Use of atoll() for CVE-2011-2522
simo
idra at samba.org
Thu Jul 28 07:25:01 MDT 2011
On Thu, 2011-07-28 at 14:49 +0200, Volker Lendecke wrote:
> On Thu, Jul 28, 2011 at 08:41:55AM -0400, simo wrote:
> > > The patch for CVE-2011-2522 uses atoll():
> > > ...
> > > + if (sizeof(time_t) == sizeof(int)) {
> > > + xsrf_time = atoi(time_str);
> > > + } else if (sizeof(time_t) == sizeof(long)) {
> > > + xsrf_time = atol(time_str);
> > > + } else if (sizeof(time_t) == sizeof(long long)) {
> > > + xsrf_time = atoll(time_str);
> > > + }
> > > ...
> > >
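Review bot: the sizeof(time_t) ladder has no final else, so on a platform where time_t matches none of int, long or long long, xsrf_time keeps whatever value it had before these lines. Add an else branch that rejects the token. Separately, atoi(), atol() and atoll() give no error indication: a non-numeric time_str converts to 0 and an out-of-range value is undefined behaviour. A checked conversion (end-of-string and range test) with an explicit failure path would be safer than any of the three calls.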
> > > HP-UX 11.00/PA, 11.11/PA, and 11.23/PA do not provide this function. I
> > > think it is specific to C99. Does Samba now require a C99-compliant
> > > system to compile?
> >
> > Basically, yes, we decided C99 is the baseline a few years ago, after
> > all we are in 2011, 12 years seem enough to get C99 standards adopted.
>
> True. But where it's easy to work around old compilers we
> should do so. IMHO. There seem to be some compilers/libs
> that have partial C99 support.
Yes, if it is as easy as simply adding a substitute function I am all for
it.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
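
The substitute-function approach discussed in this thread, as an added example that is not part of the original message and is not Samba's code: a checked decimal parser that accumulates directly in time_t, so it needs neither atoll() nor the sizeof ladder. The name parse_time_c89 and the sample inputs are hypothetical, and the code assumes time_t is a signed integer type without padding bits.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/*
 * Hypothetical helper, not Samba code. Parses a non-negative decimal
 * timestamp using only C89 features, accumulating directly in time_t.
 * Assumes time_t is a signed integer type without padding bits.
 * Returns 0 on success; -1 on NULL/empty input, any non-digit
 * character (sign and whitespace included) or overflow.
 */
int parse_time_c89(const char *s, time_t *out)
{
    /* Largest time_t value, built without overflowing the type. */
    const time_t tmax =
        ((((time_t)1 << (sizeof(time_t) * CHAR_BIT - 2)) - 1) * 2) + 1;
    time_t val = 0;

    if (s == NULL || out == NULL || *s == '\0') {
        return -1;
    }
    for (; *s != '\0'; s++) {
        int digit;

        if (*s < '0' || *s > '9') {
            return -1;
        }
        digit = *s - '0';
        /* val * 10 + digit would exceed tmax: reject, do not wrap. */
        if (val > (tmax - digit) / 10) {
            return -1;
        }
        val = val * 10 + digit;
    }
    *out = val;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from a real request. */
    const char *samples[] = { "1311859501", "12abc", "", "-5" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        time_t t = 0;
        int rc = parse_time_c89(samples[i], &t);
        printf("\"%s\" -> rc=%d value=%ld\n", samples[i], rc, (long)t);
    }
    return 0;
}
```

Unlike the ato*() family, a failed parse leaves the output untouched and is reported to the caller, so a malformed timestamp can be rejected instead of being read as 0.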