[asterisk-dev] Re: Security Through Obscurity

Hans Petter Selasky hselasky at c2i.net
Mon Mar 5 04:07:48 MST 2007

On Monday 05 March 2007 11:31, Tzafrir Cohen wrote:
> On Mon, Mar 05, 2007 at 10:57:36AM +0100, Hans Petter Selasky wrote:
> > On Monday 05 March 2007 06:11, Kevin P. Fleming wrote:
> > > Matthew Rubenstein wrote:
> > > > 	This security reality is well known in the programming industry. I'm
> > > > disappointed to see Digium acting as if it weren't.
> >
> > I had a look at the source code of "chan_sip.c", and what we are talking
> > about is a NULL pointer exception. It is not going to do much harm from
> > what I can see.
> That's your conclusion.
> > By the way, conserning security in "chan_sip.c", I see several "strcpy()"
> > function calls. Isn't it time to change these into the BSD
> > derived "strlcpy()"?
> Could you point to a specific one?

I don't have a specific one. Just grep for "strcpy" in "chan_sip.c". Probably 
most of the copies are OK, but it is very easy to make working code fail in 
the future, if the length of certain strings are ever changed.

> There has already been a discussion regarding strncpy . strlcpy has been
> suggested, but it the final cunclusion was to write ast_copy_string and
> use it where appropriate.


More information about the asterisk-dev mailing list