From: Michael Altizer (mialtize) <mialtize@cisco.com>
Date: Tue, 9 Apr 2019 23:23:55 +0000 (-0400)
Subject: Merge pull request #1573 in SNORT/snort3 from ~MIALTIZE/snort3:cppcheck_cleanup to... 
X-Git-Tag: 3.0.0-252~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d8c79c7bfdd8d7fce9eb164e6619889ac559ced;p=thirdparty%2Fsnort3.git

Merge pull request #1573 in SNORT/snort3 from ~MIALTIZE/snort3:cppcheck_cleanup to master

Squashed commit of the following:

commit fdbec61b49b670ce9b989b6b48aba844f6c557b2
Author: Michael Altizer <mialtize@cisco.com>
Date:   Fri Apr 5 12:52:13 2019 -0400

    stream_ip: Fix some sign comparison and val-never-used issues in defrag

commit e9b23a5a11f182bd39b965387f0c89dbc9d2f525
Author: Michael Altizer <mialtize@cisco.com>
Date:   Fri Apr 5 12:45:39 2019 -0400

    sfip: Switch test debug flag to a cpp macro

commit c007faf4cc92dd726643c0db25d80595e7ea52b7
Author: Michael Altizer <mialtize@cisco.com>
Date:   Fri Apr 5 12:43:14 2019 -0400

    stream_tcp: Fix shadowed variable when profiling deeply

commit 157b86050f92c9b8e2c5b8a15d648b98f269f234
Author: Michael Altizer <mialtize@cisco.com>
Date:   Fri Apr 5 12:40:57 2019 -0400

    sip: Give SipSplitterUT a proper copy constructor

commit 136f8e27e2e7c64a9ce69f863485accb5e155201
Author: Michael Altizer <mialtize@cisco.com>
Date:   Fri Apr 5 01:01:34 2019 -0400

    http_inspect: Give HttpTestInput a destructor to clean up its file handle

commit 05042d60a741ef58aa29164ccd164740d7fb92e3
Author: Michael Altizer <mialtize@cisco.com>
Date:   Fri Apr 5 00:53:41 2019 -0400

    dce_rpc: Fix const cast warnings in dce_smb2

commit 96b0d5fa47ec75ecd1633fc791620efa0053f445
Author: Michael Altizer <mialtize@cisco.com>
Date:   Fri Apr 5 00:46:48 2019 -0400

    sfrt: Reduce variable scope in _dir_remove_less_specific()

commit 97349bea2c2feaa8720c1f4ae7c188c42c50ebec
Author: Michael Altizer <mialtize@cisco.com>
Date:   Fri Apr 5 00:05:53 2019 -0400

    sfip: Reduce variable scopes in sf_ipvar

commit e845b11895234406ca49f05691f16aa59cb1f2e3
Author: Michael Altizer <mialtize@cisco.com>
Date:   Fri Apr 5 00:03:12 2019 -0400

    http_inspect: Fix val-never-used warning in check_oversize_dir()

commit 0da57f68b476ffc7e21dde50c23b3fb2ef735b23
Author: Michael Altizer <mialtize@cisco.com>
Date:   Fri Apr 5 00:02:36 2019 -0400

    ftp_telnet: Fix potential NULL pointer arithmetic in check_ftp()

commit 2e031f385815f68eb4593fcd70c0195d1cce9c60
Author: Michael Altizer <mialtize@cisco.com>
Date:   Thu Apr 4 23:50:24 2019 -0400

    ftp_telnet: Fix val-never-used warning in DoNextFormat()

commit 2109923caab495d186439e2ef90a92d87f247da2
Author: Michael Altizer <mialtize@cisco.com>
Date:   Thu Apr 4 23:43:39 2019 -0400

    port_scan: Reduce variable scope in configuration

commit 23479a1b23a7437517ba6869c5e2c95ca48c49ef
Author: Michael Altizer <mialtize@cisco.com>
Date:   Thu Apr 4 23:42:22 2019 -0400

    packet_tracer: Pass filename string parameter by reference

commit b568c8ac6dcca0265eac8e7e030929700080a82e
Author: Michael Altizer <mialtize@cisco.com>
Date:   Thu Apr 4 23:40:10 2019 -0400

    normalize: Remove redundant check during configuration

commit ffb8b99771b023d476f77fb62baf63e967ad3206
Author: Michael Altizer <mialtize@cisco.com>
Date:   Thu Apr 4 23:36:52 2019 -0400

    perf_monitor: Pass ModuleConfig string parameter by reference

commit 85c0f251a0a48dfcfffaf1916842f3ed8758b82e
Author: Michael Altizer <mialtize@cisco.com>
Date:   Thu Apr 4 23:33:45 2019 -0400

    appid: Reduce variable scope in service_rpc

commit 3703dd34e882a2f5f2e4f08b960574db97d75e98
Author: Michael Altizer <mialtize@cisco.com>
Date:   Thu Apr 4 23:31:38 2019 -0400

    appid: Reduce variable scope in service_mdns

commit 7e812350757fed73046dfb503ec1b1853572ce45
Author: Michael Altizer <mialtize@cisco.com>
Date:   Thu Apr 4 23:27:12 2019 -0400

    appid: Fix NetworkSet compilation on big-endian systems

commit 0822e9772599bfb271874d7ff4c3f4a019cad8ce
Author: Michael Altizer <mialtize@cisco.com>
Date:   Thu Apr 4 23:17:48 2019 -0400

    log: Fix potential NULL pointer arithmetic warning in log_text

commit 8b91170713267d0bbcf69267400a6b99830adaa4
Author: Michael Altizer <mialtize@cisco.com>
Date:   Thu Apr 4 23:09:53 2019 -0400

    codecs/ipv4: Use struct in_addr when calling inet_ntop()

