Source-Changes archive


Re: CVS commit: syssrc



I'd also like to point out that the code in question is edge case debug
output code which can be removed as well. The most well-written software
disappears.

On Sun, 5 Dec 1999, Allen Briggs wrote:

> > > Make sure we have a big enough buffer to sprintf into (noticed by
> > > deraadt%openbsd.org@localhost).
> > Why not use snprintf instead?
> 
> In many cases, just substituting snprintf() for sprintf() will fix
> an overflow, but leave the code just as broken (but not exploitably
> so, perhaps).  Of course, I'd rather have the overflows fixed than
> not, but I'd much rather have code that was designed to prevent or
> at least handle the overflows in the first place.
> 
> Well-written software should rarely need snprintf() to protect itself.
> 
> -allen
> 
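An added example (written for this archive page; it is not code from the thread, from the commit being discussed, or from the NetBSD tree) that makes Allen's distinction concrete in C. It formats a device name and a value into a fixed 16-byte debug buffer three ways: measuring how many bytes sprintf() would have written past the end, using snprintf() (no overrun, but the output is silently cut short and the debug message becomes misleading), and sizing the buffer from the data so neither overflow nor truncation can happen. The helper names bytes_sprintf_would_write, format_bounded and format_alloc and the sample device name are this example's own.

```c
/* Added example, not from the thread or the NetBSD tree.  Helper names and
 * the sample input below are constructed for illustration. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* sprintf() writes however many bytes the format produces; if that exceeds
 * the buffer, whatever follows it in memory is overwritten.  This helper
 * reports how many bytes sprintf() WOULD write (including the NUL) without
 * writing anywhere, using the size-0 form of vsnprintf() to measure only.
 * Returns -1 on a formatting error. */
int bytes_sprintf_would_write(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? -1 : n + 1;
}

/* snprintf() never overruns the buffer, but when the output does not fit it
 * silently truncates: the overflow is gone, the logic bug is not.  Returns
 * 0 if the whole string fit, 1 if it was cut short, -1 on error. */
int format_bounded(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    return (size_t)n >= size ? 1 : 0;      /* n excludes the terminating NUL */
}

/* Designing the overflow away: measure first, then allocate exactly what the
 * formatted string needs.  No overflow and no truncation are possible by
 * construction.  Caller frees the result; NULL on failure. */
char *format_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0) {
        va_end(ap2);
        return NULL;
    }
    char *buf = malloc((size_t)n + 1);
    if (buf != NULL)
        vsnprintf(buf, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    return buf;
}

int main(void)
{
    char buf[16];                                  /* fixed debug buffer */
    const char *dev = "a-very-long-device-name";   /* constructed sample */

    printf("sprintf would write %d bytes into a %zu-byte buffer\n",
           bytes_sprintf_would_write("%s=%d", dev, 12345), sizeof buf);

    int rc = format_bounded(buf, sizeof buf, "%s=%d", dev, 12345);
    printf("snprintf: rc=%d buf=\"%s\"\n", rc, buf);   /* rc=1: truncated */

    char *s = format_alloc("%s=%d", dev, 12345);
    if (s != NULL) {
        printf("sized:    \"%s\"\n", s);
        free(s);
    }
    return 0;
}
```

The point of checking format_bounded's return value is that a truncated debug line is still wrong output; the substitution only removed the memory-safety consequence. format_alloc shows the alternative the thread prefers, code whose buffer is derived from the data rather than guessed.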



