[Dnsmasq-discuss] Bug report for dnsmasq 2.90

Geert Stappers stappers at stappers.nl
Sat Feb 15 14:22:01 UTC 2025 

On Fri, Feb 14, 2025 at 10:43:56AM +0000, Jakub Bronicki wrote:
> Hello there,

Hello dnsmasq-discuss at lists.thekelleys.org.uk subscriber

 
> I hope you're having a great day.
> 
> Using the https://github.com/Ericsson/codechecker tool,

Text from that URL:
  CodeChecker is a static analysis infrastructure built on the LLVM/Clang
  Static Analyzer toolchain, replacing scan-build in a Linux or macOS
  (OS X) development environment.

> we conducted a static analysis of your software. We detected some
> potentially critical vulnerabilities related to different areas.
> 
> Please check the attached csv file

<previously_attached_CSV_file>
path,line no,error
dnsmasq-2.90/src/rfc1035.c,546,The left expression of the compound assignment is an uninitialized value. The computed value will also be garbage
dnsmasq-2.90/src/forward.c,1129,The left operand of '==' is a garbage value
dnsmasq-2.90/src/cache.c,480,Dereference of null pointer
dnsmasq-2.90/src/cache.c,480,Dereference of null pointer
dnsmasq-2.90/src/network.c,1389,Division by zero
dnsmasq-2.90/src/edns0.c,502,Memory copy function accesses out-of-bound array element
dnsmasq-2.90/src/rrfilter.c,432,Array is indexed with a negative value. Possible integer overflow
dnsmasq-2.90/src/util.c,776,Array is indexed with a negative value. Possible integer overflow
dnsmasq-2.90/src/util.c,778,Array is indexed with a negative value. Possible integer overflow
dnsmasq-2.90/src/domain-match.c,280,Array is indexed with a negative value. Possible integer overflow
dnsmasq-2.90/src/domain-match.c,280,Array is indexed with a negative value. Possible integer overflow
dnsmasq-2.90/src/domain-match.c,291,Array is indexed with a negative value. Possible integer overflow
dnsmasq-2.90/src/domain-match.c,305,Array is indexed with a negative value. Possible integer overflow
dnsmasq-2.90/src/option.c,2657,Shifting 64-bit value by 64 bits is undefined behaviour. See condition at line 2663.
</previously_attached_CSV_file>

> and make corrections.

Oh, transmission error detected.  But that doesn't mind.

I do like the idea of static analysis of on software. I'm fairly sure
that the very same idea would be much better when against latest version
in SCM, Source Code Management, ( "git" ).


> Best regards,
> Ericsson Team


Regards
Geert Stappers
-- 
Silence is hard to parse

More information about the Dnsmasq-discuss mailing list