Use of atoll() for CVE-2011-2522
Albert Chin
samba-technical at mlists.thewrittenword.com
Mon Aug 8 18:28:34 MDT 2011
On Fri, Jul 29, 2011 at 08:18:46AM +0200, Kai Blin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2011-07-28 11:37, Albert Chin wrote:
> > The patch for CVE-2011-2522 uses atoll():
> > ...
> > + if (sizeof(time_t) == sizeof(int)) {
> > + xsrf_time = atoi(time_str);
> > + } else if (sizeof(time_t) == sizeof(long)) {
> > + xsrf_time = atol(time_str);
> > + } else if (sizeof(time_t) == sizeof(long long)) {
> > + xsrf_time = atoll(time_str);
> > + }
> > ...
> >
> > HP-UX 11.00/PA, 11.11/PA, and 11.23/PA do not provide this function. I
> > think it is specific to C99. Does Samba now require a C99-compliant
> > system to compile?
>
> So, seeing how HP-UX doesn't have atoll and strtoll, how do you convert
> a string to a long long on that platform? And what's the size of time_t
> on HP-UX? I take we can use strtoimax for our libreplace implementation
> of atoll?
Well, on this platform, sizeof(time_t) != sizeof(long long) so the
easiest fix is to wrap this in #ifdef HAVE_ATOLL:
#ifdef HAVE_ATOLL
} else if (sizeof(time_t) == sizeof(long long)) {
xsrf_time = atoll(time_str);
#endif
Admittedly, it's ugly.
--
albert chin (china at thewrittenword.com)
More information about the samba-technical
mailing list