Hi,

I've run my static checker Calysto ( http://www.calysto.org/ ) on krb 5.1.6. Here's the postprocessed report:

+ krb5-1.6/src/util/support/fake-addrinfo.c:1336 krb5int_getaddrinfo is a function with external linkage, which calls getaddrinfo (fake-addrinfo.c:1097), passing aip as the fourth parameter (received as **result). Without checking whether result is NULL or not, getaddrinfo passes it to system_getaddrinfo (which is actually getaddrinfo in netdb.h). system_getaddrinfo can set result to NULL if the system is out of memory. Code at krb5-1.6/src/util/support/fake-addrinfo.c:1143 dereferences result, without checking it.
+ krb5-1.6/src/util/support/gmt_mktime.c:54 krb5int_gmt_mktime is a function with external linkage, dereferences parameter t without checking it.
+ krb5-1.6/src/util/support/errors.c:155 same as above, for parameter ep.
+ krb5-1.6/src/util/support/errors.c:77 same as above, same param.
+ krb5-1.6/src/util/support/errors.c:54 similar to above - function krb5int_set_error calls krb5int_vset_error passing it ep pointer without checking it, which then krb5int_vset_error dereferences.
+ krb5-1.6/src/util/support/plugins.c:647 pointer ptrs dereferenced without being checked first. Function also has external linkage.
+ krb5-1.6/src/util/support/plugins.c:588 same as above.
+ krb5-1.6/src/util/support/plugins.c:528 same as above, for parameter dirhandle.
+ krb5-1.6/src/util/support/plugins.c:428 same as above, for parameter dirnames.
+ krb5-1.6/src/util/support/plugins.c:515, same as above, for parameter dirhandle.
+ krb5-1.6/src/util/support/plugins.c:260, same, parameter h
+ krb5-1.6/src/util/support/plugins.c:189, same, param h
+ krb5-1.6/src/util/support/plugins.c:251, same, param ptr
+ krb5-1.6/src/util/support/plugins.c:230, same, param ptr
+ krb5-1.6/src/util/support/threads.c:651, same, param m
+ krb5-1.6/src/util/support/threads.c:646, same, param m
+ krb5-1.6/src/util/support/threads.c:637, same, param m
+ krb5-1.6/src/util/support/threads.c:631, same, param m

Note: Calysto reports warnings about unchecked dereferenced parameters only if a function F:
1) has external linkage,
2) parameter is dereferenced in F or any function called by F,
3) there is a feasible path from the entry block of F to the statement that dereferences the pointer, and
4) F is not called from any other function - in that case, Calysto has no context information about the parameters, and has to consider them to be undefined.

None of the functions mentioned above seem to be called from any other function in the compiled binary (compiled with llvm-gcc http://llvm.org/ ), although in the source I see that some are called from the code that didn't end up in the binary for some reason. Hence, Calysto assumes that those functions are library-like functions.

I'd appreciate it if you could let me know whether you consider these to be bugs or not and why.

Besides these reports, there seem to be no other unchecked dereferences in krb, which certainly says a lot about the code quality - other open source projects I've checked so far have a larger number of non-trivial NULL ptr dereferences.

Kind regards,

--
Domagoj Babic
http://www.domagoj.info/
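
The pattern in the first finding (an externally visible wrapper forwards an out-parameter to a backend and then dereferences it), shown beside a checked form. This is an added example, not part of the original message and not krb5 or libc code; `struct node`, `backend_lookup`, `unchecked_lookup`, `checked_lookup` and the `LOOKUP_*` codes are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for struct addrinfo; not krb5 or libc code. */
struct node { int family; struct node *next; };

enum { LOOKUP_OK = 0, LOOKUP_BADARG, LOOKUP_NOMEM, LOOKUP_NODATA };

/* Hypothetical backend in the role of system_getaddrinfo from the report.
 * With simulate_oom set it fails and leaves *result NULL. */
static int backend_lookup(int family, int simulate_oom, struct node **result)
{
    struct node *n = simulate_oom ? NULL : malloc(sizeof *n);
    *result = n;
    if (n == NULL)
        return LOOKUP_NOMEM;
    n->family = family;
    n->next = NULL;
    return LOOKUP_OK;
}

/* Reported pattern: external linkage, result forwarded and then
 * dereferenced with no check on result, the return code, or *result. */
int unchecked_lookup(int family, int simulate_oom, struct node **result)
{
    backend_lookup(family, simulate_oom, result);
    return (*result)->family;   /* NULL dereference when result or *result is NULL */
}

/* Checked form: callers are unknown, so validate before every dereference. */
int checked_lookup(int family, int simulate_oom, struct node **result,
                   int *first_family)
{
    if (result == NULL || first_family == NULL)
        return LOOKUP_BADARG;
    int rc = backend_lookup(family, simulate_oom, result);
    if (rc != LOOKUP_OK)
        return rc;
    if (*result == NULL)        /* backend reported success but gave no list */
        return LOOKUP_NODATA;
    *first_family = (*result)->family;
    return LOOKUP_OK;
}
```
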
