Hi Zdenek,

On Tue, Aug 13, 2013 at 8:17 AM, Zdenek Styblik <zdenek.styb...@gmail.com> wrote:
>>> There are still those (two) scanf() patches left. I want to look at
>>> these closer, because it seems tricky to handle scanf() correctly.
>>
>> It's really not _that_ tricky. It returns the number of things that
>> it scanned in correctly.
>>
>>> I mean, not just patch it up.
>>
>> Well I didn't just patch it up.. I tried to handle them correctly.
>>
>
> Here is what I had in mind:
>
> http://stackoverflow.com/questions/2430303/disadvantages-of-scanf
> http://stackoverflow.com/questions/9457325/how-to-use-sscanf-correctly-and-safely
> https://www.securecoding.cert.org/confluence/display/seccode/INT05-C.+Do+not+use+input+functions+to+convert+character+data+if+they+cannot+handle+all+possible+inputs
> http://blog.markloiseau.com/2012/02/two-safer-alternatives-to-scanf/
My patch made no attempt to perform a security audit of the code. It was only to get rid of the warnings that were caused by removing the compilation flag. The same scanf's which were there before are still there, just the return code is now checked.

If you want to go through all this hassle of getting rid of every scanf from the code, then that's up to you, but I don't think that there is any reason to intermingle this fairly massive project with my fairly simple patch to add return code checking. They are two different things and should be done in two different patches.

thanks
dan
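The two approaches being debated above, side by side, as an added illustration that is not part of the thread or of any ipmitool patch: a "major.minor" parser that checks the sscanf() conversion count, next to a strtol() parser that also catches out-of-range values and trailing junk, which is the INT05-C limitation the links raise. The "major.minor" format and all function names are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Style of the patch under discussion: keep sscanf() but check that it
 * converted both fields. Returns 0 on success, -1 otherwise.
 * Limitation: sscanf() cannot report trailing junk after the second
 * number, and an overflowing "%d" field is undefined behaviour, so this
 * check cannot catch out-of-range input (CERT INT05-C). */
int parse_version_sscanf(const char *s, int *major, int *minor)
{
    int n = sscanf(s, "%d.%d", major, minor);
    return (n == 2) ? 0 : -1;
}

/* One field parsed with strtol(): rejects empty input and ERANGE, and
 * requires the character after the digits to be 'expect'. */
static int parse_field(const char *s, char expect, long *out, char **end)
{
    errno = 0;
    *out = strtol(s, end, 10);
    if (errno == ERANGE || *end == s || **end != expect)
        return -1;
    return 0;
}

/* Replacement style: strtol() detects overflow and rejects anything
 * left over after the minor number. Returns 0 on success, -1 otherwise. */
int parse_version_strtol(const char *s, long *major, long *minor)
{
    char *end;
    if (parse_field(s, '.', major, &end) != 0)
        return -1;
    return parse_field(end + 1, '\0', minor, &end);
}

/* Fold (major, minor) into major*100+minor, or -1 on failure, so each
 * outcome can be checked with one expression. */
long sscanf_code(const char *s)
{
    int ma, mi;
    return parse_version_sscanf(s, &ma, &mi) == 0 ? ma * 100L + mi : -1;
}

long strtol_code(const char *s)
{
    long ma, mi;
    return parse_version_strtol(s, &ma, &mi) == 0 ? ma * 100 + mi : -1;
}
```

Only the strtol() variant rejects "1.8xyz" and the overflowing "1.99999999999999999999"; the sscanf() variant still returns 2 for the former.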