[tptacek]

Am I allowed to be concerned that this is C code that opens up random files to be decrypted, slurps a 32 bit integer directly out of the file, passes that value to malloc, and then just a few lines later loops memcpy'ing into that buffer?

https://github.com/TLINDEN/pcp/blob/master/libpcp/crypto.c#L...

That's, like, 5 minutes worth of looking, most of it spent working out how to get from main() to the part of the code that actually starts taking attacker-controlled inputs; we're about 10 lines into the code that handles those inputs. Is that a real vulnerability? Hell if I know, but I'm scared of this code.

Which is not to say I don't like it. There's a small utility function in there I'm stealing! The author is clearly smart and I hope this was an interesting project for them. But I don't recommend using this for real --- and I think neither does the author.

[sigcode]

You are allowed to be concerned. I probably read too much into your comment. But I think you all understand my point. I was concerned that some mortals might be scared off from experimenting with NaCl. "Experts only."

Some years ago, there was another fellow who wrote a set of NaCl utilities that were very simple, UNIX filters. While I was "scared of the code" because he's not a renown cryptographer (does he need to be?), I was thankful for a simple, working example. There really weren't any publicly available at the time.

I really appreciate when people share these self-learning projects.

[screw-loose]

Good find, I'll take a look into that.

And yes I do not recommend using this for serious purposes (that is, I am the author).