
I agree about strings - you are polite though. It's rank amateur bs.

VLAs too here - but there are many situations where it is necessary to dynamically allocate based on message contents ... just not at this level. alloca is no more a risk than most other allocation methods when it is necessary - at least in the worst case.



A VLA is basically just alloca; you can't pass attacker-controlled lengths to it.

(I have no idea if it's an issue here and sort of doubt it, and would not call this "rank amateur bs").
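The VLA/alloca point above as an added C example, not code from the thread or from the project being discussed: a length-prefixed message handler written once with a VLA sized from the header and once with a fixed stack buffer plus a capped heap fallback. The wire format, the function names and the STACK_MAX and MSG_MAX limits are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STACK_MAX 256u    /* assumed cap for on-stack copies */
#define MSG_MAX   65536u  /* assumed protocol maximum payload */

/* Constructed wire format: 4-byte big-endian length, then payload. */
uint32_t rd_len(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

uint32_t byte_sum(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    while (n--) s += *p++;
    return s;
}

/* Risky: the frame grows by whatever the header says, with no failure return. */
int handle_vla(const uint8_t *msg, size_t msg_len, uint32_t *out) {
    if (msg_len < 4) return -1;
    uint32_t len = rd_len(msg);
    if (len > msg_len - 4) return -1;
    uint8_t buf[(size_t)len + 1];      /* VLA, equivalent to alloca(len + 1) */
    memcpy(buf, msg + 4, len);
    *out = byte_sum(buf, len);
    return 0;
}

/* Bounded: fixed stack buffer for small payloads, capped heap otherwise. */
int handle_bounded(const uint8_t *msg, size_t msg_len, uint32_t *out) {
    if (msg_len < 4) return -1;
    uint32_t len = rd_len(msg);
    if (len > msg_len - 4) return -1;  /* header claims more than was received */
    if (len > MSG_MAX) return -2;      /* over the protocol cap */
    uint8_t small[STACK_MAX], *buf = small;
    if (len > STACK_MAX && !(buf = malloc(len))) return -3;
    memcpy(buf, msg + 4, len);
    *out = byte_sum(buf, len);
    if (buf != small) free(buf);
    return 0;
}

int main(void) {
    const uint8_t msg[] = {0, 0, 0, 3, 1, 2, 3};  /* constructed sample */
    uint32_t s = 0;
    return handle_bounded(msg, sizeof msg, &s) == 0 && s == 6 ? 0 : 1;
}
```

Both handlers return the same result for small messages; they differ only in what bounds the allocation, which is the property to check in review.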



