Hi all,
I would recommend scanning your code regularly with the clang static
analyzer. It's pretty easy: just execute "scan-build make" if you have
clang installed. I have installed clang 3.5.0 on Linux.
See http://clang-analyzer.llvm.org/scan-build.html .
Some examples?
In crypto/x509v3/v3_purp.c, line 294, this is called:

    xptable_free(xstandard + i);

xptable_free() calls free() on this pointer, but xstandard was not
allocated with malloc(). See line 92:

    static X509_PURPOSE xstandard[] = {
        {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0,
         check_purpose_ssl_client, "SSL client", "sslclient", NULL},
        ...
    };

This is just an example...
Sure, static analyzers contain false positives. Nevertheless, they
should be used. Especially in security projects!
Best regards,
Stefano
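
Added example, not part of the original message and not OpenSSL code: a minimal table that mixes static and heap-allocated entries, the situation in which a "free() of non-heap memory" report gets triaged. The names entry_t, ENTRY_DYNAMIC, builtin, entry_new, entry_free and cleanup_all are hypothetical; the ownership flag is one common way to make such a cleanup loop safe.

```c
#include <stdio.h>
#include <stdlib.h>

#define ENTRY_DYNAMIC 0x1   /* hypothetical flag: entry came from malloc() */

typedef struct {
    int id;
    int flags;
    const char *name;
} entry_t;

/* Built-in entries live in static storage and must never reach free(). */
static entry_t builtin[] = {
    {1, 0, "client"},
    {2, 0, "server"},
};
#define N_BUILTIN (sizeof(builtin) / sizeof(builtin[0]))

/* Heap-allocated entry, tagged so cleanup can tell it from a built-in one. */
entry_t *entry_new(int id, const char *name)
{
    entry_t *e = malloc(sizeof(*e));
    if (e == NULL)
        return NULL;
    e->id = id;
    e->flags = ENTRY_DYNAMIC;
    e->name = name;
    return e;
}

/* An unchecked version would simply call free(e); with e == builtin + i that
 * is undefined behaviour. This version frees only entries that own heap
 * memory and returns 1 if it freed, 0 if it did not. */
int entry_free(entry_t *e)
{
    if (e == NULL || !(e->flags & ENTRY_DYNAMIC))
        return 0;
    free(e);
    return 1;
}

/* Same loop shape as the reported call site; returns the number of frees. */
int cleanup_all(entry_t *extra)
{
    int freed = 0;
    for (size_t i = 0; i < N_BUILTIN; i++)
        freed += entry_free(builtin + i);
    return freed + entry_free(extra);
}

int main(void) { printf("freed %d\n", cleanup_all(entry_new(3, "extra"))); return 0; }
```

When triaging a report of this kind, the thing to check is whether the callee guards free() with such an ownership test on every path.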