getline & getline_safe

From: Derek Robert Price
Subject: getline & getline_safe
Date: Tue, 15 Jul 2003 10:34:34 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1

Hey all,

I received a report recently ( <http://ccvs.cvshome.org/issues/show_bug.cgi?id=130> ) that CVS is having trouble compiling on 64-bit machines since it always compiles getline (and it sounds like it was finding the local getline.h and system getline()). I decided to fix the problem by installing the getline module from GNULIB since they do such great work saving me work. :)

Anyhow, I noticed that ccvs/src/server.c is calling a getline_safe() function that is basically getline() with a maximum read limit. The CVS log of ccvs/src/server.c & ccvs/src/getline.c reports that getline_safe() was added by Karl Fogel in July of 2000 and called in order to avoid a denial of service attack during the authentication phase where an attacker sends long authentication strings without newlines, I assume to fill up memory and slow things down or halt them. I couldn't find anything in the relevant mail archives on the subject.

My question is, is this really necessary? Don't most modern operating systems allow ulimit to limit process size? Granted this should be documented if it is the solution, but is it necessary? If getline_safe() _is_ necessary, is there interest in importing it into GNULIB (it really just wraps a call to getdelim2())? Alternatively, is it feasible to export getdelim2() from GNULIB's getline() so that I don't have to reimplement it or maintain a fork of GNULIB's getline() in CVS?



Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
I will not aim for the head.
I will not aim for the head.
I will not aim for the head...

         - Bart Simpson on chalkboard, _The Simpsons_
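
The message above describes getline_safe() as getline() with a maximum read limit. The sketch below is an added example of that idea, not code from the post, CVS or GNULIB; the names `getline_bounded`, `LINE_TOO_LONG` and `stream_from`, the 32-byte limit and the sample input are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_TOO_LONG (-2)  /* hypothetical return code for this example */

/* Read one line (newline included) into *buf, growing it as needed, but
 * never buffer more than `limit` bytes. Returns the line length, -1 on EOF
 * with nothing read or on allocation failure, LINE_TOO_LONG otherwise. */
long getline_bounded(char **buf, size_t *cap, FILE *fp, size_t limit)
{
    size_t len = 0;
    int c;

    while ((c = getc(fp)) != EOF) {
        if (len >= limit)
            return LINE_TOO_LONG;        /* give up before growing further */
        if (len + 2 > *cap) {            /* room for this byte plus NUL */
            size_t ncap = *cap ? *cap * 2 : 64;
            if (ncap > limit + 1)
                ncap = limit + 1;        /* allocation never exceeds limit+1 */
            char *p = realloc(*buf, ncap);
            if (p == NULL)
                return -1;
            *buf = p;
            *cap = ncap;
        }
        (*buf)[len++] = (char)c;
        if (c == '\n')
            break;
    }
    if (len == 0)
        return -1;
    (*buf)[len] = '\0';
    return (long)len;
}

/* Constructed-input helper: place `data` in a temporary stream. */
FILE *stream_from(const char *data)
{
    FILE *fp = tmpfile();
    if (fp) { fputs(data, fp); rewind(fp); }
    return fp;
}

int main(void)
{
    char *line = NULL; size_t cap = 0; long r;
    /* Constructed sample: one normal line, then 40 bytes with no newline. */
    FILE *fp = stream_from("user anonymous\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    if (fp == NULL) return 1;
    while ((r = getline_bounded(&line, &cap, fp, 32)) >= 0)
        printf("%ld bytes: %s", r, line);
    if (r == LINE_TOO_LONG) puts("no newline within 32 bytes, dropping client");
    free(line); fclose(fp);
    return 0;
}
```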
