This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.
Hi Robert,

We have made internal checks for buffer overflows in the netCDF C library, using our extensive test suite and tools such as Electric Fence, dbx "check access" tools, and the libumem library on Solaris. Most tools that are good for finding memory leaks can also check for buffer overflows and other memory access violations that can be exploited. We don't believe there are remaining buffer overflows in our code, but would like better tools for detecting these and other security problems.

NOAA has a license for a commercial tool that scans C, C++, and Java code for possible security problems. They have run this on netCDF, but so far won't share the results with us. The tool costs about $15k, and we couldn't justify purchasing it without knowing whether it could find any actual problems.

Our latest approach has been to request a scan of our code from Coverity (http://scan.coverity.com/about.html), who donates analysis of Open Source projects to the developers to help improve the security of Open Source software. We initially requested a scan in January 2008, but got no response, so I have just requested analysis of a smaller subset of our software by Coverity. You might try the same approach after reading the FAQ on the web site above.

--Russ

Russ Rew
UCAR Unidata Program
address@hidden
http://www.unidata.ucar.edu

Ticket Details
===================
Ticket ID: BDF-181549
Department: Support netCDF
Priority: Normal
Status: Closed