14 files changed, 62 insertions, 52 deletions
diff --git a/daemon/bindings/net.c b/daemon/bindings/net.c
index f1fa6f3..0075d0f 100644
--- a/daemon/bindings/net.c
+++ b/daemon/bindings/net.c
@@ -470,7 +470,7 @@ static int net_interfaces(lua_State *L)
 		/* Hardware address. */
 		char *p = buf;
 		for (int k = 0; k < sizeof(iface.phys_addr); ++k) {
-			sprintf(p, "%.2x:", (uint8_t)iface.phys_addr[k]);
+			(void)sprintf(p, "%.2x:", (uint8_t)iface.phys_addr[k]);
 			p += 3;
 		}
 		p[-1] = '\0';
@@ -794,7 +794,7 @@ static int net_tls_client(lua_State *L)
 		/* Sort the strings for easier comparison later. */
 		if (newcfg->ca_files.len) {
 			qsort(&newcfg->ca_files.at[0], newcfg->ca_files.len,
-				sizeof(newcfg->ca_files.at[0]), strcmp_p);
+				array_member_size(newcfg->ca_files), strcmp_p);
 		}
 	}
 	lua_pop(L, 1);
@@ -834,7 +834,7 @@ static int net_tls_client(lua_State *L)
 		/* Sort the raw strings for easier comparison later. */
 		if (newcfg->pins.len) {
 			qsort(&newcfg->pins.at[0], newcfg->pins.len,
-				sizeof(newcfg->pins.at[0]), cmp_sha256);
+				array_member_size(newcfg->pins), cmp_sha256);
 		}
 	}
 	lua_pop(L, 1);
@@ -1042,7 +1042,11 @@ static int net_tls_sticket_secret_file(lua_State *L)
 				STR(net_tls_sticket_MIN_SECRET_LEN) " bytes",
 			file_name);
 	}
-	fclose(fp);
+	if (fclose(fp) == EOF) {
+		lua_error_p(L,
+			"net.tls_sticket_secret_file - reading of file '%s' failed",
+			file_name);
+	}
 
 	struct network *net = &the_worker->engine->net;
 
diff --git a/daemon/engine.c b/daemon/engine.c
index 1d387ea..8c00a5b 100644
--- a/daemon/engine.c
+++ b/daemon/engine.c
@@ -52,9 +52,6 @@
 #define TCP_BACKLOG_DEFAULT 128
 #endif
 
-/* Cleanup engine state every 5 minutes */
-const size_t CLEANUP_TIMER = 5*60*1000;
-
 /* Execute byte code */
 #define l_dobytecode(L, arr, len, name) \
 	(luaL_loadbuffer((L), (arr), (len), (name)) || lua_pcall((L), 0, LUA_MULTRET, 0))
@@ -223,7 +220,6 @@ static int l_log_groups(lua_State *L)
 			goto bad_call;
 		kr_log_group_reset();
 
-		int idx = 1;
 		lua_pushnil(L);
 		while (lua_next(L, 1) != 0) {
 			const char *grp_str = lua_tostring(L, -1);
@@ -237,7 +233,6 @@ static int l_log_groups(lua_State *L)
 				kr_log_warning(SYSTEM, "WARNING: unknown log group '%s'\n", lua_tostring(L, -1));
 			}
 
-			++idx;
 			lua_pop(L, 1);
 		}
 	}
@@ -611,7 +606,7 @@ int init_lua(struct engine *engine) {
 	#pragma GCC diagnostic push
 	#pragma GCC diagnostic ignored "-Wformat" /* %1$ is not in C standard */
 	/* Save original package.path to package._path */
-	snprintf(l_paths, MAXPATHLEN - 1,
+	(void)snprintf(l_paths, MAXPATHLEN - 1,
 		 "if package._path == nil then package._path = package.path end\n"
 		 "package.path = '%1$s/?.lua;%1$s/?/init.lua;'..package._path\n"
 		 "if package._cpath == nil then package._cpath = package.cpath end\n"
diff --git a/daemon/io.c b/daemon/io.c
index 6d548d7..9299ff2 100644
--- a/daemon/io.c
+++ b/daemon/io.c
@@ -151,7 +151,7 @@ static int family_to_freebind_option(sa_family_t sa_family, int *level, int *nam
 #define LOG_NO_FB kr_log_error(NETWORK, "your system does not support 'freebind', " \
 				"please remove it from your configuration\n")
 	switch (sa_family) {
-	case AF_INET:
+	case AF_INET:  // NOLINT(bugprone-branch-clone): The branches are only cloned for specific macro configs
 		*level = IPPROTO_IP;
 #if defined(IP_FREEBIND)
 		*name = IP_FREEBIND;
@@ -510,7 +510,7 @@ static ssize_t tls_send(const uint8_t *buf, const size_t len, struct session *se
 }
 #endif
 
