On Fri, Oct 26, 2012 at 08:47:39AM +0200, Alistair Crooks wrote:
> >
> > What happens if $HOME is undefined ?
>
> If $HOME is undefined, then the default public keyring will not be
> found. If the default public keyring is not found, then the
> verification will fail.

I thought the code would probably call
	snprintf(buf, sizeof buf, "%s/%s", NULL, "string");
Which is allowed to core dump (and will on Solaris).

> > What happens if $HOME is very long ?
>
> If $HOME is very long, then the snprintf will truncate the MAXPATHLEN
> buffer further down the call tree. If the buffer is truncated, the
> correct default public keyring will not be found. If the default
> public keyring is not found, the verification will fail.

Silent truncation seems a bad thing to do in security code.

	David

-- 
David Laight: da...@l8s.co.uk
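
The two cases raised in this thread (a NULL `$HOME` passed to `%s`, and a path that overflows the buffer), handled explicitly, as an added example that is not part of the original message or the code under review. The helper name `home_path` and the keyring file name in `main` are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical helper: build "<home>/<name>" into buf.
 * Returns 0 on success, -1 with errno set on failure.
 * The caller passes getenv("HOME"), which may be NULL.
 */
int
home_path(char *buf, size_t size, const char *home, const char *name)
{
	int n;

	/* Passing NULL for %s is undefined behaviour, so fail before snprintf.
	 * An empty value is treated as unset here (assumption): it would
	 * otherwise resolve to a path under "/". */
	if (home == NULL || *home == '\0') {
		errno = ENOENT;
		return -1;
	}
	n = snprintf(buf, size, "%s/%s", home, name);
	if (n < 0)
		return -1;	/* output error */
	/* snprintf returns the length it needed; n >= size means the
	 * result was cut short, so report it instead of using the path. */
	if ((size_t)n >= size) {
		errno = ENAMETOOLONG;
		return -1;
	}
	return 0;
}

int
main(void)
{
	char path[1024];

	/* ".gnupg/pubring.gpg" is an assumed keyring location. */
	if (home_path(path, sizeof path, getenv("HOME"), ".gnupg/pubring.gpg") != 0) {
		perror("default keyring path");
		return 1;
	}
	printf("%s\n", path);
	return 0;
}
```

With this shape the caller can tell "no `$HOME`" and "path too long" apart from "keyring not found", rather than all three ending in the same verification failure.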