On Fri, Apr 18, 2014 at 09:41:47PM -0400, Jacob L. Leifman wrote:
> I'm guessing that openssl was incorporated into OpenBSD base without
> prior sufficient audit by the OBSD devs because it was presumed to have
> better auditing / quality control upstream given its security critical
> nature and function.
Everyone has to take shortcuts. After what you've seen
Seems it is ok to use strlcat/strlcpy that way in some cases:
$ cat src/usr.sbin/smtpd/*.c | egrep -c ' strlc(at|py)\('
249
Hi Claus @ Sendmail [come on, your employer matters when you point
at code like this, you know better]
smtpd is a new project. The 2-3 developers working on it should
On Fri, Apr 18, 2014 at 05:19:15PM -0700, Claus Assmann wrote:
> Seems it is ok to use strlcat/strlcpy that way in some cases:
> $ cat src/usr.sbin/smtpd/*.c | egrep -c ' strlc(at|py)\('
> 249
We tend to be very strict with our checks in smtpd and we did not check
in various places because the
Small demonstration of the kinds of things we'll have to mop up for
weeks more.
From OpenSSL CHANGES file:
*) Introduce safe string copy and catenation functions
(BUF_strlcpy() and BUF_strlcat()).
[Ben Laurie (CHATS) and Richard Levitte]
That's from back in 2002.
These functions
On 2014/04/18 09:50, dera...@cvs.openbsd.org wrote:
> Small demonstration of the kinds of things we'll have to mop up for
> weeks more.
> From OpenSSL CHANGES file:
> *) Introduce safe string copy and catenation functions
> (BUF_strlcpy() and BUF_strlcat()).
> [Ben Laurie (CHATS) and
On Fri, Apr 18, 2014 at 05:19:15PM -0700, Claus Assmann wrote:
> Seems it is ok to use strlcat/strlcpy that way in some cases:
> $ cat src/usr.sbin/smtpd/*.c | egrep -c ' strlc(at|py)\('
> 249
If your only goal is ensuring you don't have a non-NUL-terminated
string, sure, that's great. And the way
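The reply above separates two guarantees: that the destination is always NUL-terminated, and that nothing was silently cut off. The following is an added example, not code from this thread, from OpenBSD's smtpd or from OpenSSL. It reimplements strlcpy/strlcat under the names my_strlcpy/my_strlcat with the documented OpenBSD return-value semantics (the length of the string the call tried to create), so it builds on a libc without them, and runs the "ignore the return value" style beside the checked style on constructed path inputs. The helper names, the 16-byte PATHSZ buffer and the sample paths are assumptions of the example.

```c
/*
 * Added example, not code from the thread, OpenBSD smtpd or OpenSSL.
 * Shows what strlcpy/strlcat guarantee with and without checking the
 * return value. my_strlcpy/my_strlcat follow the OpenBSD semantics
 * (return the length of the string they tried to create) so this builds
 * on a libc that lacks the real ones; all names here are the example's own.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static size_t my_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);

    if (dsize != 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';          /* always terminated when dsize > 0 */
    }
    return srclen;              /* >= dsize means the copy was truncated */
}

static size_t my_strlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = 0;

    while (dlen < dsize && dst[dlen] != '\0')
        dlen++;
    if (dlen == dsize)          /* dst not terminated within dsize */
        return dsize + strlen(src);
    return dlen + my_strlcpy(dst + dlen, src, dsize - dlen);
}

/* The style the egrep in the thread counts: return values ignored. The
 * result is always NUL-terminated, but a too-small buffer silently truncates. */
static void join_unchecked(char *out, size_t outsz,
                           const char *dir, const char *file)
{
    my_strlcpy(out, dir, outsz);
    my_strlcat(out, "/", outsz);
    my_strlcat(out, file, outsz);
}

/* Checked style: a return value >= outsz means the intended string did not
 * fit. Returns 0 on success, -1 on truncation (out is terminated either way,
 * so the caller can still log it safely). */
static int join_checked(char *out, size_t outsz,
                        const char *dir, const char *file)
{
    if (my_strlcpy(out, dir, outsz) >= outsz)
        return -1;
    if (my_strlcat(out, "/", outsz) >= outsz)
        return -1;
    if (my_strlcat(out, file, outsz) >= outsz)
        return -1;
    return 0;
}

#define PATHSZ 16   /* deliberately small so the constructed inputs overflow */

/* Runs the unchecked join into a PATHSZ buffer; 1 if the result equals expect. */
static int unchecked_yields(const char *dir, const char *file,
                            const char *expect)
{
    char buf[PATHSZ];

    join_unchecked(buf, sizeof buf, dir, file);
    return strcmp(buf, expect) == 0;
}

/* Runs the checked join into a PATHSZ buffer and returns its status. */
static int checked_status(const char *dir, const char *file)
{
    char buf[PATHSZ];

    return join_checked(buf, sizeof buf, dir, file);
}

int main(void)
{
    /* Constructed inputs: the first fits in PATHSZ bytes, the others do not. */
    const char *dirs[] = { "/var/mail", "/var/mail", "/var/spool/smtpd" };
    const char *files[] = { "user", "longusername", "queue" };
    char buf[PATHSZ];
    size_t i;

    for (i = 0; i < 3; i++) {
        join_unchecked(buf, sizeof buf, dirs[i], files[i]);
        printf("unchecked=\"%s\" checked=%d\n", buf,
               checked_status(dirs[i], files[i]));
    }
    return 0;
}
```

The unchecked join never writes past the buffer and never leaves it unterminated, which is the guarantee the count of 249 calls buys; it still turns "/var/spool/smtpd/queue" into "/var/spool/smtp" without anyone noticing. The checked join is the same three calls with each return compared against the buffer size, which is the check that turns a silent truncation into an error the caller can act on.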
I'm guessing that openssl was incorporated into OpenBSD base without
prior sufficient audit by the OBSD devs because it was presumed to have
better auditing / quality control upstream given its security critical
nature and function. (A number of devs have commented in the past about
the [lack