httpd-dev mailing list archives

From Chuck Murcko <>
Subject Re: snprintf()
Date Tue, 07 Jan 1997 03:56:24 GMT
Marc Slemko liltingly intones:
> There is the one Jim suggested from sendmail (I think) and the one Chuck
> suggested from xinetd.  The one from xinetd seems to have more features,
> the one from sendmail would probably be simpler to put in and easier to be
> sure it won't blow up on many platforms.
> I think there is close to 100% agreement to put a snprintf in, but should
> it be before 1.2?  I asked for opinions on that and didn't get too much
> back.

To make the job of cleaning up potential fixed-length buffer problems
easier, I'm +1 for this for 1.2. I won't vote on which snprintf() to use,
since I'm partial, though I will point out there have been fewer CERT alerts
about xinetd than about sendmail. 8^)

> If I get enough feedback saying "do it, should be in 1.2", then I
> will adapt my patch (and fit the snprintf into a form that can go into
> util.c or something) ASAP.  If I get enough feedback saying "perhaps
> we should leave it until after 1.2; too risky for now" then I will
> say ok, go to sleep and put it together more slowly in a couple of
> weeks/months so testing could be started.  

No, do it now. I think we're talking about more than just a couple of months
till next release. This is good stuff, bug fixing before they're reported
or we get a CERT alert ourselves.

> Note that I think any implementation, especially if it is done
> before 1.2, needs to have a quick define that can be easily done
> to make it just a wrapper around sprintf in case the snprintf won't
> compile on a particular platform.

This is a Good Thing.

> If I get no feedback I will do nothing.

Chuck Murcko    N2K Inc.    Wayne PA
And now, on a lighter note:
After living in New York, you trust nobody, but you believe
everything.  Just in case.
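
The bounded formatter with a compile-time fallback to sprintf, as discussed in the message above, could look like the following. This is an added example, not code from the thread or from Apache; the names fmt_bounded, log_request and the NO_SNPRINTF switch are hypothetical, and C99 vsnprintf() behaviour is assumed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* NO_SNPRINTF is a hypothetical switch name (not from the thread). Defining it
 * selects the plain vsprintf() fallback for platforms where the bounded
 * formatter will not build; the size argument is then ignored, so the
 * overflow protection is lost on those builds. */

/* Returns 0 if the output fit, 1 if it was truncated, -1 on error.
 * Assumes C99 vsnprintf() semantics: always NUL-terminates and returns
 * the length the full output would have had. */
int fmt_bounded(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (buf == NULL || size == 0)
        return -1;
    va_start(ap, fmt);
#ifdef NO_SNPRINTF
    n = vsprintf(buf, fmt, ap);        /* fallback: unbounded write */
#else
    n = vsnprintf(buf, size, fmt, ap); /* never writes past buf[size-1] */
#endif
    va_end(ap);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    return (size_t)n >= size ? 1 : 0;
}

/* Constructed sample: a fixed-length buffer and an over-long request URI. */
static char line[32];
static const char LONG_URI[] = "/cgi-bin/search?q=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

int log_request(const char *uri)
{
    return fmt_bounded(line, sizeof line, "GET %s", uri);
}

int main(void)
{
    printf("%d \"%s\"\n", log_request("/index.html"), line);
    printf("%d \"%s\"\n", log_request(LONG_URI), line);
    return 0;
}
```

Callers should treat a return of 1 as an error rather than use the truncated string, since a silently shortened path or header can change meaning.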