Comments by "Anony Mousse" (@anon_y_mousse) on "the new rsync exploit is sort of hilarious." video.
It's not wrong to use a statically sized buffer, but it is wrong to not know what the size of that buffer actually is. Sure, over time things could grow to where that buffer is insufficient, but `#define alen(a) (sizeof(a)/sizeof(*a))` is so simple to write and include inside a standard header for your projects that it's ridiculous that someone would not do so and use it. I consider such CVEs to be skill issues. C does almost nothing for you, but such a check is easily optimized by the compiler if you actually do one yourself. Always check user input.
1
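The check described in the comment above, as an added example that is not part of the original comment or of rsync's code: a sender-declared length is validated against the destination array with `alen` before copying. The record layout, `struct block_sum`, `parse_sum`, `check` and `DIGEST_MAX` are hypothetical names and values constructed for illustration; note that `alen` is only correct on a true array, not on a pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The macro from the comment; valid only on a true array, never a pointer. */
#define alen(a) (sizeof(a) / sizeof(*(a)))

#define DIGEST_MAX 16                 /* constructed size for this example */

struct block_sum {                    /* hypothetical record with a fixed-size field */
    unsigned char digest[DIGEST_MAX];
    size_t digest_len;
};

/*
 * Parse one constructed wire record: [1-byte length][length bytes of digest].
 * Returns 0 on success, -1 if the declared length does not fit the
 * destination array or the record is truncated.
 */
int parse_sum(struct block_sum *out, const unsigned char *msg, size_t msg_len)
{
    if (msg_len < 1)
        return -1;
    size_t claimed = msg[0];          /* untrusted, sender-controlled */
    if (claimed > alen(out->digest))  /* destination bound, taken from the array itself */
        return -1;
    if (claimed > msg_len - 1)        /* source bound: never read past the input */
        return -1;
    memcpy(out->digest, msg + 1, claimed);
    out->digest_len = claimed;
    return 0;
}

/* Constructed inputs: valid, exactly full, oversized claim, truncated. */
static const unsigned char ok_msg[]     = { 4, 0xde, 0xad, 0xbe, 0xef };
static const unsigned char full_msg[17] = { 16 };
static const unsigned char big_msg[33]  = { 32 };  /* claims 32 > DIGEST_MAX */
static const unsigned char cut_msg[]    = { 8, 1, 2 };

int check(const unsigned char *m, size_t n)
{
    struct block_sum s;
    return parse_sum(&s, m, n);
}

int main(void)
{
    printf("ok=%d full=%d big=%d cut=%d\n",
           check(ok_msg, sizeof ok_msg), check(full_msg, sizeof full_msg),
           check(big_msg, sizeof big_msg), check(cut_msg, sizeof cut_msg));
    return 0;
}
```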