curl-library

Re: Regarding CVE-2016-9594 (uninitialized random)

From: Michael Felt <michael_at_felt.demon.nl>
Date: Sat, 18 Feb 2017 09:41:09 +0100

On 17/02/2017 20:28, Rich Gray wrote:
>>
>> I do not understand what you mean by BREAK-CAST. Assuming I am not the
>> only one who does not understand it, putting it to the advisory would
>> hardly help.
>
> Yay! I'm not the only one! :)
>
> Rich

No you are not alone - after reading through this I am now wondering if
it is related to type casting and the compiler warnings I see when
macros are implying a type change from:

    int *x;
    char *y;
    unsigned int *z();

And then code such as:

    x = y;

or

    *x = *y;

This comment - elsewhere in the discussions - woke me up:

> cast of (char *) to (unsigned char *)?

I see warnings - frequently - from the IBM xlc compiler, but they seem
to be missed or ignored by gcc (default flags).

In that same note: (author Andreas Mohr) says:

> My point was that *every* cast is a breaking operation,
> thus it should be precisely (and strongly) called out for the thing that it is: BREAK-CAST.

He also mentions unions as one way to deal with it (that was used to deal with it?), and new to me - flags to get gcc to report on it (at least now I think it is the gcc default to not report it).

Anyway, I think I understand what is meant by "BREAK-CAST" - but it would be better if someone who really knows what it means (and I need to go check wiki/google) - give a small example and how it helps and how it leads to horrible things.

The most important things I read (between the lines) from the curl team are: humility and due-diligence (just a bit of bad luck that they caught it two hours after rather than two hours before release).

In closing - thanks curl for a great project|program that we love and depend on!

Michael
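
An added illustration of the conversions discussed in this message; it is not code from the mail, from the thread, or from curl, and the function names and sample bytes are constructed for the example. It separates the value copy `*x = *y` from the pointer conversion `x = y`, and shows `memcpy` and a union as ways to reinterpret bytes without a pointer cast.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: -23 has the same bit pattern as 0xE9; the rest is 0. */
static const signed char sample[sizeof(int)] = { -23 };

/* "*x = *y" converts a value, not a pointer. It compiles without any
 * diagnostic and sign-extends the byte into the int. */
int copy_value(const signed char *y)
{
    int v = 0;
    int *x = &v;
    *x = *y;
    return v;
}

/* The (char *) to (unsigned char *) style cast: same byte, read unsigned.
 * Character types may alias any object, so this read is well defined. */
int copy_value_unsigned(const signed char *y)
{
    return *(const unsigned char *)y;
}

/* "x = y" between int * and char * violates an assignment constraint.
 * "x = (int *)y" silences the diagnostic, but reading *x may then be
 * misaligned and breaks the aliasing rules. memcpy moves the same bytes
 * with defined behaviour. */
int load_int_memcpy(const signed char *y)
{
    int v;
    memcpy(&v, y, sizeof v);
    return v;
}

/* The union alternative mentioned in the thread. */
int load_int_union(const signed char *y)
{
    union { signed char bytes[sizeof(int)]; int value; } u;
    memcpy(u.bytes, y, sizeof u.bytes);
    return u.value;
}

int main(void)
{
    printf("%d %d\n", copy_value(sample), copy_value_unsigned(sample));
    printf("%d\n", load_int_memcpy(sample) == load_int_union(sample));
    return 0;
}
```

gcc reports `char *` versus `unsigned char *` mismatches under `-Wpointer-sign`, which `-Wall` and `-Wpedantic` enable.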

Received on 2017-02-18