-static void _tcp_accept(uv_stream_t *master, int status, bool tls, bool http)
+static void tcp_accept_internal(uv_stream_t *master, int status, bool tls, bool http)
 {
  	if (status != 0) {
 		return;
@@ -631,18 +631,18 @@ static void _tcp_accept(uv_stream_t *master, int status, bool tls, bool http)
 
 static void tcp_accept(uv_stream_t *master, int status)
 {
-	_tcp_accept(master, status, false, false);
+	tcp_accept_internal(master, status, false, false);
 }
 
 static void tls_accept(uv_stream_t *master, int status)
 {
-	_tcp_accept(master, status, true, false);
+	tcp_accept_internal(master, status, true, false);
 }
 
 #if ENABLE_DOH2
 static void https_accept(uv_stream_t *master, int status)
 {
-	_tcp_accept(master, status, true, true);
+	tcp_accept_internal(master, status, true, true);
 }
 #endif
 
@@ -834,16 +834,25 @@ void io_tty_process_input(uv_stream_t *stream, ssize_t nread, const uv_buf_t *bu
 				len_s = 0;
 			}
 			uint32_t len_n = htonl(len_s);
-			fwrite(&len_n, sizeof(len_n), 1, out);
-			if (len_s > 0)
-				fwrite(message, len_s, 1, out);
+			if (fwrite(&len_n, sizeof(len_n), 1, out) != 1)
+				goto finish;
+			if (len_s > 0) {
+				if (fwrite(message, len_s, 1, out) != 1)
+					goto finish;
+			}
 		} else {
-			if (message)
-				fprintf(out, "%s", message);
-			if (message || !args->quiet)
-				fprintf(out, "\n");
-			if (!args->quiet)
-				fprintf(out, "> ");
+			if (message) {
+				if (fprintf(out, "%s", message) < 0)
+					goto finish;
+			}
+			if (message || !args->quiet) {
+				if (fprintf(out, "\n") < 0)
+					goto finish;
+			}
+			if (!args->quiet) {
+				if (fprintf(out, "> ") < 0)
+					goto finish;
+			}
 		}
 
 		/* Duplicate command and output to logs */
@@ -865,7 +874,7 @@ void io_tty_process_input(uv_stream_t *stream, ssize_t nread, const uv_buf_t *bu
 finish:
 	/* Close if redirected */
 	if (stream_fd != STDIN_FILENO) {
-		fclose(out);
+		(void)fclose(out);
 	}
 }
 
diff --git a/daemon/main.c b/daemon/main.c
index 41a55ad..a346a5c 100644
--- a/daemon/main.c
+++ b/daemon/main.c
@@ -425,9 +425,9 @@ int main(int argc, char **argv)
 {
 	kr_log_group_reset();
 	if (setvbuf(stdout, NULL, _IONBF, 0) || setvbuf(stderr, NULL, _IONBF, 0)) {
-		kr_log_error(SYSTEM, "failed to to set output buffering (ignored): %s\n",
+		kr_log_error(SYSTEM, "failed to set output buffering (ignored): %s\n",
 				strerror(errno));
-		fflush(stderr);
+		(void)fflush(stderr);
 	}
 	if (strcmp("linux", OPERATING_SYSTEM) != 0)
 		kr_log_warning(SYSTEM, "Knot Resolver is tested on Linux, other platforms might exhibit bugs.\n"
@@ -490,7 +490,7 @@ int main(int argc, char **argv)
 	if (ret) {
 		kr_log_error(SYSTEM, "failed to get or set file-descriptor limit: %s\n",
 				strerror(errno));
-	} else if (rlim.rlim_cur < 512*1024) {
+	} else if (rlim.rlim_cur < (rlim_t)512 * 1024) {
 		kr_log_warning(SYSTEM, "warning: hard limit for number of file-descriptors is only %ld but recommended value is 524288\n",
 				(long)rlim.rlim_cur);
 	}
diff --git a/daemon/meson.build b/daemon/meson.build
index 68a2646..8446b82 100644
--- a/daemon/meson.build
+++ b/daemon/meson.build
@@ -65,4 +65,5 @@ kresd = executable(
   export_dynamic: true,
   install: true,
   install_dir: get_option('sbindir'),
+  install_rpath: rpath,
 )
diff --git a/daemon/proxyv2.c b/daemon/proxyv2.c
index aedbb91..8197003 100644
--- a/daemon/proxyv2.c
+++ b/daemon/proxyv2.c
@@ -279,6 +279,7 @@ ssize_t proxy_process_header(struct proxy_result *out, struct session *s,
 				&addr->ipv6_addr.dst_addr,
 				sizeof(out->dst_addr.ip6.sin6_addr.s6_addr));
 		break;
+	default:; /* Keep zero from initializer. */
 	}
 
