[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing

Russ Allbery <rra <at> debian.org> writes:

> (consider resource exhaustion errors in the crypt implementation, for

No, the standard said it would either always fail or never, but independent
on the input data.

> Your proposed solution on libc-alpha was ingenious, but I think it breaks
> the crypt contract in even more serious ways, since it means that crypt
> could now return a string matching the disabled password field in

No, it cannot, because you pass the “password field” as seed, hence
the comparison: if the password field is disabled by ‘*’ you get ‘x’,
if it’s disabled by ‘x’ got get ‘*’. It always returns something not

And prevents serious security issues in legacy code (which, by the
way, often predates the standard and thus is allowed to not follow


Reply to: