That was my assumption also. Thanks for the feedback. We use a tool called Coverity to identify potential problems in source code. I have fixed a number of issues in our local copy of OpenSSL but it would ideal if the issues and resolutions could be fed back into the OpenSSL code base so the problems don't reoccur in future releases. Being new to this mail list and the OpenSSL community in general, I was wondering if there is an official mechanism for reporting issues and/or submitting potential fixes for review.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brad House Sent: Wednesday, April 09, 2008 8:44 AM To: [email protected] Subject: Re: Interesting logic in dso_lib.c (libcrypto) I'd have to look at the context of what is actually happening here but it looks like by intention, filespec1 should be allowed to be NULL as it can be retrieved from dso, but I see no additional sanity checks for filespec2, most likely, I would assume, the filespec1 reference on line 397 should _actually_ be filespec2, but again, that's just a cursory look (without evaluating how DSO_merge is actually called). -Brad Salivar.William wrote: > That is what I got out of it. What is the process for getting code > issues submitted and resolved for OpenSSL? > > > > *From:* [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] *On Behalf Of *Sendroiu Eugen > *Sent:* Wednesday, April 09, 2008 4:41 AM > *To:* [email protected] > *Subject:* Re: Interesting logic in dso_lib.c (libcrypto) > > > > If filespec1 is NULL, it doesn't matter what dso is, it will not pass > the first if, so the latter checks for dso and filespec1 are useless. > > > > ================================== > > Eugen Sendroiu > Address: str. Horia nr 3, > bl a8, sc 2, ap 7, Craiova > Dolj - 200490, Romania > Home : +40(0)351 401134 > Mobile : +40(0)743 055244 > +40(0)730 006760 > E-mail : [EMAIL PROTECTED] > [EMAIL PROTECTED] > > > > =================================== > > > > ----- Original Message ---- > From: Michael Saladin <[EMAIL PROTECTED]> > To: [email protected] > Sent: Wednesday, April 9, 2008 9:06:14 AM > Subject: RE: Interesting logic in dso_lib.c (libcrypto) > > The first 'if' just guarantees that dso OR filespec1 are not NULL, each > of those parameters could be NULL individually. > > > > ------------------------------------------------------------------------ > > *From:* [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] *On Behalf Of *Salivar.William > *Sent:* Mittwoch, 9. April 2008 00:04 > *To:* [email protected] > *Subject:* Interesting logic in dso_lib.c (libcrypto) > > The first ¡if¢ guarantees that filespec1 will not be NULL. And yet > there are two tests for NULL in the code following the ¡if¢. This is > from OpenSSL 0.9.8g. > > > > > > *393 * char *DSO_merge > <http://engapp30:5467/cov.cgi?clicked=1&events=845739&line=0&prec=%2Fcov.cgi%3Fc%3DAAAAAADA7g%26hstate%3D1%26owner%3D86%26q%3D6%26runs%3D95%26t%3D6%26v%3D1&run=95&t=12&v=1&xref=637&lxfile=45002>(DSO > > <http://engapp30:5467/cov.cgi?clicked=1&events=845739&line=0&prec=%2Fcov.cgi%3Fc%3DAAAAAADA7g%26hstate%3D1%26owner%3D86%26q%3D6%26runs%3D95%26t%3D6%26v%3D1&run=95&t=12&v=1&xref=638&lxfile=45002> > *dso, const char *filespec1, const char *filespec2) > > *394 * { > > *395 * char *result > <http://engapp30:5467/cov.cgi?clicked=1&events=845739&line=0&prec=%2Fcov.cgi%3Fc%3DAAAAAADA7g%26hstate%3D1%26owner%3D86%26q%3D6%26runs%3D95%26t%3D6%26v%3D1&run=95&t=12&v=1&xref=642&lxfile=45002> > = NULL; > > *396 * > > Event *cannot_single*: After this line (or expression), the value of > "filespec1" cannot be 0 > > 397 if(dso == NULL || filespec1 == NULL) > > *398 * { > > *399 * DSOerr(DSO_F_DSO_MERGE,ERR_R_PASSED_NULL_PARAMETER); > > *400 * > > * * return(NULL); > > *401 * } > > Event *dead_error_condition*: On this path, the condition "filespec1 == 0" > could not be true > > 402 if(filespec1 > <http://engapp30:5467/cov.cgi?clicked=1&events=845739&line=0&prec=%2Fcov.cgi%3Fc%3DAAAAAADA7g%26hstate%3D1%26owner%3D86%26q%3D6%26runs%3D95%26t%3D6%26v%3D1&run=95&t=12&v=1&xref=662&lxfile=45002> > == NULL) > > Event *dead_error_line*: Cannot reach this line of code, beginning "dso" > > 403 filespec1 > <http://engapp30:5467/cov.cgi?clicked=1&events=845739&line=0&prec=%2Fcov.cgi%3Fc%3DAAAAAADA7g%26hstate%3D1%26owner%3D86%26q%3D6%26runs%3D95%26t%3D6%26v%3D1&run=95&t=12&v=1&xref=665&lxfile=45002> > = dso->filename; > > *404 * if(filespec1 > <http://engapp30:5467/cov.cgi?clicked=1&events=845739&line=0&prec=%2Fcov.cgi%3Fc%3DAAAAAADA7g%26hstate%3D1%26owner%3D86%26q%3D6%26runs%3D95%26t%3D6%26v%3D1&run=95&t=12&v=1&xref=668&lxfile=45002> > == NULL) > > *405 * { > > *406 * DSOerr(DSO_F_DSO_MERGE,DSO_R_NO_FILE_SPECIFICATION); > > *407 * return(NULL); > > *408 * > > * * } > > *409 * if((dso->flags > <http://engapp30:5467/cov.cgi?clicked=1&events=845739&line=0&prec=%2Fcov.cgi%3Fc%3DAAAAAADA7g%26hstate%3D1%26owner%3D86%26q%3D6%26runs%3D95%26t%3D6%26v%3D1&run=95&t=12&v=1&xref=682&lxfile=45002> > & DSO_FLAG_NO_NAME_TRANSLATION > <http://engapp30:5467/cov.cgi?clicked=1&events=845739&line=0&prec=%2Fcov.cgi%3Fc%3DAAAAAADA7g%26hstate%3D1%26owner%3D86%26q%3D6%26runs%3D95%26t%3D6%26v%3D1&run=95&t=12&v=1&xref=683&lxfile=45002>) > == 0) > > *410 * { > > *411 * if(dso->merger > <http://engapp30:5467/cov.cgi?clicked=1&events=845739&line=0&prec=%2Fcov.cgi%3Fc%3DAAAAAADA7g%26hstate%3D1%26owner%3D86%26q%3D6%26runs%3D95%26t%3D6%26v%3D1&run=95&t=12&v=1&xref=685&lxfile=45002> > != NULL > <http://engapp30:5467/cov.cgi?clicked=1&events=845739&line=0&prec=%2Fcov.cgi%3Fc%3DAAAAAADA7g%26hstate%3D1%26owner%3D86%26q%3D6%26runs%3D95%26t%3D6%26v%3D1&run=95&t=12&v=1&xref=686&lxfile=45002>) > > *412 * result = dso->merger(dso, filespec1, > filespec2 > <http://engapp30:5467/cov.cgi?clicked=1&events=845739&line=0&prec=%2Fcov.cgi%3Fc%3DAAAAAADA7g%26hstate%3D1%26owner%3D86%26q%3D6%26runs%3D95%26t%3D6%26v%3D1&run=95&t=12&v=1&xref=693&lxfile=45002>); > > *413 * else if(dso->meth->dso_merger > <http://engapp30:5467/cov.cgi?clicked=1&events=845739&line=0&prec=%2Fcov.cgi%3Fc%3DAAAAAADA7g%26hstate%3D1%26owner%3D86%26q%3D6%26runs%3D95%26t%3D6%26v%3D1&run=95&t=12&v=1&xref=696&lxfile=45002> > != NULL) > > *414 * result = dso->meth > <http://engapp30:5467/cov.cgi?clicked=1&events=845739&line=0&prec=%2Fcov.cgi%3Fc%3DAAAAAADA7g%26hstate%3D1%26owner%3D86%26q%3D6%26runs%3D95%26t%3D6%26v%3D1&run=95&t=12&v=1&xref=701&lxfile=45002>->dso_merger(dso, > > *415 * filespec1, filespec2); > > *416 * } > > *417 * return(result); > > *418 * } > > > > > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
