[Dnsmasq-discuss] [dnsmasq] Errors found by static analysis of source code (Coverity)

Tomas Hozza thozza at redhat.com
Tue Feb 5 20:13:45 GMT 2013


----- Original Message -----
> On 02/05/2013 10:30 AM, Tomas Hozza wrote:
> > ----- Original Message -----
> >> On 04/02/13 10:24, Tomas Hozza wrote:
> >>> Hello Simon.
> >>>
> >>> We at Red Hat are scanning a lot of open source packages
> >>> with static analysis tool named Coverity. I have been scanning
> >>> and reviewing group of network daemons where dnsmasq falls
> >>> in, too.
> >>>
> >>> I scanned the latest dnsmasq-2.66-test13 source with Coverity
> >>> version 6.5.1. It found 115 errors, of which many are just
> >>> false positives or are not worth fixing. I wrote patches for
> >>> issues that I think should be fixed. Please review and
> >>> consider fixing these issues. I'm also including the Coverity
> >>> scan log, so you can have a look at all errors.
> >>>
> >>> Coverity is also running a project where they allow open source
> >>> projects to be scanned for FREE. If you find it interesting
> >>> you can find more information on http://scan.coverity.com/.
> >>>
> >>> If you have any questions about the scan or want to do more
> >>> scanning, don't hesitate to write me back.
> >>>
> >>>
> >> More patches:
> >>
> >> 0018-RESOURCE_LEAK-CWE-404.patch
> >> Taken, but only a problem if one malloc succeeds and a second
> >> fails - then we leak the first block. I won't lose sleep over that.
> >>
> >> 0019-REVERSE_INULL-CWE-476.patch
> >> Fixed. !cp should be !*cp
> >>
> >> 0020-STRING_OVERFLOW-CWE-120.patch
> >> Not taken, same as 0001-STRING_OVERFLOW.....
> >>
> >> 0021-UNUSED_VALUE-CWE-563.patch
> >> Taken. straightforward.
> >>
> >> 0022-USE_AFTER_FREE-CWE-416.patch
> >> Taken. New code in 2.66test*
> >>
> >> 0023-USE_AFTER_FREE-CWE-416.patch
> >> Taken, changed style of fix to match other code.
> >>
> >>
> >>
> >> A very worthwhile exercise, thanks Tomas.
> >>
> >> I've pushed the fixes into git.
> > No problem. You are welcome. Thank you for reviewing my patches and
> > including some of them in git.
> >
> > Anyway, did you consider participating in the Coverity program for
> > scanning open source projects? If not I will at least try to do
> > a diff scan between latest dnsmasq versions to catch newly added
> > errors.
> >
> The "bad" thing is that there are a number of different
> versions/releases of dnsmasq running on different distributions and
> different releases of those distributions.

This is true, but since there is only one git tree branch and
development always moves forward, it is just up to the maintainers of
dnsmasq in all those distributions to backport fixes or to update
dnsmasq. I can do that and I am doing my best in Fedora and RHEL.

> The question I have for all of these identified fixes is how many of
> them would be considered a "security" problem?  If there are any, you
> might get those fixes applied, but distributions are reluctant to just
> update to the latest dnsmasq just because it is better and fixes some
> things ... they are concerned about what it will break.

I had in my mind the possibility of a security problem when reviewing
found errors. From my point of view none of those problems could be
used for a remote attack.

Maybe only http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=25c4198f7c4ba2c84a89b4c23aff2ec21b1e0d40
could be used for an attack causing dnsmasq to crash. But you would have to
compile dnsmasq with DBus and explicitly enable the DBus interface.

There are only two recent security vulnerabilities, CVE-2013-0198
and CVE-2012-3411. But these are issues in libvirt's usage of dnsmasq.
There might be something else, but I'm not aware of anything else.

Regards,

Tomas Hozza
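The RESOURCE_LEAK (CWE-404) pattern Simon describes in the quoted review above, where the first malloc succeeds, the second fails, and the first block is never released, shown as an added C example beside its corrected form. This is illustrative code written for this page, not dnsmasq code and not one of the patches from the thread. The `alloc_fn` hook, the `pair` struct and the `fail_second_alloc` helper are assumptions made so the failure path can be driven deterministically without exhausting memory.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical allocator hook: lets a caller substitute an allocator that
   fails on demand, so the error path is reachable in a test. */
typedef void *(*alloc_fn)(size_t);

struct pair {
    char *a;
    char *b;
};

/* Shape of the bug Coverity reports as RESOURCE_LEAK (CWE-404):
   the first allocation succeeds, the second fails, and the function
   returns without releasing the first block. */
int make_pair_leaky(struct pair *p, size_t n, alloc_fn alloc)
{
    p->a = alloc(n);
    if (!p->a)
        return -1;
    p->b = alloc(n);
    if (!p->b)
        return -1;          /* p->a is still owned here and never freed */
    return 0;
}

/* Corrected form: on the second failure, release what was already
   acquired and leave the struct in a consistent (all-NULL) state. */
int make_pair_fixed(struct pair *p, size_t n, alloc_fn alloc)
{
    p->a = alloc(n);
    if (!p->a)
        return -1;
    p->b = alloc(n);
    if (!p->b) {
        free(p->a);
        p->a = NULL;
        return -1;
    }
    return 0;
}

void free_pair(struct pair *p)
{
    free(p->a);
    free(p->b);
    p->a = p->b = NULL;
}

/* Constructed failing allocator (assumption, not a real API): succeeds on
   the first call after a reset and returns NULL on every call after that. */
static int alloc_calls;

void reset_fail_second(void) { alloc_calls = 0; }

void *fail_second_alloc(size_t n)
{
    alloc_calls++;
    return alloc_calls == 1 ? malloc(n) : NULL;
}

/* Returns 1 if the leaky version still owns a block after the failure
   return, 0 otherwise. */
int leaky_leaves_block(void)
{
    struct pair p = { NULL, NULL };
    reset_fail_second();
    int rc = make_pair_leaky(&p, 64, fail_second_alloc);
    int leaked = (rc == -1 && p.a != NULL);
    free(p.a);              /* clean up what the leaky function abandoned */
    return leaked;
}

/* Same probe for the corrected version; expected to return 0. */
int fixed_leaves_block(void)
{
    struct pair p = { NULL, NULL };
    reset_fail_second();
    int rc = make_pair_fixed(&p, 64, fail_second_alloc);
    return (rc == -1 && p.a != NULL);
}

int main(void)
{
    printf("leaky version leaks on second failure: %d\n", leaky_leaves_block());
    printf("fixed version leaks on second failure: %d\n", fixed_leaves_block());

    /* Normal path with the real allocator. */
    struct pair p;
    if (make_pair_fixed(&p, 64, malloc) == 0) {
        strcpy(p.a, "ok");
        free_pair(&p);
    }
    return 0;
}
```

The injected allocator is what makes the leak observable: with plain `malloc` the second call almost never fails on a developer machine, which is exactly why this class of bug survives testing and is left to static analysis to find.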


