[Asterisk-Users] Asterisk Security Audit?
Steven Critchfield
critch at basesys.com
Tue Mar 30 22:03:55 MST 2004
On Tue, 2004-03-30 at 16:53, Jim Rosenberg wrote:
> Has Asterisk ever been audited for common security holes, such as buffer
> overruns?
>
> A quick grep through the source for routines that should never be used,
> like strcpy, strcat, etc., reveals a lot of it. I fear I fear.
These functions aren't as bad as you make out. They are only dangerous
when used with unchecked buffers that were accepted from outside
sources. There are quite a few instances of strcpy and strcat that are
using string constants and therefore are safe.
Don't take that as an argument against checking other possible security
concerns. Just as a reminder that the mere existence of certain
functions doesn't mean it is unsafe.
Also this discussion is probably better dealt with on the -dev list
where the noise level is better suited for the developers you need to
target to actually see this message.
--
Steven Critchfield <critch at basesys.com>
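The distinction Steven draws above (a strcpy of a string constant into a buffer sized for it versus a copy of data that arrived from an outside source) is what a code audit actually has to check for each call site. The following is an added example, not code from the thread or from Asterisk: the buffer size, the function names and the sample inputs are all hypothetical. It shows the benign constant-copy case beside a bounded copy for external data that always NUL-terminates and reports truncation instead of writing past the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size field, as a config or protocol parser might use. */
#define NAME_LEN 16

/* The "safe strcpy" case from the thread: the source is a string constant
 * whose length is known when the code is written, and the destination is
 * documented to hold NAME_LEN bytes, so "anonymous" (9 chars + NUL) fits. */
void set_default_name(char *dst)
{
    strcpy(dst, "anonymous");
}

/* The case an audit must flag if done with plain strcpy: the source came
 * from outside. This bounded copy never writes more than dst_size bytes,
 * always NUL-terminates, and returns 1 if the input had to be truncated
 * (0 if it fit), so the caller can log or reject oversized input. */
int copy_untrusted(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);

    if (dst_size == 0)
        return 1;               /* nothing can be stored; treat as truncated */

    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }

    memcpy(dst, src, n + 1);    /* n + 1 includes the terminating NUL */
    return 0;
}

/* Constructed caller-name field as it might be received on the wire:
 * longer than NAME_LEN - 1, so it exercises the truncation path. */
static const char SAMPLE_REMOTE_NAME[] = "0123456789abcdefXYZ";

int main(void)
{
    char name[NAME_LEN];

    set_default_name(name);
    printf("default  : \"%s\"\n", name);

    if (copy_untrusted(name, sizeof name, SAMPLE_REMOTE_NAME))
        printf("truncated: \"%s\" (remote name exceeded %d bytes)\n",
               name, NAME_LEN - 1);
    else
        printf("accepted : \"%s\"\n", name);

    return 0;
}
```

The point for an audit is that the grep result is only the starting list: each strcpy/strcat hit has to be classified by where its source string comes from, and only the calls fed by external or unchecked data need the bounded form.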