Review use of manual slicing operations
Ideally we would avoid, as much as possible, manual slicing operations on any kind of buffers. We should use abstractions which avoid mistaken lengths etc. We're pretty good with this for parsing/writing binary messages, but it mostly goes out of the window when we do cryptography.
This should be improved. The work involves reviewing existing code, designing new abstractions, and deploying them.
16:10 <+Diziet> [much context elided]
https://security-tracker.debian.org/tracker/CVE-2022-2097
16:10 <+Diziet> Nowadays I always read things like this wearing my RESF beanie.
16:10 <+Diziet> And I wondered, could we have a bug like this?
16:11 <+Diziet> And sadly the answer is yes, because our pattern for applying a
stream cipher is to apply it to &mut [u8]
16:12 <+Diziet> And we sometimes slice and dice buffers rather than using
Readers and things.