Resend: [PATCH] Avoid use of uninitialized values in guid.c
Chris Shoemaker
c.shoemaker at cox.net
Tue Feb 15 17:52:15 EST 2005
Derek, did you notice that this email didn't make it to the list? Did
it make it to you?
-chris
On Sun, Feb 13, 2005 at 08:26:52PM -0500, Chris Shoemaker wrote:
> On Sun, Feb 13, 2005 at 06:13:33PM -0500, Derek Atkins wrote:
> > I'm a bit concerned about a few aspects of this patch, so I haven't
> > applied it. More comments inline..
> >
> > Chris Shoemaker <c.shoemaker at cox.net> writes:
> >
> > > + char *tmp = "NULLGUID.EMPTY.";
> > >
> > > + /* 16th space for '\O' */
> > > for (i = 0; i < 16; i++)
> > > - null_guid.data[i] = 0;
> > > + null_guid.data[i] = tmp[i];
> >
> > What's your reasoning for changing the NULL GUID like this?
>
> human-friendly memory signature. It helped in debugging, and since
> the null guid isn't special, any value is as good as any other.
>
>
> >
> > > - md5_process_bytes(de, sizeof(struct dirent), &guid_context);
> > > - total += sizeof(struct dirent);
> > > + md5_process_bytes(de->d_name, strlen(de->d_name), &guid_context);
> > > + total += strlen(de->d_name);
> >
> > I'm concerned here that you're reducing the amount of entropy
> > included. Whereas before you were including the whole dirent object,
> > now you're just including the filename. That's leaving out the inode
> > number, offset, and recordlen, which can all add entropy to the mix.
>
> The problem with the original is that some (perhaps undocumented)
> parts of the struct can be uninitialized. IMHO all this entropy
> gathering is pointless anyway. There are several places that are
> clearly silly superstition.
>
> I mean, we only save 128 bytes of entropy, once. Once we have it,
> hashing more random data doesn't add anything. Why do we read 512
> bytes of presumably random data from /dev/urandom, and then hash it?
> Why hash data that's supposed to be already random? And in a way,
> that's the _least_ strange thing we do.
>
> I know much less about portable C coding than I do about PRNG, but I
> would be _very_ surprised if jumping through all these hoops provides
> _any_ more entropy than simply reading 128 bytes from /dev/random (not
> urandom).
>
> If you agree, I'd be glad to write the patch. Otherwise, I guess we
> could read each field of the struct individually, but I think it's
> pretty silly.
>
> The only thing I intended was to avoid the uninitialized read.
>
> >
> > > - guid_memchunk_init();
> > > + /* Not needed: taken care of on first malloc.
> > > + /* guid_memchunk_init(); */
> >
> > The problem is that you don't know which one is called first,
> > guid_init() or guid_malloc(). If you want to protect the
> > memchunk_init() from being double-called, that's fine.
> >
>
> AFAICS, it's not a problem. We don't use the memchunk until after the
> guid_malloc, so why init it earlier?
>
>
> > > main (int argc, char **argv)
> > > {
> > > - scm_boot_guile(argc, argv, main_helper, NULL);
> > > + /* scm_boot_guile(argc, argv, main_helper, NULL); */
> > > + main_helper(NULL, argc, argv);
> > > return 0;
> >
> > Why did you remove the scheme loading here?
>
> I don't remember. Feel free to drop it.
>
> Thanks for giving my patches attention.
>
> -chris
More information about the gnucash-patches
mailing list