Date: Mon, 27 Nov 2023 14:10:45 +0100
From: Jann Horn <jannh@...gle.com>
To: David Howells <dhowells@...hat.com>
Cc: Boris Pismenny <borisp@...dia.com>, John Fastabend <john.fastabend@...il.com>, 
	Jakub Kicinski <kuba@...nel.org>, "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] tls: fix NULL deref on tls_sw_splice_eof() with empty record

On Mon, Nov 27, 2023 at 10:04 AM David Howells <dhowells@...hat.com> wrote:
> Jann Horn <jannh@...gle.com> wrote:
>
> > +     /* same checks as in tls_sw_push_pending_record() */
>
> Wouldn't it be better to say what you're checking rather than referring off to
> another function that might one day disappear or be renamed?

Hm, maybe? My thought was that since this is kind of a special version
of what tls_sw_push_pending_record() does, it's clearer to refer to
sort of the canonical version of these checks. And if that ever
disappears or gets renamed or whatever, and someone misses the
comment, you'll still have git history to look at.

And if, in the future, someone decides to add more checks to
tls_sw_push_pending_record() for whatever reason, commenting it this
way will make it clearer that tls_sw_splice_eof() could potentially
require the same checks.
