
Re: [Bug-wget] Fwd: New Defects reported by Coverity Scan for GNU Wget


From: Tim Ruehsen
Subject: Re: [Bug-wget] Fwd: New Defects reported by Coverity Scan for GNU Wget
Date: Wed, 19 Nov 2014 14:32:44 +0100
User-agent: KMail/4.14.2 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; )

On Wednesday 19 November 2014 18:17:15 Darshit Shah wrote:
> I just ran the latest HEAD of our repository through Coverity's static
> analysis engine.
> 
> Here is the report it returned.
> 
> Anyone who wishes to look at the full reports, please send a request
> through coverity and I'll grant you permissions.

We should use random() if available... (I'll make up a patch)
About random number security:
http://www.onlamp.com/pub/a/onlamp/excerpt/PUIS3_chap16/index4.html?page=2

ftp-basic.c already fixed, patch comes within the next hour.

http.c seems to be a false positive (looking at the current git code).

Tim

> 
> 
> ---------- Forwarded message ----------
> From:  <address@hidden>
> Date: Wed, Nov 19, 2014 at 6:13 PM
> Subject: New Defects reported by Coverity Scan for GNU Wget
> To: address@hidden
> 
> 
> 
> Hi,
> 
> Please find the latest report on new defect(s) introduced to GNU Wget
> found with Coverity Scan.
> 
> 4 new defect(s) introduced to GNU Wget found with Coverity Scan.
> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> 
> New defect(s) Reported-by: Coverity Scan
> Showing 4 of 4 defect(s)
> 
> 
> ** CID 1230447:  Don't call  (DC.WEAK_CRYPTO)
> /src/utils.c: 1890 in random_float()
> 
> ** CID 1255317:  Don't call  (DC.WEAK_CRYPTO)
> /src/utils.c: 1855 in random_number()
> 
> ** CID 1255316:  Logically dead code  (DEADCODE)
> /src/ftp-basic.c: 792 in ftp_epsv()
> 
> ** CID 1255315:  Logically dead code  (DEADCODE)
> /src/http.c: 3822 in digest_authentication_encode()
> 
> 
> ____________________________________________________________________________
> *** CID 1230447:  Don't call  (DC.WEAK_CRYPTO)
> /src/utils.c: 1890 in random_float()
> 
> ____________________________________________________________________________
> *** CID 1255317:  Don't call  (DC.WEAK_CRYPTO)
> /src/utils.c: 1855 in random_number()
> 
> ____________________________________________________________________________
> *** CID 1255316:  Logically dead code  (DEADCODE)
> /src/ftp-basic.c: 792 in ftp_epsv()
> 786       /* Finally, get the port number */
> 787       tport = 0;
> 788       for (i = 1; c_isdigit (*s); s++)
> 789         {
> 790           if (i > 5)
> 791             {
> 
> >>>     CID 1255316:  Logically dead code  (DEADCODE)
> >>>     Execution cannot reach this statement: "free(respline);".
> 
> 792               xfree (respline);
> 793               return FTPINVPASV;
> 794             }
> 795           tport = (*s - '0') + 10 * tport;
> 796         }
> 797
> 
> ____________________________________________________________________________
> *** CID 1255315:  Logically dead code  (DEADCODE)
> /src/http.c: 3822 in digest_authentication_encode()
> 3816       if (qop != NULL && strcmp(qop,"auth"))
> 3817         {
> 3818           logprintf (LOG_NOTQUIET, _("Unsupported quality of protection '%s'.\n"), qop);
> 3819           xfree_null (qop); /* force freeing mem and return */
> 3820           qop = NULL;
> 3821         }
> 
> >>>     CID 1255315:  Logically dead code  (DEADCODE)
> >>>     Execution cannot reach the expression "strcmp(algorithm, "MD5")"
> >>>     inside this statement: "if (algorithm != NULL && st...".
> 3822       else if (algorithm != NULL && strcmp (algorithm,"MD5") && strcmp (algorithm,"MD5-sess"))
> 3823         {
> 3824           logprintf (LOG_NOTQUIET, _("Unsupported algorithm '%s'.\n"), algorithm);
> 3825           xfree_null (qop); /* force freeing mem and return */
> 3826           qop = NULL;
> 3827         }
> 
> 
> ____________________________________________________________________________
> To view the defects in Coverity Scan visit,
> http://scan.coverity.com/projects/555?tab=overview
> 
> To unsubscribe from the email notification for new defects,
> http://scan5.coverity.com/cgi-bin/unsubscribe.py


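The ftp_epsv dead-code finding quoted above (CID 1255316), as an added example that is not wget's code: the digit loop from the snippet, where `i` is never incremented so the `i > 5` guard can never fire, placed beside a bounded version. It assumes the RFC 2428 reply shape `229 ... (|||port|)`; the function names and `EPSV_INVALID` are placeholders for this example, and the hardened loop is written here, not wget's own fix.

```c
#include <ctype.h>
#include <string.h>

#define EPSV_INVALID (-1)   /* stand-in for wget's FTPINVPASV status */

/* Find the first port digit in an RFC 2428 reply such as
 * "229 Entering Extended Passive Mode (|||6446|)": the delimiter is the
 * character after '(' and appears three times before the port. */
static const char *epsv_port_start(const char *reply)
{
    const char *p = strchr(reply, '(');
    if (p == NULL || p[1] == '\0') return NULL;
    char delim = *++p;
    for (int k = 0; k < 3; k++, p++)
        if (*p != delim) return NULL;
    return p;
}

/* Digit loop as in the quoted snippet: i starts at 1 and is never
 * incremented, so "i > 5" is dead and a digit run of any length is accepted. */
static int epsv_port_dead(const char *reply)
{
    const char *s = epsv_port_start(reply);
    if (s == NULL) return EPSV_INVALID;
    int tport = 0, i;
    for (i = 1; isdigit((unsigned char)*s); s++) {
        if (i > 5) return EPSV_INVALID;   /* unreachable: i stays 1 */
        tport = (*s - '0') + 10 * tport;
    }
    return tport;
}

/* Hardened loop (written for this example, not wget's own fix): count the
 * digits, allow at most five and at least one, and keep the value inside
 * the TCP port range so a malformed reply is rejected rather than used. */
static int epsv_port_fixed(const char *reply)
{
    const char *s = epsv_port_start(reply);
    if (s == NULL) return EPSV_INVALID;
    int tport = 0, i;
    for (i = 1; isdigit((unsigned char)*s); s++, i++) {
        if (i > 5) return EPSV_INVALID;   /* sixth digit: reject */
        tport = (*s - '0') + 10 * tport;
    }
    if (i == 1 || tport < 1 || tport > 65535) return EPSV_INVALID;
    return tport;
}
```

Feeding both parsers a six-digit or out-of-range port shows the difference: the quoted loop returns the value unchecked, the bounded loop rejects it.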