From 20072fcde3e9448afad035ec7ea50e9fb268bddc Mon Sep 17 00:00:00 2001
From: James Jones
Date: Tue, 24 Sep 2024 17:17:43 -0500
Subject: [PATCH] Switch Coverity-only code to assert (CID #1619299)

fr_nbo_from_uint64v() does not have an error return--it doesn't need one. The buffers are big enough, the "| 0x80" means it will always use as least one byte, so fr_high_bit_pos() won't return 0 even if num == 0. So adding a bogus error return check for Coverity actually misleads Coverity about any call to fr_nbo_from_uint64v(), making it the probable cause of the CID.

---
 src/lib/util/nbo.h | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/lib/util/nbo.h b/src/lib/util/nbo.h
index f19bb2c0ade0..27dff67f11fb 100644
--- a/src/lib/util/nbo.h
+++ b/src/lib/util/nbo.h
@@ -123,10 +123,12 @@ static inline size_t fr_nbo_from_uint64v(uint8_t out[static sizeof(uint64_t)], u
 ret = ROUND_UP_DIV((size_t)fr_high_bit_pos(num | 0x80), 8);
 #ifdef __COVERITY__
 /*
- * Coverity doesn't realize that ret is necessarily <= 8,
- * so we give it a hint.
+ * Coverity doesn't realize that the fr_high_bit_pos() call will always
+ * return a value between 1 and 8 inclusive, the former thanks to the
+ * "| 0x80". and this function doesn't specify an error return value,
+ * so we use a Coverity-only assert.
 */
- if (ret > 8) return 0;
+ fr_assert(ret >= 1 && ret <= 8);
 #endif
 fr_nbo_from_uint64(swapped, num);
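Review bot: The new comment above `fr_assert(ret >= 1 && ret <= 8);` attributes the 1..8 range to fr_high_bit_pos(), but the value being asserted is `ret`, the result of `ROUND_UP_DIV(..., 8)`; for a 64-bit input the bit position itself would have to range well past 8. I would reword it along the lines of `/* ret is a byte count, always 1..8: "| 0x80" guarantees a set bit in the low byte and num has at most 64 bits. */` and drop the stray period after `"| 0x80"`. Separately, because the assert sits inside `#ifdef __COVERITY__`, no ordinary build ever checks the bound. If `ret` is later used as a length or offset into `out` or `swapped` (the rest of fr_nbo_from_uint64v() is outside the hunk), moving the `fr_assert` outside the guard would let assert-enabled builds check the same invariant.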