... and 4 more commits
---

diff --git a/src/codecs/ip/cd_ipv4.cc b/src/codecs/ip/cd_ipv4.cc
index 3460bf399..9fc599325 100644
--- a/src/codecs/ip/cd_ipv4.cc
+++ b/src/codecs/ip/cd_ipv4.cc
@@ -537,15 +537,6 @@ default_case:
  *********************  L O G G E R  ******************************
 *******************************************************************/
 
-struct ip4_addr
-{
-    union
-    {
-        uint32_t addr32;
-        uint8_t addr8[4];
-    };
-};
-
 void Ipv4Codec::log(TextLog* const text_log, const uint8_t* raw_pkt,
     const uint16_t lyr_len)
 {
@@ -558,9 +549,9 @@ void Ipv4Codec::log(TextLog* const text_log, const uint8_t* raw_pkt,
     }
     else
     {
-        ip4_addr src, dst;
-        src.addr32 = ip4h->get_src();
-        dst.addr32 = ip4h->get_dst();
+        struct in_addr src, dst;
+        src.s_addr = ip4h->get_src();
+        dst.s_addr = ip4h->get_dst();
 
         char src_buf[INET_ADDRSTRLEN];
         char dst_buf[INET_ADDRSTRLEN];
diff --git a/src/detection/service_map.cc b/src/detection/service_map.cc
index eaeb66aa0..2b61a5407 100644
--- a/src/detection/service_map.cc
+++ b/src/detection/service_map.cc
@@ -237,7 +237,6 @@ int fpCreateServiceMaps(SnortConfig* sc)
     RuleTreeNode* rtn;
     GHashNode* hashNode;
     OptTreeNode* otn  = nullptr;
-    PolicyId policyId = 0;
     unsigned int svc_idx;
 
     for (hashNode = ghash_findfirst(sc->otn_map);
@@ -245,7 +244,7 @@ int fpCreateServiceMaps(SnortConfig* sc)
         hashNode = ghash_findnext(sc->otn_map))
     {
         otn = (OptTreeNode*)hashNode->data;
-        for ( policyId = 0;
+        for ( PolicyId policyId = 0;
             policyId < otn->proto_node_num;
             policyId++ )
         {
diff --git a/src/filters/sfthd.cc b/src/filters/sfthd.cc
index 4e281092c..091a50074 100644
--- a/src/filters/sfthd.cc
+++ b/src/filters/sfthd.cc
@@ -47,9 +47,6 @@ using namespace snort;
 //  Debug Printing
 //#define THD_DEBUG
 
-// This disables adding and testing of Threshold objects
-//#define CRIPPLE
-
 XHash* sfthd_new_hash(unsigned nbytes, size_t key, size_t data)
 {
     size_t size = key + data;
@@ -121,7 +118,6 @@ THD_STRUCT* sfthd_new(unsigned lbytes, unsigned gbytes)
     /* Create the THD struct */
     thd = (THD_STRUCT*)snort_calloc(sizeof(THD_STRUCT));
 
-#ifndef CRIPPLE
     /* Create hash table for all of the local IP Nodes */
     thd->ip_nodes = sfthd_local_new(lbytes);
     if ( !thd->ip_nodes )
@@ -147,7 +143,6 @@ THD_STRUCT* sfthd_new(unsigned lbytes, unsigned gbytes)
         snort_free(thd);
         return nullptr;
     }
-#endif
 
     return thd;
 }
@@ -237,13 +232,11 @@ void sfthd_free(THD_STRUCT* thd)
     if (thd == nullptr)
         return;
 
-#ifndef CRIPPLE
     if (thd->ip_nodes != nullptr)
         xhash_delete(thd->ip_nodes);
 
     if (thd->ip_gnodes != nullptr)
         xhash_delete(thd->ip_gnodes);
-#endif
 
     snort_free(thd);
 }
@@ -308,10 +301,6 @@ static int sfthd_create_threshold_local(
     if ( config->gen_id >= THD_MAX_GENID )
         return -1;
 
-#ifdef CRIPPLE
-    return 0;
-#endif
-
     /* Check for an existing 'gen_id' entry, if none found create one. */
     if (thd_objs->sfthd_array[config->gen_id] == nullptr)
     {
@@ -657,12 +646,10 @@ static char* printIP(unsigned u, char* buf, unsigned len)
 int sfthd_test_rule(XHash* rule_hash, THD_NODE* sfthd_node,
     const snort::SfIp* sip, const snort::SfIp* dip, long curtime)
 {
-    int status;
-
     if ((rule_hash == nullptr) || (sfthd_node == nullptr))
         return 0;
 
-    status = sfthd_test_local(rule_hash, sfthd_node, sip, dip, curtime);
+    int status = sfthd_test_local(rule_hash, sfthd_node, sip, dip, curtime);
 
     return (status < -1) ? 1 : status;
 }
@@ -860,7 +847,6 @@ int sfthd_test_local(
 {
     THD_IP_NODE_KEY key;
     THD_IP_NODE data,* sfthd_ip_node;
-    int status=0;
     const snort::SfIp* ip;
 
     PolicyId policy_id = snort::get_network_policy()->policy_id;
@@ -922,7 +908,7 @@ int sfthd_test_local(
     /*
      * Check for any Permanent sig_id objects for this gen_id  or add this one ...
      */
-    status = xhash_add(local_hash, (void*)&key, &data);
+    int status = xhash_add(local_hash, (void*)&key, &data);
     if (status == XHASH_INTABLE)
     {
         /* Already in the table */
@@ -959,7 +945,6 @@ static inline int sfthd_test_global(
     THD_IP_GNODE_KEY key;
     THD_IP_NODE data;
     THD_IP_NODE* sfthd_ip_node;
-    int status=0;
     const snort::SfIp* ip;
 
