On 03/19/2006 05:17 PM, Darren Reed wrote: > [ Charset ISO-8859-1 unsupported, converting... ] >>Question more about Coverity than about IP Filter: did Coverity turn up >>any genuine security issues? > > No. > > The worst is there are some race conditions in boundary > cases for SMP machines that could make it leak memory.
Cool. I would have pretty surprised if it had, so that's good to hear. Fairly often people pitch Coverity and the like to me as security auditing tools. Maybe I'm just a stick in the mud but my view is that finding non-trivial security problems is far beyond the capability of current AI, while trivial security problems (e.g. buffer overflows, printf format vulns) should be caught by the coder. If a quick review turns up trivial problems, you don't need to do much more than tell the coder to go buy a clue and then examine his own code before resubmitting. Either way, I don't expect an automated tool to be much use, but I'm prepared to be surprised. The two cases where I could see the use of an automated tool in a code audit would be: 1. Checking the resubmission from a bozo coder who is still breaking in his brand new purchase from Clue-mart. 2. No time for a real audit, but don't want to end up victim to something that an automated tool would find. I'm actually a little surprised that an automated tool found an SMP race condition. Apoloties, if this is too off-topic for folx. -- Jefferson Ogata <[EMAIL PROTECTED]> NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]> "Never try to retrieve anything from a bear."--National Park Service
