"Secure coding" audit checkers and Kerberos
john at iastate.edu
Wed Oct 15 17:05:10 EDT 2008
> On Wed, Oct 15, 2008 at 03:49:05PM -0500, John Hascall wrote:
> > > I disagree with the "far more baggage" characterization. Particularly
> > > if the alternative is to use memcpy() instead of strcpy().
> > While I can certainly understand the visceral dislike of memcpy
> > for string copies -- implementing every possible doohicky that
> > can go in a (GNU extended) *printf format string is a whole lot
> > of baggage.
> But you don't need to. You can implement asprintf() on top of even an
> old snprintf() -- just realloc() if snprintf() > the allocated buffer.
1) snprintf is also non-standard
2) there are some horrible snprintf's out there,
including ones which do little more than call sprintf!
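The asprintf()-on-snprintf() construction the quoted reply describes, as an added example that is not code from this thread or from the Kerberos code base. It copes with both a C99 vsnprintf() (which returns the length the full output needs) and a pre-C99 one that returns -1 on truncation; the 64-byte initial size and the ASPRINTF_MAX_SIZE cap are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on the buffer this example will grow to. A C99 vsnprintf()
 * returns a negative value only on error, but a legacy one returns -1 on
 * truncation too, so the loop cannot tell the two apart and needs a cap
 * to avoid growing forever on a genuine error. (Assumed value.) */
#define ASPRINTF_MAX_SIZE ((size_t)1 << 24)

/* asprintf() on top of vsnprintf(): allocate, format, and grow the buffer
 * with realloc() until the whole result fits. Returns the length written,
 * or -1 with *out == NULL on failure. */
int my_vasprintf(char **out, const char *fmt, va_list ap)
{
    size_t size = 64;          /* initial guess; grown on retry */
    char *buf = NULL;
    *out = NULL;
    for (;;) {
        char *tmp = realloc(buf, size);
        if (tmp == NULL) { free(buf); return -1; }
        buf = tmp;
        va_list aq;
        va_copy(aq, ap);       /* ap must be fresh for every retry */
        int n = vsnprintf(buf, size, fmt, aq);
        va_end(aq);
        if (n >= 0 && (size_t)n < size) {   /* fitted, NUL included */
            *out = buf;
            return n;
        }
        if (n >= 0)
            size = (size_t)n + 1;  /* C99: exact size now known */
        else
            size *= 2;             /* legacy -1: grow blindly and retry */
        if (size > ASPRINTF_MAX_SIZE) { free(buf); return -1; }
    }
}

int my_asprintf(char **out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = my_vasprintf(out, fmt, ap);
    va_end(ap);
    return n;
}
```

The caller owns the returned buffer and must free() it; on failure nothing is leaked because the partially grown buffer is released before returning -1.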