Bugtraq mailing list archives
Re: WuFTPD: Providing *remote* root since at least1994
From: Casper.Dik () HOLLAND SUN COM (Casper Dik)
Date: Thu, 29 Jun 2000 09:42:28 +0200
"Mouse" == der Mouse <mouse () RODENTS MONTREAL QC CA> writes:Not to mention that could still be overflowable. snprintf() doesn't null terminate.Mouse> Then IMO it's broken - what's your reference for thinking it doesn't? Mouse> The only snprintf manpage I have at hand (NetBSD's) says The behaviour of snprintf() has _changed_. The evil forces of POSIX (as opposed to the benign forces of POSIX) changed the semantics without changing the function name. They never learn...
POSIX? Perhaps you mean X/Open? X/OPen does guarantee NUL termination. The return value is, however, not properly specified. http://www.opengroup.org/onlinepubs/007908799/xsh/fprintf.html lists undefined behaviour for n < 1 (return a value < 1) and also appear to indicate it will return atmost "n - 1". I think a defect report weas issued; X/Open is also likely to follow C99.
So, if you use snprintf() in portable code, you must either: - Check to see if it null-terminates
If it doesn't, it's broken.
- Check to see what value it returns (number of bytes copied? number of bytes it _would_ have copied, if bufflen was infinite? -1 (what's errno)? 0?)
That is something that differs from implementation to implementation; I'm told even the original one returned bytes copied rather than whatever sprintf() would have returned. Also, be aware that snprintf(NULL, 0, fmt, ...) and snprintf(buf, 0, fmt, ...) are dangerous contructs to use (few implementation return the sprintf() result in that case) Since snprintf() shares the printf() formatting engine with the other functions it can return -1 w/ errno = EILSEQ on UNIX98 compliant systems. (And probably other errnos too) However, EILSEQ will only happen for wide char conversions; static inspection fo the snprintf fmt string willtell you whether or not you'll encounter them. Casper
Current thread:
- Re: ftpd: the advisory version, (continued)
- Re: ftpd: the advisory version Bernd Luevelsmeyer (Jun 25)
- Re: ftpd: the advisory version Sebastian (Jun 26)
- [RHSA-2000:037-05] New Linux kernel fixes security bug bugzilla () REDHAT COM (Jun 26)
- LeafChat Denial of Service Andrew Lewis (Jun 25)
- Netscape Enterprise Server for NetWare Virtual Directory Vulnerab ility Peter Grundl (Jun 26)
- Re: ftpd: the advisory version Bernd Luevelsmeyer (Jun 25)
- Re: WuFTPD: Providing *remote* root since at least1994 Peter Pentchev (Jun 23)
- Re: WuFTPD: Providing *remote* root since at least1994 der Mouse (Jun 25)
- Re: WuFTPD: Providing *remote* root since at least1994 Mikael Olsson (Jun 26)
- Re: WuFTPD: Providing *remote* root since at least1994 Theo de Raadt (Jun 27)
- Re: WuFTPD: Providing *remote* root since at least1994 Carson Gaspar (Jun 27)
- Re: WuFTPD: Providing *remote* root since at least1994 Casper Dik (Jun 29)
- Re: WuFTPD: Providing *remote* root since at least1994 Eric Hines (Jun 29)
- Re: WuFTPD: Providing *remote* root since at least1994 Mikael Olsson (Jun 26)
- Re: WuFTPD: Providing *remote* root since at least1994 der Mouse (Jun 26)
- Re: WuFTPD: Providing *remote* root since at least1994 Henrik Nordstrom (Jun 27)
- Re: WuFTPD: Providing *remote* root since at least1994 Theo de Raadt (Jun 28)
- Re: WuFTPD: Providing *remote* root since at least1994 Valentin Nechayev (Jun 29)
- Re: WuFTPD: Providing *remote* root since at least1994 Kenn Humborg (Jun 29)
- Re: WuFTPD: Providing *remote* root since at least1994 Hudin Lucian (Jun 29)
- Multiple vulnerabilities in Sybergen Secure Desktop anders.ingeborn () INFOSEC SE (Jun 30)
- SecureXpert Advisory [SX-20000620-2] SecureXpert DIRECT Sender (Jun 30)
- Re: WuFTPD: Providing *remote* root since at least1994 Henrik Nordstrom (Jun 27)