Randy Terbush liltingly intones:
>
> > Here is a patch for all the buffer overflow and potential buffer overflows
> > in apache that I noticed in my run through the source. First, a few Q&A
> > that I asked myself.
>
> Few of these changes seem to apply to anything but the error code.
>
> Based on that, I don't have a big problem with adding them. A few
> comments though.
>
> * Ben added the vbprintf() code a while back. Seems like a fair chunk
> of that code could be used to supply an snprintf() that could be
> used more effectively to keep these sorts of problems from creeping
> back in.
>
> * IF we decide to include these changes, seems that it would be nice
> to get them in a fair bit _before_ the proposed changes that Ben
> will be making to the API just to make it a bit easier to pin down
> problem causers if there are any.
>
Xinetd also has strx_nprint() and strx_nprintv() functions to do this. I
sent mail to Mark about these, if they'd be of help.
It's a tough job, and I'm glad Mark's doing it.
chuck
Chuck Murcko N2K Inc. Wayne PA chuck@telebase.com
And now, on a lighter note:
This is the LAST time I take travel suggestions from Ray Bradbury!
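The bounded-formatting idea raised in this thread (an snprintf() built from the vbprintf() code, or xinetd's strx_nprint()) as an added C example. This is not code from the Apache source, from xinetd, or from anyone on the thread; the function names bounded_format(), format_error(), overflow_bytes() and self_check(), the 64-byte buffer size and the message format are all constructed for the illustration. It shows the sprintf()-into-fixed-buffer pattern the patch is chasing beside a bounded replacement that always NUL-terminates and tells the caller when output was cut off, and it measures how far the unbounded version would have written past the buffer without actually performing that write.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed: a fixed-size scratch buffer, as error-path code often has. */
#define ERRBUF_SIZE 64

/* The unsafe pattern: sprintf() has no idea how big dst is. A URI longer
 * than the buffer runs straight past its end. Shown for contrast only;
 * self_check() never calls it with input that would overflow. */
void format_error_unsafe(char *dst, const char *uri, const char *reason)
{
    sprintf(dst, "error: cannot serve %s: %s", uri, reason);
}

/* Bounded replacement (hypothetical name, not the Apache API). Writes at
 * most size-1 characters plus a terminating NUL, and returns the length the
 * complete message would have had, so the caller can detect truncation.
 * Returns a negative value only on an encoding error from vsnprintf(). */
int bounded_format(char *dst, size_t size, const char *fmt, ...)
{
    va_list ap;
    int need;

    va_start(ap, fmt);
    need = vsnprintf(dst, size, fmt, ap);
    va_end(ap);

    if (size > 0)
        dst[size - 1] = '\0';   /* belt and braces: guarantee termination */
    return need;
}

/* Returns 1 if the whole message fit in dst, 0 if it was truncated. Either
 * way dst is a valid, NUL-terminated string no longer than size-1. */
int format_error(char *dst, size_t size, const char *uri, const char *reason)
{
    int need = bounded_format(dst, size, "error: cannot serve %s: %s", uri, reason);
    return need >= 0 && (size_t)need < size;
}

/* Bytes the unbounded sprintf() would write beyond a buffer of `size` bytes
 * (counting the NUL), computed with snprintf(NULL, 0, ...) so nothing is
 * actually written. 0 means the message would have fit. */
size_t overflow_bytes(size_t size, const char *uri, const char *reason)
{
    int need = snprintf(NULL, 0, "error: cannot serve %s: %s", uri, reason);
    size_t total;

    if (need < 0)
        return 0;
    total = (size_t)need + 1;
    return total > size ? total - size : 0;
}

/* Self-check on constructed input: a short URI fits, a 199-byte URI is
 * truncated to exactly ERRBUF_SIZE-1 characters and would have overflowed
 * the unbounded version. Returns 1 if every expectation holds. */
int self_check(void)
{
    char buf[ERRBUF_SIZE];
    char longuri[200];

    memset(longuri, 'A', sizeof longuri - 1);
    longuri[sizeof longuri - 1] = '\0';

    if (!format_error(buf, sizeof buf, "/index.html", "not found"))
        return 0;
    if (strcmp(buf, "error: cannot serve /index.html: not found") != 0)
        return 0;
    if (format_error(buf, sizeof buf, longuri, "not found"))
        return 0;                       /* must report truncation */
    if (strlen(buf) != ERRBUF_SIZE - 1)
        return 0;                       /* truncated but still terminated */
    if (overflow_bytes(ERRBUF_SIZE, longuri, "not found") == 0)
        return 0;                       /* sprintf() would have overrun */
    return 1;
}

int main(void)
{
    char longuri[200];

    memset(longuri, 'A', sizeof longuri - 1);
    longuri[sizeof longuri - 1] = '\0';
    printf("self_check: %d\n", self_check());
    printf("sprintf would overrun a %d-byte buffer by %zu bytes\n",
           ERRBUF_SIZE, overflow_bytes(ERRBUF_SIZE, longuri, "not found"));
    return self_check() ? 0 : 1;
}
```

The return value of the bounded routine is the part that keeps the problem from "creeping back in": a caller that ignores a silent truncation is merely producing a shortened error message, whereas a caller of sprintf() that miscounts is corrupting the stack or heap. Callers that care whether the message was cut should check the return against the buffer size, as format_error() does.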