Wireshark mailing list archives

Considering ignoring Coverity 'tainted' checks


From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Mon, 11 Jul 2016 12:46:42 +0200

Hi List,

Since (not so) recently the Coverity code analysis has added a checker for so-called tainted data. This data is considered to come from an external source (e.g. the network) and hence suspicious until validated. Using these tainted values is considered a risk. In general this is true; Wireshark, on the other hand, is intended and designed to handle suspicious / (very) possibly wrong network data (that’s what we’re using it for, amongst other things). So even though data is tainted, in many cases the use of the TVB, etc. protects us from the problems envisioned by the checker writers.

So what to do with these Coverity issues? Before we start to implement all kinds of arbitrary checks (duplicating effort already handled by the tvb code) and limits (mostly arbitrary), we should consider whether this checker is really valuable in this context.

Kind regards,
Jaap
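The pattern the message refers to, as an added illustration that is not Wireshark's own tvbuff code: a constructed, minimal tvb-like buffer whose accessors bounds-check every read against the reported length and raise an exception (modelled here with setjmp/longjmp) instead of reading past the packet. A wire-supplied length field is the kind of tainted value Coverity flags; the accessor check is what actually bounds it, while the local-buffer cap remains the dissector's own responsibility. All names and the packet bytes are assumptions.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy stand-in for a tvb: bytes plus the reported packet length. */
typedef struct { const uint8_t *data; size_t len; } toy_tvb;

/* Exception state; real Wireshark uses its own TRY/CATCH layer. */
static jmp_buf bounds_env;
enum { BOUNDS_ERROR = 1 };

/* Every accessor funnels through this overflow-safe check, so a
 * tainted offset/length can never index outside the buffer. */
static void ensure_bytes_exist(const toy_tvb *tvb, size_t off, size_t n) {
    if (off > tvb->len || n > tvb->len - off)
        longjmp(bounds_env, BOUNDS_ERROR);
}

static uint8_t get_u8(const toy_tvb *tvb, size_t off) {
    ensure_bytes_exist(tvb, off, 1);
    return tvb->data[off];
}

/* Toy dissector for a [len:1][payload:len] record (constructed format).
 * Copies the payload into out (capacity cap). Returns bytes consumed,
 * or -1 when the packet is malformed or the payload exceeds cap. */
static int dissect_record(const uint8_t *pkt, size_t pktlen,
                          uint8_t *out, size_t cap) {
    toy_tvb tvb = { pkt, pktlen };
    if (setjmp(bounds_env) != 0)
        return -1;                      /* caught: "Malformed Packet" */
    size_t len = get_u8(&tvb, 0);       /* tainted: comes from the wire */
    ensure_bytes_exist(&tvb, 1, len);   /* wire-side bound, via the tvb */
    if (len > cap)
        return -1;                      /* local-buffer bound, dissector's job */
    memcpy(out, tvb.data + 1, len);     /* safe: both bounds established */
    return (int)(1 + len);
}
```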
