openssh unix dev - Jun 2007 - NULL ptr dereferences found with Calysto static checker

Hi,

I've ran my static checker Calysto on openssh and found the following bug:

Possible NULL-ptr deref (vc536):
@/work/benchmarks/SOURCES/openssh-4.6p1/moduli.c:173
+ ptr gtm returned from gmtime dereferenced without checking (gmtime can
return NULL).

There are probably more possible NULL-ptr dereferences, but Calysto
currently does not check the usage of library functions (for instance,
if external library function foo dereferences a pointer, Calysto can't
figure
that out unless the code for foo was compiled into the same module).

Specification of external libraries will be done by early Aug.

Regards,

-- 
        Domagoj Babic

        http://www.domagoj.info/
        http://www.calysto.org/

Hi,

On Wed, Jun 20, 2007 at 11:06:31AM -0700, Domagoj Babic
wrote:
> I've ran my static checker Calysto on openssh and found the following
bug:
> 
> Possible NULL-ptr deref (vc536):
> @/work/benchmarks/SOURCES/openssh-4.6p1/moduli.c:173
> + ptr gtm returned from gmtime dereferenced without checking (gmtime can
> return NULL).
Now this surprises me a bit - I've checked FreeBSD 4 and 6 man pages,
and neither mentions that the return ptr could be NULL.

Checking older SVR3 man pages, I can see the reason:

--------------- quote ---------------
 Note

    The return values for ctime, localtime and gmtime point to static data
    whose content is overwritten by each call.
--------------- quote ---------------

So under which circumstances can it be NULL?

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at
greenie.muc.de
fax: +49-89-35655025                        gert at
net.informatik.tu-muenchen.de