It is hard to come up with a universal solution.  The user has to decide for
themselves.  If their site is a high-liability site and anything suspicious
occurs, they should shut down.  This prevents any further possible exploit.  If
their liability is not very high and availability is important, they may
decide to stay up even.....


-----Original Message-----
From: Ralf S. Engelschall <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Cc: Apache-SSL ML <[EMAIL PROTECTED]>
Date: Saturday, October 31, 1998 12:22 PM
Subject: Re: [apache-ssl] Assertions considered bad!? (was: Re: [apache-ssl]
Invalid method in request)


>On Sat, Oct 31, 1998, Ben Laurie wrote:
>
>> > > >[...]
>> > > > | nRead=saferead(nFD,&usLength,sizeof usLength);
>> > > > | assert(nRead == sizeof usLength);
>> > > >
>> > > > Here the assert makes sure that really the requested number of bytes are read.
>> > > > But when an I/O error or some other communication problem occurs the actual
>> > > > number of read bytes can be different. Then the gcache process falls down.
>> > > > And I've seen exactly gcache exits with this assertion on my boxes (Solaris
>> > > > 2.6) while I was mostly sure that no personal attacker was involved. Instead
>> > > > I really assume it was just some I/O communication error...
>> > >
>> > > This is exactly where it failed when gcache was crashing because of a
>> > > bug. Could it be that you assumed there was a network error instead?
>> > > Since gcache was fixed I have had no reports of this assertion failing.
>> >
>> > May be, I've the error messages no longer available.
>>
>> I assume you log something when it happens. Do you see the log message?
>
>It was in the error_log, yes. But a quick grep over my error log archive of
>www.engelschall.com currently results in nothing. Either it was not this
>particular box or I've to search in even older error logs. I'll search for
>the entry in more depth the next days, Ben.
>
>>[...]
>> > But always do good prevention is another good maxim, too ;-)
>>
>> I do. That's why I back my assumption up with an assertion. The
>> assertion is not intended to catch a condition I believe will ever occur
>> in normal operation. It is a symptom that something is wrong. Isn't this
>> where we came in?
>
>Yes, and the only problem is that although we both are the opinion that
>something is wrong under those situations we still differ in the opinion which
>action should be done. I'm still convinced that it's not really reasonable to
>use assertions (which do the exit of the process). But as we discovered by our
>discussion now there is no generally correct way. So your assertion-based
>approach can be acceptable although it makes life of the users nasty.
>Nevertheless I _personally_ prefer non-assertion based error checking where
>error codes are passed up to the callers and where the processes don't die.
>
>And I would appreciate when Apache-SSL's gcache would use the same approach.
>That's why we discussed this topic.
>
>                                       Ralf S. Engelschall
>                                       [EMAIL PROTECTED]
>                                       www.engelschall.com
>______________________________________________________________________
>Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
>Official Support Mailing List               [EMAIL PROTECTED]
>Automated List Manager                       [EMAIL PROTECTED]
>

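The two error-handling styles the thread argues over, as an added example that is not part of the thread or of Apache-SSL's own gcache code: the quoted `assert(nRead == sizeof usLength)` next to a version that hands an error code back to the caller, so a short read drops one connection instead of the whole process. `read_full` (standing in for `saferead`), `read_length_checked` and the pipe-based `read_length_from_bytes` harness are assumed names, and the two byte arrays are constructed sample input.

```c
#include <assert.h>
#include <errno.h>
#include <unistd.h>

/* Constructed input: a complete 2-byte length prefix (257 in either byte order) and a truncated one. */
const unsigned char kFullPrefix[2] = {0x01, 0x01};
const unsigned char kShortPrefix[1] = {0x01};   /* stands in for an I/O error or early close */

/* Read exactly `want` bytes, retrying short reads and EINTR; fewer than `want` means EOF or error. */
static size_t read_full(int fd, void *buf, size_t want)
{
    size_t done = 0;
    while (done < want) {
        ssize_t n = read(fd, (char *)buf + done, want - done);
        if (n > 0) done += (size_t)n;
        else if (n == 0 || errno != EINTR) break;   /* EOF or a real I/O error */
    }
    return done;
}

/* Assertion style, as in the quoted gcache snippet: a short read aborts the whole process. */
unsigned short read_length_assert(int fd)
{
    unsigned short usLength;
    size_t nRead = read_full(fd, &usLength, sizeof usLength);
    assert(nRead == sizeof usLength);
    return usLength;
}

/* Error-code style: the failure goes back to the caller, who can log it and
   drop just this connection while the process keeps serving. */
int read_length_checked(int fd, unsigned short *out)
{
    unsigned short usLength;
    if (read_full(fd, &usLength, sizeof usLength) != sizeof usLength)
        return -1;                  /* EOF, I/O error or truncated message */
    *out = usLength;
    return 0;
}

/* Hypothetical harness: sample bytes -> pipe -> parsed length; -1 on a short read, -2 on setup failure. */
long read_length_from_bytes(const unsigned char *bytes, size_t n)
{
    int fds[2]; unsigned short len;
    if (pipe(fds) != 0 || write(fds[1], bytes, n) != (ssize_t)n) return -2;
    close(fds[1]);
    long rc = read_length_checked(fds[0], &len) == 0 ? (long)len : -1;
    close(fds[0]);
    return rc;
}
```

With the checked variant the caller decides per connection what the top of this thread leaves to the site operator: log and close, or abort the service.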