Use of atoll() for CVE-2011-2522
Andrew Bartlett
abartlet at samba.org
Thu Jul 28 05:09:16 MDT 2011
On Thu, 2011-07-28 at 04:37 -0500, Albert Chin wrote:
> The patch for CVE-2011-2522 uses atoll():
> ...
> + if (sizeof(time_t) == sizeof(int)) {
> + xsrf_time = atoi(time_str);
> + } else if (sizeof(time_t) == sizeof(long)) {
> + xsrf_time = atol(time_str);
> + } else if (sizeof(time_t) == sizeof(long long)) {
> + xsrf_time = atoll(time_str);
> + }
> ...
>
> HP-UX 11.00/PA, 11.11/PA, and 11.23/PA do not provide this function. I
> think it is specific to C99. Does Samba now require a C99-compliant
> system to compile?
Samba ships with and uses a library known as libreplace, which contains
replacement functions for standard system libraries that are not
available on all our target platforms.
The correct fix is to extend libreplace.
Because of the need to develop security fixes in private, it is harder
to get the same level of assurance regarding portability, simply as a
matter of logistics.
Perhaps you want to knock up a patch? It's probably too late for 3.6.0
(we really are trying to get that out the door) but I'm such patches
will make the next regular releases.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list