i == 8' is always true. a_gentm.c 222
V547 Expression 'i == 7' is always true. a_utctm.c 192
V547 Expression 'i == 0' is always true. bf_buff.c 184
V547 Expression 'i == 0' is always true. bf_buff.c 202
V547 Expression 'i == 0' is always true. bf_buff.c 251
V547 Expression 'i == 0' is always true. bf_buff.c 273
V547 Expression 'i == 0' is always true. bf_buff.c 505
V547 Expression 'i == 0' is always true. bf_lbuf.c 214
V547 Expression 'i == 0' is always true. bf_lbuf.c 241
V547 Expression 'ret == 0' is always true. b_sock.c 948
V547 Expression 'blocksize <= 2' is always false. ec_mult.c 856
V547 Expression 'ps >= 1' is always true. ui_openssl.c 465
V547 Expression 'c == '\0'' is always false. by_dir.c 344
V547 Expression 'type == 2' is always true. by_dir.c 369
V547 Expression 'version != 0x0002' is always true. s23_clnt.c 360
V547 Expression 'version == 0x0301' is always true. s23_clnt.c 403
V547 Expression 'os.length != 3' is always true. ssl_asn1.c 419
V547 Expression 'os.length != 2' is always true. ssl_asn1.c 430
V571 Recurring check. The 'if (in->peer != NULL)' condition was already verified in line 289. ssl_asn1.c 290
V571 Recurring check. The 'if (in->peer != NULL)' condition was already verified in line 342. ssl_asn1.c 343
V590 Consider inspecting the 'atype != - 1 && atype == 5' expression. The expression is excessive or contains a misprint. dh_ameth.c 670
V591 Non-void function should return a value. vms-helper.c 68
V593 Consider reviewing the expression of the 'A = B >= C' kind. The expression is calculated as following: 'A = (B >= C)'. ts_rsp_verify.c 722
V595 The 'pkey->ameth' pointer was utilized before it was verified against nullptr. Check lines: 252, 271. a_sign.c 252
V595 The 'storage' pointer was utilized before it was verified against nullptr. Check lines: 449, 452. ex_data.c 449
V595 The 'storage' pointer was utilized before it was verified against nullptr. Check lines: 501, 504. ex_data.c 501
V595 The 'policy' pointer was utilized before it was verified against nullptr. Check lines: 119, 122. pcy_data.c 119
V595 The 'name' pointer was utilized before it was verified against nullptr. Check lines: 101, 108. x509_vpm.c 101
V595 The 'os.data' pointer was utilized before it was verified against nullptr. Check lines: 492, 493. ssl_asn1.c 492
V595 The 'curr->prev' pointer was utilized before it was verified against nullptr. Check lines: 1087, 1093. ssl_ciph.c 1087
V609 Divide by zero. Denominator range [-16..16]. b_dump.c 103
V610 Undefined behavior. Check the shift operator '>>'. The right operand ('rb' = [1..32]) is greater than or equal to the length in bits of the promoted left operand. bn_shift.c 160
V610 Undefined behavior. Check the shift operator '<<'. The right operand ('lb' = [1..32]) is greater than or equal to the length in bits of the promoted left operand. bn_shift.c 217
V753 The '&=' operation always sets a value of 'mask' variable to zero. s23_clnt.c 348
V763 Parameter 'field' is always rewritten in function body before being used. bn_nist.c 387
V763 Parameter 'field' is always rewritten in function body before being used. bn_nist.c 532
V763 Parameter 'field' is always rewritten in function body before being used. bn_nist.c 713
V763 Parameter 'field' is always rewritten in function body before being used. bn_nist.c 959
V763 Parameter 'field' is always rewritten in function body before being used. bn_nist.c 1217
V814 Decreased performance. The 'strlen' function was called multiple times inside the body of a loop. ssl_rsa.c 999
V814 Decreased performance. The 'strlen' function was called multiple times inside the body of a loop. ssl_rsa.c 1004
V817 It is more efficient to seek '/' character rather than a string. dso_win32.c 583
V817 It is more efficient to seek '\' character rather than a string. dso_win32.c 584
V817 It is more efficient to seek ':' character rather than a string. dso_win32.c 585

@pavel-pimenov pavel-pimenov changed the title PVS-Studio + openssl 1.0.2 PVS-Studio + openssl 1.0.2m Nov 13, 2017
@pavel-pimenov
Author

warnings (medium level):

V512 A call of the 'memcpy' function will lead to underflow of the buffer 'ctx->iv'. e_aes.c 1953
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'sha1tmp'. e_des3.c 450
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'ctx->iv'. e_des3.c 455
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'ctx->Yi.c'. gcm128.c 915
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'A'. wrap128.c 83
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'A'. wrap128.c 99
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'A'. wrap128.c 115
V512 A call of the 'memcmp' function will lead to underflow of the buffer 'A'. wrap128.c 133
V519 The 'b->init' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 379, 384. bss_acpt.c 384
V519 The 'env->version' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 907, 908. cms_env.c 908
V519 The 'm->order' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 507, 509. mem_dbg.c 509
V519 The 'saved_state.epoch' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 1283, 1284. d1_both.c 1284
V547 Expression '!nl' is always true. asn1_par.c 295
V547 Expression '!nl' is always true. asn1_par.c 364
V547 Expression 'len > 2147483647' is always false. a_bitstr.c 140
V547 Expression 'b != NULL' is always true. a_d2i_fp.c 281
V547 Expression 'c > 0xffffffffL' is always false. a_strex.c 130
V547 Expression 'os != NULL' is always true. evp_asn1.c 190
V547 Expression 'ai != NULL' is always true. evp_asn1.c 192
V547 Expression 'm != NULL' is always false. t_x509.c 261
V547 Expression 'alg' is always true. x_algor.c 91
V547 Expression 'ret != NULL' is always true. x_attrib.c 119
V547 Expression 'ptr != NULL' is always true. bss_acpt.c 367
V547 Expression 'ret > 2147483647' is always false. bss_bio.c 839
V547 Expression 'ret > 2147483647' is always false. bss_bio.c 870
V547 Expression 'a->flags & 0' is always false. bss_file.c 231
V547 Expression 'b->flags & 0' is always false. bss_file.c 248
V547 Expression 'b->flags & 0' is always false. bss_file.c 268
V547 Expression 'b->flags & 0' is always false. bss_file.c 295
V547 Expression 'b->flags & 0' is always false. bss_file.c 301
V547 Expression 'b->flags & 0' is always false. bss_file.c 308
V547 Expression 'b->flags & 0' is always false. bss_file.c 431
V547 Expression 'bp->flags & 0' is always false. bss_file.c 460
V547 Expression 'str != NULL' is always true. b_sock.c 796
V547 Expression 'ret != NULL' is always true. bn_blind.c 170
V547 Expression 'cms' is always true. cms_dd.c 92
V547 Expression 'pctx' is always true. cms_env.c 405
V547 Expression 'ktri->pctx' is always true. cms_env.c 479
V547 Expression '!md' is always false. cms_sd.c 319
V547 Expression 'v != NULL' is always true. conf_def.c 437
V547 Expression 'buf != NULL' is always true. conf_def.c 630
V547 Expression '!enc' is always false. cbc3_enc.c 76
V547 Expression 'out != NULL' is always true. cbc_cksm.c 89
V547 Expression 'prkey != NULL' is always false. dh_ameth.c 302
V547 Expression 'm != NULL' is always true. dh_ameth.c 430
V547 Expression 'prkey != NULL' is always false. dsa_ameth.c 335
V547 Expression 'ctx' is always true. ec2_smpl.c 657
V547 Expression 'ctx' is always true. ec2_smpl.c 711
V547 Expression 'ctx' is always true. ec2_smpl.c 754
V547 Expression 'b' is always true. ec_asn1.c 903
V547 Expression 'priv_key' is always true. ec_asn1.c 1116
V547 Expression 't' is always true. ec_lib.c 276
V547 Expression 'ktmp' is always true. ec_pmeth.c 273
V547 Expression '!init' is always false. err.c 592
V547 Expression 'line != NULL' is always true. err.c 845
V547 Expression 'line != NULL' is always true. err.c 849
V547 Expression 'arg' is always true. e_aes.c 1201
V547 Expression 'mac_ctx' is always true. pmeth_gn.c 219
V547 Expression 'sn != NULL' is always false. obj_lib.c 118
V547 Expression 'r != NULL' is always true. obj_lib.c 122
V547 Expression 'buf' is always true. pvkfmt.c 791
V547 Expression 'pkcs12 != NULL' is always true. p12_init.c 89
V547 Expression 'ocerts' is always true. p12_kiss.c 160
V547 Expression 'pkey' is always true. pk7_doit.c 183
V547 Expression 'pctx' is always true. pk7_doit.c 185
V547 Expression 'pctx' is always true. pk7_doit.c 244
V547 Expression 'rsa->blinding == NULL' is always true. rsa_eay.c 269
V547 Expression 'rsa->mt_blinding == NULL' is always true. rsa_eay.c 299
V547 Expression 'ret != NULL' is always true. txt_db.c 195
V547 Expression 'cancel_chars_copy' is always false. ui_lib.c 347
V547 Expression 'tree' is always true. pcy_tree.c 818
V547 Expression 'ctx->db_meth->get_string' is always true. v3_conf.c 399
V547 Expression 'ctx->db_meth->get_section' is always true. v3_conf.c 411
V547 Expression 'pci' is always false. v3_pci.c 310
V547 Expression 'hexbuf' is always false. v3_utl.c 491
V547 Expression 'buf != NULL' is always true. bio_ssl.c 519
V547 Expression 'con != NULL' is always true. bio_ssl.c 540
V547 Expression 'len > 2147483647' is always false. d1_both.c 370
V547 Expression 'cookie_len > sizeof (s->d1->cookie)' is always false. d1_clnt.c 860
V547 Expression '32 < ch_len' is always false. s23_clnt.c 466
V547 Expression 'ecdh_clnt_cert' is always false. s3_clnt.c 2893
V547 Expression 'ecdh_clnt_cert' is always false. s3_clnt.c 2945
V547 Expression 'encodedPoint != NULL' is always true. s3_clnt.c 2985
V547 Expression 'clnt_ecdh != NULL' is always true. s3_clnt.c 2987
V547 Expression 'cookie_len > sizeof (s->d1->rcvd_cookie)' is always false. s3_srvr.c 1085
V547 Expression 'sk != NULL' is always false. s3_srvr.c 3385
V547 Expression 'senc' is always true. s3_srvr.c 3576
V547 Expression 'ai.data != NULL' is always false. ssl_asn1.c 399
V547 Expression 'ai.data != NULL' is always false. ssl_asn1.c 409
V547 Expression '(ret = ssl_x509_store_ctx_idx) < 0' is always true. ssl_cert.c 149
V547 Expression 'sk != NULL' is always true. ssl_cert.c 922
V547 Expression 'in != NULL' is always true. ssl_cert.c 924
V547 Expression 'in != NULL' is always true. ssl_cert.c 985
V547 Expression 'x->cipher == NULL' is always false. ssl_txt.c 149
V555 The expression 'buf_len - bn_len > 0' will work as 'buf_len != bn_len'. ec_asn1.c 1164
V555 The expression of the 'A - B > 0' kind will work as 'A != B'. bio_ok.c 245
V557 Array underrun is possible. The value of 'i - 2' index could reach -1. des_enc.c 139
V557 Array underrun is possible. The value of 'i - 2' index could reach -1. des_enc.c 229
V557 Array underrun is possible. The value of 'i - 1' index could reach -1. rc2_skey.c 152
V560 A part of conditional expression is always true: (xclass == 0). asn1_par.c 380
V560 A part of conditional expression is always true: str. asn1_gen.c 659
V560 A part of conditional expression is always false: len > 2147483647. a_object.c 285
V560 A part of conditional expression is always false: (b->flags & 0). bss_file.c 253
V560 A part of conditional expression is always false: a->top == 0. bn_shift.c 190
V560 A part of conditional expression is always true: tmpout. cms_smime.c 96
V560 A part of conditional expression is always true: (p != NULL). eck_prn.c 284
V560 A part of conditional expression is always true: (p != NULL). eck_prn.c 288
V560 A part of conditional expression is always true: (a != NULL). eck_prn.c 291
V560 A part of conditional expression is always true: (b != NULL). eck_prn.c 293
V560 A part of conditional expression is always true: (gen != NULL). eck_prn.c 296
V560 A part of conditional expression is always true: (gen != NULL). eck_prn.c 300
V560 A part of conditional expression is always true: (gen != NULL). eck_prn.c 305
V560 A part of conditional expression is always true: (order != NULL). eck_prn.c 309
V560 A part of conditional expression is always true: (cofactor != NULL). eck_prn.c 312
V560 A part of conditional expression is always false: blocks > (1U << 28). ctr128.c 225
V560 A part of conditional expression is always false: (o == NULL). obj_dat.c 766
V560 A part of conditional expression is always true: s. randfile.c 343
V560 A part of conditional expression is always true: name. x509_vpm.c 99
V560 A part of conditional expression is always true: type. d1_pkt.c 857
V560 A part of conditional expression is always false: (type > 3). s23_srvr.c 641
V560 A part of conditional expression is always false: (j > 32). s3_clnt.c 987
V560 A part of conditional expression is always false: pkey_ctx == NULL. s3_clnt.c 3035
V560 A part of conditional expression is always false: (j < 0). s3_srvr.c 1017
V560 A part of conditional expression is always true: s->version != 0x0100. s3_srvr.c 2234
V560 A part of conditional expression is always false: (in == NULL). ssl_asn1.c 145
V560 A part of conditional expression is always false: (i >= 14). ssl_ciph.c 589
V560 A part of conditional expression is always false: (i >= 6). ssl_ciph.c 621
V580 An odd explicit type casting: (DES_cblock *) & (ctx->iv[0]). Consider verifying it. e_xcbc_d.c 118
V580 An odd explicit type casting: (DES_cblock *) & (ctx->iv[0]). Consider verifying it. e_xcbc_d.c 126
V581 The conditional expressions of the 'if' statements situated alongside each other are identical. Check lines: 211, 213. ech_ossl.c 213
V614 Potentially uninitialized variable 'niv1' used. Consider checking the second actual argument of the 'memcpy' function. cbc3_enc.c 93
V614 Potentially uninitialized variable 'niv2' used. Consider checking the second actual argument of the 'memcpy' function. cbc3_enc.c 94
V614 Potentially uninitialized variable 'md' used. Consider checking the fourth actual argument of the 'EVP_PKEY_verify' function. m_sigver.c 202
V614 Potentially uninitialized variable 'mdlen' used. Consider checking the fifth actual argument of the 'EVP_PKEY_verify' function. m_sigver.c 202
V614 Potentially uninitialized variable 'iv' used. Consider checking the fifth actual argument of the 'EVP_CipherInit_ex' function. pk7_doit.c 349
V614 Potentially uninitialized variable 'ext_len' used. v3_conf.c 298
V656 Variables 'c->pkeys[1].digest', 'c->pkeys[0].digest' are initialized through the call to the same function. It's probably an error or un-optimized code. Consider inspecting the 'EVP_sha1()' expression. Check lines: 3928, 3929. t1_lib.c 3929
V707 Giving short names to global variables is considered to be bad practice. It is suggested to rename 'mh' variable. mem_dbg.c 137
V728 An excessive check 'type' can be simplified. The '||' operator is surrounded by opposite expressions. digest.c 168
V728 An excessive check 'cipher' can be simplified. The '||' operator is surrounded by opposite expressions. evp_enc.c 121
V782 There is no sense in evaluating the distance between elements from different arrays: 'bufp - buf'. mem_dbg.c 646
V782 There is no sense in evaluating the distance between elements from different arrays: 'bufp - buf'. mem_dbg.c 651
V782 There is no sense in evaluating the distance between elements from different arrays: 'bufp - buf'. mem_dbg.c 656
V782 There is no sense in evaluating the distance between elements from different arrays: 'bufp - buf'. mem_dbg.c 661
V782 There is no sense in evaluating the distance between elements from different arrays: 'p_end - p'. ts_rsp_sign.c 968
V796 It is possible that 'break' statement is missing in switch statement. b_print.c 346
V796 It is possible that 'break' statement is missing in switch statement. b_print.c 354
V801 Decreased performance. It is better to redefine the first function argument as a pointer. Consider replacing 'const .. curve' with 'const .. *curve'. ec_curve.c 3051
V802 On 32-bit platform, structure size can be reduced from 44 to 40 bytes by rearranging the fields according to their sizes in decreasing order. dtls1.h 147
V804 Decreased performance. The 'strlen' function is called twice in the specified expression to calculate length of the same string. s3_lib.c 3859
V805 Decreased performance. It is inefficient to identify an empty string by using 'strlen(str) > 0' construct. A more efficient way is to check: str[0] != '\0'. ssl_ciph.c 1613
V810 Decreased performance. The 'SSL_get_rbio(s)' function was called several times with identical arguments. The result should possibly be saved to a temporary variable, which then could be used while calling the 'SSL_set_bio' function. ssl_lib.c 766
V810 Decreased performance. The 'SSL_get_wbio(s)' function was called several times with identical arguments. The result should possibly be saved to a temporary variable, which then could be used while calling the 'SSL_set_bio' function. ssl_lib.c 788
V1001 The 'ret' variable is assigned but is not used until the end of the function. aes_x86core.c 71
V1001 The 'l' variable is assigned but is not used until the end of the function. bf_ecb.c 99
V1001 The 'l' variable is assigned but is not used until the end of the function. c_ecb.c 82
V1001 The 'v0' variable is assigned but is not used until the end of the function. cfb64ede.c 248
V1001 The 'v0' variable is assigned but is not used until the end of the function. cfb_enc.c 198
V1001 The 'l' variable is assigned but is not used until the end of the function. ecb_enc.c 123
V1001 The 'v0' variable is assigned but is not used until the end of the function. ofb_enc.c 130
V1001 The 'sin0' variable is assigned but is not used until the end of the function. pcbc_enc.c 114
V1001 The 'l0' variable is assigned but is not used until the end of the function. i_ecb.c 87
V1001 The 'l' variable is assigned but is not used until the end of the function. rc2_ecb.c 91

@richsalz
Contributor

This is interesting, but we are unlikely to fix these in the 1.0.2 branch. They're sub-optimal code, perhaps, and not really bugs. Can you run it against master?

@dot-asm
Contributor

dot-asm commented Nov 13, 2017

In the context it's worth keeping in mind that there are conscious constant conditions in the code. Given the nature of this software they are likely to show up in the report. But since it's a conscious choice, they won't qualify for resolution. Just in case, for reference, the rationale behind constant conditions is to subject code that would otherwise be likely to end up in #ifdef to at least parsing. This is to avoid unnecessary/unpleasant surprises on rare platforms.
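The constant-condition idiom described in the comment above, as an added example that is not OpenSSL code and is not from any participant in this thread. The names `DEMO_HAVE_UPLINK`, `DEMO_FLAG_UPLINK`, `demo_bio` and the `demo_*` functions are hypothetical; the point is why an analyzer reports `flags & 0` as always false while the guarded call is still parsed and type-checked on every platform.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical build switch and flag, constructed for this example.
 * On the common platform the feature is absent and the flag is 0. */
#ifdef DEMO_HAVE_UPLINK
# define DEMO_FLAG_UPLINK 0x8000
#else
# define DEMO_FLAG_UPLINK 0
#endif

struct demo_bio {
    int flags;
    const char *path_taken;   /* records which branch ran */
};

/* Stand-in for the rare-platform I/O path. */
int demo_uplink_write(struct demo_bio *b, int len)
{
    b->path_taken = "uplink";
    return len;
}

/* Stand-in for the ordinary I/O path. */
int demo_stdio_write(struct demo_bio *b, int len)
{
    b->path_taken = "stdio";
    return len;
}

/* Style A: constant condition. Without DEMO_HAVE_UPLINK this is
 * 'b->flags & 0', which a static analyzer flags as always false.
 * The compiler still parses and type-checks the uplink call, so a
 * signature change breaks the build everywhere, not only on the
 * rare platform. The dead branch is removed by the optimizer. */
int demo_write_const(struct demo_bio *b, int len)
{
    if (b->flags & DEMO_FLAG_UPLINK)
        return demo_uplink_write(b, len);
    return demo_stdio_write(b, len);
}

/* Style B: preprocessor guard. No analyzer warning, but the guarded
 * lines are never seen by the compiler on the common platform, so
 * they can rot unnoticed until someone builds for the rare one. */
int demo_write_ifdef(struct demo_bio *b, int len)
{
#ifdef DEMO_HAVE_UPLINK
    if (b->flags & DEMO_FLAG_UPLINK)
        return demo_uplink_write(b, len);
#endif
    return demo_stdio_write(b, len);
}

int main(void)
{
    /* Constructed input: the flag bit is set, but the feature is compiled out. */
    struct demo_bio a = { 0x8000, NULL }, c = { 0x8000, NULL };
    demo_write_const(&a, 4);
    demo_write_ifdef(&c, 4);
    printf("const: %s, ifdef: %s\n", a.path_taken, c.path_taken);
    return 0;
}
```

Both styles behave identically at run time; when triaging a report like the ones above, a constant condition that traces back to a platform-dependent macro is a candidate for suppression rather than a code change.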

@mattcaswell mattcaswell added this to the 1.0.2 milestone Jan 23, 2018
@richsalz richsalz modified the milestones: 1.0.2, Other May 6, 2018
@t8m t8m closed this as completed Jun 21, 2021