FYI. Lukasz -------- Forwarded Message -------- Subject: Re: [EGI #8464] Buffer overflow vulnerability in xrootd client Date: Wed, 15 Apr 2015 11:33:53 +0200 From: ljanyst via RT <[log in to unmask]> Reply-To: [log in to unmask] <URL: https://rt.egi.eu/rt/Ticket/Display.html?id=8464 > Hi Mischa, we appreciate your looking at the code. We find this kind of tools pretty unreliable, but if you found actual bugs then please report them at https://github.com/xrootd/xrootd/issues We treat this kind of stuff seriously and will definitely look into fixing them. Cheers, Lukasz (xrootd development team) On 04/15/2015 11:23 AM, Mischa Salle via RT wrote: > > <URL: https://rt.egi.eu/rt/Ticket/Display.html?id=8464 > > > Hi Gerd, > I think you are right (and in any case you have already shown that you got > memory you weren't supposed to). > > By the way, I'm just learning to use cppcheck, and also ran it over the xrootd > code. There are some actual bugs in the code, including wrong usage of > assignment versus comparison, closing already closed files, off-by-one errors > etc. Obviously there are many things it doesn't find (including the current > vulnerability as far as I can see), but it is very useful. > > I think it would be useful if the developers at some point would do the same > check. For reference I did the following inside the xrootd-4.1.1 directory > using the 1.68 release of cppcheck: > cppcheck --enable=all --force src 2> cppcheck.err > followed by a > grep -v 'The scope of the variable .* can be reduced' cppcheck.err > You can do more clever things, but this should be a start. > I would in particular check all warnings and errors given. > > Cheers, > Mischa ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1