Security Audit, was Re: [crossfire] Server release?
David Delbecq
david.Delbecq at myrealbox.com
Sun Apr 17 13:49:56 CDT 2005
A few times ago, i tried to fix this by changing char* manipulation to some
macros. This made operations like strcat faster because we kept a track on
the lenght of buffer, but i dropped. This was taking me a huge amount of time
to code and the various changes in server occuring during that period made a
lot of conflict. The good point was 'it was working', the bad point was 'lots
of prototype changes'. Maybe i should retry but this time work on something
like commiting one clean file per week.
--- Mark Wedel <
mwedel at sonic.net
> wrote:
<snip>
>
Unfortunately, some number of those calls are on
>
data passed in, where it
>
would require changing the function prototype to
>
denote how large the buffer is.
>
>
There are still a lot of calls to sprintf/strcpy
>
in the code - fixing those is
>
no smaller matter.
>
>
On the bright side, the server requires no special
>
privileges to run, so could
>
be run in a jail/zone/chroot environment to mitigate
>
the risks.
>
--
--
David Delbecq
david.delbecq at myrealbox.com
Public PGP KEY FINGERPRINT:
F4BC EF69 54CC F2B5 4621 8DAF 1C71 8E6B 5436 C17C
Public PGP KEY location:
http://wwwkeys.pgp.net/pgpnet/wwwkeys.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://shadowknight.real-time.com/pipermail/crossfire/attachments/20050417/5e6f1ef9/attachment.pgp
More information about the crossfire
mailing list