"Secure coding" audit checkers and Kerberos

Ken Raeburn raeburn at MIT.EDU
Wed Oct 15 16:55:36 EDT 2008

On Oct 15, 2008, at 16:49, John Hascall wrote:
>> On Wed, Oct 15, 2008 at 03:16:06PM -0500, John Hascall wrote:
>>>> asprintf(&buf, "%s%s%s", s1, s2, s3);
>>>> if (buf == NULL)
>>>>   return ENOMEM;
>>>> Love
>>>  asprintf is a non-standard, and therefore
>>>  sub-optimally portable, GNU extension --
>>>  so you're still stuck writing something else
>>>  (perhaps your own asprintf implementation,
>>>  which is far more baggage than one needs
>>>  to concat a few strings).
>> I disagree with the "far more baggage" characterization.   
>> Particularly
>> if the alternative is to use memcpy() instead of strcpy().
> While I can certainly understand the visceral dislike of memcpy
> for string copies -- implementing every possible doohicky that
> can go in a (GNU extended) *printf format string is a whole lot
> of baggage.

If you have snprintf, you can build asprintf on top of it, without  
reimplementing everything.


More information about the krbdev mailing list