Tor Daemon hardening: Fix complaints from FlawFinder.
I ran FlawFinder (http://www.dwheeler.com/flawfinder/), a C static source code analyzer, against the Tor source, maint-0.2.7 branch. FlawFinder reported the following results:
Hits = 2348
Lines analyzed = 239214 in 8.25 seconds (30879 lines/second)
Physical Source Lines of Code (SLOC) = 171455
Hits@level = [0]   0 [1] 760 [2] 1550 [3]  14 [4]  14 [5]  10
Hits@level+ = [0+] 2348 [1+] 2348 [2+] 1588 [3+]  38 [4+]  24 [5+]  10
Hits/KSLOC@level+ = [0+] 13.6946 [1+] 13.6946 [2+] 9.26191 [3+] 0.221632 [4+] 0.139978 [5+] 0.0583243
Dot directories skipped = 11 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
I manually reviewed all hits level 3+. Most were false positives, but I did make several suggestions that can be found in my Tor repository (branch maint-0.2.7-codereview).
https://github.com/sturgix/tor/tree/maint-0.2.7-codereview
Trac:
Username: jsturgix
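The triage step the ticket describes (rebuild the per-level summary, then work through the level 3+ hits by hand) is easier to repeat on later branches if the tool's CSV output is parsed instead of read off the terminal. The script below is an added example; it is not part of the ticket or of the Tor code base. It assumes the column layout FlawFinder emits with its `--csv` option (File, Line, Column, Level, Category, Name, Warning, Suggestion, Note, CWEs, Context, Fingerprint). The sample rows embedded in it are constructed: the file paths, line numbers and findings are invented and are not real Tor hits. Only the SLOC figure (171455) is taken from the ticket's run.

```python
"""Triage FlawFinder CSV output: rebuild the Hits@level summary and pull out
the level 3+ hits that need a manual pass.

Added example, not part of the ticket or the Tor code base. Assumes
FlawFinder's --csv column layout; the sample rows below are constructed and
every path, line number and finding in them is invented.
"""
import csv
import io
from collections import Counter

MAX_LEVEL = 5  # FlawFinder risk levels run from 0 (informational) to 5 (highest)

# Constructed sample of `flawfinder --csv` output. These are NOT real Tor findings.
SAMPLE_CSV = """\
File,Line,Column,Level,Category,Name,Warning,Suggestion,Note,CWEs,Context,Fingerprint
src/common/util.c,120,3,5,buffer,gets,"Does not check for buffer overflows",Use fgets() instead,,CWE-120,"  gets(buf);",f1
src/or/connection.c,88,5,4,buffer,strcpy,"Does not check for buffer overflows when copying to destination",Consider using strlcpy or strncpy,,CWE-120,"  strcpy(dst, src);",f2
src/or/connection.c,95,5,4,format,sprintf,"Does not check for buffer overflows",Use snprintf,,CWE-120,"  sprintf(buf, fmt, n);",f3
src/common/compat.c,300,7,3,buffer,getopt,"Some older implementations do not protect against internal buffer overflows",Check implementation on installation,,CWE-120,"  c = getopt(argc, argv, opts);",f4
src/common/util.c,210,10,2,buffer,char,"Statically-sized arrays can be improperly restricted",Perform bounds checking,,CWE-119!/CWE-120,"  char name[64];",f5
src/or/main.c,40,9,1,buffer,strlen,"Does not handle strings that are not null-terminated",,,CWE-126,"  n = strlen(s);",f6
"""


def parse_hits(csv_text):
    """Parse FlawFinder CSV rows into dicts, with Level and Line as ints."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Level"] = int(row["Level"])
        row["Line"] = int(row["Line"])
        hits.append(row)
    return hits


def summarise(hits, sloc):
    """Rebuild FlawFinder's Hits@level, Hits@level+ and Hits/KSLOC@level+ tables.

    `sloc` is the physical SLOC count FlawFinder reports for the analysed tree.
    """
    per_level = Counter(h["Level"] for h in hits)
    at_level = {lvl: per_level.get(lvl, 0) for lvl in range(MAX_LEVEL + 1)}
    # "N+" means hits at level N or higher, i.e. a cumulative count from the top.
    at_level_plus = {
        lvl: sum(at_level[x] for x in range(lvl, MAX_LEVEL + 1))
        for lvl in range(MAX_LEVEL + 1)
    }
    per_ksloc = {lvl: n / (sloc / 1000.0) for lvl, n in at_level_plus.items()}
    return {
        "hits": len(hits),
        "hits_at_level": at_level,
        "hits_at_level_plus": at_level_plus,
        "hits_per_ksloc_plus": per_ksloc,
    }


def review_queue(hits, minlevel=3):
    """Hits at or above `minlevel`, highest risk first, then by file and line,
    so the manual review starts with the strongest signals."""
    queue = [h for h in hits if h["Level"] >= minlevel]
    queue.sort(key=lambda h: (-h["Level"], h["File"], h["Line"]))
    return queue


def by_function(queue):
    """Count queued hits per flagged function name (strcpy, sprintf, ...).

    Grouping this way shows which families dominate the queue, which is where
    false positives tend to cluster and can be dismissed with one justification.
    """
    return dict(Counter(h["Name"] for h in queue))


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_CSV)
    summary = summarise(hits, sloc=171455)  # SLOC figure from the ticket's run
    print("Hits =", summary["hits"])
    print("Hits@level =", summary["hits_at_level"])
    print("Hits@level+ =", summary["hits_at_level_plus"])
    for h in review_queue(hits):
        advice = h["Suggestion"] or h["Warning"]
        print(f"[{h['Level']}] {h['File']}:{h['Line']} {h['Name']}: {advice} ({h['CWEs']})")
    print("by function:", by_function(review_queue(hits)))
```

To use it on a real tree, run FlawFinder with `--csv` against the checkout and feed the output to `parse_hits` instead of `SAMPLE_CSV`; `review_queue(hits, minlevel=3)` then yields the same set the ticket reviewed by hand, in an order that puts the level 5 and 4 hits first. The per-function grouping is what makes the "most were false positives" verdict cheap to justify: each family (for example every `strlen` at level 1) can be dismissed or accepted once rather than hit by hit.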