"Secure coding" audit checkers and Kerberos

John Hascall john at iastate.edu
Wed Oct 15 17:29:55 EDT 2008

> On Wed, Oct 15, 2008 at 04:05:10PM -0500, John Hascall wrote:
> >   1) snprintf is also non-standard
> >   2) there are some horrible snprintf's out there,
> >      including ones which do little more than call sprintf!

> The MIT-krb5-uses-snprintf() train departed long ago.

So be it, but it does seem a little odd to be worried about
a code-analysis tool false-flaging perfectly safe uses of
strcpy/strcat and suggesting that the fix is to use some
thing known to have a whole array of missing/bad/dangerous


More information about the krbdev mailing list