talloc issues
tridge at samba.org
Tue Jul 28 05:09:58 MDT 2009
Hi Sam,
> However it is only reasoning that can certify a use, so it can't be done
> by machine.
This is where we fundamentally disagree. Any change that requires
'reasoning' to prove it is correct is fundamentally flawed with such a
large code base. That is why I took an approach that did it completely
by machine and that guarantees to produce a clear warning for any case
where semantics have changed.
Until you propose a method of accurately auditing the entire code base
in a way that is definitely reliable then I am strongly opposed to
considering your proposed changes. I don't want to be chasing security
holes for years to come.
The machine auditing needs to:
- warn in any case when semantics have changed
- where possible produce a benign behaviour when semantics have
changed, so existing code can still work
> also indirectly by calling talloc_steal or talloc_free and then watching
> for a dangling pointer later (that's how I found it).
nope, that is why talloc_steal now fails when a pointer has a
reference.
If you can still produce a dangling pointer with the current code then
please send me a test case and I'll have a look at it.
> That's fine as a position as long as we know it wasn't the specialness
> that was the original problem, just inconsistent specialness. We don't
> need to be afraid of specialness.
I do think treating different parents in different ways was the root
cause of the problem. When I made talloc allow multiple parents for a
pointer in the first place I should have stopped the asymmetry at that
point.
Cheers, Tridge