[openssl-project] coverity defect release criteria (Fwd: New Defects reported by Coverity Scan for openssl/openssl)
Dr. Matthias St. Pierre
Matthias.St.Pierre at ncp-e.com
Sun Sep 9 23:10:36 UTC 2018
> > *** CID 1439137: Integer handling issues (NEGATIVE_RETURNS)
> > work in progress...
>
> I think this one may be a false positive -- it's worried that EVP_MD_size()
> will return -1, but we've essentially already validated that the md is
> valid by the time we get there. I didn't do a full check, though.
>
> -Ben

Yes, that's my suspicion, too. But I am also not sure yet.

As far as I understand it, EVP_MD_size() will be negative only if md == NULL.
So it boils down to the question whether one can assert that mctx
always contains a valid md in line 261:

    const EVP_MD *md = EVP_MD_CTX_md(mctx);

If that is the case, then one can silence coverity by casting the sign of the
return value of EVP_MD_size(). But if not, some error handling is missing.

Matthias
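
The two options weighed in the message above (cast the sign, or add error handling), shown side by side as an added example; it is not part of the original message and is not OpenSSL code. The `model_*` types and functions are hypothetical stand-ins that only reproduce the behaviour the message describes, a negative size when md == NULL.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins, not OpenSSL types: a digest descriptor and a
 * context whose md pointer may be unset, as the message considers for mctx. */
struct model_md { int size; };
struct model_ctx { const struct model_md *md; };

/* Models the behaviour described in the message: negative only if md == NULL. */
static int model_md_size(const struct model_md *md)
{
    return md == NULL ? -1 : md->size;
}

/* Cast-only variant: quiets the checker, but -1 converts to the largest
 * size_t value, so it is only sound if md can never be NULL here. */
static size_t digest_len_cast_only(const struct model_ctx *ctx)
{
    return (size_t)model_md_size(ctx->md);
}

/* Checked variant: reject the negative return before converting the sign.
 * Returns 1 and stores the length on success, 0 on error (out_len untouched). */
static int digest_len_checked(const struct model_ctx *ctx, size_t *out_len)
{
    int n = model_md_size(ctx->md);

    if (n < 0)
        return 0;
    *out_len = (size_t)n;
    return 1;
}

int main(void)
{
    const struct model_md sample_md = { 32 };   /* constructed sample digest */
    const struct model_ctx ok = { &sample_md }, unset = { NULL };
    size_t len = 0;
    int rc;

    printf("cast-only, md set:   %zu\n", digest_len_cast_only(&ok));
    printf("cast-only, md unset: %zu\n", digest_len_cast_only(&unset));
    rc = digest_len_checked(&ok, &len);
    printf("checked,   md set:   rc=%d len=%zu\n", rc, len);
    rc = digest_len_checked(&unset, &len);
    printf("checked,   md unset: rc=%d\n", rc);
    return 0;
}
```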