     PolicyId policy_id = snort::get_network_policy()->policy_id;
@@ -1016,7 +1001,7 @@ static inline int sfthd_test_global(
     data.tstart = data.tlast = curtime; /* Event time */
 
     /* Check for any Permanent sig_id objects for this gen_id  or add this one ...  */
-    status = xhash_add(global_hash, (void*)&key, &data);
+    int status = xhash_add(global_hash, (void*)&key, &data);
     if (status == XHASH_INTABLE)
     {
         /* Already in the table */
@@ -1074,17 +1059,12 @@ int sfthd_test_threshold(
 #ifdef THD_DEBUG
     int cnt;
 #endif
-    int status=0;
 
     PolicyId policy_id = snort::get_network_policy()->policy_id;
 
     if ((thd_objs == nullptr) || (thd == nullptr))
         return 0;
 
-#ifdef CRIPPLE
-    return 0;
-#endif
-
 #ifdef THD_DEBUG
     printf("sfthd_test_threshold...\n"); fflush(stdout);
 #endif
@@ -1156,7 +1136,7 @@ int sfthd_test_threshold(
         /*
          *   Test SUPPRESSION and THRESHOLDING
          */
-        status = sfthd_test_local(thd->ip_nodes, sfthd_node, sip, dip, curtime);
+        int status = sfthd_test_local(thd->ip_nodes, sfthd_node, sip, dip, curtime);
 
         if ( status < 0 ) /* -1 == Don't log and stop looking */
         {
@@ -1197,8 +1177,7 @@ global_test:
 
     if ( g_thd_node )
     {
-        status = sfthd_test_global(
-            thd->ip_gnodes, g_thd_node, sig_id, sip, dip, curtime);
+        int status = sfthd_test_global(thd->ip_gnodes, g_thd_node, sig_id, sip, dip, curtime);
 
         if ( status < 0 ) /* -1 == Don't log and stop looking */
         {
diff --git a/src/ips_options/ips_isdataat.cc b/src/ips_options/ips_isdataat.cc
index eb8f2873c..f550a6f2e 100644
--- a/src/ips_options/ips_isdataat.cc
+++ b/src/ips_options/ips_isdataat.cc
@@ -134,7 +134,7 @@ IpsOption::EvalStatus IsDataAtOption::eval(Cursor& c, Packet*)
     int offset;
 
     // Get values from byte_extract variables, if present.
-    if (config.offset_var >= 0 && config.offset_var < NUM_IPS_OPTIONS_VARS)
+    if (config.offset_var != IPS_OPTIONS_NO_VAR && config.offset_var < NUM_IPS_OPTIONS_VARS)
     {
         uint32_t value;
         GetVarValueByIndex(&(value), config.offset_var);
@@ -192,8 +192,8 @@ static void isdataat_parse(const char* data, IsDataAtData* idx)
     /* set how many bytes to process from the packet */
     if (isdigit(offset[0]) || offset[0] == '-')
     {
+        idx->offset_var = IPS_OPTIONS_NO_VAR;
         idx->offset = strtol(offset, &endp, 10);
-        idx->offset_var = -1;
 
         if (offset == endp)
         {
@@ -206,7 +206,6 @@ static void isdataat_parse(const char* data, IsDataAtData* idx)
             ParseError("isdataat offset greater than max IPV4 packet size");
             return;
         }
-        idx->offset_var = IPS_OPTIONS_NO_VAR;
     }
     else
     {
diff --git a/src/log/log_text.cc b/src/log/log_text.cc
index b3bca2ece..d4e2b3f77 100644
--- a/src/log/log_text.cc
+++ b/src/log/log_text.cc
@@ -1078,15 +1078,13 @@ void LogXrefs(TextLog* log, const Event& e)
  */
 static void LogCharData(TextLog* log, const uint8_t* data, int len)
 {
+    if ( !data )
+        return;
+
     const uint8_t* pb = data;
     const uint8_t* end = data + len;
     int lineCount = 0;
 
-    if ( !data )
-    {
-        return;
-    }
-
     while ( pb < end )
     {
         if ( *pb > 0x1F && *pb < 0x7F)
diff --git a/src/network_inspectors/appid/appid_utils/network_set.h b/src/network_inspectors/appid/appid_utils/network_set.h
index 233dc472a..eed575e33 100644
--- a/src/network_inspectors/appid/appid_utils/network_set.h
+++ b/src/network_inspectors/appid/appid_utils/network_set.h
@@ -179,36 +179,28 @@ public:
         return 0;
     }
 
-#if defined(WORDS_BIGENDIAN)
-#define ntoh_ipv6(ip6) do { } while (0)
-#else
     static void ntoh_ipv6(NSIPv6Addr* ip6)
     {
+#if !defined(WORDS_BIGENDIAN)
         uint64_t tmp;
 
         tmp = BYTE_SWAP_64(ip6->hi);
         ip6->hi = BYTE_SWAP_64(ip6->lo);
         ip6->lo = tmp;
-    }
-
 #endif
+    }
 
