[openssl-project] coverity defect release criteria (Fwd: New Defects reported by Coverity Scan for openssl/openssl)
Dr. Matthias St. Pierre
Matthias.St.Pierre at ncp-e.com
Sun Sep 9 23:10:36 UTC 2018
> > *** CID 1439137: Integer handling issues (NEGATIVE_RETURNS)
> > work in progress...
> I think this one may be a false positive -- it's worried that EVP_MD_size()
> will return -1, but we've essentially already validated that the md is
> valid by the time we get there. I didn't do a full check, though.
Yes, that's my suspicion, too. But I am also not sure yet.
As far as I understand it, EVP_MD_size() will be negative only if md == NULL.
So it boils down to the question whether one can assert that mctx
always contains a valid md in line 261:
const EVP_MD *md = EVP_MD_CTX_md(mctx);
If that is the case, then one can silence coverity by casting the sign of the
return value of EVP_MD_size(). But if not, some error handling is missing.
More information about the openssl-project