 	/* Process additional information */
@@ -287,7 +288,7 @@ ssize_t proxy_process_header(struct proxy_result *out, struct session *s,
 		case TLV_TYPE_SSL:
 			out->has_tls = true;
 			break;
-		/* TODO: add more TLV types if needed */
+		default:; /* Ignore others - add more if needed */
 		}
 	}
 
diff --git a/daemon/session.c b/daemon/session.c
index ed0ff68..91d3c39 100644
--- a/daemon/session.c
+++ b/daemon/session.c
@@ -13,7 +13,7 @@
 #include "daemon/proxyv2.h"
 #include "lib/generic/queue.h"
 
-#define TLS_CHUNK_SIZE (16 * 1024)
+#define TLS_CHUNK_SIZE ((size_t)16 * 1024)
 
 /* Initial max frame size: https://tools.ietf.org/html/rfc7540#section-6.5.2 */
 #define HTTP_MAX_FRAME_SIZE 16384
diff --git a/daemon/tls.c b/daemon/tls.c
index 2e1631b..0ab3968 100644
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -23,7 +23,7 @@
 #include "daemon/worker.h"
 #include "daemon/session.h"
 
-#define EPHEMERAL_CERT_EXPIRATION_SECONDS_RENEW_BEFORE (60*60*24*7)
+#define EPHEMERAL_CERT_EXPIRATION_SECONDS_RENEW_BEFORE ((time_t)60*60*24*7)
 #define GNUTLS_PIN_MIN_VERSION  0x030400
 
 #define VERBOSE_MSG(cl_side, ...)\
@@ -659,7 +659,7 @@ static int str_replace(char **where_ptr, const char *with)
 	return kr_ok();
 }
 
-static time_t _get_end_entity_expiration(gnutls_certificate_credentials_t creds)
+static time_t get_end_entity_expiration(gnutls_certificate_credentials_t creds)
 {
 	gnutls_datum_t data;
 	gnutls_x509_crt_t cert = NULL;
@@ -731,7 +731,7 @@ int tls_certificate_set(struct network *net, const char *tls_cert, const char *t
 		return kr_error(EINVAL);
 	}
 	/* record the expiration date: */
-	tls_credentials->valid_until = _get_end_entity_expiration(tls_credentials->credentials);
+	tls_credentials->valid_until = get_end_entity_expiration(tls_credentials->credentials);
 
 	/* Exchange the x509 credentials */
 	struct tls_credentials *old_credentials = net->tls_credentials;
diff --git a/daemon/tls.h b/daemon/tls.h
index af1f5c9..c30444b 100644
--- a/daemon/tls.h
+++ b/daemon/tls.h
@@ -30,7 +30,7 @@
  * So it takes 2 RTT.
  * As we use session tickets, there are additional messages, add one RTT mode.
  */
- #define TLS_MAX_HANDSHAKE_TIME (KR_CONN_RTT_MAX * 3)
+ #define TLS_MAX_HANDSHAKE_TIME (KR_CONN_RTT_MAX * (uint64_t)3)
 
 /** Transport session (opaque). */
 struct session;
diff --git a/daemon/tls_ephemeral_credentials.c b/daemon/tls_ephemeral_credentials.c
index ff4682f..2b928fa 100644
--- a/daemon/tls_ephemeral_credentials.c
+++ b/daemon/tls_ephemeral_credentials.c
@@ -17,19 +17,19 @@
 
