News · 2014/03/04
The recent Apple bug, in which code failed to verify SSL certificates, has caused a lot of noise. In fact, there has been plenty of similar code in the past. Let's review:
X
Back in 2006, the X server checked whether the user was root, but forgot to actually call the function that does the check.
#! Diff - hw/xfree86 / common/xf86Init. C + + + hw/xfree86 / common/xf86Init. @ @ + 1677-1677, 7, 7 c @ @} the if (! strcmp(argv[i], "-configure")) { - if (getuid() ! = 0 && geteuid == 0) { + if (getuid() ! = 0 && geteuid() == 0) { ErrorF("The '-configure' option can only be used by root.\n"); exit(1); }Copy the code
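Review bot: on the -configure check, pair this fix with a build setting that rejects the old form, because geteuid == 0 compares the function's address with zero and so the test could never be true. GCC reports that comparison under -Waddress; promote it to an error for this file so that the corrected line, if (getuid() != 0 && geteuid() == 0), cannot regress silently.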
Isn't it strange that no one saw a warning when compiling?
Debian OpenSSL
In 2008, Debian shipped a release whose keys could be guessed.
#! Diff openssl - a/md_rand. C + + + openssl - b/md_rand. C @ @ - 271, 271, 7 + @ @ the else MD_Update (& m, & (state [st_idx]), j); -/* - * Don't add uninitialised data. MD_Update(&m,buf,j); -*/ MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); MD_Final(&m,local_md); md_c[1]++;Copy the code
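Review bot: the restored call MD_Update(&m,buf,j) needs a comment stating why it must stay, because the only rationale visible in this hunk is the deleted one (Don't add uninitialised data), and it argues for removing the call. If an analysis tool objects to reading buf here, suppress that in the tool's configuration rather than in the code, and add a test that the digest changes when the contents of buf change.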
Well, the fix is three lines of code; I don't understand what happened when the code was audited.
OpenSSL
OpenSSL again, also in 2008: OpenSSL 0.9.8i and earlier did not properly check the return value of the EVP_VerifyFinal function, allowing remote attackers to bypass certificate authentication.
#! Diff -- lib/libssl/ SRC/SSL /s3_srvr.c +++ lib/libssl/ SRC/SSL /s3_srvr.c @@-2009 7 +2009 7 @@static int ssl3_get_client_certificate(S else { i=ssl_verify_cert_chain(s,sk); - if (! i) + if (i <= 0) { al=ssl_verify_alarm_type(s->verify_result); SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);Copy the code
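Review bot: the return convention of ssl_verify_cert_chain(s,sk) should be written in a comment at this call, since replacing if (!i) with if (i <= 0) only makes sense if the function can return a negative value on error. Other call sites that test a verification result with ! deserve the same audit before this is considered closed.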
This is probably the worst security problem you could imagine, right?
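The return-value mistake described above, as an added example that is not OpenSSL's code and not from the original post: toy_verify, accept_before and accept_after are hypothetical names, the byte strings are constructed, and the 1 / 0 / -1 convention is an assumption inferred from the fix. It shows why the error result slips past a !i test but not past i <= 0.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs: tag 0x30, a length byte, three payload bytes. */
static const unsigned char valid[]     = { 0x30, 0x03, 0xAA, 0xBB, 0xCC };
static const unsigned char wrong[]     = { 0x30, 0x03, 0xAA, 0xBB, 0xCD };
static const unsigned char malformed[] = { 0x31, 0x03, 0xAA, 0xBB, 0xCC };

/* Hypothetical stand-in for a verifier with a tri-state result:
 *   1 = valid, 0 = invalid, -1 = error before any verdict was reached
 *   (here: input that does not parse). Toy comparison, not real crypto. */
static int toy_verify(const unsigned char *sig, size_t len)
{
    if (len < 2 || sig[0] != 0x30 || (size_t)sig[1] + 2 != len)
        return -1;
    if (len != sizeof valid || memcmp(sig, valid, len) != 0)
        return 0;
    return 1;
}

/* Pre-fix pattern: only 0 counts as failure, so -1 is treated as success. */
int accept_before(const unsigned char *sig, size_t len)
{
    int i = toy_verify(sig, len);
    if (!i)
        return 0;
    return 1;
}

/* Post-fix pattern: anything that is not a positive result is a failure. */
int accept_after(const unsigned char *sig, size_t len)
{
    int i = toy_verify(sig, len);
    if (i <= 0)
        return 0;
    return 1;
}

int main(void)
{
    printf("valid:     before=%d after=%d\n", accept_before(valid, sizeof valid), accept_after(valid, sizeof valid));
    printf("wrong:     before=%d after=%d\n", accept_before(wrong, sizeof wrong), accept_after(wrong, sizeof wrong));
    printf("malformed: before=%d after=%d\n", accept_before(malformed, sizeof malformed), accept_after(malformed, sizeof malformed));
    return 0;
}
```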
Android
This time in 2010. The details of the fix:
#! Diff -- libc-a/memset.c +++ libc-b/memset.c @@-1,6 +1,6 @@@void *memset(void *_p, unsigned v, unsigned count) { unsigned char *p = _p; - while(count-- > 0) *p++ = 0; + while(count-- > 0) *p++ = v; return _p; }Copy the code
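Review bot: in the loop while(count-- > 0) *p++ = v; the store narrows unsigned v to unsigned char implicitly; write it as (unsigned char)v so the truncation is visibly intended. The change also needs a test that fills with a non-zero byte, since a test that only zero-fills passes against the removed line as well.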
And nobody got a compiler warning about an unused parameter?
Tarsnap
In 2011, the AES-CTR code was refactored:
#! Diff -- tarsnap-autoconf-1.0.27/lib/crypto/crypto_file.c +++ tarsnap-autoconf-1.0.28/lib/crypto/crypto_file.c @@-108,7 Encrypt the data. */ if ((stream = -crypto_aesctr_init (&encr_aes->key, encr_aes->nonce)) == NULL) + crypto_aesctr_init(&encr_aes->key, encr_aes->nonce++)) == NULL) goto err0; crypto_aesctr_stream(stream, buf, filebuf + CRYPTO_FILE_HLEN, len); crypto_aesctr_free(stream);Copy the code
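Review bot: the increment in encr_aes->nonce++ is a side effect buried in the argument list of crypto_aesctr_init inside the if condition, where it is easy to lose again in the next refactor. Take the nonce into a local, advance encr_aes->nonce in its own statement before the call, and add a comment that every stream under the same key needs a fresh nonce because a repeated nonce repeats the CTR keystream.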
Original: www.tedunangst.com/flak/post/a…