john-dev - Re: Static analysis of John using CppCheck

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <260dab9c3fe84b3fb648474b0155b131@smtp.hushmail.com>
Date: Mon, 21 Jan 2013 08:11:00 +0100
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Static analysis of John using CppCheck


On 21 Jan, 2013, at 8:06 , magnum <john.magnum@...hmail.com> wrote:

> 
> On 21 Jan, 2013, at 5:41 , Lukas Odzioba <lukas.odzioba@...il.com> wrote:
> 
>> Hi I used Cppcheck 1.55 (but newest is 1.58) to check unstable-jumbo.
>> Here is link to results: http://ideone.com/BO7XVd - over 600 lines so
>> I didn't want to post it here.
>> 
> I checked most of the claimed "Buffer access out-of-bounds" and they are just false positives. Example:
> 
> 	memcpy(block, AFS_long_IV, 8);
> 
> Size of both are 8 so this is not out of bounds. But block is ARCH_WORD_32 so it seems Cppcheck tries to apply pointer arithmetic where it shouldn't. Same red herring in all cases I checked.

From 1.57 changelog: "Fixed several false negatives in buffer overrun check". Perhaps latest would be better.

magnum

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.