-#if defined(WORDS_BIGENDIAN)
 
     static void _swap_ipv6(const NSIPv6Addr* ip6, NSIPv6Addr* ip6h)
     {
+#if defined(WORDS_BIGENDIAN)
         ip6h->hi = ip6->hi;
         ip6h->lo = ip6->lo;
-    }
-
 #else
-    static void _swap_ipv6(const NSIPv6Addr* ip6, NSIPv6Addr* ip6h)
-    {
         ip6h->hi = BYTE_SWAP_64(ip6->lo);
         ip6h->lo = BYTE_SWAP_64(ip6->hi);
-    }
-
 #endif
+    }
 
     static void ntoh_swap_ipv6(const ip::snort_in6_addr* ip6, NSIPv6Addr* ip6h)
     {
diff --git a/src/network_inspectors/appid/service_plugins/service_mdns.cc b/src/network_inspectors/appid/service_plugins/service_mdns.cc
index c9b608275..fc694a0f3 100644
--- a/src/network_inspectors/appid/service_plugins/service_mdns.cc
+++ b/src/network_inspectors/appid/service_plugins/service_mdns.cc
@@ -269,7 +269,6 @@ int MdnsServiceDetector::reference_pointer(const char* start_ptr, const char** r
 int MdnsServiceDetector::analyze_user(AppIdSession& asd, const Packet* pkt, uint16_t size)
 {
     int start_index = 0;
-    uint8_t user_name_len = 0;
     uint16_t data_size = size;
 
     /* Scan for MDNS response, decided on Query value */
@@ -290,7 +289,7 @@ int MdnsServiceDetector::analyze_user(AppIdSession& asd, const Packet* pkt, uint
             processed_ans++ )
         {
             // Call Decode Reference pointer function if referenced value instead of direct value
-            user_name_len = 0;
+            uint8_t user_name_len = 0;
             int ret_value = reference_pointer(srv_original, &resp_endptr,  &start_index, data_size,
                 &user_name_len, size);
             int user_index =0;
diff --git a/src/network_inspectors/appid/service_plugins/service_rpc.cc b/src/network_inspectors/appid/service_plugins/service_rpc.cc
index 0ebfe0cef..77270eab0 100644
--- a/src/network_inspectors/appid/service_plugins/service_rpc.cc
+++ b/src/network_inspectors/appid/service_plugins/service_rpc.cc
@@ -283,8 +283,6 @@ int RpcServiceDetector::validate_packet(const uint8_t* data, uint16_t size, Appi
     uint32_t val = 0;
     const uint8_t* end = nullptr;
     const RPCProgram* rprog = nullptr;
-    // FIXIT-M - Avoid thread locals
-    static THREAD_LOCAL SnortProtocolId sunrpc_snort_protocol_id = UNKNOWN_PROTOCOL_ID;
 
     if (!size)
         return APPID_INPROCESS;
@@ -401,6 +399,9 @@ int RpcServiceDetector::validate_packet(const uint8_t* data, uint16_t size, Appi
                     pmr = (const ServiceRPCPortmapReply*)data;
                     if (pmr->port)
                     {
+                        // FIXIT-M - Avoid thread locals
+                        static THREAD_LOCAL SnortProtocolId sunrpc_snort_protocol_id = UNKNOWN_PROTOCOL_ID;
+
                         if(sunrpc_snort_protocol_id == UNKNOWN_PROTOCOL_ID)
                             sunrpc_snort_protocol_id = SnortConfig::get_conf()->proto_ref->find("sunrpc");
 
diff --git a/src/network_inspectors/normalize/norm_module.cc b/src/network_inspectors/normalize/norm_module.cc
index a1ca852af..21e91e2fa 100644
--- a/src/network_inspectors/normalize/norm_module.cc
+++ b/src/network_inspectors/normalize/norm_module.cc
@@ -372,9 +372,7 @@ bool NormalizeModule::end(const char* fqn, int, SnortConfig* sc)
         {
             if ( Norm_IsEnabled(&config, NORM_IP4_BASE) )
                 Norm_Enable(&config, NORM_IP4_TTL);
-        }
-        if ( (policy->new_ttl > 1) && (policy->new_ttl >= policy->min_ttl) )
-        {
+
             if ( Norm_IsEnabled(&config, NORM_IP6_BASE) )
                 Norm_Enable(&config, NORM_IP6_TTL);
         }
diff --git a/src/network_inspectors/perf_monitor/perf_module.cc b/src/network_inspectors/perf_monitor/perf_module.cc
index 4faffb829..4a61e3270 100644
--- a/src/network_inspectors/perf_monitor/perf_module.cc
+++ b/src/network_inspectors/perf_monitor/perf_module.cc
@@ -222,7 +222,7 @@ const PegInfo* PerfMonModule::get_pegs() const
 PegCount* PerfMonModule::get_counts() const
 { return (PegCount*)&pmstats; }
 
-void ModuleConfig::set_name(std::string name)
+void ModuleConfig::set_name(const std::string& name)
 { this->name = name; }
 
 void ModuleConfig::set_peg_names(Value& peg_names)
diff --git a/src/network_inspectors/perf_monitor/perf_module.h b/src/network_inspectors/perf_monitor/perf_module.h
index 9ff575159..14353deef 100644
--- a/src/network_inspectors/perf_monitor/perf_module.h
+++ b/src/network_inspectors/perf_monitor/perf_module.h
@@ -63,7 +63,7 @@ struct ModuleConfig
     snort::Module* ptr;
     IndexVec pegs;
 
