On Fri, Apr 18, 2014 at 05:19:15PM -0700, Claus Assmann wrote:
> Seems it is ok to use strlcat/strlcpy that way in some cases:
> $ cat src/usr.sbin/smtpd/*.c | egrep -c ' strlc(at|py)\('
> 249
>
We tend to be very strict with our checks in smtpd and we did not check
in various places because the
> Seems it is ok to use strlcat/strlcpy that way in some cases:
> $ cat src/usr.sbin/smtpd/*.c | egrep -c ' strlc(at|py)\('
> 249
Hi Claus @ Sendmail [come on, your employer matters when you point
at code like this, you know better]
smtpd is a new project. The 2-3 developers working on it shoul
> I'm guessing that openssl was incorporated into OpenBSD base without
> prior sufficient audit by the OBSD devs because it was presumed to have
> better auditing / quality control upstream given its security critical
> nature and function.
Everyone has to take shortcuts. After what you've see
On Fri, Apr 18, 2014 at 09:41:47PM -0400, Jacob L. Leifman wrote:
> I'm guessing that openssl was incorporated into OpenBSD base without
> prior sufficient audit by the OBSD devs because it was presumed to have
> better auditing / quality control upstream given its security critical
> nature and
On Fri, Apr 18, 2014 at 09:41:47PM -0400, Jacob L. Leifman wrote:
Some of the OpenSSL rot crept in slowly as "improvements from upstream".
As for everything else, the source tree is public - if you're
qualified to help, you're qualified to look. If you send a sane diff
we'll look at it.
-Bob
I'm guessing that openssl was incorporated into OpenBSD base without
prior sufficient audit by the OBSD devs because it was presumed to have
better auditing / quality control upstream given its security critical
nature and function. (A number of devs have commented in the past about
the [lack o
On Fri, Apr 18, 2014 at 05:19:15PM -0700, Claus Assmann wrote:
> Seems it is ok to use strlcat/strlcpy that way in some cases:
> $ cat src/usr.sbin/smtpd/*.c | egrep -c ' strlc(at|py)\('
> 249
If your only goal is ensuring you don't have a non-nul terminated
string, sure, that's great. and the wa
Seems it is ok to use strlcat/strlcpy that way in some cases:
$ cat src/usr.sbin/smtpd/*.c | egrep -c ' strlc(at|py)\('
249
On 2014/04/18 09:50, dera...@cvs.openbsd.org wrote:
> Small demonstration of the kinds of things we'll have to mop up for
> weeks more.
>
> From OpenSSL CHANGES file:
>
> *) Introduce safe string copy and catenation functions
> (BUF_strlcpy() and BUF_strlcat()).
> [Ben Laurie (CHATS)