NLnetLabs
diff --git a/‎dnssec.c
+13-8 b/‎dnssec.c
+13-8
diff --git a/‎dnssec_sign.c
+36-11 b/‎dnssec_sign.c
+36-11
diff --git a/‎dnssec_verify.c
+2-2 b/‎dnssec_verify.c
+2-2
diff --git a/‎dnssec_zone.c
+10-16 b/‎dnssec_zone.c
+10-16
diff --git a/‎higher.c
+1-1 b/‎higher.c
+1-1
@@ -378,10 +378,12 @@ ldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 		BN_free(Y);
 		return NULL;
 	}
+#ifndef S_SPLINT_S
 	dsa->p = P;
 	dsa->q = Q;
 	dsa->g = G;
 	dsa->pub_key = Y;
+#endif /* splint */
 
 	return dsa;
 }
@@ -444,8 +446,10 @@ ldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 		BN_free(modulus);
 		return NULL;
 	}
+#ifndef S_SPLINT_S
 	rsa->n = modulus;
 	rsa->e = exponent;
+#endif /* splint */
 
 	return rsa;
 }
@@ -623,7 +627,7 @@ ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
 			return NULL;
 		}
 		tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
-		                            EVP_MD_size(md),
+		                            (size_t)EVP_MD_size(md),
 		                            digest);
 		ldns_rr_push_rdf(ds, tmp);
 #endif
@@ -916,7 +920,7 @@ ldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs)
 
 	ldns_rr *nsec = NULL;
 	ldns_rr_type i_type_list[65536];
-	int type_count = 0;
+	size_t type_count = 0;
 
 	nsec = ldns_rr_new();
 	ldns_rr_set_type(nsec, LDNS_RR_TYPE_NSEC);
@@ -1134,7 +1138,7 @@ ldns_create_nsec3(ldns_rdf *cur_owner,
 	ldns_status status;
 
     ldns_rr_type i_type_list[1024];
-	int type_count = 0;
+	size_t type_count = 0;
 
 	hashed_owner = ldns_nsec3_hash_name(cur_owner,
 								 algorithm,
@@ -1679,8 +1683,8 @@ ldns_convert_ecdsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len)
         }
         BN_bn2bin(ecdsa_sig->r, data);
         BN_bn2bin(ecdsa_sig->s, data+BN_num_bytes(ecdsa_sig->r));
-	rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64,
-                BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s), data);
+	rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, (size_t)(
+		BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s)), data);
         ECDSA_SIG_free(ecdsa_sig);
         return rdf;
 }
@@ -1691,7 +1695,7 @@ ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
 {
         ECDSA_SIG* sig;
 	int raw_sig_len;
-        long bnsize = ldns_rdf_size(sig_rdf) / 2;
+        long bnsize = (long)ldns_rdf_size(sig_rdf) / 2;
         /* if too short, or not even length, do not bother */
         if(bnsize < 16 || (size_t)bnsize*2 != ldns_rdf_size(sig_rdf))
                 return LDNS_STATUS_ERR;
@@ -1710,9 +1714,10 @@ ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
 
 	raw_sig_len = i2d_ECDSA_SIG(sig, NULL);
 	if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
-                unsigned char* pp = ldns_buffer_current(target_buffer);
+                unsigned char* pp = (unsigned char*)
+			ldns_buffer_current(target_buffer);
 	        raw_sig_len = i2d_ECDSA_SIG(sig, &pp);
-                ldns_buffer_skip(target_buffer, (size_t) raw_sig_len);
+                ldns_buffer_skip(target_buffer, (ssize_t) raw_sig_len);
 	}
         ECDSA_SIG_free(sig);
 
 
@@ -120,7 +120,7 @@ ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key)
 
 	switch(ldns_key_algorithm(current_key)) {
 	case LDNS_SIGN_DSA:
-	case LDNS_DSA_NSEC3:
+	case LDNS_SIGN_DSA_NSEC3:
 		b64rdf = ldns_sign_public_evp(
 				   sign_buf,
 				   ldns_key_evp_key(current_key),
@@ -357,6 +357,7 @@ ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
 }
 
 #ifdef USE_ECDSA
+#ifndef S_SPLINT_S
 static int
 ldns_pkey_is_ecdsa(EVP_PKEY* pkey)
 {
@@ -380,6 +381,7 @@ ldns_pkey_is_ecdsa(EVP_PKEY* pkey)
         EC_KEY_free(ec);
         return 0;
 }
+#endif /* splint */
 #endif /* USE_ECDSA */
 
