Re: [PATCH] ndp: Suppress Coverity false positive for random()

14 May 2026

On Thu, May 14, 2026 at 01:08:26AM +0200, Stefano Brivio wrote:
...
On Wed, 13 May 2026 12:26:17 +0200
Laurent Vivier  wrote:
...
Coverity flags the random() call in ndp_timer() with the dont_call
checker, warning that it should not be used for security-related
applications.
This is a false positive: random() is used here to jitter the interval
between unsolicited Router Advertisements as required by RFC 4861, to
prevent synchronisation between routers on a link.  No cryptographic
strength is needed.
Suppress the warning with an inline Coverity annotation.
Signed-off-by: Laurent Vivier 
---
 ndp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ndp.c b/ndp.c
index 1f2bcb0cc7ea..614932ac5829 100644
--- a/ndp.c
+++ b/ndp.c
@@ -441,6 +441,7 @@ void ndp_timer(const struct ctx *c, const struct timespec *now)
   * again, it's close enough for our purposes.
   */
  interval = min_rtr_adv_interval +
+		/* coverity[dont_call:FALSE] */
Sorry, I should have mentioned this to you explicitly, but we discussed
this in the past and we decided against having explicit suppressions
for warnings from Coverity Scan (at least, that would be my strong
preference).
The reason is that I would like to avoid referring to trademarks as
much as possible, as they might raise "interesting" legal questions,
and at the same time we have very little control or visibility into how
these suppressions evolve in future versions of the checker.
If this suppression format also works for the sort-of-public
scan.coverity.com, that mitigates those later concerns somewhat.
Still doesn't remove the kind of implicit endorsement of including a
trademark, which I can understand why we'd want to avoid.
...
In this case, by the way, despite the fact that we use this to add some
randomness to the timing of router advertisements as required by RFC
4861, I started wondering recently if an attacker (I'm mostly thinking
about denials of service) could actually gain anything from making
these intervals predictable.
If that's the case, perhaps we could just switch to getrandom() and
be done with it.
Hm, maybe, yes.  These announcements are infrequent enuogh that the
extra cost of getrandom() shouldn't really be a problem.

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

    