From: Andres Avila Segura (aavilase) <aavilase@cisco.com>
Date: Wed, 29 Oct 2025 19:34:04 +0000 (+0000)
Subject: Pull request #4946: appid: solve coverity warnings
X-Git-Tag: 3.9.7.0~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cfc93c1f00351201ca9fadd04bfaa6fce2c33907;p=thirdparty%2Fsnort3.git

Pull request #4946: appid: solve coverity warnings

Merge in SNORT/snort3 from ~AAVILASE/snort3:address_coverity_warnings to master

Squashed commit of the following:

commit b100d38c8fbf510e5e6daf9f4b5cfe37de1d8352
Author: Andres Avila <aavilase@cisco.com>
Date:   Thu Oct 16 10:33:30 2025 -0400

    appid: solve coverity warnings
---

diff --git a/src/network_inspectors/appid/appid_cpu_profile_table.cc b/src/network_inspectors/appid/appid_cpu_profile_table.cc
index 47e1bbad3..ea97d65cd 100644
--- a/src/network_inspectors/appid/appid_cpu_profile_table.cc
+++ b/src/network_inspectors/appid/appid_cpu_profile_table.cc
@@ -149,8 +149,7 @@ AppidCpuTableDisplayStatus AppidCPUProfilingManager::display_appid_cpu_profiler_
 
     while (!sorted_appid_cpu_profiler_table.empty() and rows_displayed < display_rows_limit)
     {
-        auto entry = sorted_appid_cpu_profiler_table.top();
-        sorted_appid_cpu_profiler_table.pop();
+        const auto& entry = sorted_appid_cpu_profiler_table.top();
         if (!entry.second.processed_packets or !entry.second.per_appid_sessions)
             continue;
 
@@ -161,6 +160,7 @@ AppidCpuTableDisplayStatus AppidCPUProfilingManager::display_appid_cpu_profiler_
                 FormatWithCommas(entry.second.max_processing_time_per_session).c_str(), static_cast<double>(entry.second.processing_time) / total_processing_time * 100.0);
 
         rows_displayed += 1;
+        sorted_appid_cpu_profiler_table.pop();
     }
 
     print_log(ctrlcon, output_type, TRACE_INFO_LEVEL, partition);
diff --git a/src/network_inspectors/appid/detector_plugins/detector_dns.cc b/src/network_inspectors/appid/detector_plugins/detector_dns.cc
index ed107ca00..003f77865 100644
--- a/src/network_inspectors/appid/detector_plugins/detector_dns.cc
+++ b/src/network_inspectors/appid/detector_plugins/detector_dns.cc
@@ -353,7 +353,8 @@ APPID_STATUS_CODE DnsValidator::dns_validate_label(const uint8_t* data, uint16_t
             offset += offsetof(DNSLabel, name);
             if (!lbl->len)
             {
-                len--;    // take off the extra '.' at the end
+                if (len > 0)
+                    len--;    // take off the extra '.' at the end
                 return APPID_SUCCESS;
             }
             offset += lbl->len;
diff --git a/src/network_inspectors/appid/lua_detector_api.cc b/src/network_inspectors/appid/lua_detector_api.cc
index 017631e34..af93127f0 100644
--- a/src/network_inspectors/appid/lua_detector_api.cc
+++ b/src/network_inspectors/appid/lua_detector_api.cc
@@ -746,7 +746,7 @@ static int detector_get_pcre_groups(lua_State* L)
     if (re == nullptr)
     {
         pcre2_get_error_message(errorcode, error, 128);
-        APPID_LOG(lsd->ldp.pkt, TRACE_ERROR_LEVEL, "PCRE compilation failed at offset %d: %s\n", erroffset, error);
+        APPID_LOG(lsd->ldp.pkt, TRACE_ERROR_LEVEL, "PCRE compilation failed at offset %zu: %s\n", erroffset, error);
         return 0;
     }
 
diff --git a/src/network_inspectors/appid/service_plugins/service_ftp.cc b/src/network_inspectors/appid/service_plugins/service_ftp.cc
index 0f119ba55..d72fddbd8 100644
--- a/src/network_inspectors/appid/service_plugins/service_ftp.cc
+++ b/src/network_inspectors/appid/service_plugins/service_ftp.cc
@@ -151,7 +151,8 @@ static inline void CopyVersionString(ServiceFTPData& fd, const uint8_t* version,
     {
         copyLen--;
     }
-    memcpy(fd.version, version, copyLen);
+    if (copyLen > 0)
+        memcpy(fd.version, version, copyLen);
     fd.version[copyLen] = '\0';
 }
 
diff --git a/src/network_inspectors/appid/service_plugins/service_irc.cc b/src/network_inspectors/appid/service_plugins/service_irc.cc
index b9b659e07..0dfe067fd 100644
--- a/src/network_inspectors/appid/service_plugins/service_irc.cc
+++ b/src/network_inspectors/appid/service_plugins/service_irc.cc
@@ -23,6 +23,7 @@
 #include "config.h"
 #endif
 
