"goto fail"

Inspired by James Dempsey and the Breakpoints’ latest song, as well as Frozen of course, I present to you another *ahem* cover for NaCreSoMo: goto fail.

If you’re on a slow internet connection, you might want to download the audio instead.

The views expressed in this song do not reflect those of my employer, or really my own views either. Hyperbole employed for artistic and humorous purposes.

The code glows bright on the screen tonight
And next to it is my name
The security flaw of the decade
And it looks like I’m to blame
The press is howling, how could Apple let this ship
Net is insecure, from this one small slip

It’s open source so they all see
The mistake in verifying SSL signing keys
If I had asked what the compiler had known
It would have shown

goto fail
goto fail
The indentation’s wrong
goto fail
goto fail
Should have turned more warnings on
Now we can’t trust what servers say
Let the blogs rage on
The iOS update went out yesterday.

It’s funny how one single line
And two words oh so small
Can affect an entire platform
And no one noticed at all

It’s time to see what we can do
Why wasn’t this caught in code review?
We need our tools to help us out
About

goto fail
goto fail
One innocent doubled line
goto fail
goto fail
Braces would have worked just fine
I hear we topped Hacker News today
Let the blogs rage on

The function checks secure connections several ways
It runs through several tests and if they all pass it’s okay
But “goto fail” and we skip right over the rest
It never checks for error…it just returns success!

goto fail
goto fail
With optimizations on
goto fail
goto fail
The rest of the code is gone
Tell your friends to update today.
Let the blogs rage on
GNU had the same problem anyway.

You can read more about Apple’s goto fail bug as well as the superficially similar bug in GnuTLS. And please please keep your software up-to-date!
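As an added illustration (not code from this post, and not Apple's actual SecureTransport source), here is a constructed C sketch of the control-flow shape the last verse describes: the duplicated, indented but brace-less `goto fail;` is always taken, the final check becomes unreachable, and `err` is still 0 (success) when control reaches the label. The step functions are hypothetical stand-ins; the fixed version only adds braces.

```c
#include <stdio.h>

/* Constructed stand-ins for the signature-verification steps (hypothetical,
 * not the real SecureTransport API): each returns 0 on success, nonzero on
 * failure. Only the final step actually detects a bad signature. */
static int step_update(void) { return 0; }
static int step_final(int signature_ok) { return signature_ok ? 0 : -1; }

/* Vulnerable shape: one "goto fail;" is duplicated. The indentation suggests
 * it belongs to the if, but without braces the second copy is unconditional,
 * so the final check is dead code and err is still 0 at fail:.
 * clang -Wunreachable-code or -Wmisleading-indentation (gcc/clang) flags it. */
int verify_vulnerable(int signature_ok)
{
    int err = 0;

    if ((err = step_update()) != 0)
        goto fail;
        goto fail;                  /* always taken: skips the check below */
    if ((err = step_final(signature_ok)) != 0)
        goto fail;

fail:
    return err;                     /* 0 == success, even for a bad signature */
}

/* Fixed shape: braces make control flow match the indentation, so the
 * final check is reached again and a bad signature produces an error. */
int verify_fixed(int signature_ok)
{
    int err = 0;

    if ((err = step_update()) != 0) {
        goto fail;
    }
    if ((err = step_final(signature_ok)) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    printf("vulnerable, bad signature: err=%d\n", verify_vulnerable(0));
    printf("fixed,      bad signature: err=%d\n", verify_fixed(0));
    return 0;
}
```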
