On Thu, 20 Jul 2017, John Stoffel wrote:
> Mikulas> In the early days when I was programming, I was adding checks for NULL
> Mikulas> pointers "just in case - so that it doesn't crash". But these checks
> Mikulas> didn't make the code any more understandable - they made the code less
> Mikulas> understandable - because if a function return value is checked for NULL,
> Mikulas> the programmer believes that the function could return NULL. And the
> Mikulas> programmer no longer knows what is the contract of the function - could
> Mikulas> the function really return NULL or not?
>
> In this case, maybe it would make more sense to clamp the values to
> the maximums in case they do exceed their limits? The check is
> simply:
>
> if (unlikely(section >= ic->journal_sections) ||
> unlikely(offset >= limit)) {
>
> So I'm arguing that when you set the section or offset, shouldn't they
> be clamped to their limits there?
>
> Thanks for your time,
> John
Returning invalid data is directly against the purpose of the dm-integrity
target.
If you think that clamping array indices that are out of range improves
software reliability - so write some program that uses this technique and
we will see how reliable or unreliable it is. You can persuade people by
writing software, you can't persuade them by preaching what should they
do.
Mikulas
--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel
