FYI. Lukasz


-------- Forwarded Message --------
Subject: Re: [EGI #8464] Buffer overflow vulnerability in xrootd client
Date: Wed, 15 Apr 2015 11:33:53 +0200
From: ljanyst via RT <[log in to unmask]>
Reply-To: [log in to unmask]


<URL: https://rt.egi.eu/rt/Ticket/Display.html?id=8464 >

Hi Mischa,

     we appreciate your looking at the code. We find this kind of tool
pretty unreliable, but if you found actual bugs then please report them
at https://github.com/xrootd/xrootd/issues. We treat this kind of stuff
seriously and will definitely look into fixing them.

Cheers,
     Lukasz (xrootd development team)

On 04/15/2015 11:23 AM, Mischa Salle via RT wrote:
>
> <URL: https://rt.egi.eu/rt/Ticket/Display.html?id=8464 >
>
> Hi Gerd,
> I think you are right (and in any case you have already shown that you got
> memory you weren't supposed to).
>
> By the way, I'm just learning to use cppcheck, and also ran it over the xrootd
> code. There are some actual bugs in the code, including wrong usage of
> assignment versus comparison, closing already closed files, off-by-one errors
> etc. Obviously there are many things it doesn't find (including the current
> vulnerability as far as I can see), but it is very useful.
>
> I think it would be useful if the developers at some point would do the same
> check. For reference I did the following inside the xrootd-4.1.1 directory
> using the 1.68 release of cppcheck:
> cppcheck --enable=all --force src 2> cppcheck.err
> followed by a
> grep -v 'The scope of the variable .* can be reduced' cppcheck.err
> You can do more clever things, but this should be a start.
> I would in particular check all warnings and errors given.
>
> Cheers,
> Mischa
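The two-step workflow in the thread (run cppcheck over `src`, then grep away the "scope of the variable ... can be reduced" noise and look at every warning and error) is easy to script so that a reviewer sees the findings ranked by severity. The following is an added example, not code from the thread or from the xrootd project. It assumes the line-oriented text format that cppcheck 1.x writes to stderr by default (`[file:line]: (severity) message`, with `[a:1] -> [b:2]` chains for multi-location findings); the sample `cppcheck.err` content embedded below is constructed, with placeholder file paths, so the script runs offline.

```python
"""Triage cppcheck output: drop known noise, rank the rest by severity.

Added example for the thread above; not xrootd code. Assumes the legacy
cppcheck text template, i.e. one finding per stderr line of the form
    [path:line]: (severity) message
optionally preceded by a location chain such as [a.cc:10] -> [b.cc:20].
Usage: python cppcheck_triage.py cppcheck.err
"""
import re
import sys
from collections import Counter

# One finding per line; the location part is matched non-greedily so a
# trailing "[...]" inside the message text does not confuse the parser.
LINE_RE = re.compile(r"^(?P<locs>\[.+?\]): \((?P<severity>\w+)\) (?P<msg>.*)$")
# Individual [file:line] locations inside the location part.
LOC_RE = re.compile(r"\[([^\]]+):(\d+)\]")

# Messages that are not worth a security reviewer's time; this is the same
# filter the thread applies with grep -v, expressed as regexes.
NOISE_PATTERNS = [
    re.compile(r"The scope of the variable .* can be reduced"),
]

# cppcheck severities in the order a reviewer should work through them.
SEVERITY_RANK = {
    "error": 0, "warning": 1, "performance": 2,
    "portability": 3, "style": 4, "information": 5,
}

# Constructed sample of cppcheck stderr; paths and messages are placeholders
# modelled on the bug classes mentioned in the thread (off-by-one, double
# close, assignment used where a comparison was meant).
SAMPLE_ERR = """\
Checking src/placeholder/Example.cc...
[src/placeholder/Example.cc:42]: (style) The scope of the variable 'i' can be reduced.
[src/placeholder/Example.cc:88]: (error) Array 'buf[16]' accessed at index 16, which is out of bounds.
[src/placeholder/Example.cc:120]: (warning) Suspicious condition (assignment + comparison); Clarify expression with parentheses.
[src/placeholder/Example.cc:60] -> [src/placeholder/Example.cc:64]: (error) Resource handle 'fd' freed twice.
[src/placeholder/Example.cc:130]: (performance) Function parameter 'name' should be passed by reference.
"""


def parse_findings(text):
    """Parse cppcheck stderr text into dicts with file, line, severity, msg.

    Lines that are not findings (e.g. "Checking ..." progress output) are
    skipped. For a location chain the last location is used, since cppcheck
    reports the place where the problem manifests last.
    """
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        locs = LOC_RE.findall(m.group("locs"))
        if not locs:
            continue
        path, line = locs[-1]
        findings.append({
            "file": path,
            "line": int(line),
            "severity": m.group("severity"),
            "msg": m.group("msg"),
        })
    return findings


def is_noise(finding):
    """True if the message matches one of the accepted-noise patterns."""
    return any(p.search(finding["msg"]) for p in NOISE_PATTERNS)


def triage(text):
    """Return (kept findings sorted by severity, file, line) and per-severity counts."""
    kept = [f for f in parse_findings(text) if not is_noise(f)]
    kept.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["file"], f["line"]))
    counts = Counter(f["severity"] for f in kept)
    return kept, counts


def render(kept, counts):
    """Human-readable report: summary line, then findings in review order."""
    summary = ", ".join(f"{sev}={counts[sev]}" for sev in sorted(counts, key=lambda s: SEVERITY_RANK.get(s, 99)))
    lines = [f"{len(kept)} findings after noise filtering ({summary})"]
    for f in kept:
        lines.append(f"{f['severity']:<12} {f['file']}:{f['line']}  {f['msg']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Read a real cppcheck.err if given, otherwise demonstrate on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ERR
    print(render(*triage(text)))
```

Anything cppcheck reports as `error` surfaces first (here the out-of-bounds index and the double free), followed by `warning`; the `style` finding the thread filters out never reaches the report. Extending `NOISE_PATTERNS` is the place to record further message classes a team has decided to accept, so the accepted noise is version-controlled rather than living in someone's shell history.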

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1