[Dnsmasq-discuss] [dnsmasq] Errors found by static analysis of source code (Coverity)

Simon Kelley simon at thekelleys.org.uk
Tue Feb 5 14:58:04 GMT 2013


On 04/02/13 10:24, Tomas Hozza wrote:
> Hello Simon.
> 
> We at Red Hat are scanning a lot of open source packages
> with a static analysis tool named Coverity. I have been scanning
> and reviewing a group of network daemons where dnsmasq falls
> in, too.
> 
> I scanned the latest dnsmasq-2.66-test13 source with Coverity
> version 6.5.1. It found 115 errors, of which a lot are just
> false positives or are not worth fixing. I wrote patches for
> issues that I think should be fixed. Please review and
> consider fixing these issues. I'm also including the Coverity
> scan log, so you can have a look at all errors.
> 
> Coverity is also running a project where they allow open source
> projects to be scanned for FREE. If you find it interesting
> you can find more information on http://scan.coverity.com/.
> 
> If you have any questions about the scan or want to do more scanning,
> don't hesitate to write me back.
> 
> 

More patches:

0018-RESOURCE_LEAK-CWE-404.patch
Taken, but only a problem if one malloc succeeds and a second fails -
then we leak the first block. I won't lose sleep over that.

0019-REVERSE_INULL-CWE-476.patch
Fixed. !cp should be !*cp

0020-STRING_OVERFLOW-CWE-120.patch
Not taken, same as 0001-STRING_OVERFLOW.....

0021-UNUSED_VALUE-CWE-563.patch
Taken. Straightforward.

0022-USE_AFTER_FREE-CWE-416.patch
Taken. New code in 2.66test*

0023-USE_AFTER_FREE-CWE-416.patch
Taken, changed style of fix to match other code.



A very worthwhile exercise, thanks Tomas.

I've pushed the fixes into git.


Cheers,

Simon.
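
The failure mode described for 0018 (one malloc succeeds, a second fails, and the first block is leaked), as an added example that is not dnsmasq code and is not taken from the patches. The struct, the function names and the failure-injecting allocator are all hypothetical and constructed for the illustration.

```c
#include <stdlib.h>

/* Constructed test allocator: fails on the Nth call, counts live blocks. */
static int fail_on_call, call_count, live_blocks;

static void *test_malloc(size_t n) {
  if (++call_count == fail_on_call) return NULL;
  live_blocks++;
  return malloc(n);
}

static void test_free(void *p) {
  if (p) { live_blocks--; free(p); }
}

struct pair { char *name; char *value; };  /* hypothetical two-buffer object */

/* Leaky shape: if the second allocation fails, the first block is lost. */
static int pair_alloc_leaky(struct pair *p, size_t n) {
  if (!(p->name = test_malloc(n)) || !(p->value = test_malloc(n)))
    return 0;
  return 1;
}

/* Fixed shape: release the first block before reporting failure. */
static int pair_alloc_fixed(struct pair *p, size_t n) {
  if (!(p->name = test_malloc(n)))
    return 0;
  if (!(p->value = test_malloc(n))) {
    test_free(p->name);
    p->name = NULL;
    return 0;
  }
  return 1;
}

/* Run one allocator with a chosen failure point; return blocks still live. */
static int leaked_after(int (*alloc)(struct pair *, size_t), int fail_at) {
  struct pair p = { NULL, NULL };
  call_count = 0; live_blocks = 0; fail_on_call = fail_at;
  if (alloc(&p, 16)) {
    test_free(p.name);
    test_free(p.value);
  }
  return live_blocks;
}

int main(void) {  /* exit status 0 when both shapes behave as described */
  return leaked_after(pair_alloc_fixed, 2) != 0 || leaked_after(pair_alloc_leaky, 2) != 1;
}
```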