 ldns_rdf *
@@ -431,6 +433,7 @@ ldns_sign_public_evp(ldns_buffer *to_sign,
 	}
 
 	/* unfortunately, OpenSSL output is differenct from DNS DSA format */
+#ifndef S_SPLINT_S
 	if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) {
 		sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen);
 #ifdef USE_ECDSA
@@ -443,6 +446,7 @@ ldns_sign_public_evp(ldns_buffer *to_sign,
 		sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
 									 ldns_buffer_begin(b64sig));
 	}
+#endif /* splint */
 	ldns_buffer_free(b64sig);
 	EVP_MD_CTX_cleanup(&ctx);
 	return sigdata_rdf;
@@ -640,7 +644,10 @@ ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
 		                                  next_name,
 		                                  LDNS_RR_TYPE_NSEC);
 		ldns_rr_set_ttl(nsec_rr, nsec_ttl);
-		ldns_dnssec_name_add_rr(cur_name, nsec_rr);
+		if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){
+			ldns_rr_free(nsec_rr);
+			return LDNS_STATUS_ERR;
+		}
 		ldns_rr_list_push_rr(new_rrs, nsec_rr);
 		cur_node = next_node;
 		if (cur_node) {
@@ -656,7 +663,10 @@ ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
 		                                  next_name,
 		                                  LDNS_RR_TYPE_NSEC);
 		ldns_rr_set_ttl(nsec_rr, nsec_ttl);
-		ldns_dnssec_name_add_rr(cur_name, nsec_rr);
+		if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){
+			ldns_rr_free(nsec_rr);
+			return LDNS_STATUS_ERR;
+		}
 		ldns_rr_list_push_rr(new_rrs, nsec_rr);
 	} else {
 		printf("error\n");
@@ -727,15 +737,18 @@ ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone,
 			ldns_rdf_deep_free(ldns_rr_pop_rdf(nsec_rr));
 		}
 		ldns_rr_set_ttl(nsec_rr, nsec_ttl);
-		ldns_dnssec_name_add_rr(current_name, nsec_rr);
+		result = ldns_dnssec_name_add_rr(current_name, nsec_rr);
 		ldns_rr_list_push_rr(new_rrs, nsec_rr);
 		ldns_rr_list_push_rr(nsec3_list, nsec_rr);
 		current_name_node = ldns_dnssec_name_node_next_nonglue(
 		                   ldns_rbtree_next(current_name_node));
 	}
+	if (result != LDNS_STATUS_OK) {
+		return result;
+	}
 
 	ldns_rr_list_sort_nsec3(nsec3_list);
-	ldns_dnssec_chain_nsec3_list(nsec3_list);
+	result = ldns_dnssec_chain_nsec3_list(nsec3_list);
 	if (result != LDNS_STATUS_OK) {
 		return result;
 	}
@@ -963,7 +976,7 @@ ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone,
 					siglist = ldns_sign_public(rr_list, key_list);
 					for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
 						if (cur_rrset->signatures) {
-							ldns_dnssec_rrs_add_rr(cur_rrset->signatures,
+							result = ldns_dnssec_rrs_add_rr(cur_rrset->signatures,
 											   ldns_rr_list_rr(siglist,
 														    i));
 						} else {
@@ -998,7 +1011,7 @@ ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone,
 
 			for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
 				if (cur_name->nsec_signatures) {
-					ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures,
+					result = ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures,
 									   ldns_rr_list_rr(siglist, i));
 				} else {
 					cur_name->nsec_signatures = ldns_dnssec_rrs_new();
@@ -1044,7 +1057,10 @@ ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
 	}
 
 	/* zone is already sorted */
-	ldns_dnssec_zone_mark_glue(zone);
+	result = ldns_dnssec_zone_mark_glue(zone);
+	if (result != LDNS_STATUS_OK) {
+		return result;
+	}
 
 	/* check whether we need to add nsecs */
 	if (zone->names && !((ldns_dnssec_name *)zone->names->root->data)->nsec) {
@@ -1097,14 +1113,20 @@ ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
 	ldns_status result = LDNS_STATUS_OK;
 
 	/* zone is already sorted */
-	ldns_dnssec_zone_mark_glue(zone);
+	result = ldns_dnssec_zone_mark_glue(zone);
+	if (result != LDNS_STATUS_OK) {
+		return result;
+	}
 
 	/* TODO if there are already nsec3s presents and their
 	 * parameters are the same as these, we don't have to recreate
 	 */
 	if (zone->names) {
 		/* add empty nonterminals */
-		ldns_dnssec_zone_add_empty_nonterminals(zone);
+		result = ldns_dnssec_zone_add_empty_nonterminals(zone);
+		if (result != LDNS_STATUS_OK) {
+			return result;
+		}
 
 		nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec;
 		if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) {
@@ -1127,7 +1149,10 @@ ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
 				/* always set bit 7 of the flags to zero, according to
 				 * rfc5155 section 11 */
 				ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3params, 1)), 7, 0);
-				ldns_dnssec_zone_add_rr(zone, nsec3params);
+				result = ldns_dnssec_zone_add_rr(zone, nsec3params);
+				if (result != LDNS_STATUS_OK) {
+					return result;
+				}
 				ldns_rr_list_push_rr(new_rrs, nsec3params);
 			}
 			result = ldns_dnssec_zone_create_nsec3s(zone,
 
@@ -1536,7 +1536,7 @@ ldns_gost2pkey_raw(unsigned char* key, size_t keylen)
 	memmove(encoded+37, key, 64);
 	pp = (unsigned char*)&encoded[0];
 
