Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
From: Charles Swiger
Date: Wed, 23 Apr 2014 16:36:05 -0700
To: Erik Cederstrand
Cc: freebsd-security@freebsd.org
In-reply-to: <546CE3A8-FC87-472F-8A63-0497D0D28789@cederstrand.dk>
References: <10999.1398215531@server1.tristatelogic.com> <50CA7E78-BB5E-4872-A272-B7374627EC12@cederstrand.dk> <546CE3A8-FC87-472F-8A63-0497D0D28789@cederstrand.dk>

On Apr 23, 2014, at 1:21 PM, Erik Cederstrand wrote:
[ ... ]
>> Not only are both of these shorter and they pass clang's static analyzer without a warning, I'd argue that the second version is noticeably cleaner.
>
> I don't disagree with you, but rewriting 1000 if-else cases in single-threaded userland programs just so the analyzer understands them is 1) tedious and 2) bound to accidentally introduce at least 50 new bugs, since most real-life examples are considerably more complicated than the minimal example I posted.

Any change comes with some risk.

If you want to say that fixing minor issues like not free()ing memory or explicitly close()ing a FD rather than just exit()ing and letting the system clean up afterwards is not worth bothering in something like cal or some other utility that isn't running root or setuid, doesn't listen on the network, doesn't process untrusted data, etc... well, OK-- by themselves, such things probably are harmless.

However, being sloppy about fixing warnings from the compiler or code analyzers seems to be habit-forming. And as you start moving towards software which does run with elevated permissions, or acts as a network server, or processes random multimedia files from untrusted web pages (I'm thinking a codec like VP8), much less is used to provide transport layer security for credit card and banking transactions, well, you also move from harmless to Heartbleed.

Regards,
-- 
-Chuck
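The kind of "minor" leak the thread is arguing about, as an added illustration that is not code from either poster's message and not the minimal example Erik refers to: a constructed `parse_record_leaky` function returns early on its error paths without releasing the buffer it allocated, which is the shape a static analyzer reports as a leak; `parse_record_clean` routes every exit through one cleanup label so the buffer is always released. The `tracked_malloc`/`tracked_free` counters are a constructed stand-in for the analyzer, making the leak observable at run time without any external tool.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed instrumentation: count live heap blocks so that a leaked
   buffer shows up as a non-zero count after the function returns. */
static int live_blocks = 0;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL)
        live_blocks++;
    return p;
}

static void tracked_free(void *p) {
    if (p != NULL) {
        live_blocks--;
        free(p);
    }
}

int live_block_count(void) { return live_blocks; }
void reset_live_blocks(void) { live_blocks = 0; }

/* Leaky version: each early return on an error path abandons 'copy'.
   Harmless in a one-shot utility that exits anyway; a real resource
   exhaustion problem in a long-running server that hits the error path
   repeatedly on attacker-controlled input. */
int parse_record_leaky(const char *line, int *out_value) {
    char *copy = tracked_malloc(strlen(line) + 1);
    if (copy == NULL)
        return -1;
    strcpy(copy, line);
    char *sep = strchr(copy, '=');
    if (sep == NULL)
        return -1;                /* 'copy' is never freed here */
    *sep = '\0';
    if (strcmp(copy, "value") != 0)
        return -1;                /* nor here */
    *out_value = atoi(sep + 1);
    tracked_free(copy);
    return 0;
}

/* Restructured version: a single exit path releases the buffer whatever
   the outcome, so the analyzer (and a reader) can see every path is clean. */
int parse_record_clean(const char *line, int *out_value) {
    int rc = -1;
    char *copy = tracked_malloc(strlen(line) + 1);
    if (copy == NULL)
        return -1;
    strcpy(copy, line);
    char *sep = strchr(copy, '=');
    if (sep == NULL)
        goto out;
    *sep = '\0';
    if (strcmp(copy, "value") != 0)
        goto out;
    *out_value = atoi(sep + 1);
    rc = 0;
out:
    tracked_free(copy);
    return rc;
}

int main(void) {
    int v = 0;

    reset_live_blocks();
    parse_record_leaky("bogus", &v);
    printf("leaky: live blocks after error path = %d\n", live_block_count());

    reset_live_blocks();
    parse_record_clean("bogus", &v);
    printf("clean: live blocks after error path = %d\n", live_block_count());

    parse_record_clean("value=42", &v);
    printf("clean: parsed %d, live blocks = %d\n", v, live_block_count());
    return 0;
}
```

Running `clang --analyze` over the leaky function is what produces the warning the thread discusses; the counters here only make the same defect visible in a plain build. The single-cleanup-path rewrite is one common way to satisfy the analyzer without touching the logic of each branch, which is the tradeoff against "rewriting 1000 if-else cases" that Erik raises.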