
Everybody makes mistakes when writing comparison functions

 3 years ago
source link: https://karpov2007.medium.com/everybody-makes-mistakes-when-writing-comparison-functions-9cd49ea35088

Recently the OpenSSL 3.0.0 library was released. We decided to look at the project’s code quality and checked it with the PVS-Studio static analyzer. The code quality is excellent. Thus, we cannot write a long article about errors, as we usually do. However, there was one beautiful mistake, and I couldn’t ignore it.

No one knows how to write comparison functions. I even wrote an article about it: “The Evil within the comparison functions”. And here’s a beautiful confirmation in the OpenSSL code :).

    static int dh_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
    {
        return ossl_ffc_params_cmp(&a->pkey.dh->params, &a->pkey.dh->params,
                                   a->ameth != &ossl_dhx_asn1_meth);
    }

PVS-Studio warns: “V751 Parameter ‘b’ is not used inside function body. dh_ameth.c 312”. The analyzer detected a suspicious function where one of the parameters is never used while another parameter is used several times. It may indicate an error in the code.

The a pointer points to an object that is compared to itself. The b pointer is not used.
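
The same defect next to its corrected form, with a regression check that tells them apart, as an added example (not OpenSSL or PVS-Studio code). The names `struct params`, `struct key`, `key_cmp_buggy`, `key_cmp_fixed` and `cmp_is_sound` are hypothetical and the byte values are constructed. A self-comparison always reports a match, so only a test that passes two different objects exposes it.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for a key and its domain parameters. */
struct params { unsigned char p[4]; unsigned char g; };
struct key { struct params params; };

/* Returns 1 when both parameter sets match, 0 otherwise. */
static int params_cmp(const struct params *x, const struct params *y)
{
    return memcmp(x->p, y->p, sizeof x->p) == 0 && x->g == y->g;
}

/* Same defect as on the page: 'a' is compared with itself, 'b' is unused. */
static int key_cmp_buggy(const struct key *a, const struct key *b)
{
    return params_cmp(&a->params, &a->params);
}

/* Corrected form: the second argument comes from 'b'. */
static int key_cmp_fixed(const struct key *a, const struct key *b)
{
    return params_cmp(&a->params, &b->params);
}

typedef int (*key_cmp_fn)(const struct key *, const struct key *);

/* Regression check: returns 1 only if cmp reports equal keys as equal and
 * different keys as different, in both argument orders. */
static int cmp_is_sound(key_cmp_fn cmp)
{
    struct key k1 = { { {0xff, 0xc9, 0x0f, 0xdb}, 2 } }; /* constructed */
    struct key k2 = k1;                                  /* same parameters */
    struct key k3 = { { {0xff, 0xc9, 0x0f, 0xdb}, 5 } }; /* differs in g */

    return cmp(&k1, &k2) == 1 && cmp(&k2, &k1) == 1
        && cmp(&k1, &k3) == 0 && cmp(&k3, &k1) == 0;
}

int main(void)
{
    printf("buggy comparator sound: %d\n", cmp_is_sound(key_cmp_buggy));
    printf("fixed comparator sound: %d\n", cmp_is_sound(key_cmp_fixed));
    return cmp_is_sound(key_cmp_fixed) ? 0 : 1;
}
```

Building with `-Wall -Wextra` on GCC or Clang enables `-Wunused-parameter`, which also flags `b` in `key_cmp_buggy`.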

That’s all. Be careful and vigilant!

Note. It makes little sense to use the analyzer once. Usually, you won’t find anything interesting in code. The analyzer must be used regularly, checking new and low-level code. If you want to read about it in more detail, here’s an article: “Errors that static code analysis does not find because it is not used”. If you are just getting acquainted with the methodology of static code analysis, I highly recommend reading it.

Thank you for your time. Come and try PVS-Studio for your projects.

