[Asterisk-Users] Asterisk Security vulnerability report
Chris Albertson
chrisalbertson90278 at yahoo.com
Wed Sep 10 09:29:20 MST 2003
What I do periodically is a recursive "grep" of all
my source code for "strcat()" and the like. In EVERY
case, there is NO reason to use strcat() and it should
be replaced with either strlcat() or strncat(); the same
goes for sprintf, strcpy and so on. The "l" versions
should be preferred over the "n" versions, but some
UNIXes lack the "l" kinds, so you need to use autoconf
and "ifdef HAVE_STRLCAT".
Every use of the non-"l" or non-"n" functions is a
potential buffer overwrite exploit or a potential
segfault. Yes, you can do an analysis and determine that
no overflow is possible, but then 2 years later someone
patches the code.
=====
Chris Albertson
Home: 310-376-1029 chrisalbertson90278 at yahoo.com
Cell: 310-990-7550
Office: 310-336-5189 Christopher.J.Albertson at aero.org
KG6OMK
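An added example, not code from the post or from Asterisk: a portable strlcat fallback of the kind an autoconf HAVE_STRLCAT check would select, plus a helper showing how the return value reveals truncation and why the "l" form is easier to use correctly than strncat. The names port_strlcat, join_user_host and append_strncat are assumptions made for this example.

```c
/* Added example (not from the original post): a portable strlcat fallback of
 * the kind an autoconf HAVE_STRLCAT check would select. On systems whose libc
 * provides strlcat you would use that one instead; this copy is named
 * port_strlcat to avoid clashing with the libc symbol. */
#include <stddef.h>
#include <string.h>

/* Append src to dst, never writing past dst[size-1], always NUL-terminating
 * (when size > 0). Returns strlen(initial dst) + strlen(src); a result >= size
 * means the output was truncated. Mirrors the BSD strlcat contract. */
size_t port_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0;
    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    size_t slen = strlen(src);
    if (dlen == size)            /* dst not terminated within size: append nothing */
        return size + slen;
    size_t room = size - dlen - 1;
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* Build "<user>@<host>" into a fixed buffer. Returns 1 on success, 0 if the
 * result did not fit, so the caller can reject the input instead of silently
 * using a truncated value. */
int join_user_host(char *out, size_t outsz, const char *user, const char *host)
{
    if (outsz == 0) return 0;
    out[0] = '\0';
    if (port_strlcat(out, user, outsz) >= outsz) return 0;
    if (port_strlcat(out, "@", outsz) >= outsz) return 0;
    if (port_strlcat(out, host, outsz) >= outsz) return 0;
    return 1;
}

/* Why the post prefers the "l" form: strncat's size argument is the number of
 * characters still allowed, not the buffer size, and it does not report
 * truncation. The caller must compute the remaining space itself, as here.
 * Returns 1 if src was appended whole, 0 if it was truncated or no room left. */
int append_strncat(char *dst, size_t dstsz, const char *src)
{
    size_t dlen = strlen(dst);
    if (dlen + 1 >= dstsz) return 0;
    size_t room = dstsz - dlen - 1;        /* leaves space for the NUL */
    strncat(dst, src, room);
    return strlen(src) <= room;
}
```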