“FIXME: Not A Good Idea To Do This!” … Hunting For Bugs in Comments

If you were reading some source code and came across comments such as these, you would probably worry that the code wasn't very professional:

    /* FIXME: setting this via a completely different prototype seems like a crap idea */

    /* NB: if compression is in operation the first packet
     * may not be of even length so the padding bug check
     * cannot be performed. This bug workaround has been
     * around since SSLeay so hopefully it is either fixed
     * now or no buggy implementation supports compression */

            /* actually a client application bug */
            al=SSL_AD_ILLEGAL_PARAMETER;
            SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
            goto f_err;
        }
        s->hit=1;
    }
    else
        /* a miss or crap from the other end */

But these are from a program that plays a core part in the security of the Internet: OpenSSL. Its C++ code takes a bit of reading to understand, and the project has been held together by part-time developers with little in the way of funding.
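Reading comments for warning signs can be done systematically. The following is an added example, not code from the article or from OpenSSL: a small Python scanner that extracts C block and line comments (skipping comment-like text inside string literals), strips the leading " * " continuation prefixes, and flags any comment that carries a marker such as FIXME, HACK, "workaround" or "bug". The sample source and the marker list are constructed for the example; the markers are loosely modelled on the OpenSSL excerpt quoted above.

```python
import re

# Markers that, inside a comment, suggest a known-weak spot worth a reviewer's attention.
# This list is an assumption for the example; tune it to the code base under review.
RISK_MARKERS = ("FIXME", "XXX", "HACK", "TODO", "workaround", "bug", "crap", "hopefully")

# Constructed sample input (not real OpenSSL code), including a string literal that
# looks like a comment so the scanner's literal-skipping is exercised.
SAMPLE_C = """\
int f(void) {
    /* FIXME: setting this via a completely different prototype seems like a crap idea */
    int x = 0; // NB: padding bug check cannot be performed
    /* actually a client application bug */
    const char *s = "/* not a comment */";
    return x; /* fine */
}
"""

# One pass over the source: string and char literals are matched first so that
# "/*" or "//" inside them is never mistaken for a comment.
COMMENT_RE = re.compile(
    r'"(?:\\.|[^"\\])*"'   # string literal (consumed and ignored)
    r"|'(?:\\.|[^'\\])*'"  # char literal (consumed and ignored)
    r"|/\*.*?\*/"          # block comment, non-greedy so it ends at the first */
    r"|//[^\n]*",          # line comment
    re.DOTALL,
)


def extract_comments(src):
    """Return (line_number, text) for every C comment in src, with
    block-comment continuation prefixes (' * ') and extra whitespace removed."""
    out = []
    for m in COMMENT_RE.finditer(src):
        tok = m.group(0)
        if tok[0] in "\"'":
            continue  # a literal, not a comment
        line = src.count("\n", 0, m.start()) + 1
        body = tok[2:-2] if tok.startswith("/*") else tok[2:]
        body = re.sub(r"^\s*\*\s?", "", body, flags=re.MULTILINE)
        out.append((line, " ".join(body.split())))
    return out


def flag_risky_comments(src, markers=RISK_MARKERS):
    """Return (line_number, matched_markers, text) for comments containing a marker.
    Matching is case-insensitive; markers are reported in the order of the tuple."""
    flagged = []
    for line, text in extract_comments(src):
        low = text.lower()
        hits = [mk for mk in markers if mk.lower() in low]
        if hits:
            flagged.append((line, hits, text))
    return flagged


if __name__ == "__main__":
    for line, hits, text in flag_risky_comments(SAMPLE_C):
        print(f"line {line}: {', '.join(hits)}: {text}")
```

Run on the sample it reports three comments (lines 2, 3 and 4) and ignores the string literal on line 5. Pointing it at a real tree (for example by reading each `.c` file into `flag_risky_comments`) gives a reviewer a ranked starting list rather than a raw grep for FIXME, because the continuation prefixes are stripped and multi-line comments are reported as one unit.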

So this week a researcher at Qualys spotted a new bug by reading the comments on a code change to OpenSSH:

delay bailout for invalid authenticating user until after the packet containing the request has been fully parsed. Reported by Dariusz Tytko and Michal…
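The commit message describes the whole defect: if the server rejects an unknown user before it has finished parsing the request, a malformed request gets a different answer depending on whether the user exists, and the response becomes an oracle for user names. The following is an added example, not code from the article or from OpenSSH, that reduces the issue to a toy: requests are uint32-length-prefixed strings (a simplification of the SSH wire encoding), one handler bails out early and one parses the complete packet first, and a check function confirms whether the reply to a malformed probe still depends on the user. The user set, the message layout and the handler names are constructed for the example.

```python
import struct

# Constructed user database for the simulation (assumption, not from the page).
KNOWN_USERS = {"alice", "bob"}


class ParseError(Exception):
    """Raised when a length-prefixed field runs past the end of the packet."""


def encode_string(text):
    """uint32 big-endian length followed by the bytes (SSH-style string)."""
    b = text.encode("ascii")
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    """Decode one length-prefixed string at buf[off:]; return (text, new_offset)."""
    if off + 4 > len(buf):
        raise ParseError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ParseError("truncated string body")
    return buf[off:off + n].decode("ascii"), off + n


def build_request(user, method, tail):
    """Constructed request layout: string user, string method, then `tail`
    (normally the encoded password field; a probe may put garbage here)."""
    return encode_string(user) + encode_string(method) + tail


# Claims a 255-byte password but supplies no bytes: a malformed request.
MALFORMED_PASSWORD = struct.pack(">I", 255)


def handle_vulnerable(packet):
    """The pre-fix pattern: decide about the user before parsing the rest."""
    user, off = read_string(packet, 0)
    if user not in KNOWN_USERS:
        return "AUTH_FAILED"          # early bailout: remaining fields never parsed
    try:
        _method, off = read_string(packet, off)
        _password, off = read_string(packet, off)
        if off != len(packet):
            raise ParseError("trailing bytes")
    except ParseError:
        return "DISCONNECT"           # known user + malformed packet -> different reply
    return "AUTH_FAILED"              # toy server: no credentials are ever accepted


def handle_fixed(packet):
    """The fix the commit describes: parse the whole packet, then reject."""
    try:
        user, off = read_string(packet, 0)
        _method, off = read_string(packet, off)
        _password, off = read_string(packet, off)
        if off != len(packet):
            raise ParseError("trailing bytes")
    except ParseError:
        return "DISCONNECT"           # same reply whether or not the user exists
    if user not in KNOWN_USERS:
        return "AUTH_FAILED"
    return "AUTH_FAILED"              # toy server: no credentials are ever accepted


def leaks_user_existence(handler, tail):
    """Regression check: does the reply to this request tail differ between a
    known and an unknown user? True means the handler is an oracle."""
    known = handler(build_request("alice", "password", tail))
    unknown = handler(build_request("nobody", "password", tail))
    return known != unknown


if __name__ == "__main__":
    for name, h in (("vulnerable", handle_vulnerable), ("fixed", handle_fixed)):
        print(name, "leaks:", leaks_user_existence(h, MALFORMED_PASSWORD))
```

The check is the part worth keeping: a test that sends the same malformed input under a known and an unknown account and asserts identical replies catches this whole class of early-return bugs, not just the one instance. The same idea applies to timing, where the assertion would be on elapsed time rather than on the reply string.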

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice