Re: timed contains buffer overflows, and more
:Yet another patch...
:
:Alright, I decided to go through the LEGACY functions one-by-one.. ftime()
:isn't found anywhere in the source code, however, cftime() is, of which the
:manual states:
:
: The cftime() and ascftime() functions are made obsolete by strftime(3).
:
: Use of the functions cftime() and ascftime() is strongly deprecated,
: since there is no way to check for a buffer overflow condition. Use
: strftime(3) instead.
:
:some of the files that I came across cftime() in belong to the timed daemon.
:While checking the code I found buffer overflows all over the place, just as
:ambigious (void) casts aswell as #ifdef's that should have been removed
:century's ago. These #ifdef's contained the calls to cftime() which is part
:of some ancient SGI log message generation system. You can find the
:(somewhat huge) patch here:
:
:http://leaf.dragonflybsd.org/~virtus/timed.diff
I'm going through these now but I would like to request that you not
separate declaration/assignment combinations in future multi-change patch
sets.
e.g. don't change 'int x = 4; to 'int x; ..... x = 4;' when its part
of a larger patch set. It takes a long time to verify that those
assignment breakups are correct relative to the short time it takes
to simply check the (void) removals and strcpy->strlcpy changes and
such. And it doesn't add enough value to the patch. There are
millions of declaration/assignments combos in the source tree.
-Matt
討論串 (同標題文章)
完整討論串 (本文為第 2 之 7 篇):