obnox at samba.org
Tue Jul 28 04:26:02 MDT 2009
and Sam, Metze, Simo, ...
tridge at samba.org wrote:
> Hi Michael,
> > I am deliberately not going into technical details
> > since I wanted to emphasize this superficial higher level
> > point of view of the callers.
> The technical details really do matter.
Sure they do.
I was thinking about what the proper design would be (IMHO)
without thinking about existing users.
> As the example I gave shows, the proposals from Sam can create
> security holes in existing code that followed the API
> documentation as given. Regardless of the high level
> aspirations of the proposed changes we can't just ignore this.
Ok, that is of course not good at all and should not be ignored.
But let me return to the higher level view for a bit.
I think we still need to clarify things more generally.
We are in principle facing the following situation:
1. Prior to Tridge's changes, talloc code was broken by design
with respect to references. So we can say, yes the callers
correctly used talloc as described told by the API docs.
2. With Tridge's changes, all users of talloc_free() need to
be reviewed. Those that conciously want to free a reference
need changing, but those callers that use talloc_free()
on simply allocated talloc contexts are potentially broken
too, because they need to know whether there are references,
so they need changing, too.
3. With the changes proposed by Sam and Metze, the "naive" users
of talloc/talloc_free are ok as they are. But the users of
references that want to free the reference need to be changed.
Have I misunderstood anything basic here?
So whatever solution we finally take (2. or 3.), the change that
fixes the internal workings of talloc, will change the API
documentation and hence potentially break code using this.
With Tridge's changes, we need to change even more callers than
with the Sam/Metze approach. The point I was trying to make in my
previous email was that I think that it is _very_ important
to keep at least the simple "talloc()/talloc_free()" use scheme
as it is. This should really be safe to use, and the caller
should not need to use more complicated calls or even need
to know about how the funcions it calls act on the memory it
> Auditing the entire code base for such a change is an enormous
> task, and it isn't a task that anyone has volunteered to do.
I will gladly help out in auditing (parts of) the code.
> I also don't think a code inspection audit will be sufficient - we
> need a programmatic way of finding all existing use cases that are
> That is why I added the location variable to the talloc reference
> structure, so that when code hit a situation that has changed we get a
> very clear message that allows for a quick fix. With the changes
> proposed by Sam and the patches in Metze's tree we would instead
> either get an abort() or we would get code dereferencing memory that
> has been freed. Both are not good outcomes.
But the way in which the code reacts to the error is not implied
by the design that the respective approach implements.
We could well change metze's code to thow the same sort of
error messages instead of aborting. Just like yours.
I still think that the benefit of the sam/metze aproach is that
the basic users need no change. And the users of talloc_reference
need to be audited and changed.
So the general path to proceed should be the following:
1. decide which design we want to implement in principle
2. implement it with error messages like Tridge, already did.
3. audit all the callers, changing deprecared ones to the new
4. once all callers are fixed, we can even think about adding
aborts -- _after_ those helpful error messages
5. we should then (IMHO) re-audit the code to reduce the use of
Cheers - Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 206 bytes
Desc: not available
More information about the samba-technical