hardening: add insurance to exit on a failed ASSERT()

The code behind our ASSERT() macro is pretty complex.  Although it seems
to be correct, make it trivially clear we will never return from a failed
assert by adding an _exit(1) call.  As was suggested by Sebastian Krahmer
of the SuSE security team.

To make sure they that tools like clang static analyzer and coverity
understand that assert_failed() will not return, add an
__attribute__((__noreturn__)) annotation.

v2: use __attribute__ instead of inline to convince static analysers.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1445414886-11052-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10349
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e8a9e3203bf00605dae000d31095076ae038491c)

diff --git a/src/openvpn/error.c b/src/openvpn/error.c
index 6848425e0841235317c79e105e23a969aa0d86be..de2fc49a9eef6565725b86d47c4d5cb9ed3a0b50 100644 (file)
--- a/src/openvpn/error.c
+++ b/src/openvpn/error.c
@@ -400,6 +400,7 @@ void
 assert_failed (const char *filename, int line)
 {
   msg (M_FATAL, "Assertion failed at %s:%d", filename, line);
+  _exit(1);
 }
 
 /*

diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index 27c48b692b9708dc33aa80b7dbb756c079c28b0a..e9564ac4258ea8df18b1b9812df0cf4f0aaed0ac 100644 (file)
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -213,7 +213,7 @@ FILE *msg_fp(const unsigned int flags);
 /* Fatal logic errors */
 #define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__); } while (false)
 
-void assert_failed (const char *filename, int line);
+void assert_failed (const char *filename, int line) __attribute__((__noreturn__));
 
 #ifdef ENABLE_DEBUG
 void crash (void); /* force a segfault (debugging only) */