> I am a bit worried when I see C-beginner mistakes like this in a security
> suite:
> When using sscanf on data you have not produced yourself, you should
> always assume they will be bigger than your largest buffer/variable and deal
> correctly with that.

That's a bit of an exaggeration here. It's not network data coming in from somewhere else, it's a number typed on the command line in a local program.