On 14/03/19 11:51, Peter Maydell wrote:
> Our coverity model of g_strdup() includes:
>     __coverity_string_size_sink__(s);
>
> This seems to be causing Coverity to report false positives like
> CID1399705 and 1399699 where we take a string from getenv() and
> pass it to g_strdup(). The getenv() string is untrusted data of unknown
> length, and g_strdup() being marked as a size-sink makes Coverity
> think the function wants "a string of a particular size".
>
> Markus, you wrote this model initially -- can you remember why it's
> marked as a size-sink? Unfortunately I can't find any documentation
> online about what the coverity model annotation here means :-(

I think it means that we don't want a g_strdup that can potentially do an unbounded allocation. Old versions of Coverity distributed the internal models as source, but unfortunately the new ones don't. I would not be surprised if it was just a cut-and-paste of the original strdup model, just with a different marker for the g_malloc/g_free family of allocation functions.

Paolo

> Should we just mark up the issues as false-positives, or should
> we change our model?
>
> thanks
> -- PMM