Subject: Re: FreSSH
To: Todd Vierling <tv@wasabisystems.com>
From: Nathan J. Williams <nathanw@MIT.EDU>
List: current-users
Date: 03/08/2002 01:35:08
Todd Vierling <tv@wasabisystems.com> writes:

> On 8 Mar 2002, Nathan J. Williams wrote:
> 
> : I'm always stunned that people can write what they consider to be
> : security-important code in a language with as many safety pitfalls as
> : C. While [Open]SSH has had a handful of logic vulnerabilities, there
> : have also been quite a few bounds-check vulnerabilities of the kind
> : that language designers have known how to avoid for nearly thirty
> : years.
> 
> Bounds checking of any kind comes with a price, whether compile-time (in the
> form of less code flexibility, such that you can't do the low level things
> that C allows), or run-time (in the form of extra compiled code to do the
> bounds checking).

Yes, bounds checking comes with a price. However:

1) We have thirty years of compiler technology that can optimize out a
   large fraction of expensive bounds checks.

2) Isn't it worth paying a price for safety? That is the point of this
   thread, to me; SSH is an application that should be optimized for
   safety over speed.

3) The low-level things that C allows and that bounds-checking
   prohibits are almost always bad ideas, unless - and often not even
   then - you're pounding the metal in the low levels of the
   kernel. SSH is not doing that.

        - Nathan
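An added example, not code from this thread or from any SSH implementation: a C reader for length-prefixed "string" fields of the kind SSH packets carry (a big-endian uint32 length followed by that many bytes), written with the explicit bounds checks whose cost the thread is weighing. The reader struct and the packet bytes are constructed for the illustration.

```c
/* Added example: bounds-checked parsing of length-prefixed fields.
 * Every read is checked against the bytes actually remaining, so a
 * header that claims more data than exists is rejected instead of
 * being trusted. The sample packet below is constructed. */
#include <stdint.h>
#include <stddef.h>

struct reader { const uint8_t *p; size_t len; size_t off; };  /* off <= len always */

/* Read a big-endian uint32; return 0 if fewer than 4 bytes remain. */
static int read_u32(struct reader *r, uint32_t *out) {
    if (r->len - r->off < 4) return 0;
    const uint8_t *b = r->p + r->off;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
    r->off += 4;
    return 1;
}

/* Read one length-prefixed string. The declared length is compared with
 * the remaining input before the pointer is advanced; this comparison is
 * the "price" that stops a bad header from walking past the buffer. */
static int read_string(struct reader *r, const uint8_t **data, size_t *n) {
    uint32_t declared;
    if (!read_u32(r, &declared)) return 0;
    if (declared > r->len - r->off) return 0;   /* the bounds check */
    *data = r->p + r->off;
    *n = declared;
    r->off += declared;
    return 1;
}

/* Count strings that parse cleanly before the first rejected field. */
int count_valid_strings(const uint8_t *buf, size_t len) {
    struct reader r = { buf, len, 0 };
    const uint8_t *d; size_t n; int count = 0;
    while (r.off < r.len && read_string(&r, &d, &n)) count++;
    return count;
}

/* Constructed sample: one well-formed string ("ssh-rsa"), then a header
 * claiming 1000 bytes with only 2 actually present. */
static const uint8_t sample[] = {
    0, 0, 0, 7, 's', 's', 'h', '-', 'r', 's', 'a',
    0, 0, 3, 0xE8, 'x', 'y'
};
const size_t sample_len = sizeof sample;
```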