[omniORB] Short identifier for objects?

Luke Deller ldeller@xplantechnology.com
Mon, 08 Oct 2001 16:12:54 +1000


Hi Duncan,
just a minor query about something you wrote..

Duncan Grisby wrote:

>On Thursday 4 October, "Keeley, Michael" wrote:
>
>>I know that you are not *supposed* to compare IOR strings directly. However,
>>as they are both output from the same instance of a process, they will be
>>the same, right?
>>
>
>Wrong, I'm afraid. IORs contain some padding bytes that are not
>initialised by the ORB, so two IOR strings for the same object,
>created one after the other, may differ.
>
Shouldn't the ORB initialise *all* bytes which are sent across the 
network?  Otherwise secret information from deallocated areas of the 
heap or stack could be unwittingly leaked through the uninitialised 
padding bytes.

I guess that IIOP peers have to be trusted to some extent, but this 
sounds like an unnecessary security weakness.  Why not just zero out all 
those padding bytes?

Regards,
Luke.
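
The padding issue discussed in this message, as an added example that is not part of the original post and is not omniORB's code: a minimal CDR-style writer that aligns 4-byte values, with and without zeroing the alignment gap. The names (cdr_out, marshal, leaked_bytes, encodings_equal), the record layout and the 0xAA/0x55 fill bytes standing in for stale heap contents are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 32

/* Hypothetical output buffer; zero_pad selects the hardened behaviour. */
typedef struct { uint8_t *buf; size_t len; int zero_pad; } cdr_out;

/* Skip to the next `align` boundary. Without zero_pad the skipped bytes
 * keep whatever the buffer held before, which is the weakness described. */
static void cdr_align(cdr_out *o, size_t align) {
    size_t pad = (align - o->len % align) % align;
    if (o->zero_pad) memset(o->buf + o->len, 0, pad);
    o->len += pad;
}

static void put_octet(cdr_out *o, uint8_t v) { o->buf[o->len++] = v; }

static void put_ulong(cdr_out *o, uint32_t v) {
    cdr_align(o, 4);
    memcpy(o->buf + o->len, &v, sizeof v);
    o->len += sizeof v;
}

/* Encode a constructed record (octet, ulong, octet, ulong). The buffer is
 * first filled with `stale` to stand in for previous heap contents. */
size_t marshal(uint8_t *buf, uint8_t stale, int zero_pad) {
    cdr_out o = { buf, 0, zero_pad };
    memset(buf, stale, MSG_MAX);
    put_octet(&o, 1); put_ulong(&o, 0x01020304u);
    put_octet(&o, 2); put_ulong(&o, 0x05060708u);
    return o.len;
}

/* Count stale bytes that would go out on the wire. */
size_t leaked_bytes(int zero_pad) {
    uint8_t buf[MSG_MAX];
    size_t n = marshal(buf, 0xAA, zero_pad), leaked = 0;
    for (size_t i = 0; i < n; i++) leaked += (buf[i] == 0xAA);
    return leaked;
}

/* Do two encodings of the same record match byte for byte? */
int encodings_equal(int zero_pad) {
    uint8_t a[MSG_MAX], b[MSG_MAX];
    size_t na = marshal(a, 0xAA, zero_pad), nb = marshal(b, 0x55, zero_pad);
    return na == nb && memcmp(a, b, na) == 0;
}
```

With zero_pad set, the six padding bytes carry no stale data and repeated encodings of the same record are byte-identical.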