Fix Coverity Scan 1251560

client/client_shared.c

@@ -1620,6 +1620,10 @@ static int mosquitto__parse_socks_url(struct mosq_config *cfg, char *url)
 			in_ipv6_address = true;
 			start = i+1;
 		}else if(str[i] == ']'){
+			if(host){
+				err_printf(cfg, "Error: Duplicate IPv6 address.\n");
+				goto cleanup;
+			}
 			in_ipv6_address = false;
 
 			len = i-start;

lib/socks_mosq.c

@@ -406,13 +406,14 @@ int socks5__read(struct mosquitto *mosq)
 				packet__cleanup(&mosq->in_packet);
 				return MOSQ_ERR_PROTOCOL;
 			}
-			/* coverity[tainted_data] - we know the value of
+			/* We know the value of mosq->in_packet.packet_lenth is within a
-			 * mosq->in_packet.packet_lenth is within a bound. At the start of
+			 * bound. At the start of this if statement, it was 5. The next set
-			 * this if statement, it was 5. The next set of if statements add
+			 * of if statements add either (4+2-1)=5 to its value, or
-			 * either (4+2-1)=5 to its value, or (16+2-1)=17 to its value, or
+			 * (16+2-1)=17 to its value, or the contents of a uint8_t, which
-			 * the contents of a uint8_t, which can be a maximum of 255. So the
+			 * can be a maximum of 255. So the range is 10 to 260 bytes.
-			 * range is 10 to 260 bytes. Coverity most likely doesn't realise
+			 * Coverity most likely doesn't realise this because the +=
-			 * this because the += promotes to the size of packet_length. */
+			 * promotes to the size of packet_length. */
+			/* coverity[tainted_data] */
 			payload = mosquitto__realloc(mosq->in_packet.payload, mosq->in_packet.packet_length);
 			if(payload){
 				mosq->in_packet.payload = payload;