[ccan] [PATCH 4/7] crypto/hmac_sha256: Remove undefined memset()
Timothy B. Terriberry
tterribe at xiph.org
Tue Apr 18 14:22:08 AEST 2017
Rusty Russell wrote:
>> Well.. more precisely, my understanding is that memset(p, x, 0) can't
>> be counted on not to dereference p.
>
> That seems nonsensical, though.
It is nonsensical, but welcome to standards.
C99 Section 7.21.1 "String function conventions" (which includes memset,
as it is in string.h):
"Where an argument declared as size_t n specifies the length of the
array for a function, n can have the value zero on a call to that
function. Unless explicitly stated otherwise in the description of a
particular function in this subclause, pointer arguments on such a call
shall still have valid values, as described in 7.1.4"
C99 Section 7.1.4 "Use of library functions":
"If an argument to a function has an invalid value (such as a value
outside the domain of the function, or a pointer outside the address
space of the program, or a null pointer, or a pointer to non-modifiable
storage when the corresponding parameter is not const-qualified) or a
type (after promotion) not expected by a function with variable number
of arguments, the behavior is undefined."
C99 Section 7.21.6.1 defines memset() as taking an argument size_t n
that specifies the length of the array for that function, but does not
explicitly state that it can be a null pointer, so people have
interpreted this to mean that passing it NULL is undefined behavior.
C89 said the same thing, albeit more briefly:
C89 Section 4.1.6 "Use of library functions":
"Each of the following statements applies unless explicitly stated
otherwise in the detailed descriptions that follow. If an argument to a
function has an invalid value (such as a value outside the domain of the
function, or a pointer outside the address space of the program, or a
null pointer), the behavior is undefined."
The detailed description of memcpy() in Section 4.11.2.1 does not
explicitly state otherwise.
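The rule quoted above matters in practice because compilers take it at its word: glibc declares memset()'s pointer parameter with `__attribute__((nonnull))`, so under optimization a null check placed after a `memset(p, 0, n)` call may be folded away on the assumption that p was already non-null. The following is an added example, not code from this message or from ccan's hmac_sha256, of the defensive pattern for the HMAC key-padding case: wrappers (hypothetical names `zero_len_safe_memset` / `zero_len_safe_memcpy`) that never hand a pointer to the library when n is zero, and a key-block builder that accepts a NULL key only when its length is zero. BLOCK_SIZE is the 64-byte SHA-256 block size.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_SIZE 64  /* SHA-256 block size, as used by HMAC-SHA256 */

/* Added example helpers (not ccan's): skip the library call entirely when
 * n == 0, so a NULL or otherwise "invalid" pointer is never passed to
 * memset()/memcpy(), which C99 7.21.1 + 7.1.4 would make undefined. */
static void *zero_len_safe_memset(void *p, int c, size_t n)
{
    if (n == 0)
        return p;               /* p may legitimately be NULL here */
    return memset(p, c, n);
}

static void *zero_len_safe_memcpy(void *dst, const void *src, size_t n)
{
    if (n == 0)
        return dst;             /* src may legitimately be NULL here */
    return memcpy(dst, src, n);
}

/* Build the HMAC key block: key bytes followed by zero padding.
 * Keys longer than the block must be hashed first by the caller (out of
 * scope here). Returns 0 on success, -1 on a rejected argument. */
int hmac_key_block(const void *key, size_t keylen, uint8_t block[BLOCK_SIZE])
{
    if (keylen > BLOCK_SIZE)
        return -1;
    if (key == NULL && keylen != 0)
        return -1;              /* NULL is only acceptable with a zero length */
    zero_len_safe_memcpy(block, key, keylen);
    /* block + keylen is at most one-past-the-end, a valid pointer value;
     * the wrapper still avoids calling memset() when the pad length is 0. */
    zero_len_safe_memset(block + keylen, 0, BLOCK_SIZE - keylen);
    return 0;
}

/* Test helper: 1 if every byte of block from offset `from` onward is zero. */
int block_is_zero_from(const uint8_t *block, size_t from)
{
    for (size_t i = from; i < BLOCK_SIZE; i++)
        if (block[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    uint8_t block[BLOCK_SIZE];
    /* Constructed inputs: an empty key passed as (NULL, 0), and a 3-byte key. */
    const uint8_t key[3] = { 0x01, 0x02, 0x03 };

    printf("NULL/0 key -> %d (zero block: %d)\n",
           hmac_key_block(NULL, 0, block), block_is_zero_from(block, 0));
    printf("3-byte key -> %d (padded: %d)\n",
           hmac_key_block(key, sizeof(key), block), block_is_zero_from(block, 3));
    printf("NULL/1 key -> %d (rejected)\n", hmac_key_block(NULL, 1, block));
    return 0;
}
```

Build with `-O2 -Wall` to see that no `-Wnonnull` warning is emitted for the wrapped calls; the point of the wrappers is that the zero-length case never reaches the library function, so the compiler has nothing to assume about the pointer.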