HACKING: New code _MUST_ use a bounded-buffer in handling untrusted data.
* Guidelines: New code must use a bounded-buffer abstraction that provides
at least some level of sanity checks on accesses. Direct pointer
twiddling based on untrustable buffers is not generally acceptable in new
code in Quagga.
Tested-by: NetDEF CI System <cisystem@netdef.org>
diff --git a/HACKING.md b/HACKING.md
index 85ae299..f926ed6 100644
--- a/HACKING.md
+++ b/HACKING.md
@@ -64,6 +64,13 @@
Be particularly careful not to break platforms/protocols that you
cannot test.
+Parsers or packet-writers of data from untrusted parties, particularly
+remote ones, *MUST* use the lib/stream bounded-buffer abstraction, and use
+its checked getters and putters. Twiddling of pointers based on contents of
+untrusted data is _strongly_ discouraged - any such code is not acceptable,
+unless there are very good reasons (e.g. compatibility with external or old
+code that is not easily rewritten).
+
New code should have good comments, which explain why the code is correct.
Changes to existing code should in many cases upgrade the comments when
necessary for a reviewer to conclude that the change has no unintended
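Review bot: The new paragraph says parsers "*MUST* use the lib/stream bounded-buffer abstraction, and use its checked getters and putters" but does not say what the caller is still responsible for; it is worth one sentence stating that the length of each untrusted packet must be validated against the stream's readable size before fields are pulled out, so that "checked getter" is not read as "no further length checks needed", and pointing the reader at the header where the getters and putters live. The exception clause ("unless there are very good reasons (e.g. compatibility with external or old code that is not easily rewritten)") should also require that any such exception be justified in a comment at the site of the raw pointer arithmetic, which ties it to the following paragraph on comments and gives reviewers something concrete to look for. Minor: emphasis is mixed within the same paragraph (`*MUST*` versus `_strongly_`) while the rest of HACKING.md should use one convention, and "discouraged - any such code" uses a bare hyphen as a dash.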