On Thu, 31 Dec 2020 15:27:02 +1100, Ross L Richardson wrote:
> It could, of course, just use a fixed string rather than the "%s" format,
> although the latter is certainly clear(er) and consistent.
I originally had a fixed string but decided that using the "%s"
format was clearer.
> With

On Wed, Dec 30, 2020 at 09:08:53AM -0700, Todd C. Miller wrote:
> [...]
> Yes, that should be checked. In the case of login_passwd.c there
> is really no reason to use auth_mkvalue(3) at all as there is nothing
> that needs to be escaped. I think the simplest approach is to send
> a reject

On Wed, 30 Dec 2020 15:34:34 +1100, Ross L Richardson wrote:
> auth_mkvalue(3) may return NULL (if no memory is available), but
> login_passwd.c and friends use the return value without checking.
Yes, that should be checked. In the case of login_passwd.c there
is really no reason to use