[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: CVS commit: [agc-netpgp-standalone] src/crypto/external/bsd/netpgp/dist/src
On Fri, Oct 26, 2012 at 08:47:39AM +0200, Alistair Crooks wrote:
> > What happens if $HOME is undefined ?
> If $HOME is undefined, then the default public keyring will not be
> found. If the default public keyring is not found, then the
> verification will fail.
I thought the code would probably call
snprintf(buf, sizeof buf, "%s/%s", NULL, "string");
Which is allowed to core dump (and will on Solaris).
> > What happens if $HOME is very long ?
> If $HOME is very long, then the snprintf will truncate the MAXPATHLEN
> buffer further down the call tree. If the buffer is truncated, the
> correct default public keyring will not be found. If the default
> public keyring is not found, the verification will fail.
Silent truncation seems a bad thing to do in security code.
David Laight: david%l8s.co.uk@localhost
Main Index |
Thread Index |