On Mon, Mar 07, 2016 at 04:30:29PM +0000, Richard Russon wrote:
> This "feature" is a small collection of bug fixes.
> Some are from Karel Zak's Notmuch repository; the others are mine.

Are the changes implemented in the patches documented anywhere?  I'm
interested to know more about some of these, as they sound potentially
unsafe or otherwise problematic.  For instance:

[...]
>  * Use unlocked libc IO everywhere.

How do you ensure data integrity of, say, an mbox mailstore if you're
not locking?

>  * Remove TLS version notification

Is this a violation of the license?

>  * Bye srandom() and random()

Why?  Does Mutt use them in a way that is particularly sensitive to
very long repeating sequences?  What do you do instead?

[...]

>  * add strndup.c strnlen.c

Why?  The standard "n" functions are almost always misused, and
usually introduce more problems than they solve, and should generally
be avoided.  Though, if you really need them, the C standard has
provided these two since 2008, and GLIBC, and I'd imagine BSD libc,
for probably considerably longer (though I'm too lazy to actually
look).  If your system is running an OS that's older than that, you
should probably set it on fire. =8^)

Why should they be avoided?  Here:

#include <string.h>

char fu[] = { 'a', 'b', 'c' };   /* three bytes, no terminating NUL */
char *inp = "somerville";
char buf[11];
/* ... */
if (strncmp("somestuff", fu, 9) == 0) { /* b0rk: overrun unterminated string! */ }
if (strncmp("somestuff", inp, 3) == 0) { /* b0rk: unintended match! */ }
if (strncpy(buf, inp, 11)) { /* b0rk: buf is NOT null-terminated! */ }
if (strncpy(buf, inp, 10)) { /* b0rk: buf is STILL NOT null-terminated, AND silently truncated */ }
if (strncpy(buf, inp, 3)) { /* b0rk: getting the picture? :) */ }

If you're trying to use these functions to guard against buffer
overruns/unterminated strings, most probably You're Doing It Wrong.™
And you're providing a false sense of security in the process.

These cases are particularly bad because when they happen, the program
appears to work fine but produces wrong behavior *sometimes*, making
it hard to track down.  Using strcpy() instead of strncpy() or
strcmp() instead of strncmp() will just crash if the input hasn't been
properly sanitized, which will tell you EXACTLY what's wrong.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.

Attachment: pgpn1GgH6LKTY.pgp
Description: PGP signature
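The two pitfalls the post lists (strncpy() leaving buf unterminated, strncmp() with a short n acting as a prefix test rather than an equality test) are easy to reproduce, and so is the repair. The following is an added example written for this page; it is not code from the post above or from Mutt. The helpers copy_bounded() and copy_or_reject() are hypothetical names introduced here: copy_bounded() follows the BSD strlcpy() contract (always terminate, return strlen(src) so the caller can detect truncation), and copy_or_reject() builds on it to fail closed instead of truncating silently. The inputs "somerville" and "somestuff" are the constructed strings from the post.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Poison a buffer, strncpy() at most n bytes of src into it, and report
 * whether a NUL landed anywhere in the first n bytes.  This is the
 * "buf is NOT null-terminated" case: strncpy() only writes a NUL when
 * strlen(src) < n. */
int strncpy_terminated(const char *src, size_t n)
{
    char buf[32];
    if (n > sizeof buf)
        n = sizeof buf;
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, n);
    return memchr(buf, '\0', n) != NULL;
}

/* The usual repair for plain strncpy(): copy at most dstsz-1 bytes and
 * store the terminator yourself.  Truncation is still silent, though. */
void strncpy_and_terminate(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
}

/* Hypothetical helper (not Mutt's): copy with guaranteed termination and
 * a truncation signal, the same contract as BSD strlcpy().  Returns
 * strlen(src); a result >= dstsz means the copy was cut short. */
size_t copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t srclen = strlen(src);
    size_t n;
    if (dstsz == 0)
        return srclen;
    n = srclen < dstsz - 1 ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Hypothetical helper (not Mutt's): fail closed.  Refuse a copy that
 * would not fit instead of truncating.  Returns 0 on success, -1 (with
 * dst cleared to "") if src is too long for dst. */
int copy_or_reject(char *dst, size_t dstsz, const char *src)
{
    if (copy_bounded(dst, dstsz, src) >= dstsz) {
        if (dstsz)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* The "unintended match" case: strncmp() with a short n compares only a
 * prefix, so two different strings compare equal. */
int prefix_equal(const char *a, const char *b, size_t n)
{
    return strncmp(a, b, n) == 0;
}

int exactly_equal(const char *a, const char *b)
{
    return strcmp(a, b) == 0;
}

int main(void)
{
    char buf[8];   /* deliberately too small for "somerville" */

    printf("strncpy(\"somerville\", 10) terminated: %d\n",
           strncpy_terminated("somerville", 10));
    printf("strncpy(\"somerville\", 11) terminated: %d\n",
           strncpy_terminated("somerville", 11));

    strncpy_and_terminate(buf, sizeof buf, "somerville");
    printf("strncpy_and_terminate: \"%s\" (silently truncated)\n", buf);

    printf("copy_or_reject: %d\n", copy_or_reject(buf, sizeof buf, "somerville"));

    printf("prefix_equal(\"somestuff\", \"somerville\", 4) = %d, exactly_equal = %d\n",
           prefix_equal("somestuff", "somerville", 4),
           exactly_equal("somestuff", "somerville"));
    return 0;
}
```

The point of copy_or_reject() is the one the post makes about false security: a copy that "succeeds" by dropping the tail of an untrusted string is a correctness bug that surfaces somewhere else later, so a caller that cannot tolerate truncation should be told about it at the copy, not left to discover it.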