Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 29 Jun 2013 16:56:42 +0200
From: Jens Gustedt <jens.gustedt@...ia.fr>
To: musl@...ts.openwall.com
Subject: Re: Use of size_t and ssize_t in mseek

Am Samstag, den 29.06.2013, 10:17 -0400 schrieb Rich Felker:
> Just that this is one of a multitude of places that such a check could
> be made, and I question the value of doing it in one place but not
> others. Examples include snprintf, strnlen, memchr, and basically any
> interface that takes a size_t representing the size of an already
> existing object. I'm against adding checks to all these places since
> it adds bloat and potentially hurts performance and for most of them
> there's nothing they could do except crash if the check failed. So
> what I'm questioning is the value of adding such a check to the one
> interface you ran into trouble with, when there are plenty more widely
> used functions that won't be checked; this inconsistency does not make
> sense to me. I'd like to hear what others think, though.

I think C11 has indentified this sort of specification problems and
therefore introduces rsize_t and RSIZE_MAX in the not-loved-by-many
appendix K "bounds-checking intefaces". Interfaces that are specified
with this type are required to check that the value isn't too large
for any object.

If you'd want to go that road (of checking for the size) I'd suggest
that you'd define and use RSIZE_MAX for such a thing, and maybe even
change the interfaces to use rsize_t. Since this is only a typedef
such a change should still be compatible with size_t as in the current
and future standard(s), and it would clearly mark the intent of bounds
checking.

Jens


-- 
:: INRIA Nancy Grand Est :: http://www.loria.fr/~gustedt/   ::
:: AlGorille ::::::::::::::: office Nancy : +33 383593090   ::
:: ICube :::::::::::::: office Strasbourg : +33 368854536   ::
:: ::::::::::::::::::::::::::: gsm France : +33 651400183   ::
:: :::::::::::::::::::: gsm international : +49 15737185122 ::



Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.