On Tue, 17 Apr 2012, Lubomír Sedlář wrote:
I would like to ask if any static analysis tool was ever used to detect
possible problems in OpenSSL source code. Is some tool used regularly?
I tried running Clang Static Analyzer [1] on the source of OpenSSL.
Julia Lawall wrote:
A few years ago, we did some experiments on finding problems in error
handling in OpenSSL using Coccinelle:
Finding Error Handling Bugs in OpenSSL using Coccinelle
http://coccinelle.lip6.fr/papers/edcc10.pdf
It's a bit surprising if none of those tools could identify the badness
of the code involved in the just published memory corruption vulnerability.
I fail to see anything subtle in that vulnerability.
Now, the trouble might be in the eye of the reviewer who'd assume way
too easily that the downcasting of a long is OK.
I think it would be really interesting to understand *why* this wasn't
seen earlier, and check all the rest of the code for potentially similar
problems. Or similar cases of assuming that "doing this is not very clean
but won't hurt us" instead of cleaning the code to do things properly.
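The long-to-int downcast mentioned above, as an added illustration in C that is not OpenSSL's code: a length held in a long is narrowed to int without a check, beside a version that validates the range before using it as a copy length (all function names and sample data here are constructed).

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Constructed example (not OpenSSL's code): a length arrives as a long,
 * e.g. decoded from a header, and is later handled as an int. */

/* Reports whether narrowing long -> int preserves the value. */
int long_fits_int(long len)
{
    return len >= 0 && len <= INT_MAX;
}

/* Unchecked narrowing: on LP64 the high bits are dropped, so a large
 * value can become small, zero, or negative. */
int narrow_unchecked(long len)
{
    return (int)len;
}

/* Copies declared_len bytes of src into dst. Returns the number of bytes
 * copied, or -1 if the declared length does not fit a non-negative int
 * or exceeds the destination capacity. */
int copy_checked(unsigned char *dst, size_t dst_cap,
                 const unsigned char *src, long declared_len)
{
    int n;
    if (!long_fits_int(declared_len))
        return -1;                   /* reject before any cast */
    n = (int)declared_len;
    if ((size_t)n > dst_cap)
        return -1;                   /* never trust the length over the buffer */
    memcpy(dst, src, (size_t)n);
    return n;
}
```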
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]