This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Set the warn_unused_result attribute on crypt?
- From: Russ Allbery <rra at stanford dot edu>
- To: libc-alpha at sourceware dot org
- Date: Wed, 25 Sep 2013 09:55:47 -0700
- Subject: Set the warn_unused_result attribute on crypt?
- Authentication-results: sourceware.org; auth=none
Apologies if this has already been discussed. I don't remember seeing it.
As folks here are probably aware, there have been a few recent security
vulnerabilities for DoS attacks in software using the crypt() function now
that it can return NULL in more cases, such as invalid salt. In a
discussion of this on debian-devel, the warn_unused_result attribute was
raised as a possible way of helping developers find other cases of this
latent bug.
I checked the current Git repository, and I don't think crypt() currently
has that attribute. Would it make sense to add it? Presumably crypt_r()
should be flagged the same way if that change is made.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>