[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVS: cvs.openbsd.org: src
- To: source-changes_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org
- Subject: CVS: cvs.openbsd.org: src
- From: Theo de Raadt <deraadt_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org>
- Date: Tue, 12 Apr 2005 21:46:28 -0600 (MDT)
Module name: src
Changes by: deraadt_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org 2005/04/12 21:46:28
usr.sbin/user : user.c
very unlikely overflow. but sticking to the idiom is important: thereby,
example by example, we teach people how to actually use snprintf. because
it is clear (especially judging by code coming from netbsd hint hint perhaps
if i say it like this they will finally learn) that people are not paying
attention, and replacing one security problem with another.
in the early days we replaced buffer the typical ANSI-C standardized function
buffer overflows (by which I mean strcpy, strcat, and sprintf) with
non-overflowing ones -- range checking varients. We knew we were fixing
a major problem. The damn overflows. But we did not have time in all cases
to handle the next problem we were not handling: string truncation. Now we
need to (I hope not slowly) start fixing the string truncations.
Anyone going to help?
Visit your host, monkey.org