We are running static analyzers on new code. There is many false positives, but between them we can find some real issues, that would be worth fixing, including some double-free, use-after-free, buffer-overruns or usage of uninitialized variables
The fixes are attached in the following patch:
Analysis was executed on version 2.4.4, patches are for master.
Thanks for running the analyzer. We need to have a closer look at the suggested fixes. For example initializing a variable needs a reason and should not be done as a general precaution because that may hide other errors.
The TPM parts anyway require a rework because fprintf to stderr is used instead of the standard debug functions. This would hide error messages from the common log files.
Thanks for running the analyzer. We need to have a closer look at the suggested fixes. For example initializing a variable needs a reason and should not be done as a general precaution because that may hide other errors.
Indeed! The cases where the analyzer was obviously wrong are not part of the changes. These are only the cases after manual review, where the variable could be used uninitialized on some code path, if it was not clear.
I do not understand why there should be an integer overflow:
+++ b/common/iobuf.c
@@ -520,7 +520,7 @@ file_filter (void *opaque, int control, iobuf_t chain, byte * buf,
#else
- int n;
+ ssize_t n;
nbytes = 0;
read_more:
@@ -529,7 +529,7 @@ file_filter (void *opaque, int control, iobuf_t chain, byte * buf,
n = read (f, buf + nbytes, size - nbytes);
}
while (n == -1 && errno == EINTR);
- if (n > 0)
+ if (n > 0 && n < (SIZE_MAX - nbytes))SIZE is the length of the caller provided buffer and thus for sure less than INT_MAX. Sure, a static analyzer won't be able to detect this but SIZE_MAX is not universally available and we would run here into the same problems as any caller of read with huge buffers (2^31 bytes on a 32bit int platform). read is not as well defined as ReadFile and any implementation of read returning the theoretically allowed maximum value allowed by ssize_t (i.e. 2^63) would cause more problems than it solves.
Thus I won't apply this fix. Iff there is really a need for a fix, better check that size is small enough.
Fair enough. This is more theoretical and could happen only on huge reads. Using ssize_t for read() return value is safe option, but really does not make sense to adhere to it in cases where the reads must be smaller.
In PATCH GnuPG 12/15] sm: Avoid use of uninitialized variable I can't see where ERR was not initialized.
You are right. This was an issue in the release the static analyzer was running, but it was fixed in the meantime in master with 375c3a238ab67be9d52d1c4436f9855324c3f5dd, which I missed. Thanks for double-checking!