[ntp:questions] Re: Taming the pinball machine
Wolfgang S. Rupprecht
wolfgang+gnus20031126T215304 at dailyplanet.dontspam.wsrcc.com
Thu Nov 27 06:31:17 UTC 2003
Dave Thompson <david.thompson1 at worldnet.att.net> writes:
> On 13 Nov 2003 16:48:21 -0800, mayer at gis.net (Danny Mayer) wrote:
>> wolfgang+gnus20031113T094637 at dailyplanet.dontspam.wsrcc.com (Wolfgang S. Rupprecht) wrote in message news:<x74qx84065.fsf at capsicum.wsrcc.com>...
>> > Would ntp's caretakers accept a patch to change sprintf()'s to
>> > snprintf() so this thing can't happen again?
>> Yes. There are, however, more than a few sprintf's in the program.
> And remember that snprintf is not standard, until C99 which isn't
> widespread yet and probably won't be "universal" for some time.
> In particular in M$VC/Win it's _snprintf.
The question really boils down to is ntpd supposed to hold the bag for
every OS distribution that doesn't provide safe string handling yet?
Script kiddies are getting really good at finding buffer overflows
using brute force searches.
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
The above "From:" address is valid. Don't mess with it.
More information about the questions