> How will source code review catch buffer overrun?

For C code (what the AES machine made by Smartmatic probably uses, since it is Linux based and is an embedded machine) there are several basic things to check to catch vulnerabilities. The use of some functions that don't check the bounds of a buffer (for example: gets(), scanf(), strcpy()) should raise a red flag.

> If my test will not catch it then there is this probability it will not occur.

That's what the maker of the AES machine with the vulnerable image processing library said.

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
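As an added example (not from the original post or from PLUG), a small C review aid for the check the reply describes: it flags source lines that call the bounds-unaware functions named above (gets(), strcpy(), and scanf() with a bare %s) and shows a bounded replacement for strcpy(). The function names unsafe_call and bounded_copy and the sample source lines are my own constructions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Return the name of the first bounds-unaware call on this line (gets, strcpy, or
 * scanf with a bare "%s"), else NULL. A name counts only when followed by '(' and
 * not preceded by an identifier char, so "fgets("/"strncpy(" and "%31s" pass. */
const char *unsafe_call(const char *line) {
    static const char *names[] = {"gets", "strcpy", "scanf"};
    for (size_t i = 0; i < 3; i++) {
        size_t n = strlen(names[i]);
        const char *p = line;
        while ((p = strstr(p, names[i])) != NULL) {
            const char *q = p + n;
            while (*q == ' ' || *q == '\t') q++;
            if ((p == line || !(isalnum((unsigned char)p[-1]) || p[-1] == '_')) && *q == '(') {
                if (strcmp(names[i], "scanf") == 0 && strstr(q, "%s") == NULL)
                    break;                      /* width-limited scanf, e.g. "%31s" */
                return names[i];
            }
            p += n;
        }
    }
    return NULL;
}
/* Bounded replacement for strcpy(): writes at most dstsize-1 bytes and always
 * NUL-terminates. Returns 0 on success, -1 if src had to be truncated. */
int bounded_copy(char *dst, size_t dstsize, const char *src) {
    if (dstsize == 0) return -1;
    size_t len = strlen(src);
    if (len >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}
int main(void) {
    const char *lines[] = {  /* constructed sample source lines */
        "    gets(buf);", "    fgets(buf, sizeof buf, stdin);",
        "    strcpy(name, argv[1]);", "    scanf(\"%31s\", name);"};
    for (size_t i = 0; i < 4; i++) {
        const char *f = unsafe_call(lines[i]);
        printf("%-36s %s\n", lines[i], f ? f : "ok");
    }
    char out[8];
    int rc = bounded_copy(out, sizeof out, "0123456789");  /* rc=-1, out="0123456" */
    printf("rc=%d out=\"%s\"\n", rc, out);
    return 0;
}
```

A real review would run such a scan over the whole tree and treat each hit as a place to confirm that the destination size is actually checked.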

