[PATCH] Fix two CIDs

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Nov 22 15:09:29 UTC 2017

On Wed, Nov 22, 2017 at 07:54:05AM -0700, David Mulder via samba-technical wrote:
> On 11/21/2017 01:04 PM, Volker Lendecke via samba-technical wrote:
> > Hi!
> >
> > This NEWLY pushed file so severely needs overhaul to match
> > README.Coding :-(
> >
> > For example there are several if-statements without {} around the
> > code. There's a reason why we don't want this: CVE 2014-1266, which
> > was an early one with a famous name. Is this file so completely immune
> > to any security-relevant exposure that this does not matter here? How
> > have we verified that this is irrelevant to security?
> I think security does matter here, since we're authenticating and
> pulling info from the sysvol.
> Not putting {} around if statements is a bad habit of mine.
> > I'm not talking about the cosmetic 80-column thingy, something which
> > this file does not follow either. I am talking about our way to
> > protect from one aspect of security-aware coding, and a very easily
> > implemented one.
> Actually, if you set your tabwidth to 4 chars, the file abides by the
> 80-column width (my bad).
> Obviously that was a mistake.

This is not about you, none of this is. It's about our insufficient
review process that does not catch them.

Sorry you got involved,


SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
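The hazard behind the braces rule, as an added illustration that is not Samba code: a braceless `if` followed by an accidentally duplicated `goto fail;` (the shape of CVE-2014-1266) silently skips every later check, while the braced form contains the stray line. The three validation steps are hypothetical stand-ins, each returning 0 on success and -1 on failure.

```c
#include <stdio.h>

/* Unbraced: the second "goto fail;" is governed by no if at all, so
 * check c is never evaluated and err still holds 0 from check b.
 * Constructed to mirror the CVE-2014-1266 pattern, not real Samba code. */
static int validate_unbraced(int a, int b, int c)
{
	int err;

	if ((err = a) != 0)
		goto fail;
	if ((err = b) != 0)
		goto fail;
		goto fail;	/* duplicated line: runs unconditionally */
	if ((err = c) != 0)
		goto fail;
	return 0;
fail:
	return err;
}

/* Braced (README.Coding style): the same duplicated line is now dead
 * code inside the block and cannot bypass the remaining checks. */
static int validate_braced(int a, int b, int c)
{
	int err;

	if ((err = a) != 0) {
		goto fail;
	}
	if ((err = b) != 0) {
		goto fail;
		goto fail;	/* same duplicated line, now harmless */
	}
	if ((err = c) != 0) {
		goto fail;
	}
	return 0;
fail:
	return err;
}

int main(void)
{
	/* Constructed input: checks a and b pass, check c fails. */
	printf("unbraced: %d (wrongly reports success)\n",
	       validate_unbraced(0, 0, -1));
	printf("braced:   %d (correctly reports failure)\n",
	       validate_braced(0, 0, -1));
	return 0;
}
```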
