[Asterisk-Dev] Is anyone thinking anymore?

Dr. Rich Murphey rich at WhiteOakLabs.com
Sun Jul 25 09:56:15 MST 2004


From a practical standpoint, this also reduces the cost (effort, time, etc.)
for maintaining security audits.

August is a popular month for exploits to be released.  I'm glad we're better
prepared.

Cheers,
Rich


> -----Original Message-----
> From: asterisk-dev-admin at lists.digium.com 
> [mailto:asterisk-dev-admin at lists.digium.com] On Behalf Of 
> Peter Svensson
> Sent: Sunday, July 25, 2004 4:42 AM
> To: asterisk-dev at lists.digium.com
> Subject: Re: [Asterisk-Dev] Is anyone thinking anymore?
> 
> On Sun, 25 Jul 2004, Karl Brose wrote:
> 
> > In recent CVS updates we can observe code changes (strangely called 
> > "source audits") such as those quoted below.
> > The old code is perfectly legal, stable, safe, technically 
> sound, and 
> > readable.
> 
> Both of the changes below appear to be what one can call 
> defensive programming. Used consistently they reduce the risk 
> of a future change introducing an unintended behaviour such 
> as a buffer overflow. For it to have the best effect the 
> rules the programmers are to follow need to be available. 
> 
> It is a trade-off between execution speed and the future cost 
> of maintenance. In C you as a programmer get somewhat less 
> support for this from the compiler than in some other languages. 
> 
> > -       char ilimits[40];
> > -       char olimits[40];
> > +       char ilimits[40] = "";
> > +       char olimits[40] = "";
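Review bot: the `= ""` initializers are what make the later `strncpy(..., sizeof(x) - 1)` calls safe, because they guarantee that `ilimits[39]` and `olimits[39]` start out as NUL; that coupling is invisible from the declaration alone. Add a comment next to the declarations stating that the last byte must stay NUL, since a future write to that byte or a change to the strncpy length would silently remove the termination guarantee.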
> 
> [snip]
> 
> > -                       strcpy(ilimits, "N/A");
> > +                       strncpy(ilimits, "N/A", 
> sizeof(ilimits) - 1);
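Review bot: `strncpy(ilimits, "N/A", sizeof(ilimits) - 1)` is only guaranteed to leave a terminator because the declaration hunk zero-initializes the array; on its own, strncpy writes no NUL at all when the source is at least n bytes long. Either document that dependency, or use a form that terminates unconditionally, e.g. `snprintf(ilimits, sizeof(ilimits), "N/A");` or follow the copy with `ilimits[sizeof(ilimits) - 1] = '\0';`.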
> [snip]
> > -                       strcpy(olimits, "N/A");
> > +                       strncpy(olimits, "N/A", 
> sizeof(olimits) - 1);
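Review bot: same pattern as the ilimits hunk, with the same hidden reliance on the zero-initialized last byte. strncpy also zero-pads the full `sizeof(olimits) - 1` bytes on every call, harmless for "N/A" but worth knowing if this idiom is copied elsewhere. A single bounded-copy helper (or snprintf) used in both places keeps the two copies from drifting apart when one is later changed.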
> 
> Peter
> --
> Peter Svensson      ! Pgp key available by finger, fingerprint:
> <petersv at psv.nu>    ! 8A E9 20 98 C1 FF 43 E3  07 FD B9 0A 80 72 70 AF
> ------------------------------------------------------------------------
> Remember, Luke, your source will be with you... always...
> 
> 
> 
> 
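The defensive-programming trade-off discussed in the quoted message is easiest to see by running the two idioms side by side. The following C program is an added example, not code from the thread or from Asterisk; the helper names `bounded_copy`, `is_terminated`, `naive_strncpy_terminated`, `patch_idiom_terminated` and `bounded_copy_len` are assumptions chosen for illustration, and the buffer contents are constructed. It shows why a bare `strncpy(dst, src, sizeof dst)` can leave a buffer unterminated, why the patch's pairing of `= ""` with `sizeof(x) - 1` does terminate, and how an explicit terminator removes the dependency between the two hunks.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the patch): copy src into a fixed-size
 * destination and always leave it NUL-terminated, even when src is
 * longer than the destination. Result is truncated to dstsize - 1 bytes. */
static void bounded_copy(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return;
    strncpy(dst, src, dstsize - 1);   /* at most dstsize-1 bytes, zero-padded */
    dst[dstsize - 1] = '\0';          /* terminator independent of initial contents */
}

/* Returns 1 if buf[0..len-1] contains a NUL byte, i.e. is a usable C string. */
int is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* The unsafe variant: strncpy with the full buffer size. When src has at
 * least sizeof buf characters no NUL is written, so any later strlen()
 * or printf("%s") on buf reads past the array. The memset simulates
 * stale stack contents that an uninitialized local would contain. */
int naive_strncpy_terminated(const char *src)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);          /* constructed: no NUL anywhere */
    strncpy(buf, src, sizeof buf);
    return is_terminated(buf, sizeof buf);
}

/* The idiom from the patch: zero-initialized array plus sizeof - 1.
 * Terminated only because buf[7] is never touched by the copy. */
int patch_idiom_terminated(const char *src)
{
    char buf[8] = "";
    strncpy(buf, src, sizeof buf - 1);
    return is_terminated(buf, sizeof buf);
}

/* The explicit-terminator variant: safe regardless of initial contents. */
int bounded_copy_terminated(const char *src)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);          /* constructed: stale contents again */
    bounded_copy(buf, sizeof buf, src);
    return is_terminated(buf, sizeof buf);
}

/* Length actually stored by bounded_copy (shows the truncation limit). */
size_t bounded_copy_len(const char *src)
{
    char buf[8];
    bounded_copy(buf, sizeof buf, src);
    return strlen(buf);
}

int main(void)
{
    const char *inputs[] = { "N/A", "eightchr", "a-much-longer-value" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-20s naive=%d patch=%d bounded=%d stored=%zu\n", inputs[i],
               naive_strncpy_terminated(inputs[i]),
               patch_idiom_terminated(inputs[i]),
               bounded_copy_terminated(inputs[i]),
               bounded_copy_len(inputs[i]));
    }
    return 0;
}
```

The 8-byte buffers are deliberately small so that an ordinary string exercises the truncation path; the 40-byte arrays in the patch behave identically, just with a larger threshold. The check that matters for a reviewer is the `patch=1` column: it stays 1 only as long as the zero-initialization and the `- 1` travel together, which is exactly the coupling a comment at the declaration should record.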
More information about the asterisk-dev mailing list