curl-library

Re: Regarding CVE-2016-9594 (uninitialized random)

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 17 Feb 2017 23:53:48 +0100 (CET)

On Fri, 17 Feb 2017, Andreas Mohr wrote:

> Any cast in code transitions introduces persisting weaknesses - these
> weaknesses aren't relevant during development only

Sure, every typecast in the code is a sort of compromise and I too would like
to see the amount of those to be as few as possible. I'll welcome patches and
pull requests that reduce the amount.

Just blindly sprinkling unions is however not automatically better (== easily
understood and debugged) or more foolproof code. Avoiding typecasts can at
times be worse than the typecasts themselves. It needs to be done properly.

When I casually look back to past security issues and even regular bugs, I
don't think our use of typecasts is a very frequent source of bugs. Or maybe
I'm just blind to them.

-- 
  / daniel.haxx.se
Received on 2017-02-17