<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 04/25/2014 09:44 PM, Joe Julian
      wrote:<br>
    </div>
    <blockquote cite="mid:535A89F8.9080207@julianfamily.org" type="cite">
      <meta http-equiv="content-type" content="text/html;
        charset=ISO-8859-1">
      GlusterFS was rejected during the security analysis with these
      comments:<br>
      <blockquote type="cite">
        <p id="yui_3_10_3_1_1398442245235_54">here's just a list of
          what I found while reading the code:</p>
        <p>- cppcheck reports ~20 real coding mistakes, perhaps a few
          false positives<br>
          - get_uuid_via_daemon() doesn't check fork() for error return<br>
          - rdd_valid_config() buffer overflow rdd_config.out_file.path<br>
          - gf_cli_print_limit_list() doesn't check sprintf(abspath)
          return value<br>
          - rb_malloc() and rb_free() ignore their allocator argument<br>
          &nbsp;&nbsp;Not a security problem, but might be very surprising<br>
          - int_to_data() data_from_[u]int{64,32,16,8}() data_from_double()<br>
          &nbsp;&nbsp;all re-calculate the length rather than use the return value
          from<br>
          &nbsp;&nbsp;gf_asprintf(). (Not a security problem, just redundant.)</p>
      </blockquote>
      Should we add cppcheck to Jenkins?<br>
      <br>
    </blockquote>
    <br>
    Yes, we must.&nbsp; There is a Jenkins plug-in for Cppcheck[1].
    Also, we should update the Cppcheck page in the gluster wiki[2]<br>
    <br>
    [1] <a class="moz-txt-link-freetext" href="https://wiki.jenkins-ci.org/display/JENKINS/Cppcheck+Plugin">https://wiki.jenkins-ci.org/display/JENKINS/Cppcheck+Plugin</a><br>
    [2]
<a class="moz-txt-link-freetext" href="http://www.gluster.org/community/documentation/index.php/Fixing_Issues_Reported_By_Tools_For_Static_Code_Analysis">http://www.gluster.org/community/documentation/index.php/Fixing_Issues_Reported_By_Tools_For_Static_Code_Analysis</a><br>
    <br>
    -Lala<br>
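    <br>
    An added illustration, not code from this thread or from GlusterFS, of the
    two "unchecked return value" findings in the quoted list: a fixed-size path
    buffer filled with sprintf() next to an snprintf() version that refuses a
    truncated path (sprintf()'s own return value only reports the length after
    the write has already happened, so the hardened form switches to
    snprintf()), and a fork() wrapper that handles the -1 return.
    build_abspath(), build_abspath_unchecked(), run_in_child() and
    child_returns_seven() are invented names; the 32-byte buffer and the sample
    paths are constructed for the demo.<br>

```c
/* Added example (not GlusterFS code): the two "check the return value"
 * findings from the review list, each written the way a reviewer would want
 * to see it. All function names here are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Small on purpose so the truncation path is exercised with short inputs. */
#define ABSPATH_LEN 32

/* 'Before' shape: fixed buffer, sprintf(), return value ignored. An overlong
 * dir or name writes past the end of out[]. Kept only to show the pattern;
 * nothing below calls it. */
void build_abspath_unchecked(char out[ABSPATH_LEN],
                             const char *dir, const char *name)
{
    sprintf(out, "%s/%s", dir, name);
}

/* Hardened form. snprintf() never writes past outlen, and its return value is
 * the length the full string would have had, so n >= outlen means the path
 * was cut short and must not be used. Returns 0 on success, -1 with errno set. */
int build_abspath(char *out, size_t outlen, const char *dir, const char *name)
{
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0) {
        return -1;                 /* encoding error; errno set by snprintf */
    }
    if ((size_t)n >= outlen) {
        out[0] = '\0';             /* don't leave a plausible-looking partial path */
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* fork() returns -1 on failure. Code that skips that check treats -1 as a
 * child pid in the parent branch; a later kill(pid, SIGTERM) with pid == -1
 * signals every process the caller is allowed to signal. Returns the child's
 * exit status, or -1 with errno set if fork() or waitpid() failed. */
int run_in_child(int (*fn)(void))
{
    int status;
    pid_t pid = fork();

    if (pid < 0) {
        return -1;                 /* fork() failed: EAGAIN, ENOMEM, ... */
    }
    if (pid == 0) {
        _exit(fn() & 0xff);        /* child: no stdio flush, no atexit handlers */
    }
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed child body for the demo. */
int child_returns_seven(void)
{
    return 7;
}

int main(void)
{
    char path[ABSPATH_LEN];

    /* 23 characters: fits, path is usable */
    if (build_abspath(path, sizeof path, "/var/lib/glusterd", "quota") == 0)
        printf("ok: %s\n", path);
    else
        printf("refused: %s\n", strerror(errno));

    /* 4 + 1 + 40 characters does not fit in 32 bytes: rejected, not overflowed */
    if (build_abspath(path, sizeof path, "/mnt",
                      "0123456789012345678901234567890123456789") != 0)
        printf("refused: %s\n", strerror(errno));

    printf("child exit status: %d\n", run_in_child(child_returns_seven));
    return 0;
}
```

    The point of returning -1 rather than a truncated string is that the
    caller's next step (open(), unlink(), a quota lookup) then operates on
    nothing rather than on a shortened path that happens to exist.<br>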
  </body>
</html>