On 2021-05-07 at 13:58:42, Matheus Tavares Bernardino wrote: > Hi, brian Hey, > 1. Make oidcpy() only copy `hash_algos[src->algo].rawsz` bytes. (But > then we would probably need to branch in case `src->algo` is zero, > right?) Yeah, this will likely incur a performance cost. I'd recommend avoiding this if possible. > 2. Reintroduce the oid_pad_buffer() function from your v1, and use it > in parallel-checkout.c:send_one_item(), after oidcpy(). This would > then zero out the copied uninitialized bytes (with the cost of one > additional memcpy() per item, but this might be neglectable here). This is fine with me. I didn't have a use for it anymore, but you've clearly found one, and I think this is probably the best approach here. > 3. Use oidcpy() as-is, without additional padding, and let Valgrind > warn. This false-positive warn might not be so problematic after all, > and maybe I'm just overthinking things :) I'm okay with this, but I don't know if the other end is security sensitive and might need unused data zeroed. If so, we should definitely avoid this option. -- brian m. carlson (he/him or they/them) Houston, Texas, US
Attachment:
signature.asc
Description: PGP signature