hardening: add insurance to exit on a failed ASSERT()

The code behind our ASSERT() macro is pretty complex.  Although it seems
to be correct, make it trivially clear we will never return from a failed
assert by adding an _exit(1) call.  As was suggested by Sebastian Krahmer
of the SuSE security team.

To make sure they that tools like clang static analyzer and coverity
understand that assert_failed() will not return, add an
__attribute__((__noreturn__)) annotation.

v2: use __attribute__ instead of inline to convince static analysers.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1445414886-11052-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10349
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/error.c b/src/openvpn/error.c
index 77b6cec06baabe9b25a195458e6dd9fa2f7ca31b..66f37f3b9a411fe3675c667196780beb0f598ab6 100644 (file)
--- a/src/openvpn/error.c
+++ b/src/openvpn/error.c
@@ -397,6 +397,7 @@ void
 assert_failed (const char *filename, int line)
 {
   msg (M_FATAL, "Assertion failed at %s:%d", filename, line);
+  _exit(1);
 }
 
 /*

diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index d5204f3f38041b49edfbfd21a3d86a7c171f27b4..4d338439d74be9983c051158cc8326c32f4c11a5 100644 (file)
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -210,7 +210,7 @@ FILE *msg_fp(const unsigned int flags);
 /* Fatal logic errors */
 #define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__); } while (false)
 
-void assert_failed (const char *filename, int line);
+void assert_failed (const char *filename, int line) __attribute__((__noreturn__));
 
 #ifdef ENABLE_DEBUG
 void crash (void); /* force a segfault (debugging only) */