Pull request #4946: appid: solve coverity warnings

Merge in SNORT/snort3 from ~AAVILASE/snort3:address_coverity_warnings to master

Squashed commit of the following:

commit b100d38c8fbf510e5e6daf9f4b5cfe37de1d8352
Author: Andres Avila <aavilase@cisco.com>
Date:   Thu Oct 16 10:33:30 2025 -0400

    appid: solve coverity warnings

diff --git a/src/network_inspectors/appid/appid_cpu_profile_table.cc b/src/network_inspectors/appid/appid_cpu_profile_table.cc
index 47e1bbad3d89b7108b36c62bfc6ff8e67e00dc61..ea97d65cd3a3773bc45f818993358a946f23101e 100644 (file)
--- a/src/network_inspectors/appid/appid_cpu_profile_table.cc
+++ b/src/network_inspectors/appid/appid_cpu_profile_table.cc
@@ -149,8 +149,7 @@ AppidCpuTableDisplayStatus AppidCPUProfilingManager::display_appid_cpu_profiler_
 
     while (!sorted_appid_cpu_profiler_table.empty() and rows_displayed < display_rows_limit)
     {
-        auto entry = sorted_appid_cpu_profiler_table.top();
-        sorted_appid_cpu_profiler_table.pop();
+        const auto& entry = sorted_appid_cpu_profiler_table.top();
         if (!entry.second.processed_packets or !entry.second.per_appid_sessions)
             continue;
 
@@ -161,6 +160,7 @@ AppidCpuTableDisplayStatus AppidCPUProfilingManager::display_appid_cpu_profiler_
                 FormatWithCommas(entry.second.max_processing_time_per_session).c_str(), static_cast<double>(entry.second.processing_time) / total_processing_time * 100.0);
 
         rows_displayed += 1;
+        sorted_appid_cpu_profiler_table.pop();
     }
 
     print_log(ctrlcon, output_type, TRACE_INFO_LEVEL, partition);

diff --git a/src/network_inspectors/appid/detector_plugins/detector_dns.cc b/src/network_inspectors/appid/detector_plugins/detector_dns.cc
index ed107ca00b2d28630193791c906bfbac01646332..003f7786547ec00c38f96221c9d394deac24d930 100644 (file)
--- a/src/network_inspectors/appid/detector_plugins/detector_dns.cc
+++ b/src/network_inspectors/appid/detector_plugins/detector_dns.cc
@@ -353,7 +353,8 @@ APPID_STATUS_CODE DnsValidator::dns_validate_label(const uint8_t* data, uint16_t
             offset += offsetof(DNSLabel, name);
             if (!lbl->len)
             {
-                len--;    // take off the extra '.' at the end
+                if (len > 0)
+                    len--;    // take off the extra '.' at the end
                 return APPID_SUCCESS;
             }
             offset += lbl->len;

diff --git a/src/network_inspectors/appid/lua_detector_api.cc b/src/network_inspectors/appid/lua_detector_api.cc
index 017631e349511c15f3368e5d62f76d1edbf23eb5..af93127f0120ccb8416decb8bd977fbae81ff5e5 100644 (file)
--- a/src/network_inspectors/appid/lua_detector_api.cc
+++ b/src/network_inspectors/appid/lua_detector_api.cc
@@ -746,7 +746,7 @@ static int detector_get_pcre_groups(lua_State* L)
     if (re == nullptr)
     {
         pcre2_get_error_message(errorcode, error, 128);
-        APPID_LOG(lsd->ldp.pkt, TRACE_ERROR_LEVEL, "PCRE compilation failed at offset %d: %s\n", erroffset, error);
+        APPID_LOG(lsd->ldp.pkt, TRACE_ERROR_LEVEL, "PCRE compilation failed at offset %zu: %s\n", erroffset, error);
         return 0;
     }
 

diff --git a/src/network_inspectors/appid/service_plugins/service_ftp.cc b/src/network_inspectors/appid/service_plugins/service_ftp.cc
index 0f119ba55ebf2e9249732f9e4dce2640965f2547..d72fddbd8dc43636e68cc283b2de91ee58a0b862 100644 (file)
--- a/src/network_inspectors/appid/service_plugins/service_ftp.cc
+++ b/src/network_inspectors/appid/service_plugins/service_ftp.cc
@@ -151,7 +151,8 @@ static inline void CopyVersionString(ServiceFTPData& fd, const uint8_t* version,
     {
         copyLen--;
     }
-    memcpy(fd.version, version, copyLen);
+    if (copyLen > 0)
+        memcpy(fd.version, version, copyLen);
     fd.version[copyLen] = '\0';
 }
 

diff --git a/src/network_inspectors/appid/service_plugins/service_irc.cc b/src/network_inspectors/appid/service_plugins/service_irc.cc
index b9b659e07880e9cb589523dfb574540df32e1183..0dfe067fd83bf5adaa5bc8b1abd3dd81334a0235 100644 (file)
--- a/src/network_inspectors/appid/service_plugins/service_irc.cc
+++ b/src/network_inspectors/appid/service_plugins/service_irc.cc
@@ -23,6 +23,7 @@
 #include "config.h"
 #endif
 
