[PATCH] Re: Possible Vulnerability in httpd.c

Denys Vlasenko vda.linux at googlemail.com
Wed Nov 23 21:29:41 UTC 2016


On Tue, Nov 22, 2016 at 5:07 PM, Rich Felker <dalias at libc.org> wrote:
>> Different projects choose their paranoias differently.
>> From its inception, bbox was paranoid about code size.
>>
>> If you see an actual bug where buffer can overflow,
>> I'm more than willing to fix it.
>>
>> But if there is no actual bug, and it's just a general concern
>> that "it looks unsafe", then code size trumps it.
>
> Have you stopped to consider the size from pulling in the deprecated
> sprintf function to begin with? If all references to it were removed,
> then static-linked busybox would only have snprintf, not sprintf. On
> musl/i386 this would only save about 50 bytes but it might save more
> on other archs or libcs.

I found nearly 200 instances of sprintf() use in current bbox git.
I'm not embarking on a quest to replace all of them.
