멍멍
http://www.hackerschool.org
WIKI is down again, so I'm posting Part 7 here

http://www.hackerschool.org/HS_Boards/zboard.php?id=HS_Translate&no=57

Does that help?

Any other questions before we move forward?

ok, cool.

So, how do you review code?

Ah.. the next part I'll talk about will be very interactive

I would like as much info from you guys as possible

We have already talked about the major portions.

And talked about threat analysis

ok, the second step everyone should read code.

everyone should read code since they need to understand all the global variables and local variables.

It should be documented and they should understand

always always do 2 person reviews.

Not only the main person who is managing the code review project to lead it, everyone should *** give a ** review of the code

break the code into major chunks if you have done the same thing with the DFD or broken the application into an application architecture or your own method

you want to break it down there because even individuals can't review major chunks of the code

because you want all the application code review by one person or one team ?***cal

that communication constantly should not be at all

person access reviewing part of the documented code and person reviewing there's no real communication which happens all the time.

maintain code notes with the reviewer's name simply because of questions

that happens so many times that uh.. somebody has gone through a function

he's not written notes definitely his name when talk to him about it ** entire file

why do ***** it helps reduce among the effort

detailed code analysis.

before we go into detailed code analysis,

we will talk about one of the different techniques of doing a detailed code analysis.

I recommend always always come up with a major list of issues that you should review so that everyone game on the same page ok?

So reviewing code I'm gonna talk about just three major issues, termination issues, validation issues, and calculation issues.

termination issues are again divided into major categories.

null termination and strlen, null termination and strncpy, conditional termination, and premature termination

so, that's where I need your input.

I'm gonna put the point out there hopefully you guys will be a little more interactive

and tell me what the possible problems will be in this piece of code.

Yes sir

Integer overflow

Integer overflow? why?

*************************
[answer]

perfect

so, you said it's integer overflow and the reason is simply because strlen

what does strlen do?

it does not count for the NULL

and you need to ban and have one more place or there ****** integer overflow

Any questions on that?

*************************
[question]

right right. that would be. another technical

ok uh.. the next one is null termination and strncpy.

This should be pretty similar to what you just said

Yes sir.

*************************
[answer]

absolutely correct

So this is something slightly unique and a lot of developers forget about this.

As MSDN actually exquisitely states this

that if this strncpy copy function copies that initial count by count that means the size of what you are putting over there.

the characters of the string source to string dest

right?

the count is if less than or equal to the length of the source a null character is not appended



  Hit : 1695     Date : 2011/06/02 05:57



    