[Bug 3382] Software vulnerabilities detected using ESBMC-WR tool

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jan 20 15:01:03 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3382

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
I think these are both false positives.

(In reply to janislley from comment #0)
[...]
> State 2 file syserr.c

There is no file with that name in OpenSSH.  There is (potentially, if
depending on autoconf) a strerror, however a) it's in bsd-misc.c and b)
Linuxes usually have a native strerror.

> line 4 function strerror thread 0

Line 4 in bsd-misc.c is in the middle of a comment block.

[...]
> State 3 file syserr.c line 108 function strerror thread 0

Line 108 in bsd-misc.c is a blank line after the strerror function.

In addition, the strerror replacement explicitly checks for errno<0:

const char *strerror(int e)
{
        extern int sys_nerr;
        extern char *sys_errlist[];

        if ((e >= 0) && (e < sys_nerr))
                return (sys_errlist[e]);
        return ("unlisted error");
}

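The bounds check Darren quotes above, as an added stand-alone example (not OpenSSH's code): the platform sys_errlist/sys_nerr pair is replaced by a constructed message table so the replacement's `e >= 0 && e < count` guard can be exercised with negative and out-of-range values, which is exactly the errno<0 path the tool flagged.

```c
/* Added example, not code from OpenSSH: a model of the bsd-misc.c
 * strerror() replacement, indexing a constructed table instead of the
 * platform's sys_errlist (which glibc no longer exports). */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for sys_errlist; err_count plays the role of sys_nerr. */
static const char *const err_table[] = {
    "Success",
    "Operation not permitted",
    "No such file or directory",
};
static const int err_count = (int)(sizeof err_table / sizeof err_table[0]);

/* Same shape as the replacement: both bounds are tested before the index
 * is used, so a negative errno can never become a negative array index
 * and a large one can never read past the end of the table. */
const char *checked_strerror(int e)
{
    if ((e >= 0) && (e < err_count))
        return err_table[e];
    return "unlisted error";
}

/* Returns 1 when the lookup fell back to the sentinel, 0 when it hit a
 * real table entry; handy for sweeping a range of candidate errno values. */
int fell_back(int e)
{
    return strcmp(checked_strerror(e), "unlisted error") == 0;
}

int main(void)
{
    int probes[] = { -1, 0, 2, 3, 1000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%5d -> %s\n", probes[i], checked_strerror(probes[i]));
    return 0;
}
```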