Most active commenters
  • corndoge(6)
  • MaulingMonkey(4)

←back to thread

Remotely Compromising Android and iOS via a bug in Broadcom's WI-FI Chipsets

(blog.exodusintel.com)
387 points pedro84 | 24 comments | 26 Jul 17 19:51 UTC | HN request time: 0.88s | source | bottom
Show context
Animats ◴[26 Jul 17 22:28 UTC] No.14860964[source]
C's lack of array size info strikes again:

    memcpy(current_wmm_ie, ie->data, ie->len);
where "ie" points to data obtained from the net.
replies(2): >>14861129 #>>14861284 #
1. corndoge ◴[26 Jul 17 23:23 UTC] No.14861284[source]
Programmer's mistake for not validating data, not the fault of C language mechanics. Yes it would be easier if <hll features>, still gotta be careful. I've made plenty of these mistakes but never blamed the language.
replies(5): >>14861427 #>>14861944 #>>14861961 #>>14866096 #>>14871609 #
2. orf ◴[26 Jul 17 23:48 UTC] No.14861427[source]
If a manufacturer makes and sells a gun that keeps going off in people's holsters and shooting people in the foot, the answer is not to say "it's the user's fault for not using it properly. I've shot myself in the foot hundreds of times and I don't blame the manufacturer".

Or something. That analogy sounded better in my head than written down. The point is that IMO the blame lies squarely with the C language: it's a language that's used in a lot of complex parsing code and provides pretty much nothing to help with this, and if anything actually puts roadblocks in the way.

replies(4): >>14861447 #>>14863535 #>>14864749 #>>14872582 #
3. corndoge ◴[26 Jul 17 23:51 UTC] No.14861447[source]
I shot myself in the foot yet I don't blame the manufacturer for not putting a safety on the gun since I'm the one that bought it with full knowledge of the caveats
replies(4): >>14861489 #>>14861731 #>>14861881 #>>14861917 #
4. teraflop ◴[26 Jul 17 23:58 UTC] No.14861489{3}[source]
If thousands of people were repeatedly making the same mistake, and frequently shooting other innocent bystanders' feet, I would definitely put some blame on the manufacturer.
replies(1): >>14862397 #
5. simonh ◴[27 Jul 17 00:46 UTC] No.14861731{3}[source]
That doesn't mean that gun is well designed or worth buying and using. Criticising the lack of such a valuable or even essential feature and advising people not to use it would be fair comment. Right?
replies(1): >>14862394 #
6. sbierwagen ◴[27 Jul 17 01:16 UTC] No.14861881{3}[source]
You consented to it, sure. This bug affected millions of phones. It's more like a car manufacturer decided to put a particular explode-y gas tank in a car, because it provided greater performance.
replies(1): >>14862378 #
7. MaulingMonkey ◴[27 Jul 17 01:24 UTC] No.14861917{3}[source]
My experience is that most C programmers don't know about many of the caveats about the C programming language.

Are you aware that atoi("a"); is undefined behavior? It can crash, it can launch nethack, it can return 0.

replies(1): >>14862385 #
8. MaulingMonkey ◴[27 Jul 17 01:29 UTC] No.14861944[source]
> Programmer's mistake for not validating data, not the fault of C language mechanics.

If you outfitted a police force with guns without safeties and hair-pull triggers, and you have any sanity, you're not going to be surprised if the rate of accidental discharges goes up. Programmers use their programming languages a lot more frequently and with a lot less care.

So, sure, let's tell the programmers to be more careful. But the most careful of programmers know they'll still make mistakes, and seek out ways to aid themselves in catching those mistakes instead of hoping they can will them away. One such aid can be choosing another programming language that doesn't share C's language mechanics.

Put another way - programmer's mistake for choosing to use C's language mechanics. You could argue that's technically not saying it's the fault of C language mechanics, but I'd say that's splitting hairs at the best.

You could share the blame with a failure to properly fuzz, and insufficient use of static analysis. I'd be okay with that too.

9. justinjlynn ◴[27 Jul 17 01:34 UTC] No.14861961[source]
There's a reason "THIS SIDE TOWARDS ENEMY" is a thing.
replies(1): >>14868615 #
10. corndoge ◴[27 Jul 17 03:04 UTC] No.14862378{4}[source]
and they put a note in the manual that says "if you drive over 70mph on a hot day it will definitely explode so don't do that"

so if you buy that car and you do that, it's your fault regardless of how poor the car design is

replies(1): >>14862571 #
11. corndoge ◴[27 Jul 17 03:06 UTC] No.14862385{4}[source]
yes I'm aware that parsing a letter as an an integer is undefined behavior, it's in the manual
replies(1): >>14862540 #
12. corndoge ◴[27 Jul 17 03:08 UTC] No.14862394{4}[source]
never said C was a great language, merely indicated that it's important to distinguish between a mistake made by a programmer and a failure of the language

pretty sure trusting user provided data without validation is the programmers fault regardless of language

13. corndoge ◴[27 Jul 17 03:09 UTC] No.14862397{4}[source]
the parents analogy is quite bad since C doesn't shoot you in the foot unless you pull the trigger

closer to a gun without a safety, which plenty of manufacturers sell

14. MaulingMonkey ◴[27 Jul 17 03:43 UTC] No.14862540{5}[source]
> yes I'm aware that parsing a letter as an an integer is undefined behavior

Excellent!

