On 04/25/2014 09:44 PM, Joe Julian wrote:
> GlusterFS was rejected during the security analysis with these comments:
>>
>> here's just a list of what I found while reading the code:
>>
>> - cppcheck reports ~20 real coding mistakes, perhaps a few false
>> positives
>> - get_uuid_via_daemon() doesn't check fork() for error return
>> - rdd_valid_config() buffer overflow rdd_config.out_file.path
>> - gf_cli_print_limit_list() doesn't check sprintf(abspath) return value
>> - rb_malloc() and rb_free() ignore their allocator argument
>> Not a security problem, but might be very surprising
>> - int_to_data() data_from_[u]int{64,32,16,8}() data_from_double()
>> all re-calculate the length rather than use the return value from
>> gf_asprintf(). (Not a security problem, just redundant.)
>>
> Should we add cppcheck to Jenkins?
>
Yes, we must. There is a Jenkins plug-in present for Cppcheck[1]. Also
we should update the page for Cppcheck in gluster wiki[2]
[1] https://wiki.jenkins-ci.org/display/JENKINS/Cppcheck+Plugin
[2]
http://www.gluster.org/community/documentation/index.php/Fixing_Issues_Reported_By_Tools_For_Static_Code_Analysis
-Lala
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://supercolony.gluster.org/pipermail/gluster-devel/attachments/20140426/8c06bb0a/attachment.html>
