Functions with char* arguments are dangerous when used with casting
There are various functions in our codebase which receive char* arguments when they actually receive a byte array. That's I guess because of the old C standard when uint8_t didn't really exist, so we had to use char* for everything.
Still, these days we use uint8_t* and this means that we need to cast it to char* when we use those functions. This can cause security issues because this casting is silencing type-safety warnings (as an example see https://github.com/torproject/tor/pull/1843#discussion_r406191281 from legacy/trac#33545 (moved)).
For example, see how fast_mem_is_zero()
is used 75% of the time with casting its first argument. Instead of doing this, we could make a new fast_mem_is_zero_uint8t()
function that takes uint8_t as argument. Or even make a fast_mem_is_zero_char()
function that takes char*.
In other functions, it might be possible to replace the char*
with void*
but in the case of fast_mem_is_zero()
that's not possible because of the implementation of the function.
Other potential problem functions: base64_encode()
hex_str()
crypto_rand()
crypto_digest()
.