
curl-library

Re: Regarding CVE-2016-9594 (uninitialized random)

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 18 Feb 2017 11:14:08 +0100 (CET)

On Sat, 18 Feb 2017, Michael Felt wrote:

> I see warnings - frequently - from the IBM xlc compiler, but they seem to be
> missed or ignored by gcc (default flags).

We need to keep building curl with a set of different compilers on different
hardware and different operating systems to make sure we keep the warnings to
a minimum. That's one of the purposes of the autobuilds:
https://curl.haxx.se/dev/builds.html

I personally build with as picky compiler warnings as possible in my every day
development as a way to at least address the most obvious problems early on.
And I browse the autobuilds every now and then to see what I can do to fix
more warnings.

> Anyway, I think I understand what is meant by "BREAK-CAST" - but it would be
> better if someone who really knows what it means (and I need to go check
> wiki/google) - give a small example and how it helps and how it leads to
> horrible things.

I don't know about the specific term "BREAK-CAST", I was more focusing on
typecasts in general as they are somewhat bad practice and should be kept to a
minimum. We get better type checks by the compilers and frankly better code by
avoiding typecasts.

But saying that and knowing that is one thing. Actually upholding those
principles in the code is harder. I do my very best. The typecasts we have
today were all added for reasons.

If anyone can fix up pieces of code to use fewer typecasts than they do now
without sacrificing readability, please do and send us the patch! And please
join us and review pull requests and commits and point out every suspicious
piece of code you see!

Related to this, you can also join curl on the Coverity scan project at
https://scan.coverity.com/projects/curl and see the static code analyses done
by them on the curl code. I try to get a scan done about weekly.

We also run clang-analyzer scans on the code daily, and if there are issues
detected they appear here: https://curl.haxx.se/scans/ (it hasn't detected any
problems in a while).

Finally, we need to keep adding test cases so that as much functionality as
possible is automatically tested, as then we notice more easily when we
break things. Adding tests is hard but noble work that never gets done. We
can *really* use more hands in that work (and Dan Fandrich is going to tell us
all about how to do this at curl://up in Nuremberg in a month!).

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2017-02-18
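The point above about typecasts defeating the compiler's type checks, as an added example that is not curl's code and not part of the mail: a length arrives as an `int` from a recv()-style producer that returns -1 on error, and the buffer, capacity `BUF_CAP`, `struct rxbuf` and the function names are all hypothetical. The first check casts the `int` to `size_t` to keep -Wsign-conversion quiet; the second rejects the negative value first and subtracts from the capacity so nothing can wrap.

```c
/* Added example (not curl code): a typecast that merely silences a warning
 * can hide a real bug; the cast-free check beside it does not.
 * Build with warnings on, e.g.: cc -Wall -Wextra -Wconversion -Wsign-conversion
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 64   /* hypothetical receive-buffer capacity */

struct rxbuf {
    char data[BUF_CAP];
    size_t used;     /* bytes already stored */
};

/* `got` is an int because it mirrors a recv()-style producer that returns
 * -1 on error. Casting it to size_t makes -Wsign-conversion go quiet, but
 * (size_t)-1 == SIZE_MAX, so `used + (size_t)got` wraps around to
 * `used - 1`, which is below BUF_CAP: the bounds check passes on an error
 * value, and a memcpy guarded by it would be asked for SIZE_MAX bytes. */
bool fits_cast(size_t used, int got)
{
    return used + (size_t)got <= BUF_CAP;   /* wraps when got < 0 */
}

/* Same check without leaning on the cast: reject the error return first,
 * then subtract from the capacity rather than adding to the fill level,
 * so the arithmetic cannot wrap. Writing `size_t n = got;` with no cast is
 * what lets -Wsign-conversion point at the risky conversion; the one cast
 * kept here sits after `got < 0` has been ruled out, so it is
 * value-preserving. */
bool fits_checked(size_t used, int got)
{
    if (got < 0 || used > BUF_CAP)
        return false;
    return (size_t)got <= BUF_CAP - used;
}

/* Append using the checked variant; returns false and leaves the buffer
 * untouched when the data does not fit or `got` signals an error. */
bool rx_append(struct rxbuf *b, const char *src, int got)
{
    if (!fits_checked(b->used, got))
        return false;
    memcpy(b->data + b->used, src, (size_t)got);
    b->used += (size_t)got;
    return true;
}

int main(void)
{
    struct rxbuf b = { {0}, 0 };
    const char *chunk = "hello";   /* constructed sample input */

    printf("cast check accepts got=-1 at used=10: %s\n",
           fits_cast(10, -1) ? "yes (bug)" : "no");
    printf("checked variant accepts got=-1 at used=10: %s\n",
           fits_checked(10, -1) ? "yes" : "no (refused)");

    printf("append 5 bytes: %s, used=%zu\n",
           rx_append(&b, chunk, 5) ? "ok" : "refused", b.used);
    printf("append got=-1: %s, used=%zu\n",
           rx_append(&b, chunk, -1) ? "ok" : "refused", b.used);
    return 0;
}
```

Compile the block with -Wsign-conversion, then delete the cast in `fits_cast` and rebuild: the warning that appears on the uncast line is exactly the check the cast was suppressing.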