-    void set_name(std::string name);
+    void set_name(const std::string& name);
     void set_peg_names(snort::Value& peg_names);
     bool confirm_parse();
     bool resolve();
diff --git a/src/network_inspectors/port_scan/ps_module.cc b/src/network_inspectors/port_scan/ps_module.cc
index fb3912a45..f7ff05edb 100644
--- a/src/network_inspectors/port_scan/ps_module.cc
+++ b/src/network_inspectors/port_scan/ps_module.cc
@@ -327,10 +327,10 @@ bool PortScanModule::set(const char* fqn, Value& v, SnortConfig*)
 
 bool PortScanModule::end(const char* fqn, int, SnortConfig*)
 {
-    static size_t saved_memcap = 0;
-
     if (strcmp(fqn, "port_scan") == 0)
     {
+        static size_t saved_memcap = 0;
+
         if (saved_memcap != 0  )
         {
             if (config->memcap != saved_memcap)
diff --git a/src/service_inspectors/dce_rpc/dce_smb2.cc b/src/service_inspectors/dce_rpc/dce_smb2.cc
index 7cb72a2b5..2874fbc35 100644
--- a/src/service_inspectors/dce_rpc/dce_smb2.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb2.cc
@@ -735,7 +735,7 @@ void DCE2_Smb2Process(DCE2_SmbSsnData* ssd)
             DCE2_Smb2Inspect(ssd, smb_hdr, data_ptr +  data_len);
             /* In case of message compounding, find the offset of the next smb command */
             next_command_offset = alignedNtohl(&(smb_hdr->next_command));
-            if (next_command_offset + (uint8_t *)smb_hdr > (uint8_t* )(data_ptr +  data_len))
+            if (next_command_offset + (const uint8_t *)smb_hdr > (data_ptr + data_len))
             {
                 dce_alert(GID_DCE2, DCE2_SMB_BAD_NEXT_COMMAND_OFFSET,
                         (dce2CommonStats*)&dce2_smb_stats, ssd->sd);
@@ -744,7 +744,7 @@ void DCE2_Smb2Process(DCE2_SmbSsnData* ssd)
             }
             if (next_command_offset)
             {
-                smb_hdr = (Smb2Hdr *)((uint8_t *)smb_hdr + next_command_offset);
+                smb_hdr = (const Smb2Hdr *)((const uint8_t *)smb_hdr + next_command_offset);
             }
         } while (next_command_offset && smb_hdr);
     }
diff --git a/src/service_inspectors/dns/dns.cc b/src/service_inspectors/dns/dns.cc
index 5d9f65177..b98283b7c 100644
--- a/src/service_inspectors/dns/dns.cc
+++ b/src/service_inspectors/dns/dns.cc
@@ -129,119 +129,145 @@ static uint16_t ParseDNSHeader(
     case DNS_RESP_STATE_LENGTH:
         /* First two bytes are length in TCP */
         dnsSessionData->length = ((uint8_t)*data) << 8;
-        dnsSessionData->state = DNS_RESP_STATE_LENGTH_PART;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->state = DNS_RESP_STATE_LENGTH_PART;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_LENGTH_PART:
         dnsSessionData->length |= ((uint8_t)*data);
-        dnsSessionData->state = DNS_RESP_STATE_HDR_ID;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->state = DNS_RESP_STATE_HDR_ID;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_HDR_ID:
         dnsSessionData->hdr.id = (uint8_t)*data << 8;
-        dnsSessionData->state = DNS_RESP_STATE_HDR_ID_PART;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->state = DNS_RESP_STATE_HDR_ID_PART;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_HDR_ID_PART:
         dnsSessionData->hdr.id |= (uint8_t)*data;
-        dnsSessionData->state = DNS_RESP_STATE_HDR_FLAGS;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->state = DNS_RESP_STATE_HDR_FLAGS;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_HDR_FLAGS:
         dnsSessionData->hdr.flags = (uint8_t)*data << 8;
-        dnsSessionData->state = DNS_RESP_STATE_HDR_FLAGS_PART;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->state = DNS_RESP_STATE_HDR_FLAGS_PART;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_HDR_FLAGS_PART:
         dnsSessionData->hdr.flags |= (uint8_t)*data;
-        dnsSessionData->state = DNS_RESP_STATE_HDR_QS;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->state = DNS_RESP_STATE_HDR_QS;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_HDR_QS:
         dnsSessionData->hdr.questions = (uint8_t)*data << 8;
-        dnsSessionData->state = DNS_RESP_STATE_HDR_QS_PART;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->state = DNS_RESP_STATE_HDR_QS_PART;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_HDR_QS_PART:
         dnsSessionData->hdr.questions |= (uint8_t)*data;
-        dnsSessionData->state = DNS_RESP_STATE_HDR_ANSS;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->state = DNS_RESP_STATE_HDR_ANSS;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_HDR_ANSS:
         dnsSessionData->hdr.answers = (uint8_t)*data << 8;
-        dnsSessionData->state = DNS_RESP_STATE_HDR_ANSS_PART;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->state = DNS_RESP_STATE_HDR_ANSS_PART;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_HDR_ANSS_PART:
         dnsSessionData->hdr.answers |= (uint8_t)*data;
-        dnsSessionData->state = DNS_RESP_STATE_HDR_AUTHS;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->state = DNS_RESP_STATE_HDR_AUTHS;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_HDR_AUTHS:
         dnsSessionData->hdr.authorities = (uint8_t)*data << 8;
-        dnsSessionData->state = DNS_RESP_STATE_HDR_AUTHS_PART;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->state = DNS_RESP_STATE_HDR_AUTHS_PART;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_HDR_AUTHS_PART:
         dnsSessionData->hdr.authorities |= (uint8_t)*data;
-        dnsSessionData->state = DNS_RESP_STATE_HDR_ADDS;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->state = DNS_RESP_STATE_HDR_ADDS;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_HDR_ADDS:
         dnsSessionData->hdr.additionals = (uint8_t)*data << 8;
-        dnsSessionData->state = DNS_RESP_STATE_HDR_ADDS_PART;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->state = DNS_RESP_STATE_HDR_ADDS_PART;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_HDR_ADDS_PART:
@@ -377,29 +403,35 @@ static uint16_t ParseDNSQuestion(
     {
     case DNS_RESP_STATE_Q_TYPE:
         dnsSessionData->curr_q.type = (uint8_t)*data << 8;
-        dnsSessionData->curr_rec_state = DNS_RESP_STATE_Q_TYPE_PART;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->curr_rec_state = DNS_RESP_STATE_Q_TYPE_PART;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_Q_TYPE_PART:
         dnsSessionData->curr_q.type |= (uint8_t)*data;
-        dnsSessionData->curr_rec_state = DNS_RESP_STATE_Q_CLASS;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->curr_rec_state = DNS_RESP_STATE_Q_CLASS;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_Q_CLASS:
         dnsSessionData->curr_q.dns_class = (uint8_t)*data << 8;
-        dnsSessionData->curr_rec_state = DNS_RESP_STATE_Q_CLASS_PART;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->curr_rec_state = DNS_RESP_STATE_Q_CLASS_PART;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_Q_CLASS_PART:
@@ -439,38 +471,46 @@ static uint16_t ParseDNSAnswer(
     {
     case DNS_RESP_STATE_RR_TYPE:
         dnsSessionData->curr_rr.type = (uint8_t)*data << 8;
-        dnsSessionData->curr_rec_state = DNS_RESP_STATE_RR_TYPE_PART;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->curr_rec_state = DNS_RESP_STATE_RR_TYPE_PART;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_RR_TYPE_PART:
         dnsSessionData->curr_rr.type |= (uint8_t)*data;
-        dnsSessionData->curr_rec_state = DNS_RESP_STATE_RR_CLASS;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->curr_rec_state = DNS_RESP_STATE_RR_CLASS;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_RR_CLASS:
         dnsSessionData->curr_rr.dns_class = (uint8_t)*data << 8;
-        dnsSessionData->curr_rec_state = DNS_RESP_STATE_RR_CLASS_PART;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->curr_rec_state = DNS_RESP_STATE_RR_CLASS_PART;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_RR_CLASS_PART:
         dnsSessionData->curr_rr.dns_class |= (uint8_t)*data;
-        dnsSessionData->curr_rec_state = DNS_RESP_STATE_RR_TTL;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->curr_rec_state = DNS_RESP_STATE_RR_TTL;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_RR_TTL:
@@ -499,11 +539,13 @@ static uint16_t ParseDNSAnswer(
 
