[asterisk-dev] Re: Security Through Obscurity
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Mon Mar 5 03:31:07 MST 2007
On Mon, Mar 05, 2007 at 10:57:36AM +0100, Hans Petter Selasky wrote:
> On Monday 05 March 2007 06:11, Kevin P. Fleming wrote:
> > Matthew Rubenstein wrote:
> > > This security reality is well known in the programming industry. I'm
> > > disappointed to see Digium acting as if it weren't.
> >
>
> I had a look at the source code of "chan_sip.c", and what we are talking about
> is a NULL pointer exception. It is not going to do much harm from what I can
> see.
That's your conclusion.
>
> By the way, concerning security in "chan_sip.c", I see several "strcpy()"
> function calls. Isn't it time to change these into the BSD
> derived "strlcpy()"?
Could you point to a specific one?
There has already been a discussion regarding strncpy. strlcpy has been
suggested, but the final conclusion was to write ast_copy_string and
use it where appropriate.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir at jabber.org
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
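
The difference between the copy functions named in this thread, as an added example that is not part of the original message and is not Asterisk's code: `strncpy` leaves the destination unterminated when the source is too long, while a bounded copy that always terminates does not. `bounded_copy` and `strncpy_terminates` are hypothetical helpers, and the input string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Asterisk's ast_copy_string): copy at most
 * size-1 bytes and always NUL-terminate. Returns 1 if src was truncated,
 * 0 otherwise. size == 0 writes nothing and reports truncation. */
static int bounded_copy(char *dst, const char *src, size_t size)
{
    size_t i = 0;

    if (size == 0)
        return 1;
    while (i < size - 1 && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return src[i] != '\0';
}

/* strncpy into an 8-byte buffer pre-filled with 'X'.
 * Returns 1 if the buffer ends up NUL-terminated, 0 if it does not. */
static int strncpy_terminates(const char *src)
{
    char buf[8];

    memset(buf, 'X', sizeof(buf));
    strncpy(buf, src, sizeof(buf));
    return memchr(buf, '\0', sizeof(buf)) != NULL;
}

int main(void)
{
    const char *uri = "sip:alice@example.invalid"; /* constructed sample */
    char buf[8];
    int truncated;

    printf("strncpy terminated: %d\n", strncpy_terminates(uri));
    truncated = bounded_copy(buf, uri, sizeof(buf));
    printf("bounded_copy: \"%s\" truncated=%d\n", buf, truncated);
    return 0;
}
```

The return value lets a caller treat truncation as an error rather than silently processing a shortened string.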