Re: [PATCH 3/4] security/selinux: decrement sizeof size in strncmp

From: David Wagner
Date: Fri Nov 13 2009 - 22:44:20 EST

Next message: Joe Perches: "Re: [PATCH 3/4] security/selinux: decrement sizeof size in strncmp"
Previous message: Larry Finger: "Re: 64-bit DMA problems with BCM4312 using b43"
In reply to: Casey Schaufler: "Re: [PATCH 3/4] security/selinux: decrement sizeof size in strncmp"
Next in thread: Joe Perches: "Re: [PATCH 3/4] security/selinux: decrement sizeof size in strncmp"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Casey Schaufler wrote:
> No, but I hate arguing with people who think that every time
> they see strcmp that they have found a security flaw.

Valdis.Kletnieks@xxxxxx wrote:
> How do you feel about people who think every time they see strcmp()
> "Oh crap, something that needs auditing"? ;)

Casey Schaufler wrote:
> They have my deep sympathy. Which is why I'm advocating leaving
> the perfectly functional and correct use of strncmp() as it is.

Personally, I think this is catering to irrational kneejerk responses,
from hypothetical people who may or may not exist. I have yet to see a
single person stand up on the linux-kernel mailing list, endorse such
a position, and put their own name behind it. That's no surprise,
because it looks to me like an illogical and unjustified position that
would reflect poorly on anyone who adopted such a position in this case.
I do not think it makes sense to make a decision based upon the hypothesis
that maybe unidentified others will think that way, particularly when
no one can put forward a convincing argument that "thinking that way"
is reasonable in light of the technical facts.

I personally don't find
strncmp(foo, "constant", sizeof("constant")) // first snippet
to be more readable, auditable, or obviously correct than
strcmp(foo, "constant"). // second snippet
Do you? Does anyone?

Of course, those two code snippets have exactly the same behavior, so
there is no difference in their actual security properties. The only
possible difference I can imagine would be if one code snippet is
more readable, intuitive, or obviously correct than the other -- but I
would think strcmp() is no worse under those criteria, and if anything
modestly better. Is there a technical basis for arguing that the first
snippet is better than the second snippet?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Joe Perches: "Re: [PATCH 3/4] security/selinux: decrement sizeof size in strncmp"
Previous message: Larry Finger: "Re: 64-bit DMA problems with BCM4312 using b43"
In reply to: Casey Schaufler: "Re: [PATCH 3/4] security/selinux: decrement sizeof size in strncmp"
Next in thread: Joe Perches: "Re: [PATCH 3/4] security/selinux: decrement sizeof size in strncmp"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]