This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] Don't bind to registered ports in bindresvport

From: Roland McGrath <roland at hack dot frob dot com>
To: Carlos O'Donell <carlos_odonell at mentor dot com>
Cc: Petr Baudis <pasky at ucw dot cz>, Dan Nicholson <dbn dot lists at gmail dot com>, <libc-alpha at sourceware dot org>
Date: Wed, 6 Jun 2012 13:51:49 -0700 (PDT)
Subject: Re: [PATCH] Don't bind to registered ports in bindresvport
References: <20120531153241.GA21672@buster.dwcab.com><CADZpyiyzShWCe1OgA0b+vZW6NQGT0Q9WUK4=jev5MRu7pUxKtQ@mail.gmail.com><20120601200113.GA24584@buster.dwcab.com><CADZpyizNLJkWKZKPhmb1GRZr33jsBR8wMkwE8EnN3nU8Mu_0cw@mail.gmail.com><20120606004617.GD24309@machine.or.cz><4FCFBB9D.5030407@mentor.com>

> Using alloca can create a security risk by putting the buffer in
> in the same location every time relative to the stack pointer or
> call sequence. While with malloc the allocation locations can be 
> random.

This kind of rationale is a very generic one.  Throughout libc, we
have decided that using alloca (or VLAs) is the appropriate thing to
do because of the performance benefit despite this kind of concern.
(It's also the case that for reasonably small sizes alloca can "never"
fail--i.e. the only way it can fail is a stack-extending page fault
that cannot be serviced, crashing the program--while using malloc
requires handling the ENOMEM case explicitly.)  There is always a
trade-off between performance and "hardening" and other such concerns.
I think we should be more systematic about this than simply going with
the preference of whoever happens to be writing or reviewing the code.

This particular case is one where the interface is not at all
performance-sensitive (if it were, even considering having it call NSS
modules and such things would be entirely out of the question--as it
stands, I just think it's quite dubious, but others feel differently)
and the API doesn't make it particularly difficult to fail gracefully
for the ENOMEM case.  So that may be good reason to choose malloc over
alloca here.  It's probably right that the decision should be made
case-by-case considering these sorts of issues.  But I don't think the
decision should ever be ad hoc like this.

The existing standard is that using alloca in libc is always fine,
given appropriate use of the size-cutoff macros.  Before objecting to
use of alloca is considered a valid reason to reject a libc change,
we need to have a clear and systematic policy about how the decision
is made.


Thanks,
Roland

Follow-Ups:
- Re: [PATCH] Don't bind to registered ports in bindresvport
  - From: Carlos O'Donell

References:
- Re: [PATCH] Don't bind to registered ports in bindresvport
  - From: Dan Nicholson
- Re: [PATCH] Don't bind to registered ports in bindresvport
  - From: Carlos O'Donell
- Re: [PATCH] Don't bind to registered ports in bindresvport
  - From: Petr Baudis
- Re: [PATCH] Don't bind to registered ports in bindresvport
  - From: Carlos O'Donell

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]