“FIXME: Not A Good Idea To Do This!” … Hunting For Bugs in Comments
9 min read · Aug 23, 2018
If you were reading some source code and came across comments such as these, you would probably worry that the code wasn't that professional:
```c
/* FIXME: setting this via a completely different prototype seems like a crap idea */

/* NB: if compression is in operation the first packet
 * may not be of even length so the padding bug check
 * cannot be performed. This bug workaround has been
 * around since SSLeay so hopefully it is either fixed
 * now or no buggy implementation supports compression */

        /* actually a client application bug */
        al=SSL_AD_ILLEGAL_PARAMETER;
        SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
        goto f_err;
        }
    s->hit=1;
    }
else /* a miss or crap from the other end */
```
But these come from a program that plays a core part in the security of the Internet: OpenSSL. Its C++ code takes a bit of reading to understand, and the project has been held together by part-time developers with little in the way of funding.
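Comments like the ones above are exactly what an auditor greps for first. The scanner below is an added example (not from the article or from OpenSSL) that pulls every C comment out of a source file, flags the ones carrying markers such as FIXME, XXX or "workaround", and ranks them so a reviewer can read the most suspect spots first; the marker list and weights are an assumption, and the sample input is constructed to resemble the OpenSSL excerpts.

```python
import re

# Markers that tend to mark unfinished or suspect code. The words and
# their weights are an editorial assumption, not any project's standard.
MARKERS = {
    "FIXME": 3, "XXX": 3, "HACK": 3, "BUG": 2, "WORKAROUND": 2,
    "CRAP": 2, "NOT SURE": 2, "TODO": 1, "SHOULD": 1,
}

# C block comments and C99/C++ line comments. A "//" inside a string
# literal would also match; acceptable for a triage tool.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)


def find_suspect_comments(source: str):
    """Return (line_number, score, markers, text) for every comment that
    contains at least one marker, highest score first."""
    hits = []
    for m in COMMENT_RE.finditer(source):
        text = m.group(0).strip()
        # Strip the comment delimiters and the leading '*' on each line.
        body = re.sub(r"^/\*|\*/$|^//", "", text)
        body = " ".join(ln.strip().lstrip("*").strip() for ln in body.splitlines())
        upper = body.upper()
        found = [k for k in MARKERS if re.search(r"\b" + re.escape(k) + r"\b", upper)]
        if not found:
            continue
        line_no = source.count("\n", 0, m.start()) + 1
        score = sum(MARKERS[k] for k in found)
        hits.append((line_no, score, sorted(found), body.strip()))
    hits.sort(key=lambda h: (-h[1], h[0]))
    return hits


# Constructed sample modelled on the excerpts above; not the real OpenSSL file.
SAMPLE = """\
int f(void) {
    /* FIXME: setting this via a completely different prototype
     * seems like a crap idea */
    x = 1;
    /* NB: if compression is in operation the first packet
     * may not be of even length so the padding bug check
     * cannot be performed. This bug workaround has been
     * around since SSLeay */
    return 0; // a miss or crap from the other end
}
"""

if __name__ == "__main__":
    for line_no, score, markers, body in find_suspect_comments(SAMPLE):
        print(f"line {line_no:4d}  score {score}  {markers}: {body[:70]}")
```

Point it at a whole tree (one call per file) and sort the combined list to get a reading order for a manual review.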
So this week a researcher at Qualys spotted a new bug by reading the comments on a code review of OpenSSH:
delay bailout for invalid authenticating user until after the packet containing the request has been fully parsed. Reported by Dariusz Tytko and Michal…