On Tue, Mar 15, 2016 at 10:12:51PM +0100, Benoît GARNIER wrote: > Le 15/03/2016 21:59, Willy Tarreau a écrit : > > Nice to see that you never resign, you pulled out the machine gun :-) > > I'll trust you as I guess you've run a number of tests. The glibc being > > covered by LGPL, it should be fine in theory, except if you picked it > > from an LPGLv3 version which is not compatible with GPLv2 (it requires > > to upgrade to GPLv3). But since I'm seeing this code in glibc 2.18 which > > is still LGPLv2.1, that's fine. You should mention the glibc version you > > used to clear any doubt. > > I'll redo the patch with the glibc 2.18 code, but I'll need to redo all > my tests if there are any differences in the aforementioned code.
Just diff it, visually it was exactly the same. > >> + sprintf(gmt_offset+1, "%02d%02d", (diff/60)%100, diff%60); > > Please use snprintf() instead. We completely got rid of sprintf() as it > > emits warnings on some platforms for being notoriously insecure and misused. > > I was extra careful to be sure to not overwrite the receiving buffer > (thus the modulus and the sign handling), but I didn't think about the > warnings. The only sprintf() we used to have were all pretty safe. Also, improper use of snprintf() can cause the same damage as sprintf(), but at least it limits the risks especially for quick changes performed later. So we declared that the warnings were easy to get rid of without adding any cost and that marked the end of sprintf(). Willy
