[omniORB] Short identifier for objects?
Luke Deller
ldeller@xplantechnology.com
Mon, 08 Oct 2001 16:12:54 +1000
Hi Duncan,
just a minor query about something you wrote..
Duncan Grisby wrote:
>On Thursday 4 October, "Keeley, Michael" wrote:
>
>>I know that you are not *supposed* to compare IOR strings directly. However,
>>as they are both output from the same instance of a process, they will be
>>the same, right?
>>
>
>Wrong, I'm afraid. IORs contain some padding bytes that are not
>initialised by the ORB, so two IOR strings for the same object,
>created one after the other, may differ.
>
Shouldn't the ORB initialise *all* bytes which are sent across the
network? Otherwise secret information from deallocated areas of the
heap or stack could be unwittingly leaked through the uninitialised
padding bytes.

I guess that IIOP peers have to be trusted to some extent, but this
sounds like an unnecessary security weakness. Why not just zero out all
those padding bytes?

Regards,
Luke.
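
The concern raised in this message, as an added example that is not part of the original post and is not omniORB code: a hypothetical CDR-style writer showing how unzeroed alignment padding carries old buffer contents into the encoded bytes and makes two encodings of the same value differ, next to the zero-filled variant. The names `cdr_writer`, `cdr_put`, `marshal_sample` and all sample values are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal CDR-style writer (hypothetical, not omniORB code): each value is
   aligned to its own size, which leaves padding gaps in the buffer. */
typedef struct { uint8_t *buf; size_t pos, cap; int zero_pad; } cdr_writer;

static int cdr_put(cdr_writer *w, const void *v, size_t n) {
    size_t pad = (n - w->pos % n) % n;
    if (pad > w->cap - w->pos || n > w->cap - w->pos - pad) return -1;
    if (w->zero_pad) memset(w->buf + w->pos, 0, pad);  /* hardened path */
    w->pos += pad;              /* otherwise the old buffer bytes remain */
    memcpy(w->buf + w->pos, v, n);
    w->pos += n;
    return 0;
}

/* Octet then 4-byte value: 3 padding bytes between. Returns length or 0. */
size_t marshal_sample(uint8_t *buf, size_t cap, int zero_pad) {
    cdr_writer w = { buf, 0, cap, zero_pad };
    uint8_t tag = 1;
    uint32_t port = 2809;       /* constructed sample value */
    if (cdr_put(&w, &tag, 1) || cdr_put(&w, &port, 4)) return 0;
    return w.pos;
}

/* Constructed scenario: buf is pre-filled with `stale`, standing in for a
   reused heap or stack region. Returns how many stale bytes get encoded. */
size_t leaked_bytes(uint8_t stale, int zero_pad) {
    uint8_t buf[8];
    size_t len, i, hits = 0;
    memset(buf, stale, sizeof buf);
    len = marshal_sample(buf, sizeof buf, zero_pad);
    for (i = 1; i < 4 && i < len; i++)   /* offsets 1..3 are the padding */
        if (buf[i] == stale) hits++;
    return hits;
}

/* Returns 1 if two encodings of the same value are byte-identical even
   though the two buffers held different old contents. */
int encodings_match(int zero_pad) {
    uint8_t a[8], b[8];
    memset(a, 0xAA, sizeof a);
    memset(b, 0x55, sizeof b);
    size_t la = marshal_sample(a, sizeof a, zero_pad);
    size_t lb = marshal_sample(b, sizeof b, zero_pad);
    return la == lb && memcmp(a, b, la) == 0;
}
```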