[Snort-devel] Undefined variable/garbage values encountered in snort-2.9.7.5

Nageswara Rao A.V.K (navk) navk at ...3461...
Sun Aug 9 03:59:17 EDT 2015


Hello Bill,
    It looks like clang-analyzer is not able to analyze variable initialization spread across functions/files.
Please find my response below.

From: Bill Parker [mailto:wp02855 at ...2499...]
Sent: Sunday, August 09, 2015 1:29 AM
To: snort-devel at lists.sourceforge.net; vroemer at ...3461...
Subject: [Snort-devel] Undefined variable/garbage values encountered in snort-2.9.7.5

Hello All,

   In processing snort-2.9.7.5 through clang-analyzer 3.5.0, in
'detection-plugins', file 'sp_respond3', module/function 'Resp3_parse',
at line 213: while (i < num_toks), while i is set to zero on line
212, it would appear num_toks is declared at line 204, but it is
never assigned a value (i.e. uninitialized) before it is compared
at line 213 (thus, it could be anything).

ANR>> 'num_toks' is initialized in the 'mSplit' function, called at line 207.
Refer to the 'mSplit' function definition in mstring.c at line 138.
If 'type' is NULL, the program will be shut down by FatalError at line 209.
So num_toks will have a valid value at line 213.

======================================================================

In 'detection-plugins', file 'detection_options.c', module/function
'detection_option_node_evaluate' at line 1212, the expansion of the
macro 'NODE_PROFILE_TMPEND' which is below:

if (ScProfileRules()) { { uint32_t a, d; __asm__ __volatile__
 ("rdtsc" : "=a" (a), "=d" (d)); node_ticks_end = ((uint64_t)
a) | (((uint64_t)d) << 32); }; node_ticks_delta = node_ticks_end
 - node_ticks_start; node_deltas += node_ticks_delta; }

results in the right operand of '-' being a garbage value (which
appears to be variable 'node_ticks_start'), and it does not
appear to be initialized inside of the macro itself.

ANR>> 'node_ticks_start' is initialized in the macro 'NODE_PROFILE_START' called at line 905.
'node_ticks_start' is initialized with get_clockticks() in the above macro path.

NODE_PROFILE_START(node)-> PROFILE_START_NAMED(node)-> get_clockticks(node_ticks_start)

======================================================================

In 'detection-plugins', file 'detection_options.c', module/function
'detection_option_node_evaluate' at lines 1163, 1172, 1199, the
macro expansion of 'NODE_PROFILE_END_NOMATCH' which is below:

if (ScProfileRules()) { { uint32_t a, d; __asm__ __volatile__
 ("rdtsc" : "=a" (a), "=d" (d)); node_ticks_end = ((uint64_t)
a) | (((uint64_t)d) << 32); }; node_ticks_delta = node_ticks_end
 - node_ticks_start; node->ticks += node_ticks_delta + node_deltas
; node->ticks_no_match += node_ticks_delta + node_deltas; }

results in the right operand of '-' being a garbage value (which
appears to be variable 'node_ticks_start'), and it does not
appear to be initialized inside of the macro itself.

ANR>> Same as above.

=======================================================================

I am attaching the HTML output from clang-analyzer to this bug report.

Bill Parker
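The num_toks pattern discussed above, as an added illustration that is not code from Snort or from either poster: split_tokens() and count_tokens() are hypothetical stand-ins for mSplit() and Resp3_parse(), showing the out-parameter initialised only inside the callee, and the zero-initialisation at the declaration that makes the analyzer's view match the real control flow.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for Snort's mSplit(): splits str on sep into at most
 * 8 heap tokens, stores the count through *num_toks, returns NULL on bad input. */
static char **split_tokens(const char *str, char sep, int *num_toks)
{
    char **toks;
    int n = 0;
    if (str == NULL || *str == '\0')
        return NULL;                    /* *num_toks is left untouched here */
    if ((toks = calloc(8, sizeof(*toks))) == NULL)
        return NULL;
    while (n < 8 && *str != '\0') {
        const char *end = strchr(str, sep);
        size_t len = end ? (size_t)(end - str) : strlen(str);
        if ((toks[n] = malloc(len + 1)) == NULL)
            break;                      /* earlier tokens stay for free_tokens() */
        memcpy(toks[n], str, len);
        toks[n][len] = '\0';
        n++;
        if (end == NULL)
            break;
        str = end + 1;
    }
    *num_toks = n;                      /* the callee is what initialises it */
    return toks;
}

static void free_tokens(char **toks, int num_toks)
{
    for (int i = 0; i < num_toks; i++)
        free(toks[i]);
    free(toks);
}

/* Caller shaped like Resp3_parse: declare, split, bail out on NULL, then loop
 * while (i < num_toks). The "= 0" gives the analyzer a defined value on every path. */
int count_tokens(const char *data)
{
    int num_toks = 0, i = 0;
    char **toks = split_tokens(data, ',', &num_toks);
    if (toks == NULL)
        return -1;                      /* Snort calls FatalError() here */
    while (i < num_toks)
        i++;
    free_tokens(toks, num_toks);
    return i;
}
```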