Date:      Mon, 18 Aug 2003 13:19:51 +0200
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        "Chris Knight" <chris@e-easy.com.au>
Cc:        audit@freebsd.org
Subject:   Re: SecFix for databases/firebird, please review
Message-ID:  <20030818131951.5690fa0e.Alexander@Leidinger.net>
In-Reply-To: <03e001c3652c$08a826f0$020aa8c0@aims.private>
References:  <20030817133824.GA71246@madman.celabo.org> <03e001c3652c$08a826f0$020aa8c0@aims.private>

On Mon, 18 Aug 2003 11:57:08 +1000
"Chris Knight" <chris@e-easy.com.au> wrote:

> > This is bogus... this function should be rewritten so that it passes
> > in the size of the `string' argument.  One can't just assume it is
> > MAXPATHLEN.  Also, strlcat would be much nicer and safer here.  If you
> > can't use strlcat, then one must explicitly NUL-terminate the buffer,
> > because strncat may fail to do so.
> > 
> That's what I'm currently in the process of doing - passing in the
> size of the buffer to gds__prefix. It gets called with buffer
> lengths of 64, 100, 128, 256 and 1024.

Ugh... seems I've missed some calls...

> I'm probably going to have to use strncat to keep it a bit more
> portable.

That's the reason why I haven't used strlcat...

> > OK, I only looked at the first two patch files, but it is clear that
> > this should not be committed.  IMHO, I also think this port _should_
> > be removed.  But, if you decide to slog through it once more and
> > correct some of these problems, we'll be here for another look!
> > 
> I don't particularly like it, but I'm inclined to agree with you - the
> port probably should go. I can always maintain the 1.0.x port outside
> of the FreeBSD Ports Tree and make it available on my Website with lots
> of warning labels. I'll get onto the Firebird 1.5 port pronto, which

We can add the warning labels also to the in tree port...

> should end this issue and put me out of my current misery.

And you're sure 1.5 is better in this regard?

Bye,
Alexander.

-- 
            Give a man a fish and you feed him for a day;
     teach him to use the Net and he won't bother you for weeks.

http://www.Leidinger.net                       Alexander @ Leidinger.net
  GPG fingerprint = C518 BC70 E67F 143F BE91  3365 79E2 9C60 B006 3FE7
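The two points raised in the thread, passing the real buffer size into gds__prefix instead of assuming MAXPATHLEN, and explicitly NUL-terminating when strncat is used for portability, as an added example that is not part of this thread and not Firebird's code. prefix_path_strncat() is a hypothetical, simplified stand-in for gds__prefix(); EXAMPLE_PREFIX is a constructed value (Firebird reads the real prefix from its environment), and builds_to() is a self-check helper, not a project API.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example prefix; Firebird derives the real one at runtime. */
#define EXAMPLE_PREFIX "/usr/local/firebird"

/* Hypothetical stand-in for gds__prefix(): the caller passes dest_size,
 * the true size of dest, rather than the function assuming MAXPATHLEN.
 * Uses strncat(3) for portability. strncat bounds the number of characters
 * appended and writes a NUL after them, but it does not protect against an
 * unterminated or already-full destination, so the buffer is put into a
 * known state first, every append is bounded by the space actually left,
 * and the last byte is terminated explicitly.
 * Returns 0 when the full path fits, -1 on bad arguments or truncation. */
int prefix_path_strncat(char *dest, size_t dest_size, const char *suffix)
{
    size_t used;

    if (dest == NULL || dest_size == 0 || suffix == NULL)
        return -1;

    dest[0] = '\0';                                 /* known, terminated state */
    strncat(dest, EXAMPLE_PREFIX, dest_size - 1);   /* leave room for the NUL */
    used = strlen(dest);
    strncat(dest, "/", dest_size - 1 - used);
    used = strlen(dest);
    strncat(dest, suffix, dest_size - 1 - used);
    dest[dest_size - 1] = '\0';                     /* explicit termination */

    /* Report truncation so callers never trust a silently shortened path. */
    if (strlen(dest) < strlen(EXAMPLE_PREFIX) + 1 + strlen(suffix))
        return -1;
    return 0;
}

/* Self-check helper (not a project API): builds the path into a buffer of
 * the given logical size and compares result and return code with what is
 * expected. Returns 1 on match, 0 otherwise. */
int builds_to(size_t dest_size, const char *suffix,
              const char *expected, int expected_rc)
{
    char buf[1024];
    int rc;

    if (dest_size > sizeof buf)
        return 0;
    rc = prefix_path_strncat(buf, dest_size, suffix);
    return rc == expected_rc && strcmp(buf, expected) == 0;
}

int main(void)
{
    char big[64];      /* plenty of room: full path is built */
    char small[16];    /* too small: path is truncated and reported */

    printf("rc=%d path=%s\n", prefix_path_strncat(big, sizeof big, "security.fdb"), big);
    printf("rc=%d path=%s\n", prefix_path_strncat(small, sizeof small, "security.fdb"), small);
    return 0;
}
```

The 16-byte call shows the failure mode the thread is about: with a fixed MAXPATHLEN assumption the same call would write past a 16-, 64- or 100-byte caller buffer, whereas with the size passed in the result is cut at 15 characters, terminated, and flagged by the return code.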