Has anyone looked into adding -D_FORTIFY_SOURCE=3 to some applications that directly interact with data from the Internet, such as t eh , web browser or parts of the Tor implementation?
More info: "GCC's new fortification level: The gains and costs"
https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level
It appears to make buffer overflows much harder to exploit, but the code needs to
not access memory after freeing (good idea anyway) & there's *some* performance impact.
It's unclear how much the performance impact is; probably the only way to know is to try it.
--- David A. Wheeler