On Sat, 27 Oct 2018 14:24:22 +0200 info at smallinnovations dot nl <i...@smallinnovations.nl> wrote:

> Not my words although I agree fully with them:
> https://www.theregister.co.uk/2018/10/26/systemd_dhcpv6_rce/

"The overflow can be triggered relatively easy by advertising a DHCPv6
server with a server-id >= 493 characters long," Wilhelm noted.

They say: You must use systemd because sysvinit is soooooo old.

I say: You must use strncpy()/strncat() because strcpy()/strcat() are
soooooo old.

What's it been now, 30 years since the strn versions of those commands
have been around? You'd think they'd have taken that in and adopted it
by now. But nooooooooooooooooooooooooo!

Tip to Lennart: Make the size of the destination buffer a constant, then
use the command with the n, like the following example:

======================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    const int BUFSIZE = 10;
    /* sizeof(char) is 1; the original sizeof(char*) over-allocated
       by a factor of the pointer size without changing the logic */
    char *buf = malloc(sizeof(char) * BUFSIZE);
    if (!buf)
        return 1;

    /* Bounded by the destination size, not the source length */
    strncpy(buf, "antidisestablishmentianism", BUFSIZE);
    buf[BUFSIZE - 1] = '\0';  /* strncpy() writes no terminator when
                                 the source is BUFSIZE bytes or longer */

    /* Never pass copied data as the format string: printf(buf) lets
       any '%' in the input drive printf */
    printf("%s\n", buf);
    free(buf);
    return 0;
}
======================================================

SteveT

Steve Litt
September 2018 featured book: Quit Joblessness: Start Your Own Business
http://www.troubleshooters.com/startbiz
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
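The copy pattern the post is arguing about, as an added example that is not Steve Litt's code and not systemd's: a fixed-size server-id buffer receives a DHCPv6 option whose length is chosen by the advertising server. The 16-byte buffer, the `struct lease` layout, the field and function names and the constructed 493-byte input (the length the Register article cites) are assumptions for illustration. The unbounded copy is shown beside a strncpy() copy bounded by the destination and beside a length-checked copy that rejects the option instead of truncating it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SERVER_ID_MAX 16          /* assumed destination size, for illustration only */

/* Assumed lease state (not systemd's layout): a fixed buffer followed by
 * a field that an overflow of the buffer would clobber first. */
struct lease {
    char     server_id[SERVER_ID_MAX];
    uint32_t t1;                  /* renewal timer, sits right after the buffer */
};

/* The unsafe pattern: the copy is bounded only by the attacker-supplied
 * option length.  Any optlen >= SERVER_ID_MAX writes into t1 and beyond.
 * Kept for comparison; deliberately never called. */
void set_server_id_unbounded(struct lease *l, const uint8_t *opt, size_t optlen)
{
    memcpy(l->server_id, opt, optlen);   /* same defect as strcpy(): no check against the destination */
    l->server_id[optlen] = '\0';
}

/* The post's suggestion, made safe on both sides: copy at most
 * sizeof(server_id)-1 bytes and at most optlen bytes (DHCPv6 option data
 * is length-prefixed, not NUL-terminated, so strncpy(dst, src, SERVER_ID_MAX)
 * alone could read past a short option), then terminate explicitly because
 * strncpy() adds no NUL when the source fills the count.  Returns the number
 * of bytes stored; a longer option is silently truncated, and strncpy()
 * also stops at any embedded NUL, which a binary DUID may contain. */
size_t set_server_id_truncating(struct lease *l, const uint8_t *opt, size_t optlen)
{
    size_t cap = sizeof l->server_id - 1;
    size_t n = optlen < cap ? optlen : cap;
    strncpy(l->server_id, (const char *)opt, n);
    l->server_id[n] = '\0';
    return n;
}

/* Reject instead of truncate: the bound is the option length from the wire
 * compared against the destination size.  Returns 0 on success, -1 if the
 * option does not fit; the lease is untouched on failure. */
int set_server_id_checked(struct lease *l, const uint8_t *opt, size_t optlen)
{
    if (optlen >= sizeof l->server_id)
        return -1;
    memcpy(l->server_id, opt, optlen);   /* binary-safe, unlike strncpy() */
    l->server_id[optlen] = '\0';
    return 0;
}

/* Constructed input: a server-id of n bytes of 'A', capped at the scratch size. */
size_t make_server_id(uint8_t *out, size_t n, size_t cap)
{
    if (n > cap)
        n = cap;
    memset(out, 'A', n);
    return n;
}

int main(void)
{
    struct lease l = { .t1 = 3600 };
    uint8_t big[512];
    size_t n = make_server_id(big, 493, sizeof big);

    size_t stored = set_server_id_truncating(&l, big, n);
    printf("truncating: stored %zu of %zu bytes, t1=%u\n", stored, n, (unsigned)l.t1);

    if (set_server_id_checked(&l, big, n) < 0)
        printf("checked: rejected %zu-byte server-id, t1=%u\n", n, (unsigned)l.t1);

    uint8_t small[] = "duid-0001";
    if (set_server_id_checked(&l, small, sizeof small - 1) == 0)
        printf("checked: stored \"%s\"\n", l.server_id);
    return 0;
}
```

Two points the post's strncpy() advice leaves out. First, the length of a DHCPv6 option is carried in the option's own length field, so the check has to be "optlen versus sizeof destination", not "source string versus n"; a terminator-based function is the wrong tool for length-prefixed binary data. Second, truncating is itself a choice with consequences: a client that keeps only the first 15 bytes of a 493-byte server-id will later compare that stub against what the server sends, so rejecting the oversized option, as the checked variant does, is usually the behaviour you actually want.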
> Not my words although i agree fully with them: > https://www.theregister.co.uk/2018/10/26/systemd_dhcpv6_rce/ "The overflow can be triggered relatively easy by advertising a DHCPv6 server with a server-id >= 493 characters long," Wilhelm noted. They say: You must use systemd because sysvinit is soooooo old. I say: You must use strncpy()/strncat() because strcpy()/strcat() are soooooo old. What's it been now, 30 years since the strn versions of those commands have been around? You'd think they'd have taken that in and adopted it by now. But nooooooooooooooooooooooooo! Tip to Lennart: Make the size of the destination buffer a constant, then use the command with the n, like the following example: ====================================================== #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char * argv[]){ const int BUFSIZE = 10; char * buf = malloc (sizeof(char*) * BUFSIZE); if(!buf) return 1; strncpy(buf, "antidisestablishmentianism", BUFSIZE); buf[BUFSIZE - 1] = '\0'; //In case no nullbyte at end printf(buf); free(buf); return 0; } ====================================================== SteveT Steve Litt September 2018 featured book: Quit Joblessness: Start Your Own Business http://www.troubleshooters.com/startbiz _______________________________________________ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng