We have analyzed the iptables-1.4.10 code with Coverity. Coverity is a commercial enterprise-level tool for static analysis of code (analysis based only on compiling the sources, not on running the binary). As a result I have the following patches that should fix some possible problems. The respective part(s) of the Coverity error log are quoted in each commit comment.

You may also find this link useful:
https://www.securecoding.cert.org/confluence/display/seccode/Coverity+Prevent

Jiri Popelka (8):
  iptables: Coverity: DEADCODE
  iptables: Coverity: FORWARD_NULL
  iptables: Coverity: NEGATIVE_RETURNS
  iptables: Coverity: REVERSE_INULL
  iptables: Coverity: UNINIT
  iptables: Coverity: VARARGS
  iptables: Coverity: OVERRUN_STATIC
  iptables: Coverity: RESOURCE_LEAK

 extensions/libip6t_REJECT.c  | 13 +++++++------
 extensions/libipt_REJECT.c   | 11 ++++++-----
 extensions/libxt_multiport.c |  2 --
 extensions/libxt_sctp.c      |  2 +-
 iptables/ip6tables-restore.c |  3 +--
 iptables/ip6tables.c         |  5 ++++-
 iptables/iptables-restore.c  |  5 ++---
 iptables/iptables-xml.c      |  6 +++---
 iptables/iptables.c          |  8 ++++++--
 iptables/xtables.c           | 15 +++++++++++----
 libipq/libipq.c              |  1 -
 libiptc/libiptc.c            |  8 +++-----
 12 files changed, 44 insertions(+), 35 deletions(-)

-- 
1.7.5.2