From: Matthew Hall
To: Stephen Hemminger
Cc: dev@dpdk.org
Date: Thu, 12 Nov 2015 17:55:11 -0500
Subject: Re: [dpdk-dev] Coverity policy for upstream (base) drivers.
Message-ID: <20151112225511.GA10012@mhcomputing.net>
In-Reply-To: <20151112140508.79489210@xeon-e3>
References: <20151112140508.79489210@xeon-e3>

On Thu, Nov 12, 2015 at 02:05:08PM -0800, Stephen Hemminger wrote:
> Looking at the Coverity scan for DPDK, it looks like all the base
> drivers are marked to be ignored.
>
> Although the changes to base drivers should not be done directly through
> DPDK list. I think it is still valuable to have these drivers scanned and
> notify (badger) the vendors to fix their code.
>
> Since lots of the bugs could be there, just blindly ignoring warnings
> and issues is being naive.

I am with Stephen. Ignoring base driver vulns is a bad practice.

With these L1-L4 bugs the chances are good somebody could trigger these and
find 0days using tools as old and simple as this one:

http://isic.sourceforge.net/

Matthew.