"Secure coding" audit checkers and Kerberos

John Hascall john at iastate.edu
Wed Oct 15 17:05:10 EDT 2008

> On Wed, Oct 15, 2008 at 03:49:05PM -0500, John Hascall wrote:
> > > I disagree with the "far more baggage" characterization.  Particularly
> > > if the alternative is to use memcpy() instead of strcpy().
> > 
> > While I can certainly understand the visceral dislike of memcpy
> > for string copies -- implementing every possible doohickey that
> > can go in a (GNU extended) *printf format string is a whole lot
> > of baggage.
> But you don't need to.  You can implement asprintf() on top of even an
> old snprintf() -- just realloc() if snprintf() > the allocated buffer.

  1) snprintf is also non-standard
  2) there are some horrible snprintf's out there,
     including ones which do little more than call sprintf!
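
The approach discussed in this message, as an added example that is not part of the original post or the Kerberos source: asprintf() built on vsnprintf() with realloc(), treating a negative or full-buffer return as truncation so that pre-C99 return conventions are also handled. The names my_asprintf, my_vasprintf and FMT_MAX are hypothetical, and va_copy is assumed to be available; a snprintf that ignores its size argument cannot be made safe at this layer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FMT_MAX ((size_t)1 << 24)   /* assumed cap so a real error cannot loop forever */

/* my_vasprintf: hypothetical name, not the Kerberos tree's helper. */
int my_vasprintf(char **out, const char *fmt, va_list ap)
{
    size_t size = 64;               /* first guess, grown on truncation */
    char *buf = NULL;

    *out = NULL;
    while (size <= FMT_MAX) {
        char *tmp = realloc(buf, size);
        va_list ap2;
        int n;

        if (tmp == NULL)
            break;
        buf = tmp;
        va_copy(ap2, ap);           /* each vsnprintf call consumes its va_list */
        n = vsnprintf(buf, size, fmt, ap2);
        va_end(ap2);

        /* Accept only a result that left spare room, in case an old
         * version returns bytes stored (size-1) on truncation, not -1. */
        if (n >= 0 && (size_t)n < size - 1) {
            *out = buf;
            return n;
        }
        /* C99 reports the needed length; older ones give no hint, so double. */
        size = (n >= 0 && (size_t)n >= size) ? (size_t)n + 2 : size * 2;
    }
    free(buf);
    return -1;
}

int my_asprintf(char **out, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = my_vasprintf(out, fmt, ap);
    va_end(ap);
    return n;
}
```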


