lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


> On a related note, I think because of Heartbleed we should never reuse
> buffers ever again.  Seems logical, right?  Can't trust programmers
> anyway, we're all just simple beings that can't figure out better...

There are a few lessons one could learn from it. For example, if you already have a custom allocator in place in a security critical software, use memset() to zero out any new allocated memory with may have been left holding security relevant information. This really are only a few cycles worth it. Or memset() to zero security relevant memory before you free() it. Or -- and this plays into Luas miminimalism princriple -- there is little reason to active an obscure source tree by default for everybody that is only used by a few users and maintained and looked at by few developers. Or -- and this has also been argued by a few -- reconsider the decision to write security critical stuff in C. With most highlevel languages this bug could not have happened this way. Or -- there should be more code review in security critical stuff. Or -- etc. etc.

Yes, we improve as coders by generalized learning. There are a few options in which way to go and develop -- Yes, there is not one "true" way, since ages of arguing about coding, but to deny any possible generalizations gained from experience like you did is sure one wrong way.




On Mon, Aug 25, 2014 at 12:30 PM, Coroutines <coroutines@gmail.com> wrote:
On Sun, Aug 24, 2014 at 7:50 PM, Javier Guerra Giraldez
<javier@guerrag.com> wrote:
> On Sun, Aug 24, 2014 at 9:25 PM, Sean Conner <sean@conman.org> wrote:
>>   Reusing a buffer was the cause of the recent Heartbleed bug that affected
>> OpenSSL and just about everything that relied upon it.
>
>
> I think it was more like failing to sanitize an input (http://xkcd.com/1354/)

On a related note, I think because of Heartbleed we should never reuse
buffers ever again.  Seems logical, right?  Can't trust programmers
anyway, we're all just simple beings that can't figure out better...

(I'm not mad at you, I think Sean is getting ridiculous -- Appeal to
Fear and all that...)