This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [open-source] Re: Wish for 2002 ...

On Fri, Jan 11, 2002 at 04:55:51PM -0800, Paul Eggert wrote:
> 		strlcpy(phost, (char *)krb_get_phost(localhost),
> 		    sizeof(phost));
> 
> Now, phost is of size INST_SZ, which is 40 (on OpenBSD 2.9 at least; I
> assume other krb4 implementations are similar).  So, if the Kerberos
> ticket-granting instance name is 40 bytes or longer, this code
> silently misbehaves.

why should it be longer? it's limited to INST_SZ.

even _if_ there is the check for truncation missing,
then this does not make the interface of strncpy/strncat
more consistent, faster or saver to use than strlcpy/strlcat.

> Possibly this misbehavior can lead to a security
> hole, and possibly not; I haven't checked.

how do you spell FUD?
Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]