OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

Charles Swiger cswiger at mac.com
Wed Apr 23 23:36:08 UTC 2014


On Apr 23, 2014, at 1:21 PM, Erik Cederstrand <erik+lists at cederstrand.dk> wrote:
[ ... ]
>> Not only are both of these shorter and they pass clang's static analyzer without a warning, I'd argue that the second version is noticeably cleaner.
> 
> I don't disagree with you, but rewriting 1000 if-else cases in single-threaded userland programs just so the analyzer understands them is 1) tedious and 2) bound to accidentally introduce at least 50 new bugs, since most real-life examples are considerably more complicated than the minimal example I posted.


Any change comes with some risk.

If you want to say that fixing minor issues like not free()ing memory or explicitly close()ing a FD rather than just exit()ing and letting the system clean up afterwards is not worth bothering in something like cal or some other utility that isn't running root or setuid, doesn't listen on the network, doesn't process untrusted data, etc...well, OK-- by themselves, such things probably are harmless.

However, being sloppy about fixing warnings from the compiler or code analyzers seems to be habit-forming.

And as you start moving towards software which does run with elevated permissions, or acts as a network server, or processes random multimedia files from untrusted web pages (I'm thinking a codec like VP8), much less is used to provide transport layer security for credit card and banking transactions, well, you also move from harmless to Heartbleed.

Regards,
-- 
-Chuck