> it's in the manual

It's not in MSDN: https://msdn.microsoft.com/en-us/library/yd5xkb5c.aspx

It's not in the manpages: https://linux.die.net/man/3/atoi

Cppreference understates it has having an undefined return value, rather than undefined behavior outright: http://en.cppreference.com/w/cpp/string/byte/atoi

Tutorialspoint defines the behavior as returning 0, and fresh2refresh makes no mention of undefined behavior.

My eighth google hit for atoi finally, finally, gets it right: http://pubs.opengroup.org/onlinepubs/9699919799/functions/at...

If you buy or pirate a copy of e.g. the C89 standard, or refer to one of the free draft versions, it's of course properly documented there too. Neither shows up in the first 50 google results, naturally.

And, of course, by google result 9, we're back to square one - incorrectly defining the behavior as being "returning 0": https://en.wikibooks.org/wiki/C_Programming/stdlib.h/atoi

15. MaulingMonkey ◴[27 Jul 17 03:52 UTC] No.14862571{5}[source]
There's likely to be a government mandated recall if your car "spontaneously" explodes - some designs are so poor they fail to meet entirely reasonably regulatory standards. Burying the lede in the fine print is not a get out of jail free card for obvious reasons.
16. _pmf_ ◴[27 Jul 17 08:24 UTC] No.14863535[source]
> That analogy sounded better in my head than written down.

Probably, because it's really bad.

17. moocowtruck ◴[27 Jul 17 12:48 UTC] No.14864749[source]
Tools exist that find this error in C code, more to blame the company that didn't use those tools and released code this important. Blaming the language solely... not sure it's productive. If the gun went off in my holster WITH the safety on then I'd blame the manufacturer. Same goes with using the right tools with C, if all steps were taken to do the right thing then I can say we should blame C. But there's not any information here on how broadcom developers their code internally.
replies(1): >>14865601 #
18. philipodonnell ◴[27 Jul 17 14:29 UTC] No.14865601{3}[source]
Its really hard to find an objective line in these things. Your 'tools exist to find this so they should buy them' is someone else's 'good developers should know this so hire good developers' or 'customers should know to be careful so its their fault' or 'Other languages are better about array length checking so they should use them'.
19. red75prime ◴[27 Jul 17 15:19 UTC] No.14866096[source]
You prefer to blame something that can't realistically be changed instead of something that could be changed. How is it useful?
20. Animats ◴[27 Jul 17 19:33 UTC] No.14868615[source]
It's actually

       FRONT

    TOWARD ENEMY
[1] https://en.wikipedia.org/wiki/M18_Claymore_mine
replies(1): >>14879304 #
21. loonattic ◴[28 Jul 17 03:02 UTC] No.14871609[source]
It's 2017. It's about time we had a better, well designed language (ie Rust, but I'm not sure if it's well designed enough, depends on what you want it for, too). There have been many advances in language research since the 70's that could be very useful for the kind of work C is used for. Saying we should stick to C because it's well established is like saying we should stick to assembly if it was well established. Except it's not portable, but close enough.
replies(1): >>14877927 #
22. vsl ◴[28 Jul 17 07:23 UTC] No.14872582[source]
> that keeps going off

If the C language (not even a compiler, the language) somehow magically inserted bad code or rewrote your good code to be buggy on its own, you'd have a point.

23. throwaway47861 ◴[28 Jul 17 21:57 UTC] No.14877927[source]
I've noticed that C and C++ have pretty fanatical and very narrow-minded fanbase. And I am talking about people of ages 50+ as well -- I was acquainted with several of them (in the real physical world) as well.

So IMO it's absolutely pointless trying to argue with them in the first place. They are set in their ways and while a good chunk of them are pretty strict and excellent in what they do, they are not open to any changes.

I would be the first to agree that Go and Rust aren't ready to start replacing drivers but IMO people should start trying! (Or invest in LLVM some more?)

C/C++'s faults aren't ever going away. They're too convenient in their target area. I am against the overly-used "disruption" term -- I happen to believe the USA tech blogosphere bastardized the term long ago -- but IMO the systems programming area is very, VERY overdue for disruption.

It's time.

24. justinjlynn ◴[29 Jul 17 03:17 UTC] No.14879304{3}[source]
Fair enough. Thanks for the correction and additional information.