[Daniel's week] October 11, 2024

Daniel Stenberg daniel at haxx.se
Fri Oct 11 19:19:40 CEST 2024


Hi,

I learned that the 7-day week is a concept way over 2,000 years old. And now 
yet another work week ends here. I got stuff done this week as well...

## no more strncpy

This week I removed the last few uses of strncpy() from the code in the curl
repository. I also celebrated this moment by making a graph showing its use
over time [1].

strncpy is of course a function that can be used correctly and has its use
cases. However, because it does not null-terminate the destination when the
source does not fit, and because of the odd zero-padding it does when the
source is shorter than the buffer, it has turned out to be a fairly decent
marker for code that needs attention.

In many cases, copying just a piece of the source because the destination is
too small is not a good idea at all. If you want the full thing copied, it is
not a good idea to silently keep only a piece of it. It is then much better to
add a length check and return an error if the target buffer is too small, and
if the target buffer is not too small we can use plain old memcpy or strcpy.
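The two strncpy() behaviours described above, and the check-then-memcpy
alternative, as an added example. This is not curl code and not the project's
helper; copy_str() is a hypothetical function written for this illustration,
and the sample strings are constructed here:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not curl code): copy src into dst in full, or fail.
 * Returns 0 on success, -1 if dst cannot hold src plus its terminator.
 * On failure dst is left as a valid empty string rather than a partial copy. */
int copy_str(char *dst, size_t dstsize, const char *src)
{
  size_t len = strlen(src);
  if(len >= dstsize) {
    if(dstsize)
      dst[0] = '\0';
    return -1;
  }
  memcpy(dst, src, len + 1);  /* the +1 copies the terminating NUL */
  return 0;
}

/* Do the first n bytes of buf contain a NUL terminator? */
bool has_nul(const char *buf, size_t n)
{
  return memchr(buf, '\0', n) != NULL;
}

/* Hazard 1: strncpy into a buffer that is too small leaves no terminator.
 * Returns whether the result is NUL-terminated (it is not). */
bool strncpy_truncated_is_terminated(void)
{
  char dst[8];
  memset(dst, 'X', sizeof(dst));
  strncpy(dst, "https://curl.se/", sizeof(dst)); /* 16 chars into 8 bytes */
  return has_nul(dst, sizeof(dst));
}

/* Hazard 2: strncpy pads with NUL bytes all the way to n even when the
 * source is short. Returns how many bytes of dst strncpy overwrote. */
size_t strncpy_bytes_written(void)
{
  char dst[64];
  memset(dst, 'X', sizeof(dst));
  strncpy(dst, "curl", sizeof(dst));  /* 4 chars, then 60 NUL bytes */
  size_t n = 0;
  while(n < sizeof(dst) && dst[n] != 'X')
    n++;
  return n;
}

int main(void)
{
  char buf[8];
  printf("truncated strncpy result NUL-terminated: %s\n",
         strncpy_truncated_is_terminated() ? "yes" : "no");
  printf("strncpy(\"curl\") into 64 bytes wrote %zu bytes\n",
         strncpy_bytes_written());
  printf("copy_str(\"curl\") -> %d, buf=\"%s\"\n",
         copy_str(buf, sizeof(buf), "curl"), buf);
  printf("copy_str(\"https://curl.se/\") -> %d (rejected, buf left empty)\n",
         copy_str(buf, sizeof(buf), "https://curl.se/"));
  return 0;
}
```

The point of the helper is that the caller gets a yes/no answer up front: either the whole string is in the buffer, terminated, or nothing usable is, and the caller returns an error. Whether the copy then uses memcpy or strcpy is immaterial once the length check has passed.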

With the removal of every strncpy() in curl code, we also make sure that our
code checker tool *checksrc* now warns when it detects it in use. This should
effectively prevent anyone from accidentally reintroducing use of it in future
PRs.

## complexity

This week I decided to run the 'pmccabe' tool on the curl source code. Its man
page describes its purpose to "calculate McCabe cyclomatic complexity or
non-commented line counts for C and C++ programs".

While code complexity is partially a matter of opinion and religion, this tool
at least measures and shows functions that are large and have a lot of
statements in them. I don't think there is any debate over the fact that large
functions are harder to read and follow than small functions.

I decided to try to improve the current situation somewhat and had a go at
simplifying some of the top contender functions the tool identified. I spent
several hours with an approach I believed in to clean up the huge switch in
setopt.c (>2000 lines big), but it turned out to grow the source code
significantly, and even the resulting object code was so much bigger after that
attempt that I had to ditch that take. I need to rethink. While reducing
complexity is good, the code also needs to be efficient and not become
unnecessarily large.

I did however greatly simplify the main cookie parser function by splitting it
up into several sub functions and by changing some of it to use generic helper
functions where we have such. Then I did something similar to the huge
state machine function we have for SSH transfers using the libssh2 library.

## CVE

While working on a blog post with curl bug-bounty stats [2] this week, we
received a new report over at HackerOne that we after some deliberating are
treating as a security vulnerability with severity low. It is now queued up to
be published in association with the pending curl 8.11.0 release in early
November.

## Pie chart

When working on the blog post mentioned above, I wanted to check how the CVE
severity distribution has been for curl so far and to my horror I realized
that out of all the graphs I have already created, this data was not already
covered. So I fixed that. I googled around, did some copying and pasting from
examples and voilà, now there is a pie chart [6] on the dashboard showing this
distribution. Maybe I can think of some other data to display in additional
pies going forward.

## TLS early data

Today, just the day before we will close the curl feature window for this
cycle, we merged TLS 1.3 early data support [3] (written by Stefan Eissing).
This is initially only supported with the GnuTLS backend, but we expect the
support to be brought to more TLS libraries soon. Hopefully getting it done
for this single backend first can serve as a feedback vehicle that we can
learn from and use that knowledge when widening the support going forward.

## MVP

I received my Microsoft MVP glass trophy. It is quite nice and I added a photo
of it to the blog post of mine from last week [4].

## cURL closet

My favorite image of the week was posted by Jef Spaleta and I reposted it [5]
on Mastodon.

It is a sign on a closet door, allegedly found in the San Francisco bay area
curling club, that says "cURL closet". With that casing.

I'm not aware of anything else in the world other than the curl project that
ever used that way to write curl. It certainly makes me curious how on earth
this happened.

## Coming up

- the curl feature window closes tomorrow
- snaxx-44 on Monday [7]

## Links

[1] = https://curl.se/dashboard1.html#strncpy
[2] = https://daniel.haxx.se/blog/2024/10/09/curl-bug-bounty-stats/
[3] = https://github.com/curl/curl/pull/15211
[4] = https://daniel.haxx.se/blog/2024/10/02/im-a-professional/
[5] = https://mastodon.social/@bagder/113274010343214368
[6] = https://curl.se/dashboard1.html#cve-pie
[7] = https://snaxx.se/44/

-- 

  / daniel.haxx.se
