Re: strcmp vs strncmp question

2005-11-14 Thread Theo de Raadt 
 Wel. had you looked at the second hit (really near the top,
 so boredom should not have set in yet) searching for why it was a hit
 you would have seen several instances of str*** func calls being
 replaced by strn*** func when the str ones were unsafe. Seeing that it
 was all about a CERT vulnerability report one would have assumed that a
 student of the topic would have gotten some insight into why these
 changes were made.

Well too bad you are wrong Rod, but then you had to go insult him
as well, didn't you.

 The head tells you that buffer overflows were an issue as they often
 are when str funcs are used unsafely.

Not in this case.  He found a real mistake.  What exactly was your
contribution to this? OH right.  You were insulting with any cause.

 I'm sure that a good STFA would have found some insights from Theo and
 others and you really should have donee your homework there before
 asking about such a frequent topic. Mailing list netiquette.

PEOPLE LIKE YOU, jumping on people who actually find real bugs, are
the REAL problem with our mailing lists.

He found a real bug.

You just yelled and yelled and are an ass for it.

Re: strcmp vs strncmp question

2005-11-14 Thread Theo de Raadt 
 Rod.. Whitworth wrote:
   /* Made up example of course */
 -  if (!strcmp(buf,n/a))
 +  if (!strncmp(buf,n/a,3))
  you would have seen several instances of str*** func calls being
  replaced by strn*** func when the str ones were unsafe. Seeing that it
 
 The one has little to do with the other. What if buf, in the made-up 
 example, contains n/abc? strcmp() says it's not the same, while the 
 strncmp() line above does. Either function requires a valid, 
 NUL-terminated C string, and both need to be smart enough to not read 
 past that NUL (and they are.)
 
 I highly doubt that a str?cmp() fix ever went in like that, unless the 
 different behavior was desired. It would be nice if Patrick could 
 mention what he specifically means, because such a patch would most 
 likely be wrong if it went in as an errenous safe string function 
 replacement attempt.

I grepped the ports tree patches.  There are at least 10 of these bad
patches.

Someone should go delete them.

Re: UPDATE: lang/python

2005-11-14 Thread Eric Faurot 
On 11/11/05, Aleksander Piotrowski [EMAIL PROTECTED] wrote:
 Hi

 Here goes lang/python update.  Please test and comment.  Thanks.

Regression tests pass for me on i386, macppc and amd64. I have also
tried a couple of py- modules that seem to work correctly.

Eric.

Re: strcmp vs strncmp question

2005-11-14 Thread Peter Valchev 
 In the meantime, we're a few posts down the road from the original 
 question, and I haven't seen any answer; neither on the list, nor on the 
 Net. I suppose it has something to do with strcmp continuing to compare 
 until it finds a char with value 0, but I can think of many situations 
 where this wouldn't occur (it certainly shouldn't be an issue if all 
 strings are always 0-terminated).
 
 So, I second patrick's question, and I would ask that someone either 
 answer the question or provide a link to an answer. If it is indeed such 
 a frequently asked question, it shouldn't be too hard to find a FAQ 
 entry or mailing list post that answers it, right?

Indeed, it's Rod who decided he knew what he was doing, and had to
offend someone who was right.  Sad, really...  As already said, the
obvious answer to the question is that most of these patches are
plain wrong.  I'm surprised they haven't been fixed yet...

Re: strcmp vs strncmp question

2005-11-14 Thread Moritz Grimm 

Rod.. Whitworth wrote:

 /* Made up example of course */
-  if (!strcmp(buf,n/a))
+  if (!strncmp(buf,n/a,3))

you would have seen several instances of str*** func calls being
replaced by strn*** func when the str ones were unsafe. Seeing that it


The one has little to do with the other. What if buf, in the made-up 
example, contains n/abc? strcmp() says it's not the same, while the 
strncmp() line above does. Either function requires a valid, 
NUL-terminated C string, and both need to be smart enough to not read 
past that NUL (and they are.)


