On 11/19, Tim Rühsen wrote:
> On Wednesday 19 November 2014 18:17:15 Darshit Shah wrote:
> > I just ran the latest HEAD of our repository through Coverity's static analysis engine.
> > Here is the report it returned. Anyone who wishes to look at the full reports, please send a request through coverity and I'll grant you permissions.
>
> We should use random() if available... (I'll make up a patch)
>
> About random number security:
> http://www.onlamp.com/pub/a/onlamp/excerpt/PUIS3_chap16/index4.html?page=2

Agreed. While random_number() is not being used for any cryptography related things here, it *is* being used for Digest Authentication. We should make it at least a bit more secure.
> ftp-basic.c already fixed, patch comes within the next hour.
Great to hear that! I was going to look into it, but I'll leave it to you then
> http.c seems to be a false positive (looking at the current git code).
Yes, it is a false positive. The static analyzer failed to realize that options[4] is &algorithm and hence it'll be assigned a value during the execution of the while() loop on line 3802.
I haven't yet figured out how to write coverity's modeling files for explicitly marking such code paths as false positives.
There's also quite a few more issues that coverity has identified in the past. A lot of them seem to be similar false positives. I'm going to go through as many of them as I can.
> Tim
>
> > ---------- Forwarded message ----------
> > From: <[email protected]>
> > Date: Wed, Nov 19, 2014 at 6:13 PM
> > Subject: New Defects reported by Coverity Scan for GNU Wget
> > To: [email protected]
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to GNU Wget found with Coverity Scan.
> >
> > 4 new defect(s) introduced to GNU Wget found with Coverity Scan.
> > 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 4 of 4 defect(s)
> >
> > ** CID 1230447: Don't call (DC.WEAK_CRYPTO)
> > /src/utils.c: 1890 in random_float()
> >
> > ** CID 1255317: Don't call (DC.WEAK_CRYPTO)
> > /src/utils.c: 1855 in random_number()
> >
> > ** CID 1255316: Logically dead code (DEADCODE)
> > /src/ftp-basic.c: 792 in ftp_epsv()
> >
> > ** CID 1255315: Logically dead code (DEADCODE)
> > /src/http.c: 3822 in digest_authentication_encode()
> >
> > ________________________________________________________________________________
> > *** CID 1230447: Don't call (DC.WEAK_CRYPTO)
> > /src/utils.c: 1890 in random_float()
> >
> > ________________________________________________________________________________
> > *** CID 1255317: Don't call (DC.WEAK_CRYPTO)
> > /src/utils.c: 1855 in random_number()
> >
> > ________________________________________________________________________________
> > *** CID 1255316: Logically dead code (DEADCODE)
> > /src/ftp-basic.c: 792 in ftp_epsv()
> > 786       /* Finally, get the port number */
> > 787       tport = 0;
> > 788       for (i = 1; c_isdigit (*s); s++)
> > 789         {
> > 790           if (i > 5)
> > 791             {
> > >>>     CID 1255316: Logically dead code (DEADCODE)
> > >>>     Execution cannot reach this statement: "free(respline);".
> > 792               xfree (respline);
> > 793               return FTPINVPASV;
> > 794             }
> > 795           tport = (*s - '0') + 10 * tport;
> > 796         }
> > 797
> >
> > ________________________________________________________________________________
> > *** CID 1255315: Logically dead code (DEADCODE)
> > /src/http.c: 3822 in digest_authentication_encode()
> > 3816      if (qop != NULL && strcmp(qop,"auth"))
> > 3817        {
> > 3818          logprintf (LOG_NOTQUIET, _("Unsupported quality of protection '%s'.\n"), qop);
> > 3819          xfree_null (qop); /* force freeing mem and return */
> > 3820          qop = NULL;
> > 3821        }
> > >>>     CID 1255315: Logically dead code (DEADCODE)
> > >>>     Execution cannot reach the expression "strcmp(algorithm, "MD5")"
> > >>>     inside this statement: "if (algorithm != NULL && st...".
> > 3822      else if (algorithm != NULL && strcmp (algorithm,"MD5") && strcmp (algorithm,"MD5-sess"))
> > 3823        {
> > 3824          logprintf (LOG_NOTQUIET, _("Unsupported algorithm '%s'.\n"), algorithm);
> > 3825          xfree_null (qop); /* force freeing mem and return */
> > 3826          qop = NULL;
> > 3827        }
> >
> > ________________________________________________________________________________
> > To view the defects in Coverity Scan visit,
> > http://scan.coverity.com/projects/555?tab=overview
> >
> > To unsubscribe from the email notification for new defects,
> > http://scan5.coverity.com/cgi-bin/unsubscribe.py
--- end quoted text ---

--
Thanking You,
Darshit Shah
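The two DC.WEAK_CRYPTO findings above are about random_number() and random_float(), which Darshit notes feed Digest Authentication (the client nonce, "cnonce", goes into the response hash). The following is an added example, not wget's code and not the patch Tim mentions, of why a libc PRNG seeded from a guessable value is a poor nonce source and how to draw the nonce from the kernel CSPRNG instead. It assumes a POSIX system with /dev/urandom; the function names (weak_cnonce, strong_cnonce, cnonce_well_formed) and the sample seed value are this example's own.

```c
/* Added example (not from GNU Wget): weak vs. CSPRNG-backed client nonce. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CNONCE_BYTES 16
#define CNONCE_LEN (2 * CNONCE_BYTES)   /* hex characters, excluding the NUL */

static const char hexdigits[] = "0123456789abcdef";

/* Hex-encode src[0..n) into dst, which must hold 2*n + 1 bytes. */
static void hex_encode(const unsigned char *src, size_t n, char *dst)
{
    for (size_t i = 0; i < n; i++) {
        dst[2 * i]     = hexdigits[src[i] >> 4];
        dst[2 * i + 1] = hexdigits[src[i] & 0x0f];
    }
    dst[2 * n] = '\0';
}

/* Weak cnonce: libc PRNG seeded with a value such as the request time.
   Same seed => same nonce, and a 32-bit seed space is brute-forceable, so
   anyone who can guess the seed can reproduce the client's nonce. */
void weak_cnonce(unsigned seed, char out[CNONCE_LEN + 1])
{
    unsigned char raw[CNONCE_BYTES];
    srand(seed);
    for (size_t i = 0; i < CNONCE_BYTES; i++)
        raw[i] = (unsigned char)(rand() & 0xff);
    hex_encode(raw, CNONCE_BYTES, out);
}

/* Strong cnonce: 128 bits from the kernel CSPRNG (/dev/urandom, an
   assumption of this example). Returns 0 on success, -1 if the device
   cannot be read; the caller should then fail rather than fall back to rand(). */
int strong_cnonce(char out[CNONCE_LEN + 1])
{
    unsigned char raw[CNONCE_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw)
        return -1;
    hex_encode(raw, CNONCE_BYTES, out);
    return 0;
}

/* Returns 1 if s is exactly CNONCE_LEN lowercase hex characters, else 0. */
int cnonce_well_formed(const char *s)
{
    if (strlen(s) != CNONCE_LEN)
        return 0;
    for (size_t i = 0; i < CNONCE_LEN; i++)
        if (strchr(hexdigits, s[i]) == NULL)
            return 0;
    return 1;
}

int main(void)
{
    char a[CNONCE_LEN + 1], b[CNONCE_LEN + 1];

    /* Constructed seed standing in for a request timestamp an observer can guess. */
    weak_cnonce(1416417435u, a);
    weak_cnonce(1416417435u, b);
    printf("weak   (same seed): %s %s -> %s\n", a, b,
           strcmp(a, b) == 0 ? "identical" : "differ");

    if (strong_cnonce(a) == 0 && strong_cnonce(b) == 0)
        printf("strong (CSPRNG)   : %s %s -> %s\n", a, b,
               strcmp(a, b) == 0 ? "identical" : "differ");
    else
        fprintf(stderr, "could not read /dev/urandom\n");
    return 0;
}
```

The point of the weak path is not that rand() output looks bad, but that it is a deterministic function of a small seed: two runs with the same seed yield the same cnonce, so the nonce's whole purpose (a value the server and any observer cannot predict) is lost.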
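For CID 1255316, the loop quoted in the report sets i to 1 and never changes it, so the `if (i > 5)` guard cannot fire and tport accumulates digits without any bound. The following is an added example, not the project's patch, of parsing the port out of an EPSV reply (RFC 2428 form `(|||port|)`) with the digit count and the 1..65535 range actually enforced. The function and enum names are this example's own and the sample reply strings are constructed.

```c
/* Added example (not from GNU Wget): bounded EPSV port parsing. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result codes; names are this example's own. */
enum epsv_result { EPSV_OK = 0, EPSV_BAD_FORMAT, EPSV_BAD_PORT };

/* Parse the port from a reply such as
   "229 Entering Extended Passive Mode (|||54321|)".
   The delimiter is whatever single byte follows '(' and must repeat three
   times before the digits and once after them. At most 5 digits are read
   and the port must be in 1..65535. */
enum epsv_result parse_epsv_port(const char *reply, unsigned *port_out)
{
    const char *s = strchr(reply, '(');
    if (s == NULL)
        return EPSV_BAD_FORMAT;
    s++;

    char delim = *s;
    if (delim == '\0' || delim == ')' || isdigit((unsigned char)delim))
        return EPSV_BAD_FORMAT;
    for (int i = 0; i < 3; i++, s++)
        if (*s != delim)
            return EPSV_BAD_FORMAT;

    unsigned port = 0;
    int ndigits = 0;
    for (; isdigit((unsigned char)*s); s++) {
        /* This is the bound the reported loop could never reach. */
        if (++ndigits > 5)
            return EPSV_BAD_PORT;
        port = port * 10 + (unsigned)(*s - '0');
    }
    if (ndigits == 0 || *s != delim || s[1] != ')')
        return EPSV_BAD_FORMAT;
    if (port == 0 || port > 65535)
        return EPSV_BAD_PORT;

    *port_out = port;
    return EPSV_OK;
}

int main(void)
{
    /* Constructed replies: one valid, the rest malformed or out of range. */
    const char *samples[] = {
        "229 Entering Extended Passive Mode (|||54321|)",
        "229 Entering Extended Passive Mode (|||123456|)",
        "229 Entering Extended Passive Mode (|||65536|)",
        "229 Entering Extended Passive Mode (|||0|)",
        "229 Entering Extended Passive Mode (||21|)",
        "229 no parens here",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned port = 0;
        enum epsv_result r = parse_epsv_port(samples[i], &port);
        printf("%-50s -> %s", samples[i],
               r == EPSV_OK ? "ok" : r == EPSV_BAD_PORT ? "bad port" : "bad format");
        if (r == EPSV_OK)
            printf(" (%u)", port);
        printf("\n");
    }
    return 0;
}
```

Counting digits rather than checking the accumulated value alone matters because a long run of digits overflows `unsigned` before a range check sees it; rejecting on the sixth digit keeps the arithmetic in range.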
