[bind10-dev] Robustness in BIND 10, was whether/when to use exceptions
Shane Kerr
shane at isc.org
Fri Oct 16 10:27:17 UTC 2009
Jinmei,
On Thu, 2009-10-15 at 12:19 -0700, JINMEI Tatuya / 神明達哉 wrote:
> My concern is that we'll often not be so sure about the reason and
> seriousness of assumption mismatch in DB::findrdataset(). Even though
> this may seem to be a minor error of missing validation at the caller
> side, this might actually happen because 'type' is taken from a
> collapsed object in memory, which may also indicate that the system is
> fundamentally broken and cannot be recovered from it safely.
>
> Since we cannot be sure, if we want to be safe we'll end up doing:
>
> DB::findrdataset(..., const RRType& type)
> {
>     if (type == RRType::Any) {
>         // oops, perhaps something very bad happened.
>         // throw a fatal exception, which is not
>         // supposed to be caught explicitly, or is supposed to
>         // cause exiting in the process of exception handling.
>         throw (FatalError("assertion check failed"));
>     }
>     ...
> }
>
> Of course, this is just a possibility and we can only be sure by
> actually experimenting with it. But I hope we won't know that by having an
> arbitrary-code-execution bug due to our underestimation of severity
> about an assumption mismatch.
I think we are in agreement about the facts.
I also appreciate you pointing out that we need to be conservative. A
denial-of-service bug is less scary than an arbitrary-code-execution
bug. Fortunately this is something that we can refine over time, I
think.
--
Shane
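An added illustration of the pattern in the quoted sketch (example code, not BIND 10's own): a fatal "assumption mismatch" exception kept separate from recoverable lookup errors, so that the request loop's generic handler cannot silently absorb it. RRType, NotFound, FatalError, DB and serve() are minimal stand-ins assumed for this example.

```cpp
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

enum class RRType { A, ANY };  // stand-in, not the BIND 10 type
// Recoverable: bad caller input. A std::exception, so request-level
// handlers can catch it and keep serving.
struct NotFound : std::runtime_error {
    explicit NotFound(const std::string& m) : std::runtime_error(m) {}
};

// Fatal: deliberately NOT a std::exception, so a generic catch (const
// std::exception&) cannot swallow it; unless named, it reaches std::terminate.
struct FatalError {
    std::string msg;
    explicit FatalError(std::string m) : msg(std::move(m)) {}
};

class DB {  // stand-in for the DB class in the quoted sketch
public:
    // Assumption check: the caller must have expanded ANY already, so
    // seeing it here means internal state is suspect, not the client.
    std::vector<std::string> findrdataset(const std::string& name, RRType type) const {
        if (type == RRType::ANY)
            throw FatalError("assertion check failed: ANY reached findrdataset");
        if (name != "example.com")
            throw NotFound("no such name: " + name);
        return {"192.0.2.1"};  // constructed sample data
    }
};

// Request loop: recoverable errors are counted and service continues;
// a FatalError passes straight through this catch.
int serve(const DB& db, const std::vector<std::pair<std::string, RRType>>& qs) {
    int failed = 0;
    for (const auto& q : qs) {
        try { db.findrdataset(q.first, q.second); }
        catch (const std::exception&) { ++failed; }
    }
    return failed;
}
// True if an ANY query escapes serve() as FatalError instead of being
// absorbed as an ordinary lookup failure.
bool fatalEscapesServe(const DB& db) {
    try { serve(db, {{"example.com", RRType::ANY}}); }
    catch (const FatalError&) { return true; }
    return false;
}
```

The trade-off the thread discusses is visible here: a NotFound costs one failed query, while an ANY reaching findrdataset stops the loop rather than being logged and forgotten.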