This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.
Re: [open-source] Re: Wish for 2002 ...
On Fri, Jan 11, 2002 at 04:55:51PM -0800, Paul Eggert wrote:
> strlcpy(phost, (char *)krb_get_phost(localhost), sizeof(phost));
>
> Now, phost is of size INST_SZ, which is 40 (on OpenBSD 2.9 at least; I
> assume other krb4 implementations are similar). So, if the Kerberos
> ticket-granting instance name is 40 bytes or longer, this code
> silently misbehaves.
why should it be longer? it's limited to INST_SZ.
even _if_ there is the check for truncation missing,
then this does not make the interface of strncpy/strncat
more consistent, faster or safer to use than strlcpy/strlcat.
> Possibly this misbehavior can lead to a security
> hole, and possibly not; I haven't checked.
how do you spell FUD?
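The truncation check the reply refers to, as an added C example that is not part of this thread, of glibc, or of any krb4 implementation: a local reimplementation of the BSD strlcpy semantics (named my_strlcpy here, an assumption, so the program also builds where the libc has no strlcpy), a copy into an INST_SZ-sized buffer that reports truncation from the return value, and the contrasting strncpy behaviour, which leaves the buffer without a terminating NUL when the source is INST_SZ bytes or longer. The host names are constructed sample input; INST_SZ is set to 40 as stated in the quoted message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define INST_SZ 40  /* Kerberos instance buffer size quoted in the thread */

/* Local reimplementation of BSD strlcpy semantics (added here; not glibc code).
   Copies at most size-1 bytes, always NUL-terminates when size > 0, and returns
   strlen(src) so the caller can detect truncation by comparing it with size. */
static size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Copy a host name into a fixed-size buffer and report whether it fit.
   Returns 1 on a clean copy, 0 if the source was truncated. */
int copy_phost(char *phost, size_t phost_size, const char *host)
{
    size_t needed = my_strlcpy(phost, host, phost_size);
    return needed < phost_size;   /* the check the thread says is missing */
}

/* Convenience wrapper over an INST_SZ buffer: 1 if host fits, 0 if truncated. */
int fits_in_phost(const char *host)
{
    char phost[INST_SZ];
    return copy_phost(phost, sizeof phost, host);
}

/* Show the strncpy pitfall: with a source of INST_SZ bytes or more, strncpy
   stores no terminating NUL, so the buffer is not a valid C string.
   Returns 1 if a NUL is present within the buffer, 0 otherwise. */
int strncpy_terminated(const char *host)
{
    char buf[INST_SZ];
    memset(buf, 'X', sizeof buf);          /* make a missing NUL observable */
    strncpy(buf, host, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

int main(void)
{
    char phost[INST_SZ];
    /* constructed sample host names: 20 bytes and 53 bytes */
    const char *short_host = "kerberos.example.org";
    const char *long_host  = "a-very-long-ticket-granting-instance-name.example.org";

    printf("short: fits=%d phost=\"%s\"\n",
           copy_phost(phost, sizeof phost, short_host), phost);
    printf("long:  fits=%d phost=\"%s\"\n",
           copy_phost(phost, sizeof phost, long_host), phost);
    printf("strncpy NUL-terminated: short=%d long=%d\n",
           strncpy_terminated(short_host), strncpy_terminated(long_host));
    return 0;
}
```

With strlcpy the long name is cut to 39 bytes plus a NUL and the return value exposes the truncation; with strncpy the same input fills all 40 bytes and any later strlen or printf on the buffer reads past it.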