Me: OpenSSH is one of the most secure apps ever written, even in C
C Haters: no it's not! Several RCE bugs!
Me: prove it. Show me a working exploit. *crickets*
FUD and security pedanticism are unbecoming of our industry, pals.
Yup, I screwed that one up. Might post an actual UB example later (really, just pass the element size as an int parameter to get it).
-
-
But you're not demonstrating undefined behaviour, you're demonstrating using the wrong type for the job (int rather than size_t)
-
The UB follows from that mistake. It's easy to make though, once the type is hidden behind a typedef, or some API chooses to use negative values for error codes.
-
Right, but I don't believe this is something that is a surprise to most engineers and auditors. Sure, the actual issues resulting from it might, but checking the types are appropriate (e.g. size_t/ssize_t for sizes and counts) is an important and well-known step.
-
The argument is not that it is impossible to write correct code. Just that it takes effort and skilled people. It's still hard to get right, and easy to get wrong.
-
The only undefined behaviour that I've seen catch someone out (although it didn't cause any actual issues in practice, with any optimization level) was the left-shift casting to a 32-bit signed integer (e.g. (0x80 << 24) is an int, rather than an unsigned int).
-
Now, my point is that this undefined behaviour that you're talking about generally does not catch out engineers (especially with warnings emitted by modern compilers). I understand what you're trying to say but I don't find your examples compelling.
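As an added example, not from any of the posts above: the two C mistakes the thread argues over, the `(0x80 << 24)` shift on a plain int and a size or count passed as `int`, each beside a well-defined form. All function names are my own, and the checks assume a 32-bit `int`.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not code from the thread. It turns the two
 * mistakes discussed above into checkable functions:
 *   1. 0x80 << 24 on a plain int: the result does not fit in a 32-bit
 *      signed int, so the shift is undefined behaviour.
 *   2. a size or count passed as int, where a negative error code
 *      silently becomes a huge size_t. */

/* Is `value << shift` well-defined for a plain int? C requires
 * value >= 0, 0 <= shift < width, and value * 2^shift representable. */
bool int_shift_is_defined(int value, int shift) {
    const int width = (int)(sizeof(int) * CHAR_BIT);
    if (shift < 0 || shift >= width || value < 0) return false;
    return value <= (INT_MAX >> shift);  /* no overflow in the check itself */
}

/* The fix: shift an unsigned operand, which wraps modulo 2^32 by definition. */
uint32_t pack_be32(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3) {
    return ((uint32_t)b0 << 24) | ((uint32_t)b1 << 16) |
           ((uint32_t)b2 << 8)  |  (uint32_t)b3;
}

/* Mistake 2, as the thread describes it: a count arrives as int (an API
 * returned -1 as an error code) and is multiplied straight into a
 * size_t. Unsigned conversion is defined, so nothing traps; the caller
 * just gets a size near SIZE_MAX. */
size_t naive_total(int count, int elem_size) {
    return (size_t)count * (size_t)elem_size;
}

/* Hardened form: reject negatives before conversion and check the
 * product against SIZE_MAX instead of letting it wrap. */
bool checked_total(int count, int elem_size, size_t *out) {
    if (count < 0 || elem_size <= 0) return false;  /* error code, not a size */
    size_t c = (size_t)count, e = (size_t)elem_size;
    if (c > SIZE_MAX / e) return false;             /* product would wrap */
    *out = c * e;
    return true;
}
```

`-Wshift-overflow` and `-fsanitize=undefined` flag the first mistake at compile time or run time, but nothing flags the second, which is why the sign check has to be in the code.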
. Besides, having bugs isn’t the issue. Resolving, reducing, and remaining well architected is the point.