[airplay] Coverity fixups

src/outputs/airplay.c

@@ -559,7 +559,8 @@ device_id_colon_parse(uint64_t *id, const char *id_str)
   char *ptr;
   int ret;
 
-  s = calloc(1, strlen(id_str) + 1);
+  CHECK_NULL(L_AIRPLAY, s = calloc(1, strlen(id_str) + 1));
+
   for (ptr = s; *id_str != '\0'; id_str++)
     {
       if (*id_str == ':')

src/outputs/raop.c

@@ -931,7 +931,7 @@ static int
 raop_parse_auth(struct raop_session *rs, struct evrtsp_request *req)
 {
   const char *param;
-  char *auth;
+  char *auth = NULL;
   char *token;
   char *ptr;
 
@@ -951,8 +951,7 @@ raop_parse_auth(struct raop_session *rs, struct evrtsp_request *req)
   if (!param)
     {
       DPRINTF(E_LOG, L_RAOP, "WWW-Authenticate header not found\n");
-
-      return -1;
+      goto error;
     }
 
   DPRINTF(E_DBG, L_RAOP, "WWW-Authenticate: %s\n", param);
@@ -960,19 +959,23 @@ raop_parse_auth(struct raop_session *rs, struct evrtsp_request *req)
   if (strncmp(param, "Digest ", strlen("Digest ")) != 0)
     {
       DPRINTF(E_LOG, L_RAOP, "Unsupported authentication method: %s\n", param);
-
-      return -1;
+      goto error;
     }
 
   auth = strdup(param);
   if (!auth)
     {
       DPRINTF(E_LOG, L_RAOP, "Out of memory for WWW-Authenticate header copy\n");
-
-      return -1;
+      goto error;
     }
 
   token = strchr(auth, ' ');
+  if (!token)
+    {
+      DPRINTF(E_LOG, L_RAOP, "Unexpected WWW-Authenticate auth\n");
+      goto error;
+    }
+
   token++;
 
   token = strtok_r(token, " =", &ptr);
@@ -998,8 +1001,6 @@ raop_parse_auth(struct raop_session *rs, struct evrtsp_request *req)
       token = strtok_r(NULL, " =", &ptr);
     }
 
-  free(auth);
-
   if (!rs->realm || !rs->nonce)
     {
       DPRINTF(E_LOG, L_RAOP, "Could not find realm/nonce in WWW-Authenticate header\n");
@@ -1016,12 +1017,17 @@ raop_parse_auth(struct raop_session *rs, struct evrtsp_request *req)
 	  rs->nonce = NULL;
 	}
 
-      return -1;
+      goto error;
     }
 
   DPRINTF(E_DBG, L_RAOP, "Found realm: [%s], nonce: [%s]\n", rs->realm, rs->nonce);
 
+  free(auth);
   return 0;
+
+ error:
+  free(auth);
+  return -1;
 }
 
 static int
@@ -3363,6 +3369,14 @@ raop_cb_startup_setup(struct evrtsp_request *req, void *arg)
     }
 
   token = strchr(transport, ';');
+  if (!token)
+    {
+      DPRINTF(E_LOG, L_RAOP, "Missing semicolon in Transport header: %s\n", transport);
+
+      free(transport);
+      goto cleanup;
+    }
+
   token++;
 
   token = strtok_r(token, ";=", &ptr);

src/pair_ap/pair-tlv.c

@@ -70,6 +70,9 @@ pair_tlv_new() {
 
 void
 pair_tlv_free(pair_tlv_values_t *values) {
+    if (!values)
+        return;
+
     pair_tlv_t *t = values->head;
     while (t) {
         pair_tlv_t *t2 = t;

src/pair_ap/pair_fruit.c

@@ -347,7 +347,7 @@ srp_user_process_challenge(struct SRPUser *usr, const unsigned char *bytes_s, in
   bnum u, x;
 
   *len_M = 0;
-  *bytes_M = 0;
+  *bytes_M = NULL;
 
   bnum_bin2bn(s, bytes_s, len_s);
   bnum_bin2bn(B, bytes_B, len_B);
@@ -384,14 +384,7 @@ srp_user_process_challenge(struct SRPUser *usr, const unsigned char *bytes_s, in
       calculate_H_AMK(usr->alg, usr->H_AMK, usr->A, usr->M, usr->session_key, usr->session_key_len);
 
       *bytes_M = usr->M;
-      if (len_M)
-        *len_M = hash_length(usr->alg);
-    }
-  else
-    {
-      *bytes_M = NULL;
-      if (len_M)
-        *len_M   = 0;
+      *len_M = hash_length(usr->alg);
     }
 
  cleanup2:

src/pair_ap/pair_homekit.c

@@ -55,6 +55,8 @@
 #define REQUEST_BUFSIZE 4096
 #define ENCRYPTED_LEN_MAX 0x400
 
+// #define DEBUG_SHORT_A 1
+
 enum pair_keys
 {
   PAIR_SETUP_MSG01 = 0,
@@ -418,6 +420,14 @@ srp_user_get_session_key(struct SRPUser *usr, int *key_length)
   return usr->session_key;
 }
 
+#ifdef DEBUG_SHORT_A
+// This value of "a" will yield a 383 byte A
+static uint8_t short_a[] = {
+ 0xef, 0xb5, 0x93, 0xf5, 0x03, 0x97, 0x69, 0x8e, 0x15, 0xed, 0xee, 0x5b, 0xf2, 0xf9, 0x23, 0x6c,
+ 0xf0, 0x59, 0x6c, 0xe2, 0x77, 0xf2, 0x14, 0x16, 0xac, 0x99, 0xfa, 0x31, 0xae, 0x2b, 0xd3, 0x41,
+};
+#endif
+
 /* Output: username, bytes_A, len_A */
 static void
 srp_user_start_authentication(struct SRPUser *usr, const char **username,
@@ -425,6 +435,9 @@ srp_user_start_authentication(struct SRPUser *usr, const char **username,
 {
 //  BN_hex2bn(&(usr->a), "D929DFB605687233C9E9030C2280156D03BDB9FDCF3CCE3BC27D9CCFCB5FF6A1");
   bnum_random(usr->a, 256);
+#ifdef DEBUG_SHORT_A
+  bnum_bin2bn(usr->a, short_a, sizeof(short_a));
+#endif
 #ifdef DEBUG_PAIR
   bnum_dump("Random value of usr->a:\n", usr->a);
 #endif
@@ -459,7 +472,7 @@ srp_user_process_challenge(struct SRPUser *usr, const unsigned char *bytes_s, in
   bnum u, x;
 
   *len_M = 0;
-  *bytes_M = 0;
+  *bytes_M = NULL;
 
   bnum_bin2bn(s, bytes_s, len_s);
   bnum_bin2bn(B, bytes_B, len_B);
@@ -499,14 +512,7 @@ srp_user_process_challenge(struct SRPUser *usr, const unsigned char *bytes_s, in
       calculate_H_AMK(usr->alg, usr->H_AMK, usr->A, usr->M, usr->session_key, usr->session_key_len);
 
       *bytes_M = usr->M;
-      if (len_M)
-        *len_M = hash_length(usr->alg);
-    }
-  else
-    {
-      *bytes_M = NULL;
-      if (len_M)
-        *len_M   = 0;
+      *len_M = hash_length(usr->alg);
     }
 
  cleanup2:
@@ -1936,6 +1942,7 @@ client_verify_response2(struct pair_verify_context *handle, const uint8_t *data,
 
   handle->status = PAIR_STATUS_COMPLETED;
 
+  pair_tlv_free(response);
   return 0;
 }