openssh-9.9p1-15.fc43

List of Findings

Error: SHELLCHECK_WARNING (CWE-758): [#def1]
/etc/profile.d/gnome-ssh-askpass.sh:1:1: error[SC2148]: Tips depend on target shell and yours is unknown. Add a shebang or a 'shell' directive.
#    1|-> SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
#    2|   export SSH_ASKPASS

Error: GCC_ANALYZER_WARNING: [#def2]
openssh-9.9p1/addr.c:239:9: warning[-Wanalyzer-overlapping-buffers]: overlapping buffers passed as arguments to ‘memcpy’
openssh-9.9p1/addr.c:361:1: enter_function: entry to ‘addr_host_to_all1s’
openssh-9.9p1/addr.c:365:13: call_function: calling ‘addr_hostmask’ from ‘addr_host_to_all1s’
openssh-9.9p1/addr.c:365:13: return_function: returning to ‘addr_host_to_all1s’ from ‘addr_hostmask’
openssh-9.9p1/addr.c:365:12: branch_false: following ‘false’ branch...
openssh-9.9p1/addr.c:367:13: branch_false: ...to here
openssh-9.9p1/addr.c:367:13: call_function: calling ‘addr_or’ from ‘addr_host_to_all1s’
#  237|   		return (-1);
#  238|   
#  239|-> 	memcpy(dst, a, sizeof(*dst));
#  240|   	switch (a->af) {
#  241|   	case AF_INET:

Error: GCC_ANALYZER_WARNING (CWE-476): [#def3]
openssh-9.9p1/auth-krb5.c:268:25: warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
openssh-9.9p1/auth-krb5.c:246:12: branch_true: following ‘true’ branch...
openssh-9.9p1/auth-krb5.c:247:30: branch_true: ...to here
openssh-9.9p1/auth-krb5.c:256:20: branch_false: following ‘false’ branch...
openssh-9.9p1/auth-krb5.c:259:23: branch_false: ...to here
openssh-9.9p1/auth-krb5.c:264:27: branch_true: following ‘true’ branch...
openssh-9.9p1/auth-krb5.c:266:25: branch_true: ...to here
openssh-9.9p1/auth-krb5.c:268:25: danger: dereference of NULL ‘strchr(&krb5_ccname, 58)’
#  266|   			strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
#  267|   			krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
#  268|-> 			*krb5_ccname_dir_start++ = '\0';
#  269|   			if (strcmp(krb5_ccname, "DIR") == 0) {
#  270|   

Error: GCC_ANALYZER_WARNING (CWE-476): [#def4]
openssh-9.9p1/auth-krb5.c:361:25: warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
openssh-9.9p1/auth-krb5.c:335:12: branch_false: following ‘false’ branch (when ‘template’ is non-NULL)...
openssh-9.9p1/auth-krb5.c:338:36: branch_false: ...to here
openssh-9.9p1/auth-krb5.c:341:16: branch_true: following ‘true’ branch (when ‘p_n’ is non-NULL)...
openssh-9.9p1/auth-krb5.c:343:18: branch_true: ...to here
openssh-9.9p1/auth-krb5.c:344:20: branch_false: following ‘false’ branch...
openssh-9.9p1/auth-krb5.c:347:21: branch_false: ...to here
openssh-9.9p1/auth-krb5.c:347:20: branch_false: following ‘false’ branch...
openssh-9.9p1/auth-krb5.c:354:25: branch_false: following ‘false’ branch...
openssh-9.9p1/auth-krb5.c:360:31: branch_false: ...to here
openssh-9.9p1/auth-krb5.c:361:25: danger: dereference of NULL ‘strchr(p_n, 125)’
#  359|   		} else {
#  360|   			p_o = strchr(p_n, '}') + 1;
#  361|-> 			*p_o = '\0';
#  362|   			debug_f("unsupported token %s in %s", p_n, template);
#  363|   			/* unknown token, fallback to the default */

Error: GCC_ANALYZER_WARNING (CWE-401): [#def5]
openssh-9.9p1/auth-pam.c:979:15: warning[-Wanalyzer-malloc-leak]: leak of ‘fake_password(*resp)’
openssh-9.9p1/auth-pam.c:990:1: enter_function: entry to ‘sshpam_respond’
openssh-9.9p1/auth-pam.c:1007:12: branch_false: following ‘false’ branch (when ‘num == 1’)...
openssh-9.9p1/auth-pam.c:1011:23: branch_false: ...to here
openssh-9.9p1/auth-pam.c:1011:12: branch_false: following ‘false’ branch...
openssh-9.9p1/auth-pam.c:1013:28: branch_false: ...to here
openssh-9.9p1/auth-pam.c:1019:24: call_function: calling ‘fake_password’ from ‘sshpam_respond’
openssh-9.9p1/auth-pam.c:1019:24: return_function: returning to ‘sshpam_respond’ from ‘fake_password’
openssh-9.9p1/auth-pam.c:979:15: danger: ‘fake_password(*resp)’ leaks here; was allocated at [(10)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/9)
#  977|   		fatal("%s: password length too long: %zu", __func__, l);
#  978|   
#  979|-> 	ret = malloc(l + 1);
#  980|   	if (ret == NULL)
#  981|   		return NULL;

Error: GCC_ANALYZER_WARNING (CWE-476): [#def6]
openssh-9.9p1/auth2-chall.c:328:17: warning[-Wanalyzer-null-dereference]: dereference of NULL ‘response’
openssh-9.9p1/auth2-chall.c:300:12: branch_false: following ‘false’ branch (when ‘authctxt’ is non-NULL)...
openssh-9.9p1/auth2-chall.c:302:9: branch_false: ...to here
openssh-9.9p1/auth2-chall.c:303:12: branch_false: following ‘false’ branch...
openssh-9.9p1/auth2-chall.c:305:12: branch_false: following ‘false’ branch...
openssh-9.9p1/auth2-chall.c:308:9: branch_false: ...to here
openssh-9.9p1/auth2-chall.c:309:12: branch_false: following ‘false’ branch...
openssh-9.9p1/auth2-chall.c:311:22: branch_false: ...to here
openssh-9.9p1/auth2-chall.c:311:12: branch_false: following ‘false’ branch...
openssh-9.9p1/auth2-chall.c:313:12: branch_false: ...to here
openssh-9.9p1/auth2-chall.c:313:12: branch_false: following ‘false’ branch...
openssh-9.9p1/auth2-chall.c:315:12: branch_false: ...to here
openssh-9.9p1/auth2-chall.c:315:12: branch_false: following ‘false’ branch...
openssh-9.9p1/auth2-chall.c:322:18: branch_false: ...to here
openssh-9.9p1/auth2-chall.c:322:12: branch_false: following ‘false’ branch...
openssh-9.9p1/auth2-chall.c:325:15: branch_false: ...to here
openssh-9.9p1/auth2-chall.c:327:21: branch_true: following ‘true’ branch...
openssh-9.9p1/auth2-chall.c:328:60: branch_true: ...to here
openssh-9.9p1/auth2-chall.c:328:60: release_memory: ‘response’ is NULL
openssh-9.9p1/auth2-chall.c:328:17: danger: dereference of NULL ‘response + (long unsigned int)i * 8’
#  326|   
#  327|   	for (i = 0; i < nresp; i++) {
#  328|-> 		explicit_bzero(response[i], strlen(response[i]));
#  329|   		free(response[i]);
#  330|   	}

Error: COMPILER_WARNING: [#def7]
openssh-9.9p1/chacha.c:51:31: warning[-Wunterminated-string-initialization]: initializer-string for array of ‘char’ truncates NUL terminator but destination lacks ‘nonstring’ attribute (17 chars into 16 available)
#   51 | static const char sigma[16] = "expand 32-byte k";
#      |                               ^~~~~~~~~~~~~~~~~~
#   49|     c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
#   50|   
#   51|-> static const char sigma[16] = "expand 32-byte k";
#   52|   static const char tau[16] = "expand 16-byte k";
#   53|   

Error: COMPILER_WARNING: [#def8]
openssh-9.9p1/chacha.c:52:29: warning[-Wunterminated-string-initialization]: initializer-string for array of ‘char’ truncates NUL terminator but destination lacks ‘nonstring’ attribute (17 chars into 16 available)
#   52 | static const char tau[16] = "expand 16-byte k";
#      |                             ^~~~~~~~~~~~~~~~~~
#   50|   
#   51|   static const char sigma[16] = "expand 32-byte k";
#   52|-> static const char tau[16] = "expand 16-byte k";
#   53|   
#   54|   void

Error: CPPCHECK_WARNING (CWE-457): [#def9]
openssh-9.9p1/channels.c:5081: warning[uninitvar]: Uninitialized variable: port
# 5079|   			break;
# 5080|   	}
# 5081|-> 	if (display_number >= x11_max_displays || port < X11_PORT_MIN ) {
# 5082|   		error("Failed to allocate internet-domain X11 display socket.");
# 5083|   		return -1;

Error: COMPILER_WARNING (CWE-195): [#def10]
openssh-9.9p1/channels.c: scope_hint: In function ‘connect_local_xsocket_path’
openssh-9.9p1/channels.c:5128:17: warning[-Wsign-compare]: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’
# 5128 |         if (len > sizeof addr.sun_path)
#      |                 ^
# 5126|   	memset(&addr, 0, sizeof(addr));
# 5127|   	addr.sun_family = AF_UNIX;
# 5128|-> 	if (len > sizeof addr.sun_path)
# 5129|   		len = sizeof addr.sun_path;
# 5130|   	memcpy(addr.sun_path, pathname, len);

Error: COMPILER_WARNING (CWE-563): [#def11]
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:136:21: warning[-Wunused-variable]: unused variable ‘failed’
#  136 |         const char *failed;
#      |                     ^~~~~~
#  134|   passphrase_dialog(char *message, int prompt_type)
#  135|   {
#  136|-> 	const char *failed;
#  137|   	char *passphrase, *local;
#  138|   	int result, grab_tries, grab_server, grab_pointer;

Error: COMPILER_WARNING (CWE-477): [#def12]
openssh-9.9p1/contrib/gnome-ssh-askpass3.c: scope_hint: In function ‘passphrase_dialog’
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:184:17: warning[-Wdeprecated-declarations]: ‘gtk_widget_modify_fg’ is deprecated: Use 'gtk_widget_override_color' instead
#  184 |                 gtk_widget_modify_fg(dialog, GTK_STATE_NORMAL, &fg);
#      |                 ^~~~~~~~~~~~~~~~~~~~
/usr/include/gtk-3.0/gtk/gtk.h:277: included_from: Included from here.
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:61: included_from: Included from here.
/usr/include/gtk-3.0/gtk/deprecated/gtkstyle.h:749:13: note: declared here
#  749 | void        gtk_widget_modify_fg          (GtkWidget            *widget,
#      |             ^~~~~~~~~~~~~~~~~~~~
#  182|   
#  183|   	if (fg_set)
#  184|-> 		gtk_widget_modify_fg(dialog, GTK_STATE_NORMAL, &fg);
#  185|   	if (bg_set)
#  186|   		gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);

Error: COMPILER_WARNING (CWE-477): [#def13]
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:184:17: warning[-Wdeprecated-declarations]: ‘gtk_widget_modify_fg’ is deprecated: Use 'gtk_widget_override_color' instead
#  182|   
#  183|   	if (fg_set)
#  184|-> 		gtk_widget_modify_fg(dialog, GTK_STATE_NORMAL, &fg);
#  185|   	if (bg_set)
#  186|   		gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);

Error: COMPILER_WARNING (CWE-477): [#def14]
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:186:17: warning[-Wdeprecated-declarations]: ‘gtk_widget_modify_bg’ is deprecated: Use 'gtk_widget_override_background_color' instead
#  186 |                 gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
#      |                 ^~~~~~~~~~~~~~~~~~~~
/usr/include/gtk-3.0/gtk/deprecated/gtkstyle.h:753:13: note: declared here
#  753 | void        gtk_widget_modify_bg          (GtkWidget            *widget,
#      |             ^~~~~~~~~~~~~~~~~~~~
#  184|   		gtk_widget_modify_fg(dialog, GTK_STATE_NORMAL, &fg);
#  185|   	if (bg_set)
#  186|-> 		gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
#  187|   
#  188|   	if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {

Error: COMPILER_WARNING (CWE-477): [#def15]
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:186:17: warning[-Wdeprecated-declarations]: ‘gtk_widget_modify_bg’ is deprecated: Use 'gtk_widget_override_background_color' instead
#  184|   		gtk_widget_modify_fg(dialog, GTK_STATE_NORMAL, &fg);
#  185|   	if (bg_set)
#  186|-> 		gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
#  187|   
#  188|   	if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {

Error: COMPILER_WARNING (CWE-477): [#def16]
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:191:25: warning[-Wdeprecated-declarations]: ‘gtk_widget_modify_fg’ is deprecated: Use 'gtk_widget_override_color' instead
#  191 |                         gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
#      |                         ^~~~~~~~~~~~~~~~~~~~
/usr/include/gtk-3.0/gtk/deprecated/gtkstyle.h:749:13: note: declared here
#  749 | void        gtk_widget_modify_fg          (GtkWidget            *widget,
#      |             ^~~~~~~~~~~~~~~~~~~~
#  189|   		entry = gtk_entry_new();
#  190|   		if (fg_set)
#  191|-> 			gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
#  192|   		if (bg_set)
#  193|   			gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);

Error: COMPILER_WARNING (CWE-477): [#def17]
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:191:25: warning[-Wdeprecated-declarations]: ‘gtk_widget_modify_fg’ is deprecated: Use 'gtk_widget_override_color' instead
#  189|   		entry = gtk_entry_new();
#  190|   		if (fg_set)
#  191|-> 			gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
#  192|   		if (bg_set)
#  193|   			gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);

Error: COMPILER_WARNING (CWE-477): [#def18]
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:193:25: warning[-Wdeprecated-declarations]: ‘gtk_widget_modify_bg’ is deprecated: Use 'gtk_widget_override_background_color' instead
#  193 |                         gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
#      |                         ^~~~~~~~~~~~~~~~~~~~
/usr/include/gtk-3.0/gtk/deprecated/gtkstyle.h:753:13: note: declared here
#  753 | void        gtk_widget_modify_bg          (GtkWidget            *widget,
#      |             ^~~~~~~~~~~~~~~~~~~~
#  191|   			gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
#  192|   		if (bg_set)
#  193|-> 			gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
#  194|   		gtk_box_pack_start(
#  195|   		    GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),

Error: COMPILER_WARNING (CWE-477): [#def19]
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:193:25: warning[-Wdeprecated-declarations]: ‘gtk_widget_modify_bg’ is deprecated: Use 'gtk_widget_override_background_color' instead
#  191|   			gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
#  192|   		if (bg_set)
#  193|-> 			gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
#  194|   		gtk_box_pack_start(
#  195|   		    GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),

Error: COMPILER_WARNING (CWE-457): [#def20]
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:243:39: warning[-Wmaybe-uninitialized]: ‘entry’ may be used uninitialized
#  243 |                 passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
#      |                                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
openssh-9.9p1/contrib/gnome-ssh-askpass3.c: scope_hint: In function ‘main’
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:140:45: note: ‘entry’ was declared here
#  140 |         GtkWidget *parent_window, *dialog, *entry, *err;
#      |                                             ^~~~~
#  241|   	/* Report passphrase if user selected OK */
#  242|   	if (prompt_type == PROMPT_ENTRY) {
#  243|-> 		passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
#  244|   		if (result == GTK_RESPONSE_OK) {
#  245|   			local = g_locale_from_utf8(passphrase,

Error: GCC_ANALYZER_WARNING (CWE-688): [#def21]
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:246:29: warning[-Wanalyzer-null-argument]: use of NULL where non-null expected
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:134:1: enter_function: entry to ‘passphrase_dialog’
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:188:12: branch_true: following ‘true’ branch...
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:189:25: branch_true: ...to here
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:242:12: branch_true: following ‘true’ branch (when ‘prompt_type == 0’)...
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:243:30: branch_true: ...to here
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:244:20: branch_true: following ‘true’ branch...
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:246:29: branch_true: ...to here
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:246:29: danger: argument 1 (‘<unknown>’) NULL where non-null expected
#argument 1 of ‘__builtin_strlen’ must be non-null
#  244|   		if (result == GTK_RESPONSE_OK) {
#  245|   			local = g_locale_from_utf8(passphrase,
#  246|-> 			    strlen(passphrase), NULL, NULL, NULL);
#  247|   			if (local != NULL) {
#  248|   				puts(local);

Error: GCC_ANALYZER_WARNING (CWE-688): [#def22]
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:256:17: warning[-Wanalyzer-null-argument]: use of NULL where non-null expected
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:134:1: enter_function: entry to ‘passphrase_dialog’
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:188:12: branch_true: following ‘true’ branch...
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:189:25: branch_true: ...to here
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:242:12: branch_true: following ‘true’ branch (when ‘prompt_type == 0’)...
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:243:30: branch_true: ...to here
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:244:20: branch_false: following ‘false’ branch...
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:256:17: branch_false: ...to here
openssh-9.9p1/contrib/gnome-ssh-askpass3.c:256:17: danger: argument 1 (‘<unknown>’) NULL where non-null expected
#argument 1 of ‘__builtin_strlen’ must be non-null
#  254|   		}
#  255|   		/* Zero passphrase in memory */
#  256|-> 		memset(passphrase, '\b', strlen(passphrase));
#  257|   		gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
#  258|   		memset(passphrase, '\0', strlen(passphrase));

Error: COMPILER_WARNING: [#def23]
openssh-9.9p1/gss-genr.c: scope_hint: In function ‘ssh_gssapi_kex_mechs’
openssh-9.9p1/gss-genr.c:172:30: warning[-Wstringop-truncation]: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length
#  172 |                         cp = strncpy(s, kex, strlen(kex));
#      |                              ^
openssh-9.9p1/gss-genr.c:172:46: note: length computed here
#  172 |                         cp = strncpy(s, kex, strlen(kex));
#      |                                              ^~~~~~~~~~~
#  170|   			    ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
#  171|   #pragma GCC diagnostic ignored "-Wstringop-overflow"
#  172|-> 			cp = strncpy(s, kex, strlen(kex));
#  173|   #pragma GCC diagnostic pop
#  174|   			for ((p = strsep(&cp, ",")); p && *p != '\0';

Error: GCC_ANALYZER_WARNING (CWE-457): [#def24]
openssh-9.9p1/kex.c:1304:47: warning[-Wanalyzer-use-of-uninitialized-value]: use of uninitialized value ‘keys[<unknown>]’
openssh-9.9p1/kex.c:1272:1: enter_function: entry to ‘kex_derive_keys’
openssh-9.9p1/kex.c:1288:19: branch_false: following ‘false’ branch...
 branch_false: ...to here
openssh-9.9p1/kex.c:1292:21: branch_true: following ‘true’ branch (when ‘i != 6’)...
openssh-9.9p1/kex.c:1293:26: branch_true: ...to here
openssh-9.9p1/kex.c:1293:26: call_function: calling ‘derive_key’ from ‘kex_derive_keys’
openssh-9.9p1/kex.c:1293:26: return_function: returning to ‘kex_derive_keys’ from ‘derive_key’
openssh-9.9p1/kex.c:1293:20: branch_false: following ‘false’ branch...
openssh-9.9p1/kex.c:1292:32: branch_false: ...to here
openssh-9.9p1/kex.c:1292:21: branch_false: following ‘false’ branch (when ‘i == 6’)...
 branch_false: ...to here
openssh-9.9p1/kex.c:1300:24: branch_true: following ‘true’ branch (when ‘mode != 2’)...
openssh-9.9p1/kex.c:1301:26: branch_true: ...to here
openssh-9.9p1/kex.c:1301:24: branch_true: following ‘true’ branch...
openssh-9.9p1/kex.c:1302:21: branch_true: ...to here
openssh-9.9p1/kex.c:1302:21: branch_true: following ‘true’ branch (when ‘mode == 0’)...
 branch_true: ...to here
openssh-9.9p1/kex.c:1304:52: branch_true: following ‘true’ branch...
openssh-9.9p1/kex.c:1304:17: branch_true: ...to here
openssh-9.9p1/kex.c:1304:47: danger: use of uninitialized value ‘keys[<unknown>]’ here
# 1302|   		    (kex->server && mode == MODE_IN);
# 1303|   		kex->newkeys[mode]->enc.iv  = keys[ctos ? 0 : 1];
# 1304|-> 		kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
# 1305|   		kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
# 1306|   	}

Error: GCC_ANALYZER_WARNING (CWE-457): [#def25]
openssh-9.9p1/kexecdh.c:273:9: warning[-Wanalyzer-use-of-uninitialized-value]: use of uninitialized value ‘publen’
#  271|   	BN_clear_free(shared_secret);
#  272|   	freezero(kbuf, klen);
#  273|-> 	freezero(pub, publen);
#  274|   	sshbuf_free(buf);
#  275|   	return r;

Error: COMPILER_WARNING (CWE-195): [#def26]
openssh-9.9p1/kexgssc.c: scope_hint: In function ‘input_kexgssgex_group’
openssh-9.9p1/kexgssc.c:618:28: warning[-Wsign-compare]: comparison of integer expressions of different signedness: ‘int’ and ‘u_int’ {aka ‘unsigned int’}
#  618 |         if (BN_num_bits(p) < kex->min || BN_num_bits(p) > kex->max)
#      |                            ^
#  616|   		fatal("shpkt_get_bignum2 failed: %s", ssh_err(r));
#  617|   
#  618|-> 	if (BN_num_bits(p) < kex->min || BN_num_bits(p) > kex->max)
#  619|   		fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
#  620|   		    kex->min, BN_num_bits(p), kex->max);

Error: COMPILER_WARNING (CWE-195): [#def27]
openssh-9.9p1/kexgssc.c:618:57: warning[-Wsign-compare]: comparison of integer expressions of different signedness: ‘int’ and ‘u_int’ {aka ‘unsigned int’}
#  618 |         if (BN_num_bits(p) < kex->min || BN_num_bits(p) > kex->max)
#      |                                                         ^
#  616|   		fatal("shpkt_get_bignum2 failed: %s", ssh_err(r));
#  617|   
#  618|-> 	if (BN_num_bits(p) < kex->min || BN_num_bits(p) > kex->max)
#  619|   		fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
#  620|   		    kex->min, BN_num_bits(p), kex->max);

Error: COMPILER_WARNING: [#def28]
openssh-9.9p1/log.c: scope_hint: In function ‘do_log’
openssh-9.9p1/log.c:402:53: warning[-Wformat-truncation=]: ‘: ’ directive output may be truncated writing 2 bytes into a region of size between 1 and 1024
#  402 |                 snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", msgbuf, suffix);
#      |                                                     ^~
/usr/include/bits/stdio2.h:68:10: note: ‘__snprintf_chk’ output 3 or more bytes (assuming 1026) into a destination of size 1024
#   68 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
#      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   69 |                                    __glibc_objsize (__s), __fmt,
#      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   70 |                                    __va_arg_pack ());
#      |                                    ~~~~~~~~~~~~~~~~~
#  400|   	}
#  401|   	if (suffix != NULL) {
#  402|-> 		snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", msgbuf, suffix);
#  403|   		strlcpy(msgbuf, fmtbuf, sizeof(msgbuf));
#  404|   	}

Error: COMPILER_WARNING: [#def29]
openssh-9.9p1/log.c: scope_hint: In function ‘do_log’
openssh-9.9p1/log.c:414:58: warning: ‘\r\n’ directive output may be truncated writing 2 bytes into a region of size between 1 and 1024 [-Wformat-truncation=]
#  414 |                 snprintf(msgbuf, sizeof msgbuf, "%s%s%.*s\r\n",
#      |                                                          ^~~~
/usr/include/bits/stdio2.h:68:10: note: ‘__snprintf_chk’ output between 3 and 1026 bytes into a destination of size 1024
#   68 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
#      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   69 |                                    __glibc_objsize (__s), __fmt,
#      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   70 |                                    __va_arg_pack ());
#      |                                    ~~~~~~~~~~~~~~~~~
#  412|   		log_handler = tmp_handler;
#  413|   	} else if (log_on_stderr) {
#  414|-> 		snprintf(msgbuf, sizeof msgbuf, "%s%s%.*s\r\n",
#  415|   		    (log_on_stderr > 1) ? progname : "",
#  416|   		    (log_on_stderr > 1) ? ": " : "",

Error: COMPILER_WARNING: [#def30]
openssh-9.9p1/misc.c: scope_hint: In function ‘fmt_timeframe’
openssh-9.9p1/misc.c:712:40: warning[-Wformat-truncation=]: ‘%02llu’ directive output may be truncated writing between 2 and 14 bytes into a region of size 9
#  712 |                 snprintf(buf, TF_LEN, "%02lluw%01ud%02uh", week, day, hrs);
#      |                                        ^~~~~~
openssh-9.9p1/misc.c:712:39: note: directive argument in the range [1, 30500568904943]
#  712 |                 snprintf(buf, TF_LEN, "%02lluw%01ud%02uh", week, day, hrs);
#      |                                       ^~~~~~~~~~~~~~~~~~~
openssh-9.9p1/misc.c:712:39: note: directive argument in the range [0, 6]
openssh-9.9p1/misc.c:712:39: note: directive argument in the range [0, 23]
/usr/include/bits/stdio2.h:68:10: note: ‘__snprintf_chk’ output between 9 and 21 bytes into a destination of size 9
#   68 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
#      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   69 |                                    __glibc_objsize (__s), __fmt,
#      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   70 |                                    __va_arg_pack ());
#      |                                    ~~~~~~~~~~~~~~~~~
#  710|   
#  711|   	if (week > 0)
#  712|-> 		snprintf(buf, TF_LEN, "%02lluw%01ud%02uh", week, day, hrs);
#  713|   	else if (day > 0)
#  714|   		snprintf(buf, TF_LEN, "%01ud%02uh%02um", day, hrs, min);

Error: GCC_ANALYZER_WARNING (CWE-775): [#def31]
openssh-9.9p1/misc.c:1551:28: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(open("/dev/null", 2), dupfd)’
openssh-9.9p1/misc.c:1543:12: branch_false: following ‘false’ branch...
 branch_false: ...to here
openssh-9.9p1/misc.c:1548:16: branch_true: following ‘true’ branch (when ‘dupfd <= 2’)...
openssh-9.9p1/misc.c:1550:21: branch_true: ...to here
openssh-9.9p1/misc.c:1550:20: branch_true: following ‘true’ branch...
openssh-9.9p1/misc.c:1551:29: acquire_resource: opened here
openssh-9.9p1/misc.c:1551:28: danger: ‘dup2(open("/dev/null", 2), dupfd)’ leaks here; was opened at [(7)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/6)
# 1549|   		/* Only populate closed fds. */
# 1550|   		if (fcntl(dupfd, F_GETFL) == -1 && errno == EBADF) {
# 1551|-> 			if (dup2(nullfd, dupfd) == -1) {
# 1552|   				fprintf(stderr, "dup2: %s\n", strerror(errno));
# 1553|   				exit(1);

Error: GCC_ANALYZER_WARNING (CWE-775): [#def32]
openssh-9.9p1/misc.c:1551:28: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘open("/dev/null", 2)’
openssh-9.9p1/misc.c:1543:31: acquire_resource: opened here
openssh-9.9p1/misc.c:1543:12: branch_false: following ‘false’ branch...
 branch_false: ...to here
openssh-9.9p1/misc.c:1548:16: branch_true: following ‘true’ branch (when ‘dupfd <= 2’)...
openssh-9.9p1/misc.c:1550:21: branch_true: ...to here
openssh-9.9p1/misc.c:1548:16: branch_true: following ‘true’ branch (when ‘dupfd <= 2’)...
openssh-9.9p1/misc.c:1550:21: branch_true: ...to here
openssh-9.9p1/misc.c:1551:28: danger: ‘open("/dev/null", 2)’ leaks here; was opened at [(1)](sarif:/runs/0/results/1/codeFlows/0/threadFlows/0/locations/0)
# 1549|   		/* Only populate closed fds. */
# 1550|   		if (fcntl(dupfd, F_GETFL) == -1 && errno == EBADF) {
# 1551|-> 			if (dup2(nullfd, dupfd) == -1) {
# 1552|   				fprintf(stderr, "dup2: %s\n", strerror(errno));
# 1553|   				exit(1);

Error: GCC_ANALYZER_WARNING (CWE-775): [#def33]
openssh-9.9p1/misc.c:1557:12: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘open("/dev/null", 2)’
openssh-9.9p1/misc.c:1543:31: acquire_resource: opened here
openssh-9.9p1/misc.c:1543:12: branch_false: following ‘false’ branch...
 branch_false: ...to here
openssh-9.9p1/misc.c:1548:16: branch_true: following ‘true’ branch (when ‘dupfd <= 2’)...
openssh-9.9p1/misc.c:1550:21: branch_true: ...to here
openssh-9.9p1/misc.c:1557:12: danger: ‘open("/dev/null", 2)’ leaks here; was opened at [(1)](sarif:/runs/0/results/2/codeFlows/0/threadFlows/0/locations/0)
# 1555|   		}
# 1556|   	}
# 1557|-> 	if (nullfd > STDERR_FILENO)
# 1558|   		close(nullfd);
# 1559|   	/* coverity[leaked_handle : FALSE]*/

Error: GCC_ANALYZER_WARNING (CWE-775): [#def34]
openssh-9.9p1/misc.c:1561:1: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dupfd’
openssh-9.9p1/misc.c:1543:31: acquire_resource: opened here
openssh-9.9p1/misc.c:1543:12: branch_false: following ‘false’ branch...
 branch_false: ...to here
openssh-9.9p1/misc.c:1548:16: branch_false: following ‘false’ branch (when ‘dupfd > 2’)...
openssh-9.9p1/misc.c:1557:12: branch_false: ...to here
openssh-9.9p1/misc.c:1557:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:1561:1: branch_false: ...to here
openssh-9.9p1/misc.c:1561:1: danger: ‘dupfd’ leaks here; was opened at [(1)](sarif:/runs/0/results/3/codeFlows/0/threadFlows/0/locations/0)
# 1559|   	/* coverity[leaked_handle : FALSE]*/
# 1560|   	/* coverity[leaked_handle : FALSE]*/
# 1561|-> }
# 1562|   
# 1563|   char *

Error: GCC_ANALYZER_WARNING (CWE-775): [#def35]
openssh-9.9p1/misc.c:2745:13: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(open("/dev/null", 2), 0)’
openssh-9.9p1/misc.c:2740:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2745:12: branch_false: ...to here
openssh-9.9p1/misc.c:2745:12: branch_true: following ‘true’ branch (when ‘do_stdin != 0’)...
openssh-9.9p1/misc.c:2745:26: branch_true: ...to here
openssh-9.9p1/misc.c:2745:26: acquire_resource: opened here
openssh-9.9p1/misc.c:2745:13: danger: ‘dup2(open("/dev/null", 2), 0)’ leaks here; was opened at [(5)](sarif:/runs/0/results/4/codeFlows/0/threadFlows/0/locations/4)
# 2743|   		return -1;
# 2744|   	}
# 2745|-> 	if ((do_stdin && dup2(devnull, STDIN_FILENO) == -1) ||
# 2746|   	    (do_stdout && dup2(devnull, STDOUT_FILENO) == -1) ||
# 2747|   	    (do_stderr && dup2(devnull, STDERR_FILENO) == -1)) {

Error: GCC_ANALYZER_WARNING (CWE-775): [#def36]
openssh-9.9p1/misc.c:2746:13: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(open("/dev/null", 2), 1)’
openssh-9.9p1/misc.c:2740:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2745:12: branch_false: ...to here
openssh-9.9p1/misc.c:2745:13: branch_true: following ‘true’ branch (when ‘do_stdout != 0’)...
openssh-9.9p1/misc.c:2746:27: branch_true: ...to here
openssh-9.9p1/misc.c:2746:27: acquire_resource: opened here
openssh-9.9p1/misc.c:2746:13: danger: ‘dup2(open("/dev/null", 2), 1)’ leaks here; was opened at [(5)](sarif:/runs/0/results/5/codeFlows/0/threadFlows/0/locations/4)
# 2744|   	}
# 2745|   	if ((do_stdin && dup2(devnull, STDIN_FILENO) == -1) ||
# 2746|-> 	    (do_stdout && dup2(devnull, STDOUT_FILENO) == -1) ||
# 2747|   	    (do_stderr && dup2(devnull, STDERR_FILENO) == -1)) {
# 2748|   		error_f("dup2: %s", strerror(errno));

Error: GCC_ANALYZER_WARNING (CWE-775): [#def37]
openssh-9.9p1/misc.c:2747:13: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(open("/dev/null", 2), 2)’
openssh-9.9p1/misc.c:2740:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2745:12: branch_false: ...to here
openssh-9.9p1/misc.c:2745:13: branch_true: following ‘true’ branch (when ‘do_stderr != 0’)...
openssh-9.9p1/misc.c:2747:27: branch_true: ...to here
openssh-9.9p1/misc.c:2747:27: acquire_resource: opened here
openssh-9.9p1/misc.c:2747:13: danger: ‘dup2(open("/dev/null", 2), 2)’ leaks here; was opened at [(5)](sarif:/runs/0/results/6/codeFlows/0/threadFlows/0/locations/4)
# 2745|   	if ((do_stdin && dup2(devnull, STDIN_FILENO) == -1) ||
# 2746|   	    (do_stdout && dup2(devnull, STDOUT_FILENO) == -1) ||
# 2747|-> 	    (do_stderr && dup2(devnull, STDERR_FILENO) == -1)) {
# 2748|   		error_f("dup2: %s", strerror(errno));
# 2749|   		ret = -1;

Error: GCC_ANALYZER_WARNING (CWE-775): [#def38]
openssh-9.9p1/misc.c:2751:12: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘open("/dev/null", 2)’
openssh-9.9p1/misc.c:2740:24: acquire_resource: opened here
openssh-9.9p1/misc.c:2740:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2745:12: branch_false: ...to here
openssh-9.9p1/misc.c:2751:12: danger: ‘open("/dev/null", 2)’ leaks here; was opened at [(1)](sarif:/runs/0/results/7/codeFlows/0/threadFlows/0/locations/0)
# 2749|   		ret = -1;
# 2750|   	}
# 2751|-> 	if (devnull > STDERR_FILENO)
# 2752|   		close(devnull);
# 2753|   	/* coverity[leaked_handle : FALSE]*/

Error: GCC_ANALYZER_WARNING (CWE-401): [#def39]
openssh-9.9p1/misc.c:2783:24: warning[-Wanalyzer-malloc-leak]: leak of ‘f’
openssh-9.9p1/misc.c:2801:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2810:14: branch_false: ...to here
openssh-9.9p1/misc.c:2810:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2814:12: branch_false: ...to here
openssh-9.9p1/misc.c:2816:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2821:13: branch_false: ...to here
openssh-9.9p1/misc.c:2827:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2834:12: branch_false: ...to here
openssh-9.9p1/misc.c:2922:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2924:23: branch_false: ...to here
openssh-9.9p1/misc.c:2924:23: acquire_memory: allocated here
openssh-9.9p1/misc.c:2924:17: branch_false: following ‘false’ branch (when ‘f’ is non-NULL)...
openssh-9.9p1/misc.c:2934:9: branch_false: ...to here
openssh-9.9p1/misc.c:2935:12: branch_false: following ‘false’ branch (when ‘child’ is NULL)...
 branch_false: ...to here
openssh-9.9p1/misc.c:2783:24: danger: ‘f’ leaks here; was allocated at [(14)](sarif:/runs/0/results/8/codeFlows/0/threadFlows/0/locations/13)
# 2781|   	if (drop_privs != NULL && (pw == NULL || restore_privs == NULL)) {
# 2782|   		error("%s: inconsistent arguments", tag); /* XXX fatal? */
# 2783|-> 		return 0;
# 2784|   	}
# 2785|   	if (pw == NULL && (pw = getpwuid(getuid())) == NULL) {

Error: GCC_ANALYZER_WARNING (CWE-775): [#def40]
openssh-9.9p1/misc.c:2864:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(open("/dev/null", 2), 0)’
openssh-9.9p1/misc.c:2767:1: enter_function: entry to ‘subprocess’
openssh-9.9p1/misc.c:2801:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2810:14: branch_false: ...to here
openssh-9.9p1/misc.c:2810:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2814:12: branch_false: ...to here
openssh-9.9p1/misc.c:2816:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2821:13: branch_false: ...to here
openssh-9.9p1/misc.c:2827:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2834:12: branch_false: ...to here
openssh-9.9p1/misc.c:2845:20: branch_false: following ‘false’ branch...
 branch_false: ...to here
openssh-9.9p1/misc.c:2856:29: branch_true: following ‘true’ branch (when ‘i != 65’)...
openssh-9.9p1/misc.c:2857:25: branch_true: ...to here
openssh-9.9p1/misc.c:2857:25: call_function: calling ‘ssh_signal’ from ‘subprocess’
openssh-9.9p1/misc.c:2857:25: return_function: returning to ‘subprocess’ from ‘ssh_signal’
openssh-9.9p1/misc.c:2859:20: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2864:21: branch_false: ...to here
openssh-9.9p1/misc.c:2864:21: acquire_resource: opened here
openssh-9.9p1/misc.c:2864:20: danger: ‘dup2(open("/dev/null", 2), 0)’ leaks here; was opened at [(24)](sarif:/runs/0/results/10/codeFlows/0/threadFlows/0/locations/23)
# 2862|   			_exit(1);
# 2863|   		}
# 2864|-> 		if (dup2(devnull, STDIN_FILENO) == -1) {
# 2865|   			error("%s: dup2: %s", tag, strerror(errno));
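# 2866|   			_exit(1);
# Triage note: in this and the following subprocess() findings (#def41-#def45) the "leaked" descriptor
# is either the result of dup2() onto a standard stream number or the /dev/null handle used to fill
# those streams, and the visible failure branches end in _exit(1). The excerpts do not show whether
# devnull and other descriptors above stderr are closed before the helper is executed; confirm that
# in the full function, because an inherited stray descriptor is the exposure that matters here.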

Error: GCC_ANALYZER_WARNING (CWE-775): [#def41]
openssh-9.9p1/misc.c:2864:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘open("/dev/null", 2)’
openssh-9.9p1/misc.c:2767:1: enter_function: entry to ‘subprocess’
openssh-9.9p1/misc.c:2801:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2810:14: branch_false: ...to here
openssh-9.9p1/misc.c:2810:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2814:12: branch_false: ...to here
openssh-9.9p1/misc.c:2816:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2821:13: branch_false: ...to here
openssh-9.9p1/misc.c:2827:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2834:12: branch_false: ...to here
openssh-9.9p1/misc.c:2845:20: branch_false: following ‘false’ branch...
 branch_false: ...to here
openssh-9.9p1/misc.c:2856:29: branch_true: following ‘true’ branch (when ‘i != 65’)...
openssh-9.9p1/misc.c:2857:25: branch_true: ...to here
openssh-9.9p1/misc.c:2857:25: call_function: calling ‘ssh_signal’ from ‘subprocess’
openssh-9.9p1/misc.c:2857:25: return_function: returning to ‘subprocess’ from ‘ssh_signal’
openssh-9.9p1/misc.c:2859:32: acquire_resource: opened here
openssh-9.9p1/misc.c:2859:20: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2864:21: branch_false: ...to here
openssh-9.9p1/misc.c:2864:20: danger: ‘open("/dev/null", 2)’ leaks here; was opened at [(22)](sarif:/runs/0/results/9/codeFlows/0/threadFlows/0/locations/21)
# 2862|   			_exit(1);
# 2863|   		}
# 2864|-> 		if (dup2(devnull, STDIN_FILENO) == -1) {
# 2865|   			error("%s: dup2: %s", tag, strerror(errno));
# 2866|   			_exit(1);

Error: GCC_ANALYZER_WARNING (CWE-775): [#def42]
openssh-9.9p1/misc.c:2871:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘open("/dev/null", 2)’
openssh-9.9p1/misc.c:2767:1: enter_function: entry to ‘subprocess’
openssh-9.9p1/misc.c:2801:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2810:14: branch_false: ...to here
openssh-9.9p1/misc.c:2810:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2814:12: branch_false: ...to here
openssh-9.9p1/misc.c:2816:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2821:13: branch_false: ...to here
openssh-9.9p1/misc.c:2827:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2834:12: branch_false: ...to here
openssh-9.9p1/misc.c:2845:20: branch_false: following ‘false’ branch...
 branch_false: ...to here
openssh-9.9p1/misc.c:2856:29: branch_true: following ‘true’ branch (when ‘i != 65’)...
openssh-9.9p1/misc.c:2857:25: branch_true: ...to here
openssh-9.9p1/misc.c:2857:25: call_function: calling ‘ssh_signal’ from ‘subprocess’
openssh-9.9p1/misc.c:2857:25: return_function: returning to ‘subprocess’ from ‘ssh_signal’
openssh-9.9p1/misc.c:2859:32: acquire_resource: opened here
openssh-9.9p1/misc.c:2859:20: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2864:21: branch_false: ...to here
openssh-9.9p1/misc.c:2864:20: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2871:20: branch_false: ...to here
openssh-9.9p1/misc.c:2871:20: danger: ‘open("/dev/null", 2)’ leaks here; was opened at [(22)](sarif:/runs/0/results/11/codeFlows/0/threadFlows/0/locations/21)
# 2869|   		/* Set up stdout as requested; leave stderr in place for now. */
# 2870|   		fd = -1;
# 2871|-> 		if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0)
# 2872|   			fd = p[1];
# 2873|   		else if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0)

Error: GCC_ANALYZER_WARNING (CWE-775): [#def43]
openssh-9.9p1/misc.c:2873:25: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘open("/dev/null", 2)’
openssh-9.9p1/misc.c:2767:1: enter_function: entry to ‘subprocess’
openssh-9.9p1/misc.c:2801:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2810:14: branch_false: ...to here
openssh-9.9p1/misc.c:2810:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2814:12: branch_false: ...to here
openssh-9.9p1/misc.c:2816:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2821:13: branch_false: ...to here
openssh-9.9p1/misc.c:2827:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2834:12: branch_false: ...to here
openssh-9.9p1/misc.c:2845:20: branch_false: following ‘false’ branch...
 branch_false: ...to here
openssh-9.9p1/misc.c:2856:29: branch_true: following ‘true’ branch (when ‘i != 65’)...
openssh-9.9p1/misc.c:2857:25: branch_true: ...to here
openssh-9.9p1/misc.c:2857:25: call_function: calling ‘ssh_signal’ from ‘subprocess’
openssh-9.9p1/misc.c:2857:25: return_function: returning to ‘subprocess’ from ‘ssh_signal’
openssh-9.9p1/misc.c:2859:32: acquire_resource: opened here
openssh-9.9p1/misc.c:2859:20: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2864:21: branch_false: ...to here
openssh-9.9p1/misc.c:2864:20: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2871:20: branch_false: ...to here
openssh-9.9p1/misc.c:2871:20: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2873:25: branch_false: ...to here
openssh-9.9p1/misc.c:2873:25: danger: ‘open("/dev/null", 2)’ leaks here; was opened at [(22)](sarif:/runs/0/results/12/codeFlows/0/threadFlows/0/locations/21)
# 2871|   		if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0)
# 2872|   			fd = p[1];
# 2873|-> 		else if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0)
# 2874|   			fd = devnull;
# 2875|   		if (fd != -1 && dup2(fd, STDOUT_FILENO) == -1) {

Error: GCC_ANALYZER_WARNING (CWE-775): [#def44]
openssh-9.9p1/misc.c:2875:21: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(fd, 1)’
openssh-9.9p1/misc.c:2767:1: enter_function: entry to ‘subprocess’
openssh-9.9p1/misc.c:2801:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2810:14: branch_false: ...to here
openssh-9.9p1/misc.c:2810:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2814:12: branch_false: ...to here
openssh-9.9p1/misc.c:2816:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2821:13: branch_false: ...to here
openssh-9.9p1/misc.c:2827:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2834:12: branch_false: ...to here
openssh-9.9p1/misc.c:2845:20: branch_false: following ‘false’ branch...
 branch_false: ...to here
openssh-9.9p1/misc.c:2856:29: branch_true: following ‘true’ branch (when ‘i != 65’)...
openssh-9.9p1/misc.c:2857:25: branch_true: ...to here
openssh-9.9p1/misc.c:2857:25: call_function: calling ‘ssh_signal’ from ‘subprocess’
openssh-9.9p1/misc.c:2857:25: return_function: returning to ‘subprocess’ from ‘ssh_signal’
openssh-9.9p1/misc.c:2859:20: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2864:21: branch_false: ...to here
openssh-9.9p1/misc.c:2864:20: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2871:20: branch_false: ...to here
openssh-9.9p1/misc.c:2871:20: branch_true: following ‘true’ branch...
openssh-9.9p1/misc.c:2872:25: branch_true: ...to here
openssh-9.9p1/misc.c:2875:20: branch_true: following ‘true’ branch (when ‘fd != -1’)...
openssh-9.9p1/misc.c:2875:33: branch_true: ...to here
openssh-9.9p1/misc.c:2875:33: acquire_resource: opened here
openssh-9.9p1/misc.c:2875:21: danger: ‘dup2(fd, 1)’ leaks here; was opened at [(30)](sarif:/runs/0/results/13/codeFlows/0/threadFlows/0/locations/29)
# 2873|   		else if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0)
# 2874|   			fd = devnull;
# 2875|-> 		if (fd != -1 && dup2(fd, STDOUT_FILENO) == -1) {
# 2876|   			error("%s: dup2: %s", tag, strerror(errno));
# 2877|   			_exit(1);

Error: GCC_ANALYZER_WARNING (CWE-775): [#def45]
openssh-9.9p1/misc.c:2898:21: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(0, 2)’
openssh-9.9p1/misc.c:2767:1: enter_function: entry to ‘subprocess’
openssh-9.9p1/misc.c:2796:13: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2801:14: branch_false: ...to here
openssh-9.9p1/misc.c:2801:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2810:14: branch_false: ...to here
openssh-9.9p1/misc.c:2810:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2814:12: branch_false: ...to here
openssh-9.9p1/misc.c:2816:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2821:13: branch_false: ...to here
openssh-9.9p1/misc.c:2827:12: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2834:12: branch_false: ...to here
openssh-9.9p1/misc.c:2845:20: branch_false: following ‘false’ branch...
 branch_false: ...to here
openssh-9.9p1/misc.c:2856:29: branch_true: following ‘true’ branch (when ‘i != 65’)...
openssh-9.9p1/misc.c:2857:25: branch_true: ...to here
openssh-9.9p1/misc.c:2857:25: call_function: calling ‘ssh_signal’ from ‘subprocess’
openssh-9.9p1/misc.c:2857:25: return_function: returning to ‘subprocess’ from ‘ssh_signal’
openssh-9.9p1/misc.c:2859:20: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2864:21: branch_false: ...to here
openssh-9.9p1/misc.c:2864:20: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2871:20: branch_false: ...to here
openssh-9.9p1/misc.c:2871:20: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2873:25: branch_false: ...to here
openssh-9.9p1/misc.c:2873:25: branch_true: following ‘true’ branch...
openssh-9.9p1/misc.c:2875:20: branch_true: ...to here
openssh-9.9p1/misc.c:2875:20: branch_true: following ‘true’ branch (when ‘fd != -1’)...
openssh-9.9p1/misc.c:2875:33: branch_true: ...to here
openssh-9.9p1/misc.c:2875:21: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2879:17: branch_false: ...to here
openssh-9.9p1/misc.c:2887:20: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2892:21: branch_false: ...to here
openssh-9.9p1/misc.c:2892:20: branch_false: following ‘false’ branch...
openssh-9.9p1/misc.c:2898:20: branch_false: ...to here
openssh-9.9p1/misc.c:2898:20: branch_true: following ‘true’ branch...
openssh-9.9p1/misc.c:2899:21: branch_true: ...to here
openssh-9.9p1/misc.c:2899:21: acquire_resource: opened here
openssh-9.9p1/misc.c:2898:21: danger: ‘dup2(0, 2)’ leaks here; was opened at [(42)](sarif:/runs/0/results/14/codeFlows/0/threadFlows/0/locations/41)
# 2896|   		}
# 2897|   		/* stdin is pointed to /dev/null at this point */
# 2898|-> 		if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 &&
# 2899|   		    dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
# 2900|   			error("%s: dup2: %s", tag, strerror(errno));

Error: COMPILER_WARNING (CWE-9001): [#def46]
openssh-9.9p1/ssh-keycat.c:57: included_from: Included from here.
openssh-9.9p1/misc.h:157:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  157 |     __attribute__((__bounded__( __minbytes__, 1, 8)));
#      |     ^~~~~~~~~~~~~
#  155|   /* Functions to extract or store big-endian words of various sizes */
#  156|   u_int64_t	get_u64(const void *)
#  157|->     __attribute__((__bounded__( __minbytes__, 1, 8)));
#  158|   u_int32_t	get_u32(const void *)
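#  159|       __attribute__((__bounded__( __minbytes__, 1, 4)));
# Triage note: __bounded__ is an OpenBSD compiler extension. This GCC build ignores it, so generated
# code is unchanged and only the compile-time buffer-length check the annotation requests is absent.
# 9001 is not an entry in the MITRE CWE list and appears to be a scanner-internal placeholder.
# #def46-#def61 repeat this one diagnostic per declaration and can be triaged together.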

Error: COMPILER_WARNING (CWE-9001): [#def47]
openssh-9.9p1/misc.h:157:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  155|   /* Functions to extract or store big-endian words of various sizes */
#  156|   u_int64_t	get_u64(const void *)
#  157|->     __attribute__((__bounded__( __minbytes__, 1, 8)));
#  158|   u_int32_t	get_u32(const void *)
#  159|       __attribute__((__bounded__( __minbytes__, 1, 4)));

Error: COMPILER_WARNING (CWE-9001): [#def48]
openssh-9.9p1/misc.h:159:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  159 |     __attribute__((__bounded__( __minbytes__, 1, 4)));
#      |     ^~~~~~~~~~~~~
#  157|       __attribute__((__bounded__( __minbytes__, 1, 8)));
#  158|   u_int32_t	get_u32(const void *)
#  159|->     __attribute__((__bounded__( __minbytes__, 1, 4)));
#  160|   u_int16_t	get_u16(const void *)
#  161|       __attribute__((__bounded__( __minbytes__, 1, 2)));

Error: COMPILER_WARNING (CWE-9001): [#def49]
openssh-9.9p1/misc.h:159:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  157|       __attribute__((__bounded__( __minbytes__, 1, 8)));
#  158|   u_int32_t	get_u32(const void *)
#  159|->     __attribute__((__bounded__( __minbytes__, 1, 4)));
#  160|   u_int16_t	get_u16(const void *)
#  161|       __attribute__((__bounded__( __minbytes__, 1, 2)));

Error: COMPILER_WARNING (CWE-9001): [#def50]
openssh-9.9p1/misc.h:161:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  161 |     __attribute__((__bounded__( __minbytes__, 1, 2)));
#      |     ^~~~~~~~~~~~~
#  159|       __attribute__((__bounded__( __minbytes__, 1, 4)));
#  160|   u_int16_t	get_u16(const void *)
#  161|->     __attribute__((__bounded__( __minbytes__, 1, 2)));
#  162|   void		put_u64(void *, u_int64_t)
#  163|       __attribute__((__bounded__( __minbytes__, 1, 8)));

Error: COMPILER_WARNING (CWE-9001): [#def51]
openssh-9.9p1/misc.h:161:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  159|       __attribute__((__bounded__( __minbytes__, 1, 4)));
#  160|   u_int16_t	get_u16(const void *)
#  161|->     __attribute__((__bounded__( __minbytes__, 1, 2)));
#  162|   void		put_u64(void *, u_int64_t)
#  163|       __attribute__((__bounded__( __minbytes__, 1, 8)));

Error: COMPILER_WARNING (CWE-9001): [#def52]
openssh-9.9p1/misc.h:163:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  163 |     __attribute__((__bounded__( __minbytes__, 1, 8)));
#      |     ^~~~~~~~~~~~~
#  161|       __attribute__((__bounded__( __minbytes__, 1, 2)));
#  162|   void		put_u64(void *, u_int64_t)
#  163|->     __attribute__((__bounded__( __minbytes__, 1, 8)));
#  164|   void		put_u32(void *, u_int32_t)
#  165|       __attribute__((__bounded__( __minbytes__, 1, 4)));

Error: COMPILER_WARNING (CWE-9001): [#def53]
openssh-9.9p1/misc.h:163:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  161|       __attribute__((__bounded__( __minbytes__, 1, 2)));
#  162|   void		put_u64(void *, u_int64_t)
#  163|->     __attribute__((__bounded__( __minbytes__, 1, 8)));
#  164|   void		put_u32(void *, u_int32_t)
#  165|       __attribute__((__bounded__( __minbytes__, 1, 4)));

Error: COMPILER_WARNING (CWE-9001): [#def54]
openssh-9.9p1/misc.h:165:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  165 |     __attribute__((__bounded__( __minbytes__, 1, 4)));
#      |     ^~~~~~~~~~~~~
#  163|       __attribute__((__bounded__( __minbytes__, 1, 8)));
#  164|   void		put_u32(void *, u_int32_t)
#  165|->     __attribute__((__bounded__( __minbytes__, 1, 4)));
#  166|   void		put_u16(void *, u_int16_t)
#  167|       __attribute__((__bounded__( __minbytes__, 1, 2)));

Error: COMPILER_WARNING (CWE-9001): [#def55]
openssh-9.9p1/misc.h:165:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  163|       __attribute__((__bounded__( __minbytes__, 1, 8)));
#  164|   void		put_u32(void *, u_int32_t)
#  165|->     __attribute__((__bounded__( __minbytes__, 1, 4)));
#  166|   void		put_u16(void *, u_int16_t)
#  167|       __attribute__((__bounded__( __minbytes__, 1, 2)));

Error: COMPILER_WARNING (CWE-9001): [#def56]
openssh-9.9p1/misc.h:167:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  167 |     __attribute__((__bounded__( __minbytes__, 1, 2)));
#      |     ^~~~~~~~~~~~~
#  165|       __attribute__((__bounded__( __minbytes__, 1, 4)));
#  166|   void		put_u16(void *, u_int16_t)
#  167|->     __attribute__((__bounded__( __minbytes__, 1, 2)));
#  168|   
#  169|   /* Little-endian store/load, used by umac.c */

Error: COMPILER_WARNING (CWE-9001): [#def57]
openssh-9.9p1/misc.h:167:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  165|       __attribute__((__bounded__( __minbytes__, 1, 4)));
#  166|   void		put_u16(void *, u_int16_t)
#  167|->     __attribute__((__bounded__( __minbytes__, 1, 2)));
#  168|   
#  169|   /* Little-endian store/load, used by umac.c */

Error: COMPILER_WARNING (CWE-9001): [#def58]
openssh-9.9p1/misc.h:171:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  171 |     __attribute__((__bounded__(__minbytes__, 1, 4)));
#      |     ^~~~~~~~~~~~~
#  169|   /* Little-endian store/load, used by umac.c */
#  170|   u_int32_t	get_u32_le(const void *)
#  171|->     __attribute__((__bounded__(__minbytes__, 1, 4)));
#  172|   void		put_u32_le(void *, u_int32_t)
#  173|       __attribute__((__bounded__(__minbytes__, 1, 4)));

Error: COMPILER_WARNING (CWE-9001): [#def59]
openssh-9.9p1/misc.h:171:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  169|   /* Little-endian store/load, used by umac.c */
#  170|   u_int32_t	get_u32_le(const void *)
#  171|->     __attribute__((__bounded__(__minbytes__, 1, 4)));
#  172|   void		put_u32_le(void *, u_int32_t)
#  173|       __attribute__((__bounded__(__minbytes__, 1, 4)));

Error: COMPILER_WARNING (CWE-9001): [#def60]
openssh-9.9p1/misc.h:173:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  173 |     __attribute__((__bounded__(__minbytes__, 1, 4)));
#      |     ^~~~~~~~~~~~~
#  171|       __attribute__((__bounded__(__minbytes__, 1, 4)));
#  172|   void		put_u32_le(void *, u_int32_t)
#  173|->     __attribute__((__bounded__(__minbytes__, 1, 4)));
#  174|   
#  175|   struct bwlimit {

Error: COMPILER_WARNING (CWE-9001): [#def61]
openssh-9.9p1/misc.h:173:5: warning[-Wattributes]: ‘bounded’ attribute directive ignored
#  171|       __attribute__((__bounded__(__minbytes__, 1, 4)));
#  172|   void		put_u32_le(void *, u_int32_t)
#  173|->     __attribute__((__bounded__(__minbytes__, 1, 4)));
#  174|   
#  175|   struct bwlimit {

Error: COMPILER_WARNING (CWE-704): [#def62]
openssh-9.9p1/monitor.c: scope_hint: In function ‘mm_answer_sign’
openssh-9.9p1/monitor.c:732:39: warning[-Wdiscarded-qualifiers]: assignment discards ‘const’ qualifier from pointer target type
#  732 |                         effective_alg = safe_rsa;
#      |                                       ^
#  730|   		if (ssh->compat & SSH_RH_RSASIGSHA && strcmp(alg, "ssh-rsa") == 0
#  731|   				&& (sshkey_type_plain(key->type) == KEY_RSA)) {
#  732|-> 			effective_alg = safe_rsa;
#  733|   		} else {
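#  734|   			effective_alg = alg;
# Triage note: the diagnostic implies safe_rsa is const-qualified and effective_alg is not (neither
# declaration is shown). If effective_alg is only read afterwards, declaring it `const char *` removes
# the warning; adding a cast instead would hide any later write through the pointer. #def62-#def65
# report the same assignment at lines 732 and 743.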

Error: COMPILER_WARNING (CWE-704): [#def63]
openssh-9.9p1/monitor.c:732:39: warning[-Wdiscarded-qualifiers]: assignment discards ‘const’ qualifier from pointer target type
#  730|   		if (ssh->compat & SSH_RH_RSASIGSHA && strcmp(alg, "ssh-rsa") == 0
#  731|   				&& (sshkey_type_plain(key->type) == KEY_RSA)) {
#  732|-> 			effective_alg = safe_rsa;
#  733|   		} else {
#  734|   			effective_alg = alg;

Error: COMPILER_WARNING (CWE-704): [#def64]
openssh-9.9p1/monitor.c:743:39: warning[-Wdiscarded-qualifiers]: assignment discards ‘const’ qualifier from pointer target type
#  743 |                         effective_alg = safe_rsa;
#      |                                       ^
#  741|   		if (ssh->compat & SSH_RH_RSASIGSHA && strcmp(alg, "ssh-rsa") == 0
#  742|   				&& (sshkey_type_plain(key->type) == KEY_RSA)) {
#  743|-> 			effective_alg = safe_rsa;
#  744|   		} else {
#  745|   			effective_alg = alg;

Error: COMPILER_WARNING (CWE-704): [#def65]
openssh-9.9p1/monitor.c:743:39: warning[-Wdiscarded-qualifiers]: assignment discards ‘const’ qualifier from pointer target type
#  741|   		if (ssh->compat & SSH_RH_RSASIGSHA && strcmp(alg, "ssh-rsa") == 0
#  742|   				&& (sshkey_type_plain(key->type) == KEY_RSA)) {
#  743|-> 			effective_alg = safe_rsa;
#  744|   		} else {
#  745|   			effective_alg = alg;

Error: COMPILER_WARNING (CWE-195): [#def66]
openssh-9.9p1/monitor.c: scope_hint: In function ‘mm_answer_keyverify’
openssh-9.9p1/monitor.c:1531:18: warning[-Wsign-compare]: comparison of integer expressions of different signedness: ‘int’ and ‘u_int’ {aka ‘unsigned int’}
# 1531 |         if (type != key_blobtype)
#      |                  ^~
# 1529|   	  !monitor_allowed_key(blob, bloblen))
# 1530|   		fatal_f("bad key, not previously allowed");
# 1531|-> 	if (type != key_blobtype)
# 1532|   		fatal_f("bad key type");
# 1533|   

Error: GCC_ANALYZER_WARNING (CWE-775): [#def67]
openssh-9.9p1/monitor.c:1701:12: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(*<unknown>.ttyfd, 0)’
openssh-9.9p1/monitor.c:1686:12: branch_false: following ‘false’ branch...
openssh-9.9p1/monitor.c:1688:9: branch_false: ...to here
openssh-9.9p1/monitor.c:1692:12: branch_false: following ‘false’ branch...
openssh-9.9p1/monitor.c:1694:30: branch_false: ...to here
openssh-9.9p1/monitor.c:1696:12: branch_false: following ‘false’ branch...
openssh-9.9p1/monitor.c:1697:18: branch_false: ...to here
openssh-9.9p1/monitor.c:1696:13: branch_false: following ‘false’ branch...
openssh-9.9p1/monitor.c:1701:13: branch_false: ...to here
openssh-9.9p1/monitor.c:1701:13: acquire_resource: opened here
openssh-9.9p1/monitor.c:1701:12: danger: ‘dup2(*<unknown>.ttyfd, 0)’ leaks here; was opened at [(9)](sarif:/runs/0/results/2/codeFlows/0/threadFlows/0/locations/8)
# 1699|   
# 1700|   	/* We need to trick ttyslot */
# 1701|-> 	if (dup2(s->ttyfd, 0) == -1)
# 1702|   		fatal_f("dup2");
# 1703|   

Error: GCC_ANALYZER_WARNING (CWE-775): [#def68]
openssh-9.9p1/monitor.c:1723:12: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘open("/dev/null", 0)’
openssh-9.9p1/monitor.c:1686:12: branch_false: following ‘false’ branch...
openssh-9.9p1/monitor.c:1688:9: branch_false: ...to here
openssh-9.9p1/monitor.c:1692:12: branch_false: following ‘false’ branch...
openssh-9.9p1/monitor.c:1694:30: branch_false: ...to here
openssh-9.9p1/monitor.c:1696:12: branch_false: following ‘false’ branch...
openssh-9.9p1/monitor.c:1697:18: branch_false: ...to here
openssh-9.9p1/monitor.c:1696:13: branch_false: following ‘false’ branch...
openssh-9.9p1/monitor.c:1701:13: branch_false: ...to here
openssh-9.9p1/monitor.c:1701:12: branch_false: following ‘false’ branch...
openssh-9.9p1/monitor.c:1704:41: branch_false: ...to here
openssh-9.9p1/monitor.c:1710:12: branch_false: following ‘false’ branch...
openssh-9.9p1/monitor.c:1712:9: branch_false: ...to here
openssh-9.9p1/monitor.c:1716:12: branch_false: following ‘false’ branch...
openssh-9.9p1/monitor.c:1717:13: branch_false: ...to here
openssh-9.9p1/monitor.c:1716:13: branch_false: following ‘false’ branch...
openssh-9.9p1/monitor.c:1721:20: branch_false: ...to here
openssh-9.9p1/monitor.c:1721:20: acquire_resource: opened here
openssh-9.9p1/monitor.c:1721:12: branch_false: following ‘false’ branch...
openssh-9.9p1/monitor.c:1723:12: branch_false: ...to here
openssh-9.9p1/monitor.c:1723:12: danger: ‘open("/dev/null", 0)’ leaks here; was opened at [(17)](sarif:/runs/0/results/3/codeFlows/0/threadFlows/0/locations/16)
# 1721|   	if ((fd0 = open(_PATH_DEVNULL, O_RDONLY)) == -1)
# 1722|   		fatal_f("open(/dev/null): %s", strerror(errno));
# 1723|-> 	if (fd0 != 0)
# 1724|   		error_f("fd0 %d != 0", fd0);
# 1725|   

Error: GCC_ANALYZER_WARNING (CWE-775): [#def69]
openssh-9.9p1/monitor_wrap.c:674:24: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘tmp1’
openssh-9.9p1/monitor_wrap.c:669:21: acquire_resource: opened here
openssh-9.9p1/monitor_wrap.c:669:12: branch_false: following ‘false’ branch (when ‘tmp1 != -1’)...
openssh-9.9p1/monitor_wrap.c:670:33: branch_false: ...to here
openssh-9.9p1/monitor_wrap.c:669:13: branch_true: following ‘true’ branch (when ‘tmp2 == -1’)...
openssh-9.9p1/monitor_wrap.c:671:17: branch_true: ...to here
openssh-9.9p1/monitor_wrap.c:672:20: branch_false: following ‘false’ branch (when ‘tmp1 < 0’)...
openssh-9.9p1/monitor_wrap.c:674:24: branch_false: ...to here
openssh-9.9p1/monitor_wrap.c:674:24: danger: ‘tmp1’ leaks here; was opened at [(1)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/0)
#  672|   		if (tmp1 >= 0)
#  673|   			close(tmp1);
#  674|-> 		return 0;
#  675|   	}
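#  676|   	close(tmp1);
# Triage note: the reported path requires tmp1 to be neither -1 (line 669) nor >= 0 (line 672), i.e.
# a negative value other than -1. If tmp1 comes from a call whose only failure value is -1, that path
# cannot occur and the close() at line 673 already covers the real failure case; verify the call at
# line 669 before waiving.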

Error: COMPILER_WARNING: [#def70]
openssh-9.9p1/openbsd-compat/bcrypt_pbkdf.c: scope_hint: In function ‘bcrypt_hash’
openssh-9.9p1/openbsd-compat/bcrypt_pbkdf.c:77:13: warning[-Wunterminated-string-initialization]: initializer-string for array of ‘unsigned char’ truncates NUL terminator but destination lacks ‘nonstring’ attribute (33 chars into 32 available)
#   77 |             "OxychromaticBlowfishSwatDynamite";
#      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   75|   	blf_ctx state;
#   76|   	uint8_t ciphertext[BCRYPT_HASHSIZE] =
#   77|-> 	    "OxychromaticBlowfishSwatDynamite";
#   78|   	uint32_t cdata[BCRYPT_WORDS];
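#   79|   	int i;
# Triage note: the warning text confirms the literal fills the 32-byte array exactly, with the NUL
# dropped. Nothing is written out of bounds; the array is only unsafe if it is later passed to a
# string function. As long as it is handled as raw bytes, marking it with the nonstring attribute
# named in the warning documents that and silences the diagnostic.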

Error: GCC_ANALYZER_WARNING (CWE-401): [#def71]
openssh-9.9p1/openbsd-compat/glob.c:835:17: warning[-Wanalyzer-malloc-leak]: leak of ‘pathv’
openssh-9.9p1/openbsd-compat/glob.c:810:12: branch_false: following ‘false’ branch...
openssh-9.9p1/openbsd-compat/glob.c:810:13: branch_false: following ‘false’ branch (when ‘newn <= 2305843009213693950’)...
openssh-9.9p1/openbsd-compat/glob.c:830:30: branch_false: ...to here
openssh-9.9p1/openbsd-compat/glob.c:830:17: acquire_memory: allocated here
openssh-9.9p1/openbsd-compat/glob.c:831:12: branch_false: following ‘false’ branch (when ‘pathv’ is non-NULL)...
openssh-9.9p1/openbsd-compat/glob.c:833:13: branch_false: ...to here
openssh-9.9p1/openbsd-compat/glob.c:833:12: branch_true: following ‘true’ branch...
openssh-9.9p1/openbsd-compat/glob.c:836:42: branch_true: following ‘true’ branch (when ‘i != 0’)...
openssh-9.9p1/openbsd-compat/glob.c:837:25: branch_true: ...to here
openssh-9.9p1/openbsd-compat/glob.c:843:20: branch_false: following ‘false’ branch (when ‘statv’ is non-NULL)...
openssh-9.9p1/openbsd-compat/glob.c:845:21: branch_false: ...to here
openssh-9.9p1/openbsd-compat/glob.c:835:17: danger: ‘pathv’ leaks here; was allocated at [(5)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/4)
#  833|   	if (pglob->gl_pathv == NULL && pglob->gl_offs > 0) {
#  834|   		/* first time around -- clear initial gl_offs items */
#  835|-> 		pathv += pglob->gl_offs;
#  836|   		for (i = pglob->gl_offs; i > 0; i--)
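#  837|   			*--pathv = NULL;
# Triage note: pathv is advanced by gl_offs and then stepped back the same number of times by this
# loop, so it ends at the start of the allocation; the analyzer appears to lose track of the block at
# the +=. #def72 reports the same pattern for statv. Likely false positives; confirm that the pointer
# is stored back into pglob after the loop (not shown in the excerpt).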

Error: GCC_ANALYZER_WARNING (CWE-401): [#def72]
openssh-9.9p1/openbsd-compat/glob.c:847:25: warning[-Wanalyzer-malloc-leak]: leak of ‘statv’
openssh-9.9p1/openbsd-compat/glob.c:810:12: branch_false: following ‘false’ branch...
openssh-9.9p1/openbsd-compat/glob.c:810:13: branch_false: following ‘false’ branch (when ‘newn <= 2305843009213693950’)...
openssh-9.9p1/openbsd-compat/glob.c:830:30: branch_false: ...to here
openssh-9.9p1/openbsd-compat/glob.c:831:12: branch_false: following ‘false’ branch (when ‘pathv’ is non-NULL)...
openssh-9.9p1/openbsd-compat/glob.c:833:13: branch_false: ...to here
openssh-9.9p1/openbsd-compat/glob.c:841:12: branch_true: following ‘true’ branch...
openssh-9.9p1/openbsd-compat/glob.c:842:38: branch_true: ...to here
openssh-9.9p1/openbsd-compat/glob.c:842:25: acquire_memory: allocated here
openssh-9.9p1/openbsd-compat/glob.c:843:20: branch_false: following ‘false’ branch (when ‘statv’ is non-NULL)...
openssh-9.9p1/openbsd-compat/glob.c:845:21: branch_false: ...to here
openssh-9.9p1/openbsd-compat/glob.c:845:20: branch_true: following ‘true’ branch...
openssh-9.9p1/openbsd-compat/glob.c:848:50: branch_true: following ‘true’ branch (when ‘i != 0’)...
openssh-9.9p1/openbsd-compat/glob.c:849:33: branch_true: ...to here
openssh-9.9p1/openbsd-compat/glob.c:852:20: branch_false: following ‘false’ branch (when ‘sb’ is non-NULL)...
openssh-9.9p1/openbsd-compat/glob.c:855:25: branch_false: ...to here
openssh-9.9p1/openbsd-compat/glob.c:856:28: branch_true: following ‘true’ branch...
openssh-9.9p1/openbsd-compat/glob.c:847:25: danger: ‘statv’ leaks here; was allocated at [(9)](sarif:/runs/0/results/1/codeFlows/0/threadFlows/0/locations/8)
#  845|   		if (pglob->gl_statv == NULL && pglob->gl_offs > 0) {
#  846|   			/* first time around -- clear initial gl_offs items */
#  847|-> 			statv += pglob->gl_offs;
#  848|   			for (i = pglob->gl_offs; i > 0; i--)
#  849|   				*--statv = NULL;

Error: COMPILER_WARNING (CWE-477): [#def73]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:68:1: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#   68 | sshd_selinux_send_audit_message(int success, security_context_t default_context,
#      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   66|   /* Send audit message */
#   67|   static int
#   68|-> sshd_selinux_send_audit_message(int success, security_context_t default_context,
#   69|   		       security_context_t selected_context)
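#   70|   {
# Triage note: libselinux deprecated the security_context_t typedef in favour of plain `char *`. The
# two are the same type, so replacing it in these signatures changes no behaviour and no access
# decision. The findings from #def73 onward in port-linux-sshd.c are this one deprecation repeated
# per use.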

Error: COMPILER_WARNING (CWE-477): [#def74]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:68:1: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#   66|   /* Send audit message */
#   67|   static int
#   68|-> sshd_selinux_send_audit_message(int success, security_context_t default_context,
#   69|   		       security_context_t selected_context)
#   70|   {

Error: COMPILER_WARNING (CWE-477): [#def75]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:69:24: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#   69 |                        security_context_t selected_context)
#      |                        ^~~~~~~~~~~~~~~~~~
#   67|   static int
#   68|   sshd_selinux_send_audit_message(int success, security_context_t default_context,
#   69|-> 		       security_context_t selected_context)
#   70|   {
#   71|   	int rc=0;

Error: COMPILER_WARNING (CWE-477): [#def76]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:69:24: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#   67|   static int
#   68|   sshd_selinux_send_audit_message(int success, security_context_t default_context,
#   69|-> 		       security_context_t selected_context)
#   70|   {
#   71|   	int rc=0;

Error: COMPILER_WARNING (CWE-477): [#def77]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:115:1: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  115 | mls_range_allowed(security_context_t src, security_context_t dst)
#      | ^~~~~~~~~~~~~~~~~
#  113|   
#  114|   static int
#  115|-> mls_range_allowed(security_context_t src, security_context_t dst)
#  116|   {
#  117|   	struct av_decision avd;

Error: COMPILER_WARNING (CWE-477): [#def78]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:115:1: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  113|   
#  114|   static int
#  115|-> mls_range_allowed(security_context_t src, security_context_t dst)
#  116|   {
#  117|   	struct av_decision avd;

Error: COMPILER_WARNING (CWE-477): [#def79]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:142:9: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  142 |         security_context_t *sc) {
#      |         ^~~~~~~~~~~~~~~~~~
#  140|   static int
#  141|   get_user_context(const char *sename, const char *role, const char *lvl,
#  142|-> 	security_context_t *sc) {
#  143|   #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
#  144|   	if (lvl == NULL || lvl[0] == '\0' || get_default_context_with_level(sename, lvl, NULL, sc) != 0) {

Error: COMPILER_WARNING (CWE-477): [#def80]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:142:9: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  140|   static int
#  141|   get_user_context(const char *sename, const char *role, const char *lvl,
#  142|-> 	security_context_t *sc) {
#  143|   #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
#  144|   	if (lvl == NULL || lvl[0] == '\0' || get_default_context_with_level(sename, lvl, NULL, sc) != 0) {

Error: COMPILER_WARNING (CWE-477): [#def81]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c: scope_hint: In function ‘get_user_context’
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:180:17: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  180 |                 security_context_t obtained_raw;
#      |                 ^~~~~~~~~~~~~~~~~~
#  178|   		/* verify that the requested range is obtained */
#  179|   		context_t con;
#  180|-> 		security_context_t obtained_raw;
#  181|   		security_context_t requested_raw;
#  182|   		con = context_new(*sc);

Error: COMPILER_WARNING (CWE-477): [#def82]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:180:17: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  178|   		/* verify that the requested range is obtained */
#  179|   		context_t con;
#  180|-> 		security_context_t obtained_raw;
#  181|   		security_context_t requested_raw;
#  182|   		con = context_new(*sc);

Error: COMPILER_WARNING (CWE-477): [#def83]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:181:17: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  181 |                 security_context_t requested_raw;
#      |                 ^~~~~~~~~~~~~~~~~~
#  179|   		context_t con;
#  180|   		security_context_t obtained_raw;
#  181|-> 		security_context_t requested_raw;
#  182|   		con = context_new(*sc);
#  183|   		if (!con) {

Error: COMPILER_WARNING (CWE-477): [#def84]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:181:17: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  179|   		context_t con;
#  180|   		security_context_t obtained_raw;
#  181|-> 		security_context_t requested_raw;
#  182|   		con = context_new(*sc);
#  183|   		if (!con) {

Error: COMPILER_WARNING (CWE-477): [#def85]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c: scope_hint: At top level
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:240:1: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  240 | sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
#      | ^~~~~~~~~~~~~~~~~~~~~~~~~
#  238|   /* Return the default security context for the given username */
#  239|   static int
#  240|-> sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
#  241|       security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
#  242|   {

Error: COMPILER_WARNING (CWE-477): [#def86]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:240:1: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  238|   /* Return the default security context for the given username */
#  239|   static int
#  240|-> sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
#  241|       security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
#  242|   {

Error: COMPILER_WARNING (CWE-477): [#def87]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:241:5: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  241 |     security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
#      |     ^~~~~~~~~~~~~~~~~~
#  239|   static int
#  240|   sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
#  241|->     security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
#  242|   {
#  243|   	char *sename, *lvl;

Error: COMPILER_WARNING (CWE-477): [#def88]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:241:5: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  239|   static int
#  240|   sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
#  241|->     security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
#  242|   {
#  243|   	char *sename, *lvl;

Error: COMPILER_WARNING (CWE-477): [#def89]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c: scope_hint: In function ‘sshd_selinux_getctxbyname’
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:272:25: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  272 |                         security_context_t sshdsc=NULL;
#      |                         ^~~~~~~~~~~~~~~~~~
#  270|   		/* If launched from xinetd, we must use current level */
#  271|   		if (inetd) {
#  272|-> 			security_context_t sshdsc=NULL;
#  273|   
#  274|   			if (getcon_raw(&sshdsc) < 0)

Error: COMPILER_WARNING (CWE-477): [#def90]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:272:25: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  270|   		/* If launched from xinetd, we must use current level */
#  271|   		if (inetd) {
#  272|-> 			security_context_t sshdsc=NULL;
#  273|   
#  274|   			if (getcon_raw(&sshdsc) < 0)

Error: COMPILER_WARNING (CWE-477): [#def91]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:293:33: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  293 |                                 security_context_t default_level_sc = *default_sc;
#      |                                 ^~~~~~~~~~~~~~~~~~
#  291|   
#  292|   			if (r == 0 && reqlvl != NULL && reqlvl[0]) {
#  293|-> 				security_context_t default_level_sc = *default_sc;
#  294|   				if (role != NULL && role[0]) {
#  295|   					if (get_user_context(sename, role, lvl, &default_level_sc) < 0)

Error: COMPILER_WARNING (CWE-477): [#def92]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:293:33: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  291|   
#  292|   			if (r == 0 && reqlvl != NULL && reqlvl[0]) {
#  293|-> 				security_context_t default_level_sc = *default_sc;
#  294|   				if (role != NULL && role[0]) {
#  295|   					if (get_user_context(sename, role, lvl, &default_level_sc) < 0)

Error: COMPILER_WARNING (CWE-477): [#def93]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c: scope_hint: In function ‘sshd_selinux_setup_exec_context’
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:386:9: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  386 |         security_context_t user_ctx = NULL;
#      |         ^~~~~~~~~~~~~~~~~~
#  384|       int(pam_setenv)(char *, const char *), void *the_authctxt, int use_pam)
#  385|   {
#  386|-> 	security_context_t user_ctx = NULL;
#  387|   	int r = 0;
#  388|   	security_context_t default_ctx = NULL;

Error: COMPILER_WARNING (CWE-477): [#def94]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:386:9: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  384|       int(pam_setenv)(char *, const char *), void *the_authctxt, int use_pam)
#  385|   {
#  386|-> 	security_context_t user_ctx = NULL;
#  387|   	int r = 0;
#  388|   	security_context_t default_ctx = NULL;

Error: COMPILER_WARNING (CWE-477): [#def95]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:388:9: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  388 |         security_context_t default_ctx = NULL;
#      |         ^~~~~~~~~~~~~~~~~~
#  386|   	security_context_t user_ctx = NULL;
#  387|   	int r = 0;
#  388|-> 	security_context_t default_ctx = NULL;
#  389|   	Authctxt *authctxt = (Authctxt *) the_authctxt;
#  390|   

Error: COMPILER_WARNING (CWE-477): [#def96]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:388:9: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  386|   	security_context_t user_ctx = NULL;
#  387|   	int r = 0;
#  388|-> 	security_context_t default_ctx = NULL;
#  389|   	Authctxt *authctxt = (Authctxt *) the_authctxt;
#  390|   

Error: COMPILER_WARNING (CWE-477): [#def97]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c: scope_hint: In function ‘sshd_selinux_copy_context’
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:461:9: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  461 |         if (getexeccon((security_context_t *)&ctx) != 0) {
#      |         ^~
#  459|   		return;
#  460|   
#  461|-> 	if (getexeccon((security_context_t *)&ctx) != 0) {
#  462|   		logit_f("getexeccon failed with %s", strerror(errno));
#  463|   		return;

Error: COMPILER_WARNING (CWE-477): [#def98]
openssh-9.9p1/openbsd-compat/port-linux-sshd.c:461:9: warning[-Wdeprecated-declarations]: ‘security_context_t’ is deprecated
#  459|   		return;
#  460|   
#  461|-> 	if (getexeccon((security_context_t *)&ctx) != 0) {
#  462|   		logit_f("getexeccon failed with %s", strerror(errno));
#  463|   		return;

Error: COMPILER_WARNING (CWE-1164): [#def99]
openssh-9.9p1/openbsd-compat/port-linux.c:68:1: warning[-Wunused-function]: ‘ssh_selinux_getctxbyname’ defined but not used
#   68 | ssh_selinux_getctxbyname(char *pwname)
#      | ^~~~~~~~~~~~~~~~~~~~~~~~
#   66|   /* Return the default security context for the given username */
#   67|   static char *
#   68|-> ssh_selinux_getctxbyname(char *pwname)
#   69|   {
#   70|   	char *sc = NULL, *sename = NULL, *lvl = NULL;

Error: GCC_ANALYZER_WARNING (CWE-775): [#def100]
openssh-9.9p1/openbsd-compat/readpassphrase.c:94:12: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘open("/dev/tty", 2)’
openssh-9.9p1/openbsd-compat/readpassphrase.c:64:12: branch_false: following ‘false’ branch (when ‘bufsiz != 0’)...
 branch_false: ...to here
openssh-9.9p1/openbsd-compat/readpassphrase.c:70:21: branch_true: following ‘true’ branch (when ‘i != 65’)...
openssh-9.9p1/openbsd-compat/readpassphrase.c:71:17: branch_true: ...to here
openssh-9.9p1/openbsd-compat/readpassphrase.c:79:12: branch_false: following ‘false’ branch...
openssh-9.9p1/openbsd-compat/readpassphrase.c:80:31: branch_false: ...to here
openssh-9.9p1/openbsd-compat/readpassphrase.c:80:31: acquire_resource: opened here
openssh-9.9p1/openbsd-compat/readpassphrase.c:79:13: branch_false: following ‘false’ branch...
openssh-9.9p1/openbsd-compat/readpassphrase.c:94:12: branch_false: ...to here
openssh-9.9p1/openbsd-compat/readpassphrase.c:94:12: danger: ‘open("/dev/tty", 2)’ leaks here; was opened at [(7)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/6)
#   92|   	 * generate SIGTTOU, so do it *before* installing the signal handlers.
#   93|   	 */
#   94|-> 	if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) {
#   95|   		memcpy(&term, &oterm, sizeof(term));
#   96|   		if (!(flags & RPP_ECHO_ON))

Error: COMPILER_WARNING: [#def101]
openssh-9.9p1/openbsd-compat/vis.c: scope_hint: In function ‘stravis’
openssh-9.9p1/openbsd-compat/vis.c:229:23: warning[-Wuse-after-free]: pointer ‘buf_15’ may be used after ‘realloc’
#  229 |                 *outp = buf;
#      |                 ~~~~~~^~~~~
openssh-9.9p1/openbsd-compat/vis.c:227:17: note: call to ‘realloc’ here
#  227 |         *outp = realloc(buf, len + 1);
#      |                 ^~~~~~~~~~~~~~~~~~~~~
#  227|   	*outp = realloc(buf, len + 1);
#  228|   	if (*outp == NULL) {
#  229|-> 		*outp = buf;
#  230|   		errno = serrno;
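#  231|   	}
# Reviewer note: the flagged assignment at vis.c:229 is reached only when realloc() returned NULL (line 228).
# On failure realloc() leaves the original allocation untouched, so `buf` is still valid there and this
# -Wuse-after-free report looks like a false positive.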

Error: GCC_ANALYZER_WARNING (CWE-476): [#def102]
openssh-9.9p1/readconf.c:808:25: warning[-Wanalyzer-null-dereference]: dereference of NULL ‘arg’
openssh-9.9p1/readconf.c:2545:1: enter_function: entry to ‘read_config_file_depth’
openssh-9.9p1/readconf.c:2550:15: release_memory: ‘line’ is NULL
openssh-9.9p1/readconf.c:2555:12: branch_false: following ‘false’ branch...
openssh-9.9p1/readconf.c:2558:18: branch_false: ...to here
openssh-9.9p1/readconf.c:2558:12: branch_false: following ‘false’ branch...
openssh-9.9p1/readconf.c:2561:13: branch_false: ...to here
openssh-9.9p1/readconf.c:2578:16: branch_true: following ‘true’ branch...
openssh-9.9p1/readconf.c:2580:17: branch_true: ...to here
openssh-9.9p1/readconf.c:2586:21: call_function: calling ‘process_config_line_depth’ from ‘read_config_file_depth’
#  806|   		    strprefix(attrib, "exec=", 1) != NULL) {
#  807|   			arg = strchr(attrib, '=');
#  808|-> 			*(arg++) = '\0';
#  809|   		} else {
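#  810|   			arg = argv_next(acp, avp);
# Reviewer note: strchr(attrib, '=') at line 807 runs only in the branch whose visible condition ends with a
# successful strprefix(attrib, "exec=", 1) match (line 806), and that prefix contains '='. If the other
# alternatives of the condition (not shown in this excerpt) are also "key=" prefixes, `arg` cannot be NULL
# at line 808; confirm against the full condition before dismissing the finding.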

Error: GCC_ANALYZER_WARNING (CWE-775): [#def103]
openssh-9.9p1/readconf.c:2561:13: warning[-Wanalyzer-file-leak]: leak of FILE ‘fopen(filename, "r")’
openssh-9.9p1/readconf.c:2555:12: branch_false: following ‘false’ branch...
openssh-9.9p1/readconf.c:2558:18: branch_false: ...to here
openssh-9.9p1/readconf.c:2558:18: acquire_resource: opened here
openssh-9.9p1/readconf.c:2558:12: branch_false: following ‘false’ branch...
openssh-9.9p1/readconf.c:2561:13: branch_false: ...to here
openssh-9.9p1/readconf.c:2561:12: branch_true: following ‘true’ branch...
openssh-9.9p1/readconf.c:2564:21: branch_true: ...to here
openssh-9.9p1/readconf.c:2561:13: danger: ‘fopen(filename, "r")’ leaks here; was opened at [(3)](sarif:/runs/0/results/1/codeFlows/0/threadFlows/0/locations/2)
# 2559|   		return 0;
# 2560|   
# 2561|-> 	if (flags & SSHCONF_CHECKPERM) {
# 2562|   		struct stat sb;
# 2563|   

Error: GCC_ANALYZER_WARNING (CWE-401): [#def104]
openssh-9.9p1/readconf.c:2561:13: warning[-Wanalyzer-malloc-leak]: leak of ‘fopen(filename, "r")’
openssh-9.9p1/readconf.c:2555:12: branch_false: following ‘false’ branch...
openssh-9.9p1/readconf.c:2558:18: branch_false: ...to here
openssh-9.9p1/readconf.c:2558:18: acquire_memory: allocated here
openssh-9.9p1/readconf.c:2558:12: branch_false: following ‘false’ branch...
openssh-9.9p1/readconf.c:2561:13: branch_false: ...to here
openssh-9.9p1/readconf.c:2561:12: branch_true: following ‘true’ branch...
openssh-9.9p1/readconf.c:2564:21: branch_true: ...to here
openssh-9.9p1/readconf.c:2561:13: danger: ‘fopen(filename, "r")’ leaks here; was allocated at [(3)](sarif:/runs/0/results/2/codeFlows/0/threadFlows/0/locations/2)
# 2559|   		return 0;
# 2560|   
# 2561|-> 	if (flags & SSHCONF_CHECKPERM) {
# 2562|   		struct stat sb;
# 2563|   

Error: GCC_ANALYZER_WARNING (CWE-775): [#def105]
openssh-9.9p1/readpass.c:76:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(p[1], 1)’
openssh-9.9p1/readpass.c:62:12: branch_false: following ‘false’ branch (when ‘askpass’ is non-NULL)...
openssh-9.9p1/readpass.c:64:13: branch_false: ...to here
openssh-9.9p1/readpass.c:64:12: branch_false: following ‘false’ branch...
openssh-9.9p1/readpass.c:68:20: branch_false: ...to here
openssh-9.9p1/readpass.c:69:12: branch_false: following ‘false’ branch (when ‘pid != -1’)...
openssh-9.9p1/readpass.c:74:12: branch_false: ...to here
openssh-9.9p1/readpass.c:74:12: branch_true: following ‘true’ branch (when ‘pid == 0’)...
openssh-9.9p1/readpass.c:75:17: branch_true: ...to here
openssh-9.9p1/readpass.c:76:21: acquire_resource: opened here
openssh-9.9p1/readpass.c:76:20: danger: ‘dup2(p[1], 1)’ leaks here; was opened at [(10)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/9)
#   74|   	if (pid == 0) {
#   75|   		close(p[0]);
#   76|-> 		if (dup2(p[1], STDOUT_FILENO) == -1)
#   77|   			fatal_f("dup2: %s", strerror(errno));
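#   78|   		if (env_hint != NULL)
# Reviewer note: the descriptor reported as leaked is the return value of dup2(p[1], STDOUT_FILENO) in the
# child branch (pid == 0), i.e. the child's standard output, which is meant to stay open. This is the usual
# analyzer noise for stdio redirection after fork, not descriptor exhaustion. A failed dup2() here goes to
# fatal_f(), so the error path is handled.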

Error: GCC_ANALYZER_WARNING (CWE-401): [#def106]
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:255:9: warning[-Wanalyzer-malloc-leak]: leak of ‘response’
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:243:12: branch_false: following ‘false’ branch (when ‘enroll_response’ is non-NULL)...
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:247:9: branch_false: ...to here
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:248:12: branch_false: following ‘false’ branch...
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:250:25: branch_false: ...to here
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:250:25: acquire_memory: allocated here
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:250:12: branch_false: following ‘false’ branch (when ‘response’ is non-NULL)...
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:254:9: branch_false: ...to here
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:255:9: danger: ‘response’ leaks here; was allocated at [(5)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/4)
#  253|   	}
#  254|   	response->flags = flags;
#  255|-> 	switch(alg) {
#  256|   	case SSH_SK_ECDSA:
#  257|   		if (pack_key_ecdsa(response) != 0)

Error: GCC_ANALYZER_WARNING (CWE-415): [#def107]
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:280:17: warning[-Wanalyzer-double-free]: double-‘free’ of ‘*response.public_key’
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:234:1: enter_function: entry to ‘sk_enroll’
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:243:12: branch_false: following ‘false’ branch (when ‘enroll_response’ is non-NULL)...
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:247:9: branch_false: ...to here
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:248:12: branch_false: following ‘false’ branch...
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:250:25: branch_false: ...to here
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:250:12: branch_false: following ‘false’ branch (when ‘response’ is non-NULL)...
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:254:9: branch_false: ...to here
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:261:21: call_function: calling ‘pack_key_ed25519’ from ‘sk_enroll’
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:261:21: return_function: returning to ‘sk_enroll’ from ‘pack_key_ed25519’
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:261:20: branch_true: following ‘true’ branch...
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:262:25: branch_true: ...to here
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:280:17: danger: second ‘free’ here; first ‘free’ was at [(18)](sarif:/runs/0/results/1/codeFlows/0/threadFlows/0/locations/17)
#  278|    out:
#  279|   	if (response != NULL) {
#  280|-> 		free(response->public_key);
#  281|   		free(response->key_handle);
#  282|   		free(response->signature);

Error: GCC_ANALYZER_WARNING (CWE-401): [#def108]
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:523:24: warning[-Wanalyzer-malloc-leak]: leak of ‘response’
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:492:12: branch_false: following ‘false’ branch (when ‘sign_response’ is non-NULL)...
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:496:9: branch_false: ...to here
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:497:12: branch_false: following ‘false’ branch...
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:499:25: branch_false: ...to here
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:499:25: acquire_memory: allocated here
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:499:12: branch_false: following ‘false’ branch (when ‘response’ is non-NULL)...
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:503:9: branch_false: ...to here
openssh-9.9p1/regress/misc/sk-dummy/sk-dummy.c:523:24: danger: ‘response’ leaks here; was allocated at [(5)](sarif:/runs/0/results/2/codeFlows/0/threadFlows/0/locations/4)
#  521|   	default:
#  522|   		skdebug(__func__, "unsupported key type %d", alg);
#  523|-> 		return -1;
#  524|   	}
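#  525|   	*sign_response = response;
# Reviewer note: `response` is allocated at line 499 and the `default:` branch returns at line 523 without
# releasing it, so the leak on an unsupported `alg` is real as reported. The file is under regress/ (the dummy
# security-key provider used by the regression tests), so the impact is limited to test runs. Freeing
# `response` before the `return -1`, or leaving through the function's cleanup path if it has one, would
# resolve it.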

Error: COMPILER_WARNING: [#def109]
openssh-9.9p1/scp.c: scope_hint: In function ‘rsource’
openssh-9.9p1/scp.c:1555:56: warning[-Wformat-truncation=]: ‘%s’ directive output may be truncated writing up to 255 bytes into a region of size between 2 and 4095
# 1555 |                 (void) snprintf(path, sizeof path, "%s/%s", name, dp->d_name);
#      |                                                        ^~
/usr/include/bits/stdio2.h:68:10: note: ‘__snprintf_chk’ output between 2 and 4350 bytes into a destination of size 4096
#   68 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
#      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   69 |                                    __glibc_objsize (__s), __fmt,
#      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   70 |                                    __va_arg_pack ());
#      |                                    ~~~~~~~~~~~~~~~~~
# 1553|   			continue;
# 1554|   		}
# 1555|-> 		(void) snprintf(path, sizeof path, "%s/%s", name, dp->d_name);
# 1556|   		vect[0] = path;
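# 1557|   		source(1, vect);
# Reviewer note: the snprintf() return value is discarded, so a truncated `path` would be passed to source()
# unnoticed. The `continue; }` at lines 1553-1554 is the tail of a preceding check that this excerpt does not
# show. If that check bounds the combined length of `name` and `dp->d_name`, truncation cannot occur; confirm
# this before closing the finding as a false positive.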

Error: GCC_ANALYZER_WARNING (CWE-775): [#def110]
openssh-9.9p1/session.c:489:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(pin[0], 0)’
openssh-9.9p1/session.c:2300:1: enter_function: entry to ‘session_input_channel_req’
openssh-9.9p1/session.c:2305:18: call_function: calling ‘session_by_channel’ from ‘session_input_channel_req’
openssh-9.9p1/session.c:2305:18: return_function: returning to ‘session_input_channel_req’ from ‘session_by_channel’
openssh-9.9p1/session.c:2305:12: branch_false: following ‘false’ branch...
openssh-9.9p1/session.c:2309:9: branch_false: ...to here
openssh-9.9p1/session.c:2315:12: branch_true: following ‘true’ branch...
openssh-9.9p1/session.c:2316:21: branch_true: ...to here
openssh-9.9p1/session.c:2316:20: branch_true: following ‘true’ branch (when the strings are equal)...
openssh-9.9p1/session.c:2317:35: branch_true: ...to here
openssh-9.9p1/session.c:2317:35: call_function: calling ‘session_shell_req’ from ‘session_input_channel_req’
#  487|   		 */
#  488|   		close(pin[1]);
#  489|-> 		if (dup2(pin[0], 0) == -1)
#  490|   			perror("dup2 stdin");
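#  491|   		close(pin[0]);
# Reviewer note: the "leaked" descriptor is the result of dup2(pin[0], 0), i.e. the new stdin, so the fd-leak
# report itself is most likely noise. The excerpt does show that a failed dup2() is only reported with perror()
# and execution continues with stdin not redirected. #def111 and #def112 show the same handling, and
# #def113-#def115 log with error() and also continue. Whether the code that follows tolerates an unredirected
# stream is not visible here and is the part worth reviewing.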

Error: GCC_ANALYZER_WARNING (CWE-775): [#def111]
openssh-9.9p1/session.c:495:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(pout[1], 1)’
openssh-9.9p1/session.c:2300:1: enter_function: entry to ‘session_input_channel_req’
openssh-9.9p1/session.c:2305:18: call_function: calling ‘session_by_channel’ from ‘session_input_channel_req’
openssh-9.9p1/session.c:2305:18: return_function: returning to ‘session_input_channel_req’ from ‘session_by_channel’
openssh-9.9p1/session.c:2305:12: branch_false: following ‘false’ branch...
openssh-9.9p1/session.c:2309:9: branch_false: ...to here
openssh-9.9p1/session.c:2315:12: branch_true: following ‘true’ branch...
openssh-9.9p1/session.c:2316:21: branch_true: ...to here
openssh-9.9p1/session.c:2316:20: branch_true: following ‘true’ branch (when the strings are equal)...
openssh-9.9p1/session.c:2317:35: branch_true: ...to here
openssh-9.9p1/session.c:2317:35: call_function: calling ‘session_shell_req’ from ‘session_input_channel_req’
#  493|   		/* Redirect stdout. */
#  494|   		close(pout[0]);
#  495|-> 		if (dup2(pout[1], 1) == -1)
#  496|   			perror("dup2 stdout");
#  497|   		close(pout[1]);

Error: GCC_ANALYZER_WARNING (CWE-775): [#def112]
openssh-9.9p1/session.c:501:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(perr[1], 2)’
openssh-9.9p1/session.c:2300:1: enter_function: entry to ‘session_input_channel_req’
openssh-9.9p1/session.c:2305:18: call_function: calling ‘session_by_channel’ from ‘session_input_channel_req’
openssh-9.9p1/session.c:2305:18: return_function: returning to ‘session_input_channel_req’ from ‘session_by_channel’
openssh-9.9p1/session.c:2305:12: branch_false: following ‘false’ branch...
openssh-9.9p1/session.c:2309:9: branch_false: ...to here
openssh-9.9p1/session.c:2315:12: branch_true: following ‘true’ branch...
openssh-9.9p1/session.c:2316:21: branch_true: ...to here
openssh-9.9p1/session.c:2316:20: branch_true: following ‘true’ branch (when the strings are equal)...
openssh-9.9p1/session.c:2317:35: branch_true: ...to here
openssh-9.9p1/session.c:2317:35: call_function: calling ‘session_shell_req’ from ‘session_input_channel_req’
#  499|   		/* Redirect stderr. */
#  500|   		close(perr[0]);
#  501|-> 		if (dup2(perr[1], 2) == -1)
#  502|   			perror("dup2 stderr");
#  503|   		close(perr[1]);

Error: GCC_ANALYZER_WARNING (CWE-775): [#def113]
openssh-9.9p1/session.c:631:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(ttyfd, 0)’
openssh-9.9p1/session.c:2300:1: enter_function: entry to ‘session_input_channel_req’
openssh-9.9p1/session.c:2305:18: call_function: calling ‘session_by_channel’ from ‘session_input_channel_req’
openssh-9.9p1/session.c:2305:18: return_function: returning to ‘session_input_channel_req’ from ‘session_by_channel’
openssh-9.9p1/session.c:2305:12: branch_false: following ‘false’ branch...
openssh-9.9p1/session.c:2309:9: branch_false: ...to here
openssh-9.9p1/session.c:2315:12: branch_true: following ‘true’ branch...
openssh-9.9p1/session.c:2316:21: branch_true: ...to here
openssh-9.9p1/session.c:2316:20: branch_true: following ‘true’ branch (when the strings are equal)...
openssh-9.9p1/session.c:2317:35: branch_true: ...to here
openssh-9.9p1/session.c:2317:35: call_function: calling ‘session_shell_req’ from ‘session_input_channel_req’
#  629|   
#  630|   		/* Redirect stdin/stdout/stderr from the pseudo tty. */
#  631|-> 		if (dup2(ttyfd, 0) == -1)
#  632|   			error("dup2 stdin: %s", strerror(errno));
#  633|   		if (dup2(ttyfd, 1) == -1)

Error: GCC_ANALYZER_WARNING (CWE-775): [#def114]
openssh-9.9p1/session.c:633:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(ttyfd, 1)’
openssh-9.9p1/session.c:2300:1: enter_function: entry to ‘session_input_channel_req’
openssh-9.9p1/session.c:2305:18: call_function: calling ‘session_by_channel’ from ‘session_input_channel_req’
openssh-9.9p1/session.c:2305:18: return_function: returning to ‘session_input_channel_req’ from ‘session_by_channel’
openssh-9.9p1/session.c:2305:12: branch_false: following ‘false’ branch...
openssh-9.9p1/session.c:2309:9: branch_false: ...to here
openssh-9.9p1/session.c:2315:12: branch_true: following ‘true’ branch...
openssh-9.9p1/session.c:2316:21: branch_true: ...to here
openssh-9.9p1/session.c:2316:20: branch_true: following ‘true’ branch (when the strings are equal)...
openssh-9.9p1/session.c:2317:35: branch_true: ...to here
openssh-9.9p1/session.c:2317:35: call_function: calling ‘session_shell_req’ from ‘session_input_channel_req’
#  631|   		if (dup2(ttyfd, 0) == -1)
#  632|   			error("dup2 stdin: %s", strerror(errno));
#  633|-> 		if (dup2(ttyfd, 1) == -1)
#  634|   			error("dup2 stdout: %s", strerror(errno));
#  635|   		if (dup2(ttyfd, 2) == -1)

Error: GCC_ANALYZER_WARNING (CWE-775): [#def115]
openssh-9.9p1/session.c:635:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(ttyfd, 2)’
openssh-9.9p1/session.c:2300:1: enter_function: entry to ‘session_input_channel_req’
openssh-9.9p1/session.c:2305:18: call_function: calling ‘session_by_channel’ from ‘session_input_channel_req’
openssh-9.9p1/session.c:2305:18: return_function: returning to ‘session_input_channel_req’ from ‘session_by_channel’
openssh-9.9p1/session.c:2305:12: branch_false: following ‘false’ branch...
openssh-9.9p1/session.c:2309:9: branch_false: ...to here
openssh-9.9p1/session.c:2315:12: branch_true: following ‘true’ branch...
openssh-9.9p1/session.c:2316:21: branch_true: ...to here
openssh-9.9p1/session.c:2316:20: branch_true: following ‘true’ branch (when the strings are equal)...
openssh-9.9p1/session.c:2317:35: branch_true: ...to here
openssh-9.9p1/session.c:2317:35: call_function: calling ‘session_shell_req’ from ‘session_input_channel_req’
#  633|   		if (dup2(ttyfd, 1) == -1)
#  634|   			error("dup2 stdout: %s", strerror(errno));
#  635|-> 		if (dup2(ttyfd, 2) == -1)
#  636|   			error("dup2 stderr: %s", strerror(errno));
#  637|   

Error: GCC_ANALYZER_WARNING (CWE-401): [#def116]
openssh-9.9p1/sftp-glob.c:155:24: warning[-Wanalyzer-malloc-leak]: leak of ‘s’
openssh-9.9p1/sftp-glob.c:137:1: enter_function: entry to ‘sftp_glob’
openssh-9.9p1/sftp-glob.c:154:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp-glob.c:167:13: branch_false: ...to here
openssh-9.9p1/sftp-glob.c:167:12: branch_true: following ‘true’ branch...
openssh-9.9p1/sftp-glob.c:168:13: branch_true: ...to here
openssh-9.9p1/sftp-glob.c:167:13: branch_true: following ‘true’ branch...
openssh-9.9p1/sftp-glob.c:168:38: branch_true: ...to here
openssh-9.9p1/sftp-glob.c:167:13: branch_true: following ‘true’ branch...
openssh-9.9p1/sftp-glob.c:169:13: branch_true: ...to here
openssh-9.9p1/sftp-glob.c:167:13: branch_true: following ‘true’ branch...
openssh-9.9p1/sftp-glob.c:169:42: branch_true: ...to here
openssh-9.9p1/sftp-glob.c:167:13: branch_true: following ‘true’ branch (when ‘s’ is non-NULL)...
openssh-9.9p1/sftp-glob.c:170:18: branch_true: ...to here
openssh-9.9p1/sftp-glob.c:167:13: branch_true: following ‘true’ branch (when ‘l != 0’)...
openssh-9.9p1/sftp-glob.c:170:37: branch_true: ...to here
openssh-9.9p1/sftp-glob.c:167:13: branch_true: following ‘true’ branch...
openssh-9.9p1/sftp-glob.c:171:21: branch_true: ...to here
openssh-9.9p1/sftp-glob.c:171:21: call_function: calling ‘fudge_stat’ from ‘sftp_glob’
openssh-9.9p1/sftp-glob.c:171:21: return_function: returning to ‘sftp_glob’ from ‘fudge_stat’
openssh-9.9p1/sftp-glob.c:171:20: branch_true: following ‘true’ branch...
openssh-9.9p1/sftp-glob.c:173:28: branch_true: following ‘true’ branch (when ‘s’ is non-NULL)...
openssh-9.9p1/sftp-glob.c:174:40: branch_true: ...to here
openssh-9.9p1/sftp-glob.c:155:24: danger: ‘s’ leaks here; was allocated at [(25)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/24)
#  153|   
#  154|   	if ((r = glob(pattern, flags | GLOB_ALTDIRFUNC, errfunc, pglob)) != 0)
#  155|-> 		return r;
#  156|   	/*
#  157|   	 * When both GLOB_NOCHECK and GLOB_MARK are active, a single gl_pathv

Error: CPPCHECK_WARNING (CWE-401): [#def117]
openssh-9.9p1/sftp-glob.c:173: error[memleakOnRealloc]: Common realloc mistake: 's' nulled but not freed upon failure
#  171|   		if (fudge_stat(s, &sb) == 0 && S_ISDIR(sb.st_mode)) {
#  172|   			/* NOCHECK on a directory; annotate */
#  173|-> 			if ((s = realloc(s, l + 2)) != NULL) {
#  174|   				memcpy(s + l, "/", 2);
#  175|   				pglob->gl_pathv[0] = s;

Error: CPPCHECK_WARNING (CWE-401): [#def118]
openssh-9.9p1/sftp-server.c:833: error[memleakOnRealloc]: Common realloc mistake: 'buf' nulled but not freed upon failure
#  831|   	if (len > buflen) {
#  832|   		debug3_f("allocate %zu => %u", buflen, len);
#  833|-> 		if ((buf = realloc(buf, len)) == NULL)
#  834|   			fatal_f("realloc failed");
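#  835|   		buflen = len;
# Reviewer note: on realloc() failure this branch calls fatal_f(), which terminates the process in OpenSSH, so
# the overwritten `buf` pointer is never needed again. The cppcheck pattern match is accurate, but the finding
# has no practical leak and is low priority.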

Error: GCC_ANALYZER_WARNING (CWE-688): [#def119]
openssh-9.9p1/sftp.c:1497:27: warning[-Wanalyzer-null-argument]: use of NULL where non-null expected
openssh-9.9p1/sftp.c:2438:1: enter_function: entry to ‘main’
openssh-9.9p1/sftp.c:2602:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2605:12: branch_false: ...to here
openssh-9.9p1/sftp.c:2610:12: branch_true: following ‘true’ branch (when ‘sftp_direct’ is NULL)...
openssh-9.9p1/sftp.c:2611:21: branch_true: ...to here
openssh-9.9p1/sftp.c:2611:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2639:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2644:20: branch_false: ...to here
openssh-9.9p1/sftp.c:2652:20: branch_true: following ‘true’ branch (when ‘sftp_server’ is NULL)...
openssh-9.9p1/sftp.c:2653:25: branch_true: ...to here
openssh-9.9p1/sftp.c:2657:17: branch_false: following ‘false’ branch (when ‘sftp_server’ is NULL)...
 branch_false: ...to here
openssh-9.9p1/sftp.c:2660:17: call_function: calling ‘connect_to_server’ from ‘main’
openssh-9.9p1/sftp.c:2660:17: return_function: returning to ‘main’ from ‘connect_to_server’
openssh-9.9p1/sftp.c:2672:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2675:13: branch_false: ...to here
openssh-9.9p1/sftp.c:2682:15: call_function: calling ‘interactive_loop’ from ‘main’
#argument 1 of ‘__builtin_strlen’ must be non-null
# 1495|   	case I_LLS:
# 1496|   		/* Skip ls command and following whitespace */
# 1497|-> 		cp = cp + strlen(cmd) + strspn(cp, WHITESPACE);
# 1498|   	case I_SHELL:
# 1499|   		/* Uses the rest of the line */

Error: GCC_ANALYZER_WARNING (CWE-775): [#def120]
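openssh-9.9p1/sftp.c:2387:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(c_out, 0)’
# Reviewer note: the flagged dup2() calls run in the forked child (sshpid == 0) and target STDIN_FILENO/STDOUT_FILENO, descriptors a child normally keeps open for the program it goes on to run. The code after line 2389 is not shown, so confirm that the child execs or exits before treating this as a real leak. The same child-side dup2() pattern is reported in #def121, #def132, #def133, #def136, #def137 and #def144 to #def146.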
openssh-9.9p1/sftp.c:2438:1: enter_function: entry to ‘main’
openssh-9.9p1/sftp.c:2470:16: branch_true: following ‘true’ branch (when ‘ch != -1’)...
openssh-9.9p1/sftp.c:2472:17: branch_true: ...to here
openssh-9.9p1/sftp.c:2470:16: branch_false: following ‘false’ branch (when ‘ch == -1’)...
openssh-9.9p1/sftp.c:2600:9: branch_false: ...to here
openssh-9.9p1/sftp.c:2602:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2605:12: branch_false: ...to here
openssh-9.9p1/sftp.c:2610:12: branch_false: following ‘false’ branch (when ‘sftp_direct’ is non-NULL)...
openssh-9.9p1/sftp.c:2662:26: branch_false: ...to here
openssh-9.9p1/sftp.c:2662:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2664:21: branch_false: ...to here
openssh-9.9p1/sftp.c:2664:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2666:17: branch_false: ...to here
openssh-9.9p1/sftp.c:2666:17: call_function: calling ‘connect_to_server’ from ‘main’
# 2385|   		fatal("fork: %s", strerror(errno));
# 2386|   	else if (sshpid == 0) {
# 2387|-> 		if ((dup2(c_in, STDIN_FILENO) == -1) ||
# 2388|   		    (dup2(c_out, STDOUT_FILENO) == -1)) {
# 2389|   			fprintf(stderr, "dup2: %s\n", strerror(errno));

Error: GCC_ANALYZER_WARNING (CWE-775): [#def121]
openssh-9.9p1/sftp.c:2387:21: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(c_out, 1)’
openssh-9.9p1/sftp.c:2438:1: enter_function: entry to ‘main’
openssh-9.9p1/sftp.c:2470:16: branch_true: following ‘true’ branch (when ‘ch != -1’)...
openssh-9.9p1/sftp.c:2472:17: branch_true: ...to here
openssh-9.9p1/sftp.c:2470:16: branch_false: following ‘false’ branch (when ‘ch == -1’)...
openssh-9.9p1/sftp.c:2600:9: branch_false: ...to here
openssh-9.9p1/sftp.c:2602:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2605:12: branch_false: ...to here
openssh-9.9p1/sftp.c:2610:12: branch_false: following ‘false’ branch (when ‘sftp_direct’ is non-NULL)...
openssh-9.9p1/sftp.c:2662:26: branch_false: ...to here
openssh-9.9p1/sftp.c:2662:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2664:21: branch_false: ...to here
openssh-9.9p1/sftp.c:2664:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2666:17: branch_false: ...to here
openssh-9.9p1/sftp.c:2666:17: call_function: calling ‘connect_to_server’ from ‘main’
# 2385|   		fatal("fork: %s", strerror(errno));
# 2386|   	else if (sshpid == 0) {
# 2387|-> 		if ((dup2(c_in, STDIN_FILENO) == -1) ||
# 2388|   		    (dup2(c_out, STDOUT_FILENO) == -1)) {
# 2389|   			fprintf(stderr, "dup2: %s\n", strerror(errno));

Error: GCC_ANALYZER_WARNING (CWE-1341): [#def122]
openssh-9.9p1/sftp.c:2393:17: warning[-Wanalyzer-fd-double-close]: double ‘close’ of file descriptor ‘in’
openssh-9.9p1/sftp.c:2438:1: enter_function: entry to ‘main’
openssh-9.9p1/sftp.c:2470:16: branch_true: following ‘true’ branch (when ‘ch != -1’)...
openssh-9.9p1/sftp.c:2472:17: branch_true: ...to here
openssh-9.9p1/sftp.c:2470:16: branch_false: following ‘false’ branch (when ‘ch == -1’)...
openssh-9.9p1/sftp.c:2600:9: branch_false: ...to here
openssh-9.9p1/sftp.c:2602:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2605:12: branch_false: ...to here
openssh-9.9p1/sftp.c:2610:12: branch_false: following ‘false’ branch (when ‘sftp_direct’ is non-NULL)...
openssh-9.9p1/sftp.c:2662:26: branch_false: ...to here
openssh-9.9p1/sftp.c:2662:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2664:21: branch_false: ...to here
openssh-9.9p1/sftp.c:2664:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2666:17: branch_false: ...to here
openssh-9.9p1/sftp.c:2666:17: call_function: calling ‘connect_to_server’ from ‘main’
# 2391|   		}
# 2392|   		close(*in);
# 2393|-> 		close(*out);
# 2394|   		close(c_in);
# 2395|   		close(c_out);

Error: GCC_ANALYZER_WARNING (CWE-1341): [#def123]
openssh-9.9p1/sftp.c:2395:17: warning[-Wanalyzer-fd-double-close]: double ‘close’ of file descriptor ‘c_out’
openssh-9.9p1/sftp.c:2438:1: enter_function: entry to ‘main’
openssh-9.9p1/sftp.c:2470:16: branch_true: following ‘true’ branch (when ‘ch != -1’)...
openssh-9.9p1/sftp.c:2472:17: branch_true: ...to here
openssh-9.9p1/sftp.c:2470:16: branch_false: following ‘false’ branch (when ‘ch == -1’)...
openssh-9.9p1/sftp.c:2600:9: branch_false: ...to here
openssh-9.9p1/sftp.c:2602:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2605:12: branch_false: ...to here
openssh-9.9p1/sftp.c:2610:12: branch_false: following ‘false’ branch (when ‘sftp_direct’ is non-NULL)...
openssh-9.9p1/sftp.c:2662:26: branch_false: ...to here
openssh-9.9p1/sftp.c:2662:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2664:21: branch_false: ...to here
openssh-9.9p1/sftp.c:2664:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2666:17: branch_false: ...to here
openssh-9.9p1/sftp.c:2666:17: call_function: calling ‘connect_to_server’ from ‘main’
# 2393|   		close(*out);
# 2394|   		close(c_in);
# 2395|-> 		close(c_out);
# 2396|   
# 2397|   		/*

Error: GCC_ANALYZER_WARNING (CWE-1341): [#def124]
openssh-9.9p1/sftp.c:2419:9: warning[-Wanalyzer-fd-double-close]: double ‘close’ of file descriptor ‘c_out’
openssh-9.9p1/sftp.c:2438:1: enter_function: entry to ‘main’
openssh-9.9p1/sftp.c:2470:16: branch_true: following ‘true’ branch (when ‘ch != -1’)...
openssh-9.9p1/sftp.c:2472:17: branch_true: ...to here
openssh-9.9p1/sftp.c:2470:16: branch_false: following ‘false’ branch (when ‘ch == -1’)...
openssh-9.9p1/sftp.c:2600:9: branch_false: ...to here
openssh-9.9p1/sftp.c:2602:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2605:12: branch_false: ...to here
openssh-9.9p1/sftp.c:2610:12: branch_false: following ‘false’ branch (when ‘sftp_direct’ is non-NULL)...
openssh-9.9p1/sftp.c:2662:26: branch_false: ...to here
openssh-9.9p1/sftp.c:2662:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2664:21: branch_false: ...to here
openssh-9.9p1/sftp.c:2664:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sftp.c:2666:17: branch_false: ...to here
openssh-9.9p1/sftp.c:2666:17: call_function: calling ‘connect_to_server’ from ‘main’
# 2417|   	ssh_signal(SIGCHLD, sigchld_handler);
# 2418|   	close(c_in);
# 2419|-> 	close(c_out);
# 2420|   }
# 2421|   

Error: GCC_ANALYZER_WARNING (CWE-775): [#def125]
openssh-9.9p1/ssh-add.c:305:12: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘open(filename, 0)’
openssh-9.9p1/ssh-add.c:848:1: enter_function: entry to ‘main’
openssh-9.9p1/ssh-add.c:903:25: call_function: calling ‘stringlist_append’ from ‘main’
openssh-9.9p1/ssh-add.c:903:25: return_function: returning to ‘main’ from ‘stringlist_append’
openssh-9.9p1/ssh-add.c:889:16: branch_false: following ‘false’ branch (when ‘ch == -1’)...
openssh-9.9p1/ssh-add.c:984:9: branch_false: ...to here
openssh-9.9p1/ssh-add.c:986:12: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-add.c:988:17: branch_false: ...to here
openssh-9.9p1/ssh-add.c:988:17: branch_false: following ‘false’ branch (when ‘xflag == 0’)...
openssh-9.9p1/ssh-add.c:992:19: branch_false: ...to here
openssh-9.9p1/ssh-add.c:992:19: branch_false: following ‘false’ branch (when ‘lflag == 0’)...
openssh-9.9p1/ssh-add.c:996:19: branch_false: ...to here
openssh-9.9p1/ssh-add.c:996:19: branch_false: following ‘false’ branch (when ‘Dflag == 0’)...
openssh-9.9p1/ssh-add.c:1003:12: branch_false: ...to here
openssh-9.9p1/ssh-add.c:1023:12: branch_false: following ‘false’ branch (when ‘Tflag == 0’)...
openssh-9.9p1/ssh-add.c:1031:12: branch_false: ...to here
openssh-9.9p1/ssh-add.c:1031:12: branch_false: following ‘false’ branch (when ‘pkcs11provider’ is NULL)...
openssh-9.9p1/ssh-add.c:1048:12: branch_false: ...to here
openssh-9.9p1/ssh-add.c:1048:12: branch_false: following ‘false’ branch (when ‘do_download == 0’)...
openssh-9.9p1/ssh-add.c:1056:12: branch_false: ...to here
openssh-9.9p1/ssh-add.c:1056:12: branch_true: following ‘true’ branch (when ‘argc == 0’)...
openssh-9.9p1/ssh-add.c:1062:27: branch_true: ...to here
openssh-9.9p1/ssh-add.c:1062:20: branch_false: following ‘false’ branch...
 branch_false: ...to here
openssh-9.9p1/ssh-add.c:1069:29: branch_true: following ‘true’ branch...
openssh-9.9p1/ssh-add.c:1070:25: branch_true: ...to here
openssh-9.9p1/ssh-add.c:1072:28: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-add.c:1074:29: branch_false: ...to here
openssh-9.9p1/ssh-add.c:1074:29: call_function: calling ‘do_file’ from ‘main’
#  303|   	 * will occur multiple times, so check perms first and bail if wrong.
#  304|   	 */
#  305|-> 	if (fd != STDIN_FILENO) {
#  306|   		if (sshkey_perm_ok(fd, filename) != 0) {
#  307|   			close(fd);

Error: GCC_ANALYZER_WARNING (CWE-476): [#def126]
openssh-9.9p1/ssh-agent.c:276:17: warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
openssh-9.9p1/ssh-agent.c:1538:1: enter_function: entry to ‘add_p11_identity’
openssh-9.9p1/ssh-agent.c:1555:32: call_function: calling ‘dup_dest_constraints’ from ‘add_p11_identity’
#  274|   		    &(out->keys[i]))) != 0)
#  275|   			fatal_fr(r, "copy key");
#  276|-> 		out->key_is_ca[i] = dch->key_is_ca[i];
#  277|   	}
#  278|   }

Error: COMPILER_WARNING: [#def127]
openssh-9.9p1/ssh-keycat.c:39:9: warning: ‘_GNU_SOURCE’ redefined
#   39 | #define _GNU_SOURCE
#      |         ^~~~~~~~~~~
<command-line>: note: this is the location of the previous definition
#   37|   */
#   38|   
#   39|-> #define _GNU_SOURCE
#   40|   
#   41|   #include "config.h"

Error: COMPILER_WARNING: [#def128]
openssh-9.9p1/ssh-keycat.c:39:9: warning[warning]: ‘_GNU_SOURCE’ redefined
#   37|   */
#   38|   
#   39|-> #define _GNU_SOURCE
#   40|   
#   41|   #include "config.h"

Error: COMPILER_WARNING: [#def129]
openssh-9.9p1/ssh-keygen.c: scope_hint: In function ‘do_convert_to’
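openssh-9.9p1/ssh-keygen.c:370:41: warning[-Wformat-truncation=]: ‘%s’ directive output may be truncated writing up to 1024 bytes into a region of size 39
# Reviewer note: snprintf() is bounded by sizeof(comment), so the consequence is a silently shortened comment string, not an out-of-bounds write. The return value is not checked in the lines shown, so truncation goes unreported. #def130 and #def131 report the same pattern.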
#  370 |             "%u-bit %s, converted by %s@%s from OpenSSH",
#      |                                         ^~
#  371 |             sshkey_size(k), sshkey_type(k),
#  372 |             pw->pw_name, hostname);
#      |                          ~~~~~~~~        
/usr/include/bits/stdio2.h:68:10: note: ‘__snprintf_chk’ output 36 or more bytes (assuming 1060) into a destination of size 61
#   68 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
#      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   69 |                                    __glibc_objsize (__s), __fmt,
#      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   70 |                                    __va_arg_pack ());
#      |                                    ~~~~~~~~~~~~~~~~~
#  368|   	/* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */
#  369|   	snprintf(comment, sizeof(comment),
#  370|-> 	    "%u-bit %s, converted by %s@%s from OpenSSH",
#  371|   	    sshkey_size(k), sshkey_type(k),
#  372|   	    pw->pw_name, hostname);

Error: COMPILER_WARNING: [#def130]
openssh-9.9p1/ssh-keygen.c: scope_hint: In function ‘do_gen_all_hostkeys’
openssh-9.9p1/ssh-keygen.c:1180:55: warning[-Wformat-truncation=]: ‘%s’ directive output may be truncated writing up to 1024 bytes into a region of size 1023
# 1180 |                 snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
#      |                                                       ^~
# 1181 |                     hostname);
#      |                     ~~~~~~~~                           
/usr/include/bits/stdio2.h:68:10: note: ‘__snprintf_chk’ output 2 or more bytes (assuming 1026) into a destination of size 1024
#   68 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
#      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   69 |                                    __glibc_objsize (__s), __fmt,
#      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   70 |                                    __va_arg_pack ());
#      |                                    ~~~~~~~~~~~~~~~~~
# 1178|   		if ((r = sshkey_from_private(private, &public)) != 0)
# 1179|   			fatal_fr(r, "sshkey_from_private");
# 1180|-> 		snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
# 1181|   		    hostname);
# 1182|   		if ((r = sshkey_save_private(private, prv_tmp, "",

Error: COMPILER_WARNING: [#def131]
openssh-9.9p1/ssh-keygen.c: scope_hint: In function ‘main’
openssh-9.9p1/ssh-keygen.c:3976:55: warning[-Wformat-truncation=]: ‘%s’ directive output may be truncated writing up to 1024 bytes into a region of size 1023
# 3976 |                 snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname);
#      |                                                       ^~                ~~~~~~~~
/usr/include/bits/stdio2.h:68:10: note: ‘__snprintf_chk’ output 2 or more bytes (assuming 1026) into a destination of size 1024
#   68 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
#      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   69 |                                    __glibc_objsize (__s), __fmt,
#      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   70 |                                    __va_arg_pack ());
#      |                                    ~~~~~~~~~~~~~~~~~
# 3974|   	} else {
# 3975|   		/* Create default comment field for the passphrase. */
# 3976|-> 		snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname);
# 3977|   	}
# 3978|   

Error: GCC_ANALYZER_WARNING (CWE-775): [#def132]
openssh-9.9p1/ssh-pkcs11-client.c:595:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(pair[1], 0)’
openssh-9.9p1/ssh-pkcs11-client.c:564:1: enter_function: entry to ‘pkcs11_start_helper’
openssh-9.9p1/ssh-pkcs11-client.c:571:12: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-pkcs11-client.c:573:9: branch_false: ...to here
openssh-9.9p1/ssh-pkcs11-client.c:574:12: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-pkcs11-client.c:578:18: branch_false: ...to here
openssh-9.9p1/ssh-pkcs11-client.c:579:13: call_function: calling ‘pkcs11_start_helper_methods’ from ‘pkcs11_start_helper’
openssh-9.9p1/ssh-pkcs11-client.c:579:13: return_function: returning to ‘pkcs11_start_helper’ from ‘pkcs11_start_helper_methods’
openssh-9.9p1/ssh-pkcs11-client.c:579:12: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-pkcs11-client.c:583:20: branch_false: ...to here
openssh-9.9p1/ssh-pkcs11-client.c:583:12: branch_false: following ‘false’ branch (when ‘pid != -1’)...
openssh-9.9p1/ssh-pkcs11-client.c:594:19: branch_false: ...to here
openssh-9.9p1/ssh-pkcs11-client.c:594:19: branch_true: following ‘true’ branch (when ‘pid == 0’)...
openssh-9.9p1/ssh-pkcs11-client.c:595:22: branch_true: ...to here
openssh-9.9p1/ssh-pkcs11-client.c:595:22: acquire_resource: opened here
openssh-9.9p1/ssh-pkcs11-client.c:595:20: danger: ‘dup2(pair[1], 0)’ leaks here; was opened at [(23)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/22)
#  593|   		return NULL;
#  594|   	} else if (pid == 0) {
#  595|-> 		if ((dup2(pair[1], STDIN_FILENO) == -1) ||
#  596|   		    (dup2(pair[1], STDOUT_FILENO) == -1)) {
#  597|   			fprintf(stderr, "dup2: %s\n", strerror(errno));

Error: GCC_ANALYZER_WARNING (CWE-775): [#def133]
openssh-9.9p1/ssh-pkcs11-client.c:595:21: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(pair[1], 1)’
openssh-9.9p1/ssh-pkcs11-client.c:564:1: enter_function: entry to ‘pkcs11_start_helper’
openssh-9.9p1/ssh-pkcs11-client.c:571:12: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-pkcs11-client.c:573:9: branch_false: ...to here
openssh-9.9p1/ssh-pkcs11-client.c:574:12: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-pkcs11-client.c:578:18: branch_false: ...to here
openssh-9.9p1/ssh-pkcs11-client.c:579:13: call_function: calling ‘pkcs11_start_helper_methods’ from ‘pkcs11_start_helper’
openssh-9.9p1/ssh-pkcs11-client.c:579:13: return_function: returning to ‘pkcs11_start_helper’ from ‘pkcs11_start_helper_methods’
openssh-9.9p1/ssh-pkcs11-client.c:579:12: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-pkcs11-client.c:583:20: branch_false: ...to here
openssh-9.9p1/ssh-pkcs11-client.c:583:12: branch_false: following ‘false’ branch (when ‘pid != -1’)...
openssh-9.9p1/ssh-pkcs11-client.c:594:19: branch_false: ...to here
openssh-9.9p1/ssh-pkcs11-client.c:594:19: branch_true: following ‘true’ branch (when ‘pid == 0’)...
openssh-9.9p1/ssh-pkcs11-client.c:595:22: branch_true: ...to here
openssh-9.9p1/ssh-pkcs11-client.c:595:20: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-pkcs11-client.c:596:22: branch_false: ...to here
openssh-9.9p1/ssh-pkcs11-client.c:596:22: acquire_resource: opened here
openssh-9.9p1/ssh-pkcs11-client.c:595:21: danger: ‘dup2(pair[1], 1)’ leaks here; was opened at [(25)](sarif:/runs/0/results/1/codeFlows/0/threadFlows/0/locations/24)
#  593|   		return NULL;
#  594|   	} else if (pid == 0) {
#  595|-> 		if ((dup2(pair[1], STDIN_FILENO) == -1) ||
#  596|   		    (dup2(pair[1], STDOUT_FILENO) == -1)) {
#  597|   			fprintf(stderr, "dup2: %s\n", strerror(errno));

Error: GCC_ANALYZER_WARNING (CWE-688): [#def134]
openssh-9.9p1/ssh-pkcs11.c:212:22: warning[-Wanalyzer-possible-null-argument]: use of possibly-NULL ‘module_path’ where non-null expected
openssh-9.9p1/ssh-pkcs11.c:2067:1: enter_function: entry to ‘pkcs11_add_provider’
openssh-9.9p1/ssh-pkcs11.c:2074:12: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-pkcs11.c:2077:13: branch_false: ...to here
openssh-9.9p1/ssh-pkcs11.c:2077:12: branch_true: following ‘true’ branch...
openssh-9.9p1/ssh-pkcs11.c:2078:13: branch_true: ...to here
openssh-9.9p1/ssh-pkcs11.c:2077:13: branch_true: following ‘true’ branch...
openssh-9.9p1/ssh-pkcs11.c:2079:21: branch_true: ...to here
openssh-9.9p1/ssh-pkcs11.c:2079:20: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-pkcs11.c:2085:17: branch_false: ...to here
openssh-9.9p1/ssh-pkcs11.c:2085:17: call_function: calling ‘pkcs11_add_provider_by_uri’ from ‘pkcs11_add_provider’
#  210|   	TAILQ_FOREACH(p, &pkcs11_providers, next) {
#  211|   		debug("check %p %s (%s)", p, p->name, p->module->module_path);
#  212|-> 		if (!strcmp(module_path, p->module->module_path))
#  213|   			return (p->module);
#  214|   	}

Error: COMPILER_WARNING (CWE-1164): [#def135]
openssh-9.9p1/ssh-pkcs11.c:2011:1: warning[-Wunused-function]: ‘pkcs11_register_provider’ defined but not used
# 2011 | pkcs11_register_provider(char *provider_id, char *pin, struct sshkey ***keyp,
#      | ^~~~~~~~~~~~~~~~~~~~~~~~
# 2009|   
# 2010|   static int
# 2011|-> pkcs11_register_provider(char *provider_id, char *pin, struct sshkey ***keyp,
# 2012|       char ***labelsp, struct pkcs11_provider **providerp, CK_ULONG user)
# 2013|   {

Error: GCC_ANALYZER_WARNING (CWE-775): [#def136]
openssh-9.9p1/ssh-sk-client.c:87:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(pair[1], 0)’
openssh-9.9p1/ssh-sk-client.c:61:12: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-sk-client.c:72:13: branch_false: ...to here
openssh-9.9p1/ssh-sk-client.c:72:12: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-sk-client.c:76:20: branch_false: ...to here
openssh-9.9p1/ssh-sk-client.c:77:12: branch_false: following ‘false’ branch (when ‘pid != -1’)...
openssh-9.9p1/ssh-sk-client.c:86:12: branch_false: ...to here
openssh-9.9p1/ssh-sk-client.c:86:12: branch_true: following ‘true’ branch (when ‘pid == 0’)...
openssh-9.9p1/ssh-sk-client.c:87:22: branch_true: ...to here
openssh-9.9p1/ssh-sk-client.c:87:22: acquire_resource: opened here
openssh-9.9p1/ssh-sk-client.c:87:20: danger: ‘dup2(pair[1], 0)’ leaks here; was opened at [(9)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/8)
#   85|   	}
#   86|   	if (pid == 0) {
#   87|-> 		if ((dup2(pair[1], STDIN_FILENO) == -1) ||
#   88|   		    (dup2(pair[1], STDOUT_FILENO) == -1)) {
#   89|   			error_f("dup2: %s", strerror(errno));

Error: GCC_ANALYZER_WARNING (CWE-775): [#def137]
openssh-9.9p1/ssh-sk-client.c:87:21: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(pair[1], 1)’
openssh-9.9p1/ssh-sk-client.c:61:12: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-sk-client.c:72:13: branch_false: ...to here
openssh-9.9p1/ssh-sk-client.c:72:12: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-sk-client.c:76:20: branch_false: ...to here
openssh-9.9p1/ssh-sk-client.c:77:12: branch_false: following ‘false’ branch (when ‘pid != -1’)...
openssh-9.9p1/ssh-sk-client.c:86:12: branch_false: ...to here
openssh-9.9p1/ssh-sk-client.c:86:12: branch_true: following ‘true’ branch (when ‘pid == 0’)...
openssh-9.9p1/ssh-sk-client.c:87:22: branch_true: ...to here
openssh-9.9p1/ssh-sk-client.c:87:20: branch_false: following ‘false’ branch...
openssh-9.9p1/ssh-sk-client.c:88:22: branch_false: ...to here
openssh-9.9p1/ssh-sk-client.c:88:22: acquire_resource: opened here
openssh-9.9p1/ssh-sk-client.c:87:21: danger: ‘dup2(pair[1], 1)’ leaks here; was opened at [(11)](sarif:/runs/0/results/1/codeFlows/0/threadFlows/0/locations/10)
#   85|   	}
#   86|   	if (pid == 0) {
#   87|-> 		if ((dup2(pair[1], STDIN_FILENO) == -1) ||
#   88|   		    (dup2(pair[1], STDOUT_FILENO) == -1)) {
#   89|   			error_f("dup2: %s", strerror(errno));

Error: GCC_ANALYZER_WARNING (CWE-1341): [#def138]
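openssh-9.9p1/sshbuf-io.c:110:17: warning[-Wanalyzer-fd-double-close]: double ‘close’ of file descriptor ‘open(path, 577, 420)’
# Reviewer note: line 108 already calls close(fd) inside the condition, so the close(fd) on line 110 is a second close whenever that first call is the one that failed. On systems that release the descriptor even when close() reports an error, the second call acts on a number that may since have been reused. Recording whether close() was already attempted before the cleanup path avoids this.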
openssh-9.9p1/sshbuf-io.c:105:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshbuf-io.c:107:13: branch_false: ...to here
openssh-9.9p1/sshbuf-io.c:107:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshbuf-io.c:108:52: branch_false: ...to here
openssh-9.9p1/sshbuf-io.c:108:52: release_resource: first ‘close’ here
openssh-9.9p1/sshbuf-io.c:107:13: branch_true: following ‘true’ branch...
openssh-9.9p1/sshbuf-io.c:109:26: branch_true: ...to here
openssh-9.9p1/sshbuf-io.c:110:17: danger: second ‘close’ here; first ‘close’ was at [(5)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/4)
#  108|   	    sshbuf_len(buf)) != sshbuf_len(buf) || close(fd) != 0) {
#  109|   		oerrno = errno;
#  110|-> 		close(fd);
#  111|   		unlink(path);
#  112|   		errno = oerrno;

Error: GCC_ANALYZER_WARNING (CWE-476): [#def139]
openssh-9.9p1/sshconnect.c:731:13: warning[-Wanalyzer-null-dereference]: dereference of NULL ‘key’
openssh-9.9p1/sshconnect.c:1471:1: enter_function: entry to ‘verify_host_key’
openssh-9.9p1/sshconnect.c:1479:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect.c:1486:13: branch_false: ...to here
openssh-9.9p1/sshconnect.c:1486:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect.c:1507:17: branch_false: ...to here
openssh-9.9p1/sshconnect.c:1510:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect.c:1518:13: branch_false: ...to here
openssh-9.9p1/sshconnect.c:1538:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect.c:1569:13: branch_false: ...to here
openssh-9.9p1/sshconnect.c:1566:13: call_function: calling ‘check_host_key’ from ‘verify_host_key’
#  729|   	const char *hostkeyalgs = options.hostkeyalgorithms;
#  730|   
#  731|-> 	if (key->type == KEY_UNSPEC)
#  732|   		return 0;
#  733|   	if (key->type == KEY_RSA &&

Error: GCC_ANALYZER_WARNING (CWE-775): [#def140]
openssh-9.9p1/sshconnect2.c:2206:24: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘from[0]’
openssh-9.9p1/sshconnect2.c:2204:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2208:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2208:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2212:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2212:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2216:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2216:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2220:20: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2220:12: branch_true: following ‘true’ branch (when ‘pid == -1’)...
openssh-9.9p1/sshconnect2.c:2221:17: branch_true: ...to here
openssh-9.9p1/sshconnect2.c:2206:24: danger: ‘from[0]’ leaks here
# 2204|   	if (stat(_PATH_SSH_KEY_SIGN, &st) == -1) {
# 2205|   		error_f("not installed: %s", strerror(errno));
# 2206|-> 		return -1;
# 2207|   	}
# 2208|   	if (fflush(stdout) != 0) {

Error: GCC_ANALYZER_WARNING (CWE-775): [#def141]
openssh-9.9p1/sshconnect2.c:2206:24: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘from[1]’
openssh-9.9p1/sshconnect2.c:2204:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2208:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2208:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2212:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2212:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2216:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2216:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2220:20: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2220:12: branch_true: following ‘true’ branch (when ‘pid == -1’)...
openssh-9.9p1/sshconnect2.c:2221:17: branch_true: ...to here
openssh-9.9p1/sshconnect2.c:2206:24: danger: ‘from[1]’ leaks here
# 2204|   	if (stat(_PATH_SSH_KEY_SIGN, &st) == -1) {
# 2205|   		error_f("not installed: %s", strerror(errno));
# 2206|-> 		return -1;
# 2207|   	}
# 2208|   	if (fflush(stdout) != 0) {

Error: GCC_ANALYZER_WARNING (CWE-775): [#def142]
openssh-9.9p1/sshconnect2.c:2206:24: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘to[0]’
openssh-9.9p1/sshconnect2.c:2204:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2208:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2208:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2212:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2212:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2216:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2216:12: branch_true: following ‘true’ branch...
openssh-9.9p1/sshconnect2.c:2217:17: branch_true: ...to here
openssh-9.9p1/sshconnect2.c:2206:24: danger: ‘to[0]’ leaks here
# 2204|   	if (stat(_PATH_SSH_KEY_SIGN, &st) == -1) {
# 2205|   		error_f("not installed: %s", strerror(errno));
# 2206|-> 		return -1;
# 2207|   	}
# 2208|   	if (fflush(stdout) != 0) {

Error: GCC_ANALYZER_WARNING (CWE-775): [#def143]
openssh-9.9p1/sshconnect2.c:2206:24: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘to[1]’
openssh-9.9p1/sshconnect2.c:2204:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2208:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2208:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2212:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2212:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2216:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2216:12: branch_true: following ‘true’ branch...
openssh-9.9p1/sshconnect2.c:2217:17: branch_true: ...to here
openssh-9.9p1/sshconnect2.c:2206:24: danger: ‘to[1]’ leaks here
# 2204|   	if (stat(_PATH_SSH_KEY_SIGN, &st) == -1) {
# 2205|   		error_f("not installed: %s", strerror(errno));
# 2206|-> 		return -1;
# 2207|   	}
# 2208|   	if (fflush(stdout) != 0) {

Error: GCC_ANALYZER_WARNING (CWE-775): [#def144]
openssh-9.9p1/sshconnect2.c:2227:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(from[1], 1)’
openssh-9.9p1/sshconnect2.c:2204:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2208:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2208:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2212:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2212:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2216:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2216:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2220:20: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2220:12: branch_false: following ‘false’ branch (when ‘pid != -1’)...
openssh-9.9p1/sshconnect2.c:2224:20: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2225:12: branch_true: following ‘true’ branch (when ‘pid == 0’)...
openssh-9.9p1/sshconnect2.c:2226:17: branch_true: ...to here
openssh-9.9p1/sshconnect2.c:2227:21: acquire_resource: opened here
openssh-9.9p1/sshconnect2.c:2227:20: danger: ‘dup2(from[1], 1)’ leaks here; was opened at [(15)](sarif:/runs/0/results/4/codeFlows/0/threadFlows/0/locations/14)
# 2225|   	if (pid == 0) {
# 2226|   		close(from[0]);
# 2227|-> 		if (dup2(from[1], STDOUT_FILENO) == -1)
# 2228|   			fatal_f("dup2: %s", strerror(errno));
# 2229|   		close(to[1]);

Error: GCC_ANALYZER_WARNING (CWE-775): [#def145]
openssh-9.9p1/sshconnect2.c:2230:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(to[0], 0)’
openssh-9.9p1/sshconnect2.c:2204:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2208:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2208:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2212:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2212:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2216:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2216:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2220:20: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2220:12: branch_false: following ‘false’ branch (when ‘pid != -1’)...
openssh-9.9p1/sshconnect2.c:2224:20: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2225:12: branch_true: following ‘true’ branch (when ‘pid == 0’)...
openssh-9.9p1/sshconnect2.c:2226:17: branch_true: ...to here
openssh-9.9p1/sshconnect2.c:2227:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2229:17: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2230:21: acquire_resource: opened here
openssh-9.9p1/sshconnect2.c:2230:20: danger: ‘dup2(to[0], 0)’ leaks here; was opened at [(17)](sarif:/runs/0/results/5/codeFlows/0/threadFlows/0/locations/16)
# 2228|   			fatal_f("dup2: %s", strerror(errno));
# 2229|   		close(to[1]);
# 2230|-> 		if (dup2(to[0], STDIN_FILENO) == -1)
# 2231|   			fatal_f("dup2: %s", strerror(errno));
# 2232|   		close(from[1]);

Error: GCC_ANALYZER_WARNING (CWE-775): [#def146]
openssh-9.9p1/sshconnect2.c:2235:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(ssh_packet_get_connection_in(ssh), 3)’
openssh-9.9p1/sshconnect2.c:2204:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2208:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2208:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2212:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2212:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2216:13: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2216:12: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2220:20: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2220:12: branch_false: following ‘false’ branch (when ‘pid != -1’)...
openssh-9.9p1/sshconnect2.c:2224:20: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2225:12: branch_true: following ‘true’ branch (when ‘pid == 0’)...
openssh-9.9p1/sshconnect2.c:2226:17: branch_true: ...to here
openssh-9.9p1/sshconnect2.c:2227:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2229:17: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2230:20: branch_false: following ‘false’ branch...
openssh-9.9p1/sshconnect2.c:2232:17: branch_false: ...to here
openssh-9.9p1/sshconnect2.c:2235:21: acquire_resource: opened here
openssh-9.9p1/sshconnect2.c:2235:20: danger: ‘dup2(ssh_packet_get_connection_in(ssh), 3)’ leaks here; was opened at [(19)](sarif:/runs/0/results/6/codeFlows/0/threadFlows/0/locations/18)
# 2233|   		close(to[0]);
# 2234|   
# 2235|-> 		if (dup2(sock, STDERR_FILENO + 1) == -1)
# 2236|   			fatal_f("dup2: %s", strerror(errno));
# 2237|   		sock = STDERR_FILENO + 1;

Error: GCC_ANALYZER_WARNING (CWE-775): [#def147]
openssh-9.9p1/sshd.c:1372:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘devnull’
openssh-9.9p1/sshd.c:1363:13: branch_false: following ‘false’ branch...
openssh-9.9p1/sshd.c:1366:9: branch_false: ...to here
openssh-9.9p1/sshd.c:1369:24: acquire_resource: opened here
openssh-9.9p1/sshd.c:1369:12: branch_false: following ‘false’ branch...
 branch_false: ...to here
openssh-9.9p1/sshd.c:1371:16: branch_true: following ‘true’ branch (when ‘devnull <= 5’)...
openssh-9.9p1/sshd.c:1372:32: branch_true: ...to here
openssh-9.9p1/sshd.c:1372:20: branch_false: following ‘false’ branch (when ‘devnull != -1’)...
 branch_false: ...to here
openssh-9.9p1/sshd.c:1372:20: danger: ‘devnull’ leaks here; was opened at [(3)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/2)
# 1370|   		fatal("open %s: %s", _PATH_DEVNULL, strerror(errno));
# 1371|   	while (devnull < REEXEC_MIN_FREE_FD) {
# 1372|-> 		if ((devnull = dup(devnull)) == -1)
# 1373|   			fatal("dup %s: %s", _PATH_DEVNULL, strerror(errno));
# 1374|   	}

Scan Properties

analyzer-version-clippy: 1.86.0
analyzer-version-cppcheck: 2.17.1
analyzer-version-gcc: 15.0.1
analyzer-version-gcc-analyzer: 15.0.1
analyzer-version-shellcheck: 0.10.0
analyzer-version-unicontrol: 0.0.2
enabled-plugins: clippy, cppcheck, gcc, shellcheck, unicontrol
exit-code: 0
host: ip-172-16-1-181.us-west-2.compute.internal
known-false-positives: /usr/share/csmock/known-false-positives.js
known-false-positives-rpm: known-false-positives-0.0.0.20250425.124705.g1c7c448.main-1.el9.noarch
mock-config: fedora-rawhide-x86_64
project-name: openssh-9.9p1-15.fc43
store-results-to: /tmp/tmp5helbt_r/openssh-9.9p1-15.fc43.tar.xz
time-created: 2025-04-25 14:39:01
time-finished: 2025-04-25 14:42:09
tool: csmock
tool-args: '/usr/bin/csmock' '-r' 'fedora-rawhide-x86_64' '-t' 'unicontrol,cppcheck,gcc,clippy,shellcheck' '-o' '/tmp/tmp5helbt_r/openssh-9.9p1-15.fc43.tar.xz' '--gcc-analyze' '--unicontrol-notests' '--unicontrol-bidi-only' '--install' 'pam' '--gcc-analyzer-bin=/usr/bin/gcc' '/tmp/tmp5helbt_r/openssh-9.9p1-15.fc43.src.rpm'
tool-version: csmock-3.8.1.20250422.172604.g26bc3d6-1.el9