Date: Sat, 08 Feb 1997 14:38:48 -0800
From: Craig Shaver <craig@progroup.com>
To: Brian Tao <taob@risc.org>
Cc: security@FreeBSD.ORG
Subject: Re: Don't fulminate, be productive
Message-ID: <32FD0078.3F54BC7E@progroup.com>
References: <Pine.BSF.3.95.970208162327.17456C-100000@alpha.risc.org>
Did Marc Slemko use perl scripts? Do you have an email addr for Marc? Do you think he would let others have access to the tools he used?

Brian Tao wrote:
>
> On Sat, 8 Feb 1997, Jordan K. Hubbard wrote:
> >
> > Actually, that's a good 50% of it. The other 50% is replacing
> > strcpy()'s with strncpy()'s. :-)
>
> I'm sure a perl hacker could come up with a script that can at
> least flag some sort of warning where it suspects a line of code may
> be susceptible. A grep through the sources only finds about 6000
> occurrences of sprintf or strcpy. ;-) BTW, has anyone been able to
> get a FreeBSD version of Insure++ or Purify (or whichever product it
> was) and run the source tree through it?
>
> > Seriously, looking for buffer overflows is not rocket science,
> > though if you spot more serious bugs along the way then you are
> > more than free to fix them. :-)
>
> I'm definitely no code hacker, so I think I'd be limited to
> standalone user space utilities and leave library routines and kernel
> stuff to the experts. Still, it would be an instructional exercise,
> even if no potential holes are found. I think Marc Slemko went over
> the Apache sources in similar fashion and submitted a bunch of
> security-related patches.

del ...

> Brian Tao (BT300, taob@risc.org)
> "Though this be madness, yet there is method in't"

--
Craig Shaver (craig@progroup.com) (415)390-0654
Productivity Group POB 60458 Sunnyvale, CA 94088
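A sketch of the flagging script Brian proposes above, added here as an example (in Python rather than perl) and not code from the thread, from Marc Slemko or from any FreeBSD tool: it goes beyond a plain grep for strcpy/sprintf by also covering strcat and gets, and by reporting when the destination is a fixed-size char array declared earlier in the same file (a heuristic assumption; the sample C source is constructed).

```python
import re

# Unbounded string functions worth a review warning; the destination is the first argument.
UNSAFE = ("strcpy", "strcat", "sprintf", "gets")
CALL_RE = re.compile(r"\b(" + "|".join(UNSAFE) + r")\s*\(\s*([A-Za-z_]\w*)")
# Fixed-size char array declarations such as "char buf[32]".
ARRAY_RE = re.compile(r"\bchar\s+([A-Za-z_]\w*)\s*\[\s*(\d+)\s*\]")

def find_unsafe_calls(source):
    """Return (line_no, func, dest, note) for each suspicious call in C source text.

    Heuristic (an assumption, not a real parser): a char array declared earlier in
    the file is assumed to be the destination named in a later call; anything
    else is reported as 'size unknown' so a reviewer checks where it came from.
    """
    arrays = {}
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        code = line.split("//")[0]  # ignore trailing line comments
        for name, size in ARRAY_RE.findall(code):
            arrays[name] = int(size)
        for func, dest in CALL_RE.findall(code):
            if func == "gets":
                note = "gets() has no bound at all"
            elif dest in arrays:
                note = f"destination is char {dest}[{arrays[dest]}]"
            else:
                note = "destination size unknown"
            findings.append((line_no, func, dest, note))
    return findings

# Constructed sample input; strncpy() is bounded and must not be flagged.
SAMPLE = """\
#include <string.h>
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);
    strncpy(buf, name, sizeof buf - 1);
    sprintf(buf, "hi %s", name);
}
"""

if __name__ == "__main__":
    for line_no, func, dest, note in find_unsafe_calls(SAMPLE):
        print(f"line {line_no}: {func}({dest}, ...) -- {note}")
```

Run it over a source tree with `find . -name '*.c'` feeding each file's text to `find_unsafe_calls`; every hit still needs a human to decide whether the copy is actually bounded.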
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?32FD0078.3F54BC7E>