* libmisc/limits.c: Avoid implicit conversion of integer to

boolean.
	* libmisc/basename.c: Avoid implicit conversion of pointer to
	boolean.
	* libmisc/basename.c, lib/prototypes.h (Basename): Return a
	constant string.
	* libmisc/basename.c, libmisc/obscure.c, lib/prototypes.h,
	libmisc/xmalloc.c, libmisc/getdate.h, libmisc/system.c,
	libmisc/getgr_nam_gid.c, libmisc/failure.c, libmisc/valid.c: Add
	splint annotations.
	* libmisc/chowndir.c: Avoid memory leak.
	* libmisc/chowndir.c: Do not check *printf/*puts return value.
	* libmisc/chowntty.c: Avoid implicit conversion between integer
	types.
	* libmisc/obscure.c: Return a bool when possible instead of int.
	* libmisc/shell.c: Do not check *printf/*puts return value.
	* libmisc/shell.c: Do not check execle return value.
	* libmisc/setupenv.c: Avoid implicit conversion between integer
	types.
	* libmisc/xmalloc.c: size should not be zero to avoid returning
	NULL pointers.
	* libmisc/hushed.c: Do not check *printf/*puts return value.
	* libmisc/system.c: Avoid implicit conversion of integer to
	boolean. safe_system last argument is a boolean.
	* libmisc/system.c: Check return value of dup2.
	* libmisc/system.c: Do not check *printf/*puts return value.
	* libmisc/system.c: Do not check execve return value. 
	* libmisc/salt.c: Do not check *printf/*puts return value.
	* libmisc/loginprompt.c: Do not check gethostname return value.
	* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Do not check
	gr_rewind/pw_rewind return value.
	* libmisc/ttytype.c: Limit the number of parsed characters in the
	sscanf format.
	* libmisc/ttytype.c: Test if a type was really read.
	* libmisc/sub.c: Do not check *printf/*puts return value.
	* libmisc/sub.c: Avoid implicit conversion of integer to boolean.
	* src/userdel.c: Fix typo in comment.
	* src/userdel.c: Avoid implicit conversion of boolean to integer.
	* src/userdel.c: safe_system last argument is a boolean.
	* src/newusers.c: Avoid implicit conversion of boolean to integer.
	* src/newusers.c: Avoid implicit conversion of integer to boolean.
	* src/usermod.c: Add brackets.
	* src/usermod.c: Avoid implicit conversion of characters or
	integers to booleans.
	* src/vipw.c: Avoid implicit conversion of integer to boolean.
	* src/su.c: Avoid implicit conversion of integer to boolean.
	* src/su.c: Add brackets.
	* src/useradd.c: Avoid implicit conversion of characters or
	integers to booleans.

libmisc/basename.c

@@ -42,9 +42,9 @@
 
 #include "defines.h"
 #include "prototypes.h"
-char *Basename (char *str)
+/*@observer@*/const char *Basename (char *str)
 {
 	char *cp = strrchr (str, '/');
 
-	return cp ? cp + 1 : str;
+	return (NULL != cp) ? cp + 1 : str;
 }

libmisc/chowndir.c

@@ -78,6 +78,7 @@ int chown_tree (const char *root,
 	 */
 
 	if (access (root, F_OK) != 0) {
+		free (new_name);
 		return -1;
 	}
 
@@ -90,6 +91,7 @@ int chown_tree (const char *root,
 
 	dir = opendir (root);
 	if (NULL == dir) {
+		free (new_name);
 		return -1;
 	}
 
@@ -120,7 +122,7 @@ int chown_tree (const char *root,
 			new_name_len += 1024;
 		}
 
-		snprintf (new_name, new_name_len, "%s/%s", root, ent->d_name);
+		(void) snprintf (new_name, new_name_len, "%s/%s", root, ent->d_name);
 
 		/* Don't follow symbolic links! */
 		if (LSTAT (new_name, &sb) == -1) {

libmisc/chowntty.c

@@ -72,7 +72,7 @@ void chown_tty (const struct passwd *info)
 	 */
 
 	if (   (fchown (STDIN_FILENO, info->pw_uid, gid) != 0)
-	    || (fchmod (STDIN_FILENO, getdef_num ("TTYPERM", 0600)) != 0)) {
+	    || (fchmod (STDIN_FILENO, (mode_t)getdef_num ("TTYPERM", 0600)) != 0)) {
 		int err = errno;
 
 		fprintf (stderr,

libmisc/failure.c

@@ -273,12 +273,14 @@ void failprint (const struct faillog *fail)
 		lasttime++;
 	}
 #endif
+	/*@-formatconst@*/
 	(void) printf (ngettext ("%d failure since last login.\n"
 	                         "Last was %s on %s.\n",
 	                         "%d failures since last login.\n"
 	                         "Last was %s on %s.\n",
 	                         (unsigned long) fail->fail_cnt),
 	               fail->fail_cnt, lasttime, fail->fail_line);
+	/*@=formatconst@*/
 }
 
