[Asterisk-Users] Asterisk Security Audit?

Steven Critchfield critch at basesys.com
Tue Mar 30 22:03:55 MST 2004

On Tue, 2004-03-30 at 16:53, Jim Rosenberg wrote:
> Has Asterisk ever been audited for common security holes, such as buffer
> overruns?
> A quick grep through the source for routines that should never be used,
> like strcpy, strcat, etc., reveals a lot of it. I fear I fear.

These functions aren't as bad as you make out. They are only dangerous
when used with unchecked buffers that where accepted from outside
sources. There are quite a few instances of strcpy and strcat that are
using string constants and therefore are safe. 

Don't take that as an argument against checking other possible security
concerns. Just as a reminder that the mere existence of certain
functions doesn't mean it is unsafe.

Also this discussion is probably better dealt with on the -dev list
where the noise level is better suited for the developers you need to
target to actually see this message. 
Steven Critchfield  <critch at basesys.com>

More information about the asterisk-users mailing list