On 11 August 1998, D.A. Harris <rodmur(_at_)ecst(_dot_)csuchico(_dot_)edu>
wrote:
> Maybe the point of the note I saw was that there are numerous strcpy,
> strcmp, and strcat's that exist in procmail's source, which might need
> conversion to strncpy, etc, etc., so as to minimize potential future
> buffer overflows.

Well, as I said before, I don't think anybody in his right mind
would volunteer to dig through the code looking for overflows. But
there is something that could be done about it with relatively minimal
effort: run Procmail against a memory debugger. I happen to have
access to Insure++ here (that's a commercial memory debugger, similar
to but much better than Purify); so if anybody out there would care to
put together a kind of test suite, I'll run it, and post the results
here. If there is enough interest for that I'll also post the coverage
analysis report so that the suite can be improved. Comments?
Regards,
Liviu
--
Dr. Liviu Daia               e-mail:   daia(_at_)stoilow(_dot_)imar(_dot_)ro
Institute of Mathematics     web page: http://www.imar.ro/~daia
of the Romanian Academy      PGP key:  finger daia(_at_)stoilow(_dot_)imar(_dot_)ro
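
An added example, not part of the original message and not procmail code: it shows why the strcpy-to-strncpy conversion discussed above is not purely mechanical, since strncpy leaves the destination unterminated on over-long input. The helpers `naive_copy`, `is_terminated`, `bounded_copy` and `bounded_cat` are hypothetical names, and the buffers and input string are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mechanical strcpy -> strncpy conversion: the write is bounded, but dst
   gets no terminating NUL when strlen(src) >= dstsize. */
void naive_copy(char *dst, size_t dstsize, const char *src)
{
    strncpy(dst, src, dstsize);
}

/* Returns 1 if buf[0..size) contains a NUL terminator, else 0. */
int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Copy src into dst[dstsize], always NUL-terminating.
   Returns 0 on success, -1 if src was truncated (or dstsize is 0). */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0) return -1;
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Append src to the string in dst[dstsize]; same return convention.
   Returns -1 without writing if dst is not already terminated. */
int bounded_cat(char *dst, size_t dstsize, const char *src)
{
    const char *end = memchr(dst, '\0', dstsize);
    if (end == NULL) return -1;
    return bounded_copy(dst + (end - dst), dstsize - (size_t)(end - dst), src);
}

int main(void)
{
    char a[8], b[8];                 /* constructed sample buffers */
    const char *in = "0123456789";   /* constructed over-long input */
    naive_copy(a, sizeof a, in);
    printf("strncpy result terminated: %d\n", is_terminated(a, sizeof a));
    printf("bounded_copy rc=%d\n", bounded_copy(b, sizeof b, in));
    printf("buffer now: \"%s\"\n", b);
    return 0;
}
```

A memory debugger of the kind proposed above would flag the first case only when later code reads past the unterminated buffer, so test inputs need to be at least as long as the destination to exercise it.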