[Freeswitch-dev] Static analysis tool Cppcheck discovered many errors in FreeSWITCH code

Michael Jerris mike at jerris.com
Thu Sep 8 18:22:48 MSD 2016


Please see previous responses on the list about how to handle these issues.  Please stop sending big lists of completely unvetted possible vulnerabilities to the list. If you are going to actually do the hard work of researching these and determining which are real, we welcome that work and will review the bug reports in Jira when they are filed.



> On Sep 7, 2016, at 7:31 AM, Vladimir Mancic <vmancic at ooma.com> wrote:
> 
> I ran cppcheck for FreeSWITCH 1.6.10; the result is also in the attached file, but in short:
> - memleak (62 occurrences)
> - memleakOnRealloc (9 occurrences)
> - resourceLeak (24 occurrences)
> - doubleFree (more than 100 occurrences)
> 
> Regards,
> Vladimir
> 
> From: freeswitch-dev-bounces at lists.freeswitch.org [freeswitch-dev-bounces at lists.freeswitch.org] on behalf of Vladimir Mancic [vmancic at ooma.com]
> Sent: 31 August 2016 11:02
> To: freeswitch-dev at lists.freeswitch.org
> Subject: Re: [Freeswitch-dev] Static analysis tool Cppcheck discovered many errors in FreeSWITCH code
> 
> Thanks!
> 
> From: freeswitch-dev-bounces at lists.freeswitch.org [freeswitch-dev-bounces at lists.freeswitch.org] on behalf of Ken Rice [krice at freeswitch.org]
> Sent: 30 August 2016 19:34
> To: freeswitch-dev at lists.freeswitch.org
> Subject: Re: [Freeswitch-dev] Static analysis tool Cppcheck discovered many errors in FreeSWITCH code
> 
> Easiest way is via git… see https://freeswitch.org/stash/projects/FS/repos/freeswitch/browse (we use stash which is bitbucket or sorta like github)
>  
> From: freeswitch-dev-bounces at lists.freeswitch.org [mailto:freeswitch-dev-bounces at lists.freeswitch.org] On Behalf Of Vladimir Mancic
> Sent: Tuesday, August 30, 2016 12:19 PM
> To: freeswitch-dev at lists.freeswitch.org
> Subject: Re: [Freeswitch-dev] Static analysis tool Cppcheck discovered many errors in FreeSWITCH code
>  
> Thank you.
>  
> And how to get the latest master branch?
>  
> Vladimir
>  
> From: freeswitch-dev-bounces at lists.freeswitch.org [freeswitch-dev-bounces at lists.freeswitch.org] on behalf of Michael Jerris [mike at jerris.com]
> Sent: 30 August 2016 16:05
> To: freeswitch-dev at lists.freeswitch.org
> Subject: Re: [Freeswitch-dev] Static analysis tool Cppcheck discovered many errors in FreeSWITCH code
> 
> The correct way to do this would be to run this on the latest master branch of freeswitch and file any potential issues as security issues in Jira.  Yes, many hundreds of issues have been fixed since 1.4 (1.4 is now EOL) and we make use of static analysis tools.  Static analysis tools in general have a very high false positive rate; we do our best to address issues found with them, but they require much more than running a tool and getting a report.  Every single one of those reports needs to be investigated, confirmed if it's actually valid (typically 80%+ are not), and reported.
>  
>  
> On Aug 30, 2016, at 9:07 AM, Vladimir Mancic <vmancic at ooma.com> wrote:
>  
> Hi,
>  
> Static analysis tool Cppcheck discovered many errors in FreeSWITCH v1.4 code (memory leaks, resource leaks, double frees,...):
>  
> - memleak (76 occurrences)
> - memleakOnRealloc (12 occurrences)
> - resourceLeak (21 occurrences)
> - doubleFree (more than 100 occurrences)
>  
> Is this known to the FreeSWITCH community, and has there been any work on it in more recent versions of FreeSWITCH?
>  
>  
> Thanks,
> Vladimir
> <FreeSwitch-Cppcheck-Results.xml>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
> 
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
> 
> FreeSWITCH-dev mailing list
> FreeSWITCH-dev at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-dev
> UNSUBSCRIBE: http://lists.freeswitch.org/mailman/options/freeswitch-dev
> http://www.freeswitch.org
>  
> <freeswitch_1_6_10_cppcheck_results.xml>
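The triage loop Michael describes (run on master, collapse duplicates, confirm each finding, keep confirmed false positives from being reported again) as an added example that is not FreeSWITCH project code: cppcheck's `--xml-version=2` result layout and its `id:file:line` suppressions-list syntax are real, while the two sample result files, their paths, line numbers and cppcheck version are constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample results for two releases: the XML layout is cppcheck's,
# the file names, line numbers and cppcheck version are made up.
OLD_RUN = """<?xml version="1.0"?>
<results version="2"><cppcheck version="1.75"/><errors>
<error id="memleak" severity="error" msg="Memory leak: p" verbose="Memory leak: p" cwe="401">
  <location file="src/a.c" line="42"/></error>
<error id="doubleFree" severity="error" msg="Memory pointed to by 'q' is freed twice." verbose="" cwe="415">
  <location file="src/b.c" line="10"/></error>
<error id="resourceLeak" severity="error" msg="Resource leak: fd" verbose="Resource leak: fd" cwe="775">
  <location file="src/c.c" line="7"/></error>
</errors></results>"""
NEW_RUN = """<?xml version="1.0"?>
<results version="2"><cppcheck version="1.75"/><errors>
<error id="memleak" severity="error" msg="Memory leak: p" verbose="Memory leak: p" cwe="401">
  <location file="src/a.c" line="42"/></error>
<error id="doubleFree" severity="error" msg="Memory pointed to by 'q' is freed twice." verbose="" cwe="415">
  <location file="src/b.c" line="10"/></error>
<error id="doubleFree" severity="error" msg="Memory pointed to by 'q' is freed twice." verbose="" cwe="415">
  <location file="src/b.c" line="10"/></error>
<error id="memleakOnRealloc" severity="error" msg="Common realloc mistake: 'buf' nulled but not freed upon failure" verbose="" cwe="401">
  <location file="src/d.c" line="55"/></error>
</errors></results>"""

def parse(xml_text):
    """(checker id, file, line) keys of one run; a set collapses a site
    that cppcheck reports along several paths into one finding."""
    keys = set()
    for err in ET.fromstring(xml_text).iter("error"):
        loc = err.find("location")  # first location is the reported site
        if loc is None:  # e.g. missingInclude entries carry no location
            continue
        keys.add((err.get("id"), loc.get("file"), int(loc.get("line"))))
    return keys

def summarize(findings):
    """Per-checker counts, like the 'memleak (N occurrences)' lists above."""
    return Counter(checker for checker, _, _ in findings)

def diff_runs(old, new):
    """Split into fixed, still open, and new since the old run; only 'new'
    needs a fresh look, 'open' keeps the verdict from the earlier triage."""
    return {"fixed": old - new, "open": old & new, "new": new - old}

def suppressions(false_positives):
    """Findings judged invalid, in cppcheck's suppressions-list syntax
    (id:file:line), so the next run no longer reports them."""
    return sorted(f"{c}:{f}:{n}" for c, f, n in false_positives)
```

Feed the output of `suppressions()` to cppcheck's `--suppressions-list=<file>` so a verdict recorded once is not re-triaged on every run.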
