[Cryptography] bounded pointers in C
Bill Stewart
billstewart at pobox.com
Sun Apr 20 01:33:51 EDT 2014
At 12:58 AM 4/19/2014, Dave Horsfall wrote:
>On Fri, 18 Apr 2014, Bill Stewart wrote:
>
> > I'm skeptical - one of the attractions of C is being able to write
> > constructs like
> > while (*output++ = *input++) ;
>
>If you were working for me and wrote code like that, you would receive
>your first (and only) warning. Spell it out, and make it clear; this is
>crypto-programming, after all, not kiddie-programming.
I wouldn't be writing crypto-code like that,
at least not without explicitly setting everything up properly and
putting sentinels in the right places
just before running a construct like that,
with comments explaining what it was doing.
But C does invite you to write that kind of code,
promising that (at least if you run it on a PDP-11-like architecture)
it'll really do what you told it to do in the most directly obvious way.
It's your foot, and the compiler isn't going to jog your elbow when
you shoot it.
If you run lint, it'll print out "Warning: Dude, that's your foot!"
on some code, but it'll still compile.
Sometimes there's enough information that a compiler could add bounds-checking,
and on some architectures there's probably even an instruction like
if (++pointer == bound) branch
that doesn't cost you much more time than just pointer++,
but normally if you want bounds checking you have to ask for it
and somebody's going to decide that
while (output<bound) { *output++ = *input++; }
is too expensive or just not think about it or want to write a
strcpy() routine.
More information about the cryptography
mailing list