Hi Willy,

On 01/12/2014 08:36, Willy Tarreau wrote:
Hi Cyril,

I'm fine with applying your series except a minor detail to fix here :

On Sun, Nov 30, 2014 at 11:51:09PM +0100, Cyril Bonté wrote:
+       sprintf(check->envp[*idx], "%s=%s", envname, value);
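Review bot: the sprintf() into check->envp[*idx] is unbounded; use snprintf() with the size that was allocated for that entry and treat a negative return, or a return greater than or equal to that size, as a failure (snprintf() reports the length it needed without the terminating NUL, so a return equal to the size means the value was truncated).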

Please use snprintf() with the allocated length and check the result (i.e.
reject <=0 and >len). Some OSes like OpenBSD emit a link-time warning when
sprintf() is used, and after some time I tend to find they're right. While
the initial use case for sprintf() is generally OK, people modify the
format later without realizing the impacts, so better be safe from the start.

Right, I'm preparing a new patch.


--
Cyril Bonté
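The bounded formatting Willy asks for, shown as an added example written for this page rather than code from the patch or from HAProxy itself. The helper name format_env_entry, the demo() wrapper and the sample buffers are assumptions; the check uses ret >= size rather than ret > len because snprintf() returns the length it needed excluding the terminating NUL, so a return equal to the buffer size already means the entry was truncated.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for sprintf(buf, "%s=%s", envname, value).
 * Writes NAME=VALUE into buf, which holds size bytes. Returns 0 on
 * success and -1 when formatting fails or the result would not fit.
 * snprintf() reports the length it wanted, not counting the NUL, so
 * ret >= size means truncation. Hypothetical helper for this example. */
static int format_env_entry(char *buf, size_t size,
                            const char *envname, const char *value)
{
    int ret;

    if (buf == NULL || size == 0 || envname == NULL || value == NULL)
        return -1;

    ret = snprintf(buf, size, "%s=%s", envname, value);
    if (ret < 0 || (size_t)ret >= size) {
        /* do not hand a half-written entry to the caller */
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same inputs, one buffer that fits and one a byte too small
 * ("HOST=abc" needs 9 bytes including the NUL). Returns 1 when both
 * cases behave as expected, 0 otherwise. */
int demo(void)
{
    char ok[16];
    char small[8];
    int r1 = format_env_entry(ok, sizeof(ok), "HOST", "abc");
    int r2 = format_env_entry(small, sizeof(small), "HOST", "abc");

    return r1 == 0 && strcmp(ok, "HOST=abc") == 0
        && r2 == -1 && small[0] == '\0';
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The exact-fit case (a 9-byte buffer for "HOST=abc") succeeds, and growing either operand by one byte turns it into a clean -1 instead of a silent overwrite of whatever follows the allocation.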
