| Summary: | Bugs found by static tests | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | tester7632 |
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED | | |
| Severity: | normal | CC: | djm |
| Priority: | P5 | | |
| Version: | 8.2p1 | | |
| Hardware: | All | | |
| OS: | All | | |

Description
tester7632
2020-05-20 09:24:47 AEST
(In reply to tester7632 from comment #0)
> https://sonarcloud.io/project/issues?id=openssh-portable_allfeatures&open=AXIu_cwVij8m0Z5KWuok&resolved=false&types=BUG

obvious false positive - the static analyser doesn't seem to consider that an expression may have side-effects.

> https://sonarcloud.io/project/issues?id=openssh-portable_allfeatures&open=AXIu_cwVij8m0Z5KWuop&resolved=false&types=BUG

likewise

> https://sonarcloud.io/project/issues?id=openssh-portable_allfeatures&open=AXIu_cwxij8m0Z5KWutU&resolved=false&types=BUG

static analyser seems to not understand that variable 'p' is updated here.

> https://sonarcloud.io/project/issues?id=openssh-portable_allfeatures&open=AXIu_c8Tij8m0Z5KWvbw&resolved=false&types=BUG

also false positive. Analyser misses that resolved_len is set around https://sonarcloud.io/code?id=openssh-portable_allfeatures&selected=openssh-portable_allfeatures%3Asftp-realpath.c&line=99

> https://sonarcloud.io/project/issues?id=openssh-portable_allfeatures&open=AXIu_c2tij8m0Z5KWvEw&resolved=false&types=BUG

Another false positive. The path the analyser took demonstrates that the posited overflow can't occur.

> https://sonarcloud.io/project/issues?id=openssh-portable_allfeatures&open=AXIu_c21ij8m0Z5KWvE9&resolved=false&types=BUG

analyser misses the sshbuf_free() call on the very line before the putative memleak occurs :(

> The complete report can be found here:
> https://sonarcloud.io/project/issues?id=openssh-portable_allfeatures&open=AXIu_c21ij8m0Z5KWvE9&resolved=false&types=BUG
>
> At a first glance I found also issues in the test cases:
>
> https://sonarcloud.io/project/issues?id=openssh-portable-tests&open=AXIu8yLf_34BaxGawOJ2&resolved=false&tags=pitfall&types=BUG
>
> https://sonarcloud.io/project/issues?id=openssh-portable-tests&open=AXIu8yLf_34BaxGawOKT&resolved=false&severities=CRITICAL&types=BUG

I think the first one of these at least was fixed in the upstream version of netcat. I'll sync the OpenSSH copy against that

> https://sonarcloud.io/project/issues?id=openssh-portable-tests&open=AXIu8yLf_34BaxGawOKT&resolved=false&severities=CRITICAL&types=BUG

This one is another false positive. The analyser misses that the unix_listener() call is only reachable when family==AF_UNIX and there is a check that ensures "host" is not NULL for that case: https://sonarcloud.io/code?id=openssh-portable-tests&selected=openssh-portable-tests%3Aregress%2Fnetcat.c&line=296

I've synced regress/netcat.c with upstream to fix the duplicate ==-1 check in the other report.

close bugs that were resolved in OpenSSH 8.5 release cycle