Use of atoll() for CVE-2011-2522

Andrew Bartlett abartlet at
Thu Jul 28 05:09:16 MDT 2011

On Thu, 2011-07-28 at 04:37 -0500, Albert Chin wrote:
> The patch for CVE-2011-2522 uses atoll():
>         ...
> +       if (sizeof(time_t) == sizeof(int)) {
> +               xsrf_time = atoi(time_str);
> +       } else if (sizeof(time_t) == sizeof(long)) {
> +               xsrf_time = atol(time_str);
> +       } else if (sizeof(time_t) == sizeof(long long)) {
> +               xsrf_time = atoll(time_str);
> +       }
>         ...
> HP-UX 11.00/PA, 11.11/PA, and 11.23/PA do not provide this function. I
> think it is specific to C99. Does Samba now require a C99-compliant
> system to compile?

Samba ships with and uses a library known as libreplace, which contains
replacement functions for standard system libraries that are not
available on all our target platforms. 

The correct fix is to extend libreplace.  

Because of the need to develop security fixes in private, it is harder
to get the same level of assurance regarding portability, simply as a
matter of logistics.  

Perhaps you want to knock up a patch?  It's probably too late for 3.6.0
(we really are trying to get that out the door) but I'm such patches
will make the next regular releases. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list