talloc issues

tridge at samba.org
Tue Jul 28 05:09:58 MDT 2009


Hi Sam,

 > However it is only reasoning that can certify a use, so it can't be done
 > by machine.

This is where we fundamentally disagree. Any change that requires
'reasoning' to prove it is correct is fundamentally flawed with such a
large code base. That is why I took an approach that did it completely
by machine and that guarantees to produce a clear warning for any case
where semantics have changed.

Until you propose a method of accurately auditing the entire code base
in a way that is definitely reliable then I am strongly opposed to
considering your proposed changes. I don't want to be chasing security
holes for years to come.

The machine auditing needs to:

  - warn in any case when semantics have changed

  - where possible produce a benign behaviour when semantics have
    changed, so existing code can still work

 > also indirectly by calling talloc_steal or talloc_free and then watching
 > for a dangling pointer later (that's how I found it).

nope, that is why talloc_steal now fails when a pointer has a
reference. 

If you can still produce a dangling pointer with the current code then
please send me a test case and I'll have a look at it.

 > That's fine as a position as long as we know it wasn't the specialness
 > that was the original problem, just inconsistent specialness. We don't
 > need to be afraid of specialness.

I do think treating different parents in different ways was the root
cause of the problem. When I made talloc allow multiple parents for a
pointer in the first place I should have stopped the asymmetry at that
point.

Cheers, Tridge
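As an added illustration (not part of this message and not talloc's own code): a toy C model of the rule stated above, a steal that is refused while the pointer still has a reference, run through the steal-then-free scenario Sam described. The m_* functions, the chunk registry and the choice in m_free of handing a referenced child to its first referrer are the model's own assumptions, not talloc's implementation.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_CHUNKS 32
#define MAX_REFS 4

/* Toy model of a hierarchical allocator: each chunk has one owning parent
 * plus a list of references. Written for this page, not talloc's own code;
 * the m_* names and the registry are invented for the model. */
struct chunk {
	struct chunk *parent;         /* single owning parent, may be NULL */
	struct chunk *refs[MAX_REFS]; /* contexts holding a reference */
	int nrefs;
	int live;                     /* 0 once freed, so a check can spot a stale pointer */
	const char *name;
};

static struct chunk *registry[MAX_CHUNKS]; /* every chunk, for walking children */
static int nregistry;

/* Any refused operation is loud: the "clear warning" the post asks for. */
static int refused(const char *op, const struct chunk *p)
{
	fprintf(stderr, "WARNING: %s of %s refused, %d reference(s)\n", op, p->name, p->nrefs);
	return -1;
}

struct chunk *m_new(struct chunk *parent, const char *name)
{
	struct chunk *c = nregistry < MAX_CHUNKS ? calloc(1, sizeof(*c)) : NULL;
	if (c == NULL) return NULL;
	c->parent = parent; c->live = 1; c->name = name;
	registry[nregistry++] = c;
	return c;
}

int m_reference(struct chunk *ctx, struct chunk *ptr)
{
	if (ptr == NULL || ptr->nrefs >= MAX_REFS) return -1;
	ptr->refs[ptr->nrefs++] = ctx;
	return 0;
}

/* The rule from the post: a steal is refused while the pointer has any
 * reference, so it cannot be moved out from under a reference holder. */
struct chunk *m_steal(struct chunk *new_ctx, struct chunk *ptr)
{
	if (ptr == NULL) return NULL;
	if (ptr->nrefs > 0) { refused("steal", ptr); return NULL; }
	ptr->parent = new_ctx;
	return ptr;
}

/* Free the subtree under ptr. A referenced ptr is refused, mirroring m_steal.
 * A child that still has a reference is not freed: its first referrer becomes
 * the owning parent and that reference is consumed (the model's choice), so
 * the holder's pointer stays valid instead of dangling. */
int m_free(struct chunk *ptr)
{
	int i;
	if (ptr == NULL || !ptr->live) return -1;
	if (ptr->nrefs > 0) return refused("free", ptr);
	for (i = 0; i < nregistry; i++) {
		struct chunk *c = registry[i];
		if (!c->live || c->parent != ptr) continue;
		if (c->nrefs > 0) {
			c->parent = c->refs[0];
			c->refs[0] = c->refs[--c->nrefs];
		} else {
			m_free(c);
		}
	}
	ptr->live = 0;
	return 0;
}

/* The scenario from the thread: a holder references a child, someone tries to
 * steal the child, then the child's original parent is freed. Returns 0 if the
 * holder's pointer stays valid throughout, otherwise the failing step. */
int dangling_check(void)
{
	struct chunk *root = m_new(NULL, "root"), *holder = m_new(NULL, "holder");
	struct chunk *other = m_new(NULL, "other"), *a = m_new(root, "a");
	if (a == NULL || m_reference(holder, a) != 0) return 1;
	if (m_steal(other, a) != NULL) return 2;        /* refused, as the post states */
	if (a->parent != root) return 3;                /* a refused steal changes nothing */
	if (m_free(root) != 0) return 4;
	if (!a->live || a->parent != holder) return 5;  /* handed to the referrer, not dangling */
	if (m_free(holder) != 0 || a->live) return 6;   /* now an ordinary child, freed with holder */
	return 0;
}

int main(void)
{
	int rc = dangling_check();
	printf("dangling_check: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
	return rc;
}
```

The model never free()s chunk memory, only marks it dead, so a check can read `live` on a pointer after the allocator has released it; that is the point of the exercise, not a pattern for real code. The refused steal and refused free both print the warning the post insists on, and the scenario passes only because the reference holder ends up owning the child rather than holding a stale pointer.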

