Hi,

I enabled -fanalyzer for GnuPG in my project. It reports quite a few findings. Some of them (or even the majority) might be false positives. I haven't checked that, though. However, the one I quote below seems like a true positive (the line numbers in current master slightly deviate, but the picture is simple anyway: md has to be initialized to NULL when declared).

Just as a suggestion from me: add a flag to the configure script to enable this gcc feature. I am still looking for a way to inform the static analyzer in the source code about certain semantics (i.e. restrictions on the values returned by functions in external libraries); this would be very helpful to suppress false positives.

- Falko

sign.c:1760:3: warning: use of uninitialized value ‘md’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
 1760 |   gcry_md_close (md);
      |   ^~~~~~~~~~~~~~~~~~
  ‘sign_symencrypt_file’: events 1-7
    |
    | 1587 |   gcry_md_hd_t md;
    |      |                ^~
    |      |                |
    |      |                (1) region created on stack here
    |      |                (2) capacity: 8 bytes
    |......
    | 1618 |   if (rc)
    |      |      ~
    |      |      |
    |      |      (3) following ‘true’ branch (when ‘rc != 0’)...
    | 1619 |     goto leave;
    |      |     ~~~~
    |      |     |
    |      |     (4) ...to here
    |......
    | 1751 |   if (rc)
    |      |      ~
    |      |      |
    |      |      (5) following ‘true’ branch (when ‘rc != 0’)...
    | 1752 |     iobuf_cancel (out);
    |      |     ~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (6) ...to here
    |......
    | 1760 |   gcry_md_close (md);
    |      |   ~~~~~~~~~~~~~~~~~~
    |      |   |
    |      |   (7) use of uninitialized value ‘md’ here
    |

--
MTG AG
Dr. Falko Strenzke
Executive System Architect
_______________________________________________ Gnupg-devel mailing list [email protected] https://lists.gnupg.org/mailman/listinfo/gnupg-devel
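The fix the report points at (initialize md to NULL at declaration so the shared leave: cleanup is safe from every early goto), as an added C example that is not code from the email or from GnuPG: md_hd_t, md_open, md_close and the fail_at fault injection are constructed stand-ins for gcry_md_hd_t, gcry_md_open and gcry_md_close, and md_close is assumed to ignore NULL as libgcrypt's gcry_md_close does.

```c
#include <stdlib.h>

/* Constructed stand-in for libgcrypt's opaque gcry_md_hd_t (the real type
   comes from <gcrypt.h>); a live handle is simply a heap object. */
typedef struct md_ctx { int algo; } *md_hd_t;

/* Counters a test can inspect: handles opened and handles closed. */
static int opened, closed;

/* Stand-in for gcry_md_open(): on failure the output handle is left
   untouched, which is exactly why an uninitialized `md` is dangerous. */
static int md_open(md_hd_t *hd, int fail)
{
    if (fail) return 1;
    *hd = calloc(1, sizeof **hd);
    if (!*hd) return 1;
    opened++;
    return 0;
}

/* Stand-in for gcry_md_close(); assumed to ignore NULL, as libgcrypt's does. */
static void md_close(md_hd_t hd)
{
    if (!hd) return;
    closed++;
    free(hd);
}

/* Shape of sign_symencrypt_file() after the fix. fail_at injects an error at
   step 1, 2 or 3 (constructed); every path ends in the single leave: cleanup. */
static int sign_symencrypt_file_fixed(int fail_at)
{
    int rc;
    md_hd_t md = NULL;          /* the fix: the report shows `gcry_md_hd_t md;` */

    rc = (fail_at == 1);        /* e.g. setup fails before md exists (line 1618) */
    if (rc)
        goto leave;             /* md never opened; md_close(NULL) must be safe */

    rc = md_open(&md, fail_at == 2);
    if (rc)
        goto leave;             /* open failed, md still NULL */

    rc = (fail_at == 3);        /* e.g. writing fails (line 1751): the original
                                   calls iobuf_cancel (out) and falls through */
leave:
    md_close(md);               /* NULL on early exits, a live handle otherwise */
    return rc;
}
```

With the initializer removed, compiling this shape with gcc -fanalyzer reproduces the -Wanalyzer-use-of-uninitialized-value report quoted above; with it, no path reaches md_close with an indeterminate pointer.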