I highly doubt that a str?cmp() fix ever went in like that, unless the 
different behavior was desired. It would be nice if Patrick could 
mention what he specifically means, because such a patch would most 
likely be wrong if it went in as an errenous safe string function 
replacement attempt.



Moritz

Re: strcmp vs strncmp question

2005-11-14 Thread patrick ~ 

--- Rod.. Whitworth [EMAIL PROTECTED] wrote:

 On Sun, 13 Nov 2005 17:22:42 -0800 (PST), patrick ~ wrote:

/* Made up example of course */
 -  if (!strcmp(buf,n/a))
 +  if (!strncmp(buf,n/a,3))
 
 
 Is there a real value in doing this?
 I don't see it.
 
 Can someone shed some light on this
 for me please.

 Are you just trolling?
 If not, how come you have not been looking in the archives?
 Mrs Google can help you too:
 http://justfuckinggoogleit.com/search?q=strncmp+openbsd+why


My question was meant to be a very
general one about why we patch 3rd
party software just to replace a
standard C function with another one
which gives exactly the same result
most of the time, and in some instances
could give *undesired* results, i.e.,
may adversely change the behavior of
the program.

Your suggested google query resulted to
nothing useful, other than a page with
an awk script counting string function
usage in openbsd source code.

I wonder if you even bothered to try
the link yourself before suggesting it?


Someone else, who emailed me in private,
was a bit upset that my message lacked
any specifics in regard to which port
I was referring to.

I was trying to keep the question very
general and not specific to any particular
port.  But if you must know I am looking
at graphics/p5-Image-EXIF on a 3.7-stable
system (my 3.8 CDs are still on my book
shelf waiting for me to get around to
upgrading a few machines).


g'nite,
--patrick

// don't cc: me. i'm subscribed




__ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com

Re: UPDATE: lang/python

2005-11-14 Thread steven mestdagh 
On Fri, Nov 11, 2005 at 04:48:28PM +0100, Aleksander Piotrowski wrote:
 Hi
 
 Here goes lang/python update.  Please test and comment.  Thanks.

I tested on i386 and got 1 error during regression checks:

test test_compare produced unexpected output:
**
*** lines 102-149 of actual output doesn't appear in expected output after line 
101:
+ ERROR: 1 -1 -1965125748 2123489356
+ ERROR: 1 -1 -1965125748 2123489420
+ ERROR: 1 -1 -1965125748 2123489388
+ ERROR: 1 -1 -1965125748 2123489324
+ ERROR: 1 -1 -1965125716 2123489356
+ ERROR: 1 -1 -1965125716 2123489420
+ ERROR: 1 -1 -1965125716 2123489388
+ ERROR: 1 -1 -1965125716 2123489324
+ ERROR: 1 -1 -1965125652 2123489356
+ ERROR: 1 -1 -1965125652 2123489420
+ ERROR: 1 -1 -1965125652 2123489388
+ ERROR: 1 -1 -1965125652 2123489324
+ ERROR: -1 1 2123489356 -1965125748
+ ERROR: -1 1 2123489356 -1965125716
+ ERROR: -1 1 2123489356 -1965125652
...

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

Re: If you're desperate to run clisp...

2005-11-14 Thread Andrew Sveikauskas 
Sorry, I messed up this part:

On Mon, Nov 14, 2005 at 10:31:24PM -0500, Andrew Sveikauskas wrote:
 I was able to get clisp working like this:
 
 cd /usr/ports/lang/clisp
 make configure
 cd w-clisp-2.33.2p0/clisp-2.33.2/src/malloc
 ar cq /usr/local/lib/libgmalloc.a
 cd -
 [ Add -lgmalloc to LIBS in w-clisp-2.33.2p0/build-i386/Makefile ]
 make install

The part with the ar line should of course read:

gcc -I. -c gmalloc.c
ar cq /usr/local/lib/libgmalloc.a gmalloc.o