"Secure coding" audit checkers and Kerberos

Greg Hudson ghudson at MIT.EDU
Tue Oct 14 23:32:00 EDT 2008

I'm trying to let this conversation run its course for a bit without
responding to every message, but I do want to raise one point for
further discussion.

On Tue, 2008-10-14 at 19:36 -0700, Russ Allbery wrote:
> Every approach requires error handling.

For the usual case (concatenation), this is usually true.  Either you're
allocating a buffer, in which case you have to check for allocation
failure, or you're using a fixed-sized buffer, in which case you have to
check for overflow.  Note that in both cases, you have to measure the
length of the source strings, which gives you the material you need for
a later memcpy(), which is why I favor that approach.

There are some simple cases which do not require error handling.
Copying a short constant string into a big buffer is one.  Formatting an
integer into a "big enough" buffer is arguably another.

When error handling is necessary, it's often better if there is one
error path and not many.  If we are concatenating three strings into an
allocated buffer, I do not want to see unreachable and untestable error
paths on each of the three string-copy calls.

More information about the krbdev mailing list