[Dnsmasq-discuss] [dnsmasq] Errors found by static analysis of source code (Coverity)

Gene Czarcinski gene at czarc.net
Tue Feb 5 18:24:06 GMT 2013


On 02/05/2013 10:30 AM, Tomas Hozza wrote:
> ----- Original Message -----
>> On 04/02/13 10:24, Tomas Hozza wrote:
>>> Hello Simon.
>>>
>>> We at Red Hat are scanning a lot of open source packages
>>> with a static analysis tool named Coverity. I have been scanning
>>> and reviewing a group of network daemons where dnsmasq falls
>>> in, too.
>>>
>>> I scanned the latest dnsmasq-2.66-test13 source with Coverity
>>> version 6.5.1. It found 115 errors, a lot of which are just
>>> false positives or are not worth fixing. I wrote patches for
>>> issues that I think should be fixed. Please review and
>>> consider fixing these issues. I'm also including the Coverity
>>> scan log, so you can have a look at all errors.
>>>
>>> Coverity is also running a project where they allow open source
>>> projects to be scanned for FREE. If you find it interesting
>>> you can find more information on http://scan.coverity.com/.
>>>
>>> If you have any questions about the scan or want to do more
>>> scanning,
>>> don't hesitate to write me back.
>>>
>>>
>> More patches:
>>
>> 0018-RESOURCE_LEAK-CWE-404.patch
>> Taken, but only a problem if one malloc succeeds and a second fails -
>> then we leak the first block. I won't lose sleep over that.
>>
>> 0019-REVERSE_INULL-CWE-476.patch
>> Fixed. !cp should be !*cp
>>
>> 0020-STRING_OVERFLOW-CWE-120.patch
>> Not taken, same as 0001-STRING_OVERFLOW.....
>>
>> 0021-UNUSED_VALUE-CWE-563.patch
>> Taken. Straightforward.
>>
>> 0022-USE_AFTER_FREE-CWE-416.patch
>> Taken. New code in 2.66test*
>>
>> 0023-USE_AFTER_FREE-CWE-416.patch
>> Taken, changed style of fix to match other code.
>>
>>
>>
>> A very worthwhile exercise, thanks Tomas.
>>
>> I've pushed the fixes into git.
> No problem. You are welcome. Thank you for reviewing my patches and
> including some of them in git.
>
> Anyway, did you consider participating in the Coverity program for
> scanning open source projects? If not I will at least try to do
> a diff scan between latest dnsmasq versions to catch newly added errors.
>
The "bad" thing is that there are a number of different
versions/releases of dnsmasq running on different distributions and
different releases of those distributions.

The question I have for all of these identified fixes is: how many of them
would be considered a "security" problem?  If there are any, you might
get those fixes applied, but distributions are reluctant to just update
to the latest dnsmasq just because it is better and fixes some things
... they are concerned about what it will break.

A difficult decision.  Anyway, I also thank you for your efforts.

Gene
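
The leak described for 0018-RESOURCE_LEAK-CWE-404.patch in the quoted reply (one malloc succeeds, a second fails, the first block is lost), shown as an added example that is not part of the original thread and is not dnsmasq code. `struct pair`, `xmalloc`, `xfree` and the fault-injection counters are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed fault-injection allocator: fails the Nth call (0 = never fail). */
static int fail_on_call, calls, live_blocks;

static void *xmalloc(size_t n) {
    void *p;
    if (++calls == fail_on_call) return NULL;
    p = malloc(n);
    if (p) live_blocks++;
    return p;
}

static void xfree(void *p) { if (p) { live_blocks--; free(p); } }

struct pair { char *name, *value; };   /* hypothetical record, not a dnsmasq type */

/* Leaky form: a partial failure returns without releasing the block that succeeded. */
static int pair_init_leaky(struct pair *p, size_t n) {
    char *name = xmalloc(n), *value = xmalloc(n);
    if (!name || !value) return -1;
    p->name = name; p->value = value;
    return 0;
}

/* Fixed form: xfree(NULL) is a no-op, so one cleanup path covers every failure. */
static int pair_init_fixed(struct pair *p, size_t n) {
    char *name = xmalloc(n), *value = xmalloc(n);
    if (!name || !value) { xfree(name); xfree(value); return -1; }
    p->name = name; p->value = value;
    return 0;
}

/* Run one initializer with the given allocation failing; return blocks still live. */
static int leaked_after(int (*init)(struct pair *, size_t), int fail_at) {
    struct pair p = { NULL, NULL };
    calls = 0; live_blocks = 0; fail_on_call = fail_at;
    if (init(&p, 32) == 0) { xfree(p.name); xfree(p.value); }
    return live_blocks;
}

int main(void) {
    printf("leaky, 2nd malloc fails: %d block(s) leaked\n", leaked_after(pair_init_leaky, 2));
    printf("fixed, 2nd malloc fails: %d block(s) leaked\n", leaked_after(pair_init_fixed, 2));
    return 0;
}
```

Whether such a leak matters for security depends on whether the failing path can be driven repeatedly by remote input in a long-running daemon; a one-time leak at startup is only a robustness issue.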


