
Re: Calysto v1.5 reports on openldap_v2.4.4alpha


On 8/20/07, Kurt Zeilenga <kurt@openldap.org> wrote:
> On Aug 20, 2007, at 12:02 PM, Domagoj Babic wrote:
> > Could you please check them out and replace ??? with Yes/No, and
> > if it's a false positive, write a short explanation.
> It seems that most (if not all) of this is simply dereferencing the
> NULL result of a failed malloc (or the like) memory allocation.  I
> don't consider such derefs of NULL to be bugs in OpenLDAP Software as
> it is done intentionally.  That is, the expected behavior of OpenLDAP
> Software, in general, is to fail abruptly upon malloc(3) failure,
> either by dereferencing NULL or abort(3)ing.

I've analyzed quite a few applications out there, and my recommendation
would be to insert NULL-checks, and print an appropriate message.
If users experience an unexplained crash, they will attribute it to
bad code quality, not the current conditions on the machine. The
message is clearly useful to the developers.

Probably the highest quality code I've seen so far is ISC BIND; they
check every single pointer before dereference, and every single
data structure for consistency.

So, I guess I can consider ??? marked VCs to be conditions that
would crash openldap, right?

> > calysto v1.5 on openldap_v2.4.4alpha: ??/20
> FYI, 2.4.4 is old code.

Are you interested in having the newer one checked?


        Domagoj Babic