OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Chad Perrin
code at apotheon.net
Thu Apr 24 17:49:23 UTC 2014
On Thu, Apr 24, 2014 at 01:59:10PM +0200, Erik Cederstrand wrote:
> Den 24/04/2014 kl. 13.07 skrev Ronald F. Guilmette <rfg at tristatelogic.com>:
> >
> > Sir, does not the following trivial and obvious single line modification
> > to the above code eliminate the warning? And does it not do so *without*
> > the need for ``considerable effort''?
> >
> > int x = -1;
> >
> > I thank you for providing me with the example above, and thus also this
> > opportunity to so perfectly illustrate my fundamental point.
>
> The example I gave is of course trivial to rewrite. It was the
> shortest possible example I could think of to illustrate the
> situation. It was condensed from a really convoluted if-else case
> which was not incorrect but quite difficult to untangle. And yes, it's
> laudable to rewrite it for the sake of readability, but it doesn't fix
> any security issues.
I'm generally of the opinion that, all else being equal, making your
code readable is a way to find bugs you did not know existed. Even more
amazingly, making your code readable fixes bugs that have not yet been
written.
--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
More information about the freebsd-security
mailing list