[tor-bugs] #17852 [Tor]: Tor Daemon hardening

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 14 14:23:11 UTC 2015


#17852: Tor Daemon hardening
--------------------------+------------------------
     Reporter:  jsturgix  |      Owner:
         Type:  defect    |     Status:  new
     Priority:  Medium    |  Milestone:
    Component:  Tor       |    Version:  Tor: 0.2.7
     Severity:  Normal    |   Keywords:
Actual Points:            |  Parent ID:
       Points:            |    Sponsor:
--------------------------+------------------------
 I ran FlawFinder (http://www.dwheeler.com/flawfinder/), a C static source
 code analyzer, against the Tor source, maint-0.2.7 branch.  FlawFinder
 reported the following results:

 Hits = 2348
 Lines analyzed = 239214 in 8.25 seconds (30879 lines/second)
 Physical Source Lines of Code (SLOC) = 171455
 Hits at level = [0]   0 [1] 760 [2] 1550 [3]  14 [4]  14 [5]  10
 Hits at level+ = [0+] 2348 [1+] 2348 [2+] 1588 [3+]  38 [4+]  24 [5+]  10
 Hits/KSLOC at level+ = [0+] 13.6946 [1+] 13.6946 [2+] 9.26191 [3+] 0.221632 [4+] 0.139978 [5+] 0.0583243
 Dot directories skipped = 11 (--followdotdir overrides)
 Minimum risk level = 1
 Not every hit is necessarily a security vulnerability.
 There may be other security vulnerabilities; review your code!


 I manually reviewed all hits level 3+.  Most were false positives, but I
 did make several suggestions that can be found in my Tor repository
 (branch maint-0.2.7-codereview).


 https://github.com/sturgix/tor/tree/maint-0.2.7-codereview

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17852>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

