On 11/23/2016 03:29 PM, Denys Vlasenko wrote:
> On Tue, Nov 22, 2016 at 5:07 PM, Rich Felker wrote:
>>> Different projects choose their paranoias differently.
>>> >From its inception, bbox was paranoid about code size.
>>>
>>> If you see an actual bug where buffer can overflow,
On Tue, Nov 22, 2016 at 5:07 PM, Rich Felker wrote:
>> Different projects choose their paranoias differently.
>> >From its inception, bbox was paranoid about code size.
>>
>> If you see an actual bug where buffer can overflow,
>> I'm more than willing to fix it.
>>
>> But if
On Tue, Nov 22, 2016 at 02:30:50AM +0100, Denys Vlasenko wrote:
> On Mon, Nov 21, 2016 at 8:18 PM, Simon Rettberg
> wrote:
> > On Mon, 21 Nov 2016 20:37:14 +0200
> > Timo Teras wrote:
> >>
> >> It is still good practice to fill it with
On Mon, Nov 21, 2016 at 8:18 PM, Simon Rettberg
wrote:
> On Mon, 21 Nov 2016 20:37:14 +0200
> Timo Teras wrote:
>>
>> It is still good practice to fill it with snprintf. If this is done,
>> proper error checking should be done to check the
On Mon, 21 Nov 2016 20:37:14 +0200
Timo Teras wrote:
>
> It is still good practice to fill it with snprintf. If this is done,
> proper error checking should be done to check the final 'len' that it
> does not exceed IOBUF_SIZE or you have information leak bug (since
>
Am 21.11.2016 um 18:08 schrieb walter harms:
the only reason we need to buffer everything is because of IE whatever.
Can someone confirm that this is still needed ?
AFAIK this was a valid issue until IE6. IE versions 7 and up should have
no problems with headers plus small HTML page in one
On Mon, 21 Nov 2016 18:08:39 +0100
walter harms wrote:
> but i have an other question, based to the comments in the code:
>
> * The arguments are combined and sent as one write operation. Note
> that
> * IE will puke big-time if the headers are not sent in one packet
> and the
Nice,
but i have an other question, based to the comments in the code:
* The arguments are combined and sent as one write operation. Note that
* IE will puke big-time if the headers are not sent in one packet and the
* second packet is delayed for any reason.
the only reason we need to
On 2016-11-21 09:53, Raphael de Carvalho Muniz wrote:
We understand that the resulting program may have vulnerabilities when
the macro "#if ENABLE_FEATURE_HTTPD_RANGES" is enabled, by the fact of
utilization that sprintf() function. Second the CWE Project, is the
classified by CWE-134, where