[Cryptography] bounded pointers in C
Benjamin Kreuter
brk7bx at virginia.edu
Sun Apr 20 20:07:21 EDT 2014
On Sat, 2014-04-19 at 17:58 +1000, Dave Horsfall wrote:
> On Fri, 18 Apr 2014, Bill Stewart wrote:
>
> > I'm skeptical - one of the attractions of C is being able to write
> > constructs like
> > while (*output++ = *input++) ;
>
> If you were working for me and wrote code like that, you would receive
> your first (and only) warning. Spell it out, and make it clear; this is
> crypto-programming, after all, not kiddie-programming.
Yeah but even spelled out, there is the potential for disastrous
behaviors in C++. Here is an obvious problem that can easily become
non-obvious:
unique_ptr<Foo> bar(new Foo);
unique_ptr<Foo> baz(bar.get());
That kind of bug could be introduced across several modules in multiple
patches, and could easily escape even diligent reviewers. Sure a tool
like Valgrind might pick it up -- or it might not, depending on what
code paths are executed.
The problem here is not sloppy coding. The problem is that pointers in
C, and by extension in C++, allow you to break any abstraction. It is
not just about array boundaries; stack frames, private class members,
control structures, etc. can all be violated. Modern C++ helps, but it
also gives you all these escape hatches (which should really be called
landmines) and retains an enormous amount of undefined behavior that
surprises even experts with years of experience.
-- Ben
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140420/3096db01/attachment.pgp>
More information about the cryptography
mailing list