lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 14 Nov 2009 03:44:14 +0000 (UTC)
From:	daw@...berkeley.edu (David Wagner)
To:	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 3/4] security/selinux: decrement sizeof size in strncmp

Casey Schaufler  wrote:
> No, but I hate arguing with people who think that every time
> they see strcmp that they have found a security flaw.

Valdis.Kletnieks@...edu wrote:
> How do you feel about people who think every time they see strcmp()
> "Oh crap, something that needs auditing"? ;)

Casey Schaufler  wrote:
> They have my deep sympathy. Which is why I'm advocating leaving
> the perfectly functional and correct use of strncmp() as it is.

Personally, I think this is catering to irrational kneejerk responses,
from hypothetical people who may or may not exist.  I have yet to see a
single person stand up on the linux-kernel mailing list, endorse such
a position, and put their own name behind it.  That's no surprise,
because it looks to me like an illogical and unjustified position that
would reflect poorly on anyone who adopted such a position in this case.
I do not think it makes sense to make a decision based upon the hypothesis
that maybe unidentified others will think that way, particularly when
no one can put forward a convincing argument that "thinking that way"
is reasonable in light of the technical facts.

I personally don't find
    strncmp(foo, "constant", sizeof("constant"))        // first snippet
to be more readable, auditable, or obviously correct than
    strcmp(foo, "constant").                            // second snippet
Do you?  Does anyone?

Of course, those two code snippets have exactly the same behavior, so
there is no difference in their actual security properties.  The only
possible difference I can imagine would be if one code snippet is
more readable, intuitive, or obviously correct than the other -- but I
would think strcmp() is no worse under those criteria, and if anything
modestly better.  Is there a technical basis for arguing that the first
snippet is better than the second snippet?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