Use of atoll() for CVE-2011-2522

simo idra at samba.org
Thu Jul 28 06:41:55 MDT 2011


On Thu, 2011-07-28 at 04:37 -0500, Albert Chin wrote:
> The patch for CVE-2011-2522 uses atoll():
>         ...
> +       if (sizeof(time_t) == sizeof(int)) {
> +               xsrf_time = atoi(time_str);
> +       } else if (sizeof(time_t) == sizeof(long)) {
> +               xsrf_time = atol(time_str);
> +       } else if (sizeof(time_t) == sizeof(long long)) {
> +               xsrf_time = atoll(time_str);
> +       }
>         ...
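Review bot: The three conversions at `xsrf_time = atoi(time_str);`, `atol(time_str)` and `atoll(time_str)` cannot signal a parse failure, and the chain has no final `else`, so `xsrf_time` keeps whatever value it held before if `sizeof(time_t)` matches none of the three types. The `ato*` functions return 0 for non-numeric input and have undefined behaviour when the value is out of range, so a malformed `time_str` is indistinguishable from a timestamp of 0. Suggest a single `strtoll(time_str, &end, 10)` call that checks `errno`, checks that `end` consumed the whole string, and range-checks the result before assigning it to `xsrf_time`, rejecting the input on any failure; that also removes the `sizeof` branches. Note that `strtoll()` is C99 as well, so it does not change the portability question raised here.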
> 
> HP-UX 11.00/PA, 11.11/PA, and 11.23/PA do not provide this function. I
> think it is specific to C99. Does Samba now require a C99-compliant
> system to compile?

Basically, yes, we decided C99 is the baseline a few years ago. After
all, we are in 2011; 12 years seems enough to get C99 standards adopted.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>


