[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: strcat()->strncat() safety changes (ITS#518)

> Full_Name: Nalin Dahyabhai
> Version: 1.2.10
> OS: Linux 2.2.14
> URL: http://people.redhat.com/nalin/patches/openldap-1.2.9-strings.patch
> Submission from: (NULL) (
> While fixing a misconfigured set of defaults for a security errata, we took a
> look
> at some of the string-handling code.  A number of locations in the OpenLDAP
> sources
> use strcat() on fixed-size buffers.  We changed the more obvious places where
> this
> was happening to use strncat() instead.  Please feel free to review the changes
> and
> include them in subsequent releases if you find them useful.

I looked at some of this patch file.  It is noteable at the top that
you have a RedHat copyright -- I don't know if it would make it incompatable
for contribution back to the OpenLDAP codebase, but it seems for minor changes
like those that such a copyright is unfounded.

Also, a number of those changes are unnecessary, and just add extra code.
For example, when you start with a 255 char buffer, and you are squeezing
extra spaces out, but definition you are not going to overrun that buffer.