https://bugzilla.mindrot.org/show_bug.cgi?id=3167
Damien Miller <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |[email protected] --- Comment #1 from Damien Miller <[email protected]> --- (In reply to tester7632 from comment #0) > https://sonarcloud.io/project/issues?id=openssh- > portable_allfeatures&open=AXIu_cwVij8m0Z5KWuok&resolved=false&types=B > UG obvious false positive - the static analyser doesn't seem to consider that an expression may have side-effects. > > https://sonarcloud.io/project/issues?id=openssh- > portable_allfeatures&open=AXIu_cwVij8m0Z5KWuop&resolved=false&types=B > UG likewise > https://sonarcloud.io/project/issues?id=openssh- > portable_allfeatures&open=AXIu_cwxij8m0Z5KWutU&resolved=false&types=B > UG static analyser seems to not understand that variable 'p' is updated here. > https://sonarcloud.io/project/issues?id=openssh- > portable_allfeatures&open=AXIu_c8Tij8m0Z5KWvbw&resolved=false&types=B > UG also false positive. Analyser misses that resolved_len is set around https://sonarcloud.io/code?id=openssh-portable_allfeatures&selected=openssh-portable_allfeatures%3Asftp-realpath.c&line=99 > https://sonarcloud.io/project/issues?id=openssh- > portable_allfeatures&open=AXIu_c2tij8m0Z5KWvEw&resolved=false&types=B > UG Another false positive. The path the analyser took demonstrates that the posited overflow can't occur. > https://sonarcloud.io/project/issues?id=openssh- > portable_allfeatures&open=AXIu_c21ij8m0Z5KWvE9&resolved=false&types=B > UG analyser misses the sshbuf_free() call on the very line before the putative memleak occurs :( > > The complete report can be found here: > https://sonarcloud.io/project/issues?id=openssh- > portable_allfeatures&open=AXIu_c21ij8m0Z5KWvE9&resolved=false&types=B > UG > > > At a first glance I found also issues in the test cases: > > https://sonarcloud.io/project/issues?id=openssh-portable- > tests&open=AXIu8yLf_34BaxGawOJ2&resolved=false&tags=pitfall&types=BUG > > https://sonarcloud.io/project/issues?id=openssh-portable- > tests&open=AXIu8yLf_34BaxGawOKT&resolved=false&severities=CRITICAL&ty > pes=BUG I think the first one of these at least was fixed in the upstream version of netcat. I'll sync the OpenSSH copy against that -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. _______________________________________________ openssh-bugs mailing list [email protected] https://lists.mindrot.org/mailman/listinfo/openssh-bugs
