From 70cb9d1a5ce2a06b197093efbca71f649a227d43 Mon Sep 17 00:00:00 2001
From: Mahavir Jain <mahavir@espressif.com>
Date: Wed, 20 Aug 2025 15:06:48 +0530
Subject: [PATCH 1/2] fix(esp_http_client): address coverity generated warnings

---
 components/esp_http_client/esp_http_client.c | 98 ++++++++++----------
 components/esp_http_client/lib/http_auth.c   |  4 +-
 components/esp_http_client/lib/http_header.c | 12 ++-
 3 files changed, 59 insertions(+), 55 deletions(-)

diff --git a/components/esp_http_client/esp_http_client.c b/components/esp_http_client/esp_http_client.c
index 5e298e39a1..e32452653f 100644
--- a/components/esp_http_client/esp_http_client.c
+++ b/components/esp_http_client/esp_http_client.c
@@ -1941,59 +1941,59 @@ esp_err_t esp_http_client_add_auth(esp_http_client_handle_t client)
     }
 
     char *auth_header = client->auth_header;
-    if (auth_header) {
-        http_utils_trim_whitespace(&auth_header);
-        ESP_LOGD(TAG, "UNAUTHORIZED: %s", auth_header);
-        client->redirect_counter++;
-#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
-        if (http_utils_str_starts_with(auth_header, "Digest") == 0) {
-            ESP_LOGD(TAG, "type = Digest");
-            client->connection_info.auth_type = HTTP_AUTH_TYPE_DIGEST;
-        } else {
-#endif
-#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
-        if (http_utils_str_starts_with(auth_header, "Basic") == 0) {
-            ESP_LOGD(TAG, "type = Basic");
-            client->connection_info.auth_type = HTTP_AUTH_TYPE_BASIC;
-        } else {
-#endif
-            client->connection_info.auth_type = HTTP_AUTH_TYPE_NONE;
-            ESP_LOGE(TAG, "This authentication method is not supported: %s", auth_header);
-            return ESP_ERR_NOT_SUPPORTED;
-#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
-        }
-#endif
-#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
-        }
-#endif
-
-        _clear_auth_data(client);
-
-        client->auth_data->method = strdup(HTTP_METHOD_MAPPING[client->connection_info.method]);
-
-        client->auth_data->nc = 1;
-        HTTP_RET_ON_ERR_DBG(http_utils_get_string_between(auth_header, "realm=\"", "\"", &client->auth_data->realm), TAG, "Unable to extract substring between specified strings");
-        HTTP_RET_ON_ERR_DBG(http_utils_get_string_between(auth_header, "algorithm=", ",", &client->auth_data->algorithm), TAG, "Unable to extract substring between specified strings");
-
-        if (client->auth_data->algorithm == NULL) {
-            HTTP_RET_ON_ERR_DBG(http_utils_get_string_after(auth_header, "algorithm=", &client->auth_data->algorithm), TAG, "Unable to extract substring after specified string");
-        }
-
-        if (client->auth_data->algorithm == NULL) {
-            client->auth_data->algorithm = strdup("MD5");
-        }
-
-        HTTP_RET_ON_ERR_DBG(http_utils_get_string_between(auth_header, "qop=\"", "\"", &client->auth_data->qop), TAG, "Unable to extract substring between specified strings");
-        HTTP_RET_ON_ERR_DBG(http_utils_get_string_between(auth_header, "nonce=\"", "\"", &client->auth_data->nonce), TAG, "Unable to extract substring between specified strings");
-        HTTP_RET_ON_ERR_DBG(http_utils_get_string_between(auth_header, "opaque=\"", "\"", &client->auth_data->opaque), TAG, "Unable to extract substring between specified strings");
-        client->process_again = 1;
-
-        return ESP_OK;
-    } else {
+    if (!auth_header) {
         client->connection_info.auth_type = HTTP_AUTH_TYPE_NONE;
         ESP_LOGW(TAG, "This request requires authentication, but does not provide header information for that");
         return ESP_ERR_NOT_SUPPORTED;
     }
+
+    http_utils_trim_whitespace(&auth_header);
+    ESP_LOGD(TAG, "UNAUTHORIZED: %s", auth_header);
+    client->redirect_counter++;
+
+    // Check for supported authentication types
+#if CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
+    if (http_utils_str_starts_with(auth_header, "Digest") == 0) {
+        ESP_LOGD(TAG, "type = Digest");
+        client->connection_info.auth_type = HTTP_AUTH_TYPE_DIGEST;
+    } else
+#endif
+#if CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
+    if (http_utils_str_starts_with(auth_header, "Basic") == 0) {
+        ESP_LOGD(TAG, "type = Basic");
+        client->connection_info.auth_type = HTTP_AUTH_TYPE_BASIC;
+    } else
+#endif
+    {
+        client->connection_info.auth_type = HTTP_AUTH_TYPE_NONE;
+        ESP_LOGE(TAG, "This authentication method is not supported: %s", auth_header);
+        return ESP_ERR_NOT_SUPPORTED;
+    }
+
+#if CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH || CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
+
+    _clear_auth_data(client);
+
+    client->auth_data->method = strdup(HTTP_METHOD_MAPPING[client->connection_info.method]);
+    client->auth_data->nc = 1;
+    HTTP_RET_ON_ERR_DBG(http_utils_get_string_between(auth_header, "realm=\"", "\"", &client->auth_data->realm), TAG, "Unable to extract substring between specified strings");
+    HTTP_RET_ON_ERR_DBG(http_utils_get_string_between(auth_header, "algorithm=", ",", &client->auth_data->algorithm), TAG, "Unable to extract substring between specified strings");
+
+    if (client->auth_data->algorithm == NULL) {
+        HTTP_RET_ON_ERR_DBG(http_utils_get_string_after(auth_header, "algorithm=", &client->auth_data->algorithm), TAG, "Unable to extract substring after specified string");
+    }
+
+    if (client->auth_data->algorithm == NULL) {
+        client->auth_data->algorithm = strdup("MD5");
+    }
+
+    HTTP_RET_ON_ERR_DBG(http_utils_get_string_between(auth_header, "qop=\"", "\"", &client->auth_data->qop), TAG, "Unable to extract substring between specified strings");
+    HTTP_RET_ON_ERR_DBG(http_utils_get_string_between(auth_header, "nonce=\"", "\"", &client->auth_data->nonce), TAG, "Unable to extract substring between specified strings");
+    HTTP_RET_ON_ERR_DBG(http_utils_get_string_between(auth_header, "opaque=\"", "\"", &client->auth_data->opaque), TAG, "Unable to extract substring between specified strings");
+    client->process_again = 1;
+
+    return ESP_OK;
+#endif // CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH || CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
 }
 
