This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Set the warn_unused_result attribute on crypt?

From: Russ Allbery <rra at stanford dot edu>
To: libc-alpha at sourceware dot org
Date: Wed, 25 Sep 2013 09:55:47 -0700
Subject: Set the warn_unused_result attribute on crypt?
Authentication-results: sourceware.org; auth=none

Apologies if this has already been discussed.  I don't remember seeing it.

As folks here are probably aware, there have been a few recent security
vulnerabilities for DoS attacks in software using the crypt() function now
that it can return NULL in more cases, such as invalid salt.  In a
discussion of this on debian-devel, the warn_unused_result attribute was
raised as a possible way of helping developers find other cases of this
latent bug.

I checked the current Git repository, and I don't think crypt() currently
has that attribute.  Would it make sense to add it?  Presumably crypt_r()
should be flagged the same way if that change is made.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

Follow-Ups:
- Re: Set the warn_unused_result attribute on crypt?
  - From: Russ Allbery

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]