|
Hi,
We recently ran Coverity, a static source analysis tool, against OpenSSL 0.9.7 and 0.9.8. We found a number of problems such as the potential to access null pointers, lack of error checking on return codes, etc. There are in the neighborhood of 25 errors that we considered worth fixing.
Some of these problems are in code paths that are not likely to be reached in normal conditions. OpenSSL has been extremely robust for us, so these problems must not be in the normal paths of execution. I am not an expert in finding exploits so I don’t know if any of these could result in vulnerabilities. However, these are things that probably should be fixed.
Would you like us to contribute these fixes back to the project? If so, what would be the best format for submitting them? Would you like the diffs or raw sources? Also, which branch would be best? Most of these problems were seen in both 0.9.7i and 0.9.8. We could provide the changes for either.
Thanks -David
David Hartman Software Engineer SIGSEC Symantec Corporation ----------------------------------------------------- Office: (650) 527-4028 Email: [EMAIL PROTECTED] -----------------------------------------------------
|
- Problems Identified in Static Source Analysis David Hartman
- Re: Problems Identified in Static Source Analysis Andy Polyakov
- RE: Problems Identified in Static Source Analysis David Hartman
- RE: Problems Identified in Static Source Analysis Yair Elharrar
- Re: Problems Identified in Static Source Analysis Nils Larsch
- Re: Problems Identified in Static Source Analysis Kyle Hamilton
- Re: Problems Identified in Static Source Analys... Richard Salz
- Re: Problems Identified in Static Source Analys... Nils Larsch
