Bugtraq mailing list archives
Re: syslog()/snprintf(): beware of functions with fuzzy specs
From: jna () concorde com (John Adams)
Date: Thu, 7 Sep 1995 12:01:41 -0500
On Wed, 6 Sep 1995, Casper Dik wrote:
BSD4.4 snprintf()s return the number of characters they would have written had the buffer been infinite. This is despite the manual page saying they return the number of characters actually written.
This should be fixed. It requires the *snprintf() code to parse and examine all arguments: that isn't necessary.
Yes, it should be fixed, but we have a large problem in developing secure code across platforms. For a programmer to take into account all of the nuances of the different compilers, operating systems, and libc.so* revisions. I'm beginning to wonder if it would be easier to bundle a secure set of string operations with code that I release, but even then I have to wonder of the integrity of my code and the willingness of others to use it. How do we resolve this issue? -john
Current thread:
- syslog()/snprintf(): beware of functions with fuzzy specs Dave Morrison (Sep 01)
- lsof 3.41 Vic Abell (Sep 05)
- Re: syslog()/snprintf(): beware of functions with fuzzy specs Casper Dik (Sep 06)
- Re: syslog()/snprintf(): beware of functions with fuzzy specs John Adams (Sep 07)