 /*

libmisc/find_new_gid.c

@@ -115,7 +115,7 @@ int find_new_gid (bool sys_group,
 			}
 		}
 
-		gr_rewind ();
+		(void) gr_rewind ();
 		while ((grp = gr_next ()) != NULL) {
 			if ((grp->gr_gid <= group_id) && (grp->gr_gid >= gid_min)) {
 				group_id = grp->gr_gid - 1;
@@ -139,7 +139,7 @@ int find_new_gid (bool sys_group,
 		}
 		endgrent ();
 
-		gr_rewind ();
+		(void) gr_rewind ();
 		while ((grp = gr_next ()) != NULL) {
 			if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) {
 				group_id = grp->gr_gid + 1;

libmisc/find_new_uid.c

@@ -115,7 +115,7 @@ int find_new_uid (bool sys_user,
 			}
 		}
 
-		pw_rewind ();
+		(void) pw_rewind ();
 		while ((pwd = pw_next ()) != NULL) {
 			if ((pwd->pw_uid <= user_id) && (pwd->pw_uid >= uid_min)) {
 				user_id = pwd->pw_uid - 1;
@@ -139,7 +139,7 @@ int find_new_uid (bool sys_user,
 		}
 		endpwent ();
 
-		pw_rewind ();
+		(void) pw_rewind ();
 		while ((pwd = pw_next ()) != NULL) {
 			if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) {
 				user_id = pwd->pw_uid + 1;

libmisc/getdate.h

@@ -35,5 +35,5 @@
 #include <config.h>
 #include "defines.h"
 
-time_t get_date (const char *, const time_t *);
+time_t get_date (const char *p, /*@null@*/const time_t *now);
 #endif

libmisc/getgr_nam_gid.c

@@ -44,7 +44,7 @@
  * The string may be a valid GID or a valid groupname.
  * If the group does not exist on the system, NULL is returned.
  */
-extern /*@null@*/struct group *getgr_nam_gid (const char *grname)
+extern /*@null@*/struct group *getgr_nam_gid (/*@null@*/const char *grname)
 {
 	long long int gid;
 	char *endptr;

libmisc/hushed.c

@@ -76,7 +76,7 @@ bool hushed (const char *username)
 	 */
 
 	if (hushfile[0] != '/') {
-		snprintf (buf, sizeof (buf), "%s/%s", pw->pw_dir, hushfile);
+		(void) snprintf (buf, sizeof (buf), "%s/%s", pw->pw_dir, hushfile);
 		return (access (buf, F_OK) == 0);
 	}
 

libmisc/limits.c

@@ -547,8 +547,7 @@ void setup_limits (const struct passwd *info)
 	if (getdef_bool ("QUOTAS_ENAB")) {
 #ifdef LIMITS
 		if (info->pw_uid != 0) {
-			if (setup_user_limits (info->pw_name) &
-			    LOGIN_ERROR_LOGIN) {
+			if ((setup_user_limits (info->pw_name) & LOGIN_ERROR_LOGIN) != 0) {
 				(void) fputs (_("Too many logins.\n"), stderr);
 				(void) sleep (2); /* XXX: Should be FAIL_DELAY */
 				exit (EXIT_FAILURE);

libmisc/loginprompt.c

@@ -98,7 +98,7 @@ void login_prompt (const char *prompt, char *name, int namesize)
 				(void) fclose (fp);
 			}
 		}
-		gethostname (buf, sizeof buf);
+		(void) gethostname (buf, sizeof buf);
 		printf (prompt, buf);
 		(void) fflush (stdout);
 	}

libmisc/obscure.c

@@ -69,7 +69,7 @@ static bool palindrome (unused const char *old, const char *new)
  * more than half of the characters are different ones.
  */
 
-static bool similar (const char *old, const char *new)
+static bool similar (/*@notnull@*/const char *old, /*@notnull@*/const char *new)
 {
 	int i, j;
 
