On Tue, 28 Jul 2015, Lennart Sorensen wrote:
I personally hate asserts. They are a crappy way to deal with errors. Do something sane if an error happens, don't just explode.
They are indeed, for errors that can happen. They can be a security issue if in the path of network input handling (DoS).
For "caller is completely broken and confused about the API", it'd be better to have contracts that at least flag the issue earlier rather than
In lib/stream, they're usually turning a much worse security issue into a DoS, which surely is good. ;)
It would be nice to do better than that: to add another interface that returned an error and set the stream to an idempotent error state. This would make error handling in upper-level parsers simpler and easier to make robust. However, till then a DoS is still better than remote code execution.
The biggest issue perhaps is we have network parsing code /not/ availing of the protection of lib/stream, and sometimes even new code.
regards,
-- 
Paul Jakma [email protected] @pjakma Key ID: 64A2FF6A
Fortune: Catastrophic failure of the IDE cable???. What are you doing to the poor thing, jumping on it? - Beau Kuiper on linux-kernel
_______________________________________________
Quagga-dev mailing list
[email protected]
https://lists.quagga.net/mailman/listinfo/quagga-dev
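The stream interface sketched in the message above (reads that return an error and put the stream into a sticky, idempotent error state, so a parser can issue all its reads and check once at the end instead of aborting on an assert) as an added, self-contained example in C. This is illustration written for this thread, not Quagga's lib/stream; the hstream_* names, the message layout and the sample packets are all constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical bounded-read stream. Instead of assert()ing when a read
 * would run past the end of the buffer, it sets a sticky error flag and
 * returns 0. Once set, every later read is a no-op that also returns 0,
 * so the parser's position never advances past the data it actually has. */
struct hstream {
    const uint8_t *data;
    size_t size;
    size_t getp;    /* read position, always <= size */
    int error;      /* sticky error state */
};

static void hstream_init(struct hstream *s, const uint8_t *data, size_t size)
{
    s->data = data;
    s->size = size;
    s->getp = 0;
    s->error = 0;
}

static int hstream_ok(const struct hstream *s) { return !s->error; }

/* Reserve n bytes; on shortfall set the sticky error and refuse the read. */
static int hstream_need(struct hstream *s, size_t n)
{
    if (s->error)
        return 0;
    if (n > s->size - s->getp) {   /* no underflow: getp <= size */
        s->error = 1;
        return 0;
    }
    return 1;
}

static uint8_t hstream_getc(struct hstream *s)
{
    if (!hstream_need(s, 1))
        return 0;
    return s->data[s->getp++];
}

static uint16_t hstream_getw(struct hstream *s)   /* big-endian 16-bit */
{
    if (!hstream_need(s, 2))
        return 0;
    uint16_t v = (uint16_t)((s->data[s->getp] << 8) | s->data[s->getp + 1]);
    s->getp += 2;
    return v;
}

static uint32_t hstream_getl(struct hstream *s)   /* big-endian 32-bit */
{
    if (!hstream_need(s, 4))
        return 0;
    uint32_t v = ((uint32_t)s->data[s->getp] << 24) | ((uint32_t)s->data[s->getp + 1] << 16)
               | ((uint32_t)s->data[s->getp + 2] << 8) | (uint32_t)s->data[s->getp + 3];
    s->getp += 4;
    return v;
}

static int hstream_get(struct hstream *s, void *dst, size_t n)
{
    if (!hstream_need(s, n))
        return 0;
    memcpy(dst, s->data + s->getp, n);
    s->getp += n;
    return 1;
}

/* Constructed message format: 16-bit type, 16-bit payload length,
 * 32-bit id, then <length> bytes of payload. */
struct msg {
    uint16_t type;
    uint16_t plen;
    uint32_t id;
    uint8_t payload[64];
};

/* Returns 0 on success, -1 on malformed or truncated input. The reads are
 * issued unconditionally; the stream's error state is checked once at the end. */
static int parse_msg(const uint8_t *buf, size_t len, struct msg *m)
{
    struct hstream s;
    hstream_init(&s, buf, len);
    m->type = hstream_getw(&s);
    m->plen = hstream_getw(&s);
    m->id   = hstream_getl(&s);
    if (m->plen > sizeof m->payload)      /* bound on our own buffer, independent of stream state */
        return -1;
    hstream_get(&s, m->payload, m->plen);
    return hstream_ok(&s) ? 0 : -1;
}

/* Constructed sample packets: one well-formed, one whose length field claims
 * more payload than is present, one cut off inside the header. */
static const uint8_t good_pkt[]  = { 0x00, 0x01, 0x00, 0x03, 0xde, 0xad, 0xbe, 0xef, 'a', 'b', 'c' };
static const uint8_t trunc_pkt[] = { 0x00, 0x01, 0x00, 0x10, 0xde, 0xad, 0xbe, 0xef, 'a', 'b', 'c' };
static const uint8_t short_hdr[] = { 0x00, 0x01, 0x00 };

int main(void)
{
    struct msg m;
    printf("good:  %d\n", parse_msg(good_pkt, sizeof good_pkt, &m));
    printf("trunc: %d\n", parse_msg(trunc_pkt, sizeof trunc_pkt, &m));
    printf("short: %d\n", parse_msg(short_hdr, sizeof short_hdr, &m));
    return 0;
}
```

The point of the sticky flag is that the parser does not need a check after every field: a truncated packet yields zeros for the remaining fields, the position stays put, and the single hstream_ok() at the end rejects the message, with no abort on attacker-controlled input.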
