On Mon, 8 Nov 2004, Tomasz Kojm wrote: > > I also dont particulary think its wise for a library to include any > > calls to exit. Libraries you link your program to should not terminate > > your program without your direct permission. > > libclamav doesn't contain any exit()-like calls.
Many developers include ASSERTions to guard parameters passed to library calls and, in general, a failed assertion causes an abort(). While this does leave open a possible DoS issue, I would much rather have a program die than continue without allocating memory which might lead to a heap overflow and be vulnerable to additional exploitation. Open source library assertions are not nearly as much of a problem as closed-source library assertions and for the latter I completely agree. For open-source implementations assertions do have their place. Grey line I know but a point of security which should be addressed. This is my $0.02 (or 1/2 sense). -- Eric Wheeler Vice President National Security Concepts, Inc. PO Box 3567 Tualatin, OR 97062 http://www.nsci.us/ Voice: (503) 293-7656 Fax: (503) 885-0770 _______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
