On 07/21/2010 05:12 PM, Bron Gondwana wrote:
We decided to pull map_stupidshared. Are you on the cyrus-devel
mailing list?
Yeah, but I've only been on it for a couple of months -- maybe this was
discussed previously.
Trying to evaluate C code that consists of lots of little functions with
no documentation is like playing nethack (you just entered a maze of
twisty little tunnels....).
For example, one of the debian package maintainers introduced this patch
to ~/master/master.c:
----------------------------------------------------
@ -195,13 +195,17 @@
free(a);
}
-void get_prog(char *path, unsigned size, char *const *cmd)
+void get_prog(char *path, unsigned int size, char *const *cmd)
{
if (cmd[0][0] == '/') {
/* master lacks strlcpy, due to no libcyrus */
snprintf(path, size, "%s", cmd[0]);
+ path[size-1] = '\0';
+ }
+ else {
+ snprintf(path, size, "%s/%s", SERVICE_PATH, cmd[0]);
+ path[size-1] = '\0';
}
- else snprintf(path, size, "%s/%s", SERVICE_PATH, cmd[0]);
}
----------------------------------------------------
The parameter type correction at the top fixes a bug, but what the code
null terminating path? If path is used as a string then this is OK, but
otherwise it could be overwriting a necessary character. To properly
check if this is an OK patch to submit to the bugzilla, I have to track
down every use of the get_prog function.
They're both being removed in Cyrus 2.4. GUID is now compulsary,
so sha1s will be calculated on append.
Not sure what "GUID is now compulsory" means, but it turns out I was
wrong and that sha1 has also been compromised
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
so hopefully this is just being used to generate checksums and not for
actually security....
