>>>>> On Sun, 05 Mar 2006 22:51:32 -0800, Ben Chelf <[EMAIL PROTECTED]> said:
Ben> I'm the CTO of Coverity, Inc., a company that does static source Ben> code analysis to look for defects in code. Hi Ben, I'm the founder and lead-developer of Net-SNMP. I've registered with your site to look at your results... I can't offer much more help until my registration is approved. We certainly do appreciate being able to look at the results of your analysis and would certainly like to fix as many bugs as possible that you've found. Ben> Because of this second point, I'd ask that if you are interested Ben> in really digging into the results a bit further for your Ben> project, please have a couple of core maintainers (or group Ben> nominated individuals) reach out to me to request access. I don't mind being the funneling point to the rest of the developers here on this project if that would help. It's unclear what the re-distribution policy is for your results at this time (I haven't looked for release information). Your rational for limiting the initial access certainly contains valid general reasons. What I'm not sure of is whether if I want to open the results to a greater audience (but channel the results back through me to you to limit your needed work load), would that be acceptable or not? Ben> Many thanks for reading this far... You're the one that's doing a lot of good work. Thanks for keeping us informed! I'm not surprised that Net-SNMP contains a number of bugs. I'm aware of a lot in the low-level MIB code and they're even difficult to fix at times. What I want to make absolutely sure of first and foremost is that the path to get to those low level MIB objects is as secure as possible. My first priority is always from the network down to the authentication and authorization stack. Beyond that it is important to try and maintain good solid code as well, but it's not *as* important as ensuring that packets are authorized to even get to the more touchy points in the code. One of the other thing that makes our stack hard is that there is a huge amount of ifdef'ed architecture-specific code. The end result is that there is likely less bugs per 1000 lines on any given real instance of the software than there is in the whole package, because I believe the core routines are safer than the lower level per-architecture code. The ifdef structures also make automated scanning likely difficult. SNMP agents are a very architecture specific piece of work. That being said, I hope you found a bunch of valid bugs! I only hope that they're easy to analyze ;-) [Also on a side note: we've actually confirmed a few cases of other security detectors falsely interpreting some of our code as being bad because we use a large number of fairly, um, interesting structures and techniques to achieve some of our goals. The sad thing is that when some of these reports come in we take a lot of time analyzing it to end up agreeing that it's not really a problem. I'm sure your report will contain many real points of interest, of course, and look forward to reading it] -- Wes Hardaker Sparta, Inc. ------------------------------------------------------- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642 _______________________________________________ Net-snmp-coders mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
