Comments (2)
I took some time to reduce the number of warnings emitted by clang --analyzer; I am attaching the patch to this comment.
To be honest, it's mostly marking where a patch would actually solve the issue. For several of those, I have no idea how to properly fix the problem.
There are still 2 potential double frees and one garbage comparison for which I could not find where to patch to avoid them.
Finally, I fixed a false positive using a C11 feature: _Noreturn. I do not know if you support it though.
some.analysis.patch.tar.gz
TL;DR waste of my time
Please note that I check the code for memory leaks, uninitialized variable assignments and other unpleasantries using valgrind, which unlike the analyzer you used actually runs the code instead of trying to figure it out by just looking at it.
I've checked the supposed "problems" you reported and they are all false alarms. All are notices, only some are warnings. As you have wasted enough of my scarce time and haven't even bothered to understand what the code does, I will only comment on the first warning for the sake of transparency. Here is the analysis:
crypto.c:2396:25: warning: Null pointer passed as an argument to a 'nonnull' parameter
The analyzer is ignoring context and can't figure out that the strcasecmp call it laments about happens only when the earlier calls to gnutls_x509_crq_get_dn_by_oid or gnutls_x509_crq_get_subject_alt_name have returned a success code, which means buf is guaranteed not to be null to start with. The fallthrough from GNUTLS_SAN_IPADDRESS, which you'll see I marked as intentional, happens when buf is first freed then replaced by ip, which also is checked for null beforehand.
    do {
        r = cn ?
            gnutls_x509_crq_get_dn_by_oid(crq, GNUTLS_OID_X520_COMMON_NAME,
                                          ncn, 0, buf, &size) :
            gnutls_x509_crq_get_subject_alt_name(crq, nsan, buf, &size,
                                                 NULL, NULL);
        switch (r) {
            case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
                if (cn) {
                    cn = false;
                    r = GNUTLS_E_SUCCESS;
                }
                break;

            case GNUTLS_E_SHORT_MEMORY_BUFFER:
                buf = calloc(1, size);
                if (!buf) {
                    warn("csr_names: calloc failed");
                    goto out;
                }
                break;

            case GNUTLS_SAN_IPADDRESS:
                ip = calloc(1, INET6_ADDRSTRLEN);
                if (!ip) {
                    warnx("csr_names: calloc failed");
                    goto out;
                }
                if (!inet_ntop(size == 4 ? AF_INET : AF_INET6, buf, ip,
                               INET6_ADDRSTRLEN)) {
                    warnx("csr_names: invalid IP address in Subj Alt Name");
                    free(ip);
                    ip = NULL;
                    continue;
                }
                free(buf);
                buf = ip;
                ip = NULL;
                // intentional fallthrough

            case GNUTLS_E_SUCCESS:
            case GNUTLS_SAN_DNSNAME:
                for (i = 0; i < n; i++) {
                    if (strcasecmp(buf, names[i]) == 0)
                        break;
                }
Edit: and your supposed "patch" just contains the following garbage, no actual changes.
Sur la branche master
Votre branche est à jour avec 'origin/master'.
Modifications qui ne seront pas validées :
(utilisez "git add <fichier>..." pour mettre à jour ce qui sera validé)
(utilisez "git checkout -- <fichier>..." pour annuler les modifications dans la copie de travail)
modifié : crypto.c
modifié : json.c
modifié : uacme.c
modifié : ualpn.c
aucune modification n'a été ajoutée à la validation (utilisez "git add" ou "git commit -a")
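The point in dispute above is that buf can only reach strcasecmp after a GNUTLS_E_SHORT_MEMORY_BUFFER round trip has allocated it. The following is an added example, not uacme's code: it models that "probe the size, allocate, retry" contract with a constructed mock (mock_get_name and the MOCK_E_* codes are stand-ins for the GnuTLS calls and error codes) and makes the non-null invariant explicit with an assert, which the Clang static analyzer treats as an assumption.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
/* Constructed stand-in for the GnuTLS contract: a NULL or too-small buffer
   yields SHORT_MEMORY_BUFFER plus the size needed; the caller allocates and retries. */
#define MOCK_E_SUCCESS 0
#define MOCK_E_SHORT_MEMORY_BUFFER (-51)
#define MOCK_E_REQUESTED_DATA_NOT_AVAILABLE (-56)
static int mock_get_name(const char *const *names, unsigned idx, char *buf, size_t *size)
{
    if (names[idx] == NULL)
        return MOCK_E_REQUESTED_DATA_NOT_AVAILABLE;
    size_t need = strlen(names[idx]) + 1;
    if (buf == NULL || *size < need) {
        *size = need;
        return MOCK_E_SHORT_MEMORY_BUFFER;
    }
    memcpy(buf, names[idx], need);
    return MOCK_E_SUCCESS;
}
/* True if every name in csr (NULL-terminated) is in wanted[0..n), case-insensitively. */
bool names_match(const char *const *csr, const char *const *wanted, size_t n)
{
    char *buf = NULL;
    size_t size = 0, i;
    unsigned idx = 0;
    bool ok = true;
    while (ok) {
        int r = mock_get_name(csr, idx, buf, &size);
        if (r == MOCK_E_REQUESTED_DATA_NOT_AVAILABLE)
            break;                             /* no more names */
        if (r == MOCK_E_SHORT_MEMORY_BUFFER) {
            free(buf);
            buf = calloc(1, size);
            if (!buf) { ok = false; break; }   /* allocation failure */
            continue;                          /* retry the same index */
        }
        /* Reached only after SUCCESS, so buf was allocated above; state it. */
        assert(buf != NULL);
        for (i = 0; i < n && strcasecmp(buf, wanted[i]) != 0; i++)
            ;
        if (i == n) ok = false;                /* name not in wanted list */
        idx++;
    }
    free(buf);
    return ok;
}
```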