Joshua Rogers sent us a *massive* list of potential issues in #curl that he found using his set of AI assisted tools. Code analyzer style nits all over. Mostly smaller bugs, but still bugs and there could be one or two actual security flaws in there. Actually truly awesome findings.
I have already landed 22(!) bugfixes thanks to this, and I have over twice that amount of issues left to go through. Wade through perhaps.
Credited "Reported in Joshua's sarif data" if you want to look for yourself
Here's a simple example where it reports that we considered a nread == 0 as reading a byte, when we shouldn't.
@bagder so this is what an AI can do when wielded by a competent human?
@wolf480pl yes! and this after three competent code analyzers already say "no issues found" ...
@bagder Is Joshua Rogers a regular or a new contributor to cURL? Are these findings landing a lot of money in his pocket?
@bagder I wonder how many issues the AI tooling will find *after* those bugfixes are applied. Hopefully fewer!
@bagder Your run-in with AI + curl reports was on the YouTube channel Low Level, did you see it? https://youtu.be/-uxF4KNdTjQ
Sorry you have to deal with all that, that has to be frustrating... glad you're encountering good use of AI too
@bagder This is what I was hoping for when the ML stuff started taking off before the LLM apocalypse. Like, a model that can rummage through a given limited dataset like library source code or a car part shop's entire catalogue, and then be able to make inferences that are too laborious for a human. "Find me the cv joint boot that has these dimensions but isn't officially compatible."
But then what we got was this bullshit and it'll just make up a compatible part or function.
@bagder Nice, what tools was he using?
@MrMagne this is his (long) blog post on his work: https://joshua.hu/llm-engineer-review-sast-security-ai-tools-pentesters
@bagder This is kind of happening in a lot of industries and should be expected, competent people will always be able to make the most of the tools they have available, but people who aren't will try to cut corners with new tools
@BrodieOnLinux indeed. In this case I'm almost blown away by the quality of some of this...
@BrodieOnLinux @bagder reminds me of my Calculus class. We were first taught how to solve the problems the hard way then taught the shortcuts to solving problems. I see a big push to use LLMs as not learning the hard part first.
@bagder Am I reading this right, this looks like it describes an sread function call, then displays a code snippet of the exact line and there's no sread call.
@chris the code snippet is off, but the description is 100% accurate
@bagder Oh, wow. Then I guess I misjudged this. So glad someone managed to make an LLM pay off and provide good code analysis.
@chris look at this one, where the tool "knows" lots of details of the protocol neg details and can report this masterpiece on the curl telnet code:
@bagder Yikes! What a find.
@bagder well, if the socket read returns ok and 0 length, we received the first reply from the server, eg that it closed the connection on its end.
That is what the semantics of "first_byte" is supposed to track. The var would have been better named "first_reply".
tldr
The code was correct, the naming was wrong.
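The distinction the thread turns on (a 0-length socket read means the peer closed its side, which is a reply but not a received byte) as an added C example; this is not curl's code, and the fake_conn in-memory stream and the read_state flags are constructed here for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Stand-in for a socket: a constructed in-memory stream. A read at the end
 * returns 0, exactly as recv() does once the peer has closed its side. */
struct fake_conn { const unsigned char *data; size_t len; size_t pos; };

static ssize_t fake_read(struct fake_conn *c, unsigned char *buf, size_t n)
{
    size_t left = c->len - c->pos;
    if(left == 0)
        return 0;            /* orderly close: a reply, but not a byte */
    if(n > left)
        n = left;
    memcpy(buf, c->data + c->pos, n);
    c->pos += n;
    return (ssize_t)n;
}

/* The two facts the thread says were conflated under one name. */
struct read_state {
    bool first_reply;   /* the peer has answered at all: data or a close */
    bool first_byte;    /* at least one payload byte has arrived */
    size_t total;       /* payload bytes received so far */
};

/* Account for one read result: nread < 0 is an error and changes nothing,
 * nread == 0 is the peer closing, and only nread > 0 counts as bytes. */
static void account_read(struct read_state *s, ssize_t nread)
{
    if(nread < 0)
        return;
    s->first_reply = true;
    if(nread > 0) {
        s->first_byte = true;
        s->total += (size_t)nread;
    }
}

/* Read until the peer closes; returns how many read calls were made. */
static int drain(struct fake_conn *c, struct read_state *s)
{
    unsigned char buf[4];
    int calls = 0;
    ssize_t n;
    do {
        n = fake_read(c, buf, sizeof buf);
        account_read(s, n);
        calls++;
    } while(n > 0);
    return calls;
}
```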
@bagder in the alt text the nread equals copyright
@ondrejkolin yeah sorry, I did not proofread the alt text properly
@bagder a great example where tools can help humans, but it doesn't help when the humans are tools