@@ -100,7 +100,7 @@ static bool similar (const char *old, const char *new)
  * a nice mix of characters.
  */
 
-static int simple (unused const char *old, const char *new)
+static bool simple (unused const char *old, const char *new)
 {
 	bool digits = false;
 	bool uppers = false;
@@ -147,7 +147,7 @@ static int simple (unused const char *old, const char *new)
 	return true;
 }
 
-static char *str_lower (char *string)
+static char *str_lower (/*@returned@*/char *string)
 {
 	char *cp;
 
@@ -157,8 +157,10 @@ static char *str_lower (char *string)
 	return string;
 }
 
-static const char *password_check (const char *old, const char *new,
-				   const struct passwd *pwdp)
+static /*@observer@*//*@null@*/const char *password_check (
+	/*@notnull@*/const char *old,
+	/*@notnull@*/const char *new,
+	/*@notnull@*/const struct passwd *pwdp)
 {
 	const char *msg = NULL;
 	char *oldmono, *newmono, *wrapped;
@@ -219,9 +221,10 @@ static const char *password_check (const char *old, const char *new,
 	return msg;
 }
 
-/*ARGSUSED*/
-static const char *obscure_msg (const char *old, const char *new,
-				    const struct passwd *pwdp)
+static /*@observer@*//*@null@*/const char *obscure_msg (
+	/*@notnull@*/const char *old,
+	/*@notnull@*/const char *new,
+	/*@notnull@*/const struct passwd *pwdp)
 {
 	size_t maxlen, oldlen, newlen;
 	char *new1, *old1;

libmisc/salt.c

@@ -150,7 +150,7 @@ static /*@observer@*/const char *SHA_salt_rounds (/*@null@*/int *prefered_rounds
 		rounds = ROUNDS_MAX;
 	}
 
-	snprintf (rounds_prefix, 18, "rounds=%ld$", rounds);
+	(void) snprintf (rounds_prefix, 18, "rounds=%ld$", rounds);
 
 	/* Sanity checks. That should not be necessary. */
 	rounds_prefix[17] = '\0';

libmisc/setupenv.c

@@ -74,7 +74,7 @@ static void read_env_file (const char *filename)
 	if (NULL == fp) {
 		return;
 	}
-	while (fgets (buf, sizeof buf, fp) == buf) {
+	while (fgets (buf, (int)(sizeof buf), fp) == buf) {
 		cp = strrchr (buf, '\n');
 		if (NULL == cp) {
 			break;

libmisc/shell.c

@@ -68,7 +68,8 @@ int shell (const char *file, /*@null@*/const char *arg, char *const envp[])
 	 * don't want to tell us what it is themselves.
 	 */
 	if (arg == (char *) 0) {
-		snprintf (arg0, sizeof arg0, "-%s", Basename ((char *) file));
+		(void) snprintf (arg0, sizeof arg0, "-%s", Basename ((char *) file));
+		arg0[sizeof arg0 - 1] = '\0';
 		arg = arg0;
 	}
 
@@ -77,7 +78,7 @@ int shell (const char *file, /*@null@*/const char *arg, char *const envp[])
 	 * able to figure out what we are up to without too much
 	 * grief.
 	 */
-	execle (file, arg, (char *) 0, envp);
+	(void) execle (file, arg, (char *) 0, envp);
 	err = errno;
 
 	if (access (file, R_OK|X_OK) == 0) {
@@ -85,7 +86,7 @@ int shell (const char *file, /*@null@*/const char *arg, char *const envp[])
 		 * Assume this is a shell script (with no shebang).
 		 * Interpret it with /bin/sh
 		 */
-		execle (SHELL, "sh", "-", file, (char *)0, envp);
+		(void) execle (SHELL, "sh", "-", file, (char *)0, envp);
 		err = errno;
 	}
 
@@ -94,7 +95,7 @@ int shell (const char *file, /*@null@*/const char *arg, char *const envp[])
 	 * how to execute this stupid shell, so I might as well give
 	 * up in disgust ...
 	 */
-	snprintf (arg0, sizeof arg0, _("Cannot execute %s"), file);
+	(void) snprintf (arg0, sizeof arg0, _("Cannot execute %s"), file);
 	errno = err;
 	perror (arg0);
 	return err;

libmisc/sub.c

@@ -66,11 +66,13 @@ void subsystem (const struct passwd *pw)
 	 * must be able to change into it.
 	 */
 
