Link. Linux memcmp() design flaw. “One in 256 times *any* password might get you in”. Pull the cord, we’re doing something really wrong.
Conclusions:
1. Never make assumptions when coding. If a function returns an int, accept that any value which fits in an int might be returned, regardless of what the developer, the manual and received wisdom tell you.
2. Patch your MySQL or MariaDB installations if you haven’t already.
3. Don’t expose database servers to external connectivity unless you really mean to. Even inside your corporate network, be very restrictive about who can reach database servers at all, let alone log in to them.
4. Watch out for speed optimisations. Invoke them only if you genuinely need extra speed – they may represent a less-travelled code path and thus expose your users to obscure bugs.
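To make conclusion 1 concrete, here is an added example (not code from the original post or from MySQL/MariaDB) showing the class of defect behind the "one in 256" figure: a comparison result that memcmp() returns as an int is silently narrowed to an 8-bit boolean, so any nonzero result that happens to be a multiple of 256 reads as "equal". The typedef `my_bool`, the `scramble_mismatch_*` functions and the stand-in comparator `cmp_returns_256` are all assumptions constructed for illustration; the fix is simply to normalise the int to 0/1 before the narrowing can happen.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 8-bit boolean in the style of older C code bases (assumed for illustration). */
typedef char my_bool;

typedef int (*cmp_fn)(const void *, const void *, size_t);

/* Flawed pattern: the int from the comparison is returned through a char.
 * On common platforms the conversion keeps only the low 8 bits, so a result
 * such as 256 or -512 becomes 0 and is reported as "no mismatch". */
static my_bool scramble_mismatch_flawed(const unsigned char *a,
                                        const unsigned char *b,
                                        size_t n, cmp_fn cmp)
{
    return cmp(a, b, n);            /* implicit int -> char narrowing */
}

/* Fixed pattern: accept that any int may come back and reduce it to a
 * boolean first, so only a genuine 0 ("equal") survives the narrowing. */
static my_bool scramble_mismatch_fixed(const unsigned char *a,
                                       const unsigned char *b,
                                       size_t n, cmp_fn cmp)
{
    return cmp(a, b, n) != 0;
}

/* Stand-in for an optimised comparator that reports a wide difference.
 * Constructed: always says "different" with the value 256. */
static int cmp_returns_256(const void *a, const void *b, size_t n)
{
    (void)a; (void)b; (void)n;
    return 256;
}

/* Count how many nonzero comparison results in [lo, hi] the flawed
 * narrowing would misreport as "equal". Over a full 16-bit range this is
 * 255 of 65536 values, i.e. the one-in-256 figure quoted above. */
static long count_false_matches(long lo, long hi)
{
    long count = 0;
    for (long v = lo; v <= hi; v++) {
        my_bool narrowed = (my_bool)v;  /* same narrowing as the flawed check */
        if (v != 0 && narrowed == 0)
            count++;
    }
    return count;
}

int main(void)
{
    const unsigned char stored[4]   = {1, 2, 3, 4};  /* constructed sample */
    const unsigned char supplied[4] = {9, 9, 9, 9};  /* constructed sample */

    printf("flawed check, comparator returns 256: mismatch=%d\n",
           scramble_mismatch_flawed(stored, supplied, 4, cmp_returns_256));
    printf("fixed check,  comparator returns 256: mismatch=%d\n",
           scramble_mismatch_fixed(stored, supplied, 4, cmp_returns_256));
    printf("nonzero results misread as equal in [-32768, 32767]: %ld\n",
           count_false_matches(-32768, 32767));
    return 0;
}
```

With the libc memcmp(), which on most platforms returns only -1/0/1 for these inputs, both checks agree; the difference appears only when a comparator that legitimately returns a wider value is plugged in, which is exactly the less-travelled code path conclusion 4 warns about.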