Hello, On Tue, 29 Aug 2006, Michael Jerris wrote:
[ if (url->url_port) rv += (int)strlen(url->url_port) + 1; /* plus ':' */ ] > I don't disagree with you, but the other option is to change the api to > use size_t instead of int all over the place, which I am told is not > really an option as it would totally break ABI. In this case, if the > url_port is really over the length of max int then you will indeed have we can change all the internal uses, but not public structs nor signatures of public functions. But I agree that these should be handled somehow. With or without the cast, the problem is the same, the value returned by strlen() could overflow an int and cause havoc (note: the C spec doesn't say anything about the storage size of size_t -- only that you query it with SIZE_MAX). If strlen() returns INT_MAX+1, it will result in int value of -1, whether you cast it or not. So any good ideas how to fix this cleanly? Obviously casting to int will remove the warnings but not cure the problem. The options are: 1) turn ints into size_t's (but no in any public interfaces) 2) truncate size_t to INT_MAX and then cast to (int) 3) cast to ints like in Mike's patch 4) do nothing Options 3+4 would basicly require to go through all the cases and see whether the string could be controlled by an external party (and thus form a security threat). Otherwise, INT_MAX is so large even on embedded systems nowadays, that there is very little chance of actual real life trouble from all these. -- under work: Sofia-SIP at http://sofia-sip.sf.net ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Sofia-sip-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/sofia-sip-devel
