Re: Problems Identified in Static Source Analysis

2006-02-15 Thread Nils Larsch
Kyle Hamilton wrote: ... agree, the current code is not really consistent here. If we assume that EC_GROUP::meth cannot be NULL in a valid EC_GROUP object the check for "group->meth != NULL" is superfluous and misleading and should be removed. Done. The check for group->meth != NULL should be

Re: Problems Identified in Static Source Analysis

2006-02-08 Thread Richard Salz
> Robustness demands checking of everything passed into a function for
> possible failures -- such as an inappropriate NULL pointer.

That depends. Often returning a run-time error will just mask the problem, while a segfault means the programming error will be fixed. You're supposed to check f

Re: Problems Identified in Static Source Analysis

2006-02-08 Thread Kyle Hamilton
On 2/8/06, Nils Larsch <[EMAIL PROTECTED]> wrote: > David Hartman wrote: > >>>Index: crypto/bio/b_print.c > > >>>retrieving revision 1.1.1.1 > >>>diff -u -b -r1.1.1.1 b_print.c > >>>--- crypto/bio/b_print.c 30 Aug 2005 19:33:35 - 1.1.1.1 > >>>+++ crypto/bio/b_print.c 29 Dec 2005 23

Re: Problems Identified in Static Source Analysis

2006-02-08 Thread Nils Larsch
David Hartman wrote: ... Index: crypto/aes/aes_cfb.c === RCS file: /local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/aes/aes_cfb.c ,v retrieving revision 1.1.1.1 diff -u -b -r1.1.1.1 aes_cfb.c --- crypto/aes/aes_cfb.c

Re: Problems Identified in Static Source Analysis

2006-01-29 Thread Nils Larsch
David Hartman wrote: ... We have a copy of 0.9.8a in our source tree, and I made the changes to our copy of 0.9.8a. I attached the diffs. ... Index: crypto/aes/aes_cfb.c === RCS file: /local/cvs/master/pspOpenSSL/Current/source/o

RE: Problems Identified in Static Source Analysis

2006-01-09 Thread Yair Elharrar
: Monday, January 09, 2006 11:19 PM To: Andy Polyakov; openssl-dev@openssl.org Cc: Andrew Schnable Subject: RE: Problems Identified in Static Source Analysis Hi Andy, It turns out there was no easy way to give you the Coverity test results directly. For the runs to be useful, you really need a

RE: Problems Identified in Static Source Analysis

2006-01-09 Thread David Hartman
5 7:41 AM > To: openssl-dev@openssl.org; David Hartman > Cc: Andrew Schnable > Subject: Re: Problems Identified in Static Source Analysis > > Hi, > > > We recently ran Coverity, a static source analysis tool, against OpenSSL > > 0.9.7 and 0.9.8. We found a number of probl

Re: Problems Identified in Static Source Analysis

2005-12-18 Thread Andy Polyakov
Hi, We recently ran Coverity, a static source analysis tool, against OpenSSL 0.9.7 and 0.9.8. We found a number of problems such as the potential to access null pointers, lack of error checking on return codes, etc. There are in the neighborhood of 25 errors that we considered worth fixing.

Problems Identified in Static Source Analysis

2005-12-16 Thread David Hartman
Hi, We recently ran Coverity, a static source analysis tool, against OpenSSL 0.9.7 and 0.9.8. We found a number of problems such as the potential to access null pointers, lack of error checking on return codes, etc. There are in the neighborhood of 25 errors that we considered worth f