February 24, 2014
filed in the late afternoon by dr_who in: from the grid,hacking
average time to read 0:50 minutes

On Friday Apple released an iOS bug fix for an issue with their SSL implementation. Adam Langley analyzed the patch and found out that the same problem is also present in the Mac OSX implementation. For so far unknown reasons (though the rumors range from merge error to NSA induced bug) a goto fail; line got duplicated (highlighted below):

(code excerpt taken from Apple’s open-sourced code)

The effect is that the sslRawVerify code never gets called — allowing an easy MITM attack on iPhone, iPads, Macs. Unfortunately, Apple did something rather stupid and only released the iOS patch and not concurrently the Mac OSX patch. As a consequence all Maverick Macs are currently potential victims…

Anyhow, had Apple enforced cautious coding guidelines and mandated that if-then-else blocks always have to use squiggly braces, the code in question would not have been an issue:

By encapsulating the then-block, the second goto fail would have been dead code and nothing would have happened (the compiler might even have flagged this).

So: always use squiggly braces for your if-then-else statements!

m4s0n501
all content posted on these pages is an expression of my own mind. my employer is welcome to share these opinions but then again he might not want to.

2 comments »

  1. “apple’s bad coding guidelines…” somebody is probably feeling stupid. http://t.co/IWZ6E8EBBT

    comment by dirkk — February 25, 2014 @ 06:43

  2. RT @dirkk: “apple’s bad coding guidelines…” somebody is probably feeling stupid. http://t.co/IWZ6E8EBBT

    comment by PhilReinking — February 25, 2014 @ 07:27

RSS feed for comments on this post. TrackBack URI

Leave a comment