     case DNS_RESP_STATE_RR_RDLENGTH:
         dnsSessionData->curr_rr.length = (uint8_t)*data << 8;
-        dnsSessionData->curr_rec_state = DNS_RESP_STATE_RR_RDLENGTH_PART;
         data++;
 
         if ( !--bytes_unused )
+        {
+            dnsSessionData->curr_rec_state = DNS_RESP_STATE_RR_RDLENGTH_PART;
             return 0;
+        }
         // Fall through
 
     case DNS_RESP_STATE_RR_RDLENGTH_PART:
diff --git a/src/service_inspectors/ftp_telnet/ftp_parse.cc b/src/service_inspectors/ftp_telnet/ftp_parse.cc
index c1ebe125a..7121512c4 100644
--- a/src/service_inspectors/ftp_telnet/ftp_parse.cc
+++ b/src/service_inspectors/ftp_telnet/ftp_parse.cc
@@ -355,7 +355,7 @@ static int DoNextFormat(FTP_PARAM_FMT* ThisFmt, int allocated,
     char* ErrorString, int ErrStrLen)
 {
     FTP_PARAM_FMT* NextFmt;
-    int iRet = FTPP_SUCCESS;
+    int iRet;
     char* fmt = NextToken(CONF_SEPARATORS);
 
     if (!fmt)
diff --git a/src/service_inspectors/ftp_telnet/pp_ftp.cc b/src/service_inspectors/ftp_telnet/pp_ftp.cc
index b4199ecde..5f2e0a1c7 100644
--- a/src/service_inspectors/ftp_telnet/pp_ftp.cc
+++ b/src/service_inspectors/ftp_telnet/pp_ftp.cc
@@ -1598,6 +1598,7 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode)
                 read_ptr++;
                 req->param_begin = nullptr;
                 req->param_end = nullptr;
+                req->param_size = 0;
             }
             else if (space || ftpssn->server.response.state != 0)
             {
@@ -1607,6 +1608,7 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode)
                 if ((read_ptr = (unsigned char*)memchr(read_ptr, CR, end - read_ptr)) == nullptr)
                     read_ptr = end;
                 req->param_end = (const char*)read_ptr;
+                req->param_size = req->param_end - req->param_begin;
                 read_ptr++;
 
                 if (read_ptr < end)
@@ -1625,6 +1627,7 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode)
             /* Nothing left --> no parameters/message.  Not even an LF */
             req->param_begin = nullptr;
             req->param_end = nullptr;
+            req->param_size = 0;
         }
 
         /* Set the pointer for the next request/response
@@ -1634,7 +1637,6 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode)
         else
             req->pipeline_req = nullptr;
 
-        req->param_size = req->param_end - req->param_begin;
         switch (state)
         {
         case FTP_CMD_INV:
diff --git a/src/service_inspectors/http_inspect/http_test_input.cc b/src/service_inspectors/http_inspect/http_test_input.cc
index ff02339f2..d50a1446d 100644
--- a/src/service_inspectors/http_inspect/http_test_input.cc
+++ b/src/service_inspectors/http_inspect/http_test_input.cc
@@ -49,6 +49,11 @@ HttpTestInput::HttpTestInput(const char* file_name)
         throw std::runtime_error("Cannot open test input file");
 }
 
+HttpTestInput::~HttpTestInput()
+{
+    fclose(test_data_file);
+}
+
 void HttpTestInput::reset()
 {
     flushed = false;
diff --git a/src/service_inspectors/http_inspect/http_test_input.h b/src/service_inspectors/http_inspect/http_test_input.h
index 6848897dd..b674d55a4 100644
--- a/src/service_inspectors/http_inspect/http_test_input.h
+++ b/src/service_inspectors/http_inspect/http_test_input.h
@@ -31,6 +31,7 @@ class HttpTestInput
 {
 public:
     HttpTestInput(const char* fileName);
+    ~HttpTestInput();
     void scan(uint8_t*& data, uint32_t& length, HttpEnums::SourceId source_id, uint64_t seq_num);
     void flush(uint32_t num_octets);
     void reassemble(uint8_t** buffer, unsigned& length, HttpEnums::SourceId source_id,
diff --git a/src/service_inspectors/http_inspect/http_uri.cc b/src/service_inspectors/http_inspect/http_uri.cc
index 9a497b313..c27fb119c 100644
--- a/src/service_inspectors/http_inspect/http_uri.cc
+++ b/src/service_inspectors/http_inspect/http_uri.cc
@@ -146,7 +146,6 @@ void HttpUri::parse_abs_path()
 
 void HttpUri::check_oversize_dir(Field& uri_field)
 {
-    int32_t total_length = 0;
     const uint8_t* last_dir = nullptr;
     const uint8_t* cur;
     const uint8_t* end;
@@ -163,7 +162,7 @@ void HttpUri::check_oversize_dir(Field& uri_field)
         {
             if ( last_dir )
             {
-                total_length = cur - last_dir - 1;
+                int32_t total_length = cur - last_dir - 1;
 
                 if ( total_length > uri_param.oversize_dir_length )
                 {
diff --git a/src/service_inspectors/sip/test/sip_splitter_test.h b/src/service_inspectors/sip/test/sip_splitter_test.h
index 755ba09d7..c94cf8d78 100644
--- a/src/service_inspectors/sip/test/sip_splitter_test.h
+++ b/src/service_inspectors/sip/test/sip_splitter_test.h
@@ -42,7 +42,7 @@ const uint8_t blanks[] = {' ', '\t' };
 class SipSplitterUT
 {
 public:
-    SipSplitterUT(SipSplitter ss) : ss(ss) { };
+    SipSplitterUT(const SipSplitter& ss) : ss(ss) { };
 
     bool splitter_is_paf()
     { 
diff --git a/src/sfip/sf_ipvar.cc b/src/sfip/sf_ipvar.cc
index ab56e53dc..9f332fe08 100644
--- a/src/sfip/sf_ipvar.cc
+++ b/src/sfip/sf_ipvar.cc
@@ -232,7 +232,6 @@ sfip_var_t* sfvar_deep_copy(const sfip_var_t* var)
 static sfip_node_t* merge_lists(sfip_node_t* list1, sfip_node_t* list2, uint16_t list1_len,
     uint16_t list2_len, uint32_t& merge_len)
 {
-    SfIpRet ret = SFIP_SUCCESS;
     sfip_node_t* listHead = nullptr, * merge_list = nullptr, * tmp = nullptr, * node = nullptr;
     uint16_t num_nodes = 0;
 
@@ -270,7 +269,7 @@ static sfip_node_t* merge_lists(sfip_node_t* list1, sfip_node_t* list2, uint16_t
     /*Iterate till one of the list is NULL. Append each node to merge_list*/
     while (list1 && list2)
     {
-        ret = list1->ip->compare(*(list2->ip));
+        SfIpRet ret = list1->ip->compare(*(list2->ip));
         if (ret == SFIP_LESSER)
         {
             node = list1;
@@ -391,7 +390,6 @@ static SfIpRet sfvar_add_node(sfip_var_t* var, sfip_node_t* node, int negated)
 
     /* "Anys" should always be inserted first
        Otherwise, check if this IP is less than the head's IP */
-    SfIpRet node_cmp_ret = SFIP_SUCCESS;
     if (node->flags & SFIP_ANY)
     {
         sfip_node_t* tmp;
@@ -408,7 +406,7 @@ static SfIpRet sfvar_add_node(sfip_var_t* var, sfip_node_t* node, int negated)
     }
     else
     {
-        node_cmp_ret = node->ip->compare(*((*head)->ip));
+        SfIpRet node_cmp_ret = node->ip->compare(*((*head)->ip));
         if (node_cmp_ret == SFIP_EQUAL)
         {
             sfip_node_free(node);
@@ -444,7 +442,7 @@ static SfIpRet sfvar_add_node(sfip_var_t* var, sfip_node_t* node, int negated)
     /* Insertion sort */
     for (p = *head; p->next; p=p->next)
     {
-        node_cmp_ret = node->ip->compare(*(p->next->ip));
+        SfIpRet node_cmp_ret = node->ip->compare(*(p->next->ip));
         if (node_cmp_ret == SFIP_EQUAL)
         {
             sfip_node_free(node);
diff --git a/src/sfip/sfip_test.cc b/src/sfip/sfip_test.cc
index 8c4d16318..56a085faa 100644
--- a/src/sfip/sfip_test.cc
+++ b/src/sfip/sfip_test.cc
@@ -32,7 +32,7 @@ using namespace snort;
 