 #define EPHEMERAL_PRIVKEY_FILENAME "ephemeral_key.pem"
 #define INVALID_HOSTNAME "dns-over-tls.invalid"
-#define EPHEMERAL_CERT_EXPIRATION_SECONDS (60*60*24*90)
+#define EPHEMERAL_CERT_EXPIRATION_SECONDS ((time_t)60*60*24*90)
 
 /* This is an attempt to grab an exclusive, advisory, non-blocking
  * lock based on a filename.  At the moment it's POSIX-only, but it
  * should be abstract enough of an interface to make an implementation
  * for non-posix systems if anyone cares. */
 typedef int lock_t;
-static bool _lock_is_invalid(lock_t lock)
+static bool lock_is_invalid(lock_t lock)
 {
 	return lock == -1;
 }
 /* a blocking lock on a given filename */
-static lock_t _lock_filename(const char *fname)
+static lock_t lock_filename(const char *fname)
 {
 	lock_t lockfd = open(fname, O_RDONLY|O_CREAT, 0400);
 	if (lockfd == -1)
@@ -41,9 +41,9 @@ static lock_t _lock_filename(const char *fname)
 	}
 	return lockfd; /* for cleanup later */
 }
-static void _lock_unlock(lock_t *lock, const char *fname)
+static void lock_unlock(lock_t *lock, const char *fname)
 {
-	if (lock && !_lock_is_invalid(*lock)) {
+	if (lock && !lock_is_invalid(*lock)) {
 		flock(*lock, LOCK_UN);
 		close(*lock);
 		*lock = -1;
@@ -61,8 +61,8 @@ static gnutls_x509_privkey_t get_ephemeral_privkey (void)
 