 int esp_http_client_read_response(esp_http_client_handle_t client, char *buffer, int len)
diff --git a/components/esp_http_client/lib/http_auth.c b/components/esp_http_client/lib/http_auth.c
index 6ba025933e..0bbe054f66 100644
--- a/components/esp_http_client/lib/http_auth.c
+++ b/components/esp_http_client/lib/http_auth.c
@@ -41,7 +41,7 @@ static int md5_printf(char *md, const char *fmt, ...)
     unsigned char digest[MD5_MAX_LEN];
     int len, i;
     md5_context_t md5_ctx;
-    va_list ap;
+    va_list ap = {0};
     va_start(ap, fmt);
     len = vasprintf((char **)&buf, fmt, ap);
     if (buf == NULL) {
@@ -76,7 +76,7 @@ static int sha256_sprintf(char *sha, const char *fmt, ...)
     unsigned char *buf;
     unsigned char digest[SHA256_LEN];
     int len, i;
-    va_list ap;
+    va_list ap = {0};
     va_start(ap, fmt);
     len = vasprintf((char **)&buf, fmt, ap);
     if (buf == NULL) {
diff --git a/components/esp_http_client/lib/http_header.c b/components/esp_http_client/lib/http_header.c
index 023930f137..f75c309027 100644
--- a/components/esp_http_client/lib/http_header.c
+++ b/components/esp_http_client/lib/http_header.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -88,8 +88,12 @@ static esp_err_t http_header_new_item(http_header_handle_t header, const char *k
     STAILQ_INSERT_TAIL(header, item, next);
     return ret;
 _header_new_item_exit:
-    free(item->key);
-    free(item->value);
+    if (item->key) {
+        free(item->key);
+    }
+    if (item->value) {
+        free(item->value);
+    }
     free(item);
     return ret;
 }
@@ -150,7 +154,7 @@ esp_err_t http_header_delete(http_header_handle_t header, const char *key)
 
 int http_header_set_format(http_header_handle_t header, const char *key, const char *format, ...)
 {
-    va_list argptr;
+    va_list argptr = {0};
     int len = 0;
     char *buf = NULL;
     va_start(argptr, format);

From ed201f4f77e2974dfc346c65ea323c010e45f868 Mon Sep 17 00:00:00 2001
From: Mahavir Jain <mahavir@espressif.com>
Date: Fri, 22 Aug 2025 19:14:52 +0530
Subject: [PATCH 2/2] fix(esp_tee): address coverity warnings

---
 components/esp_tee/src/esp_tee.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/components/esp_tee/src/esp_tee.c b/components/esp_tee/src/esp_tee.c
index 3079c5ae9e..dadd1b0cc6 100644
--- a/components/esp_tee/src/esp_tee.c
+++ b/components/esp_tee/src/esp_tee.c
@@ -40,7 +40,7 @@ uint32_t IRAM_ATTR esp_tee_service_call(int argc, ...)
     init_mutex();
 
     uint32_t val = UINT32_MAX;
-    va_list ap;
+    va_list ap = {0};
     va_start(ap, argc);
 
     if (xTaskGetSchedulerState() == taskSCHEDULER_RUNNING) {
@@ -59,7 +59,7 @@ uint32_t IRAM_ATTR esp_tee_service_call(int argc, ...)
 uint32_t IRAM_ATTR esp_tee_service_call_with_noniram_intr_disabled(int argc, ...)
 {
     uint32_t val = UINT32_MAX;
-    va_list ap;
+    va_list ap = {0};
     va_start(ap, argc);
 
     /* NOTE: Disabling the scheduler and non-IRAM residing interrupts */