[OpenAFS-devel] ptuser interfaces: inconsistent downcasing

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 25 Jul 2012 12:35:47 -0400



While the server does append a NUL at the end of the string,
any network facing code should not assume that a string is NUL
terminated.  An evil server can choose to do otherwise.

On Wednesday, July 25, 2012 11:48:09 AM, Garrett Wollman wrote:
> <<On Tue, 24 Jul 2012 22:06:35 -0400, I wrote:
>
>> Some interfaces in the client-side protection library, like
>> pr_CreateUser, pr_CreateGroup, and pr_SNameToId, unconditionally
>> downcase their arguments, which prevents them from being constified.
>> Other interfaces, like pr_AddToGroup and pr_RemoveUserFromGroup, do
>> not do so.  Can anyone explain the reason for this inconsistency?  It
>> would make more sense to me if these interfaces either all did
>> case-folding, or all did not.
>
> Another strange inconsistency: these routines are very unclear about
> whether they are dealing with strings or not.  In places they are
> careful to use interfaces like strncpy() that work on buffers, but
> in other places they call string-only interfaces like stolower() that
> will cheerfully walk off the end of the buffer.  Is PR_MAXNAMELEN
> supposed to account for a trailing null or not?  (The RPC side of
> things appears to believe the latter, although I haven't looked
> closely enough to be certain.)
>
> -GAWollman


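The concern raised in this thread (a fixed-size name buffer arriving from the network may carry no NUL, so string-only routines can read past its end), shown as an added C example that is not OpenAFS code and not from either poster. `copy_lower_name`, `wire_name_len` and `EXAMPLE_MAXNAMELEN` (64, a constructed stand-in for `PR_MAXNAMELEN`) are hypothetical names.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, a constructed stand-in for PR_MAXNAMELEN. */
#define EXAMPLE_MAXNAMELEN 64

/* Length of the name held in a fixed-size wire buffer. Stops at the first
 * NUL but never reads past buflen; returns buflen when no NUL is present. */
static size_t wire_name_len(const char *buf, size_t buflen)
{
    const char *nul = memchr(buf, '\0', buflen);
    return nul ? (size_t)(nul - buf) : buflen;
}

/* Copy a name received from the network into dst, lowercased and always
 * NUL-terminated. With require_nul set, a buffer lacking a terminator is
 * rejected. Returns 0 on success, -1 on rejection (dst is left empty). */
int copy_lower_name(char *dst, size_t dstlen,
                    const char *src, size_t srclen, int require_nul)
{
    size_t n, i;

    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    n = wire_name_len(src, srclen);
    if (require_nul && n == srclen)
        return -1;              /* peer filled the buffer, no terminator */
    if (n >= dstlen)
        return -1;              /* no room for the name plus our own NUL */
    for (i = 0; i < n; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    char wire[EXAMPLE_MAXNAMELEN];          /* constructed reply buffer */
    char out[EXAMPLE_MAXNAMELEN + 1];
    int rc;
    memset(wire, 'A', sizeof(wire));        /* no NUL anywhere */
    printf("strict:  %d\n", copy_lower_name(out, sizeof(out), wire, sizeof(wire), 1));
    rc = copy_lower_name(out, sizeof(out), wire, sizeof(wire), 0);
    printf("lenient: %d (%zu bytes)\n", rc, strlen(out));
    return 0;
}
```

The `require_nul` flag covers both readings of the buffer size asked about in the thread: strict callers treat the terminator as part of the buffer, lenient callers size `dst` one byte larger and terminate it themselves.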