On Tue, 2004-03-30 at 16:53, Jim Rosenberg wrote:
> Has Asterisk ever been audited for common security holes, such as buffer
> overruns?
>
> A quick grep through the source for routines that should never be used,
> like strcpy, strcat, etc., reveals a lot of it. I fear I fear.
These functions aren't as bad as you make out. They are only dangerous when used with unchecked buffers that were accepted from outside sources. There are quite a few instances of strcpy and strcat that are using string constants and therefore are safe. Don't take that as an argument against checking other possible security concerns. Just as a reminder that the mere existence of certain functions doesn't mean it is unsafe.

Also this discussion is probably better dealt with on the -dev list where the noise level is better suited for the developers you need to target to actually see this message.
--
Steven Critchfield <[EMAIL PROTECTED]>
_______________________________________________
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
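To make the distinction in the reply above concrete, here is an added example (editor's illustration, not Asterisk code and not anything from the thread) showing the three cases side by side: strcpy/strcat on string constants whose combined length is known at compile time, the unsafe pattern of strcpy on data of unchecked length from the network, and a bounded replacement that checks the length first and refuses input that does not fit. The buffer size, the "SIP/2.0 200 OK" text and the function names are all assumed for the example; the point is that the danger lies in the unchecked source, not in the function name itself.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Editor's example, not Asterisk code. DEST_SIZE is an arbitrary small
 * buffer size chosen to make the arithmetic easy to follow. */
#define DEST_SIZE 16

/* Case 1: strcpy/strcat with string constants only. The lengths are fixed
 * at compile time: 8 ("SIP/2.0 ") + 6 ("200 OK") + 1 (NUL) = 15 <= 16.
 * Nothing an attacker sends can change that, so this use is safe even
 * though a grep for "strcpy" will flag it. Returns the resulting length. */
size_t fixed_status_line(char dest[DEST_SIZE])
{
    strcpy(dest, "SIP/2.0 ");
    strcat(dest, "200 OK");
    return strlen(dest);
}

/* Case 2: the genuinely dangerous pattern. from_network is attacker
 * controlled and its length is never checked; anything of 16 or more
 * characters writes past the end of dest. Shown for contrast only; the
 * checked version below is what should be called on external data. */
void unsafe_copy(char dest[DEST_SIZE], const char *from_network)
{
    strcpy(dest, from_network);   /* no bound: overflow if strlen >= 16 */
}

/* Case 3: hardened copy. The caller passes the number of bytes actually
 * received, so we never read past the end of the received data looking for
 * a NUL (raw network data need not be terminated), and we refuse anything
 * that would not fit together with the terminator rather than truncating
 * silently. dest is left untouched when the input is rejected. */
bool checked_copy(char dest[DEST_SIZE], const char *data, size_t data_len)
{
    const char *nul = memchr(data, '\0', data_len);   /* stop at an embedded NUL */
    size_t n = nul ? (size_t)(nul - data) : data_len;

    if (n >= DEST_SIZE)          /* need n + 1 bytes, have DEST_SIZE */
        return false;

    memcpy(dest, data, n);
    dest[n] = '\0';
    return true;
}

/* Helper for audits: would strcpy(dest, src) overflow a buffer of
 * dest_size bytes? Only meaningful when src is known to be NUL terminated. */
bool strcpy_would_overflow(size_t dest_size, const char *src)
{
    return strlen(src) + 1 > dest_size;
}

int main(void)
{
    char buf[DEST_SIZE];
    /* Constructed sample input: 32 'A's, far longer than the buffer. */
    const char *attack = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("constant copy: %zu bytes -> \"%s\"\n", fixed_status_line(buf), buf);
    printf("checked_copy(\"INVITE\"): %s\n",
           checked_copy(buf, "INVITE", 6) ? "accepted" : "rejected");
    printf("checked_copy(32 x 'A'): %s\n",
           checked_copy(buf, attack, strlen(attack)) ? "accepted" : "rejected");
    printf("strcpy of the 32-byte input would overflow: %s\n",
           strcpy_would_overflow(DEST_SIZE, attack) ? "yes" : "no");
    return 0;
}
```

The audit question from the original post is then not "does strcpy appear?" but "for each strcpy/strcat call, is the source a constant or a value whose length was checked against the destination before the call?"; the first kind can be skipped, the second is where the review effort belongs.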
