cf-https-connect: silence clang-tidy v21 false positive

content_encoding: another one

```
/Users/runner/work/curl/curl/lib/content_encoding.c:657:5: error: Out of bound access to memory preceding 'all' [clang-analyzer-security.ArrayBound,-warnings-as-errors]
  657 |     p[-2] = '\0';
      |     ^
```
Ref: https://github.com/curl/curl/actions/runs/17295803554/job/49093573741?pr=18422#step:11:40

mime.c

/Users/runner/work/curl/curl/lib/mime.c:1756:12: error: Out of bound access to memory after the end of the string literal [clang-analyzer-security.ArrayBound,-warnings-as-errors]
 1756 |     switch(contenttype[len]) {
      |            ^
https://github.com/curl/curl/actions/runs/17295955998/job/49094149140?pr=18422#step:11:127

ntlm.c

```
/Users/runner/work/curl/curl/lib/vauth/ntlm.c:414:5: error: Out of bound access to memory after the end of 'ntlmbuf' [clang-analyzer-security.ArrayBound,-warnings-as-errors]
  414 |     dest[2 * i] = (unsigned char)src[i];
      |     ^
```
https://github.com/curl/curl/actions/runs/17296813157/job/49097003881?pr=18422#step:11:157

ntlm.c more

/Users/runner/work/curl/curl/lib/vauth/ntlm.c:836:17: error: Out of bound access to memory after the end of 'ntlmbuf' [clang-analyzer-security.ArrayBound,-warnings-as-errors]
  836 |     unicodecpy(&ntlmbuf[size], host, hostlen / 2);
      |                 ^~~~~~~~~~~~~
https://github.com/curl/curl/actions/runs/17296961941/job/49097574789?pr=18422#step:11:157

silence bunch more

https://github.com/curl/curl/actions/runs/17297304862/job/49098795447?pr=18422

silence bunch more 2

more odd cases in vtls.c
Viktor Szakats 2025-08-28 14:26:43 +02:00
parent f08ecdc586
commit 36e08e5e62
GPG key ID: B5ABD165E2AEF201
12 changed files with 21 additions and 0 deletions


@ -75,6 +75,7 @@ static void cf_hc_baller_reset(struct cf_hc_baller *b,
static bool cf_hc_baller_is_active(struct cf_hc_baller *b)
{
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
return b->cf && !b->result;
}
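Review bot: The suppression above `return b->cf && !b->result;` gives no reason, and the same bare `/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */` is repeated in every other section of this commit. This line performs no array indexing, so it looks like a pure analyzer false positive, whereas several of the other silenced lines are real indexed writes whose safety depends on a bound checked elsewhere. A one-line rationale at each site would let a later reader tell the two apart and would make it clear when the suppression can be dropped, for example `/* clang-tidy v21 false positive: no array access on this line */` placed directly above the NOLINTNEXTLINE comment here.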


@ -654,6 +654,7 @@ void Curl_all_content_encodings(char *buf, size_t blen)
*p++ = ' ';
}
}
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
p[-2] = '\0';
}
}
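Review bot: The silenced store `p[-2] = '\0';` is in bounds only if the loop before it appended at least one separator pair, and the hunk shows just the tail of that loop (`*p++ = ' ';`), so the invariant is not visible where the warning is suppressed. If `p` starts at `buf` and the list can end up empty, this writes before the buffer, which is exactly what the analyzer reported. I would state the guarantee next to the suppression, e.g. `/* at least one "name, " was written above, so p points at least 2 bytes past buf */`, or back it with `DEBUGASSERT(p - buf >= 2);` if that holds. The function body starts outside the hunk.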


@ -1753,6 +1753,7 @@ static bool content_type_match(const char *contenttype,
const char *target, size_t len)
{
if(contenttype && curl_strnequal(contenttype, target, len))
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
switch(contenttype[len]) {
case '\0':
case '\t':
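Review bot: The read of `contenttype[len]` in the `switch` is bounded only when `len` does not exceed the length of `target`. If `curl_strnequal()` reports a match when both strings end before `len` characters, a caller passing a larger `len` would index past the terminator of `contenttype`. The suppression hides that dependency on the callers, none of which are visible in this hunk. I would record the contract above the NOLINTNEXTLINE, e.g. `/* callers pass len == strlen(target), so after a match contenttype[len] is at worst the terminator */`, or enforce it with `DEBUGASSERT(len == strlen(target));` once confirmed. The function continues outside the hunk.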


@ -411,6 +411,7 @@ static void unicodecpy(unsigned char *dest, const char *src, size_t length)
{
size_t i;
for(i = 0; i < length; i++) {
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
dest[2 * i] = (unsigned char)src[i];
dest[2 * i + 1] = '\0';
}
@ -832,6 +833,7 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
DEBUGASSERT(size == hostoff);
if(unicode)
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
unicodecpy(&ntlmbuf[size], host, hostlen / 2);
else
memcpy(&ntlmbuf[size], host, hostlen);
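Review bot: In `unicodecpy()` the suppression covers only `dest[2 * i] = ...`, while the following `dest[2 * i + 1] = '\0';` writes one byte further and is the actual high-water mark of the copy. The safety of both stores rests on the caller guaranteeing room for `2 * length` bytes. At the call site `unicodecpy(&ntlmbuf[size], host, hostlen / 2);` the hunk shows `DEBUGASSERT(size == hostoff);` but not the check that `size + hostlen` fits in `ntlmbuf`, and the `memcpy` in the `else` branch depends on the same bound. A comment at the call naming that earlier check, e.g. `/* size + hostlen was verified against the ntlmbuf size above */` once confirmed, would make the suppression auditable. Both functions extend outside their hunks.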


@ -1048,6 +1048,7 @@ static size_t multissl_version(char *buffer, size_t size)
backends[0] = '\0';
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
for(i = 0; available_backends[i]; ++i) {
char vb[200];
bool paren = (selected != available_backends[i]);
@ -1088,6 +1089,7 @@ static int multissl_setup(const struct Curl_ssl *backend)
env = curl_getenv("CURL_SSL_BACKEND");
if(env) {
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
for(i = 0; available_backends[i]; i++) {
if(curl_strequal(env, available_backends[i]->info.name)) {
Curl_ssl = available_backends[i];
@ -1134,6 +1136,7 @@ CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
CURLSSLSET_UNKNOWN_BACKEND;
#endif
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
for(i = 0; available_backends[i]; i++) {
if(available_backends[i]->info.id == id ||
(name && curl_strequal(available_backends[i]->info.name, name))) {


@ -180,6 +180,7 @@ static void add_answer(unsigned char *bytes, size_t *w,
size_t i = *w;
/* add answer */
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
bytes[i++] = 0xc0;
bytes[i++] = 0x0c; /* points to the query at this fixed packet index */


@ -99,6 +99,7 @@ static int readline(char **buffer, size_t *bufsize, size_t *length,
}
*length = offset + line_length(*buffer + offset, bytestoread);
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
if(*(*buffer + *length - 1) == '\n')
break;
offset = *length;
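Review bot: The silenced read `*(*buffer + *length - 1)` touches the byte before the buffer whenever `*length` is 0. The line above sets `*length = offset + line_length(*buffer + offset, bytestoread);`, so that happens if `offset` is 0 and `line_length()` returns 0. The hunk does not show what rules that out, so the suppression may be hiding a reachable case rather than a false positive. If the preceding read is guaranteed to have stored at least one character, say so at the site, e.g. `/* the read above succeeded, so *length >= 1 here */`. Otherwise guard the access with `if(*length && *(*buffer + *length - 1) == '\n')`. The loop and function continue outside the hunk.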


@ -655,6 +655,7 @@ static int rtspd_get_request(curl_socket_t sock, struct rtspd_httprequest *req)
logmsg("Read %zd bytes", got);
req->offset += (size_t)got;
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
reqbuf[req->offset] = '\0';
done_processing = rtspd_ProcessRequest(req);
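Review bot: The store `reqbuf[req->offset] = '\0';` runs right after `req->offset += (size_t)got;`, so it stays inside the buffer only if the preceding read was capped to leave one byte for the terminator. That cap is outside the hunk, and the byte count comes from the network peer, so this is the kind of site where a silenced ArrayBound report deserves a stated reason. I would add a comment above the suppression naming the read limit that reserves the final byte, or an explicit comparison of `req->offset` against the buffer size before the store. The function continues outside the hunk.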


@ -1023,6 +1023,7 @@ static bool juggle(curl_socket_t *sockfdp,
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Warith-conversion"
#endif
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
FD_SET(sockfd, &fds_read);
#ifdef __DJGPP__
#pragma GCC diagnostic pop
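Review bot: On POSIX builds `FD_SET(sockfd, &fds_read)` indexes the `fd_set` bitmap by descriptor value, so a descriptor at or above `FD_SETSIZE` writes outside the set. That is a real out-of-bounds class, not an analyzer artefact, and nothing in this hunk shows the descriptor being range-checked. The same applies to the silenced `FD_ISSET`/`FD_SET` calls in the `tunnel()`, `socksd_incoming()`, `connect_to()` and `http_connect()` sections further down. For non-Windows builds I would either add a guard such as `if(sockfd >= (curl_socket_t)FD_SETSIZE) return FALSE;` before the macro, or note why these test servers cannot reach that many descriptors, e.g. `/* test server: descriptor count stays far below FD_SETSIZE */`. The function continues outside the hunk.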


@ -560,6 +560,7 @@ static int tunnel(struct perclient *cp, fd_set *fds)
ssize_t nread;
ssize_t nwrite;
char buffer[512];
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
if(FD_ISSET(cp->clientfd, fds)) {
/* read from client, send to remote */
nread = recv(cp->clientfd, buffer, sizeof(buffer), 0);
@ -573,6 +574,7 @@ static int tunnel(struct perclient *cp, fd_set *fds)
else
return 1;
}
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
if(FD_ISSET(cp->remotefd, fds)) {
/* read from remote, send to client */
nread = recv(cp->remotefd, buffer, sizeof(buffer), 0);
@ -680,6 +682,7 @@ static bool socksd_incoming(curl_socket_t listenfd)
return FALSE;
}
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
if((clients < 2) && FD_ISSET(sockfd, &fds_read)) {
curl_socket_t newfd = accept(sockfd, NULL, NULL);
if(CURL_SOCKET_BAD == newfd) {


@ -1311,6 +1311,7 @@ static curl_socket_t connect_to(const char *ipaddr, unsigned short port)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Warith-conversion"
#endif
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
FD_SET(serverfd, &output);
#ifdef __DJGPP__
#pragma GCC diagnostic pop
@ -1490,6 +1491,7 @@ static void http_connect(curl_socket_t *infdp,
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Warith-conversion"
#endif
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
FD_SET(serverfd[i], &input);
#ifdef __DJGPP__
#pragma GCC diagnostic pop
@ -1607,6 +1609,7 @@ static void http_connect(curl_socket_t *infdp,
size_t len;
if(clientfd[i] != CURL_SOCKET_BAD) {
len = sizeof(readclient[i]) - tos[i];
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
if(len && FD_ISSET(clientfd[i], &input)) {
/* read from client */
rc = sread(clientfd[i], &readclient[i][tos[i]], len);
@ -1625,6 +1628,7 @@ static void http_connect(curl_socket_t *infdp,
}
if(serverfd[i] != CURL_SOCKET_BAD) {
len = sizeof(readserver[i])-toc[i];
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
if(len && FD_ISSET(serverfd[i], &input)) {
/* read from server */
rc = sread(serverfd[i], &readserver[i][toc[i]], len);
@ -1662,6 +1666,7 @@ static void http_connect(curl_socket_t *infdp,
}
}
if(serverfd[i] != CURL_SOCKET_BAD) {
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
if(tos[i] && FD_ISSET(serverfd[i], &output)) {
/* write to server */
rc = swrite(serverfd[i], readclient[i], tos[i]);


@ -913,6 +913,7 @@ static int do_tftp(struct testcase *test, struct tftphdr *tp, ssize_t size)
filename = cp;
do {
bool endofit = true;
/* NOLINTNEXTLINE(clang-analyzer-security.ArrayBound) */
while(cp < &trsbuf.storage[size]) {
if(*cp == '\0') {
endofit = false;
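Review bot: The loop bound `&trsbuf.storage[size]` is computed from `size`, the signed `ssize_t` parameter of `do_tftp()`, which presumably carries the length of a received packet. If it can be negative or larger than `trsbuf.storage`, the end pointer itself is out of range and every `*cp` read in the loop follows it. The hunk shows no validation of `size`, so the suppression should say where it happens, e.g. `/* size is the recv() result, already checked to be within sizeof(trsbuf.storage) by the caller */` once that is confirmed. If no such check exists, clamp `size` before the loop rather than silencing the warning. The loop and function continue outside the hunk.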