"Secure coding" audit checkers and Kerberos

Philip Guenther guenther at gmail.com
Wed Oct 15 18:11:34 EDT 2008

On Wed, Oct 15, 2008 at 2:40 PM, Ken Raeburn <raeburn at mit.edu> wrote:
> They do mention libc4 on Linux, which I doubt anyone uses any more,
> and even if they do, I'm pretty sure we already use stuff that it
> doesn't support; they mention "some old HP systems" with even less
> detail.

Specific data point from personal experience: in 2003, HP-UX 11.11's
snprintf() had (at least) two defects:

1) it would return -1 if given a non-zero size smaller than the
required length.  I.e.,
         char c;
         snprintf(&c, 1, "foo");
   would return -1 instead of 3

2) if the size argument was zero, it would act like sprintf() and put
no limit on how many characters it would write to the buffer.

Philip Guenther
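As an added example, not code from this thread or from Kerberos: a vsnprintf() wrapper that stays correct on a libc with both defects described above (it never passes a zero size down and treats a negative return as truncation), plus a grow-and-retry allocator that measures the needed length without ever calling snprintf(NULL, 0, ...). The function names are my own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example (not from the thread or from Kerberos): a vsnprintf()
 * wrapper that stays safe on a libc with the two defects described above.
 * Returns 1 if the text fit, 0 if it was truncated (buf is NUL-terminated
 * either way), and -1 if size is 0 (never passed down to the libc). */
int safe_vformat(char *buf, size_t size, const char *fmt, va_list ap)
{
    int n;
    if (size == 0)                   /* broken libc would write unbounded */
        return -1;
    n = vsnprintf(buf, size, fmt, ap);
    buf[size - 1] = '\0';            /* terminate even if the libc did not */
    /* old libc: -1 means "did not fit"; C99: n is the length needed */
    return (n >= 0 && (size_t)n < size) ? 1 : 0;
}

int safe_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = safe_vformat(buf, size, fmt, ap);
    va_end(ap);
    return r;
}

/* Format into a malloc()ed string without using snprintf(NULL, 0, ...) to
 * measure: start small and double the buffer until the text fits.
 * Caller frees the result; returns NULL on allocation failure. */
char *format_alloc(const char *fmt, ...)
{
    size_t size = 16;
    char *buf = NULL;
    for (;;) {
        va_list ap;
        int r;
        char *p = realloc(buf, size);
        if (p == NULL) { free(buf); return NULL; }
        buf = p;
        va_start(ap, fmt);           /* va_list must be restarted per call */
        r = safe_vformat(buf, size, fmt, ap);
        va_end(ap);
        if (r == 1) return buf;
        if (r < 0) { free(buf); return NULL; }
        size *= 2;
    }
}
```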

