Subject: Re: CVS commit: src/libexec/comsat
To: Jarle Greipsland <email@example.com>
From: Valeriy E. Ushakov <firstname.lastname@example.org>
Date: 09/21/2003 16:34:02
On Sun, Sep 21, 2003 at 12:56:51 +0200, Jarle Greipsland wrote:
> > Wouldn't it be sufficient to just add a comment saying that this behavior
> > is ok because we exit if there's a failure?
> What if an application had registered one or more functions with
> atexit(3)? Granted, the comsat application does not, and it is
> fairly small and can be understood fairly easily. However, for
> bigger applications, this might not be the case, and some
> programmer might decide to introduce the clearing of memory on
> exit using an atexit-function, without performing an audit of the
> code pattern for all instances of realloc() in the application.
Let me once again note that, *unlike* the ssh buffer.c bug, in this
case if realloc fails the buf variable will be NULL. You cannot do a
lot of clean up on the NULL pointer.
Also, if the data in the buffer is so sensitive in the first place,
then if a successful realloc has to free the old copy, the old copy
is no longer accessible for the program to clean up. So it's not
enough to zero-out all your buffers accessible via live pointers,
email@example.com | Zu Grunde kommen
http://www.ptc.spbu.ru/~uwe/ | Ist zu Grunde gehen
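An added example (not comsat's or NetBSD's code) contrasting the `buf = realloc(buf, n)` pattern the thread discusses with a grow routine that copies, scrubs and frees the old block itself, so the caller keeps its pointer on failure and the old copy never outlives its contents; `scrub()` is a hypothetical stand-in for explicit_bzero(3), and the secret is constructed sample input.

```c
#include <stdlib.h>
#include <string.h>

/* Pattern discussed in the thread: on failure buf becomes NULL and the old
 * block is unreachable, so neither the caller nor an atexit(3) handler can
 * clear it. Kept here only to show the shape of the problem. */
static char *grow_lossy(char *buf, size_t newlen)
{
    buf = realloc(buf, newlen);
    return buf;                 /* NULL on failure; old buffer is lost */
}

/* Zero memory with volatile stores so the compiler cannot drop the loop.
 * Hypothetical helper; explicit_bzero(3) serves the same purpose. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Growth for sensitive data: allocate fresh, copy, scrub and free the old
 * block ourselves. On failure the caller still owns buf and can scrub it
 * before exiting. Handles growth only; returns NULL otherwise. */
static char *grow_scrubbed(char *buf, size_t oldlen, size_t newlen)
{
    char *nbuf;
    if (buf == NULL || newlen < oldlen)
        return NULL;
    nbuf = malloc(newlen);
    if (nbuf == NULL)
        return NULL;            /* buf is untouched and still reachable */
    memcpy(nbuf, buf, oldlen);
    scrub(buf, oldlen);         /* old copy cleared before it is freed */
    free(buf);
    return nbuf;
}

/* Self-check on a constructed secret: the copy must survive the grow and
 * scrub() must really zero. Returns 1 on success, 0 otherwise. */
static int check_grow(void)
{
    const char secret[] = "constructed-secret";    /* sample input */
    size_t len = sizeof secret;
    unsigned char probe[8];
    char *buf = malloc(len), *nbuf;
    int ok;
    if (buf == NULL)
        return 0;
    memcpy(buf, secret, len);
    nbuf = grow_scrubbed(buf, len, 4 * len);
    if (nbuf == NULL) {
        scrub(buf, len);        /* failure path: caller can still clean up */
        free(buf);
        return 0;
    }
    ok = memcmp(nbuf, secret, len) == 0;
    memset(probe, 0xAA, sizeof probe);
    scrub(probe, sizeof probe);
    ok = ok && probe[0] == 0 && probe[sizeof probe - 1] == 0;
    free(nbuf);
    return ok;
}
```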