[Asterisk-Dev] Re: [Asterisk-Users] Asterisk Security vulnerability report

Chris Albertson chrisalbertson90278 at yahoo.com
Wed Sep 10 09:29:20 MST 2003


What I do periodically is a recursive "grep" of all
my source code for "strcat()" and the like.  In EVERY
case, there is NO reason to use strcat() and it should
be replaced with either strlcat() or strncat(); same
for sprintf, strcpy and so on.  The "l" versions
should be preferred over the "n" versions but some
UNIXes lack the "l" kinds so you need to use autoconf
and "ifdef HAVE_STRLCAT".

Every use of the non "l" or "n" functions is a
potential buffer overwrite exploit or a potential
segfault.  Yes you can do an analysis and determine that
no overflow is possible but then 2 years later someone
patches the code.

=====
Chris Albertson
  Home:   310-376-1029  chrisalbertson90278 at yahoo.com
  Cell:   310-990-7550
  Office: 310-336-5189  Christopher.J.Albertson at aero.org
  KG6OMK
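The pattern Chris describes, as an added example (not code from the post or from Asterisk): a portable strlcat wrapper that uses the libc version when autoconf has defined HAVE_STRLCAT and otherwise falls back to a local implementation with OpenBSD semantics, plus the correct bound for strncat, which is the space left in the destination minus one for the NUL rather than the destination size. The function names port_strlcat, build_caller_id and append_bounded, and the sample buffer sizes and strings, are assumptions made for this example. Both helpers report truncation instead of silently dropping data, which is the check a caller has to make once strcat is gone.

```c
#include <stdio.h>
#include <string.h>

/* Portable strlcat.  An autoconf check such as AC_CHECK_FUNCS([strlcat])
 * defines HAVE_STRLCAT on systems that ship it; elsewhere we use a local
 * copy with the same contract: always NUL-terminate when dstsize > 0 and
 * return the length of the string it tried to build, so a return value
 * >= dstsize means the result was truncated.  (Hypothetical name.) */
size_t port_strlcat(char *dst, const char *src, size_t dstsize)
{
#ifdef HAVE_STRLCAT
    return strlcat(dst, src, dstsize);
#else
    size_t dlen = 0;
    /* Bounded scan: never trust dst to be terminated within dstsize. */
    while (dlen < dstsize && dst[dlen] != '\0')
        dlen++;
    size_t slen = strlen(src);
    if (dlen == dstsize)
        return dstsize + slen;      /* no terminator found: write nothing */
    size_t room = dstsize - dlen - 1;   /* keep one byte for the NUL */
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
#endif
}

/* Assemble "name <ext>" into a fixed buffer.  A strcat() version of this
 * would write past 'out' for long inputs; here every step is bounded and
 * truncation is reported.  Returns 1 on success, 0 if the result did not
 * fit (out is still NUL-terminated in that case). */
int build_caller_id(char *out, size_t outsize, const char *name, const char *ext)
{
    if (outsize == 0)
        return 0;
    out[0] = '\0';
    if (port_strlcat(out, name, outsize) >= outsize) return 0;
    if (port_strlcat(out, " <",  outsize) >= outsize) return 0;
    if (port_strlcat(out, ext,  outsize) >= outsize) return 0;
    if (port_strlcat(out, ">",   outsize) >= outsize) return 0;
    return 1;
}

/* The "n" alternative.  strncat's third argument is how many bytes of src
 * may be appended, NOT the size of dst, and it always writes a NUL after
 * them, so the bound must be dstsize - strlen(dst) - 1.  Returns 1 if all
 * of src fit, 0 if it was truncated. */
int append_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t dlen = strlen(dst);
    if (dlen >= dstsize)
        return 0;
    size_t room = dstsize - dlen - 1;
    strncat(dst, src, room);
    return strlen(src) <= room;
}

int main(void)
{
    char id[16];                    /* constructed sample buffer */
    int ok = build_caller_id(id, sizeof id, "Alice", "101");
    printf("%d \"%s\"\n", ok, id);  /* 1 "Alice <101>" */
    ok = build_caller_id(id, sizeof id, "Christopher", "1234");
    printf("%d \"%s\"\n", ok, id);  /* 0 "Christopher <12" (truncated, terminated) */

    char line[8] = "abc";
    ok = append_bounded(line, sizeof line, "defghij");
    printf("%d \"%s\"\n", ok, line); /* 0 "abcdefg" */
    return 0;
}
```

With the grep approach from the post, each hit of strcat/strcpy/sprintf becomes a call whose return value has to be checked; compiling with -DHAVE_STRLCAT on a BSD or a recent glibc exercises the libc path, and without it the fallback, so the same source builds on both.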