 	/* Take a lock to ensure that two daemons started concurrently
 	 * with a shared cache don't both create the same privkey: */
-	lock = _lock_filename(EPHEMERAL_PRIVKEY_FILENAME ".lock");
-	if (_lock_is_invalid(lock)) {
+	lock = lock_filename(EPHEMERAL_PRIVKEY_FILENAME ".lock");
+	if (lock_is_invalid(lock)) {
 		kr_log_error(TLS, "unable to lock lockfile " EPHEMERAL_PRIVKEY_FILENAME ".lock\n");
 		goto done;
 	}
@@ -91,7 +91,7 @@ static gnutls_x509_privkey_t get_ephemeral_privkey (void)
 		}
 		data.size = stat.st_size;
 		bytes_read = read(datafd, data.data, stat.st_size);
-		if (bytes_read != stat.st_size) {
+		if (bytes_read < 0 || bytes_read != stat.st_size) {
 			kr_log_error(TLS, "unable to read ephemeral private key\n");
 			goto bad_data;
 		}
@@ -141,7 +141,7 @@ static gnutls_x509_privkey_t get_ephemeral_privkey (void)
 		}
 	}
  done:
-	_lock_unlock(&lock, EPHEMERAL_PRIVKEY_FILENAME ".lock");
+	lock_unlock(&lock, EPHEMERAL_PRIVKEY_FILENAME ".lock");
 	if (datafd != -1) {
 		close(datafd);
 	}
@@ -219,7 +219,7 @@ struct tls_credentials * tls_get_ephemeral_credentials(struct engine *engine)
 	if ((privkey = get_ephemeral_privkey()) == NULL) {
 		goto failure;
 	}
-	if ((cert = get_ephemeral_cert(privkey, creds->ephemeral_servicename, now - 60*15, creds->valid_until)) == NULL) {
+	if ((cert = get_ephemeral_cert(privkey, creds->ephemeral_servicename, now - ((time_t)60 * 15), creds->valid_until)) == NULL) {
 		goto failure;
 	}
 	if ((err = gnutls_certificate_set_x509_key(creds->credentials, &cert, 1, privkey)) < 0) {
diff --git a/daemon/tls_session_ticket-srv.c b/daemon/tls_session_ticket-srv.c
index b198903..26d4186 100644
--- a/daemon/tls_session_ticket-srv.c
+++ b/daemon/tls_session_ticket-srv.c
@@ -188,7 +188,7 @@ static void tst_key_check(uv_timer_t *timer, bool force_update)
 	const uint64_t remain_ms = (tv_sec_next - now.tv_sec - 1) * (uint64_t)1000
 				 + ms_until_second + 1;
 	/* ^ +1 because we don't want to wake up half a millisecond before the epoch! */
-	if (kr_fails_assert(remain_ms < (TST_KEY_LIFETIME + 1 /*rounding tolerance*/) * 1000))
+	if (kr_fails_assert(remain_ms < ((uint64_t)TST_KEY_LIFETIME + 1 /*rounding tolerance*/) * 1000))
 		return;
 	kr_log_debug(TLS, "session ticket: epoch %"PRIu64
 			", scheduling rotation check in %"PRIu64" ms\n",
diff --git a/daemon/udp_queue.c b/daemon/udp_queue.c
index 1f8ff39..7ed600a 100644
--- a/daemon/udp_queue.c
+++ b/daemon/udp_queue.c
@@ -110,11 +110,11 @@ void udp_queue_push(int fd, struct kr_request *req, struct qr_task *task)
 	/* Get a valid correct queue. */
 	if (fd >= state.udp_queues_len) {
 		const int new_len = fd + 1;
-		state.udp_queues = realloc(state.udp_queues,
-					sizeof(state.udp_queues[0]) * new_len);
+		state.udp_queues = realloc(state.udp_queues, // NOLINT(bugprone-suspicious-realloc-usage): we just abort() below, so it's fine
+					sizeof(state.udp_queues[0]) * new_len); // NOLINT(bugprone-sizeof-expression): false-positive
 		if (!state.udp_queues) abort();
 		memset(state.udp_queues + state.udp_queues_len, 0,
-			sizeof(state.udp_queues[0]) * (new_len - state.udp_queues_len));
+			sizeof(state.udp_queues[0]) * (new_len - state.udp_queues_len)); // NOLINT(bugprone-sizeof-expression): false-positive
 		state.udp_queues_len = new_len;
 	}
 	if (unlikely(state.udp_queues[fd] == NULL))
diff --git a/daemon/worker.c b/daemon/worker.c
index 8b6b49e..12c08f1 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -195,7 +195,7 @@ static inline struct mempool *pool_borrow(struct worker_ctx *worker)
 {
 	/* The implementation used to have extra caching layer,
 	 * but it didn't work well.  Now it's very simple. */
-	return mp_new(16 * 1024);
+	return mp_new((size_t)16 * 1024);
 }
 /** Return a mempool. */
 static inline void pool_release(struct worker_ctx *worker, struct mempool *mp)
diff --git a/daemon/zimport.c b/daemon/zimport.c
index af21a15..39799b6 100644
--- a/daemon/zimport.c
+++ b/daemon/zimport.c
@@ -98,7 +98,7 @@ static int key_get(char buf[KEY_LEN], const knot_dname_t *name,
 	char *lf = (char *)knot_dname_lf(name, (uint8_t *)buf);
 	if (kr_fails_assert(lf && key_p))
 		return kr_error(EINVAL);
-	int len = lf[0];
+	int len = (unsigned char)lf[0];
 	lf++;  // point to start of data
 	*key_p = lf;
 	// Check that LF is right-aligned to KNOT_DNAME_MAXLEN in buf.
@@ -282,7 +282,7 @@ do_digest:
 		// hexdump the hash for logging
 		char hash_str[digs[i].size * 2 + 1];
 		for (ssize_t j = 0; j < digs[i].size; ++j)
-			sprintf(hash_str + 2*j, "%02x", digs[i].data[j]);
+			(void)sprintf(hash_str + 2*j, "%02x", digs[i].data[j]);
 
 		if (!z_import->digests[i].expected) {
 			kr_log_error(PREFILL, "no ZONEMD found; computed hash: %s\n",
@@ -560,7 +560,7 @@ int zi_zone_import(const zi_config_t config)
 	if (kr_fails_assert(c && c->zone_file))
 		return kr_error(EINVAL);
 
-	knot_mm_t *pool = mm_ctx_mempool2(1024 * 1024);
+	knot_mm_t *pool = mm_ctx_mempool2((size_t)1024 * 1024);
 	zone_import_ctx_t *z_import = mm_calloc(pool, 1, sizeof(*z_import));
 	if (!z_import) return kr_error(ENOMEM);
 	z_import->pool = pool;