apr-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: svn commit: r107007 - /apr/apr/trunk/CHANGES /apr/apr/trunk/include/apr_lib.h /apr/apr/trunk/passwd/apr_getpass.c
Date Wed, 01 Dec 2004 12:04:14 GMT
On Tue, Nov 30, 2004 at 10:11:02AM -0500, Jeff Trawick wrote:
> On 30 Nov 2004 14:41:33 -0000, trawick@apache.org <trawick@apache.org> wrote:
> > apr_password_get(): Fix the check for buffer overflow.
> > --- apr/apr/trunk/include/apr_lib.h     (original)
> > +++ apr/apr/trunk/include/apr_lib.h     Tue Nov 30 06:41:31 2004
> > @@ -168,6 +168,8 @@
> >   * @param prompt The prompt to display
> >   * @param pwbuf Buffer to store the password
> >   * @param bufsize The length of the password buffer.
> > + * @remark If the password entered must be truncated to fit in
> > + * the provided buffer, APR_ENAMETOOLONG will be returned.
> >   */
> >  APR_DECLARE(apr_status_t) apr_password_get(const char *prompt, char *pwbuf,
> >                                             apr_size_t *bufsize);
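
Review bot: the new @remark on apr_password_get says APR_ENAMETOOLONG is returned when the password must be truncated, but it leaves two things unstated: whether pwbuf still holds a NUL-terminated, truncated password in that case, and whether *bufsize is ever written. The size is passed by pointer, yet "@param bufsize" only describes it as "The length of the password buffer." Suggest documenting both, so callers know to discard the buffer on that error and not to read *bufsize for the stored length.
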
> 
> another disturbance: we force caller to go to the trouble to pass by
> address, but we don't update the size on output to indicate either the
> number of bytes stored or the number of bytes needed; shrug or "fix"?

I think "shrug" - any callers might as well call strlen() rather than rely on a
future version of the function which updates *bufsize.  I've updated
the docco to fix that in stone, hope that's OK.

joe
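
An added example, not part of this thread and not APR code: a caller written against the contract discussed above, treating the truncation error as a hard failure and taking the length from strlen() instead of *bufsize. `demo_password_get`, `DEMO_ENAMETOOLONG`, `wipe` and `read_password` are hypothetical names; the stand-in reads from a string instead of the terminal and assumes the truncated text is left in the buffer on error.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_SUCCESS      0
#define DEMO_ENAMETOOLONG 1  /* stands in for APR_ENAMETOOLONG */

/* Hypothetical stand-in for the documented contract: copy `typed` into pwbuf,
 * truncating to fit, report truncation, and never write to *bufsize. */
static int demo_password_get(const char *typed, char *pwbuf, size_t *bufsize)
{
    size_t n = strlen(typed);
    size_t copy;
    if (*bufsize == 0)
        return DEMO_ENAMETOOLONG;
    copy = n < *bufsize ? n : *bufsize - 1;
    memcpy(pwbuf, typed, copy);
    pwbuf[copy] = '\0';
    return n >= *bufsize ? DEMO_ENAMETOOLONG : DEMO_SUCCESS;
}

/* Best-effort wipe; the volatile pointer keeps the stores from being elided. */
static void wipe(char *buf, size_t len)
{
    volatile char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Returns the password length, or -1 if the input did not fit. A truncated
 * password is never handed on: the buffer is wiped before returning -1. */
long read_password(const char *typed, char *pwbuf, size_t bufsize)
{
    size_t sz = bufsize;  /* input only; not consulted after the call */
    if (demo_password_get(typed, pwbuf, &sz) != DEMO_SUCCESS) {
        wipe(pwbuf, bufsize);
        return -1;
    }
    return (long)strlen(pwbuf);  /* length comes from strlen(), not sz */
}

int main(void)
{
    char buf[8];
    /* Constructed sample inputs. */
    printf("%ld\n", read_password("secret", buf, sizeof buf));
    printf("%ld\n", read_password("muchtoolong", buf, sizeof buf));
    return 0;
}
```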
