From 3f016fcc5a5d9dbce9eb62e5c7b8b2ab03453aea Mon Sep 17 00:00:00 2001
From: Simon Goldschmidt
Date: Sun, 6 Apr 2014 21:43:37 +0200
Subject: [PATCH] Multiple small/minor issues: bug #36492 Static Analysis on code 1.4.0
---
 src/api/api_msg.c | 9 ++++++---
 src/api/tcpip.c | 5 +++++
 src/core/dhcp.c | 2 +-
 src/core/ipv4/ip_frag.c | 2 +-
 4 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/api/api_msg.c b/src/api/api_msg.c
index f39d7359..f3e4f9a3 100644
--- a/src/api/api_msg.c
+++ b/src/api/api_msg.c
@@ -1235,9 +1235,8 @@ lwip_netconn_do_writemore(struct netconn *conn)
 u16_t len, available;
 u8_t write_finished = 0;
 size_t diff;
- u8_t dontblock = netconn_is_nonblocking(conn) ||
- (conn->current_msg->msg.w.apiflags & NETCONN_DONTBLOCK);
- u8_t apiflags = conn->current_msg->msg.w.apiflags;
+ u8_t dontblock;
+ u8_t apiflags;
 LWIP_ASSERT("conn != NULL", conn != NULL);
 LWIP_ASSERT("conn->state == NETCONN_WRITE", (conn->state == NETCONN_WRITE));
@@ -1246,6 +1245,10 @@ lwip_netconn_do_writemore(struct netconn *conn)
 LWIP_ASSERT("conn->write_offset < conn->current_msg->msg.w.len", conn->write_offset < conn->current_msg->msg.w.len);
+ dontblock = netconn_is_nonblocking(conn) ||
+ (conn->current_msg->msg.w.apiflags & NETCONN_DONTBLOCK);
+ apiflags = conn->current_msg->msg.w.apiflags;
+
 #if LWIP_SO_SNDTIMEO
 if ((conn->send_timeout != 0) && ((s32_t)(sys_now() - conn->current_msg->msg.w.time_started) >= conn->send_timeout)) {
diff --git a/src/api/tcpip.c b/src/api/tcpip.c
index 31e7c924..06ff3c79 100644
--- a/src/api/tcpip.c
+++ b/src/api/tcpip.c
@@ -93,6 +93,11 @@ tcpip_thread(void *arg)
 /* wait for a message, timeouts are processed while waiting */
 sys_timeouts_mbox_fetch(&mbox, (void **)&msg);
 LOCK_TCPIP_CORE();
+ if (msg == NULL) {
+ LWIP_DEBUGF(TCPIP_DEBUG, ("tcpip_thread: invalid message: NULL\n"));
+ LWIP_ASSERT("tcpip_thread: invalid message", 0);
+ continue;
+ }
 switch (msg->type) {
 #if LWIP_NETCONN
 case TCPIP_MSG_API:
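Review bot: Nothing in the two api_msg.c hunks records that `dontblock` and `apiflags` are assigned late on purpose, so a later cleanup could fold the `conn->current_msg` reads back into the declarations and bring the analyzer finding back. A comment above the moved assignments in the second hunk, for example `/* read conn->current_msg only after the asserts above have run */`, would make the ordering explicit. The asserts are also the only guard: if `LWIP_ASSERT` is compiled out in a given build (not visible here), `conn->current_msg` is still dereferenced unconditionally, so the reordering adds no run-time NULL check. The body of lwip_netconn_do_writemore starts and ends outside both hunks, and the asserts between them are not shown.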
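Review bot: The `continue` on the new NULL path in tcpip_thread is taken after `LOCK_TCPIP_CORE()` two lines above, so the core lock is still held when control goes back to the loop head. The loop head is outside this hunk; the placement of the check suggests it releases the lock before the next fetch, but that should be confirmed and written down, for example `/* core is locked here; the loop head is expected to unlock it again */` just before `continue;`. In builds where `LWIP_ASSERT` does not halt and `TCPIP_DEBUG` output is off, the NULL message is dropped without any trace, which is worth stating in the same comment.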
diff --git a/src/core/dhcp.c b/src/core/dhcp.c
index 32307461..28c594d9 100644
--- a/src/core/dhcp.c
+++ b/src/core/dhcp.c
@@ -1563,7 +1563,7 @@ dhcp_recv(void *arg, struct udp_pcb *pcb, struct pbuf *p, ip_addr_t *addr, u16_t
 goto free_pbuf_and_return;
 }
 /* iterate through hardware address and match against DHCP message */
- for (i = 0; i < netif->hwaddr_len; i++) {
+ for (i = 0; i < netif->hwaddr_len && i < NETIF_MAX_HWADDR_LEN && i < DHCP_CHADDR_LEN; i++) {
 if (netif->hwaddr[i] != reply_msg->chaddr[i]) {
 LWIP_DEBUGF(DHCP_DEBUG | LWIP_DBG_TRACE | LWIP_DBG_LEVEL_WARNING, ("netif->hwaddr[%"U16_F"]==%02"X16_F" != reply_msg->chaddr[%"U16_F"]==%02"X16_F"\n",
diff --git a/src/core/ipv4/ip_frag.c b/src/core/ipv4/ip_frag.c
index 1b549834..8bf8141f 100644
--- a/src/core/ipv4/ip_frag.c
+++ b/src/core/ipv4/ip_frag.c
@@ -423,7 +423,7 @@ ip_reass_chain_frag_into_datagram_and_validate(struct ip_reassdata *ipr, struct
 if (valid) {
 /* then check if the rest of the fragments is here */
 /* Check if the queue starts with the first datagram */
- if (((struct ip_reass_helper*)ipr->p->payload)->start != 0) {
+ if ((ipr->p == NULL) || (((struct ip_reass_helper*)ipr->p->payload)->start != 0)) {
 valid = 0;
 } else {
 /* and check that there are no wholes after this datagram */
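Review bot: A `netif->hwaddr_len` larger than either array is now tolerated silently by the clamped `for` condition in dhcp_recv: the reads stay in bounds, but the chaddr match then covers only a prefix of the configured address and nothing reports the inconsistent netif. An `LWIP_ASSERT("hwaddr_len fits hwaddr[]", netif->hwaddr_len <= NETIF_MAX_HWADDR_LEN);` ahead of the loop would surface that case while keeping the clamp as the run-time guard. The relation between `NETIF_MAX_HWADDR_LEN` and `DHCP_CHADDR_LEN` looks fixed at build time, so, if both are preprocessor constants, one of the two per-iteration comparisons could be replaced by a single `#if`/`#error` check. The loop body continues past the end of the hunk.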
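Review bot: An empty queue is folded into the ordinary "datagram not complete yet" result by the new `ipr->p == NULL` operand in ip_frag.c, whereas the tcpip.c hunk of the same commit logs and asserts on its unexpected NULL. If `ipr->p` is never meant to be NULL at this point (the code that fills the queue is outside the hunk), an `LWIP_ASSERT("ipr->p != NULL", ipr->p != NULL);` before the `if` would keep the defensive branch and still make a broken invariant visible. The comment above the condition should also say that an empty queue counts as not valid, for example `/* An empty queue, or one not starting at offset 0, cannot be complete */`.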