Ethereal-dev: Re: [Fwd: [Ethereal-dev] Coverity Open Source Defect Scan of Ethereal]
On Mon, Mar 06, 2006 at 09:52:35AM -0600, Gerald Combs wrote:
> There are 143 defects for Ethereal listed at
http://scan.coverity.com .
> I'd like to see them fixed before the next release. If you want to
> help out, please send a note to Ben and CC me.
IMNSHO, the list should be made public now. We haven't had any problems
with early disclosure in the past. We already have some critical
bugfixes in the code that will just be delayed by fixing all the new
ones, so it doesn't make a difference from a security point of view to
keep the new ones secret, while the old ones are already known. Maybe
just (automatically) opening bug-reports with blocker for each of thems
would be a good way to proceed?
Personally, I'd like to work on some of the issues, so in case we can't
work on these things in public then yes, I'd like an account. But I'd
really like an answer to why this list cannot be made public for the
Ethereal project (I'm not talking about other projects here).
Maybe we could post explanations on certain Coverity bugs, for instance on parts we're not that familiar with. For instance, I reviewed the dead code issue (CID 17) on the HTTP dissector, and I can only tell that it is indeed a bug however I cannot provide a fix as I am not familiar (anymore) with the chunked byte coding part...
FWIW, here's my review comment for this issue: "This is a bug: chunk_size can only be zero *after* the while {} loop from lines 1229--1352, but definitely not after the break statement at line 1259. I am not familiar with the HTTP chunked byte coding, so I cannot provide a fix for this issue."
One very fun aspect of this Coverity scan is that we already got rid of 103 issues over the past few days, and at the same time we kept developing :)
Cheers!
Olivier