-	if (chdir (pw->pw_dir) || chroot (pw->pw_dir)) {
-		printf (_("Can't change root directory to '%s'\n"),
-			pw->pw_dir);
+	if (   (chdir (pw->pw_dir) != 0)
+	    || (chroot (pw->pw_dir) != 0)) {
+		(void) printf (_("Can't change root directory to '%s'\n"),
+		               pw->pw_dir);
 		SYSLOG ((LOG_WARN, NO_SUBROOT2, pw->pw_dir, pw->pw_name));
 		closelog ();
 		exit (EXIT_FAILURE);
 	}
 }
+

libmisc/system.c

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2009       , Dan Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2010       , Nicolas François
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -38,8 +39,8 @@
 
 int safe_system (const char *command,
                  const char *argv[],
-                 const char *env[],
-                 int ignore_stderr)
+                 /*@null@*/const char *env[],
+                 bool ignore_stderr)
 {
 	int status = -1;
 	int fd;
@@ -50,7 +51,7 @@ int safe_system (const char *command,
 		return -1;
 	}
 
-	if (pid) {       /* Parent */
+	if (pid != 0) {       /* Parent */
 		if (waitpid (pid, &status, 0) > 0) {
 			return status;
 		} else {
@@ -60,13 +61,19 @@ int safe_system (const char *command,
 
 	fd = open ("/dev/null", O_RDWR);
 	/* Child */
-	dup2 (fd, 0);           /* Close Stdin */
+	/* Close Stdin */
+	if (dup2 (fd, 0) == -1) {
+		exit (EXIT_FAILURE);
+	}
 	if (ignore_stderr) {
-		dup2 (fd, 2);   /* Close Stderr */
+		/* Close Stderr */
+		if (dup2 (fd, 2) == -1) {
+			exit (EXIT_FAILURE);
+		}
 	}
 
-	execve (command, (char *const *) argv, (char *const *) env);
-	fprintf (stderr, _("Failed to exec '%s'\n"), argv[0]);
+	(void) execve (command, (char *const *) argv, (char *const *) env);
+	(void) fprintf (stderr, _("Failed to exec '%s'\n"), argv[0]);
 	exit (EXIT_FAILURE);
 }
 

libmisc/ttytype.c

@@ -47,8 +47,8 @@ void ttytype (const char *line)
 	char buf[BUFSIZ];
 	const char *typefile;
 	char *cp;
-	char type[BUFSIZ];
-	char port[BUFSIZ];
+	char type[1024] = "";
+	char port[1024];
 
 	if (getenv ("TERM") != NULL) {
 		return;
@@ -76,12 +76,12 @@ void ttytype (const char *line)
 			*cp = '\0';
 		}
 
-		if ((sscanf (buf, "%s %s", type, port) == 2) &&
-		    (strcmp (line, port) == 0)) {
+		if (   (sscanf (buf, "%1023s %1023s", type, port) == 2)
+		    && (strcmp (line, port) == 0)) {
 			break;
 		}
 	}
-	if ((feof (fp) == 0) && (ferror (fp) == 0)) {
+	if ((feof (fp) == 0) && (ferror (fp) == 0) && (type[0] != '\0')) {
 		addenv ("TERM", type);
 	}
 

libmisc/valid.c

@@ -52,7 +52,7 @@
 bool valid (const char *password, const struct passwd *ent)
 {
 	const char *encrypted;
-	const char *salt;
+	/*@observer@*/const char *salt;
 
 	/*
 	 * Start with blank or empty password entries.  Always encrypt

libmisc/xmalloc.c

@@ -47,19 +47,19 @@
 #include "defines.h"
 #include "prototypes.h"
 
-char *xmalloc (size_t size)
+/*@maynotreturn@*/ /*@only@*//*@out@*//*@notnull@*/char *xmalloc (size_t size)
 {
 	char *ptr;
 
 	ptr = (char *) malloc (size);
-	if ((NULL == ptr) && (0 != size)) {
-		fprintf (stderr, _("malloc(%d) failed\n"), (int) size);
+	if (NULL == ptr) {
+		(void) fprintf (stderr, _("malloc(%d) failed\n"), (int) size);
 		exit (13);
 	}
 	return ptr;
 }
 
-char *xstrdup (const char *str)
+/*@maynotreturn@*/ /*@only@*//*@notnull@*/char *xstrdup (const char *str)
 {
 	return strcpy (xmalloc (strlen (str) + 1), str);
 }