+#include <cstring>
 #include "service_irc.h"
 
 #define IRC_COUNT_THRESHOLD 10
@@ -169,9 +170,9 @@ int IrcServiceDetector::validate(AppIdDiscoveryArgs& args)
             *state = IRC_STATE_MID_COMMAND;
             break;
         case IRC_STATE_MID_COMMAND:
-            if (*data != (*command)[*pos])
+            if (*command != nullptr && *data != (*command)[*pos])
             {
-                if (*command == IRC_PONG && *pos == 1 && *data == IRC_PING[1])
+                if ((std::strcmp(*command, IRC_PONG) == 0) && *pos == 1 && *data == IRC_PING[1])
                 {
                     *command = IRC_PING;
                 }
@@ -179,7 +180,7 @@ int IrcServiceDetector::validate(AppIdDiscoveryArgs& args)
                     goto fail;
             }
             (*pos)++;
-            if (!(*command)[*pos])
+            if (*command != nullptr && !(*command)[*pos])
             {
                 if (args.dir == APP_ID_FROM_RESPONDER)
                 {

diff --git a/src/network_inspectors/appid/service_plugins/service_ssl.cc b/src/network_inspectors/appid/service_plugins/service_ssl.cc
index 9f2d837c0b171f005369f566820256d1c32c8ca5..a8dc6ee5cf2b86231d4f61f6e5ebfb375c3c304d 100644 (file)
--- a/src/network_inspectors/appid/service_plugins/service_ssl.cc
+++ b/src/network_inspectors/appid/service_plugins/service_ssl.cc
@@ -269,6 +269,8 @@ int SslServiceDetector::validate(AppIdDiscoveryArgs& args)
         if (ss->cached_data)
         {
             reallocated_data = (uint8_t*)snort_calloc(ss->cached_len + size, sizeof(uint8_t));
+            if (reallocated_data == nullptr)
+                goto inprocess;
             memcpy(reallocated_data, args.data, args.size);
             memcpy(reallocated_data + args.size, ss->cached_data, ss->cached_len);
             size = ss->cached_len + args.size;
@@ -288,6 +290,8 @@ int SslServiceDetector::validate(AppIdDiscoveryArgs& args)
         if ( (ss->cached_client_data and (args.dir == APP_ID_FROM_INITIATOR)) or (!ss->cached_client_data and (args.dir == APP_ID_FROM_RESPONDER)) )
         {
             reallocated_data = (uint8_t*)snort_calloc(ss->cached_len + size, sizeof(uint8_t));
+            if (reallocated_data == nullptr)
+                goto inprocess;
             memcpy(reallocated_data, ss->cached_data, ss->cached_len);
             memcpy(reallocated_data + ss->cached_len, args.data, args.size);
             size = ss->cached_len + args.size;

diff --git a/src/network_inspectors/appid/tp_lib_handler.cc b/src/network_inspectors/appid/tp_lib_handler.cc
index aedfdf2b3626c98cc4a2dd0e99039c8da07bc70c..654f7d3e475fdc1e2aa9379b54464dd35b419428 100644 (file)
--- a/src/network_inspectors/appid/tp_lib_handler.cc
+++ b/src/network_inspectors/appid/tp_lib_handler.cc
@@ -144,7 +144,7 @@ void TPLibHandler::tp_mp_init(ThirdPartyAppIdContext& tp_appid_ctxt)
 
     if (ret != 0)
     {
-        APPID_LOG(nullptr, TRACE_ERROR_LEVEL, "Could not subscribe to the appid tp syncevent\n", ret);
+        APPID_LOG(nullptr, TRACE_ERROR_LEVEL, "Could not subscribe to the appid tp syncevent ret = %d\n", ret);
         return;
     }
 

diff --git a/src/network_inspectors/appid/user_data_map.cc b/src/network_inspectors/appid/user_data_map.cc
index c185ff862546287a5c0b3d3e5a03d327c699b819..c8dea7551e2f71489c026f530a16724409de0737 100644 (file)
--- a/src/network_inspectors/appid/user_data_map.cc
+++ b/src/network_inspectors/appid/user_data_map.cc
@@ -67,7 +67,7 @@ bool UserDataMap::add_user_data(const std::string &table, const std::string &key
     {
         std::unordered_map<std::string, std::string> user_map;
         user_map[key] = item;
-        user_data_maps[table] = user_map;
+        user_data_maps[table] = std::move(user_map);
     }
 
     return true;