Date:      Thu, 24 Apr 2014 11:49:14 -0600
From:      Chad Perrin <code@apotheon.net>
To:        freebsd-security@freebsd.org
Subject:   Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Message-ID:  <20140424174914.GC3850@glaze.hydra>
In-Reply-To: <697C2D01-D8F7-4BC4-BBED-6B4A93105E62@cederstrand.dk>
References:  <23494.1398337629@server1.tristatelogic.com> <697C2D01-D8F7-4BC4-BBED-6B4A93105E62@cederstrand.dk>

On Thu, Apr 24, 2014 at 01:59:10PM +0200, Erik Cederstrand wrote:
> Den 24/04/2014 kl. 13.07 skrev Ronald F. Guilmette <rfg@tristatelogic.com>:
> > 
> > Sir, does not the following trivial and obvious single line modification
> > to the above code eliminate the warning?  And does it not do so *without*
> > the need for ``considerable effort''?
> > 
> >   int x = -1;
> > 
> > I thank you for providing me with the example above, and thus also this
> > opportunity to so perfectly illustrate my fundamental point.
> 
> The example I gave is of course trivial to rewrite. It was the
> shortest possible example I could think of to illustrate the
> situation. It was condensed from a really convoluted if-else case
> which was not incorrect but quite difficult to untangle. And yes, it's
> laudable to rewrite it for the sake of readability, but it doesn't fix
> any security issues.

I'm generally of the opinion that, all else being equal, making your
code readable is a way to find bugs you did not know existed.  Even more
amazingly, making your code readable fixes bugs that have not yet been
written.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]


