curl-library
Re: Regarding CVE-2016-9594 (uninitialized random)
Date: Sat, 18 Feb 2017 09:41:09 +0100
On 17/02/2017 20:28, Rich Gray wrote:
>>
>> I do not understand what you mean by BREAK-CAST. Assuming I am not the
>> only one who does not understand it, putting it to the advisory would
>> hardly help.
>
> Yay! I'm not the only one! :)
>
> Rich

No, you are not alone - after reading through this I am now wondering if
it is related to type casting and the compiler warnings I see when
macros are implying a type change from:

    int *x;
    char *y;
    unsigned int *z();

And then code such as:

    x = y;

or

    *x = *y;

This comment - elsewhere in the discussions - woke me up:
> cast of (char *) to (unsigned char *)?
I see warnings - frequently - from the IBM xlc compiler, but they seem
to be missed or ignored by gcc (default flags).
In that same note: (author Andreas Mohr) says:
> My point was that *every* cast is a breaking operation,
> thus it should be precisely (and strongly) called out for the thing that it is: BREAK-CAST.
He also mentions unions as one way to deal with it (that was used to deal with it?), and new to me - flags to get gcc to report on it (at least now I think it is the gcc default to not report it).
Anyway, I think I understand what is meant by "BREAK-CAST" - but it would be better if someone who really knows what it means (and I need to go check wiki/google) - give a small example and how it helps and how it leads to horrible things.
The most important things I read (between the lines) from the curl team are: humility and due-diligence (just a bit of bad luck that they caught it two hours after rather than two hours before release).
In closing - thanks curl for a great project|program that we love and depend on!
Michael
Received on 2017-02-18
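
An added illustration of the kind of cast the message above asks about: how an explicit pointer cast silences the compiler and leaves a value unfilled. It is not part of the original message, not curl's code and not a reconstruction of CVE-2016-9594; fill_bytes, filled, with_cast and without_cast are hypothetical names, and a fixed byte pattern stands in for random data.

```c
#include <stdio.h>
#include <string.h>

#define MARK 0xAB  /* constructed fill pattern standing in for random bytes */

/* Hypothetical helper: fills len bytes at dst. */
static void fill_bytes(unsigned char *dst, size_t len)
{
  memset(dst, MARK, len);
}

/* Number of bytes of *value that carry the fill pattern. */
static size_t filled(const unsigned int *value)
{
  unsigned char b[sizeof(*value)];
  size_t i, n = 0;
  memcpy(b, value, sizeof(b));
  for(i = 0; i < sizeof(b); i++)
    n += (b[i] == MARK);
  return n;
}

/* &out has type unsigned int **. Without the cast the call is a constraint
   violation the compiler must diagnose; with it the call compiles silently
   and the bytes land in the pointer variable, so value is never filled. */
static size_t with_cast(void)
{
  unsigned int value = 0;
  unsigned int *out = &value;
  fill_bytes((unsigned char *)&out, sizeof(value));
  return filled(&value);
}

/* No cast: fill a byte buffer of the right type, then copy it over. Passing
   the wrong pointer here would be reported by the compiler. */
static size_t without_cast(void)
{
  unsigned int value = 0;
  unsigned char tmp[sizeof(value)];
  fill_bytes(tmp, sizeof(tmp));
  memcpy(&value, tmp, sizeof(value));
  return filled(&value);
}

int main(void)
{
  printf("with cast: %zu filled, without: %zu\n", with_cast(), without_cast());
  return 0;
}
```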