> On Nov 21, 2016, at 5:44 PM, Mc Security <mcs...@gmail.com> wrote:
>
> I see that there is careful memory allocation done for DNS_RR and
> TLS_SCACHE_ENTRY in dns_rr.c and tls_scache.c respectively so that buffer
> overflow is not caused. However, a confirmation would be great.
I think the correct protocol for reporting static analysis results is that the triage effort is the responsibility of the reporter, not the upstream maintainer. It makes little sense for upstream maintainers to pursue every unverified report that some new tool spits out. These tools unavoidably have non-negligible FP rates, and require human attention to separate reality from fiction. So if you don't see a problem, we're done. If you do find a credible problem in a report, please do forward it along. If such a problem is potentially remotely exploitable, report it off-list.

-- 
Viktor.