 //---------------------------------------------------------------
 
-static int s_debug = 0;
+//#define SFIP_TEST_DEBUG
 
 static const char* const codes[] =
 {
@@ -339,15 +339,19 @@ static int FuncCheck(int i)
     {
         status = "Failed";
     }
-    if ( result != f->expected || s_debug )
+#ifndef SFIP_TEST_DEBUG
+    if ( result != f->expected )
     {
+#endif
         if ( f->arg2 )
             printf("[%d] %s: %s(%s, %s) = %s\n",
                 i, status, f->func, f->arg1, f->arg2, code);
         else
             printf("[%d] %s: %s(%s) = %s\n",
                 i, status, f->func, f->arg1, code);
+#ifndef SFIP_TEST_DEBUG
     }
+#endif
     return result == f->expected;
 }
 
diff --git a/src/sfrt/sfrt_dir.cc b/src/sfrt/sfrt_dir.cc
index ce3e2fdd4..7dbc84ea9 100644
--- a/src/sfrt/sfrt_dir.cc
+++ b/src/sfrt/sfrt_dir.cc
@@ -312,14 +312,13 @@ static inline uint32_t _dir_remove_less_specific(uint32_t* allocated, int index,
     word length, dir_sub_table_t* table)
 {
     uint32_t valueIndexRet = 0;
-    uint32_t valueIndex = 0;
 
     for (; index < fill; index++)
     {
         if ( !table->lengths[index] && table->entries[index])
         {
             dir_sub_table_t* next = (dir_sub_table_t*)table->entries[index];
-            valueIndex = _dir_remove_less_specific(allocated, 0, 1 << next->width, length, next);
+            uint32_t valueIndex = _dir_remove_less_specific(allocated, 0, 1 << next->width, length, next);
             if (valueIndex)
             {
                 valueIndexRet = valueIndex;
diff --git a/src/stream/ip/ip_defrag.cc b/src/stream/ip/ip_defrag.cc
index 15bd874aa..1a133efc8 100644
--- a/src/stream/ip/ip_defrag.cc
+++ b/src/stream/ip/ip_defrag.cc
@@ -1084,25 +1084,25 @@ void Defrag::process(Packet* p, FragTracker* ft)
  */
 int Defrag::insert(Packet* p, FragTracker* ft, FragEngine* fe)
 {
-    uint16_t orig_offset;    /* offset specified in this fragment header */
-    uint16_t frag_offset;    /* calculated offset for this fragment */
-    uint16_t frag_end;       /* calculated end point for this fragment */
+    uint16_t orig_offset;   /* offset specified in this fragment header */
+    uint16_t frag_offset;   /* calculated offset for this fragment */
+    uint16_t frag_end;      /* calculated end point for this fragment */
     int16_t trunc = 0;      /* we truncate off the tail */
-    int32_t overlap = 0;    /* we overlap on either end of the frag */
+    int32_t overlap;        /* we overlap on either end of the frag */
     int16_t len = 0;        /* calculated size of the fragment */
     int16_t slide = 0;      /* slide up the front of the current frag */
     int done = 0;           /* flag for right-side overlap handling loop */
-    int addthis = 1;           /* flag for right-side overlap handling loop */
+    int addthis = 1;        /* flag for right-side overlap handling loop */
     int i = 0;              /* counter */
     int firstLastOk;
     int ret = FRAG_INSERT_OK;
-    unsigned char lastfrag = 0; /* Set to 1 when this is the 'last' frag */
+    unsigned char lastfrag = 0;     /* Set to 1 when this is the 'last' frag */
     unsigned char alerted_overlap = 0; /* Set to 1 when alerted */
-    Fragment* right = nullptr; /* frag ptr for right-side overlap loop */
-    Fragment* newfrag = nullptr;  /* new frag container */
-    Fragment* left = nullptr;     /* left-side overlap fragment ptr */
-    Fragment* idx = nullptr;      /* indexing fragment pointer for loops */
-    Fragment* dump_me = nullptr;  /* frag ptr for complete overlaps to dump */
+    Fragment* right = nullptr;      /* frag ptr for right-side overlap loop */
+    Fragment* newfrag = nullptr;    /* new frag container */
+    Fragment* left = nullptr;       /* left-side overlap fragment ptr */
+    Fragment* idx = nullptr;        /* indexing fragment pointer for loops */
+    Fragment* dump_me = nullptr;    /* frag ptr for complete overlaps to dump */
     const uint8_t* fragStart;
     int16_t fragLength;
     const uint16_t net_frag_offset = p->ptrs.ip_api.off();
@@ -1404,7 +1404,7 @@ left_overlap_last:
                     "truncating old pkt (offset: %d overlap: %d)\n",
                     left->offset, overlap);
 
-                if (left->size <= 0)
+                if (left->size == 0)
                 {
                     dump_me = left;
 
@@ -1526,7 +1526,7 @@ left_overlap_last:
                     "overlap: %d)\n", right->offset, overlap);
                 trace_log(stream_ip,
                     "Exiting right overlap loop...\n");
-                if (right->size <= 0)
+                if (right->size == 0)
                 {
                     dump_me = right;
 
diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc
index 6a0593de4..afded4843 100644
--- a/src/stream/tcp/tcp_session.cc
+++ b/src/stream/tcp/tcp_session.cc
@@ -1038,7 +1038,7 @@ int TcpSession::process(Packet* p)
         return ACTION_NOTHING;
     else
     {
-        DeepProfile profile(s5TcpStatePerfStats);
+        DeepProfile tcp_state_profile(s5TcpStatePerfStats);
 
         if ( tsm->eval(tsd, *talker, *listener) )
         {