-	return d2i_PUBKEY(NULL, &pp, sizeof(encoded));
+	return d2i_PUBKEY(NULL, &pp, (int)sizeof(encoded));
 }
 
 static ldns_status
@@ -1585,7 +1585,7 @@ ldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
 	 * of openssl) for uncompressed data */
 	buf[0] = POINT_CONVERSION_UNCOMPRESSED;
 	memmove(buf+1, key, keylen);
-        if(!o2i_ECPublicKey(&ec, &pp, keylen+1)) {
+        if(!o2i_ECPublicKey(&ec, &pp, (int)keylen+1)) {
                 EC_KEY_free(ec);
                 return NULL;
         }
 
@@ -320,7 +320,10 @@ ldns_dnssec_name_new_frm_rr(ldns_rr *rr)
 	ldns_dnssec_name *new_name = ldns_dnssec_name_new();
 
 	new_name->name = ldns_rr_owner(rr);
-	ldns_dnssec_name_add_rr(new_name, rr);
+	if(ldns_dnssec_name_add_rr(new_name, rr) != LDNS_STATUS_OK) {
+		ldns_dnssec_name_free(new_name);
+		return NULL;
+	}
 
 	return new_name;
 }
@@ -458,7 +461,7 @@ ldns_dnssec_name_add_rr(ldns_dnssec_name *name,
 	} else if (typecovered == LDNS_RR_TYPE_NSEC ||
 			 typecovered == LDNS_RR_TYPE_NSEC3) {
 		if (name->nsec_signatures) {
-			ldns_dnssec_rrs_add_rr(name->nsec_signatures, rr);
+			result = ldns_dnssec_rrs_add_rr(name->nsec_signatures, rr);
 		} else {
 			name->nsec_signatures = ldns_dnssec_rrs_new();
 			name->nsec_signatures->rr = rr;
@@ -516,15 +519,6 @@ ldns_dnssec_zone_find_rrset(ldns_dnssec_zone *zone,
 	}
 }
 
-static inline void
-print_indent(FILE *out, int c)
-{
-	int i;
-	for (i=0; i<c; i++) {
-		fprintf(out, "    ");
-	}
-}
-
 void
 ldns_dnssec_name_print_soa(FILE *out, ldns_dnssec_name *name, bool show_soa)
 {
@@ -686,10 +680,10 @@ ldns_dnssec_zone_add_rr(ldns_dnssec_zone *zone, ldns_rr *rr)
                 }
 		cur_node->key = ldns_rr_owner(rr);
 		cur_node->data = cur_name;
-		ldns_rbtree_insert(zone->names, cur_node);
+		(void)ldns_rbtree_insert(zone->names, cur_node);
 	} else {
 		cur_name = (ldns_dnssec_name *) cur_node->data;
-		ldns_dnssec_name_add_rr(cur_name, rr);
+		result = ldns_dnssec_name_add_rr(cur_name, rr);
 	}
 
 	if (result != LDNS_STATUS_OK) {
@@ -793,9 +787,9 @@ ldns_dnssec_zone_add_empty_nonterminals(ldns_dnssec_zone *zone)
 		 * label in the current name (counting from the end)
 		 */
 		for (i = 1; i < next_label_count - soa_label_count; i++) {
-			lpos = cur_label_count - next_label_count + i;
+			lpos = (int)cur_label_count - (int)next_label_count + (int)i;
 			if (lpos >= 0) {
-				l1 = ldns_dname_label(cur_name, lpos);
+				l1 = ldns_dname_label(cur_name, (uint8_t)lpos);
 			} else {
 				l1 = NULL;
 			}
@@ -823,7 +817,7 @@ ldns_dnssec_zone_add_empty_nonterminals(ldns_dnssec_zone *zone)
 				}
 				new_node->key = new_name->name;
 				new_node->data = new_name;
-				ldns_rbtree_insert(zone->names, new_node);
+				(void)ldns_rbtree_insert(zone->names, new_node);
 			}
 			ldns_rdf_deep_free(l1);
 			ldns_rdf_deep_free(l2);
 
@@ -212,7 +212,7 @@ ldns_get_rr_list_hosts_frm_fp_l(FILE *fp, int *line_nr)
 						break;
 					}
 				}
-				strlcpy(addr, word, LDNS_MAX_LINELEN+1);
+				(void)strlcpy(addr, word, LDNS_MAX_LINELEN+1);
 			} else {
 				/* la al la la */
 				if (ip6) {
Original file line number	Diff line number	Diff line change
`@@ -212,7 +212,7 @@ ldns_get_rr_list_hosts_frm_fp_l(FILE fp, int line_nr)`
`212`	`212`	`break;`
`213`	`213`	`}`
`214`	`214`	`}`
`215`		`- strlcpy(addr, word, LDNS_MAX_LINELEN+1);`
	`215`	`+ (void)strlcpy(addr, word, LDNS_MAX_LINELEN+1);`
`216`	`216`	`} else {`
`217`	`217`	`/* la al la la */`
`218`	`218`	`if (ip6) {`