+#include <cstring>
 #include "service_irc.h"
 
 #define IRC_COUNT_THRESHOLD 10
@@ -169,9 +170,9 @@ int IrcServiceDetector::validate(AppIdDiscoveryArgs& args)
             *state = IRC_STATE_MID_COMMAND;
             break;
         case IRC_STATE_MID_COMMAND:
-            if (*data != (*command)[*pos])
+            if (*command != nullptr && *data != (*command)[*pos])
             {
-                if (*command == IRC_PONG && *pos == 1 && *data == IRC_PING[1])
+                if ((std::strcmp(*command, IRC_PONG) == 0) && *pos == 1 && *data == IRC_PING[1])
                 {
                     *command = IRC_PING;
                 }
@@ -179,7 +180,7 @@ int IrcServiceDetector::validate(AppIdDiscoveryArgs& args)
                     goto fail;
             }
             (*pos)++;
-            if (!(*command)[*pos])
+            if (*command != nullptr && !(*command)[*pos])
             {
                 if (args.dir == APP_ID_FROM_RESPONDER)
                 {
diff --git a/src/network_inspectors/appid/service_plugins/service_ssl.cc b/src/network_inspectors/appid/service_plugins/service_ssl.cc
index 9f2d837c0..a8dc6ee5c 100644
--- a/src/network_inspectors/appid/service_plugins/service_ssl.cc
+++ b/src/network_inspectors/appid/service_plugins/service_ssl.cc
@@ -269,6 +269,8 @@ int SslServiceDetector::validate(AppIdDiscoveryArgs& args)
         if (ss->cached_data)
         {
             reallocated_data = (uint8_t*)snort_calloc(ss->cached_len + size, sizeof(uint8_t));
+            if (reallocated_data == nullptr)
+                goto inprocess;
             memcpy(reallocated_data, args.data, args.size);
             memcpy(reallocated_data + args.size, ss->cached_data, ss->cached_len);
             size = ss->cached_len + args.size;
@@ -288,6 +290,8 @@ int SslServiceDetector::validate(AppIdDiscoveryArgs& args)
         if ( (ss->cached_client_data and (args.dir == APP_ID_FROM_INITIATOR)) or (!ss->cached_client_data and (args.dir == APP_ID_FROM_RESPONDER)) )
         {
             reallocated_data = (uint8_t*)snort_calloc(ss->cached_len + size, sizeof(uint8_t));
+            if (reallocated_data == nullptr)
+                goto inprocess;
             memcpy(reallocated_data, ss->cached_data, ss->cached_len);
             memcpy(reallocated_data + ss->cached_len, args.data, args.size);
             size = ss->cached_len + args.size;
diff --git a/src/network_inspectors/appid/tp_lib_handler.cc b/src/network_inspectors/appid/tp_lib_handler.cc
index aedfdf2b3..654f7d3e4 100644
--- a/src/network_inspectors/appid/tp_lib_handler.cc
+++ b/src/network_inspectors/appid/tp_lib_handler.cc
@@ -144,7 +144,7 @@ void TPLibHandler::tp_mp_init(ThirdPartyAppIdContext& tp_appid_ctxt)
 
     if (ret != 0)
     {
-        APPID_LOG(nullptr, TRACE_ERROR_LEVEL, "Could not subscribe to the appid tp syncevent\n", ret);
+        APPID_LOG(nullptr, TRACE_ERROR_LEVEL, "Could not subscribe to the appid tp syncevent ret = %d\n", ret);
         return;
     }
 
diff --git a/src/network_inspectors/appid/user_data_map.cc b/src/network_inspectors/appid/user_data_map.cc
index c185ff862..c8dea7551 100644
--- a/src/network_inspectors/appid/user_data_map.cc
+++ b/src/network_inspectors/appid/user_data_map.cc
@@ -67,7 +67,7 @@ bool UserDataMap::add_user_data(const std::string &table, const std::string &key
     {
         std::unordered_map<std::string, std::string> user_map;
         user_map[key] = item;
-        user_data_maps[table] = user_map;
+        user_data_maps[table] = std::move(user_map);
     }
 
     return true;