Date: Thu, 14 May 2026 11:10:42 +1000
From: David Gibson
To: Stefano Brivio
CC: Laurent Vivier, passt-dev@passt.top
Subject: Re: [PATCH] ndp: Suppress Coverity false positive for random()
References: <20260513102617.1325915-1-lvivier@redhat.com> <20260514010825.21c12443@elisabeth>
In-Reply-To: <20260514010825.21c12443@elisabeth>

On Thu, May 14, 2026 at 01:08:26AM +0200, Stefano Brivio wrote:
> On Wed, 13 May 2026 12:26:17 +0200
> Laurent Vivier wrote:
>
> > Coverity flags the random() call in ndp_timer() with the dont_call
> > checker, warning that it should not be used for security-related
> > applications.
> >
> > This is a false positive: random() is used here to jitter the interval
> > between unsolicited Router Advertisements as required by RFC 4861, to
> > prevent synchronisation between routers on a link. No cryptographic
> > strength is needed.
> >
> > Suppress the warning with an inline Coverity annotation.
> >
> > Signed-off-by: Laurent Vivier
> > ---
> > ndp.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/ndp.c b/ndp.c > > index 1f2bcb0cc7ea..614932ac5829 100644 > > --- a/ndp.c > > +++ b/ndp.c 
> > @@ -441,6 +441,7 @@ void ndp_timer(const struct ctx *c, const struct ti= mespec *now) > > * again, it's close enough for our purposes. > > */ > > interval =3D min_rtr_adv_interval + > > + /* coverity[dont_call:FALSE] */
>
> Sorry, I should have mentioned this to you explicitly, but we discussed
> this in the past and we decided against having explicit suppressions
> for warnings from Coverity Scan (at least, that would be my strong
> preference).
>
> The reason is that I would like to avoid referring to trademarks as
> much as possible, as they might raise "interesting" legal questions,
> and at the same time we have very little control or visibility into how
> these suppressions evolve in future versions of the checker.

If this suppression format also works for the sort-of-public
scan.coverity.com, that mitigates those later concerns somewhat.
Still doesn't remove the kind of implicit endorsement of including a
trademark, which I can understand why we'd want to avoid.

> In this case, by the way, despite the fact that we use this to add some
> randomness to the timing of router advertisements as required by RFC
> 4861, I started wondering recently if an attacker (I'm mostly thinking
> about denials of service) could actually gain anything from making
> these intervals predictable.
>
> If that's the case, perhaps we could just switch to getrandom() and
> be done with it.

Hm, maybe, yes. These announcements are infrequent enough that the
extra cost of getrandom() shouldn't really be a problem.

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
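
Review bot: the added `/* coverity[dont_call:FALSE] */` line sits inside the `interval = min_rtr_adv_interval +` expression with no rationale next to it; the reason the finding is treated as a false positive (jitter between unsolicited Router Advertisements per RFC 4861, no cryptographic strength needed) exists only in the commit message. If the annotation stays, extend the comment block that ends "close enough for our purposes" to say so, since the bare suppression tag is all a later reader of ndp.c will see. The call the annotation is meant to cover is outside the visible context, so it is also worth confirming that the tag ends up directly above the line the checker reports. Drawing the jitter from getrandom(), as raised in the reply, would remove the need for the annotation altogether.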
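
The getrandom() alternative raised in the thread, as an added example that is not code from passt or from any participant: an advertisement interval drawn uniformly between two bounds from the kernel CSPRNG, with rejection sampling so the reduction to the range is unbiased. The bounds are constructed sample values, and `rand_u32()` and `jitter_interval()` are hypothetical names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/random.h>

/* Constructed sample bounds in seconds (assumption, not values from ndp.c) */
#define MIN_ADV_INTERVAL	200
#define MAX_ADV_INTERVAL	600

/* Hypothetical helper: 32 bits from the kernel CSPRNG, 0 on success */
static int rand_u32(uint32_t *v)
{
	ssize_t n;

	do {
		n = getrandom(v, sizeof(*v), 0);
	} while (n < 0 && errno == EINTR);	/* retry if a signal interrupted us */

	return n == (ssize_t)sizeof(*v) ? 0 : -1;
}

/* Hypothetical helper: uniform value in [lo, hi], or -1 on error */
int64_t jitter_interval(uint32_t lo, uint32_t hi)
{
	uint32_t span, skip, r;

	if (hi < lo)
		return -1;
	span = hi - lo + 1;			/* wraps to 0 for the full 32-bit range */
	skip = span ? (UINT32_MAX - span + 1) % span : 0;	/* 2^32 mod span */
	do {
		if (rand_u32(&r))
			return -1;
	} while (r < skip);			/* reject draws that would bias r % span */

	return (int64_t)lo + (span ? r % span : r);
}

int main(void)
{
	int64_t s = jitter_interval(MIN_ADV_INTERVAL, MAX_ADV_INTERVAL);

	if (s < 0)
		return 1;
	printf("next unsolicited advertisement in %lld s\n", (long long)s);
	return 0;
}
```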