[asterisk-dev] Re: Security Through Obscurity

Tzafrir Cohen tzafrir.cohen at xorcom.com
Mon Mar 5 03:31:07 MST 2007

On Mon, Mar 05, 2007 at 10:57:36AM +0100, Hans Petter Selasky wrote:
> On Monday 05 March 2007 06:11, Kevin P. Fleming wrote:
> > Matthew Rubenstein wrote:
> > > 	This security reality is well known in the programming industry. I'm
> > > disappointed to see Digium acting as if it weren't.
> >
> I had a look at the source code of "chan_sip.c", and what we are talking about 
> is a NULL pointer exception. It is not going to do much harm from what I can 
> see.

That's your conclusion.

> By the way, conserning security in "chan_sip.c", I see several "strcpy()" 
> function calls. Isn't it time to change these into the BSD 
> derived "strlcpy()"?

Could you point to a specific one?

There has already been a discussion regarding strncpy . strlcpy has been
suggested, but it the final cunclusion was to write ast_copy_string and
use it where appropriate.

               Tzafrir Cohen       
icq#16849755                    jabber:tzafrir at jabber.org
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com       
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir

More information about the asterisk-dev mailing list