From 2d5a016ad471f3d6963628f359738729a36e2c3a Mon Sep 17 00:00:00 2001
From: Jarrod Johnson <jjohnson2@lenovo.com>
Date: Tue, 6 Dec 2022 15:35:49 -0500
Subject: [PATCH] Tweak various issues for static analysis.

For autocons, though it's copying from a static source, use strncpy anyway,
despite the length being hardcoded already.  This makes static analysis happier.

Terminate the buff with a NULL.  This is superfluous as the strcpies that preceed
are guaranteed to null terminate, or exit the program.

In clortho, free(tmps), which is a valid leak, though clortho isn't long running.
Also, explicitly return 0, which is ultimately returned by main().

Static analysis could not figure out that padneeded implies that keylen is short of
chunk size, so change the check to be expressly the scenario that static analysis
was worried about directly, rather than indirectly.

Hint to static analysis that we don't care about the time as a time value by masking the
lower 32 bit explicitly.  This was already happening, but static analysis was afraid
that we wanted this as time instead of just some mutating value.
---
 confluent_osdeploy/utils/autocons.c | 9 +++++----
 confluent_osdeploy/utils/clortho.c  | 2 ++
 confluent_osdeploy/utils/sha-256.c  | 4 ++--
 confluent_osdeploy/utils/sha-256.h  | 2 +-
 confluent_osdeploy/utils/urlmount.c | 2 +-
 5 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/confluent_osdeploy/utils/autocons.c b/confluent_osdeploy/utils/autocons.c
index a12aa924..d3ac0b9a 100644
--- a/confluent_osdeploy/utils/autocons.c
+++ b/confluent_osdeploy/utils/autocons.c
@@ -68,16 +68,16 @@ int main(int argc, char* argv[]) {
     }
     if (currspeed == SPEED9600) {
         cspeed = B9600;
-        strcpy(offset, ",9600");
+        strncpy(offset, ",9600", 6);
     } else if (currspeed == SPEED19200) {
         cspeed = B19200;
-        strcpy(offset, ",19200");
+        strncpy(offset, ",19200", 7);
     } else if (currspeed == SPEED57600) {
         cspeed = B57600;
-        strcpy(offset, ",57600");
+        strncpy(offset, ",57600", 7);
     } else if (currspeed == SPEED115200) {
         cspeed = B115200;
-        strcpy(offset, ",115200");
+        strncpy(offset, ",115200", 8);
     } else {
         exit(0);
     }
@@ -86,6 +86,7 @@ int main(int argc, char* argv[]) {
         cfsetospeed(&tty, cspeed);
         cfsetispeed(&tty, cspeed);
     }
+    buff[127] = 0;
     printf("%s\n", buff);
     tcgetattr(ttyf, &tty2);
     cfmakeraw(&tty2);
diff --git a/confluent_osdeploy/utils/clortho.c b/confluent_osdeploy/utils/clortho.c
index c5dd88fd..3faefc8a 100644
--- a/confluent_osdeploy/utils/clortho.c
+++ b/confluent_osdeploy/utils/clortho.c
@@ -90,6 +90,7 @@ int getpasshmac(int argc, char* argv[]) {
     tmps = genpasswd(16);
     memcpy(buffer, "$5$", 3);
     memcpy(buffer + 3, tmps, 16);
+    free(tmps);
     buffer[19] = 0;
     fwrite(passwd, 1, 48, outfile);
     fclose(outfile);
@@ -105,6 +106,7 @@ int getpasshmac(int argc, char* argv[]) {
     free(hmac64);
     free(passwd);
     free(buffer);
+    return 0;
 }
 
 int main(int argc, char* argv[]) {
diff --git a/confluent_osdeploy/utils/sha-256.c b/confluent_osdeploy/utils/sha-256.c
index e219217b..d0350992 100644
--- a/confluent_osdeploy/utils/sha-256.c
+++ b/confluent_osdeploy/utils/sha-256.c
@@ -3,7 +3,7 @@
 
 #define TOTAL_LEN_LEN 8
 
-void hmac_sha256(uint8_t* hmac, char* msg, int msglen, char* key, int keylen) {
+void hmac_sha256(uint8_t* hmac, char* msg, int msglen, char* key, unsigned int keylen) {
     uint8_t *scratch;
     uint8_t keyprime[SIZE_OF_SHA_256_CHUNK];
     uint8_t keymod[SIZE_OF_SHA_256_CHUNK];
@@ -15,7 +15,7 @@ void hmac_sha256(uint8_t* hmac, char* msg, int msglen, char* key, int keylen) {
         memcpy(keyprime, key, keylen);
     }
     padneeded = SIZE_OF_SHA_256_CHUNK - keylen;
-    if (padneeded) {
+    if (keylen < SIZE_OF_SHA_256_CHUNK) {
         memset(keyprime + keylen, 0, padneeded);
     }
     for (padneeded=0; padneeded < SIZE_OF_SHA_256_CHUNK; padneeded++) {
diff --git a/confluent_osdeploy/utils/sha-256.h b/confluent_osdeploy/utils/sha-256.h
index e71b28f3..a33ff5db 100644
--- a/confluent_osdeploy/utils/sha-256.h
+++ b/confluent_osdeploy/utils/sha-256.h
@@ -61,7 +61,7 @@ void calc_sha_256(uint8_t hash[SIZE_OF_SHA_256_HASH], const void *input, size_t
  *
  * @note If either of the passed pointers is NULL, the results are unpredictable.
  */
-void hmac_sha256(uint8_t* hmac, char* msg, int msglen, char* key, int keylen);
+void hmac_sha256(uint8_t* hmac, char* msg, int msglen, char* key, unsigned int keylen);
 void sha_256_init(struct Sha_256 *sha_256, uint8_t hash[SIZE_OF_SHA_256_HASH]);
 
 /*
diff --git a/confluent_osdeploy/utils/urlmount.c b/confluent_osdeploy/utils/urlmount.c
index 62fc11c8..33614ad1 100644
--- a/confluent_osdeploy/utils/urlmount.c
+++ b/confluent_osdeploy/utils/urlmount.c
@@ -49,7 +49,7 @@ void *http_rechecker(void *argp) {
     int tmpidx, tmpval;
     tmpidx = open("/dev/urandom", O_RDONLY);
     if (tmpidx <= 0 || read(tmpidx, (char*)&tmpval, 4) < 0)
-        tmpval = time(NULL);
+        tmpval = time(NULL) & 0xffffffff;
     if (tmpidx >= 0)
         close(tmpidx);
     srand(tmpval);